diff --git a/Makefile b/Makefile index 68ecca7..b25062c 100644 --- a/Makefile +++ b/Makefile @@ -1,12 +1,12 @@ +.PHONY: all default install shellcheck-% shellspec-% tests uninstall BINDIR ?= $(PREFIX)/bin PREFIX ?= /usr/local -.PHONY: all default install shellcheck-% shellspec-% tests uninstall --include $(MYOS)/make/include.mk MYOS ?= ../myos MYOS_REPOSITORY ?= $(patsubst %/dpgpid,%/myos,$(shell git config --get remote.origin.url 2>/dev/null)) $(MYOS): -@git clone $(MYOS_REPOSITORY) $(MYOS) +-include $(MYOS)/make/include.mk default: tests @@ -19,10 +19,10 @@ install: pip install -r requirements.txt shellcheck-%: - shellcheck $*/*.sh + @shellcheck $*/*.sh shellspec-%: - shellspec -f tap $* + @shellspec -f tap $* tests: shellcheck-specs shellspec-specs diff --git a/keygen b/keygen index 8ea44ba..f0d4f06 100755 --- a/keygen +++ b/keygen @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # link: https://git.p2p.legal/aya/dpgpid/ -# desc: generate ed25519 keys suitables for duniter or ipfs +# desc: generate ed25519 keys for duniter and ipfs from gpg # Copyleft 2022 Yann Autissier # all crypto science belongs to Pascal Engélibert @@ -48,11 +48,10 @@ __version__='0.0.4' class keygen: def __init__(self): - # desc: generate ed25519 keys suitables for duniter or ipfs self.parser = argparse.ArgumentParser(description=""" - Generate ed25519 keys suitables for duniter and ipfs. - It converts an ed25519 key, duniter username/password, or a GPG key, to - a duniter wallet or an IPFS PeerID/PrivateKEY.""") + Generate ed25519 keys for duniter and ipfs from gpg. + It converts a gpg key, a duniter username/password, or any ed25519 key to + a duniter wallet or an IPFS key.""") self.parser.add_argument( "-d", "--debug", @@ -77,7 +76,7 @@ class keygen: "--input", dest="input", default=None, - help="read ed25519 key from file INPUT, autodetect format: [credentials|ewif|libnacl|mnemonic|pubsec|seedhex|wif]", + help="read ed25519 key from file INPUT, autodetect format: [credentials|ewif|nacl|mnemonic|pb2|pubsec|seed|wif]", ) self.parser.add_argument( "-k", @@ -121,7 +120,7 @@ class keygen: "--type", dest="type", default="base58", - help="output text format: [base58|base64|duniter|ipfs], default: base58", + help="output text format: [b58mh|b64mh|base58|base64|duniter|ipfs], default: base58", ) self.parser.add_argument( "-v", @@ -173,9 +172,9 @@ class keygen: if hasattr(self, 'ed25519_secret_pem_pkcs8') and self.ed25519_secret_pem_pkcs8: clearmem(self.ed25519_secret_pem_pkcs8) log.debug("cleared: keygen.ed25515_secret_pem_pkcs8") - if hasattr(self, 'ed25519_secret_protobuf2') and self.ed25519_secret_protobuf2: - clearmem(self.ed25519_secret_protobuf2) - log.debug("cleared: keygen.ed25515_secret_protobuf2") + if hasattr(self, 'ed25519_secret_protobuf') and self.ed25519_secret_protobuf: + clearmem(self.ed25519_secret_protobuf) + log.debug("cleared: keygen.ed25515_secret_protobuf") if hasattr(self, 'ed25519_seed_bytes') and self.ed25519_seed_bytes: clearmem(self.ed25519_seed_bytes) log.debug("cleared: keygen.ed25519_seed_bytes") @@ -238,17 +237,17 @@ class keygen: except pynentry.PinEntryCancelled: log.warning('Cancelled! Goodbye.') self._cleanup() - exit(2) + exit(1) self.duniterpy.save_ewif_file(self.output, self.password) elif self.format == 'nacl': if not hasattr(self, 'duniterpy'): self.duniterpy_from_ed25519() self.duniterpy.save_private_key(self.output) elif self.format == 'pb2': - if not hasattr(self, 'ed25519_secret_protobuf2'): - self.protobuf2_from_ed25519() + if not hasattr(self, 'ed25519_secret_protobuf'): + self.protobuf_from_ed25519() with open(self.output, "wb") as fh: - fh.write(self.ed25519_secret_protobuf2) + fh.write(self.ed25519_secret_protobuf) elif self.format == 'pubsec': if not hasattr(self, 'duniterpy'): self.duniterpy_from_ed25519() @@ -305,27 +304,65 @@ class keygen: method = getattr(self, f'do_{self.type}', self._invalid_type) return method() + def b58mh_from_protobuf(self): + log.debug("keygen.b58mh_from_protobuf()") + try: + self.ed25519_public_b58mh = base58.b58encode(self.ed25519_public_protobuf).decode('ascii') + self.ed25519_secret_b58mh = base58.b58encode(self.ed25519_secret_protobuf).decode('ascii') + except Exception as e: + log.error(f'Unable to get b58mh from protobuf: {e}') + self._cleanup() + exit(2) + log.debug("keygen.ed25519_public_b58mh=%s" % self.ed25519_public_b58mh) + log.debug("keygen.ed25519_secret_b58mh=%s" % self.ed25519_secret_b58mh) + + def b64mh_from_protobuf(self): + log.debug("keygen.b64mh_from_protobuf()") + try: + self.ed25519_public_b64mh = base64.b64encode(self.ed25519_public_protobuf).decode('ascii') + self.ed25519_secret_b64mh = base64.b64encode(self.ed25519_secret_protobuf).decode('ascii') + except Exception as e: + log.error(f'Unable to get b64mh from protobuf: {e}') + self._cleanup() + exit(2) + log.debug("keygen.ed25519_public_b64mh=%s" % self.ed25519_public_b64mh) + log.debug("keygen.ed25519_secret_b64mh=%s" % self.ed25519_secret_b64mh) + def base58_from_ed25519(self): log.debug("keygen.base58_from_ed25519()") - self.ed25519_public_base58 = base58.b58encode(self.ed25519_public_bytes).decode('ascii') + try: + self.ed25519_public_base58 = base58.b58encode(self.ed25519_public_bytes).decode('ascii') + self.ed25519_secret_base58 = base58.b58encode(self.ed25519_secret_bytes).decode('ascii') + except Exception as e: + log.error(f'Unable to get base58 from ed25519: {e}') + self._cleanup() + exit(2) log.debug("keygen.ed25519_public_base58=%s" % self.ed25519_public_base58) - self.ed25519_secret_base58 = base58.b58encode(self.ed25519_secret_bytes).decode('ascii') log.debug("keygen.ed25519_secret_base58=%s" % self.ed25519_secret_base58) def base64_from_ed25519(self): log.debug("keygen.base64_from_ed25519()") - self.ed25519_public_base64 = base64.b64encode(self.ed25519_public_bytes).decode('ascii') + try: + self.ed25519_public_base64 = base64.b64encode(self.ed25519_public_bytes).decode('ascii') + self.ed25519_secret_base64 = base64.b64encode(self.ed25519_secret_bytes).decode('ascii') + except Exception as e: + log.error(f'Unable to get base64 from ed25519: {e}') + self._cleanup() + exit(2) log.debug("keygen.ed25519_public_base64=%s" % self.ed25519_public_base64) - self.ed25519_secret_base64 = base64.b64encode(self.ed25519_secret_bytes).decode('ascii') log.debug("keygen.ed25519_secret_base64=%s" % self.ed25519_secret_base64) - def base58_from_pubsec(self): - log.debug("keygen.base58_from_pubsec()") - for line in open(self.input, "r"): - if re.search("pub", line): - self.ed25519_public_base58 = line.replace('\n','').split(': ')[1] - elif re.search("sec", line): - self.ed25519_secret_base58 = line.replace('\n','').split(': ')[1] + def do_b58mh(self): + log.debug("keygen.do_b58mh()") + self.protobuf_from_ed25519() + self.b58mh_from_protobuf() + self._output(self.ed25519_public_b58mh, self.ed25519_secret_b58mh, 'pub: ', 'sec: ') + + def do_b64mh(self): + log.debug("keygen.do_b64mh()") + self.protobuf_from_ed25519() + self.b64mh_from_protobuf() + self._output(self.ed25519_public_b64mh, self.ed25519_secret_b64mh, 'pub: ', 'sec: ') def do_base58(self): log.debug("keygen.do_base58()") @@ -338,44 +375,57 @@ class keygen: self._output(self.ed25519_public_base64, self.ed25519_secret_base64, 'pub: ', 'sec: ') def do_duniter(self): + log.debug("keygen.do_duniter()") if not self.format: self.format = 'pubsec' - self.do_base58() + self.base58_from_ed25519() + self._output(self.ed25519_public_base58, self.ed25519_secret_base58, 'pub: ', 'sec: ') def do_ipfs(self): log.debug("keygen.do_ipfs()") - self.protobuf2_from_ed25519() - self.ipfs_from_protobuf2() - self._output(self.ipfs_peerid, self.ipfs_privkey, 'PeerID: ', 'PrivKEY: ') + self.protobuf_from_ed25519() + self.b58mh_from_protobuf() + self.b64mh_from_protobuf() + self._output(self.ed25519_public_b58mh, self.ed25519_secret_b64mh, 'PeerID: ', 'PrivKEY: ') def duniterpy_from_credentials(self): log.debug("keygen.duniterpy_from_credentials()") - scrypt_params = duniterpy.key.scrypt_params.ScryptParams( - int(self.config.get('scrypt', 'n')) if self.config.has_option('scrypt', 'n') else 4096, - int(self.config.get('scrypt', 'r')) if self.config.has_option('scrypt', 'r') else 16, - int(self.config.get('scrypt', 'p')) if self.config.has_option('scrypt', 'p') else 1, - int(self.config.get('scrypt', 'sl')) if self.config.has_option('scrypt', 'sl') else 32, - ) - if not self.password: - with pynentry.PynEntry() as p: - p.description = f"""Please enter the passord for username "{self.username}".""" - p.prompt = 'Passsord:' - try: - self.password = p.get_pin() - except pynentry.PinEntryCancelled: - log.warning('Cancelled! Goodbye.') - self._cleanup() - exit(2) - self.duniterpy = duniterpy.key.SigningKey.from_credentials( - self.username, - self.password, - scrypt_params - ) + try: + scrypt_params = duniterpy.key.scrypt_params.ScryptParams( + int(self.config.get('scrypt', 'n')) if self.config.has_option('scrypt', 'n') else 4096, + int(self.config.get('scrypt', 'r')) if self.config.has_option('scrypt', 'r') else 16, + int(self.config.get('scrypt', 'p')) if self.config.has_option('scrypt', 'p') else 1, + int(self.config.get('scrypt', 'sl')) if self.config.has_option('scrypt', 'sl') else 32, + ) + if not self.password: + with pynentry.PynEntry() as p: + p.description = f"""Please enter the passord for username "{self.username}".""" + p.prompt = 'Passsord:' + try: + self.password = p.get_pin() + except pynentry.PinEntryCancelled: + log.warning('Cancelled! Goodbye.') + self._cleanup() + exit(1) + self.duniterpy = duniterpy.key.SigningKey.from_credentials( + self.username, + self.password, + scrypt_params + ) + except Exception as e: + log.error(f'Unable to get duniter from credentials: {e}') + self._cleanup() + exit(2) log.debug("keygen.duniterpy.seed: %s" % self.duniterpy.seed) def duniterpy_from_ed25519(self): log.debug("keygen.duniterpy_from_ed25519()") - self.duniterpy = duniterpy.key.SigningKey(self.ed25519_secret_bytes[:32]) + try: + self.duniterpy = duniterpy.key.SigningKey(self.ed25519_seed_bytes) + except Exception as e: + log.error(f'Unable to get duniterpy from ed25519: {e}') + self._cleanup() + exit(2) log.debug("keygen.duniterpy.seed: %s" % self.duniterpy.seed) def duniterpy_from_file(self): @@ -405,17 +455,15 @@ class keygen: except pynentry.PinEntryCancelled: log.warning('Cancelled! Goodbye.') self._cleanup() - exit(2) + exit(1) self.duniterpy = duniterpy.key.SigningKey.from_ewif_file(self.input, self.password) elif re.search(regex_nacl, line): log.info("input file format detected: nacl") self.duniterpy = duniterpy.key.SigningKey.from_private_key(self.input) elif re.search(regex_pem, line): log.info("input file format detected: pem") - self.ed25519_secret_bytes = serialization.load_pem_private_key(''.join(lines).encode(), password=None).private_bytes(encoding=serialization.Encoding.Raw, format=serialization.PrivateFormat.Raw, encryption_algorithm=serialization.NoEncryption()) + self.ed25519_seed_bytes = serialization.load_pem_private_key(''.join(lines).encode(), password=None).private_bytes(encoding=serialization.Encoding.Raw, format=serialization.PrivateFormat.Raw, encryption_algorithm=serialization.NoEncryption()) self.duniterpy_from_ed25519() - ## at this stage, self.ed25519_secret_bytes contains only the 32 seed bytes and not the 32 seed bytes + 32 public bytes as it should - # we need to call self.ed25519_from_duniterpy() later to correctly build the self.ed25519_secret_bytes elif re.search(regex_pubsec, line): log.info("input file format detected: pubsec") self.duniterpy = duniterpy.key.SigningKey.from_pubsec_file(self.input) @@ -438,25 +486,52 @@ class keygen: self.password = lines[1].strip() self.duniterpy_from_credentials() else: - raise NotImplementedError(f"""unable to detect input file format.""") + raise NotImplementedError('unknown input file format.') + else: + raise NotImplementedError('empty file.') + except UnicodeDecodeError as e: + try: + with open(self.input, 'rb') as file: + lines = file.readlines() + if len(lines) > 0: + line = lines[0].strip() + regex_pb2 = re.compile(b'^\x08\x01\x12@') + if re.search(regex_pb2, line): + log.info("input file format detected: pb2") + self.ed25519_secret_protobuf = line + self.ed25519_from_protobuf() + self.duniterpy_from_ed25519() + else: + raise NotImplementedError('unknown input file format.') + else: + raise NotImplementedError('empty file.') + except Exception as e: + log.error(f'Unable to get duniterpy from file {self.input}: {e}') + self._cleanup() + exit(2) except Exception as e: - log.error(f"""Unable to open file {self.input}: {e}""") + log.error(f'Unable to get duniterpy from file {self.input}: {e}') self._cleanup() - exit(1) + exit(2) log.debug("keygen.duniterpy.seed: %s" % self.duniterpy.seed) def duniterpy_from_mnemonic(self): log.debug("keygen.duniterpy_from_mnemonic()") - scrypt_params = duniterpy.key.scrypt_params.ScryptParams( - int(self.config.get('scrypt', 'n')) if self.config.has_option('scrypt', 'n') else 4096, - int(self.config.get('scrypt', 'r')) if self.config.has_option('scrypt', 'r') else 16, - int(self.config.get('scrypt', 'p')) if self.config.has_option('scrypt', 'p') else 1, - int(self.config.get('scrypt', 'sl')) if self.config.has_option('scrypt', 'sl') else 32, - ) - self.duniterpy = duniterpy.key.SigningKey.from_dubp_mnemonic( - self.username, - scrypt_params - ) + try: + scrypt_params = duniterpy.key.scrypt_params.ScryptParams( + int(self.config.get('scrypt', 'n')) if self.config.has_option('scrypt', 'n') else 4096, + int(self.config.get('scrypt', 'r')) if self.config.has_option('scrypt', 'r') else 16, + int(self.config.get('scrypt', 'p')) if self.config.has_option('scrypt', 'p') else 1, + int(self.config.get('scrypt', 'sl')) if self.config.has_option('scrypt', 'sl') else 32, + ) + self.duniterpy = duniterpy.key.SigningKey.from_dubp_mnemonic( + self.username, + scrypt_params + ) + except Exception as e: + log.error(f'Unable to get duniterpy from mnemonic: {e}') + self._cleanup() + exit(2) log.debug("keygen.duniterpy.seed: %s" % self.duniterpy.seed) def ed25519(self, args): @@ -473,131 +548,164 @@ class keygen: self.duniterpy_from_credentials() self.ed25519_from_duniterpy() - def ed25519_from_base58(self): - log.debug("keygen.ed25519_from_base58()") - self.ed25519_public_bytes = base58.b58decode(self.ed25519_public_base58) - self.ed25519_secret_bytes = base58.b58decode(self.ed25519_secret_base58) - log.debug("keygen.ed25519_public_bytes=%s" % self.ed25519_public_bytes) - log.debug("keygen.ed25519_secret_bytes=%s" % self.ed25519_secret_bytes) - def ed25519_from_duniterpy(self): log.debug("keygen.ed25519_from_duniterpy()") - self.ed25519_public_bytes = base58.b58decode(self.duniterpy.pubkey) - self.ed25519_secret_bytes = self.duniterpy.sk + try: + self.ed25519_public_bytes = base58.b58decode(self.duniterpy.pubkey) + self.ed25519_secret_bytes = self.duniterpy.sk + self.ed25519_seed_bytes = self.ed25519_secret_bytes[:32] + except Exception as e: + log.error(f'Unable to get ed25519 from duniterpy: {e}') + self._cleanup() + exit(2) + log.debug("keygen.ed25519_seed_bytes=%s" % self.ed25519_seed_bytes) log.debug("keygen.ed25519_public_bytes=%s" % self.ed25519_public_bytes) log.debug("keygen.ed25519_secret_bytes=%s" % self.ed25519_secret_bytes) def ed25519_from_gpg(self): log.debug("keygen.ed25519_from_gpg()") - self.pgpy_from_gpg() - self.ed25519_from_pgpy() - - def pgpy_from_gpg(self): - log.debug("keygen.pgpy_from_gpg()") - self.gpg_seckeys = list(self.gpg.keylist(pattern=self.username, secret=True)) - log.debug("keygen.gpg_seckeys=%s" % self.gpg_seckeys) - if not self.gpg_seckeys: - log.error(f"""Unable to find any key matching username "{self.username}".""") - self._cleanup() - exit(1) - else: - self.gpg_seckey = self.gpg_seckeys[0] - log.info(f"""Found key id "{self.gpg_seckey.fpr}" matching username "{self.username}".""") - log.debug("keygen.gpg_seckey.expired=%s" % self.gpg_seckey.expired) - log.debug("keygen.gpg_seckey.fpr=%s" % self.gpg_seckey.fpr) - log.debug("keygen.gpg_seckey.revoked=%s" % self.gpg_seckey.revoked) - log.debug("keygen.gpg_seckey.uids=%s" % self.gpg_seckey.uids) - log.debug("keygen.gpg_seckey.owner_trust=%s" % self.gpg_seckey.owner_trust) - log.debug("keygen.gpg_seckey.last_update=%s" % self.gpg_seckey.last_update) - if self.password: - self.gpg.set_pinentry_mode(gpg.constants.PINENTRY_MODE_LOOPBACK) - self.pgp_secret_armored = self.gpg.key_export_secret(self.gpg_seckey.fpr) - log.debug("keygen.pgp_secret_armored=%s" % self.pgp_secret_armored) - if not self.pgp_secret_armored: - log.error(f"""Unable to export gpg secret key id "{self.gpg_seckey.fpr}" of user "{self.username}". Please check your password!""") + try: + self.pgpy_from_gpg() + self.ed25519_from_pgpy() + except Exception as e: + log.error(f'Unable to get ed25519 from pgp: {e}') self._cleanup() exit(2) - with warnings.catch_warnings(): - # remove CryptographyDeprecationWarning about deprecated - # SymmetricKeyAlgorithm IDEA, CAST5 and Blowfish (PGPy v0.5.4) - warnings.simplefilter('ignore') - self.pgpy, _ = pgpy.PGPKey.from_blob(self.pgp_secret_armored) def ed25519_from_pgpy(self): log.debug("keygen.ed25519_from_pgpy()") - log.debug("keygen.pgpy.fingerprint.keyid=%s" % self.pgpy.fingerprint.keyid) - log.debug("keygen.pgpy.is_protected=%s" % self.pgpy.is_protected) - if self.pgpy.is_protected: - if not self.password: - with pynentry.PynEntry() as p: - p.description = f"""The exported pgp key id "{self.pgpy.fingerprint.keyid}" of user "{self.username}" is password protected. - Please enter the passphrase again to unlock it. - """ - p.prompt = 'Passphrase:' - try: - self.password = p.get_pin() - except pynentry.PinEntryCancelled: - log.warning('Cancelled! Goodbye.') - self._cleanup() - exit(2) - try: - with warnings.catch_warnings(): - # remove CryptographyDeprecationWarning about deprecated - # SymmetricKeyAlgorithm IDEA, CAST5 and Blowfish (PGPy v0.5.4) - warnings.simplefilter('ignore') - with self.pgpy.unlock(self.password): - assert self.pgpy.is_unlocked - log.debug("keygen.pgpy.is_unlocked=%s" % self.pgpy.is_unlocked) - self.ed25519_seed_bytes_from_pgpy() - except Exception as e: - log.error(f"""Unable to unlock pgp secret key id "{self.pgpy.fingerprint.keyid}" of user "{self.username}". Please check your password!""") - self._cleanup() - exit(2) - else: - self.ed25519_seed_bytes_from_pgpy() - self.ed25519_public_bytes, self.ed25519_secret_bytes = nacl.bindings.crypto_sign_seed_keypair(self.ed25519_seed_bytes) + try: + log.debug("keygen.pgpy.fingerprint.keyid=%s" % self.pgpy.fingerprint.keyid) + log.debug("keygen.pgpy.is_protected=%s" % self.pgpy.is_protected) + if self.pgpy.is_protected: + if not self.password: + with pynentry.PynEntry() as p: + p.description = f"""The exported pgp key id "{self.pgpy.fingerprint.keyid}" of user "{self.username}" is password protected. + Please enter the passphrase again to unlock it. + """ + p.prompt = 'Passphrase:' + try: + self.password = p.get_pin() + except pynentry.PinEntryCancelled: + log.warning('Cancelled! Goodbye.') + self._cleanup() + exit(1) + try: + with warnings.catch_warnings(): + # remove CryptographyDeprecationWarning about deprecated + # SymmetricKeyAlgorithm IDEA, CAST5 and Blowfish (PGPy v0.5.4) + warnings.simplefilter('ignore') + with self.pgpy.unlock(self.password): + assert self.pgpy.is_unlocked + log.debug("keygen.pgpy.is_unlocked=%s" % self.pgpy.is_unlocked) + self.ed25519_seed_bytes_from_pgpy() + except Exception as e: + log.error(f"""Unable to unlock pgp secret key id "{self.pgpy.fingerprint.keyid}" of user "{self.username}": {e}""") + self._cleanup() + exit(2) + else: + self.ed25519_seed_bytes_from_pgpy() + self.ed25519_from_seed_bytes() + except Exception as e: + log.error(f'Unable to get ed25519 from pgpy: {e}') + self._cleanup() + exit(2) + + def ed25519_from_protobuf(self): + log.debug("keygen.ed25519_from_protobuf()") + try: + self.ed25519_secret_bytes = self.ed25519_secret_protobuf.lstrip(b'\x08\x01\x12@') + self.ed25519_seed_bytes = self.ed25519_secret_bytes[:32] + self.ed25519_public_bytes = self.ed25519_secret_bytes.lstrip(self.ed25519_seed_bytes) + except Exception as e: + log.error(f'Unable to get ed25519 from protobuf: {e}') + self._cleanup() + exit(2) + log.debug("keygen.ed25519_seed_bytes=%s" % self.ed25519_seed_bytes) + log.debug("keygen.ed25519_public_bytes=%s" % self.ed25519_public_bytes) + log.debug("keygen.ed25519_secret_bytes=%s" % self.ed25519_secret_bytes) + + def ed25519_from_seed_bytes(self): + log.debug("keygen.ed25519_from_seed_bytes()") + try: + self.ed25519_public_bytes, self.ed25519_secret_bytes = nacl.bindings.crypto_sign_seed_keypair(self.ed25519_seed_bytes) + except Exception as e: + log.error(f'Unable to get ed25519 from seed bytes: {e}') + self._cleanup() + exit(2) log.debug("keygen.ed25519_public_bytes=%s" % self.ed25519_public_bytes) log.debug("keygen.ed25519_secret_bytes=%s" % self.ed25519_secret_bytes) def ed25519_seed_bytes_from_pgpy(self): log.debug("keygen.ed25519_seed_bytes_from_pgpy()") - self.pgpy_key_type() - if self.pgpy_key_type == 'RSA': - log.debug("keygen.pgpy._key.keymaterial.p=%s" % self.pgpy._key.keymaterial.p) - log.debug("keygen.pgpy._key.keymaterial.q=%s" % self.pgpy._key.keymaterial.q) - # custom seed: use sha256 hash of (p + q) - self.ed25519_seed_bytes = nacl.bindings.crypto_hash_sha256(long_to_bytes(self.pgpy._key.keymaterial.p + self.pgpy._key.keymaterial.q)) - p = long_to_bytes(self.pgpy._key.keymaterial.p) - q = long_to_bytes(self.pgpy._key.keymaterial.q) - log.debug("keygen.ed25519_seed_bytes=%s" % self.ed25519_seed_bytes) - elif self.pgpy_key_type in ('ECDSA', 'EdDSA', 'ECDH'): - log.debug("keygen.pgpy._key.keymaterial.s=%s" % self.pgpy._key.keymaterial.s) - self.ed25519_seed_bytes = long_to_bytes(self.pgpy._key.keymaterial.s) - log.debug("keygen.ed25519_seed_bytes=%s" % self.ed25519_seed_bytes) - else: - raise NotImplementedError(f"Getting seed from {self.pgpy_key_type} key is not implemented") + try: + self.pgpy_key_type() + if self.pgpy_key_type == 'RSA': + log.debug("keygen.pgpy._key.keymaterial.p=%s" % self.pgpy._key.keymaterial.p) + log.debug("keygen.pgpy._key.keymaterial.q=%s" % self.pgpy._key.keymaterial.q) + # custom seed: use sha256 hash of (p + q) + self.ed25519_seed_bytes = nacl.bindings.crypto_hash_sha256(long_to_bytes(self.pgpy._key.keymaterial.p + self.pgpy._key.keymaterial.q)) + elif self.pgpy_key_type in ('ECDSA', 'EdDSA', 'ECDH'): + log.debug("keygen.pgpy._key.keymaterial.s=%s" % self.pgpy._key.keymaterial.s) + self.ed25519_seed_bytes = long_to_bytes(self.pgpy._key.keymaterial.s) + else: + raise NotImplementedError(f"Getting seed from {self.pgpy_key_type} key is not implemented") + except Exception as e: + log.error(f'Unable to get ed25519 seed bytes from pgpy: {e}') + self._cleanup() + exit(2) + log.debug("keygen.ed25519_seed_bytes=%s" % self.ed25519_seed_bytes) def gpg_passphrase_cb(self, uid_hint, passphrase_info, prev_was_bad): log.debug("keygen.gpg_passphrase_cb(%s, %s, %s)" % (uid_hint, passphrase_info, prev_was_bad)) return self.password - def ipfs_from_protobuf2(self): - log.debug("keygen.ipfs_from_protobuf2()") - - # PeerID - self.ipfs_peerid = base58.b58encode(self.ed25519_public_protobuf2).decode('ascii') - log.debug("keygen.ipfs_peerid=%s" % self.ipfs_peerid) - - # PrivKey - self.ipfs_privkey = base64.b64encode(self.ed25519_secret_protobuf2).decode('ascii') - log.debug("keygen.ipfs_privkey=%s" % self.ipfs_privkey) - def pem_pkcs8_from_ed25519(self): log.debug("keygen.pem_pkcs8_from_ed25519()") - - self.ed25519_secret_pem_pkcs8 = ed25519.Ed25519PrivateKey.from_private_bytes(self.ed25519_secret_bytes[:32]).private_bytes(encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption()).decode('ascii') + try: + self.ed25519_secret_pem_pkcs8 = ed25519.Ed25519PrivateKey.from_private_bytes(self.ed25519_seed_bytes).private_bytes(encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption()).decode('ascii') + except Exception as e: + log.error(f'Unable to get pem pkcs8 from ed25519: {e}') + self._cleanup() + exit(2) log.debug("keygen.ed25519_secret_pem_pkcs8=%s" % self.ed25519_secret_pem_pkcs8) + def pgpy_from_gpg(self): + log.debug("keygen.pgpy_from_gpg()") + try: + self.gpg_seckeys = list(self.gpg.keylist(pattern=self.username, secret=True)) + log.debug("keygen.gpg_seckeys=%s" % self.gpg_seckeys) + if not self.gpg_seckeys: + log.warning(f"""Unable to find any key matching username "{self.username}".""") + self._cleanup() + exit(1) + else: + self.gpg_seckey = self.gpg_seckeys[0] + log.info(f"""Found key id "{self.gpg_seckey.fpr}" matching username "{self.username}".""") + log.debug("keygen.gpg_seckey.expired=%s" % self.gpg_seckey.expired) + log.debug("keygen.gpg_seckey.fpr=%s" % self.gpg_seckey.fpr) + log.debug("keygen.gpg_seckey.revoked=%s" % self.gpg_seckey.revoked) + log.debug("keygen.gpg_seckey.uids=%s" % self.gpg_seckey.uids) + log.debug("keygen.gpg_seckey.owner_trust=%s" % self.gpg_seckey.owner_trust) + log.debug("keygen.gpg_seckey.last_update=%s" % self.gpg_seckey.last_update) + if self.password: + self.gpg.set_pinentry_mode(gpg.constants.PINENTRY_MODE_LOOPBACK) + self.pgp_secret_armored = self.gpg.key_export_secret(self.gpg_seckey.fpr) + log.debug("keygen.pgp_secret_armored=%s" % self.pgp_secret_armored) + if not self.pgp_secret_armored: + log.error(f"""Unable to export gpg secret key id "{self.gpg_seckey.fpr}" of user "{self.username}". Please check your password!""") + self._cleanup() + exit(2) + with warnings.catch_warnings(): + # remove CryptographyDeprecationWarning about deprecated + # SymmetricKeyAlgorithm IDEA, CAST5 and Blowfish (PGPy v0.5.4) + warnings.simplefilter('ignore') + self.pgpy, _ = pgpy.PGPKey.from_blob(self.pgp_secret_armored) + except Exception as e: + log.error(f'Unable to get pgpy from gpg: {e}') + self._cleanup() + exit(2) + def pgpy_key_type(self): log.debug("keygen.pgpy_key_type()") if isinstance(self.pgpy._key.keymaterial, pgpy.packet.fields.RSAPriv): @@ -616,13 +724,18 @@ class keygen: self.pgpy_key_type = 'undefined' log.debug("keygen.pgpy_key_type=%s" % self.pgpy_key_type) - def protobuf2_from_ed25519(self): + def protobuf_from_ed25519(self): # libp2p protobuf version 2 - log.debug("keygen.protobuf2_from_ed25519()") - self.ed25519_public_protobuf2 = b'\x00$\x08\x01\x12 ' + self.ed25519_public_bytes - self.ed25519_secret_protobuf2 = b'\x08\x01\x12@' + self.ed25519_secret_bytes - log.debug("keygen.ed25519_public_protobuf2=%s" % self.ed25519_public_protobuf2) - log.debug("keygen.ed25519_secret_protobuf2=%s" % self.ed25519_secret_protobuf2) + log.debug("keygen.protobuf_from_ed25519()") + try: + self.ed25519_public_protobuf = b'\x00$\x08\x01\x12 ' + self.ed25519_public_bytes + self.ed25519_secret_protobuf = b'\x08\x01\x12@' + self.ed25519_secret_bytes + except Exception as e: + log.error(f'Unable to get protobuf from ed25519: {e}') + self._cleanup() + exit(2) + log.debug("keygen.ed25519_public_protobuf=%s" % self.ed25519_public_protobuf) + log.debug("keygen.ed25519_secret_protobuf=%s" % self.ed25519_secret_protobuf) ## # long_to_bytes comes from PyCrypto, which is released into Public Domain diff --git a/specs/keygen_spec.sh b/specs/keygen_spec.sh index f5e6ad1..291e495 100644 --- a/specs/keygen_spec.sh +++ b/specs/keygen_spec.sh @@ -3,14 +3,14 @@ set -eu CRED_FILE="${SHELLSPEC_TMPBASE}/credentials" DUBP_FILE="${SHELLSPEC_TMPBASE}/mnemonic" -EWIF_FILE="${SHELLSPEC_TMPBASE}/ed25519.ewif" -NACL_FILE="${SHELLSPEC_TMPBASE}/ed25519.nacl" -PB2_FILE="${SHELLSPEC_TMPBASE}/ed25519.pb2" -PEM_FILE="${SHELLSPEC_TMPBASE}/ed25519.pem" -PUBSEC_FILE="${SHELLSPEC_TMPBASE}/ed25519.pubsec" -SEED_FILE="${SHELLSPEC_TMPBASE}/ed25519.seed" -SSB_FILE="${SHELLSPEC_TMPBASE}/ed25519.ssb" -WIF_FILE="${SHELLSPEC_TMPBASE}/ed25519.wif" +EWIF_FILE="${SHELLSPEC_TMPBASE}/username.ewif" +NACL_FILE="${SHELLSPEC_TMPBASE}/username.nacl" +PB2_FILE="${SHELLSPEC_TMPBASE}/username.pb2" +PEM_FILE="${SHELLSPEC_TMPBASE}/username.pem" +PUBSEC_FILE="${SHELLSPEC_TMPBASE}/username.pubsec" +SEED_FILE="${SHELLSPEC_TMPBASE}/username.seed" +SSB_FILE="${SHELLSPEC_TMPBASE}/username.ssb" +WIF_FILE="${SHELLSPEC_TMPBASE}/username.wif" gpg() { GNUPGHOME="${SHELLSPEC_TMPBASE}" command gpg "$@" @@ -112,36 +112,54 @@ Describe 'keygen' The stderr should equal "" End End - Describe '-t base58 -pk username password:' + Describe '-pkt b58mh username password:' + It 'prints prefixed base58 multihash public and secret keys for user "username" and password "password"' + When run keygen -pkt b58mh username password + The output should include 'pub: 12D3KooWDMhdm5yrvtrbkshXFjkqLedHieUnPioczy9wzdnzquHC' + The output should include 'sec: 23jhTarm17VAHUwPkHD2Kv5sPfuQrsXSZUzKUrRkP2oP8bgnLjVExhG4AVoayCLxbXN4g2pjVG5qiJRucUtogbj7zGapz' + The status should be success + The stderr should equal "" + End + End + Describe '-pkt b64mh username password:' + It 'prints prefixed base64 multihash public and secret keys for user "username" and password "password"' + When run keygen -pkt b64mh username password + The output should include 'pub: ACQIARIgNJoTbvcP+m51+XwxrmWqHaOpI1ZD0USwLjqAmV8Boas=' + The output should include 'sec: CAESQA+XqCWjRqCjNe9oU3QA796bEH+T+rxgyPQ/EkXvE2MvNJoTbvcP+m51+XwxrmWqHaOpI1ZD0USwLjqAmV8Boas=' + The status should be success + The stderr should equal "" + End + End + Describe '-pkt base58 username password:' It 'prints prefixed base58 public and secret keys for user "username" and password "password"' - When run keygen -t base58 -pk username password + When run keygen -pkt base58 username password The output should include 'pub: 4YLU1xQ9jzb7LzC6d91VZrYTEKS9N2j93Nnvcee6wxZG' The output should include 'sec: K5heSX4xGUPtRbxcZh6zbgaKbDv8FeVc9JuSNWtUs7C1oGNKqv7kQJ3DHdouTPzoW4duKKnuLQK8LbHKfN9fkjC' The status should be success The stderr should equal "" End End - Describe '-t base64 -pk username password:' + Describe '-pkt base64 username password:' It 'prints prefixed base64 public and secret keys for user "username" and password "password"' - When run keygen -t base64 -pk username password + When run keygen -pkt base64 username password The output should include 'pub: NJoTbvcP+m51+XwxrmWqHaOpI1ZD0USwLjqAmV8Boas=' The output should include 'sec: D5eoJaNGoKM172hTdADv3psQf5P6vGDI9D8SRe8TYy80mhNu9w/6bnX5fDGuZaodo6kjVkPRRLAuOoCZXwGhqw==' The status should be success The stderr should equal "" End End - Describe '-t duniter -pk username password:' + Describe '-pkt duniter username password:' It 'prints prefixed duniter public and secret keys for user "username" and password "password"' - When run keygen -t duniter -pk username password + When run keygen -pkt duniter username password The output should include 'pub: 4YLU1xQ9jzb7LzC6d91VZrYTEKS9N2j93Nnvcee6wxZG' The output should include 'sec: K5heSX4xGUPtRbxcZh6zbgaKbDv8FeVc9JuSNWtUs7C1oGNKqv7kQJ3DHdouTPzoW4duKKnuLQK8LbHKfN9fkjC' The status should be success The stderr should equal "" End End - Describe '-t ipfs -pk username password:' + Describe '-pkt ipfs username password:' It 'prints prefixed ipfs public and secret keys for user "username" and password "password"' - When run keygen -t ipfs -pk username password + When run keygen -pkt ipfs username password The output should include 'PeerID: 12D3KooWDMhdm5yrvtrbkshXFjkqLedHieUnPioczy9wzdnzquHC' The output should include 'PrivKEY: CAESQA+XqCWjRqCjNe9oU3QA796bEH+T+rxgyPQ/EkXvE2MvNJoTbvcP+m51+XwxrmWqHaOpI1ZD0USwLjqAmV8Boas=' The status should be success @@ -273,6 +291,15 @@ Describe 'keygen' The status should be success The stderr should equal "" End + End + Describe "-pki ${PB2_FILE}:" + It 'prints prefixed base58 public and secret keys for ed25519 key read from pb2 file"' + When run keygen -pki "${PB2_FILE}" -v + The output should include 'pub: 4YLU1xQ9jzb7LzC6d91VZrYTEKS9N2j93Nnvcee6wxZG' + The output should include 'sec: K5heSX4xGUPtRbxcZh6zbgaKbDv8FeVc9JuSNWtUs7C1oGNKqv7kQJ3DHdouTPzoW4duKKnuLQK8LbHKfN9fkjC' + The status should be success + The stderr should include 'input file format detected: pb2' + End rm -f "${PB2_FILE}" End Describe "-f pubsec -o ${PUBSEC_FILE} username password:"