aboutsummaryrefslogtreecommitdiff
path: root/verify.go
blob: 25615a143c48c9da15026f1a5e23f830852e7472 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
package main

import (
	"flag"
	"fmt"
	"io/ioutil"
	"os"

	"dim13.org/signify/b64file"
	"dim13.org/signify/key"
	"dim13.org/signify/zsig"
)

// Usage: signify -V [-eqz] [-p pubkey] [-t keytype] [-x sigfile] -m message

func verify(args []string) error {
	opts := flag.NewFlagSet("verify", flag.ExitOnError)
	var (
		embedded = opts.Bool("e", false, "Embed message")
		quiet    = opts.Bool("q", false, "Quiet mode")
		zip      = opts.Bool("z", false, "Verify gzip archive") // TODO
		pubFile  = opts.String("p", "", "Public key file")
		keyType  = opts.String("t", "", "Key type") // TODO
		sigFile  = opts.String("x", "", "Signature file")
		msgFile  = opts.String("m", "", "Message file (required)")
	)
	opts.Parse(args)
	if *msgFile == "" {
		opts.Usage()
		return nil
	}
	if *sigFile == "" {
		*sigFile = b64file.SigName(*msgFile)
	}
	_ = keyType // TODO

	switch {
	case *zip && *embedded:
		return ErrEZ
	case *zip:
		if err := verifyGzip(*pubFile, *sigFile); err != nil {
			return err
		}
	case *embedded:
		if err := verifyEmbedded(*pubFile, *sigFile); err != nil {
			return err
		}
	default:
		if err := verifyPlain(*pubFile, *sigFile, *msgFile); err != nil {
			return err
		}
	}
	if !*quiet {
		fmt.Println("Signature Verified")
	}
	return nil
}

func verifyPlain(pubFile, sigFile, msgFile string) error {
	msg, err := ioutil.ReadFile(msgFile)
	if err != nil {
		return err
	}
	sig, _, verifyWith, err := openSig(sigFile)
	if err != nil {
		return err
	}
	if pubFile == "" {
		pubFile = verifyWith
	}
	pub, err := openPub(pubFile)
	if err != nil {
		return err
	}
	return sig.Verify(msg, pub)
}

func verifyEmbedded(pubFile, sigFile string) error {
	sig, msg, verifyWith, err := openSig(sigFile)
	if err != nil {
		return err
	}
	if pubFile == "" {
		pubFile = verifyWith
	}
	pub, err := openPub(pubFile)
	if err != nil {
		return err
	}
	return sig.Verify(msg, pub)
}

// TODO ugly work-in-progress
func verifyGzip(pubFile, sigFile string) error {
	fd, err := os.Open(sigFile)
	if err != nil {
		return err
	}
	defer fd.Close()
	z, err := zsig.NewReader(fd)
	if err != nil {
		return err
	}

	sig := new(key.Sig)
	_, msg, err := b64file.DecodeString(z.Comment, sig)
	if err != nil {
		return err
	}
	if err := sig.Validate(); err != nil {
		return err
	}

	pub, err := openPub(pubFile)
	if err != nil {
		return err
	}
	if err := sig.Verify(msg, pub); err != nil {
		return err
	}

	zhead, err := zsig.ParseBytes(msg)
	if err != nil {
		return err
	}

	return zhead.Verify(z)
}

func openPub(fname string) (*key.Pub, error) {
	pub := new(key.Pub)
	if _, _, err := b64file.DecodeFile(fname, pub); err != nil {
		return nil, err
	}
	if err := pub.Validate(); err != nil {
		return nil, err
	}
	return pub, nil
}

func openSig(fname string) (*key.Sig, []byte, string, error) {
	sig := new(key.Sig)
	comment, msg, err := b64file.DecodeFile(fname, sig)
	if err != nil {
		return nil, nil, "", err
	}
	if err := sig.Validate(); err != nil {
		return nil, nil, "", err
	}
	pubKey := b64file.PubFile(comment)
	return sig, msg, pubKey, nil
}