protonmail: verify SRP modulus signatures
Code follows how the official proton-bridge is doing it.
This commit is contained in:
parent
c483823b5c
commit
06f6d5b8e9
|
@ -1,34 +1,54 @@
|
||||||
package protonmail
|
package protonmail
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"bytes"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"crypto/subtle"
|
"crypto/subtle"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
// "log"
|
"log"
|
||||||
"math/big"
|
"math/big"
|
||||||
|
|
||||||
|
"golang.org/x/crypto/openpgp"
|
||||||
"golang.org/x/crypto/openpgp/clearsign"
|
"golang.org/x/crypto/openpgp/clearsign"
|
||||||
// openpgperrors "golang.org/x/crypto/openpgp/errors"
|
openpgperrors "golang.org/x/crypto/openpgp/errors"
|
||||||
)
|
)
|
||||||
|
|
||||||
var randReader io.Reader = rand.Reader
|
var randReader io.Reader = rand.Reader
|
||||||
|
|
||||||
|
// Public key for SRP verification
|
||||||
|
// From https://github.com/ProtonMail/proton-bridge/blob/99721b6577fe9079ac7547f11fc77e5090cdd31b/pkg/srp/srp.go#L41-L52
|
||||||
|
const modulusPubkey = `-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
|
xjMEXAHLgxYJKwYBBAHaRw8BAQdAFurWXXwjTemqjD7CXjXVyKf0of7n9Ctm
|
||||||
|
L8v9enkzggHNEnByb3RvbkBzcnAubW9kdWx1c8J3BBAWCgApBQJcAcuDBgsJ
|
||||||
|
BwgDAgkQNQWFxOlRjyYEFQgKAgMWAgECGQECGwMCHgEAAPGRAP9sauJsW12U
|
||||||
|
MnTQUZpsbJb53d0Wv55mZIIiJL2XulpWPQD/V6NglBd96lZKBmInSXX/kXat
|
||||||
|
Sv+y0io+LR8i2+jV+AbOOARcAcuDEgorBgEEAZdVAQUBAQdAeJHUz1c9+KfE
|
||||||
|
kSIgcBRE3WuXC4oj5a2/U3oASExGDW4DAQgHwmEEGBYIABMFAlwBy4MJEDUF
|
||||||
|
hcTpUY8mAhsMAAD/XQD8DxNI6E78meodQI+wLsrKLeHn32iLvUqJbVDhfWSU
|
||||||
|
WO4BAMcm1u02t4VKw++ttECPt+HUgPUq5pqQWe5Q2cW4TMsE
|
||||||
|
=Y4Mw
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----`
|
||||||
|
|
||||||
func decodeModulus(msg string) ([]byte, error) {
|
func decodeModulus(msg string) ([]byte, error) {
|
||||||
block, _ := clearsign.Decode([]byte(msg))
|
block, _ := clearsign.Decode([]byte(msg))
|
||||||
if block == nil {
|
if block == nil {
|
||||||
return nil, errors.New("invalid SRP modulus signed PGP block")
|
return nil, errors.New("invalid SRP modulus signed PGP block")
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: check signature and signature key
|
modulusKeyring, err := openpgp.ReadArmoredKeyRing(bytes.NewReader([]byte(modulusPubkey)))
|
||||||
// FIXME: segfaults
|
if err != nil {
|
||||||
// _, err := block.VerifySignature(nil, nil)
|
return nil, fmt.Errorf("cannot read modulus pubkey: %v", err)
|
||||||
// if err != nil && err != openpgperrors.ErrUnknownIssuer {
|
}
|
||||||
|
|
||||||
|
_, err = openpgp.CheckDetachedSignature(modulusKeyring, bytes.NewReader(block.Bytes), block.ArmoredSignature.Body, nil)
|
||||||
|
if err != nil && err != openpgperrors.ErrUnknownIssuer {
|
||||||
//return nil, fmt.Errorf("failed to decode modulus: %v", err)
|
//return nil, fmt.Errorf("failed to decode modulus: %v", err)
|
||||||
// log.Println("warning: failed to check SRP modulus signature:", err)
|
log.Println("warning: failed to check SRP modulus signature:", err)
|
||||||
//}
|
}
|
||||||
|
|
||||||
b, err := base64.StdEncoding.DecodeString(string(block.Plaintext))
|
b, err := base64.StdEncoding.DecodeString(string(block.Plaintext))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
Loading…
Reference in New Issue