smimesign/command_sign.go

package main

import (
	"bytes"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io"
	"os"
	"strings"

	"github.com/github/smimesign/certstore"
	cms "github.com/github/smimesign/ietf-cms"
	"github.com/pkg/errors"
)

func commandSign() error {
	userIdent, err := findUserIdentity()
	if err != nil {
		return errors.Wrap(err, "failed to get identity matching specified user-id")
	}
	if userIdent == nil {
		return fmt.Errorf("could not find identity matching specified user-id: %s", *localUserOpt)
	}

	// Git is looking for "\n[GNUPG:] SIG_CREATED ", meaning we need to print a
	// line before SIG_CREATED. BEGIN_SIGNING seems appropraite. GPG emits this,
	// though GPGSM does not.
	sBeginSigning.emit()

	cert, err := userIdent.Certificate()
	if err != nil {
		return errors.Wrap(err, "failed to get idenity certificate")
	}

	signer, err := userIdent.Signer()
	if err != nil {
		return errors.Wrap(err, "failed to get idenity signer")
	}

	var f io.ReadCloser
	if len(fileArgs) == 1 {
		if f, err = os.Open(fileArgs[0]); err != nil {
			return errors.Wrapf(err, "failed to open message file (%s)", fileArgs[0])
		}
		defer f.Close()
	} else {
		f = stdin
	}

	dataBuf := new(bytes.Buffer)
	if _, err = io.Copy(dataBuf, f); err != nil {
		return errors.Wrap(err, "failed to read message from stdin")
	}

	sd, err := cms.NewSignedData(dataBuf.Bytes())
	if err != nil {
		return errors.Wrap(err, "failed to create signed data")
	}
	if err = sd.Sign([]*x509.Certificate{cert}, signer); err != nil {
		return errors.Wrap(err, "failed to sign message")
	}
	if *detachSignFlag {
		sd.Detached()
	}

	if len(*tsaOpt) > 0 {
		if err = sd.AddTimestamps(*tsaOpt); err != nil {
			return errors.Wrap(err, "failed to add timestamp")
		}
	}

	chain, err := userIdent.CertificateChain()
	if err != nil {
		return errors.Wrap(err, "failed to get idenity certificate chain")
	}
	if chain, err = certsForSignature(chain); err != nil {
		return err
	}
	if err = sd.SetCertificates(chain); err != nil {
		return errors.Wrap(err, "failed to set certificates")
	}

	der, err := sd.ToDER()
	if err != nil {
		return errors.Wrap(err, "failed to serialize signature")
	}

	emitSigCreated(cert, *detachSignFlag)

	if *armorFlag {
		err = pem.Encode(stdout, &pem.Block{
			Type:  "SIGNED MESSAGE",
			Bytes: der,
		})
	} else {
		_, err = stdout.Write(der)
	}
	if err != nil {
		return errors.New("failed to write signature")
	}

	return nil
}

// findUserIdentity attempts to find an identity to sign with in the certstore
// by checking available identities against the --local-user argument.
func findUserIdentity() (certstore.Identity, error) {
	var (
		email string
		fpr   []byte
	)

	if strings.ContainsRune(*localUserOpt, '@') {
		email = normalizeEmail(*localUserOpt)
	} else {
		fpr = normalizeFingerprint(*localUserOpt)
	}

	if len(email) == 0 && len(fpr) == 0 {
		return nil, fmt.Errorf("bad user-id format: %s", *localUserOpt)
	}

	for _, ident := range idents {
		if cert, err := ident.Certificate(); err == nil && (certHasEmail(cert, email) || certHasFingerprint(cert, fpr)) {
			return ident, nil
		}
	}

	return nil, nil
}

// certsForSignature determines which certificates to include in the signature
// based on the --include-certs option specified by the user.
func certsForSignature(chain []*x509.Certificate) ([]*x509.Certificate, error) {
	include := *includeCertsOpt

	if include < -3 {
		include = -2 // default
	}
	if include > len(chain) {
		include = len(chain)
	}

	switch include {
	case -3:
		for i := len(chain) - 1; i > 0; i-- {
			issuer, cert := chain[i], chain[i-1]

			// remove issuer when cert has AIA extension
			if bytes.Equal(issuer.RawSubject, cert.RawIssuer) && len(cert.IssuingCertificateURL) > 0 {
				chain = chain[0:i]
			}
		}
		return chainWithoutRoot(chain), nil
	case -2:
		return chainWithoutRoot(chain), nil
	case -1:
		return chain, nil
	default:
		return chain[0:include], nil
	}
}

// Returns the provided chain, having removed the root certificate, if present.
// This includes removing the cert itself if the chain is a single self-signed
// cert.
func chainWithoutRoot(chain []*x509.Certificate) []*x509.Certificate {
	if len(chain) == 0 {
		return chain
	}

	lastIdx := len(chain) - 1
	last := chain[lastIdx]

	if bytes.Equal(last.RawIssuer, last.RawSubject) {
		return chain[0:lastIdx]
	}

	return chain
}
get signing working 2017-11-22 18:31:25 +03:00			`package main`

			`import (`
			`"bytes"`
implement gpgsm's --include-certs argument 2018-07-26 17:56:36 +03:00			`"crypto/x509"`
get signing working 2017-11-22 18:31:25 +03:00			`"encoding/pem"`
			`"fmt"`
			`"io"`
add read file logic for signning 2019-04-03 01:09:07 +03:00			`"os"`
get signing working 2017-11-22 18:31:25 +03:00			`"strings"`

Consolidate `smimesign`-specific dependencies into a monorepo. github.com/github/fakeca → github.com/github/smimesign/fakeca github.com/github/certstore → github.com/github/smimesign/certstore github.com/github/ietf-cms → github.com/github/smimesign/ietf-cms 2021-09-29 21:21:04 +03:00			`"github.com/github/smimesign/certstore"`
			`cms "github.com/github/smimesign/ietf-cms"`
better error messages 2017-11-29 23:50:15 +03:00			`"github.com/pkg/errors"`
get signing working 2017-11-22 18:31:25 +03:00			`)`

bubble up errors instead of doing fancy wrappers around panics 2018-09-05 21:07:20 +03:00			`func commandSign() error {`
better error messages 2017-11-29 23:50:15 +03:00			`userIdent, err := findUserIdentity()`
get signing working 2017-11-22 18:31:25 +03:00			`if err != nil {`
bubble up errors instead of doing fancy wrappers around panics 2018-09-05 21:07:20 +03:00			`return errors.Wrap(err, "failed to get identity matching specified user-id")`
get signing working 2017-11-22 18:31:25 +03:00			`}`
			`if userIdent == nil {`
update README\ 2018-09-10 21:27:34 +03:00			`return fmt.Errorf("could not find identity matching specified user-id: %s", *localUserOpt)`
get signing working 2017-11-22 18:31:25 +03:00			`}`

emit statuses during verification 2017-11-29 03:25:14 +03:00			`// Git is looking for "\n[GNUPG:] SIG_CREATED ", meaning we need to print a`
Change `BEGING_SIGNING` to `BEGIN_SIGNING`. Per https://github.com/github/smimesign/blob/c068195384830899ef594141a7586039afd0c7ec/status.go#L17 and https://github.com/gpg/gnupg/blob/918792befd835e04b4043b9ce42ea6d829a284fa/doc/DETAILS#begin_signing , sthis is a typo. 2020-07-30 20:42:44 +03:00			`// line before SIG_CREATED. BEGIN_SIGNING seems appropraite. GPG emits this,`
emit statuses during verification 2017-11-29 03:25:14 +03:00			`// though GPGSM does not.`
			`sBeginSigning.emit()`

implement gpgsm's --include-certs argument 2018-07-26 17:56:36 +03:00			`cert, err := userIdent.Certificate()`
get signing working 2017-11-22 18:31:25 +03:00			`if err != nil {`
Merge branch 'master' into include-certs 2018-09-05 21:43:23 +03:00			`return errors.Wrap(err, "failed to get idenity certificate")`
get signing working 2017-11-22 18:31:25 +03:00			`}`

			`signer, err := userIdent.Signer()`
			`if err != nil {`
bubble up errors instead of doing fancy wrappers around panics 2018-09-05 21:07:20 +03:00			`return errors.Wrap(err, "failed to get idenity signer")`
get signing working 2017-11-22 18:31:25 +03:00			`}`

add var f definition 2019-04-03 02:10:10 +03:00			`var f io.ReadCloser`
add read file logic for signning 2019-04-03 01:09:07 +03:00			`if len(fileArgs) == 1 {`
			`if f, err = os.Open(fileArgs[0]); err != nil {`
			`return errors.Wrapf(err, "failed to open message file (%s)", fileArgs[0])`
			`}`
			`defer f.Close()`
			`} else {`
			`f = stdin`
			`}`

get signing working 2017-11-22 18:31:25 +03:00			`dataBuf := new(bytes.Buffer)`
add read file logic for signning 2019-04-03 01:09:07 +03:00			`if _, err = io.Copy(dataBuf, f); err != nil {`
bubble up errors instead of doing fancy wrappers around panics 2018-09-05 21:07:20 +03:00			`return errors.Wrap(err, "failed to read message from stdin")`
get signing working 2017-11-22 18:31:25 +03:00			`}`

option for adding timestamps to signatures 2018-07-17 00:06:26 +03:00			`sd, err := cms.NewSignedData(dataBuf.Bytes())`
			`if err != nil {`
bubble up errors instead of doing fancy wrappers around panics 2018-09-05 21:07:20 +03:00			`return errors.Wrap(err, "failed to create signed data")`
option for adding timestamps to signatures 2018-07-17 00:06:26 +03:00			`}`
implement gpgsm's --include-certs argument 2018-07-26 17:56:36 +03:00			`if err = sd.Sign([]*x509.Certificate{cert}, signer); err != nil {`
bubble up errors instead of doing fancy wrappers around panics 2018-09-05 21:07:20 +03:00			`return errors.Wrap(err, "failed to sign message")`
option for adding timestamps to signatures 2018-07-17 00:06:26 +03:00			`}`
get signing working 2017-11-22 18:31:25 +03:00			`if *detachSignFlag {`
option for adding timestamps to signatures 2018-07-17 00:06:26 +03:00			`sd.Detached()`
get signing working 2017-11-22 18:31:25 +03:00			`}`
option for adding timestamps to signatures 2018-07-17 00:06:26 +03:00
			`if len(*tsaOpt) > 0 {`
			`if err = sd.AddTimestamps(*tsaOpt); err != nil {`
bubble up errors instead of doing fancy wrappers around panics 2018-09-05 21:07:20 +03:00			`return errors.Wrap(err, "failed to add timestamp")`
option for adding timestamps to signatures 2018-07-17 00:06:26 +03:00			`}`
			`}`

implement gpgsm's --include-certs argument 2018-07-26 17:56:36 +03:00			`chain, err := userIdent.CertificateChain()`
			`if err != nil {`
Merge branch 'master' into include-certs 2018-09-05 21:43:23 +03:00			`return errors.Wrap(err, "failed to get idenity certificate chain")`
implement gpgsm's --include-certs argument 2018-07-26 17:56:36 +03:00			`}`
include chain minus root by default 2018-09-06 00:27:35 +03:00			`if chain, err = certsForSignature(chain); err != nil {`
			`return err`
			`}`
			`if err = sd.SetCertificates(chain); err != nil {`
Merge branch 'master' into include-certs 2018-09-05 21:43:23 +03:00			`return errors.Wrap(err, "failed to set certificates")`
implement gpgsm's --include-certs argument 2018-07-26 17:56:36 +03:00			`}`

option for adding timestamps to signatures 2018-07-17 00:06:26 +03:00			`der, err := sd.ToDER()`
get signing working 2017-11-22 18:31:25 +03:00			`if err != nil {`
bubble up errors instead of doing fancy wrappers around panics 2018-09-05 21:07:20 +03:00			`return errors.Wrap(err, "failed to serialize signature")`
get signing working 2017-11-22 18:31:25 +03:00			`}`

implement gpgsm's --include-certs argument 2018-07-26 17:56:36 +03:00			`emitSigCreated(cert, *detachSignFlag)`
get signing working 2017-11-22 18:31:25 +03:00
			`if *armorFlag {`
implement gpgsm's --include-certs argument 2018-07-26 17:56:36 +03:00			`err = pem.Encode(stdout, &pem.Block{`
get signing working 2017-11-22 18:31:25 +03:00			`Type: "SIGNED MESSAGE",`
			`Bytes: der,`
			`})`
			`} else {`
implement gpgsm's --include-certs argument 2018-07-26 17:56:36 +03:00			`_, err = stdout.Write(der)`
get signing working 2017-11-22 18:31:25 +03:00			`}`
			`if err != nil {`
bubble up errors instead of doing fancy wrappers around panics 2018-09-05 21:07:20 +03:00			`return errors.New("failed to write signature")`
get signing working 2017-11-22 18:31:25 +03:00			`}`
bubble up errors instead of doing fancy wrappers around panics 2018-09-05 21:07:20 +03:00
			`return nil`
get signing working 2017-11-22 18:31:25 +03:00			`}`

			`// findUserIdentity attempts to find an identity to sign with in the certstore`
			`// by checking available identities against the --local-user argument.`
better error messages 2017-11-29 23:50:15 +03:00			`func findUserIdentity() (certstore.Identity, error) {`
get signing working 2017-11-22 18:31:25 +03:00			`var (`
			`email string`
			`fpr []byte`
			`)`

			`if strings.ContainsRune(*localUserOpt, '@') {`
			`email = normalizeEmail(*localUserOpt)`
			`} else {`
			`fpr = normalizeFingerprint(*localUserOpt)`
			`}`

			`if len(email) == 0 && len(fpr) == 0 {`
			`return nil, fmt.Errorf("bad user-id format: %s", *localUserOpt)`
			`}`

			`for _, ident := range idents {`
bad certificate in store shouldn't prevent signing 2018-11-29 00:12:25 +03:00			`if cert, err := ident.Certificate(); err == nil && (certHasEmail(cert, email) \|\| certHasFingerprint(cert, fpr)) {`
get signing working 2017-11-22 18:31:25 +03:00			`return ident, nil`
			`}`
			`}`

			`return nil, nil`
			`}`
implement gpgsm's --include-certs argument 2018-07-26 17:56:36 +03:00
			`// certsForSignature determines which certificates to include in the signature`
			`// based on the --include-certs option specified by the user.`
include chain minus root by default 2018-09-06 00:27:35 +03:00			`func certsForSignature(chain []x509.Certificate) ([]x509.Certificate, error) {`
			`include := *includeCertsOpt`

			`if include < -3 {`
			`include = -2 // default`
			`}`
			`if include > len(chain) {`
			`include = len(chain)`
			`}`

			`switch include {`
			`case -3:`
ommit issuer by default if cert has AIA this adds a new --include-certs=-3 option (default) that includes the chain except for the root (as per gpgsm). The difference is that each issuer in the chain will be omitted if the cert has the AIA extension specifying where to download the issuer. 2018-07-26 20:15:20 +03:00			`for i := len(chain) - 1; i > 0; i-- {`
			`issuer, cert := chain[i], chain[i-1]`

			`// remove issuer when cert has AIA extension`
			`if bytes.Equal(issuer.RawSubject, cert.RawIssuer) && len(cert.IssuingCertificateURL) > 0 {`
			`chain = chain[0:i]`
			`}`
implement gpgsm's --include-certs argument 2018-07-26 17:56:36 +03:00			`}`
include chain minus root by default 2018-09-06 00:27:35 +03:00			`return chainWithoutRoot(chain), nil`
			`case -2:`
			`return chainWithoutRoot(chain), nil`
			`case -1:`
			`return chain, nil`
			`default:`
			`return chain[0:include], nil`
implement gpgsm's --include-certs argument 2018-07-26 17:56:36 +03:00			`}`
			`}`
ommit issuer by default if cert has AIA this adds a new --include-certs=-3 option (default) that includes the chain except for the root (as per gpgsm). The difference is that each issuer in the chain will be omitted if the cert has the AIA extension specifying where to download the issuer. 2018-07-26 20:15:20 +03:00
			`// Returns the provided chain, having removed the root certificate, if present.`
			`// This includes removing the cert itself if the chain is a single self-signed`
			`// cert.`
			`func chainWithoutRoot(chain []x509.Certificate) []x509.Certificate {`
			`if len(chain) == 0 {`
			`return chain`
			`}`

			`lastIdx := len(chain) - 1`
			`last := chain[lastIdx]`

			`if bytes.Equal(last.RawIssuer, last.RawSubject) {`
			`return chain[0:lastIdx]`
			`}`

			`return chain`
			`}`