Documentation ¶
Overview ¶
Package openpgp implements high level operations on OpenPGP messages.
Index ¶
- Constants
- Variables
- func ArmoredDetachSign(w io.Writer, signers []*Entity, message io.Reader, params *SignParams) (err error)
- func DetachSign(w io.Writer, signers []*Entity, message io.Reader, config *packet.Config) error
- func DetachSignWithParams(w io.Writer, signers []*Entity, message io.Reader, params *SignParams) error
- func DetachSignWriter(w io.Writer, signers []*Entity, params *SignParams) (io.WriteCloser, error)
- func Encrypt(ciphertext io.Writer, to, toHidden []*Entity, signers []*Entity, ...) (plaintext io.WriteCloser, err error)
- func EncryptWithParams(ciphertext io.Writer, to, toHidden []*Entity, params *EncryptParams) (plaintext io.WriteCloser, err error)
- func HashIdToHash(id byte) (h crypto.Hash, ok bool)
- func HashIdToString(id byte) (name string, ok bool)
- func HashToHashId(h crypto.Hash) (id byte, ok bool)
- func NewCanonicalTextHash(h hash.Hash) hash.Hash
- func NewCanonicalTextReader(r io.Reader) io.Reader
- func NewCanonicalTextWriteCloser(w io.WriteCloser) io.WriteCloser
- func Sign(output io.Writer, signers []*Entity, hints *FileHints, config *packet.Config) (input io.WriteCloser, err error)
- func SignWithParams(output io.Writer, signers []*Entity, params *SignParams) (input io.WriteCloser, err error)
- func SymmetricallyEncrypt(ciphertext io.Writer, passphrase []byte, hints *FileHints, ...) (plaintext io.WriteCloser, err error)
- func SymmetricallyEncryptWithParams(passphrase []byte, dataWriter io.Writer, params *EncryptParams) (plaintext io.WriteCloser, err error)
- type EncryptParams
- type Entity
- func NewEntity(name, comment, email string, config *packet.Config) (*Entity, error)
- func NewEntityWithoutId(config *packet.Config) (*Entity, error)
- func ReadEntity(packets *packet.Reader) (*Entity, error)
- func VerifyArmoredDetachedSignature(keyring KeyRing, signed, signature io.Reader, config *packet.Config) (sig *packet.Signature, signer *Entity, err error)
- func VerifyDetachedSignature(keyring KeyRing, signed, signature io.Reader, config *packet.Config) (sig *packet.Signature, signer *Entity, err error)
- func (t *Entity) AddDirectKeySignature(selectedKeyProperties *keyProperties, config *packet.Config) error
- func (e *Entity) AddEncryptionSubkey(config *packet.Config) error
- func (e *Entity) AddSigningSubkey(config *packet.Config) error
- func (t *Entity) AddUserId(name, comment, email string, config *packet.Config) error
- func (e *Entity) CertificationKey(now time.Time, config *packet.Config) (Key, bool)
- func (e *Entity) CertificationKeyById(now time.Time, id uint64, config *packet.Config) (Key, bool)
- func (e *Entity) DecryptPrivateKeys(passphrase []byte) error
- func (e *Entity) DecryptionKeys(id uint64, date time.Time, config *packet.Config) (keys []Key)
- func (e *Entity) EncryptPrivateKeys(passphrase []byte, config *packet.Config) error
- func (e *Entity) EncryptionKey(now time.Time, config *packet.Config) (Key, bool)
- func (e *Entity) LatestValidDirectSignature(date time.Time, config *packet.Config) (selectedSig *packet.Signature, err error)
- func (e *Entity) NewForwardingEntity(name, comment, email string, config *packet.Config, strict bool) (forwardeeKey *Entity, instances []packet.ForwardingInstance, err error)
- func (e *Entity) PrimaryIdentity(date time.Time, config *packet.Config) (*packet.Signature, *Identity)
- func (e *Entity) PrimarySelfSignature(date time.Time, config *packet.Config) (primarySig *packet.Signature, err error)
- func (e *Entity) Revoke(reason packet.ReasonForRevocation, reasonText string, config *packet.Config) error
- func (e *Entity) Revoked(now time.Time) bool
- func (e *Entity) Serialize(w io.Writer) error
- func (e *Entity) SerializePrivate(w io.Writer, config *packet.Config) (err error)
- func (e *Entity) SerializePrivateWithoutSigning(w io.Writer, config *packet.Config) (err error)
- func (e *Entity) SignIdentity(identity string, signer *Entity, config *packet.Config) error
- func (e *Entity) SigningKey(now time.Time, config *packet.Config) (Key, bool)
- func (e *Entity) SigningKeyById(now time.Time, id uint64, config *packet.Config) (Key, bool)
- func (e *Entity) VerifyPrimaryKey(date time.Time, config *packet.Config) (*packet.Signature, error)
- type EntityList
- type FileHints
- type Identity
- func (i *Identity) LatestValidSelfCertification(date time.Time, config *packet.Config) (selectedSig *packet.Signature, err error)
- func (i *Identity) ReSign(config *packet.Config) error
- func (i *Identity) Revoked(selfCertification *packet.Signature, date time.Time, config *packet.Config) bool
- func (i *Identity) Serialize(w io.Writer) error
- func (ident *Identity) SignIdentity(signer *Entity, config *packet.Config) error
- func (i *Identity) Verify(date time.Time, config *packet.Config) (selfSignature *packet.Signature, err error)
- type Key
- type KeyRing
- type MessageDetails
- type PromptFunction
- type SignParams
- type SignatureCandidate
- type Subkey
- func (s *Subkey) Expired(selectedSig *packet.Signature, date time.Time) bool
- func (s *Subkey) LatestValidBindingSignature(date time.Time, config *packet.Config) (selectedSig *packet.Signature, err error)
- func (s *Subkey) ReSign(config *packet.Config) error
- func (s *Subkey) Revoke(reason packet.ReasonForRevocation, reasonText string, config *packet.Config) error
- func (s *Subkey) Revoked(selfCertification *packet.Signature, date time.Time) bool
- func (s *Subkey) Serialize(w io.Writer, includeSecrets bool) error
- func (s *Subkey) Verify(date time.Time, config *packet.Config) (selfSig *packet.Signature, err error)
Constants ¶
const LegacyECCKeyV6 = `` /* 792-byte string literal not displayed */
Variables ¶
var PrivateKeyType = "PGP PRIVATE KEY BLOCK"
PrivateKeyType is the armor type for a PGP private key.
var PublicKeyType = "PGP PUBLIC KEY BLOCK"
PublicKeyType is the armor type for a PGP public key.
var SignatureType = "PGP SIGNATURE"
SignatureType is the armor type for a PGP signature.
Functions ¶
func ArmoredDetachSign ¶
func ArmoredDetachSign(w io.Writer, signers []*Entity, message io.Reader, params *SignParams) (err error)
ArmoredDetachSign signs message with the private key from signer (which must already have been decrypted) and writes an armored signature to the Writer. If config is nil, sensible defaults will be used.
func DetachSign ¶
DetachSign signs message with the private key from signer (which must already have been decrypted) and writes the signature to w. If config is nil, sensible defaults will be used.
func DetachSignWithParams ¶
func DetachSignWithParams(w io.Writer, signers []*Entity, message io.Reader, params *SignParams) error
DetachSignWithParams signs message with the private key from signer (which must already have been decrypted) and writes the signature to the Writer. If config is nil, sensible defaults will be used.
func DetachSignWriter ¶
func DetachSignWriter(w io.Writer, signers []*Entity, params *SignParams) (io.WriteCloser, error)
DetachSignWriter signs a message with the private key from a signer (which must already have been decrypted) and writes the signature to the Writer. DetachSignWriter returns a WriteCloser to which the message can be written to. The resulting WriteCloser must be closed after the contents of the message have been written. If utf8Message is set to true, the line endings of the message are canonicalised and the type of the signature will be SigTypeText. If config is nil, sensible defaults will be used.
func Encrypt ¶
func Encrypt(ciphertext io.Writer, to, toHidden []*Entity, signers []*Entity, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error)
Encrypt encrypts a message to a number of recipients and, optionally, signs it. Hints contains optional information, that is also encrypted, that aids the recipients in processing the message. The crypto-refresh recommends to not set file hints since the data is not included in the signature hash. See https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-5.9. The resulting WriteCloser must be closed after the contents of the file have been written. The to argument contains recipients that are explicitly mentioned in signatures and encrypted keys, whereas the toHidden argument contains recipients that will be hidden and not mentioned. If config is nil, sensible defaults will be used.
func EncryptWithParams ¶
func EncryptWithParams(ciphertext io.Writer, to, toHidden []*Entity, params *EncryptParams) (plaintext io.WriteCloser, err error)
EncryptWithParams encrypts a message to a number of recipients and, optionally, signs it. The resulting WriteCloser must be closed after the contents of the file have been written. The to argument contains recipients that are explicitly mentioned in signatures and encrypted keys, whereas the toHidden argument contains recipients that will be hidden and not mentioned. Params contains all optional parameters.
func HashIdToHash ¶
HashIdToHash returns a crypto.Hash which corresponds to the given OpenPGP hash id.
func HashIdToString ¶
HashIdToString returns the name of the hash function corresponding to the given OpenPGP hash id.
func HashToHashId ¶
HashToHashId returns an OpenPGP hash id which corresponds the given Hash.
func NewCanonicalTextHash ¶
NewCanonicalTextHash reformats text written to it into the canonical form and then applies the hash h. See RFC 4880, section 5.2.1.
func NewCanonicalTextReader ¶
NewCanonicalTextReader reformats text read from it into the canonical form. See RFC 4880, section 5.2.1.
func NewCanonicalTextWriteCloser ¶
func NewCanonicalTextWriteCloser(w io.WriteCloser) io.WriteCloser
NewCanonicalTextWriteCloser reformats text written to it into the canonical form. See RFC 4880, section 5.2.1.
func Sign ¶
func Sign(output io.Writer, signers []*Entity, hints *FileHints, config *packet.Config) (input io.WriteCloser, err error)
Sign signs a message. The resulting WriteCloser must be closed after the contents of the file have been written. Hints contains optional information that aids the recipients in processing the message. The crypto-refresh recommends to not set file hints since the data is not included in the signature hash. See https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-5.9. If config is nil, sensible defaults will be used.
func SignWithParams ¶
func SignWithParams(output io.Writer, signers []*Entity, params *SignParams) (input io.WriteCloser, err error)
SignWithParams signs a message. The resulting WriteCloser must be closed after the contents of the file have been written. SignParams can contain optional params and can be nil for defaults.
func SymmetricallyEncrypt ¶
func SymmetricallyEncrypt(ciphertext io.Writer, passphrase []byte, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error)
SymmetricallyEncrypt acts like gpg -c: it encrypts a file with a passphrase. The resulting WriteCloser must be closed after the contents of the file have been written. If config is nil, sensible defaults will be used.
func SymmetricallyEncryptWithParams ¶
func SymmetricallyEncryptWithParams(passphrase []byte, dataWriter io.Writer, params *EncryptParams) (plaintext io.WriteCloser, err error)
SymmetricallyEncryptWithParams acts like SymmetricallyEncrypt but provides more configuration options. EncryptParams provides the optional parameters. The resulting WriteCloser must be closed after the contents of the file have been written.
Types ¶
type EncryptParams ¶
type EncryptParams struct { // KeyWriter is a Writer to which the encrypted // session keys are written to. // If nil, DataWriter is used instead. KeyWriter io.Writer // Hints contains file metadata for the literal data packet. // If nil, default is used. Hints *FileHints // SiningEntities contains the private keys to produce signatures with // If nil, no signatures are created. Signers []*Entity // TextSig indicates if signatures of type SigTypeText should be produced. TextSig bool // Passwords defines additional passwords that the message should be encrypted to. // i.e., for each defined password an additional SKESK packet is written. Passwords [][]byte // SessionKey provides a session key to be used for encryption. // If nil, a random one-time session key is generated. SessionKey []byte // OutsideSig allows to set a signature that should be included // in the message to encrypt. // Should only be used for exceptional cases. // If nil, ignored. OutsideSig []byte // EncryptionTime allows to override the time that is used // for selecting the encryption key. // If EncryptionTime is zero (i.e., EncryptionTime.isZero()) expiration checks // are not performed on the encryption key. // If nil, the default clock in config is used. EncryptionTime *time.Time // Config provides the config to be used. // If Config is nil, sensible defaults will be used. Config *packet.Config }
type Entity ¶
type Entity struct { PrimaryKey *packet.PublicKey PrivateKey *packet.PrivateKey Identities map[string]*Identity // indexed by Identity.Name Revocations []*packet.VerifiableSignature DirectSignatures []*packet.VerifiableSignature // Direct-key self signature of the PrimaryKey (contains primary key properties in v6)} Subkeys []Subkey }
An Entity represents the components of an OpenPGP key: a primary public key (which must be a signing key), one or more identities claimed by that key, and zero or more subkeys, which may be encryption keys.
func NewEntity ¶
NewEntity returns an Entity that contains fresh keys with a for signing and encrypting pgp messages. The key is associated with a single identity composed of the given full name, comment and email, any of which may be empty but must not contain any of "()<>\x00". If config is nil, sensible defaults will be used.
func NewEntityWithoutId ¶
NewEntityWithoutId returns an Entity that contains fresh keys for signing and encrypting pgp messages. The key is not associated with an identity. This is only allowed for v6 key generation. If v6 is not enabled, it will return an error. If config is nil, sensible defaults will be used.
func ReadEntity ¶
ReadEntity reads an entity (public key, identities, subkeys etc) from the given Reader.
func VerifyArmoredDetachedSignature ¶
func VerifyArmoredDetachedSignature(keyring KeyRing, signed, signature io.Reader, config *packet.Config) (sig *packet.Signature, signer *Entity, err error)
VerifyArmoredDetachedSignature performs the same actions as VerifyDetachedSignature but expects the signature to be armored.
func VerifyDetachedSignature ¶
func VerifyDetachedSignature(keyring KeyRing, signed, signature io.Reader, config *packet.Config) (sig *packet.Signature, signer *Entity, err error)
VerifyDetachedSignature takes a signed file and a detached signature and returns the signature packet and the entity the signature was signed by, if any, and a possible signature verification error. If the signer isn't known, ErrUnknownIssuer is returned.
func (*Entity) AddDirectKeySignature ¶
func (t *Entity) AddDirectKeySignature(selectedKeyProperties *keyProperties, config *packet.Config) error
AddDirectKeySignature adds a fresh direct key signature with the selected key-properties.
func (*Entity) AddEncryptionSubkey ¶
AddEncryptionSubkey adds an encryption keypair as a subkey to the Entity. If config is nil, sensible defaults will be used.
func (*Entity) AddSigningSubkey ¶
AddSigningSubkey adds a signing keypair as a subkey to the Entity. If config is nil, sensible defaults will be used.
func (*Entity) CertificationKey ¶
CertificationKey return the best candidate Key for certifying a key with this Entity.
func (*Entity) CertificationKeyById ¶
CertificationKeyById return the Key for key certification with this Entity and keyID.
func (*Entity) DecryptPrivateKeys ¶
DecryptPrivateKeys decrypts all encrypted keys in the entity with the given passphrase. Avoids recomputation of similar s2k key derivations. Public keys and dummy keys are ignored, and don't cause an error to be returned.
func (*Entity) DecryptionKeys ¶
DecryptionKeys returns all keys that are available for decryption, matching the keyID when given If date is zero (i.e., date.IsZero() == true) the time checks are not performed, which should be proffered to decrypt older messages. If id is 0 all decryption keys are returned. This is useful to retrieve keys for session key decryption.
func (*Entity) EncryptPrivateKeys ¶
EncryptPrivateKeys encrypts all non-encrypted keys in the entity with the same key derived from the provided passphrase. Public keys and dummy keys are ignored, and don't cause an error to be returned.
func (*Entity) EncryptionKey ¶
EncryptionKey returns the best candidate Key for encrypting a message to the given Entity.
func (*Entity) LatestValidDirectSignature ¶
func (e *Entity) LatestValidDirectSignature(date time.Time, config *packet.Config) (selectedSig *packet.Signature, err error)
LatestValidDirectSignature returns the latest valid direct key-signature of the entity.
func (*Entity) NewForwardingEntity ¶
func (e *Entity) NewForwardingEntity( name, comment, email string, config *packet.Config, strict bool, ) ( forwardeeKey *Entity, instances []packet.ForwardingInstance, err error, )
NewForwardingEntity generates a new forwardee key and derives the proxy parameters from the entity e. If strict, it will return an error if encryption-capable non-revoked subkeys with a wrong algorithm are found, instead of ignoring them
func (*Entity) PrimaryIdentity ¶
func (e *Entity) PrimaryIdentity(date time.Time, config *packet.Config) (*packet.Signature, *Identity)
PrimaryIdentity returns a valid non-revoked Identity while preferring identities marked as primary, or the latest-created identity, in that order. Returns an nil for both return values if there is no valid primary identity.
func (*Entity) PrimarySelfSignature ¶
func (e *Entity) PrimarySelfSignature(date time.Time, config *packet.Config) (primarySig *packet.Signature, err error)
PrimarySelfSignature searches the entity for the self-signature that stores key preferences. For V4 keys, returns the self-signature of the primary identity, and the identity. For V6 keys, returns the latest valid direct-key self-signature, and no identity (nil). This self-signature is to be used to check the key expiration, algorithm preferences, and so on.
func (*Entity) Revoke ¶
func (e *Entity) Revoke(reason packet.ReasonForRevocation, reasonText string, config *packet.Config) error
Revoke generates a key revocation signature (packet.SigTypeKeyRevocation) with the specified reason code and text (RFC4880 section-5.2.3.23). If config is nil, sensible defaults will be used.
func (*Entity) Revoked ¶
Revoked returns whether the entity has any direct key revocation signatures. Note that third-party revocation signatures are not supported. Note also that Identity and Subkey revocation should be checked separately.
func (*Entity) Serialize ¶
Serialize writes the public part of the given Entity to w, including signatures from other entities. No private key material will be output.
func (*Entity) SerializePrivate ¶
SerializePrivate serializes an Entity, including private key material, but excluding signatures from other entities, to the given Writer. Identities and subkeys are re-signed in case they changed since NewEntry. If config is nil, sensible defaults will be used.
func (*Entity) SerializePrivateWithoutSigning ¶
SerializePrivateWithoutSigning serializes an Entity, including private key material, but excluding signatures from other entities, to the given Writer. Self-signatures of identities and subkeys are not re-signed. This is useful when serializing GNU dummy keys, among other things. If config is nil, sensible defaults will be used.
func (*Entity) SignIdentity ¶
SignIdentity adds a signature to e, from signer, attesting that identity is associated with e. The provided identity must already be an element of e.Identities and the private key of signer must have been decrypted if necessary. If config is nil, sensible defaults will be used.
func (*Entity) SigningKey ¶
SigningKey return the best candidate Key for signing a message with this Entity.
func (*Entity) SigningKeyById ¶
SigningKeyById return the Key for signing a message with this Entity and keyID.
func (*Entity) VerifyPrimaryKey ¶
VerifyPrimaryKey checks if the primary key is valid by checking: - that the primary key is has not been revoked at the given date, - that there is valid non-expired self-signature, - that the primary key is not expired given its self-signature. If date is zero (i.e., date.IsZero() == true) the time checks are not performed.
type EntityList ¶
type EntityList []*Entity
EntityList contains one or more Entities.
func ReadArmoredKeyRing ¶
func ReadArmoredKeyRing(r io.Reader) (EntityList, error)
ReadArmoredKeyRing reads one or more public/private keys from an armor keyring file.
func ReadKeyRing ¶
func ReadKeyRing(r io.Reader) (el EntityList, err error)
ReadKeyRing reads one or more public/private keys. Unsupported keys are ignored as long as at least a single valid key is found.
func (EntityList) EntitiesById ¶
func (el EntityList) EntitiesById(id uint64) (entities []*Entity)
EntitiesById returns the entities that contain a key with the given key id.
func (EntityList) KeysById ¶
func (el EntityList) KeysById(id uint64) (keys []Key)
KeysById returns the set of keys that have the given key id. KeysById does not perform any key validation, and the self-signature fields in the returned key structs are nil.
type FileHints ¶
type FileHints struct { // IsUTF8 can be set to hint that the contents are utf8 encoded data. IsUTF8 bool // FileName hints at the name of the file that should be written. FileName string // ModTime contains the modification time of the file, or the zero time if not applicable. ModTime time.Time }
FileHints contains metadata about encrypted files. This metadata is, itself, encrypted. OpenPGP signatures do not include the FileHints in a signature hash and thus those fields are not protected against tampering in a signed document. The crypto[refresh does not recommend to set the data in file hints. See https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-5.9.
type Identity ¶
type Identity struct { Primary *Entity Name string // by convention, has the form "Full Name (comment) <email@example.com>" UserId *packet.UserId SelfCertifications []*packet.VerifiableSignature OtherCertifications []*packet.VerifiableSignature Revocations []*packet.VerifiableSignature }
Identity represents an identity claimed by an Entity and zero or more assertions by other entities about that claim.
func (*Identity) LatestValidSelfCertification ¶
func (i *Identity) LatestValidSelfCertification(date time.Time, config *packet.Config) (selectedSig *packet.Signature, err error)
LatestValidSelfCertification returns the latest valid self-signature of this user-id that is not newer than the provided date. Does not consider signatures that are expired. If date is zero (i.e., date.IsZero() == true) the expiration checks are not performed. Returns a StructuralError if no valid self-certification is found.
func (*Identity) Revoked ¶
func (i *Identity) Revoked(selfCertification *packet.Signature, date time.Time, config *packet.Config) bool
Revoked returns whether the identity has been revoked by a self-signature. Note that third-party revocation signatures are not supported.
func (*Identity) SignIdentity ¶
SignIdentity adds a signature to e, from signer, attesting that identity is associated with e. The provided identity must already be an element of e.Identities and the private key of signer must have been decrypted if necessary. If config is nil, sensible defaults will be used.
func (*Identity) Verify ¶
func (i *Identity) Verify(date time.Time, config *packet.Config) (selfSignature *packet.Signature, err error)
Verify checks if the user-id is valid by checking: - that a valid self-certification exists and is not expired - that user-id has not been revoked at the given point in time If date is zero (i.e., date.IsZero() == true) the time checks are not performed.
type Key ¶
type Key struct { Entity *Entity PrimarySelfSignature *packet.Signature // might be nil, if not verified PublicKey *packet.PublicKey PrivateKey *packet.PrivateKey SelfSignature *packet.Signature // might be nil, if not verified }
A Key identifies a specific public key in an Entity. This is either the Entity's primary key or a subkey.
type KeyRing ¶
type KeyRing interface { // KeysById returns the set of keys that have the given key id. // KeysById does not perform any signature validations and verification of the returned keys. KeysById(id uint64) []Key // EntitiesById returns the set of entities that contain a key with the given key id. // EntitiesById does not perform any signature validations and verification of the returned keys. EntitiesById(id uint64) []*Entity }
A KeyRing provides access to public and private keys.
type MessageDetails ¶
type MessageDetails struct { IsEncrypted bool // true if the message was encrypted. EncryptedToKeyIds []uint64 // the list of recipient key ids. IsSymmetricallyEncrypted bool // true if a passphrase could have decrypted the message. DecryptedWith Key // the private key used to decrypt the message, if any. DecryptedWithAlgorithm packet.CipherFunction // Stores the algorithm used to decrypt the message, if any. IsSigned bool // true if the message is signed. LiteralData *packet.LiteralData // the metadata of the contents UnverifiedBody io.Reader // the contents of the message. CheckRecipients bool // Indicates if the intended recipients should be checked SessionKey []byte // Caches the session key if the flag in packet.Config is set to true and a session key was present. // If IsSigned is true then the signature candidates will // be verified as UnverifiedBody is read. The signature cannot be // checked until the whole of UnverifiedBody is read so UnverifiedBody // must be consumed until EOF before the data can be trusted. Even if a // message isn't signed (or the signer is unknown) the data may contain // an authentication code that is only checked once UnverifiedBody has // been consumed. Once EOF has been seen, the following fields are // valid. (An authentication code failure is reported as a // SignatureError error when reading from UnverifiedBody.) IsVerified bool // true if the signatures have been verified else false SignatureCandidates []*SignatureCandidate // stores state for all signatures of this message SignedBy *Key // the issuer key of the fist successfully verified signature, if any found. Signature *packet.Signature // the first successfully verified signature, if any found. // SignatureError is nil if one of the signatures in the message verifies successfully // else it points to the last observed signature error. // The error of each signature verification can be inspected by iterating trough // SignatureCandidates. SignatureError error // SelectedCandidate points to the signature candidate the SignatureError error stems from or // the selected successfully verified signature candidate. SelectedCandidate *SignatureCandidate // contains filtered or unexported fields }
MessageDetails contains the result of parsing an OpenPGP encrypted and/or signed message.
func ReadMessage ¶
func ReadMessage(r io.Reader, keyring KeyRing, prompt PromptFunction, config *packet.Config) (md *MessageDetails, err error)
ReadMessage parses an OpenPGP message that may be signed and/or encrypted. The given KeyRing should contain both public keys (for signature verification) and, possibly encrypted, private keys for decrypting. If config is nil, sensible defaults will be used.
func VerifyDetachedSignatureReader ¶
func VerifyDetachedSignatureReader(keyring KeyRing, signed, signature io.Reader, config *packet.Config) (md *MessageDetails, err error)
VerifyDetachedSignatureReader takes a signed file and a detached signature and returns message details struct similar to the ReadMessage function. Once all data is read from md.UnverifiedBody the detached signature is verified. If a verification error occurs it is stored in md.SignatureError If the signer isn't known, ErrUnknownIssuer is returned.
type PromptFunction ¶
A PromptFunction is used as a callback by functions that may need to decrypt a private key, or prompt for a passphrase. It is called with a list of acceptable, encrypted private keys and a boolean that indicates whether a passphrase is usable. It should either decrypt a private key or return a passphrase to try. If the decrypted private key or given passphrase isn't correct, the function will be called again, forever. Any error returned will be passed up.
type SignParams ¶
type SignParams struct { // Hints contains file metadata for the literal data packet. // The crypto-refresh recommends to not set file hints since the data is not included in the signature hash. // See https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#section-5.9. // If nil, default is used. Hints *FileHints // TextSig indicates if signatures of type SigTypeText should be produced TextSig bool // OutsideSig allows to set a signature that should be included // in an inline signed message. // Should only be used for exceptional cases. // If nil, ignored. OutsideSig []byte // Config provides the config to be used. // If Config is nil, sensible defaults will be used. Config *packet.Config }
type SignatureCandidate ¶
type SignatureCandidate struct { OPSVersion int SigType packet.SignatureType HashAlgorithm crypto.Hash PubKeyAlgo packet.PublicKeyAlgorithm IssuerKeyId uint64 IssuerFingerprint []byte Salt []byte // v6 only SignedByEntity *Entity SignedBy *Key // the key of the signer, if available. (OPS) SignatureError error // nil if the signature is valid or not checked. CorrespondingSig *packet.Signature // the candidate's signature packet Hash, WrappedHash hash.Hash // hashes for this signature candidate (OPS) }
SignatureCandidate keeps state about a signature that can be potentially verified.
type Subkey ¶
type Subkey struct { Primary *Entity PublicKey *packet.PublicKey PrivateKey *packet.PrivateKey Bindings []*packet.VerifiableSignature Revocations []*packet.VerifiableSignature }
Subkey is an additional public key in an Entity. Subkeys can be used for encryption.
func (*Subkey) Expired ¶
Expired checks if given the selected self-signature if the subkey is expired.
func (*Subkey) LatestValidBindingSignature ¶
func (s *Subkey) LatestValidBindingSignature(date time.Time, config *packet.Config) (selectedSig *packet.Signature, err error)
LatestValidBindingSignature returns the latest valid self-signature of this subkey that is not newer than the provided date. Does not consider signatures/embedded signatures that are expired. If date is zero (i.e., date.IsZero() == true) the expiration checks are not performed. Returns a StructuralError if no valid self-signature is found.
func (*Subkey) ReSign ¶
ReSign resigns the latest valid subkey binding signature with the given config.
func (*Subkey) Revoke ¶
func (s *Subkey) Revoke(reason packet.ReasonForRevocation, reasonText string, config *packet.Config) error
Revoke generates a subkey revocation signature (packet.SigTypeSubkeyRevocation) for a subkey with the specified reason code and text (RFC4880 section-5.2.3.23). If config is nil, sensible defaults will be used.
func (*Subkey) Revoked ¶
Revoked returns whether the subkey has been revoked by a self-signature. Note that third-party revocation signatures are not supported.
func (*Subkey) Serialize ¶
Serialize serializes the subkey and writes it into writer. The includeSecrets flag controls if the secrets should be included in the encoding or not.
func (*Subkey) Verify ¶
func (s *Subkey) Verify(date time.Time, config *packet.Config) (selfSig *packet.Signature, err error)
Verify checks if the subkey is valid by checking: - that the key is not revoked - that there is valid non-expired binding self-signature - that the subkey is not expired If date is zero (i.e., date.IsZero() == true) the time checks are not performed.