Documentation
¶
Index ¶
- func CompareFingerprints(fp1, fp2 string) bool
- func ComputeHash(data []byte, algorithmBits int) string
- func ComputeIdentityHash(identity *Identity) string
- func GetIdentitySigningData(identity *Identity) string
- func IsValidBase64(s string) bool
- func IsValidHex(s string) bool
- func NormalizeFingerprint(fingerprint string) string
- func ValidateIdentitiesOrder(identities []Identity) error
- func ValidateIdentity(identity *Identity, signer *Identity) error
- func VerifyIdentitySignature(identity *Identity, signer *Identity) (bool, error)
- func VerifySignatureWithPublicKey(publicKeyBase64 string, data []byte, signatureHex string) (bool, error)
- type Identity
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CompareFingerprints ¶
CompareFingerprints compares two fingerprints for equality, ignoring case and spaces.
func ComputeHash ¶
ComputeHash computes a cryptographic hash of the data based on the algorithm bits. Uses SHA-512 for keys >= 256 bits (RSA 4096, ECC P-521), SHA-256 for smaller keys. This follows security best practices for matching hash strength to key strength.
func ComputeIdentityHash ¶
ComputeIdentityHash computes the canonical hash for an identity. The canonical format includes all identity fields in a deterministic order: added_at:algorithm:algorithm_bits:curve:created_at:expires_at:fingerprint:public_key:signed_by:uid
func GetIdentitySigningData ¶
GetIdentitySigningData returns the canonical data string used for signing an identity. This is the data that should be hashed and signed when creating an identity signature.
func IsValidBase64 ¶
IsValidBase64 checks if a string is valid base64 encoding (loose check). Returns true if the string contains only valid base64 characters (A-Z, a-z, 0-9, +, /, =).
func IsValidHex ¶
IsValidHex checks if a string is valid hexadecimal encoding. Returns true if the string contains only hex characters (0-9, a-f, A-F) and has an even length.
func NormalizeFingerprint ¶
NormalizeFingerprint normalizes a GPG fingerprint to uppercase without spaces.
func ValidateIdentitiesOrder ¶
ValidateIdentitiesOrder checks that identities are sorted by AddedAt (most recent last). This is required for append-only vault operations.
func ValidateIdentity ¶
ValidateIdentity performs comprehensive validation of an identity. It checks:
- Required fields are present (Signature, PublicKey)
- Signature is valid hex encoding
- Signature is cryptographically valid
Returns nil if valid, or an error describing the validation failure.
func VerifyIdentitySignature ¶
VerifyIdentitySignature verifies the cryptographic signature of an identity. It performs a two-step verification: 1. Computes the hash of canonical data and verifies it matches the stored hash 2. Verifies the signature of the hash using the signer's public key
Returns true if both verifications pass, false otherwise.
func VerifySignatureWithPublicKey ¶
func VerifySignatureWithPublicKey(publicKeyBase64 string, data []byte, signatureHex string) (bool, error)
VerifySignatureWithPublicKey performs cryptographic verification of a detached signature. The signature is stored as hex-encoded binary (created by gpg --detach-sign). The public key is base64-encoded and stored in the vault's identities list.
Verification process:
- Decode the public key from base64 encoding
- Parse the public key using ProtonMail's openpgp library
- Decode the signature from hex encoding
- Use openpgp.CheckDetachedSignature to verify the signature against the data
This approach catches:
- Any modification to the signed data (verification fails)
- Forged signatures (verification fails without correct private key)
- Corrupted or tampered signatures (invalid hex or parsing errors)
- Invalid public key encoding or format
Implementation uses github.com/ProtonMail/go-crypto/openpgp which:
- Supports both armored and binary public key formats
- Verifies detached signatures in OpenPGP format
- Does not require external GPG process
- Is compatible with standard GPG detached signatures
Types ¶
type Identity ¶
type Identity struct {
AddedAt time.Time `json:"added_at"`
Algorithm string `json:"algorithm"`
AlgorithmBits int `json:"algorithm_bits"`
Curve string `json:"curve,omitempty"`
CreatedAt time.Time `json:"created_at"`
ExpiresAt *time.Time `json:"expires_at,omitempty"`
Fingerprint string `json:"fingerprint"`
Hash string `json:"hash"`
PublicKey string `json:"public_key"`
SignedBy string `json:"signed_by"`
Signature string `json:"signature"`
UID string `json:"uid"`
}
Identity represents a user/machine identity with its public GPG key. Identities are stored in vault files and used to control access to secrets.
Source Files