openpgp.scm 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272
  1. ;;; GNU Guix --- Functional package management for GNU
  2. ;;; Copyright © 2020 Ludovic Courtès <ludo@gnu.org>
  3. ;;;
  4. ;;; This file is part of GNU Guix.
  5. ;;;
  6. ;;; GNU Guix is free software; you can redistribute it and/or modify it
  7. ;;; under the terms of the GNU General Public License as published by
  8. ;;; the Free Software Foundation; either version 3 of the License, or (at
  9. ;;; your option) any later version.
  10. ;;;
  11. ;;; GNU Guix is distributed in the hope that it will be useful, but
  12. ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
  13. ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14. ;;; GNU General Public License for more details.
  15. ;;;
  16. ;;; You should have received a copy of the GNU General Public License
  17. ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
  18. (define-module (tests-openpgp)
  19. #:use-module (guix openpgp)
  20. #:use-module (gcrypt base16)
  21. #:use-module (gcrypt hash)
  22. #:use-module (gcrypt pk-crypto)
  23. #:use-module (ice-9 binary-ports)
  24. #:use-module (ice-9 match)
  25. #:use-module (rnrs bytevectors)
  26. #:use-module (srfi srfi-1)
  27. #:use-module (srfi srfi-11)
  28. #:use-module (srfi srfi-64)
  29. #:use-module (srfi srfi-71))
  30. (define %radix-64-sample
  31. ;; Example of Radix-64 encoding from Section 6.6 of RFC4880.
  32. "\
  33. -----BEGIN PGP MESSAGE-----
  34. Version: OpenPrivacy 0.99
  35. yDgBO22WxBHv7O8X7O/jygAEzol56iUKiXmV+XmpCtmpqQUKiQrFqclFqUDBovzS
  36. vBSFjNSiVHsuAA==
  37. =njUN
  38. -----END PGP MESSAGE-----\n")
  39. (define %radix-64-sample/crc-mismatch
  40. ;; This time with a wrong CRC24 value.
  41. "\
  42. -----BEGIN PGP MESSAGE-----
  43. yDgBO22WxBHv7O8X7O/jygAEzol56iUKiXmV+XmpCtmpqQUKiQrFqclFqUDBovzS
  44. vBSFjNSiVHsuAA==
  45. =AAAA
  46. -----END PGP MESSAGE-----\n")
  47. (define %binary-sample
  48. ;; Same message as %radix-64-sample, decoded into bytevector.
  49. (base16-string->bytevector
  50. "c838013b6d96c411efecef17ecefe3ca0004ce8979ea250a897995f979a9\
  51. 0ad9a9a9050a890ac5a9c945a940c1a2fcd2bc14858cd4a2547b2e00"))
  52. (define %civodul-fingerprint
  53. "3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5")
  54. (define %civodul-key-id #x090B11993D9AEBB5) ;civodul.pub
  55. #|
  56. Test keys in ./tests/keys. They were generated in a container along these lines:
  57. guix environment -CP --ad-hoc gnupg pinentry coreutils
  58. then, within the container:
  59. mkdir ~/.gnupg && chmod -R og-rwx ~/.gnupg
  60. gpg --batch --passphrase '' --quick-gen-key '<example@example.com>' ed25519
  61. gpg --armor --export example@example.com
  62. gpg --armor --export-secret-key example@example.com
  63. # echo pinentry-program ~/.guix-profile/bin/pinentry-curses > ~/.gnupg/gpg-agent.conf
  64. or similar.
  65. |#
  66. (define %rsa-key-id #xAE25DA2A70DEED59) ;rsa.pub
  67. (define %dsa-key-id #x587918047BE8BD2C) ;dsa.pub
  68. (define %ed25519-key-id #x771F49CBFAAE072D) ;ed25519.pub
  69. (define %rsa-key-fingerprint
  70. (base16-string->bytevector
  71. (string-downcase "385F86CFC86B665A5C165E6BAE25DA2A70DEED59")))
  72. (define %dsa-key-fingerprint
  73. (base16-string->bytevector
  74. (string-downcase "2884A980422330A4F33DD97F587918047BE8BD2C")))
  75. (define %ed25519-key-fingerprint
  76. (base16-string->bytevector
  77. (string-downcase "44D31E21AF7138F9B632280A771F49CBFAAE072D")))
  78. ;;; The following are detached signatures created commands like:
  79. ;;; echo 'Hello!' | gpg -sba --digest-algo sha512
  80. ;;; They are detached (no PACKET-ONE-PASS-SIGNATURE) and uncompressed.
  81. (define %hello-signature/rsa
  82. ;; Signature of the ASCII string "Hello!\n".
  83. "\
  84. -----BEGIN PGP SIGNATURE-----
  85. iQEzBAABCAAdFiEEOF+Gz8hrZlpcFl5rriXaKnDe7VkFAl4SRF0ACgkQriXaKnDe
  86. 7VlIyQf/TU5rGUK42/C1ULoWvvm25Mjwh6xxoPPkuBxvos8bE6yKr/vJZePU3aSE
  87. mjbVFcO7DioxHMqLd49j803bUtdllJVU18ex9MkKbKjapkgEGkJsuTTzqyONprgk
  88. 7xtZGBWuxkP1M6hJICJkA3Ys+sTdKalux/pzr5OWAe+gxytTF/vr/EyJzdmBxbJv
  89. /fhd1SeVIXSw4c5gf2Wcvcgfy4N5CiLaUb7j4646KBTvDvmUMcDZ+vmKqC/XdQeQ
  90. PrjArGKt40ErVd98fwvNHZnw7VQMx0A3nL3joL5g7/RckDOUb4mqKoqLsLd0wPHP
  91. y32DiDUY9s3sy5OMzX4Y49em8vxvlg==
  92. =ASEm
  93. -----END PGP SIGNATURE-----")
  94. (define %hello-signature/dsa
  95. "\
  96. -----BEGIN PGP SIGNATURE-----
  97. iHUEABEIAB0WIQQohKmAQiMwpPM92X9YeRgEe+i9LAUCXhJFpQAKCRBYeRgEe+i9
  98. LDAaAQC0lXPQepvZBANAUtRLMZuOwL9NQPkfhIwUXtLEBBzyFQD/So8DcybXpRBi
  99. JKOiyAQQjMs/GJ6qMEQpRAhyyJRAock=
  100. =iAEc
  101. -----END PGP SIGNATURE-----")
  102. (define %hello-signature/ed25519/sha256 ;digest-algo: sha256
  103. "\
  104. -----BEGIN PGP SIGNATURE-----
  105. iHUEABYIAB0WIQRE0x4hr3E4+bYyKAp3H0nL+q4HLQUCXqRADAAKCRB3H0nL+q4H
  106. LUImAP9/foaSjPFC/MSr52LNV5ROSL9haea4jPpUP+N6ViFGowEA+AE/xpXPIqsz
  107. R6CdxMevURuqUpqQ7rHeiMmdUepeewU=
  108. =tLXy
  109. -----END PGP SIGNATURE-----")
  110. (define %hello-signature/ed25519/sha512 ;digest-algo: sha512
  111. "\
  112. -----BEGIN PGP SIGNATURE-----
  113. iHUEABYKAB0WIQRE0x4hr3E4+bYyKAp3H0nL+q4HLQUCXqRAGgAKCRB3H0nL+q4H
  114. LTeKAP0S8LiiosJXOARlYNdhfGw9j26lHrbwJh5CORGlaqqIJAEAoMYcmtNa2b6O
  115. inlEwB/KQM88O9RwA8xH7X5a0rodOw4=
  116. =68r/
  117. -----END PGP SIGNATURE-----")
  118. (define %hello-signature/ed25519/sha1 ;digest-algo: sha1
  119. "\
  120. -----BEGIN PGP SIGNATURE-----
  121. iHUEABYCAB0WIQRE0x4hr3E4+bYyKAp3H0nL+q4HLQUCXqRALQAKCRB3H0nL+q4H
  122. LdhEAQCfkdYhIVRa43oTNw9EL/TDFGQjXSHNRFVU0ktjkWbkQwEAjIXhvj2sqy79
  123. Pz7oopeN72xgggYUNT37ezqN3MeCqw0=
  124. =AE4G
  125. -----END PGP SIGNATURE-----")
  126. (test-begin "openpgp")
  127. (test-equal "read-radix-64"
  128. '(#t "PGP MESSAGE")
  129. (let-values (((data type)
  130. (call-with-input-string %radix-64-sample read-radix-64)))
  131. (list (bytevector? data) type)))
  132. (test-equal "read-radix-64, CRC mismatch"
  133. '(#f "PGP MESSAGE")
  134. (call-with-values
  135. (lambda ()
  136. (call-with-input-string %radix-64-sample/crc-mismatch
  137. read-radix-64))
  138. list))
  139. (test-assert "port-ascii-armored?, #t"
  140. (call-with-input-string %radix-64-sample port-ascii-armored?))
  141. (test-assert "port-ascii-armored?, #f"
  142. (not (port-ascii-armored? (open-bytevector-input-port %binary-sample))))
  143. (test-assert "get-openpgp-keyring"
  144. (let* ((key (search-path %load-path "tests/keys/civodul.pub"))
  145. (keyring (get-openpgp-keyring
  146. (open-bytevector-input-port
  147. (call-with-input-file key read-radix-64)))))
  148. (let-values (((primary packets)
  149. (lookup-key-by-id keyring %civodul-key-id)))
  150. (let ((fingerprint (openpgp-public-key-fingerprint primary)))
  151. (and (= (openpgp-public-key-id primary) %civodul-key-id)
  152. (not (openpgp-public-key-subkey? primary))
  153. (string=? (openpgp-format-fingerprint fingerprint)
  154. %civodul-fingerprint)
  155. (string=? (openpgp-user-id-value (find openpgp-user-id? packets))
  156. "Ludovic Courtès <ludo@gnu.org>")
  157. (eq? (lookup-key-by-fingerprint keyring fingerprint)
  158. primary))))))
  159. (test-equal "get-openpgp-detached-signature/ascii"
  160. (list `(,%dsa-key-id ,%dsa-key-fingerprint dsa sha256)
  161. `(,%rsa-key-id ,%rsa-key-fingerprint rsa sha256)
  162. `(,%ed25519-key-id ,%ed25519-key-fingerprint eddsa sha256)
  163. `(,%ed25519-key-id ,%ed25519-key-fingerprint eddsa sha512)
  164. `(,%ed25519-key-id ,%ed25519-key-fingerprint eddsa sha1))
  165. (map (lambda (str)
  166. (let ((signature (get-openpgp-detached-signature/ascii
  167. (open-input-string str))))
  168. (list (openpgp-signature-issuer-key-id signature)
  169. (openpgp-signature-issuer-fingerprint signature)
  170. (openpgp-signature-public-key-algorithm signature)
  171. (openpgp-signature-hash-algorithm signature))))
  172. (list %hello-signature/dsa
  173. %hello-signature/rsa
  174. %hello-signature/ed25519/sha256
  175. %hello-signature/ed25519/sha512
  176. %hello-signature/ed25519/sha1)))
  177. (test-equal "verify-openpgp-signature, missing key"
  178. `(missing-key ,%rsa-key-fingerprint)
  179. (let* ((keyring (get-openpgp-keyring (%make-void-port "r")))
  180. (signature (string->openpgp-packet %hello-signature/rsa)))
  181. (let-values (((status key)
  182. (verify-openpgp-signature signature keyring
  183. (open-input-string "Hello!\n"))))
  184. (list status key))))
  185. (test-equal "verify-openpgp-signature, good signatures"
  186. `((good-signature ,%rsa-key-id)
  187. (good-signature ,%dsa-key-id)
  188. (good-signature ,%ed25519-key-id)
  189. (good-signature ,%ed25519-key-id)
  190. (good-signature ,%ed25519-key-id))
  191. (map (lambda (key signature)
  192. (let* ((key (search-path %load-path key))
  193. (keyring (get-openpgp-keyring
  194. (open-bytevector-input-port
  195. (call-with-input-file key read-radix-64))))
  196. (signature (string->openpgp-packet signature)))
  197. (let-values (((status key)
  198. (verify-openpgp-signature signature keyring
  199. (open-input-string "Hello!\n"))))
  200. (list status (openpgp-public-key-id key)))))
  201. (list "tests/keys/rsa.pub" "tests/keys/dsa.pub"
  202. "tests/keys/ed25519.pub"
  203. "tests/keys/ed25519.pub"
  204. "tests/keys/ed25519.pub")
  205. (list %hello-signature/rsa %hello-signature/dsa
  206. %hello-signature/ed25519/sha256
  207. %hello-signature/ed25519/sha512
  208. %hello-signature/ed25519/sha1)))
  209. (test-equal "verify-openpgp-signature, bad signature"
  210. `((bad-signature ,%rsa-key-id)
  211. (bad-signature ,%dsa-key-id)
  212. (bad-signature ,%ed25519-key-id)
  213. (bad-signature ,%ed25519-key-id)
  214. (bad-signature ,%ed25519-key-id))
  215. (let ((keyring (fold (lambda (key keyring)
  216. (let ((key (search-path %load-path key)))
  217. (get-openpgp-keyring
  218. (open-bytevector-input-port
  219. (call-with-input-file key read-radix-64))
  220. keyring)))
  221. %empty-keyring
  222. '("tests/keys/rsa.pub" "tests/keys/dsa.pub"
  223. "tests/keys/ed25519.pub" "tests/keys/ed25519.pub"
  224. "tests/keys/ed25519.pub"))))
  225. (map (lambda (signature)
  226. (let ((signature (string->openpgp-packet signature)))
  227. (let-values (((status key)
  228. (verify-openpgp-signature signature keyring
  229. (open-input-string "What?!"))))
  230. (list status (openpgp-public-key-id key)))))
  231. (list %hello-signature/rsa %hello-signature/dsa
  232. %hello-signature/ed25519/sha256
  233. %hello-signature/ed25519/sha512
  234. %hello-signature/ed25519/sha1))))
  235. (test-end "openpgp")