keybase / kbpgp Goto Github PK

If I get a PGP message that is encrypted and signed, but I don't have the key of the sender (to verify), unbox will throw an error ("key not found"), even if it decrypted ok and has literals.

Maybe unbox should pass back that the message was signed with key(s) but couldn't find them to verify.

Following new spec (v5) which has binary and UTF-8 types, and also application-specific types.

One for encryption and one for signing.

Seems to be stuck in the pre-Chrome days.

We need: Async utils (like ASP), openpgp-specific utils, and keybase-packet-utils.

(don't use the real passphrase..)

we have one for private, none for public...

Would be good to specify multiple userids on key generation, so you can add a users real email and their keybase info:

userid: ["Test User <[email protected]>", "keybase.io/testuser <[email protected]>"]

Looks like GO is eventually going to have one...

This thesis is helpful: http://rsapss.hboeck.de/rsapss-1.0.2.pdf

• Also, a key-manager that works with Keybase public keys.

We should expose it properly from triplesec

...to make sure they have not expired.

It seemed to be needed in public keys, but not in private keys. We might want to revisit this distinction later.

See comment in openpgp/packet/keymaterial.iced in the function is_signed_subkey_of.

Right now it's hard-coded into kbpacket/keymaterial.iced.

Hi,

I wanted to try out some of the command-line features of Keybase, and noticed that you could run keybase dir verify on this project after cloning it. Unfortunately, I'm getting the following output after running that command:

warn: gpg: Signature made Thu Sep 18 10:26:36 2014 EDT
warn: gpg:                using RSA key 980A3F0D01FE04DF
warn: gpg: requesting key 980A3F0D01FE04DF from hkp server 127.0.0.1
warn: gpg: key 6052B2AD31A6631C: rejected by import filter
warn: gpg: Total number processed: 1
warn: [GNUPG:] IMPORT_RES 1 0 0 0 0 0 0 0 0 0 0 0 0 0
warn: [GNUPG:] ERRSIG 980A3F0D01FE04DF 1 10 00 1411050396 9
warn: [GNUPG:] NO_PUBKEY 980A3F0D01FE04DF
warn: gpg: Can't check signature: public key not found
error: `gpg` exited with code 2

My installation of gpg is from Homebrew - here's the output of brew info gpg:

gnupg: stable 1.4.18 (bottled)
http://www.gnupg.org/
/usr/local/Cellar/gnupg/1.4.18 (54 files, 5.3M) *
  Poured from bottle
From: https://github.com/Homebrew/homebrew/blob/master/Library/Formula/gnupg.rb

https://keybase.io/kbpgp is showing the older 1.0.0 release

I am using kbpgp-1.1.0.js in browser and am having trouble importing a private key.

I am not seeing the private key read into the armor private property on the key proto. The public key works fine. It appears the returned object does not have the private key property or unlock_pgp method.

TypeError: undefined is not a function
at http://localhost:8100/js/services.js:985:24
at http://localhost:8100/lib/kbpgp/rel/kbpgp-1.1.0.js:4950:18
at Deferrals.exports.Deferrals.Deferrals._call (http://localhost:8100/lib/kbpgp/rel/kbpgp-1.1.0.js:26024:16)
at http://localhost:8100/lib/kbpgp/rel/kbpgp-1.1.0.js:26036:26
at exports.trampoline.trampoline (http://localhost:8100/lib/kbpgp/rel/kbpgp-1.1.0.js:26002:14)
at Deferrals.exports.Deferrals.Deferrals._fulfill (http://localhost:8100/lib/kbpgp/rel/kbpgp-1.1.0.js:26034:16)
at http://localhost:8100/lib/kbpgp/rel/kbpgp-1.1.0.js:4946:28
at KeyManager.unlock_pgp (http://localhost:8100/lib/kbpgp/rel/kbpgp-1.1.0.js:4948:15)
at http://localhost:8100/js/services.js:981:20
at http://localhost:8100/lib/kbpgp/rel/kbpgp-1.1.0.js:4915:18

            kbpgp.KeyManager.import_from_armored_pgp({
                    armored: pair.publicKeyArmored
                }, function(err, imported) {
                    if (!err) {
                        imported.merge_pgp_private({
                            armored: pair.privateKeyArmored
                        }, function(err) {
                            if (!err) {
                                if (imported.is_pgp_locked()) {
                                    imported.unlock_pgp({
                                        passphrase: pin
                                    }, function(err) {
                                        if (!err) {
                                            var ring = new kbpgp.keyring.KeyRing;
                                            var kms = [imported];
                                            for (var i in kms) {
                                                ring.add_key_manager(kms[i]);
                                            }
                                            kbpgp.unbox({keyfetch: ring, armored: msg }, function(err, literals) {
                                                if (err != null) {

                                                } else {
                                                    deferred.resolve(literals[0].toString());
                                                }
                                            });
                                        }
                                    });
                                }
                            }
                        });
                    }
                });

Pick one and stick with it! See keymaterial.iced and keymanager.iced for more details.

Like in msg_roundtrip.iced. We might want to refactor that reg test to do everything twice over different keys.

there's something going on that's taking a while. maybe computing n=pq ?

In particular, see

https://github.com/keybase/kbpgp/blob/master/src/openpgp/packet/signature.iced#L207-L218

Uncaught AssertionError: cannot write a non-number as a number 

The problem is that we're trying to write a bool out as a uint8.

Use TweetNacl or Nacl library for crypto

Key type=20

More info here

Related to keybase/keybase-issues#273

npm install kbpgp

Gets me 1.0.0

var k = require('kbpgp')
console.log(k)

results in

Error: Cannot find module 'iced-coffee-script/lib/coffee-script/iced'

cool stuff you guys are doing.

I'm a contributor to OpenPGP.js and I was wondering how we might share code more effectively. The library has improved quite a bit in terms of code quality and testing in the last 6 months and we just underwent our first complete security audit:
https://github.com/openpgpjs/openpgpjs/wiki/Cure53-security-audit

If I'm not mistaken this library is based on OpenPGP.js?

Thanks

See here for more details:

https://github.com/keybase/keybase/issues/41

See the comment in openpgp/packet/keymaterial.iced

We need to be way more careful about scrubbing, but it's hard to even start to figure it out with the openpgpjs code.

Right now we're only handling one, and that's going to break in certain cases.

I was following the examples for using the key manager to generate a key pair, and I am getting this error (trying to export the private key).

/home/ubuntu/.nvm/v0.10.26/lib/node_modules/kbpgp/lib/keymanager.js:1390
      passphrase = _arg.passphrase, asp = _arg.asp, regen = _arg.regen;
                   ^
TypeError: Cannot read property 'passphrase' of undefined
    at KeyManager.export_pgp_private_to_client     (/home/ubuntu/.nvm/v0.10.26/lib/node_modules/kbpgp/lib/keymanager.js:1390:24)
    at KeyManager.export_pgp_private     (/home/ubuntu/.nvm/v0.10.26/lib/node_modules/kbpgp/lib/keymanager.js:1408:48)
    at /home/ubuntu/workspace/pgp.js:40:13
    at KeyManager.sign     (/home/ubuntu/.nvm/v0.10.26/lib/node_modules/kbpgp/lib/keymanager.js:1539:18)
    at Deferrals.exports.Deferrals.Deferrals._call     (/home/ubuntu/.nvm/v0.10.26/lib/node_modules/kbpgp/node_modules/iced-runtime/lib/runtime.js:86:16)
    at exports.Deferrals.Deferrals._fulfill     (/home/ubuntu/.nvm/v0.10.26/lib/node_modules/kbpgp/node_modules/iced-runtime/lib/runtime.js:98:26)
    at exports.trampoline.trampoline     (/home/ubuntu/.nvm/v0.10.26/lib/node_modules/kbpgp/node_modules/iced-runtime/lib/runtime.js:64:14)
    at Deferrals.exports.Deferrals.Deferrals._fulfill     (/home/ubuntu/.nvm/v0.10.26/lib/node_modules/kbpgp/node_modules/iced-runtime/lib/runtime.js:96:16)
    at ret (/home/ubuntu/.nvm/v0.10.26/lib/node_modules/kbpgp/node_modules/iced-runtime/lib/runtime.js:29:18)
    at Engine.sign     (/home/ubuntu/.nvm/v0.10.26/lib/node_modules/kbpgp/lib/keymanager.js:263:20)

here is the code:

alice.export_pgp_private({
  passphrase: "my_secret_phrase"
}, function(err, pgp_private) {
  console.log("Private Key: ", pgp_private);
});

I think instead what we should do is just triplesec an unencrypted version of the PGP private key, this was the clients in Python, etc. won't have to reimplement the whole PGP stack.

Right now we're assuming it's always ON, but what if it's off?

...or something that has a consistent metaphor. The box/unbox is from NaCl.

We will have to understand the packet format and then parse it.

The caller probably shouldn't care about the format of the output. In other words, how would this work for DSA?

We have the wrong ASN codes for the hashes, need to use different ones, according to the RFC. If we're not going to handle v3, we should make a better error.

We have a mix of different options, in primary keys, subkeys, and also regular messages. We should clean this up and only have one way, if possible.

A lot of places we have hard-coded RSA support. We should fix this.

See openpgp.KeyMaterial::get_klass as an example.

Right now we have something in the KeyBlock processor when reading in keyblocks for signatures that we're skipping. We probably need a better system.

Need to borrow OIDs and packet format from GnuPG, since there's no RFC yet.

Right now it's always OFF, but what if it's ON?

See openpgp/packet/signature.iced.