├── .github ├── dependabot.yml └── workflows │ ├── linux.yml │ └── macos.yml ├── .gitignore ├── LICENSE ├── README.md ├── cmd ├── color.go ├── github.go ├── gitlab.go ├── root.go ├── sign.go ├── util.go └── verify.go ├── go.mod ├── go.sum ├── main.go ├── ring ├── challenge.go ├── ecdsa.go ├── ed25519.go ├── keys.go ├── ring_test.go ├── rsa.go ├── sigma.go ├── sign.go ├── transcript.go └── verify.go └── tests.sh /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: gomod 4 | directory: / 5 | schedule: 6 | interval: "weekly" 7 | -------------------------------------------------------------------------------- /.github/workflows/linux.yml: -------------------------------------------------------------------------------- 1 | name: Tests on Linux 2 | 3 | on: 4 | push: 5 | pull_request: 6 | 7 | jobs: 8 | check: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v2 12 | 13 | - name: Download particular version of Go 14 | run: curl -o go.tar.gz https://storage.googleapis.com/golang/go1.20.1.linux-amd64.tar.gz 15 | 16 | - name: Digest of compiler 17 | run: sha256sum go.tar.gz 18 | 19 | - name: Install Go 20 | run: sudo tar -C /usr/local -xzf go.tar.gz 21 | 22 | - name: Install Go 23 | run: sudo echo "/usr/local/go/bin" >> $GITHUB_PATH 24 | 25 | - name: Verify dependencies 26 | run: go mod verify 27 | 28 | - name: Build 29 | run: go build -v ./... 30 | 31 | - name: Run go vet 32 | run: go vet ./... 33 | 34 | - name: Install staticcheck 35 | run: GOBIN=/usr/local/bin/ go install honnef.co/go/tools/cmd/staticcheck@latest 36 | 37 | - name: Run staticcheck 38 | run: staticcheck ./... 39 | 40 | - name: Run unit tests 41 | run: go test -race -vet=off ./... 42 | 43 | - name: Build command util 44 | run: go build -asmflags -trimpath 45 | 46 | - name: Install dependencies for command utility tests. 47 | run: sudo apt update -y && sudo apt install -y ssh 48 | 49 | - name: Run integration tests for command utility. 50 | run: ./tests.sh 51 | env: 52 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 53 | 54 | - name: Digest of binary 55 | run: sha256sum ./git-ring 56 | 57 | - name: Upload binary 58 | uses: actions/upload-artifact@v3 59 | with: 60 | name: git-ring 61 | path: ./git-ring 62 | -------------------------------------------------------------------------------- /.github/workflows/macos.yml: -------------------------------------------------------------------------------- 1 | name: Tests on MacOS 2 | 3 | on: 4 | push: 5 | pull_request: 6 | 7 | jobs: 8 | check: 9 | runs-on: macOS-latest 10 | steps: 11 | - uses: actions/checkout@v2 12 | 13 | - name: Download particular version of Go 14 | run: curl -o go.tar.gz https://storage.googleapis.com/golang/go1.20.1.darwin-amd64.tar.gz 15 | 16 | - name: Install Go 17 | run: sudo tar -C /usr/local -xzf go.tar.gz 18 | 19 | - name: Install Go 20 | run: sudo echo "/usr/local/go/bin" >> $GITHUB_PATH 21 | 22 | - name: Verify dependencies 23 | run: go mod verify 24 | 25 | - name: Build 26 | run: go build -v ./... 27 | 28 | - name: Run go vet 29 | run: go vet ./... 30 | 31 | - name: Install staticcheck 32 | run: GOBIN=/usr/local/bin/ go install honnef.co/go/tools/cmd/staticcheck@latest 33 | 34 | - name: Run staticcheck 35 | run: staticcheck ./... 36 | 37 | - name: Run unit tests 38 | run: go test -race -vet=off ./... 39 | 40 | - name: Build command util 41 | run: go build -asmflags -trimpath 42 | 43 | - name: Run integration tests for command utility. 44 | run: ./tests.sh 45 | env: 46 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 47 | 48 | - name: Upload binary 49 | uses: actions/upload-artifact@v3 50 | with: 51 | name: git-ring 52 | path: ./git-ring 53 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | git-ring 2 | *.sig 3 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU AFFERO GENERAL PUBLIC LICENSE 2 | Version 3, 19 November 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU Affero General Public License is a free, copyleft license for 11 | software and other kinds of works, specifically designed to ensure 12 | cooperation with the community in the case of network server software. 13 | 14 | The licenses for most software and other practical works are designed 15 | to take away your freedom to share and change the works. By contrast, 16 | our General Public Licenses are intended to guarantee your freedom to 17 | share and change all versions of a program--to make sure it remains free 18 | software for all its users. 19 | 20 | When we speak of free software, we are referring to freedom, not 21 | price. Our General Public Licenses are designed to make sure that you 22 | have the freedom to distribute copies of free software (and charge for 23 | them if you wish), that you receive source code or can get it if you 24 | want it, that you can change the software or use pieces of it in new 25 | free programs, and that you know you can do these things. 26 | 27 | Developers that use our General Public Licenses protect your rights 28 | with two steps: (1) assert copyright on the software, and (2) offer 29 | you this License which gives you legal permission to copy, distribute 30 | and/or modify the software. 31 | 32 | A secondary benefit of defending all users' freedom is that 33 | improvements made in alternate versions of the program, if they 34 | receive widespread use, become available for other developers to 35 | incorporate. Many developers of free software are heartened and 36 | encouraged by the resulting cooperation. However, in the case of 37 | software used on network servers, this result may fail to come about. 38 | The GNU General Public License permits making a modified version and 39 | letting the public access it on a server without ever releasing its 40 | source code to the public. 41 | 42 | The GNU Affero General Public License is designed specifically to 43 | ensure that, in such cases, the modified source code becomes available 44 | to the community. It requires the operator of a network server to 45 | provide the source code of the modified version running there to the 46 | users of that server. Therefore, public use of a modified version, on 47 | a publicly accessible server, gives the public access to the source 48 | code of the modified version. 49 | 50 | An older license, called the Affero General Public License and 51 | published by Affero, was designed to accomplish similar goals. This is 52 | a different license, not a version of the Affero GPL, but Affero has 53 | released a new version of the Affero GPL which permits relicensing under 54 | this license. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | TERMS AND CONDITIONS 60 | 61 | 0. Definitions. 62 | 63 | "This License" refers to version 3 of the GNU Affero General Public License. 64 | 65 | "Copyright" also means copyright-like laws that apply to other kinds of 66 | works, such as semiconductor masks. 67 | 68 | "The Program" refers to any copyrightable work licensed under this 69 | License. Each licensee is addressed as "you". "Licensees" and 70 | "recipients" may be individuals or organizations. 71 | 72 | To "modify" a work means to copy from or adapt all or part of the work 73 | in a fashion requiring copyright permission, other than the making of an 74 | exact copy. The resulting work is called a "modified version" of the 75 | earlier work or a work "based on" the earlier work. 76 | 77 | A "covered work" means either the unmodified Program or a work based 78 | on the Program. 79 | 80 | To "propagate" a work means to do anything with it that, without 81 | permission, would make you directly or secondarily liable for 82 | infringement under applicable copyright law, except executing it on a 83 | computer or modifying a private copy. Propagation includes copying, 84 | distribution (with or without modification), making available to the 85 | public, and in some countries other activities as well. 86 | 87 | To "convey" a work means any kind of propagation that enables other 88 | parties to make or receive copies. Mere interaction with a user through 89 | a computer network, with no transfer of a copy, is not conveying. 90 | 91 | An interactive user interface displays "Appropriate Legal Notices" 92 | to the extent that it includes a convenient and prominently visible 93 | feature that (1) displays an appropriate copyright notice, and (2) 94 | tells the user that there is no warranty for the work (except to the 95 | extent that warranties are provided), that licensees may convey the 96 | work under this License, and how to view a copy of this License. If 97 | the interface presents a list of user commands or options, such as a 98 | menu, a prominent item in the list meets this criterion. 99 | 100 | 1. Source Code. 101 | 102 | The "source code" for a work means the preferred form of the work 103 | for making modifications to it. "Object code" means any non-source 104 | form of a work. 105 | 106 | A "Standard Interface" means an interface that either is an official 107 | standard defined by a recognized standards body, or, in the case of 108 | interfaces specified for a particular programming language, one that 109 | is widely used among developers working in that language. 110 | 111 | The "System Libraries" of an executable work include anything, other 112 | than the work as a whole, that (a) is included in the normal form of 113 | packaging a Major Component, but which is not part of that Major 114 | Component, and (b) serves only to enable use of the work with that 115 | Major Component, or to implement a Standard Interface for which an 116 | implementation is available to the public in source code form. A 117 | "Major Component", in this context, means a major essential component 118 | (kernel, window system, and so on) of the specific operating system 119 | (if any) on which the executable work runs, or a compiler used to 120 | produce the work, or an object code interpreter used to run it. 121 | 122 | The "Corresponding Source" for a work in object code form means all 123 | the source code needed to generate, install, and (for an executable 124 | work) run the object code and to modify the work, including scripts to 125 | control those activities. However, it does not include the work's 126 | System Libraries, or general-purpose tools or generally available free 127 | programs which are used unmodified in performing those activities but 128 | which are not part of the work. For example, Corresponding Source 129 | includes interface definition files associated with source files for 130 | the work, and the source code for shared libraries and dynamically 131 | linked subprograms that the work is specifically designed to require, 132 | such as by intimate data communication or control flow between those 133 | subprograms and other parts of the work. 134 | 135 | The Corresponding Source need not include anything that users 136 | can regenerate automatically from other parts of the Corresponding 137 | Source. 138 | 139 | The Corresponding Source for a work in source code form is that 140 | same work. 141 | 142 | 2. Basic Permissions. 143 | 144 | All rights granted under this License are granted for the term of 145 | copyright on the Program, and are irrevocable provided the stated 146 | conditions are met. This License explicitly affirms your unlimited 147 | permission to run the unmodified Program. The output from running a 148 | covered work is covered by this License only if the output, given its 149 | content, constitutes a covered work. This License acknowledges your 150 | rights of fair use or other equivalent, as provided by copyright law. 151 | 152 | You may make, run and propagate covered works that you do not 153 | convey, without conditions so long as your license otherwise remains 154 | in force. You may convey covered works to others for the sole purpose 155 | of having them make modifications exclusively for you, or provide you 156 | with facilities for running those works, provided that you comply with 157 | the terms of this License in conveying all material for which you do 158 | not control copyright. Those thus making or running the covered works 159 | for you must do so exclusively on your behalf, under your direction 160 | and control, on terms that prohibit them from making any copies of 161 | your copyrighted material outside their relationship with you. 162 | 163 | Conveying under any other circumstances is permitted solely under 164 | the conditions stated below. Sublicensing is not allowed; section 10 165 | makes it unnecessary. 166 | 167 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 168 | 169 | No covered work shall be deemed part of an effective technological 170 | measure under any applicable law fulfilling obligations under article 171 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 172 | similar laws prohibiting or restricting circumvention of such 173 | measures. 174 | 175 | When you convey a covered work, you waive any legal power to forbid 176 | circumvention of technological measures to the extent such circumvention 177 | is effected by exercising rights under this License with respect to 178 | the covered work, and you disclaim any intention to limit operation or 179 | modification of the work as a means of enforcing, against the work's 180 | users, your or third parties' legal rights to forbid circumvention of 181 | technological measures. 182 | 183 | 4. Conveying Verbatim Copies. 184 | 185 | You may convey verbatim copies of the Program's source code as you 186 | receive it, in any medium, provided that you conspicuously and 187 | appropriately publish on each copy an appropriate copyright notice; 188 | keep intact all notices stating that this License and any 189 | non-permissive terms added in accord with section 7 apply to the code; 190 | keep intact all notices of the absence of any warranty; and give all 191 | recipients a copy of this License along with the Program. 192 | 193 | You may charge any price or no price for each copy that you convey, 194 | and you may offer support or warranty protection for a fee. 195 | 196 | 5. Conveying Modified Source Versions. 197 | 198 | You may convey a work based on the Program, or the modifications to 199 | produce it from the Program, in the form of source code under the 200 | terms of section 4, provided that you also meet all of these conditions: 201 | 202 | a) The work must carry prominent notices stating that you modified 203 | it, and giving a relevant date. 204 | 205 | b) The work must carry prominent notices stating that it is 206 | released under this License and any conditions added under section 207 | 7. This requirement modifies the requirement in section 4 to 208 | "keep intact all notices". 209 | 210 | c) You must license the entire work, as a whole, under this 211 | License to anyone who comes into possession of a copy. This 212 | License will therefore apply, along with any applicable section 7 213 | additional terms, to the whole of the work, and all its parts, 214 | regardless of how they are packaged. This License gives no 215 | permission to license the work in any other way, but it does not 216 | invalidate such permission if you have separately received it. 217 | 218 | d) If the work has interactive user interfaces, each must display 219 | Appropriate Legal Notices; however, if the Program has interactive 220 | interfaces that do not display Appropriate Legal Notices, your 221 | work need not make them do so. 222 | 223 | A compilation of a covered work with other separate and independent 224 | works, which are not by their nature extensions of the covered work, 225 | and which are not combined with it such as to form a larger program, 226 | in or on a volume of a storage or distribution medium, is called an 227 | "aggregate" if the compilation and its resulting copyright are not 228 | used to limit the access or legal rights of the compilation's users 229 | beyond what the individual works permit. Inclusion of a covered work 230 | in an aggregate does not cause this License to apply to the other 231 | parts of the aggregate. 232 | 233 | 6. Conveying Non-Source Forms. 234 | 235 | You may convey a covered work in object code form under the terms 236 | of sections 4 and 5, provided that you also convey the 237 | machine-readable Corresponding Source under the terms of this License, 238 | in one of these ways: 239 | 240 | a) Convey the object code in, or embodied in, a physical product 241 | (including a physical distribution medium), accompanied by the 242 | Corresponding Source fixed on a durable physical medium 243 | customarily used for software interchange. 244 | 245 | b) Convey the object code in, or embodied in, a physical product 246 | (including a physical distribution medium), accompanied by a 247 | written offer, valid for at least three years and valid for as 248 | long as you offer spare parts or customer support for that product 249 | model, to give anyone who possesses the object code either (1) a 250 | copy of the Corresponding Source for all the software in the 251 | product that is covered by this License, on a durable physical 252 | medium customarily used for software interchange, for a price no 253 | more than your reasonable cost of physically performing this 254 | conveying of source, or (2) access to copy the 255 | Corresponding Source from a network server at no charge. 256 | 257 | c) Convey individual copies of the object code with a copy of the 258 | written offer to provide the Corresponding Source. This 259 | alternative is allowed only occasionally and noncommercially, and 260 | only if you received the object code with such an offer, in accord 261 | with subsection 6b. 262 | 263 | d) Convey the object code by offering access from a designated 264 | place (gratis or for a charge), and offer equivalent access to the 265 | Corresponding Source in the same way through the same place at no 266 | further charge. You need not require recipients to copy the 267 | Corresponding Source along with the object code. If the place to 268 | copy the object code is a network server, the Corresponding Source 269 | may be on a different server (operated by you or a third party) 270 | that supports equivalent copying facilities, provided you maintain 271 | clear directions next to the object code saying where to find the 272 | Corresponding Source. Regardless of what server hosts the 273 | Corresponding Source, you remain obligated to ensure that it is 274 | available for as long as needed to satisfy these requirements. 275 | 276 | e) Convey the object code using peer-to-peer transmission, provided 277 | you inform other peers where the object code and Corresponding 278 | Source of the work are being offered to the general public at no 279 | charge under subsection 6d. 280 | 281 | A separable portion of the object code, whose source code is excluded 282 | from the Corresponding Source as a System Library, need not be 283 | included in conveying the object code work. 284 | 285 | A "User Product" is either (1) a "consumer product", which means any 286 | tangible personal property which is normally used for personal, family, 287 | or household purposes, or (2) anything designed or sold for incorporation 288 | into a dwelling. In determining whether a product is a consumer product, 289 | doubtful cases shall be resolved in favor of coverage. For a particular 290 | product received by a particular user, "normally used" refers to a 291 | typical or common use of that class of product, regardless of the status 292 | of the particular user or of the way in which the particular user 293 | actually uses, or expects or is expected to use, the product. A product 294 | is a consumer product regardless of whether the product has substantial 295 | commercial, industrial or non-consumer uses, unless such uses represent 296 | the only significant mode of use of the product. 297 | 298 | "Installation Information" for a User Product means any methods, 299 | procedures, authorization keys, or other information required to install 300 | and execute modified versions of a covered work in that User Product from 301 | a modified version of its Corresponding Source. The information must 302 | suffice to ensure that the continued functioning of the modified object 303 | code is in no case prevented or interfered with solely because 304 | modification has been made. 305 | 306 | If you convey an object code work under this section in, or with, or 307 | specifically for use in, a User Product, and the conveying occurs as 308 | part of a transaction in which the right of possession and use of the 309 | User Product is transferred to the recipient in perpetuity or for a 310 | fixed term (regardless of how the transaction is characterized), the 311 | Corresponding Source conveyed under this section must be accompanied 312 | by the Installation Information. But this requirement does not apply 313 | if neither you nor any third party retains the ability to install 314 | modified object code on the User Product (for example, the work has 315 | been installed in ROM). 316 | 317 | The requirement to provide Installation Information does not include a 318 | requirement to continue to provide support service, warranty, or updates 319 | for a work that has been modified or installed by the recipient, or for 320 | the User Product in which it has been modified or installed. Access to a 321 | network may be denied when the modification itself materially and 322 | adversely affects the operation of the network or violates the rules and 323 | protocols for communication across the network. 324 | 325 | Corresponding Source conveyed, and Installation Information provided, 326 | in accord with this section must be in a format that is publicly 327 | documented (and with an implementation available to the public in 328 | source code form), and must require no special password or key for 329 | unpacking, reading or copying. 330 | 331 | 7. Additional Terms. 332 | 333 | "Additional permissions" are terms that supplement the terms of this 334 | License by making exceptions from one or more of its conditions. 335 | Additional permissions that are applicable to the entire Program shall 336 | be treated as though they were included in this License, to the extent 337 | that they are valid under applicable law. If additional permissions 338 | apply only to part of the Program, that part may be used separately 339 | under those permissions, but the entire Program remains governed by 340 | this License without regard to the additional permissions. 341 | 342 | When you convey a copy of a covered work, you may at your option 343 | remove any additional permissions from that copy, or from any part of 344 | it. (Additional permissions may be written to require their own 345 | removal in certain cases when you modify the work.) You may place 346 | additional permissions on material, added by you to a covered work, 347 | for which you have or can give appropriate copyright permission. 348 | 349 | Notwithstanding any other provision of this License, for material you 350 | add to a covered work, you may (if authorized by the copyright holders of 351 | that material) supplement the terms of this License with terms: 352 | 353 | a) Disclaiming warranty or limiting liability differently from the 354 | terms of sections 15 and 16 of this License; or 355 | 356 | b) Requiring preservation of specified reasonable legal notices or 357 | author attributions in that material or in the Appropriate Legal 358 | Notices displayed by works containing it; or 359 | 360 | c) Prohibiting misrepresentation of the origin of that material, or 361 | requiring that modified versions of such material be marked in 362 | reasonable ways as different from the original version; or 363 | 364 | d) Limiting the use for publicity purposes of names of licensors or 365 | authors of the material; or 366 | 367 | e) Declining to grant rights under trademark law for use of some 368 | trade names, trademarks, or service marks; or 369 | 370 | f) Requiring indemnification of licensors and authors of that 371 | material by anyone who conveys the material (or modified versions of 372 | it) with contractual assumptions of liability to the recipient, for 373 | any liability that these contractual assumptions directly impose on 374 | those licensors and authors. 375 | 376 | All other non-permissive additional terms are considered "further 377 | restrictions" within the meaning of section 10. If the Program as you 378 | received it, or any part of it, contains a notice stating that it is 379 | governed by this License along with a term that is a further 380 | restriction, you may remove that term. If a license document contains 381 | a further restriction but permits relicensing or conveying under this 382 | License, you may add to a covered work material governed by the terms 383 | of that license document, provided that the further restriction does 384 | not survive such relicensing or conveying. 385 | 386 | If you add terms to a covered work in accord with this section, you 387 | must place, in the relevant source files, a statement of the 388 | additional terms that apply to those files, or a notice indicating 389 | where to find the applicable terms. 390 | 391 | Additional terms, permissive or non-permissive, may be stated in the 392 | form of a separately written license, or stated as exceptions; 393 | the above requirements apply either way. 394 | 395 | 8. Termination. 396 | 397 | You may not propagate or modify a covered work except as expressly 398 | provided under this License. Any attempt otherwise to propagate or 399 | modify it is void, and will automatically terminate your rights under 400 | this License (including any patent licenses granted under the third 401 | paragraph of section 11). 402 | 403 | However, if you cease all violation of this License, then your 404 | license from a particular copyright holder is reinstated (a) 405 | provisionally, unless and until the copyright holder explicitly and 406 | finally terminates your license, and (b) permanently, if the copyright 407 | holder fails to notify you of the violation by some reasonable means 408 | prior to 60 days after the cessation. 409 | 410 | Moreover, your license from a particular copyright holder is 411 | reinstated permanently if the copyright holder notifies you of the 412 | violation by some reasonable means, this is the first time you have 413 | received notice of violation of this License (for any work) from that 414 | copyright holder, and you cure the violation prior to 30 days after 415 | your receipt of the notice. 416 | 417 | Termination of your rights under this section does not terminate the 418 | licenses of parties who have received copies or rights from you under 419 | this License. If your rights have been terminated and not permanently 420 | reinstated, you do not qualify to receive new licenses for the same 421 | material under section 10. 422 | 423 | 9. Acceptance Not Required for Having Copies. 424 | 425 | You are not required to accept this License in order to receive or 426 | run a copy of the Program. Ancillary propagation of a covered work 427 | occurring solely as a consequence of using peer-to-peer transmission 428 | to receive a copy likewise does not require acceptance. However, 429 | nothing other than this License grants you permission to propagate or 430 | modify any covered work. These actions infringe copyright if you do 431 | not accept this License. Therefore, by modifying or propagating a 432 | covered work, you indicate your acceptance of this License to do so. 433 | 434 | 10. Automatic Licensing of Downstream Recipients. 435 | 436 | Each time you convey a covered work, the recipient automatically 437 | receives a license from the original licensors, to run, modify and 438 | propagate that work, subject to this License. You are not responsible 439 | for enforcing compliance by third parties with this License. 440 | 441 | An "entity transaction" is a transaction transferring control of an 442 | organization, or substantially all assets of one, or subdividing an 443 | organization, or merging organizations. If propagation of a covered 444 | work results from an entity transaction, each party to that 445 | transaction who receives a copy of the work also receives whatever 446 | licenses to the work the party's predecessor in interest had or could 447 | give under the previous paragraph, plus a right to possession of the 448 | Corresponding Source of the work from the predecessor in interest, if 449 | the predecessor has it or can get it with reasonable efforts. 450 | 451 | You may not impose any further restrictions on the exercise of the 452 | rights granted or affirmed under this License. For example, you may 453 | not impose a license fee, royalty, or other charge for exercise of 454 | rights granted under this License, and you may not initiate litigation 455 | (including a cross-claim or counterclaim in a lawsuit) alleging that 456 | any patent claim is infringed by making, using, selling, offering for 457 | sale, or importing the Program or any portion of it. 458 | 459 | 11. Patents. 460 | 461 | A "contributor" is a copyright holder who authorizes use under this 462 | License of the Program or a work on which the Program is based. The 463 | work thus licensed is called the contributor's "contributor version". 464 | 465 | A contributor's "essential patent claims" are all patent claims 466 | owned or controlled by the contributor, whether already acquired or 467 | hereafter acquired, that would be infringed by some manner, permitted 468 | by this License, of making, using, or selling its contributor version, 469 | but do not include claims that would be infringed only as a 470 | consequence of further modification of the contributor version. For 471 | purposes of this definition, "control" includes the right to grant 472 | patent sublicenses in a manner consistent with the requirements of 473 | this License. 474 | 475 | Each contributor grants you a non-exclusive, worldwide, royalty-free 476 | patent license under the contributor's essential patent claims, to 477 | make, use, sell, offer for sale, import and otherwise run, modify and 478 | propagate the contents of its contributor version. 479 | 480 | In the following three paragraphs, a "patent license" is any express 481 | agreement or commitment, however denominated, not to enforce a patent 482 | (such as an express permission to practice a patent or covenant not to 483 | sue for patent infringement). To "grant" such a patent license to a 484 | party means to make such an agreement or commitment not to enforce a 485 | patent against the party. 486 | 487 | If you convey a covered work, knowingly relying on a patent license, 488 | and the Corresponding Source of the work is not available for anyone 489 | to copy, free of charge and under the terms of this License, through a 490 | publicly available network server or other readily accessible means, 491 | then you must either (1) cause the Corresponding Source to be so 492 | available, or (2) arrange to deprive yourself of the benefit of the 493 | patent license for this particular work, or (3) arrange, in a manner 494 | consistent with the requirements of this License, to extend the patent 495 | license to downstream recipients. "Knowingly relying" means you have 496 | actual knowledge that, but for the patent license, your conveying the 497 | covered work in a country, or your recipient's use of the covered work 498 | in a country, would infringe one or more identifiable patents in that 499 | country that you have reason to believe are valid. 500 | 501 | If, pursuant to or in connection with a single transaction or 502 | arrangement, you convey, or propagate by procuring conveyance of, a 503 | covered work, and grant a patent license to some of the parties 504 | receiving the covered work authorizing them to use, propagate, modify 505 | or convey a specific copy of the covered work, then the patent license 506 | you grant is automatically extended to all recipients of the covered 507 | work and works based on it. 508 | 509 | A patent license is "discriminatory" if it does not include within 510 | the scope of its coverage, prohibits the exercise of, or is 511 | conditioned on the non-exercise of one or more of the rights that are 512 | specifically granted under this License. You may not convey a covered 513 | work if you are a party to an arrangement with a third party that is 514 | in the business of distributing software, under which you make payment 515 | to the third party based on the extent of your activity of conveying 516 | the work, and under which the third party grants, to any of the 517 | parties who would receive the covered work from you, a discriminatory 518 | patent license (a) in connection with copies of the covered work 519 | conveyed by you (or copies made from those copies), or (b) primarily 520 | for and in connection with specific products or compilations that 521 | contain the covered work, unless you entered into that arrangement, 522 | or that patent license was granted, prior to 28 March 2007. 523 | 524 | Nothing in this License shall be construed as excluding or limiting 525 | any implied license or other defenses to infringement that may 526 | otherwise be available to you under applicable patent law. 527 | 528 | 12. No Surrender of Others' Freedom. 529 | 530 | If conditions are imposed on you (whether by court order, agreement or 531 | otherwise) that contradict the conditions of this License, they do not 532 | excuse you from the conditions of this License. If you cannot convey a 533 | covered work so as to satisfy simultaneously your obligations under this 534 | License and any other pertinent obligations, then as a consequence you may 535 | not convey it at all. For example, if you agree to terms that obligate you 536 | to collect a royalty for further conveying from those to whom you convey 537 | the Program, the only way you could satisfy both those terms and this 538 | License would be to refrain entirely from conveying the Program. 539 | 540 | 13. Remote Network Interaction; Use with the GNU General Public License. 541 | 542 | Notwithstanding any other provision of this License, if you modify the 543 | Program, your modified version must prominently offer all users 544 | interacting with it remotely through a computer network (if your version 545 | supports such interaction) an opportunity to receive the Corresponding 546 | Source of your version by providing access to the Corresponding Source 547 | from a network server at no charge, through some standard or customary 548 | means of facilitating copying of software. This Corresponding Source 549 | shall include the Corresponding Source for any work covered by version 3 550 | of the GNU General Public License that is incorporated pursuant to the 551 | following paragraph. 552 | 553 | Notwithstanding any other provision of this License, you have 554 | permission to link or combine any covered work with a work licensed 555 | under version 3 of the GNU General Public License into a single 556 | combined work, and to convey the resulting work. The terms of this 557 | License will continue to apply to the part which is the covered work, 558 | but the work with which it is combined will remain governed by version 559 | 3 of the GNU General Public License. 560 | 561 | 14. Revised Versions of this License. 562 | 563 | The Free Software Foundation may publish revised and/or new versions of 564 | the GNU Affero General Public License from time to time. Such new versions 565 | will be similar in spirit to the present version, but may differ in detail to 566 | address new problems or concerns. 567 | 568 | Each version is given a distinguishing version number. If the 569 | Program specifies that a certain numbered version of the GNU Affero General 570 | Public License "or any later version" applies to it, you have the 571 | option of following the terms and conditions either of that numbered 572 | version or of any later version published by the Free Software 573 | Foundation. If the Program does not specify a version number of the 574 | GNU Affero General Public License, you may choose any version ever published 575 | by the Free Software Foundation. 576 | 577 | If the Program specifies that a proxy can decide which future 578 | versions of the GNU Affero General Public License can be used, that proxy's 579 | public statement of acceptance of a version permanently authorizes you 580 | to choose that version for the Program. 581 | 582 | Later license versions may give you additional or different 583 | permissions. However, no additional obligations are imposed on any 584 | author or copyright holder as a result of your choosing to follow a 585 | later version. 586 | 587 | 15. Disclaimer of Warranty. 588 | 589 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 590 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 591 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 592 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 593 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 594 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 595 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 596 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 597 | 598 | 16. Limitation of Liability. 599 | 600 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 601 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 602 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 603 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 604 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 605 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 606 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 607 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 608 | SUCH DAMAGES. 609 | 610 | 17. Interpretation of Sections 15 and 16. 611 | 612 | If the disclaimer of warranty and limitation of liability provided 613 | above cannot be given local legal effect according to their terms, 614 | reviewing courts shall apply local law that most closely approximates 615 | an absolute waiver of all civil liability in connection with the 616 | Program, unless a warranty or assumption of liability accompanies a 617 | copy of the Program in return for a fee. 618 | 619 | END OF TERMS AND CONDITIONS 620 | 621 | How to Apply These Terms to Your New Programs 622 | 623 | If you develop a new program, and you want it to be of the greatest 624 | possible use to the public, the best way to achieve this is to make it 625 | free software which everyone can redistribute and change under these terms. 626 | 627 | To do so, attach the following notices to the program. It is safest 628 | to attach them to the start of each source file to most effectively 629 | state the exclusion of warranty; and each file should have at least 630 | the "copyright" line and a pointer to where the full notice is found. 631 | 632 | 633 | Copyright (C) 634 | 635 | This program is free software: you can redistribute it and/or modify 636 | it under the terms of the GNU Affero General Public License as published 637 | by the Free Software Foundation, either version 3 of the License, or 638 | (at your option) any later version. 639 | 640 | This program is distributed in the hope that it will be useful, 641 | but WITHOUT ANY WARRANTY; without even the implied warranty of 642 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 643 | GNU Affero General Public License for more details. 644 | 645 | You should have received a copy of the GNU Affero General Public License 646 | along with this program. If not, see . 647 | 648 | Also add information on how to contact you by electronic and paper mail. 649 | 650 | If your software can interact with users remotely through a computer 651 | network, you should also make sure that it provides a way for users to 652 | get its source. For example, if your program is a web application, its 653 | interface could display a "Source" link that leads users to an archive 654 | of the code. There are many ways you could offer source, and different 655 | solutions will be better for different programs; see section 13 for the 656 | specific requirements. 657 | 658 | You should also get your employer (if you work as a programmer) or school, 659 | if any, to sign a "copyright disclaimer" for the program, if necessary. 660 | For more information on this, and how to apply and follow the GNU AGPL, see 661 | . 662 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # Git-Ring; Easy SSH Ring Signatures 4 | 5 | Anonymously proving that you belong to a set of Github users is now easy. 6 | 7 | Git(hub/lab) is one of the few places with a large repository of identities tied to associated public keys, namely, 8 | the list of authorized SSH keys for each user which these platforms make public (e.g. [github.com/rot256.keys](https://github.com/rot256.keys)). 9 | Git-ring exploits this feature to allow anonymously proving membership among a set of users/organizations/repositories on these platforms using ring signatures (a cryptographic tool) -- without revealing your identity. 10 | 11 | **Disclaimer:** Although I aim for this software to be usable and not just a demo, 12 | I take no responsibility for the correctness/security/completeness of this software: 13 | the software has not undergone a security audit and should currently be considered in an alpha state. 14 | I also do not guarantee that the CLI remains stable, or that the signature format remains backwards compatible. 15 | 16 | There is a [companion post](https://rot256.dev/post/git-ring) describing how the cryptography in git-ring works. 17 | 18 | ## Applications 19 | 20 | #### Whistleblowing 21 | 22 | The primary motivation for ring signatures (e.g. in the seminal work [How to leak a secret](https://people.csail.mit.edu/rivest/pubs/RST01.pdf) 23 | by Rivest, Shamir and Tauman) is that of whistleblowing: suppose you are a member of an organization (e.g. on Github) 24 | and you want to raise an issue either publically or internally. 25 | You could post your revelations anonymously, but how do people know that the claims are not fabrications by someone with no relation to the organization? 26 | You could also raise your concerns with your name attached, so that people can verify that you belong to the organization, but that might have undesired personal ramifications... 27 | 28 | Ring signatures (e.g. git-ring) offers a solution to this dilemma: you can prove that you belong to the organization without revealing your identity. 29 | 30 | In git-ring, this may look something like this: 31 | 32 | ```console 33 | $ ./git-ring sign --msg "They are doing bad things, I work there." --github EvilCorp 34 | ``` 35 | 36 | Which creates a signature showing that someone within the organization "EvilCorp" created the message, but does not reveal who. 37 | 38 | #### Designed Verifier Signatures 39 | 40 | You can also use git-ring to create signatures that can only be verified by a single entity (i.e. not publicly verifiable): 41 | by including the verifying party in the ring, the signature could also be forged by the designed verifier 42 | and hence it is not convincing when passed to a third party. e.g. 43 | 44 | ```console 45 | $ ./git-ring --msg "Do not pass this on" --github --github 46 | ``` 47 | 48 | Creates a signature on the message "Do not pass this on" under the Github user `` which can only be verified by the user ``. 49 | 50 | ## Features 51 | 52 | - Easy to use (see below). 53 | - Support for hetrogenous sets of keys:
54 | The ring of signers can contain combinations of RSA, Ed25519 and ECDSA keys
55 | (i.e. all the types supported by Github). 56 | - Perfectly deniability:
57 | The real signers identity is hidden even if the adversary get access to private keys or break the cryptography. 58 | - Easily prove membership among Github/Gitlab users. 59 | - Easily prove membership of a Github Organization. 60 | - Supports Github credentials to provide access to hidden organizations / private members. 61 | - Manually include SSH keys in the ring. 62 | - Cross platform. 63 | 64 | ## Example Usage 65 | 66 | Git-ring aims to be dead-easy to use and hard to misuse. e.g. running: 67 | 68 | ```console 69 | $ ./git-ring sign --msg "testing git-ring" --github WireGuard 70 | Loading Keys from Different Entities: 71 | Github: 72 | Organization: WireGuard 73 | mdlayher (1 keys) 74 | msfjarvis (2 keys) 75 | nathanchance (1 keys) 76 | rot256 (3 keys) 77 | smaeul (1 keys) 78 | zx2c4 (1 keys) 79 | 9 Keys in the ring. 80 | Covering: 6 / 6 entities 81 | Signature successfully generated 82 | Saved in: ring.sig (1874 bytes) 83 | ``` 84 | 85 | Produces a signature on the message "test" proving that the signer ("rot256" in this case) belongs to the [WireGuard organization on Github](https://github.com/orgs/WireGuard/people). 86 | The signature can then be verified as follows (the path to the signature is "./ring.sig" by default): 87 | 88 | ```console 89 | $ ./git-ring verify --github WireGuard 90 | Loading Keys from Different Entities: 91 | Github: 92 | Organization: WireGuard 93 | mdlayher (1 keys) 94 | msfjarvis (2 keys) 95 | nathanchance (1 keys) 96 | rot256 (3 keys) 97 | smaeul (1 keys) 98 | zx2c4 (1 keys) 99 | 9 Keys in the ring. 100 | Covering: 6 / 6 entities 101 | Message: 102 | testing git-ring 103 | ``` 104 | 105 | Note git-ring signatures include the message being signed to simplify usage. 106 | 107 | You can also include individual people in the ring, e.g. using: 108 | 109 | ```console 110 | $ ./git-ring sign --github rot256 --github torvalds --github gregkh --msg "testing git-ring" 111 | ``` 112 | 113 | Proves that one of the following people signed the message "testing git-ring": 114 | 115 | - Mathias Hall-Andersen (rot256). 116 | - Linus Torvalds (torvalds). 117 | - Greg Kroah-Hartman (gregkh). 118 | 119 | More examples can be found in [the tests for the command-line utility](/tests.sh). 120 | 121 | ## Installation 122 | 123 | If you have a Go enviroment set up, then simply run: 124 | 125 | ```console 126 | $ go install github.com/rot256/git-ring@latest 127 | ``` 128 | -------------------------------------------------------------------------------- /cmd/color.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "fmt" 5 | "runtime" 6 | ) 7 | 8 | const indent = " " 9 | 10 | var colorReset = "\033[0m" 11 | var colorRed = "\033[31m" 12 | var colorGreen = "\033[32m" 13 | var colorYellow = "\033[33m" 14 | var colorBlue = "\033[34m" 15 | var colorPurple = "\033[35m" 16 | var colorCyan = "\033[36m" 17 | var colorWhite = "\033[37m" //lint:ignore U1000 for completeness 18 | 19 | func init() { 20 | if runtime.GOOS == "windows" { 21 | colorReset = "" 22 | colorRed = "" 23 | colorGreen = "" 24 | colorYellow = "" 25 | colorBlue = "" 26 | colorPurple = "" 27 | colorCyan = "" 28 | colorWhite = "" 29 | } 30 | } 31 | 32 | func colorWarnBool(b bool) { 33 | if b { 34 | fmt.Print(colorGreen) 35 | } else { 36 | fmt.Print(colorYellow) 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /cmd/github.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "bytes" 5 | "encoding/json" 6 | "fmt" 7 | "io" 8 | "net/http" 9 | "os" 10 | 11 | "github.com/rot256/git-ring/ring" 12 | ) 13 | 14 | const githubEnvUsername = "GITHUB_USERNAME" 15 | const githubEnvToken = "GITHUB_TOKEN" 16 | 17 | type githubOrgMember struct { 18 | Login string 19 | Type string 20 | } 21 | 22 | // TODO: allow supplying credentials to fetch private orgs 23 | func githubOrganizationUsers(name string) (bool, []string, error) { 24 | // if token is provided: default to bearer token 25 | token, ok := os.LookupEnv(githubEnvToken) 26 | basicAuth := ok 27 | bearerToken := ok 28 | 29 | // if username is provided: use basic auth 30 | username, ok := os.LookupEnv(githubEnvUsername) 31 | basicAuth = basicAuth && ok 32 | bearerToken = bearerToken && !ok 33 | 34 | membersPerPage := 100 35 | 36 | var names []string 37 | var client http.Client 38 | 39 | for n := 1; ; n += 1 { 40 | req, err := http.NewRequest( 41 | http.MethodGet, 42 | fmt.Sprintf("https://api.github.com/orgs/%s/members?page=%d&per_page=%d", name, n, membersPerPage), 43 | bytes.NewReader([]byte{}), // empty body 44 | ) 45 | if err != nil { 46 | panic(err) 47 | } 48 | 49 | // request JSON 50 | req.Header.Add("content-type", "application/json") 51 | 52 | // use basic auth (if supplied) 53 | if basicAuth { 54 | req.SetBasicAuth(username, token) 55 | } else if bearerToken { 56 | req.Header.Add("Authorization", "Bearer "+token) 57 | } 58 | 59 | // send request 60 | resp, err := client.Do(req) 61 | if err != nil { 62 | return false, nil, err 63 | } 64 | 65 | // stop if org not found 66 | if resp.StatusCode == http.StatusNotFound { 67 | return false, nil, nil 68 | } 69 | 70 | // check for error 71 | if resp.StatusCode != http.StatusOK { 72 | return false, nil, fmt.Errorf("HTTP request failed with: %s", resp.Status) 73 | } 74 | 75 | // read response 76 | body, err := io.ReadAll(resp.Body) 77 | if err != nil { 78 | return false, nil, err 79 | } 80 | 81 | // deserialize json 82 | var members []githubOrgMember 83 | if err := json.Unmarshal(body, &members); err != nil { 84 | return false, nil, err 85 | } 86 | 87 | // add to user names 88 | for _, m := range members { 89 | if m.Type == "User" { 90 | names = append(names, m.Login) 91 | } 92 | } 93 | 94 | if len(members) < membersPerPage { 95 | break 96 | } 97 | } 98 | 99 | return true, names, nil 100 | } 101 | 102 | func loadGithubUser(indent string, name string) []ring.PublicKey { 103 | url := "https://github.com/" + name + ".keys" 104 | keys, err := fetchKeys(url) 105 | if err != nil { 106 | exitError("Failed to fetch keys for Github user", name, "err:", err) 107 | } 108 | 109 | colorWarnBool(len(keys) > 0) 110 | fmt.Printf("%s%s (%d keys)\n", indent, name, len(keys)) 111 | fmt.Print(colorReset) 112 | 113 | return keys 114 | } 115 | -------------------------------------------------------------------------------- /cmd/gitlab.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "fmt" 5 | 6 | "github.com/rot256/git-ring/ring" 7 | ) 8 | 9 | func loadGitlabUser(indent string, name string) []ring.PublicKey { 10 | url := "https://gitlab.com/" + name + ".keys" 11 | keys, err := fetchKeys(url) 12 | if err != nil { 13 | exitError("Failed to fetch keys for Gitlab user", name, "err:", err) 14 | } 15 | 16 | colorWarnBool(len(keys) > 0) 17 | fmt.Printf("%s%s (%d keys)\n", indent, name, len(keys)) 18 | fmt.Print(colorReset) 19 | 20 | return keys 21 | } 22 | -------------------------------------------------------------------------------- /cmd/root.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "fmt" 5 | "os" 6 | 7 | "github.com/spf13/cobra" 8 | ) 9 | 10 | const appName = "git-ring" 11 | const appUrl = "https://github.com/rot256/git-ring" 12 | 13 | const optVerbose = "verbose" 14 | const optMsg = "msg" 15 | const optSig = "sig" 16 | const optGithub = "github" 17 | const optGitlab = "gitlab" 18 | const optSSHKeys = "ssh-key" 19 | const optUrls = "url" 20 | const optAllowEmpty = "allow-empty" 21 | 22 | func description() string { 23 | s := "" 24 | s += "Heterogeneous ring signatures for SSH keys.\n" 25 | s += "An easy and private way to prove membership among a set of git users.\n" 26 | s += "More info: " + appUrl 27 | return s 28 | } 29 | 30 | var rootCmd = &cobra.Command{ 31 | Use: appName, 32 | Short: appName + ": Easy SSH Ring Signatures", 33 | Long: description(), 34 | Run: func(cmd *cobra.Command, args []string) { 35 | cmd.Help() 36 | }, 37 | } 38 | 39 | func init() { 40 | rootCmd.AddCommand(signCmd) 41 | rootCmd.AddCommand(verifyCmd) 42 | 43 | // global flags 44 | rootCmd.PersistentFlags().StringP(optSig, "s", "ring.sig", "Path to signature") 45 | rootCmd.PersistentFlags().BoolP(optVerbose, "v", false, "Verbose output") 46 | rootCmd.PersistentFlags().StringArray(optUrls, []string{}, "URLs with lists of keys to include") 47 | rootCmd.PersistentFlags().StringArray(optSSHKeys, []string{}, "Paths to SSH keys to include in the ring") 48 | rootCmd.PersistentFlags().StringArray(optGitlab, []string{}, "Gitlab usernames/organizations to include in the ring") 49 | rootCmd.PersistentFlags().StringArray(optGithub, []string{}, "Github usernames/organizations to include in the ring") 50 | 51 | // flags specific to signing 52 | signCmd.PersistentFlags().StringP(optMsg, "m", "", "Message to sign") 53 | signCmd.PersistentFlags().Bool(optAllowEmpty, false, "Allow retrieving zero keys from a source") 54 | signCmd.MarkPersistentFlagRequired(optMsg) 55 | signCmd.MarkPersistentFlagRequired(optSig) 56 | 57 | // flags specific to verification 58 | verifyCmd.MarkPersistentFlagRequired(optSig) 59 | } 60 | 61 | func Execute() { //nolint:golint 62 | if err := rootCmd.Execute(); err != nil { 63 | fmt.Fprintln(os.Stderr, err) 64 | os.Exit(1) 65 | } 66 | } 67 | -------------------------------------------------------------------------------- /cmd/sign.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "encoding/asn1" 5 | "fmt" 6 | "os" 7 | "path/filepath" 8 | "runtime" 9 | 10 | "github.com/rot256/git-ring/ring" 11 | "github.com/spf13/cobra" 12 | "golang.org/x/term" 13 | ) 14 | 15 | const sshDirectoryEnv = "SSH_DIRECTORY" 16 | 17 | var signCmd = &cobra.Command{ 18 | Use: "sign", 19 | Short: "Generate ring signatures on messages", 20 | Long: `/`, 21 | Run: func(cmd *cobra.Command, args []string) { 22 | msg, err := cmd.Flags().GetString(optMsg) 23 | if err != nil { 24 | panic(err) 25 | } 26 | 27 | sigPath, err := cmd.Flags().GetString(optSig) 28 | if err != nil { 29 | panic(err) 30 | } 31 | 32 | // open the file (better to fail before touching the network) 33 | sigFile, err := os.Create(sigPath) 34 | if err != nil { 35 | exitError("Failed to create signature file:", err) 36 | } 37 | 38 | // load public keys from different sources 39 | sourcesTotal, sourcesWithKeys, pks := loadPublicKeys(cmd) 40 | 41 | // check if all entities covered 42 | allowEmpty, err := cmd.Flags().GetBool(optAllowEmpty) 43 | 44 | if err != nil { 45 | panic(err) 46 | } 47 | 48 | if sourcesTotal != sourcesWithKeys && !allowEmpty { 49 | printError("Error: Obtained zero keys from one/more sources:") 50 | printError("THEY (SHOWN IN " + colorYellow + "YELLOW" + colorRed + ") WILL NOT BE INCLUDED IN THE RING.") 51 | printError("Aborting to avoid accidentially excluding an entity from the ring.") 52 | printError("If you want to allow exlcuding these entities use --" + optAllowEmpty) 53 | exitError() 54 | } 55 | 56 | // list directory to load ssh keys from 57 | var sshDirs []string 58 | dir, ok := os.LookupEnv(sshDirectoryEnv) 59 | if ok { 60 | // use 61 | sshDirs = append(sshDirs, dir) 62 | } else { 63 | // list files in ./ssh directory 64 | home, err := os.UserHomeDir() 65 | if err != nil { 66 | exitError("Failed to obtain home directory") 67 | } 68 | sshDirs = append(sshDirs, filepath.Join(home, "/.ssh")) 69 | 70 | // on windows there are two options: 71 | // 1. %USERPROFILE%/.ssh/ 72 | // 2. %HOMEDRIVE%%HOMEPATH%/.ssh/ 73 | if runtime.GOOS == "windows" { 74 | homeAlt := os.Getenv("HOMEDRIVE") + os.Getenv("HOMEPATH") 75 | sshDirs = append(sshDirs, filepath.Join(homeAlt, "/.ssh")) 76 | } 77 | } 78 | 79 | // load pairs for all included directories 80 | var pairs []ring.EncKeyPair 81 | for _, dir := range sshDirs { 82 | ps, err := loadEncKeyPairs(dir) 83 | if err != nil { 84 | exitError("Failed to load local SSH keys:", err) 85 | } 86 | pairs = append(pairs, ps...) 87 | } 88 | 89 | // find matches between ring members and local keys 90 | matches := findMatches(pks, pairs) 91 | if len(matches) == 0 { 92 | exitError("Error: No matching keys found:\nDid you remember to include yourself in the ring?") 93 | } 94 | 95 | verbose(cmd, "SSH keys in ring (available keys marked with +):\n") 96 | for i, key := range pks { 97 | match := false 98 | for _, m := range matches { 99 | if m.PK.Equals(key) { 100 | match = true 101 | } 102 | } 103 | if match { 104 | verbose(cmd, colorBlue) 105 | verbose(cmd, fmt.Sprintf(" + [ %03d ] : %s\n", i, key.Name())) 106 | verbose(cmd, colorReset) 107 | } else { 108 | verbose(cmd, fmt.Sprintf(" [ %03d ] : %s\n", i, key.Name())) 109 | } 110 | } 111 | 112 | // attempt to use unecrypted secret key 113 | var selected *ring.KeyPair 114 | for _, pair := range matches { 115 | selected, err = pair.Parse() 116 | if err == nil { 117 | break 118 | } 119 | } 120 | 121 | // if not unencrypted pair was found, ask user to decrypt 122 | if selected == nil { 123 | // enumerate matches for the user 124 | for i, pair := range matches { 125 | fmt.Print(colorBlue) 126 | fmt.Printf(" [ %d ] : %s\n", i, pair.PK.Name()) 127 | } 128 | 129 | // prompt the user to select 130 | var index int 131 | fmt.Print(colorReset) 132 | fmt.Printf("Select key to decrypt (enter number 0-%d): ", len(matches)-1) 133 | _, err := fmt.Scanln(&index) 134 | if err != nil { 135 | exitError("Faild to read index:", err) 136 | } 137 | if index < 0 || index >= len(matches) { 138 | exitError("Invalid index:", index) 139 | } 140 | 141 | // prompt for password 142 | passwd, err := term.ReadPassword(int(os.Stdin.Fd())) 143 | if err != nil { 144 | exitError(err) 145 | } 146 | 147 | // attempt decryption 148 | selected, err = matches[index].Decrypt(passwd) 149 | if err != nil { 150 | exitError(err) 151 | } 152 | } 153 | 154 | // generate ring signature 155 | sig := ring.Sign(*selected, pks, []byte(msg)) 156 | 157 | // serialize signature to file 158 | data, err := asn1.Marshal(sig) 159 | if err != nil { 160 | panic(err) 161 | } 162 | if _, err := sigFile.Write(data); err != nil { 163 | exitError("Failed to write signature to disk:", err) 164 | } 165 | 166 | fmt.Print(colorBlue) 167 | fmt.Println("Signature successfully generated") 168 | fmt.Printf("Saved in: %s (%d bytes)\n", sigPath, len(data)) 169 | fmt.Print(colorReset) 170 | }, 171 | } 172 | -------------------------------------------------------------------------------- /cmd/util.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "bufio" 5 | "fmt" 6 | "io" 7 | "log" 8 | "net/http" 9 | "os" 10 | "path/filepath" 11 | "sort" 12 | "strings" 13 | 14 | "github.com/rot256/git-ring/ring" 15 | "github.com/spf13/cobra" 16 | ) 17 | 18 | func verbose(cmd *cobra.Command, s ...interface{}) { 19 | if enabled, _ := cmd.Flags().GetBool(optVerbose); enabled { 20 | fmt.Print(s...) 21 | } 22 | } 23 | 24 | func printError(s ...interface{}) { 25 | fmt.Fprint(os.Stderr, colorRed) 26 | fmt.Fprintln(os.Stderr, s...) 27 | fmt.Fprint(os.Stderr, colorReset) 28 | } 29 | 30 | func exitError(s ...interface{}) { 31 | if len(s) > 0 { 32 | printError(s...) 33 | } 34 | os.Exit(1) 35 | } 36 | 37 | func loadUrl(indent string, url string) []ring.PublicKey { 38 | keys, err := fetchKeys(url) 39 | if err != nil { 40 | exitError("Failed to fetch keys from url:", url) 41 | } 42 | 43 | colorWarnBool(len(keys) > 0) 44 | fmt.Printf("%s%s (%d keys)%s\n", indent, url, len(keys), colorReset) 45 | 46 | return keys 47 | } 48 | 49 | func loadPath(path string) []ring.PublicKey { 50 | file, err := os.Open(path) 51 | if err != nil { 52 | exitError("Failed to open file:", path) 53 | } 54 | 55 | keyData, err := io.ReadAll(file) 56 | if err != nil { 57 | exitError("Failed to read file", path, ":", err) 58 | } 59 | 60 | pk, err := ring.PublicKeyFromStr(string(keyData)) 61 | if err != nil { 62 | exitError("Failed to read public key from", path, ":", err) 63 | } 64 | 65 | return []ring.PublicKey{pk} 66 | } 67 | 68 | func loadPublicKeys(cmd *cobra.Command) (int, int, []ring.PublicKey) { 69 | // 70 | 71 | var sourcesTotal int 72 | var sourcesWithKeys int 73 | var pks []ring.PublicKey 74 | 75 | fmt.Println("Loading Keys from Different Entities:") 76 | 77 | addKeys := func(keys []ring.PublicKey) { 78 | if len(keys) > 0 { 79 | sourcesWithKeys += 1 80 | } 81 | sourcesTotal += 1 82 | pks = append(pks, keys...) 83 | } 84 | 85 | // load github keys 86 | 87 | githubNames, _ := cmd.Flags().GetStringArray(optGithub) 88 | if len(githubNames) > 0 { 89 | fmt.Print(colorCyan + "Github:" + colorReset + "\n") 90 | for _, name := range githubNames { 91 | isOrg, members, err := githubOrganizationUsers(name) 92 | if err != nil { 93 | printError("Failed check for Github org:") 94 | exitError(err) 95 | } 96 | 97 | if isOrg { 98 | fmt.Print(colorPurple) 99 | fmt.Println(indent+"Organization:", name) 100 | fmt.Print(colorReset) 101 | for _, member := range members { 102 | addKeys(loadGithubUser(indent+indent, member)) 103 | } 104 | } else { 105 | addKeys(loadGithubUser(indent, name)) 106 | } 107 | } 108 | } 109 | 110 | // load gitlab keys 111 | gitlabNames, _ := cmd.Flags().GetStringArray(optGitlab) 112 | if len(gitlabNames) > 0 { 113 | fmt.Print(colorCyan + "Gitlab:" + colorReset + "\n") 114 | for _, name := range gitlabNames { 115 | addKeys(loadGitlabUser(indent, name)) 116 | } 117 | } 118 | 119 | // fetch keys from other urls 120 | urls, _ := cmd.Flags().GetStringArray(optUrls) 121 | if len(urls) > 0 { 122 | fmt.Print(colorCyan + "Urls:" + colorReset + "\n") 123 | for _, url := range urls { 124 | addKeys(loadUrl(indent, url)) 125 | } 126 | } 127 | 128 | // load keys from disk 129 | keyPaths, _ := cmd.Flags().GetStringArray(optSSHKeys) 130 | if len(keyPaths) > 0 { 131 | fmt.Print(colorCyan + "Files:" + colorReset + "\n") 132 | for _, path := range keyPaths { 133 | addKeys(loadPath(path)) 134 | fmt.Print(colorBlue + indent + path + colorReset + "\n") 135 | } 136 | } 137 | 138 | // sort and deuplicate the keys 139 | pks = sortAndDedupKeys(pks) 140 | fmt.Println(len(pks), "Keys in the ring.") 141 | fmt.Println("Covering:", sourcesWithKeys, "/", sourcesTotal, "entities") 142 | return sourcesTotal, sourcesWithKeys, pks 143 | } 144 | 145 | // this is used to avoid leaking the order in which the keys were fetched 146 | func sortAndDedupKeys(pks []ring.PublicKey) []ring.PublicKey { 147 | // deduplicate the keys 148 | set := make(map[string]ring.PublicKey) 149 | for _, pk := range pks { 150 | set[pk.Id()] = pk 151 | } 152 | 153 | // sort id's 154 | sorted := make([]string, 0) 155 | for k := range set { 156 | sorted = append(sorted, k) 157 | } 158 | sort.Strings(sorted) 159 | 160 | // retrieve keys in sorted order 161 | pksNew := make([]ring.PublicKey, 0, len(set)) 162 | for _, k := range sorted { 163 | pksNew = append(pksNew, set[k]) 164 | } 165 | return pksNew 166 | } 167 | 168 | func fetchKeys(url string) ([]ring.PublicKey, error) { 169 | var keys []ring.PublicKey 170 | 171 | resp, err := http.Get(url) 172 | if err != nil { 173 | return keys, err 174 | } 175 | 176 | scanner := bufio.NewScanner(resp.Body) 177 | for scanner.Scan() { 178 | pk, err := ring.PublicKeyFromStr(scanner.Text()) 179 | if err != nil { 180 | log.Println("Found invalid public key") 181 | continue 182 | } 183 | keys = append(keys, pk) 184 | } 185 | 186 | if err := scanner.Err(); err != nil { 187 | return keys, err 188 | } 189 | 190 | return keys, nil 191 | } 192 | 193 | func findMatches(pks []ring.PublicKey, pairs []ring.EncKeyPair) []ring.EncKeyPair { 194 | // create lookup 195 | index := make(map[string]bool) 196 | for _, pk := range pks { 197 | index[pk.Id()] = true 198 | } 199 | 200 | // find all pairs which was present in the list of public key 201 | var matches []ring.EncKeyPair 202 | for _, pair := range pairs { 203 | if index[pair.PK.Id()] { 204 | matches = append(matches, pair) 205 | } 206 | } 207 | 208 | return matches 209 | } 210 | 211 | func loadEncKeyPairs(dir string) ([]ring.EncKeyPair, error) { 212 | var pairs []ring.EncKeyPair 213 | 214 | key_files, err := os.ReadDir(dir) 215 | if err != nil { 216 | return pairs, err 217 | } 218 | 219 | // add all pairs of public/secret keys found in .ssh 220 | for _, entry := range key_files { 221 | // ignore directories 222 | if entry.IsDir() { 223 | continue 224 | } 225 | 226 | // ignores public keys 227 | if strings.HasSuffix(entry.Name(), ".pub") { 228 | continue 229 | } 230 | 231 | // read suspected private key 232 | pathSK := filepath.Join(dir, entry.Name()) 233 | skPEM, err := os.ReadFile(pathSK) 234 | if err != nil { 235 | continue 236 | } 237 | 238 | // read corresponding public key 239 | pathPK := filepath.Join(dir, entry.Name()+".pub") 240 | pk_data, err := os.ReadFile(pathPK) 241 | if err != nil { 242 | continue 243 | } 244 | 245 | // parse public key 246 | pk, err := ring.PublicKeyFromStr(string(pk_data)) 247 | if err != nil { 248 | panic(err) 249 | } 250 | 251 | pairs = append( 252 | pairs, 253 | ring.EncKeyPair{ 254 | SKPEM: string(skPEM), 255 | PK: pk, 256 | }, 257 | ) 258 | } 259 | 260 | return pairs, nil 261 | } 262 | -------------------------------------------------------------------------------- /cmd/verify.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "encoding/asn1" 5 | "fmt" 6 | "io" 7 | "os" 8 | 9 | "github.com/rot256/git-ring/ring" 10 | "github.com/spf13/cobra" 11 | ) 12 | 13 | var verifyCmd = &cobra.Command{ 14 | Use: "verify", 15 | Short: "Verify ring signatures", 16 | Long: `/`, 17 | Run: func(cmd *cobra.Command, args []string) { 18 | 19 | sigPath, err := cmd.Flags().GetString(optSig) 20 | if err != nil { 21 | panic(err) 22 | } 23 | 24 | sigFile, err := os.Open(sigPath) 25 | if err != nil { 26 | exitError("Failed to open signature file:", err) 27 | } 28 | 29 | sigData, err := io.ReadAll(sigFile) 30 | if err != nil { 31 | exitError("Failed to read signature file:", err) 32 | } 33 | 34 | var sig ring.Signature 35 | rest, err := asn1.Unmarshal(sigData, &sig) 36 | if err != nil { 37 | exitError("Failed to deserialize signature:", err) 38 | } 39 | if len(rest) != 0 { 40 | exitError("Signature is followed by junk") 41 | } 42 | 43 | _, _, pks := loadPublicKeys(cmd) 44 | 45 | msg, err := sig.Verify(pks) 46 | if err != nil { 47 | printError("Signature is not valid:") 48 | exitError(err) 49 | } 50 | 51 | fmt.Println("Message:") 52 | fmt.Println(string(msg)) 53 | }, 54 | } 55 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/rot256/git-ring 2 | 3 | go 1.20 4 | 5 | require ( 6 | filippo.io/edwards25519 v1.1.0 7 | github.com/spf13/cobra v1.7.0 8 | golang.org/x/crypto v0.25.0 9 | golang.org/x/term v0.22.0 10 | ) 11 | 12 | require ( 13 | github.com/inconshreveable/mousetrap v1.1.0 // indirect 14 | github.com/spf13/pflag v1.0.5 // indirect 15 | golang.org/x/sys v0.22.0 // indirect 16 | ) 17 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= 2 | filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= 3 | github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= 4 | github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= 5 | github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= 6 | github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 7 | github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= 8 | github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= 9 | github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= 10 | github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= 11 | golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= 12 | golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= 13 | golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= 14 | golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= 15 | golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= 16 | golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= 17 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 18 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 19 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/rot256/git-ring/cmd" 5 | ) 6 | 7 | func main() { 8 | cmd.Execute() 9 | } 10 | -------------------------------------------------------------------------------- /ring/challenge.go: -------------------------------------------------------------------------------- 1 | package ring 2 | 3 | import ( 4 | "crypto/rand" 5 | "crypto/sha512" 6 | "math/big" 7 | 8 | "golang.org/x/crypto/hkdf" 9 | ) 10 | 11 | const challengeSize = 32 12 | 13 | type challenge struct { 14 | Bytes []byte 15 | } 16 | 17 | func (c *challenge) Random() { 18 | c.Bytes = make([]byte, challengeSize) 19 | if _, err := rand.Read(c.Bytes[:]); err != nil { 20 | panic(err) 21 | } 22 | } 23 | 24 | func (c *challenge) Int(tag string, mod *big.Int) *big.Int { 25 | bytes := (mod.BitLen() + 7) / 8 26 | random := (&big.Int{}).SetBytes(c.Take(tag, bytes*2)) 27 | return random.Mod(random, mod) 28 | } 29 | 30 | func (c *challenge) Take(tag string, n int) []byte { 31 | if len(c.Bytes) != challengeSize { 32 | panic("invalid challenge size") 33 | } 34 | 35 | // expand challenge using HKDF 36 | out := make([]byte, n) 37 | expand := hkdf.New( 38 | sha512.New, 39 | c.Bytes[:], 40 | []byte(tag), 41 | []byte("challenge-hkdf"), 42 | ) 43 | _, err := expand.Read(out) 44 | if err != nil { 45 | panic(err) 46 | } 47 | return out 48 | } 49 | 50 | func (c *challenge) IsValid() bool { 51 | return len(c.Bytes) == challengeSize 52 | } 53 | 54 | // not constant time: only used in verification 55 | func (c *challenge) IsZero() bool { 56 | if len(c.Bytes) != challengeSize { 57 | panic("invalid challenge size") 58 | } 59 | for i := 0; i < challengeSize; i++ { 60 | if c.Bytes[i] != 0x00 { 61 | return false 62 | } 63 | } 64 | return true 65 | } 66 | 67 | func (c *challenge) Add(c1 challenge) { 68 | if len(c.Bytes) != challengeSize || len(c1.Bytes) != challengeSize { 69 | panic("invalid challenge size") 70 | } 71 | 72 | for i := range c.Bytes { 73 | c.Bytes[i] ^= c1.Bytes[i] 74 | } 75 | } 76 | -------------------------------------------------------------------------------- /ring/ecdsa.go: -------------------------------------------------------------------------------- 1 | package ring 2 | 3 | import ( 4 | "crypto/ecdsa" 5 | "crypto/rand" 6 | "encoding/asn1" 7 | "errors" 8 | "math/big" 9 | ) 10 | 11 | // almost forgot how much the ECC fucking sucks in Go... 12 | // a frigin arsenal of footguns, shit looks like 90ties crypto code. 13 | // sucks to have a weak type-system I guess... 14 | 15 | type ecdsaProver struct { 16 | sk *ecdsa.PrivateKey 17 | pf ecdsaProof 18 | r *big.Int 19 | } 20 | 21 | type ecdsaProof struct { 22 | Ax *big.Int 23 | Ay *big.Int 24 | Z *big.Int 25 | } 26 | 27 | func (pf ecdsaProof) Marshal() []byte { 28 | b, err := asn1.Marshal(pf) 29 | if err != nil { 30 | panic(err) 31 | } 32 | return b 33 | } 34 | 35 | func (pf *ecdsaProof) Unmarshal(b []byte) error { 36 | rest, err := asn1.Unmarshal(b, pf) 37 | if err != nil { 38 | return err 39 | } 40 | if len(rest) != 0 { 41 | return errors.New("ECDSA proof contains junk") 42 | } 43 | if pf.Ax == nil || pf.Ay == nil { 44 | return errors.New("ECDSA proof missing A point") 45 | } 46 | if pf.Z == nil { 47 | return errors.New("ECDSA proof missing Z scalar") 48 | } 49 | return nil 50 | } 51 | 52 | func ecdsaRandomScalar(pk *ecdsa.PublicKey) *big.Int { 53 | // generate enough random bits to avoid statistical bias (or make it negl.) 54 | n := pk.Curve.Params().N.BitLen() 55 | rBytes := make([]byte, n/8*2) 56 | if _, err := rand.Read(rBytes[:]); err != nil { 57 | panic(err) 58 | } 59 | 60 | // reduce modulo the order of the curve 61 | r := (&big.Int{}).SetBytes(rBytes) 62 | return r.Mod(r, pk.Curve.Params().N) 63 | } 64 | 65 | func ecdsaNewChallenge(pk *ecdsa.PublicKey, chal challenge) *big.Int { 66 | return chal.Int("schorr-nist-challenge", pk.Curve.Params().N) 67 | } 68 | 69 | func (pf ecdsaProof) Commit(tx *transcript) { 70 | tx.Append([]byte("ecdsa proof")) 71 | tx.Append(pf.Ax.Bytes()) 72 | tx.Append(pf.Ay.Bytes()) 73 | } 74 | 75 | func (pf ecdsaProof) Verify(key interface{}, chal challenge) error { 76 | pk := key.(*ecdsa.PublicKey) 77 | 78 | if pf.Ax == nil || pf.Ay == nil || !pk.Curve.IsOnCurve(pf.Ax, pf.Ay) { 79 | return errors.New("invalid A point") 80 | } 81 | 82 | if pf.Z == nil || pk.Curve.Params().N.Cmp(pf.Z) != 1 { 83 | return errors.New("invalid Z scalar") 84 | } 85 | 86 | c := ecdsaNewChallenge(pk, chal) 87 | 88 | zx, zy := pk.Curve.ScalarBaseMult(pf.Z.Bytes()) 89 | rx, ry := pk.Curve.ScalarMult(pk.X, pk.Y, c.Bytes()) 90 | lx, ly := pk.Curve.Add(rx, ry, pf.Ax, pf.Ay) 91 | 92 | if lx.Cmp(zx) != 0 || ly.Cmp(zy) != 0 { 93 | return errors.New("failed final check: [c] * pk + A != [z] * G") 94 | } 95 | 96 | return nil 97 | } 98 | 99 | func ecdsaSim(pk *ecdsa.PublicKey, chal challenge) *ecdsaProof { 100 | if !pk.Curve.IsOnCurve(pk.X, pk.Y) { 101 | panic("the point must be on the curve") 102 | } 103 | 104 | Z := ecdsaRandomScalar(pk) 105 | c := ecdsaNewChallenge(pk, chal) 106 | 107 | lx, ly := pk.Curve.ScalarBaseMult(Z.Bytes()) 108 | rx, ry := pk.Curve.ScalarMult(pk.X, pk.Y, c.Bytes()) 109 | 110 | // invert the point (there is not method to do this, wtf?) 111 | // yea for leaky "abstractions" 112 | ry = ry.Neg(ry) 113 | ry = ry.Mod(ry, pk.Params().P) 114 | 115 | // sanity check 116 | if !pk.Curve.IsOnCurve(rx, ry) { 117 | panic("failed inversion") 118 | } 119 | 120 | Ax, Ay := pk.Curve.Add(lx, ly, rx, ry) 121 | 122 | return &ecdsaProof{ 123 | Ax: Ax, 124 | Ay: Ay, 125 | Z: Z, 126 | } 127 | } 128 | 129 | func (p ecdsaProver) Pf() proof { 130 | return &p.pf 131 | } 132 | 133 | func (p *ecdsaProver) Finish(chal challenge) { 134 | 135 | c := ecdsaNewChallenge(&p.sk.PublicKey, chal) 136 | 137 | p.pf.Z = (&big.Int{}).Mul(c, p.sk.D) 138 | p.pf.Z = (&big.Int{}).Add(p.pf.Z, p.r) 139 | p.pf.Z = (&big.Int{}).Mod(p.pf.Z, p.sk.Curve.Params().N) 140 | 141 | // to protect against mistakes erase the blinding 142 | p.r = nil 143 | } 144 | 145 | // Schorr proof 146 | func ecdsaProve(sk *ecdsa.PrivateKey) *ecdsaProver { 147 | // sample random blinding 148 | var p ecdsaProver 149 | p.r = ecdsaRandomScalar(&sk.PublicKey) 150 | p.sk = sk 151 | 152 | // compute commitment 153 | Ax, Ay := sk.PublicKey.Curve.ScalarBaseMult(p.r.Bytes()) 154 | p.pf.Ax = Ax 155 | p.pf.Ay = Ay 156 | 157 | return &p 158 | } 159 | -------------------------------------------------------------------------------- /ring/ed25519.go: -------------------------------------------------------------------------------- 1 | package ring 2 | 3 | import ( 4 | "crypto/ed25519" 5 | "crypto/rand" 6 | "crypto/sha512" 7 | "errors" 8 | 9 | "filippo.io/edwards25519" 10 | ) 11 | 12 | type ed25519Prover struct { 13 | r *edwards25519.Scalar 14 | pf ed25519Proof 15 | sk ed25519.PrivateKey 16 | pk ed25519.PublicKey 17 | } 18 | 19 | type ed25519Proof struct { 20 | A *edwards25519.Point 21 | Z *edwards25519.Scalar 22 | } 23 | 24 | // derieve secret from ed25519 secret key 25 | func ed25519SfromSK(sk ed25519.PrivateKey) *edwards25519.Scalar { 26 | if len(sk) != ed25519.PrivateKeySize { 27 | panic("ed25519: bad private key length") 28 | } 29 | 30 | seed := sk[:ed25519.SeedSize] 31 | 32 | h := sha512.Sum512(seed) 33 | s, err := edwards25519.NewScalar().SetBytesWithClamping(h[:32]) 34 | if err != nil { 35 | panic(err) 36 | } 37 | return s 38 | } 39 | 40 | func (pf ed25519Proof) Marshal() []byte { 41 | out := pf.A.Bytes() 42 | out = append(out, pf.Z.Bytes()...) 43 | return out 44 | } 45 | 46 | func (pf *ed25519Proof) Unmarshal(b []byte) error { 47 | if len(b) != 64 { 48 | return errors.New("ed25519 proof should be 64 bytes") 49 | } 50 | 51 | A, err := (&edwards25519.Point{}).SetBytes(b[:32]) 52 | if err != nil { 53 | return err 54 | } 55 | 56 | Z, err := (&edwards25519.Scalar{}).SetCanonicalBytes(b[32:]) 57 | if err != nil { 58 | return err 59 | } 60 | 61 | pf.A = A 62 | pf.Z = Z 63 | return nil 64 | } 65 | 66 | func ed25519RandomScalar() *edwards25519.Scalar { 67 | var rBytes [64]byte 68 | if _, err := rand.Read(rBytes[:]); err != nil { 69 | panic(err) 70 | } 71 | 72 | r, err := (&edwards25519.Scalar{}).SetUniformBytes(rBytes[:]) 73 | if err != nil { 74 | panic(err) 75 | } 76 | return r 77 | } 78 | 79 | func ed25519NewChallenge(chal challenge) *edwards25519.Scalar { 80 | c, err := edwards25519.NewScalar().SetUniformBytes( 81 | chal.Take("schorr-edwards25519-challenge", 64), 82 | ) 83 | if err != nil { 84 | panic(err) 85 | } 86 | return c 87 | } 88 | 89 | func (pf ed25519Proof) Commit(tx *transcript) { 90 | tx.Append([]byte("ed25519 proof")) 91 | tx.Append(pf.A.Bytes()) 92 | } 93 | 94 | func (pf ed25519Proof) Verify(pk interface{}, chal challenge) error { 95 | if pf.A == nil || pf.Z == nil { 96 | return errors.New("incomplete proof") 97 | } 98 | A := pf.computeA(pk.(ed25519.PublicKey), chal) 99 | if A.Equal(pf.A) != 1 { 100 | return errors.New("recompute commitment does not match") 101 | } 102 | return nil 103 | } 104 | 105 | func (pf ed25519Proof) computeA(pk ed25519.PublicKey, chal challenge) *edwards25519.Point { 106 | x, err := (&edwards25519.Point{}).SetBytes(pk) 107 | if err != nil { 108 | panic(err) 109 | } 110 | 111 | c := ed25519NewChallenge(chal) 112 | g := edwards25519.NewGeneratorPoint() 113 | 114 | l := (&edwards25519.Point{}).ScalarMult(pf.Z, g) 115 | r := (&edwards25519.Point{}).ScalarMult(c, x) 116 | r = r.Negate(r) 117 | 118 | return (&edwards25519.Point{}).Add(l, r) 119 | } 120 | 121 | func ed25519Sim(pk ed25519.PublicKey, chal challenge) *ed25519Proof { 122 | // [z] * g = [c] * x + a 123 | // [z] * g - [c] * x = a 124 | 125 | var pf ed25519Proof 126 | pf.Z = ed25519RandomScalar() 127 | pf.A = pf.computeA(pk, chal) 128 | 129 | return &pf 130 | } 131 | 132 | func (p ed25519Prover) Pf() proof { 133 | return &p.pf 134 | } 135 | 136 | func (p *ed25519Prover) Finish(chal challenge) { 137 | 138 | s := ed25519SfromSK(p.sk) 139 | c := ed25519NewChallenge(chal) 140 | 141 | p.pf.Z = (&edwards25519.Scalar{}).MultiplyAdd(c, s, p.r) 142 | p.r = nil 143 | } 144 | 145 | // Schorr proof 146 | func ed25519Prove(sk ed25519.PrivateKey) *ed25519Prover { 147 | 148 | // generate a commitment message 149 | 150 | var pf ed25519Proof 151 | 152 | g := edwards25519.NewGeneratorPoint() 153 | r := ed25519RandomScalar() 154 | 155 | pf.A = (&edwards25519.Point{}).ScalarMult(r, g) 156 | 157 | return &ed25519Prover{ 158 | pk: sk.Public().(ed25519.PublicKey), 159 | pf: pf, 160 | sk: sk, 161 | r: r, 162 | } 163 | } 164 | -------------------------------------------------------------------------------- /ring/keys.go: -------------------------------------------------------------------------------- 1 | package ring 2 | 3 | import ( 4 | "crypto" 5 | "crypto/ecdsa" 6 | "crypto/ed25519" 7 | "errors" 8 | "reflect" 9 | "strings" 10 | "unsafe" 11 | 12 | "golang.org/x/crypto/ssh" 13 | ) 14 | 15 | type PublicKey struct { 16 | pk ssh.PublicKey 17 | pk_ssh string // this is only used for displaying (the generated signature does not depend on it) 18 | } 19 | 20 | func (p *PublicKey) Id() string { 21 | return p.pk.Type() + "-" + ssh.FingerprintSHA256(p.pk) 22 | } 23 | 24 | type EncKeyPair struct { 25 | PK PublicKey 26 | SKPEM string // PEM serialized private key 27 | } 28 | 29 | type KeyPair struct { 30 | PK PublicKey 31 | SK interface{} 32 | } 33 | 34 | func (pk1 PublicKey) Equals(pk2 PublicKey) bool { 35 | return pk1.Id() == pk2.Id() 36 | } 37 | 38 | func (k *PublicKey) FP() string { 39 | return ssh.FingerprintSHA256(k.pk) 40 | } 41 | 42 | func (k *PublicKey) Name() string { 43 | return k.pk_ssh // k.FP() + " (" + k.pk.Type() + ")" 44 | } 45 | 46 | func (p *EncKeyPair) Parse() (*KeyPair, error) { 47 | sk, err := ssh.ParseRawPrivateKey([]byte(p.SKPEM)) 48 | if err != nil { 49 | return nil, err 50 | } 51 | return &KeyPair{ 52 | SK: sk, 53 | PK: p.PK, 54 | }, nil 55 | } 56 | 57 | func (p *EncKeyPair) Decrypt(passwd []byte) (*KeyPair, error) { 58 | sk, err := ssh.ParseRawPrivateKeyWithPassphrase([]byte(p.SKPEM), passwd) 59 | if err != nil { 60 | return nil, err 61 | } 62 | return &KeyPair{ 63 | SK: sk, 64 | PK: p.PK, 65 | }, nil 66 | } 67 | 68 | func PublicKeyFromStr(s string) (PublicKey, error) { 69 | pk_ssh := strings.TrimSpace(s) 70 | pk, _, _, _, err := ssh.ParseAuthorizedKey([]byte(pk_ssh)) 71 | if err != nil { 72 | return PublicKey{}, err 73 | } 74 | 75 | return PublicKey{ 76 | pk_ssh: pk_ssh, 77 | pk: pk, 78 | }, nil 79 | } 80 | 81 | func toCryptoPublicKey(pk PublicKey) crypto.PublicKey { 82 | switch pk.pk.Type() { 83 | case ssh.KeyAlgoED25519, ssh.KeyAlgoRSA, ssh.KeyAlgoECDSA256, ssh.KeyAlgoECDSA384, ssh.KeyAlgoECDSA521: 84 | return pk.pk.(ssh.CryptoPublicKey).CryptoPublicKey() 85 | 86 | case ssh.KeyAlgoSKECDSA256: 87 | // use reflection to access the inner (unexported) ecdsa.PublicKey 88 | rs := reflect.ValueOf(pk.pk) 89 | rs2 := reflect.New(rs.Type()).Elem() 90 | rs2.Set(rs) 91 | 92 | // access the second field 93 | rf := reflect.Indirect(rs2).Field(1) 94 | rf = reflect.NewAt(rf.Type(), unsafe.Pointer(rf.UnsafeAddr())).Elem() 95 | 96 | // copy the inner value into an ecdsa.PublicKey 97 | var inner ecdsa.PublicKey 98 | ri := reflect.ValueOf(&inner).Elem() 99 | ri.Set(rf) 100 | return &inner 101 | 102 | case ssh.KeyAlgoSKED25519: 103 | // use reflection to access the inner (unexported) ed25519.PublicKey 104 | rs := reflect.ValueOf(pk.pk) 105 | rs2 := reflect.New(rs.Type()).Elem() 106 | rs2.Set(rs) 107 | 108 | // access the second field 109 | rf := reflect.Indirect(rs2).Field(1) 110 | rf = reflect.NewAt(rf.Type(), unsafe.Pointer(rf.UnsafeAddr())).Elem() 111 | 112 | // copy the inner value into an ecdsa.PublicKey 113 | var inner ed25519.PublicKey 114 | ri := reflect.ValueOf(&inner).Elem() 115 | ri.Set(rf) 116 | return inner 117 | 118 | default: 119 | panic(errors.New("unknown key type")) 120 | } 121 | } 122 | -------------------------------------------------------------------------------- /ring/ring_test.go: -------------------------------------------------------------------------------- 1 | package ring 2 | 3 | import ( 4 | "math/rand" 5 | "testing" 6 | 7 | "golang.org/x/crypto/ssh" 8 | ) 9 | 10 | type testKeyPair struct { 11 | pk string 12 | sk string 13 | } 14 | 15 | var testKeys []testKeyPair = []testKeyPair{ 16 | testKeyPair{ 17 | pk: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1Gbv1qD9Lj7kX0SgEnN7OEHphcn0xdziUE76MEGLhs6UbWiGvI6akuFw7kWYu1QAtK/pfoRSoxxNKjJURQDOPkO9HBsbk3qutFrvwJsZBAeif/ywyg357+NT2iv0v/bCOL/n/apKTbojdAFsWCrFGienbaTC4iQpAAK9uvj36WE7kFNEJ41y5VlWWm+u7geurJC3lhxyukHsH0g+aidTaFHyVMIPMJG6yK82F4myYAnaCT0I543RzRIldiiaJzJ1Wv1WHiByRhwLs7esggwvZlu1I9jxjFHSWRxDyfg/8SJk1JE/cuDiBltdWhA0YOrRJIyQsp1JdBl1frGgqUql+1mmOzhqOXcYb+OflxAjB4y2FSMwnBZP+AAzRSkbxWvHXbJKZBvrah3CEb3FL8Pri/Jt+dNXKwdOuRriwHKApelaAGZYtQI3++IPyi3lh7+tSi5QUAVCWUycxmSUo0kl09L/oXxkkA+aLQfWGQva6sl+Yg72q5qTApilIDh0uJtjzTd49FsUoiNn3FqRbiXnRYiKJf4HKyLNRWoyptLwttVu0P5cTyBXsCj0ocRcBscWO/P2x/4pnqK3Vn795Fo3OjKjaswmPJu0wrbIn9agQWW6p++RExAqfH7IwReEXb4FGuN4tJPW4vO4ny+uFBGOjS396EK7uJoQ92iKesNJ0qQ==", 18 | sk: ` 19 | -----BEGIN OPENSSH PRIVATE KEY----- 20 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn 21 | NhAAAAAwEAAQAAAgEAtRm79ag/S4+5F9EoBJzezhB6YXJ9MXc4lBO+jBBi4bOlG1ohryOm 22 | pLhcO5FmLtUALSv6X6EUqMcTSoyVEUAzj5DvRwbG5N6rrRa78CbGQQHon/8sMoN+e/jU9o 23 | r9L/2wji/5/2qSk26I3QBbFgqxRonp22kwuIkKQACvbr49+lhO5BTRCeNcuVZVlpvru4Hr 24 | qyQt5YccrpB7B9IPmonU2hR8lTCDzCRusivNheJsmAJ2gk9COeN0c0SJXYomicydVr9Vh4 25 | gckYcC7O3rIIML2ZbtSPY8YxR0lkcQ8n4P/EiZNSRP3Lg4gZbXVoQNGDq0SSMkLKdSXQZd 26 | X6xoKlKpftZpjs4ajl3GG/jn5cQIweMthUjMJwWT/gAM0UpG8Vrx12ySmQb62odwhG9xS/ 27 | D64vybfnTVysHTrka4sBygKXpWgBmWLUCN/viD8ot5Ye/rUouUFAFQllMnMZklKNJJdPS/ 28 | 6F8ZJAPmi0H1hkL2urJfmIO9quakwKYpSA4dLibY803ePRbFKIjZ9xakW4l50WIiiX+Bys 29 | izUVqMqbS8LbVbtD+XE8gV7Ao9KHEXAbHFjvz9sf+KZ6it1Z+/eRaNzoyo2rMJjybtMK2y 30 | J/WoEFluqfvkRMQKnx+yMEXhF2+BRrjeLST1uLzuJ8vrhQRjo0t/ehCu7iaEPdoinrDSdK 31 | kAAAdIxBfPpsQXz6YAAAAHc3NoLXJzYQAAAgEAtRm79ag/S4+5F9EoBJzezhB6YXJ9MXc4 32 | lBO+jBBi4bOlG1ohryOmpLhcO5FmLtUALSv6X6EUqMcTSoyVEUAzj5DvRwbG5N6rrRa78C 33 | bGQQHon/8sMoN+e/jU9or9L/2wji/5/2qSk26I3QBbFgqxRonp22kwuIkKQACvbr49+lhO 34 | 5BTRCeNcuVZVlpvru4HrqyQt5YccrpB7B9IPmonU2hR8lTCDzCRusivNheJsmAJ2gk9COe 35 | N0c0SJXYomicydVr9Vh4gckYcC7O3rIIML2ZbtSPY8YxR0lkcQ8n4P/EiZNSRP3Lg4gZbX 36 | VoQNGDq0SSMkLKdSXQZdX6xoKlKpftZpjs4ajl3GG/jn5cQIweMthUjMJwWT/gAM0UpG8V 37 | rx12ySmQb62odwhG9xS/D64vybfnTVysHTrka4sBygKXpWgBmWLUCN/viD8ot5Ye/rUouU 38 | FAFQllMnMZklKNJJdPS/6F8ZJAPmi0H1hkL2urJfmIO9quakwKYpSA4dLibY803ePRbFKI 39 | jZ9xakW4l50WIiiX+BysizUVqMqbS8LbVbtD+XE8gV7Ao9KHEXAbHFjvz9sf+KZ6it1Z+/ 40 | eRaNzoyo2rMJjybtMK2yJ/WoEFluqfvkRMQKnx+yMEXhF2+BRrjeLST1uLzuJ8vrhQRjo0 41 | t/ehCu7iaEPdoinrDSdKkAAAADAQABAAACACmUcgJSEc5AfmfIft6oQcOgJukOx02/KL9e 42 | 1SYFcR6PB36DMC6tCcrSBWMr3AEuqG62pTKloj+qDXTVWDhwvCXfSgDNvoa31UTVbmsSC/ 43 | zK+mUZykUCydye4g6FFOKa5ZmPzF9nUaYF/+h193PVGqSub4IP4b7MwAy324+aoFJFSj+1 44 | w9T4Xcaz2szMmdAgYUKW+O61GdG+nHDMOwbpVHSJtZzvWaNaTgwcYIC33uT708fReMwfvB 45 | HnD37phDWpRAqxvWpzxtNm4zYQ3iZF0EeyDmLtHipFfQsv3+U9KmBrLrnzz15G8bpXLrPP 46 | d84zVEdiiSCzfgabun6H8BafigiQ4hxq9YHeKeS1FF0PJZNux13EuMQc9d+gvre4NrM8Uq 47 | FowPOC5C8l8esY+AWZHFSXFIx//ifcJgP8m1GZG6RxbTqEDOlqVrXJsGjKvhJEDb7gFDcm 48 | u8BF6yIS4eOv+Mrwec5B2mU8hhShmCVtIvCUV+1lFnx0+3So6wmFJZ/Pt+NQu+YK7I1fnG 49 | shEEFbgkJNcHc662Xg9et0TxfKeEtjbvXhtlUoRMbS78i19LZ+fqWjWr77aUL04cA+BL9T 50 | bTjJEEn9W3JSlXgd0vElr8qWMYI8RgI1xS3S/l6O3h3B5Cby1YLUqGQmhXKLqPsOLIGpxX 51 | LEAb/5WvJAMpRIoftdAAABAQCr3mQoUpUIQ6SXnvzleNMJCvxLxZNowGz13kfyX0rwJzHr 52 | RnowmZBO+Z5i2bhyjfpWYX8VE6edMW0qWMa1DfbwbRZnV2vdbgr+Otc09wDHhsn/qsJCqD 53 | 2k3yAXg1FFTQFzdUEzEazokgAf88IJqEgpaSbG2NQC1rlcRgfC12h9vyYklA1BqlmphHS8 54 | nLe1Q6Vak+40kVgBQ0bnYZgSFmRNi3G97wQAM0KqhDa48FMkzeR/IA5YJ83F1X2cFkKGR8 55 | JV77160Z9K9yqjGeXmeySHpxQNLFCO8zVRquImAC/fFSpKYjrT7y67JLxP97ETyZriHa7L 56 | aMWAKWcFm8wLQQ2OAAABAQDFKMZBDyk8V3F0L74dWWhBbgUJLVkq3XxbUK1YpkbvLGS3VJ 57 | WVRzmI0sb7GnKRANjhV7mqiJ3+Qrl8fEBZyATpiP6/PuoM4mNWM0DHLKkJ6t9v8ZymSP3r 58 | 62euR5fqMyEiShT5iRjZC+e4o+paGuMSP8z79FXp0x4czX/e40nSiUXIx1UzjJUpvh4WYg 59 | 9Jo/iyVbVVm41ylUkUIcGhAyXBWtqNOfWZ0Jx2h18AomUs68Dha0qhaiAjDzzgNhGL4arX 60 | 6ZDXDfLPsASdc1SoenY8MvpUsF1bM3pxzIKdeZPysj8FBknu4ToUfwcCqMfeGnNAsSeefc 61 | GM/F4YbYjnrovjAAABAQDrJgzgGuFREuGXVKzodv31M7W8rSqMOwNx5KQsuZDMaNCdfEcg 62 | PzSvc66r+I0reYaRufNdFOFST3gwyZNuTQPmGKd9+gEeIRmcdZI4sL5f5vtamXqw6i3are 63 | XAQ8FuWTVdFuVRTkBemnHc6MFeQv/Frlq7SbScl8L1KQpqEqjpsZJ1Q27+YZb+GiaXOp4f 64 | JGZ7LoZsTw/0prXo1bb3h7qQYlk8A+KSnd0iDO9vPYgQu3N146di4rxeBHQa93mbXsawbL 65 | AQh5og5t5TDk3FGzkR/FaO0YZEW23Vcy+ix0nHMVGo6bTLwoK5wrJRDWgl76HSpJieUOMv 66 | b9LovSiDiLsDAAAAC3JvdDI1NkBoZXhhAQIDBAUGBw== 67 | -----END OPENSSH PRIVATE KEY-----`, 68 | }, 69 | testKeyPair{ 70 | pk: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCdDfXDTEmWgEuj/dTs8nSV+Ec2bczZhJNlRDe+3A2SWoGLlxHjSrq/TQULFrll2JrzSrGiCpQ9/E81G9KoHMErUZKS5aYAPkc/XQrJ/WdN3f5JNM7TfDcO2oYce3IiC+4qm9DuYlRr51TjqUDyoxp5XBXMMyZcGbQguDr9enCRXm9t/3KdTdgmc5PjqQO+OKFV9vkO5xD1hD+snXkIMmaIjTbkUR03CjxHPwJQMtMXWhmuHbSkKXlyeTQLdEfN82F09JYSOhcPxxs5bRbPOurYepgmFPRq3dqwhVu2Cc8lrYXAA4yE1ce66VvfRLyLqpuu0z6WTTA4PwcpYfY5prrroLwzFtYHLzzY/J8+frsbuejym4un96u5Ub4Jh4eqO59BsOm0nFf95wG7HLps7XKxCgUqErXDS7aHOZ9LCmtGno/sB/9bnKIDT5MJWcJO30ohBSNTvxtWgfe6srgohsUOnaQJtFmB346G/YpwJMKgRlL3ri4Ln0z7Yujzj6HO9rM=", 71 | sk: ` 72 | -----BEGIN OPENSSH PRIVATE KEY----- 73 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn 74 | NhAAAAAwEAAQAAAYEAnQ31w0xJloBLo/3U7PJ0lfhHNm3M2YSTZUQ3vtwNklqBi5cR40q6 75 | v00FCxa5Zdia80qxogqUPfxPNRvSqBzBK1GSkuWmAD5HP10Kyf1nTd3+STTO03w3DtqGHH 76 | tyIgvuKpvQ7mJUa+dU46lA8qMaeVwVzDMmXBm0ILg6/XpwkV5vbf9ynU3YJnOT46kDvjih 77 | Vfb5DucQ9YQ/rJ15CDJmiI025FEdNwo8Rz8CUDLTF1oZrh20pCl5cnk0C3RHzfNhdPSWEj 78 | oXD8cbOW0Wzzrq2HqYJhT0at3asIVbtgnPJa2FwAOMhNXHuulb30S8i6qbrtM+lk0wOD8H 79 | KWH2Oaa666C8MxbWBy882PyfPn67G7no8puLp/eruVG+CYeHqjufQbDptJxX/ecBuxy6bO 80 | 1ysQoFKhK1w0u2hzmfSwprRp6P7Af/W5yiA0+TCVnCTt9KIQUjU78bVoH3urK4KIbFDp2k 81 | CbRZgd+Ohv2KcCTCoEZS964uC59M+2Lo84+hzvazAAAFgOG8YbPhvGGzAAAAB3NzaC1yc2 82 | EAAAGBAJ0N9cNMSZaAS6P91OzydJX4RzZtzNmEk2VEN77cDZJagYuXEeNKur9NBQsWuWXY 83 | mvNKsaIKlD38TzUb0qgcwStRkpLlpgA+Rz9dCsn9Z03d/kk0ztN8Nw7ahhx7ciIL7iqb0O 84 | 5iVGvnVOOpQPKjGnlcFcwzJlwZtCC4Ov16cJFeb23/cp1N2CZzk+OpA744oVX2+Q7nEPWE 85 | P6ydeQgyZoiNNuRRHTcKPEc/AlAy0xdaGa4dtKQpeXJ5NAt0R83zYXT0lhI6Fw/HGzltFs 86 | 866th6mCYU9Grd2rCFW7YJzyWthcADjITVx7rpW99EvIuqm67TPpZNMDg/Bylh9jmmuuug 87 | vDMW1gcvPNj8nz5+uxu56PKbi6f3q7lRvgmHh6o7n0Gw6bScV/3nAbscumztcrEKBSoStc 88 | NLtoc5n0sKa0aej+wH/1ucogNPkwlZwk7fSiEFI1O/G1aB97qyuCiGxQ6dpAm0WYHfjob9 89 | inAkwqBGUveuLgufTPti6POPoc72swAAAAMBAAEAAAGABRCZr+Iqb12U0uWRM9D/3IREu6 90 | cf15X0cOwZxiBvmZwsmFVXYNacniW8N2bUtMme+aCbiOfBbxxPa52Jlh1TR3Paf71DNLfN 91 | cWgtPGVdKwAxPqgi0WQsnGCEua9rd1ieJiafPsjSAybTMIJZU1naNTa4hzzRDGBR1EpMsL 92 | b9oVqDym7WAeesRFUu3EUrlztZTJ3p20atX9WTfhwX9qE1eErhjcxl3kwItJ1+FBsHfrXL 93 | pTdVB4RE4+GvwXzPAf/KxF1lmiuXGtuXdNGi1q03HvCgO10MhcYWw2WiS6GLG6NfAta1jA 94 | +R1twoeO0qz1Bi8y0AXj2thpuPmUhtolHJbSeGm/JHRgv70VYJExHWyaHONIkqVBlUiIbV 95 | N+BklbyiCkGyM0C9U+dg3qAqd2gBVST8L1jH3aC4HfHrGvW7VaX8nu2fXliEXcWNCpk9ic 96 | YVH9/Y8iM1izERlmBHjcXf86XWsu85uGCkIsCExJe95SlKd14w9eL6lQP6QMXvLPw9AAAA 97 | wCXvM8QypXOYY3b+AvlWdw2pUMQTqjw07aVqnbyN1N71KYtxrVxcGkS5cvO1VFuYtQGMBT 98 | VJF3YAJl6WS1crD4I37WjnnhbftYrk2X5vD7bFP4gdrbkAxmwqgMKdjgCZfE+ZyCezLR1a 99 | JValPFlbjQej4FOP3sRf6au0zTWs4II04tkeUBMc9mCv7pS7vrYfFeWy29IL5lWxyRdfdu 100 | 7P7JKx8jgfcPnUlFoU7lcN/5yi2HHJzI3eJUbTuItayGIiKQAAAMEAyc+mmvGWmVqUdmbT 101 | ak5lcNtB5gtwgezNVSCG/5TVuIDyIcpHEEMPJMY8AGskHNxZx1eCOcrlyMmbKScIRxfbNa 102 | b/HwGzuBBPbG7K1HQy2PYKBunOLAHZSwzDtvC305XSmoXLFMO/f5KLYCbD9moWoKY64TlH 103 | JFRYEUH7pk4mwKkNvgj7a9V3S64TmcEYYsONVBVjSYVqa4vd/gBSX5Gx3RdRngCcdyIW7k 104 | 3Y7qKESv0kNOWIEu5x6HUz6CBK5JhfAAAAwQDHOcXpXFVJlV5RCJssOvmLv6gh9sEpH/vq 105 | o08EmlAR9/1lcw/yC61zjldlhnltRJDPchnXYsQC61ApKuPssWzzc+xCq03BAjypjw1FKz 106 | FqubdFZ2Kbjg+85YAzv8HVKvGrnxpkI2GbIgpudTHOVT4Bse/qIgV+nYY7GITU5xxS7Q7B 107 | vZJDfW+aY5B/IH13oYiZtB4JHc9knm6XtX6riEbKWcQgAegW/ZoR2rDTgow6nZeThojFR7 108 | jbQ42WdwmGki0AAAALcm90MjU2QGhleGE= 109 | -----END OPENSSH PRIVATE KEY-----`, 110 | }, 111 | testKeyPair{ 112 | pk: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMGjtL/v4fT7tGHtNgyw8PphfeqDspm2T4GcnxWt1PVN+VcVtLLl9gULtE+w1t0VWPtTn4hjh9aHk5HySXD2nGfe9og5XXR9qFxwqlJVZTCRTC+tYKdMfm9TqmRn+iFLZIXUlP3gl4b2Cn77bND0UZmWDfldlT+oaGjXyzbjetCBR5O7HKDvN71NbFm1fjzOHlxK55caEZKUdEsge/ndWEl9qfu7gWX9kJwp8PCUPd5Ni8y8wMarA/eUV6Ssw6IhnhNqhFgNY5uKwEDkIAyvL1RssodIq4GLa11L4yvGxzOBiO9NZtaQmRlFvyVECiAYrLE1XN5rM41eg5GrykRnzp", 113 | sk: ` 114 | -----BEGIN OPENSSH PRIVATE KEY----- 115 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn 116 | NhAAAAAwEAAQAAAQEAzBo7S/7+H0+7Rh7TYMsPD6YX3qg7KZtk+BnJ8VrdT1TflXFbSy5f 117 | YFC7RPsNbdFVj7U5+IY4fWh5OR8klw9pxn3vaIOV10fahccKpSVWUwkUwvrWCnTH5vU6pk 118 | Z/ohS2SF1JT94JeG9gp++2zQ9FGZlg35XZU/qGho18s243rQgUeTuxyg7ze9TWxZtX48zh 119 | 5cSueXGhGSlHRLIHv53VhJfan7u4Fl/ZCcKfDwlD3eTYvMvMDGqwP3lFekrMOiIZ4TaoRY 120 | DWObisBA5CAMry9UbLKHSKuBi2tdS+MrxsczgYjvTWbWkJkZRb8lRAogGKyxNVzeazONXo 121 | ORq8pEZ86QAAA8h52fjXedn41wAAAAdzc2gtcnNhAAABAQDMGjtL/v4fT7tGHtNgyw8Pph 122 | feqDspm2T4GcnxWt1PVN+VcVtLLl9gULtE+w1t0VWPtTn4hjh9aHk5HySXD2nGfe9og5XX 123 | R9qFxwqlJVZTCRTC+tYKdMfm9TqmRn+iFLZIXUlP3gl4b2Cn77bND0UZmWDfldlT+oaGjX 124 | yzbjetCBR5O7HKDvN71NbFm1fjzOHlxK55caEZKUdEsge/ndWEl9qfu7gWX9kJwp8PCUPd 125 | 5Ni8y8wMarA/eUV6Ssw6IhnhNqhFgNY5uKwEDkIAyvL1RssodIq4GLa11L4yvGxzOBiO9N 126 | ZtaQmRlFvyVECiAYrLE1XN5rM41eg5GrykRnzpAAAAAwEAAQAAAQAHykmF8faLmzy2kAcj 127 | 4Y7n20BRJo0piPhD3aIe/5zvrKQ4XUJYM9h+lzOVTgVvcgcTbDNJUyrVTeHwm58cfUFdiu 128 | F9f6Y+DbdKFgndOfgEmoBhHSIDIKgfnoUNoyZhzpYS3C1SlSg54VBoYIZ9ka4NbH9YJq1L 129 | 9AWN8wO1393+ppKQuQHF0TAQT6HKEePS2LSjrAQIis8lq2vdvREfbcxWjKhy0aDbU3ztLM 130 | QLIVFsIUGzZFGosyQlu0jOpTJKV2Hl4px0DnV1moy1bxG8kzO+9LP4lgIO7UC/rdbrk7AE 131 | 0H7t+ZveEDTxDpuuwTPR8mE9ka4wNHm0qXMEOPMiCPuNAAAAgQDR36rFbXaMuLkbprWBZZ 132 | kD8V4AcF5uKz1WvMpH0BD0DRGo1FwGOMgXpW7QpStvlDIwhHNrKIw2AR+N+xQjzdVfEfWM 133 | 2zQu5ZCDq4Ez0NWTkTUTA1m4hklsCU9SJzsMUJPhiqTuyHs1AGhZrIe/i0s19S/kVrG4Xy 134 | RVa5R+WzS9rQAAAIEA85mIJZvb6kZkEBoZlVN5dU825zwsZX6Ah8APyprkh8Fu7WlPqLWu 135 | RgsKUtx8pqHXuijcbF6QpL9+8KvOdZyZ4rdgkTLJvOc9LWnApWFleUBg0GeOkSEFU6OvvO 136 | Fl7eUcsh+kK8URS/HPxI8TVUYG1ac69TfCme6Crzszs/FpAH0AAACBANZ9/dBxi2C6dOKS 137 | VFbve+BVFxmpTvyzOQeVqdoYCHJONX1C5mRX4e43WuWRTnqLxBCIhZtKmbaI8sM06aEOiL 138 | pw2iheaic1bvOFirw0uml6UBKwY6lpbvcSqg6AuD8rzCmWQsXULh8CdpLdVXLGz/x4Ft1n 139 | f7rHzl1MD6T5+yXdAAAAC3JvdDI1NkBoZXhhAQIDBAUGBw== 140 | -----END OPENSSH PRIVATE KEY-----`, 141 | }, 142 | testKeyPair{ 143 | pk: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDG1A2g2BDCkfyI1SYh3rJn+5MZg9CQFdVQpwJeUy9bYkj6j9EgzMYg3SGeJeIlvAarPjka9qhZBhZ4xxvfoVPEMm2aAG1Lg3IjHV2ilRqbXDoHbNkB4d9H4fvYta1q/+wIL7daTQSSo/lgas9zfCivMoIQa5NjPno58cs9hJxpGw==", 144 | sk: ` 145 | -----BEGIN OPENSSH PRIVATE KEY----- 146 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAlwAAAAdzc2gtcn 147 | NhAAAAAwEAAQAAAIEAxtQNoNgQwpH8iNUmId6yZ/uTGYPQkBXVUKcCXlMvW2JI+o/RIMzG 148 | IN0hniXiJbwGqz45GvaoWQYWeMcb36FTxDJtmgBtS4NyIx1dopUam1w6B2zZAeHfR+H72L 149 | Wtav/sCC+3Wk0EkqP5YGrPc3worzKCEGuTYz56OfHLPYScaRsAAAII40h81uNIfNYAAAAH 150 | c3NoLXJzYQAAAIEAxtQNoNgQwpH8iNUmId6yZ/uTGYPQkBXVUKcCXlMvW2JI+o/RIMzGIN 151 | 0hniXiJbwGqz45GvaoWQYWeMcb36FTxDJtmgBtS4NyIx1dopUam1w6B2zZAeHfR+H72LWt 152 | av/sCC+3Wk0EkqP5YGrPc3worzKCEGuTYz56OfHLPYScaRsAAAADAQABAAAAgDlCtLIPx7 153 | PhSzM0/4hdlE+x+gktFxGH2CkkD+COYGMXCSFv7bBeiOjKBnZ/PoPThLAoeVW0l4Mb57jc 154 | zsA2u+KQyo5ZW8ngpqbw+LK22C0UCUSsjOk14cWqta/robvtmGlIjlch/V7DEnwRfyIkAP 155 | yokE109HS+oDQpls+oeYIxAAAAQQCHI3TY0O75nwszAZHleplQuPXCLHvvRSkd6l/JERkS 156 | ZPz8LoPIW0oDtcLh9tpKcVWCm4ZuWuoDnlF46ozOU7WOAAAAQQDxk/uCeEsBikavYQe/Z3 157 | S8bdPdHCu7jZZP4gjSBFmlBAkJmg+ZDCQC49ZaH1RwD+f6akQic4iGiN1wVMO8aoBfAAAA 158 | QQDSsrrzHioWa5i5n1h15r97xJic7VfjfcgUbdEQpGF4lDBKVZy7O9VMyGaqE4wxIyixh1 159 | hTn7WRDnw/Vydn/GDFAAAAC3JvdDI1NkBoZXhhAQIDBAUGBw== 160 | -----END OPENSSH PRIVATE KEY-----`, 161 | }, 162 | testKeyPair{ 163 | pk: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYImAgE51Zr2qgtm35nzY/88h9gYehjW9+CNa87mb5P", 164 | sk: ` 165 | -----BEGIN OPENSSH PRIVATE KEY----- 166 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW 167 | QyNTUxOQAAACBmCJgIBOdWa9qoLZt+Z82P/PIfYGHoY1vfgjWvO5m+TwAAAJA42+zRONvs 168 | 0QAAAAtzc2gtZWQyNTUxOQAAACBmCJgIBOdWa9qoLZt+Z82P/PIfYGHoY1vfgjWvO5m+Tw 169 | AAAEC4yVHLE00IjntOw0ZPEvja/kDeiLgWQK4N+NQ4TKm4zGYImAgE51Zr2qgtm35nzY/8 170 | 8h9gYehjW9+CNa87mb5PAAAAC3JvdDI1NkBoZXhhAQI= 171 | -----END OPENSSH PRIVATE KEY-----`, 172 | }, 173 | testKeyPair{ 174 | pk: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFmtb463zcFyZMdh23djtu2hQU5CUQHQKVwRkVMugOC", 175 | sk: ` 176 | -----BEGIN OPENSSH PRIVATE KEY----- 177 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW 178 | QyNTUxOQAAACDhZrW+Ot83BcmTHYdt3Y7btoUFOQlEB0ClcEZFTLoDggAAAJBrnHABa5xw 179 | AQAAAAtzc2gtZWQyNTUxOQAAACDhZrW+Ot83BcmTHYdt3Y7btoUFOQlEB0ClcEZFTLoDgg 180 | AAAEBYoBOpMvswZxK302oXzsfetRzdXD+BWRRCI9a4Kv6xweFmtb463zcFyZMdh23djtu2 181 | hQU5CUQHQKVwRkVMugOCAAAAC3JvdDI1NkBoZXhhAQI= 182 | -----END OPENSSH PRIVATE KEY-----`, 183 | }, 184 | testKeyPair{ 185 | pk: "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDOQPd+sUiGWMhnMe8umAxVc5GmGM0/OFJkTDIGecGbCAAAABHNzaDo=", 186 | sk: ` 187 | -----BEGIN OPENSSH PRIVATE KEY----- 188 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAASgAAABpzay1zc2 189 | gtZWQyNTUxOUBvcGVuc3NoLmNvbQAAACAzkD3frFIhljIZzHvLpgMVXORphjNPzhSZEwyB 190 | nnBmwgAAAARzc2g6AAAA8BtxfCAbcXwgAAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY2 191 | 9tAAAAIDOQPd+sUiGWMhnMe8umAxVc5GmGM0/OFJkTDIGecGbCAAAABHNzaDoBAAAAgFYp 192 | IoE5Nk1NWUs5lsfr/weMX/RzF0C5I+5KezKhfBjpb4gAdFL0q2F1Kf/ltgXGq1Eg89JVLp 193 | LlgWaGafO+JXzLfzdYzZrfYc73xEZTngk/j5DPcaDH1x6/YnBgU3TIEVzZf3demyZg7RSv 194 | twHAN7bHDxJsv3WXRw/JjeRpgkiFAAAAAAAAAAtyb3QyNTZAaGV4YQECAwQFBg== 195 | -----END OPENSSH PRIVATE KEY-----`, 196 | }, 197 | testKeyPair{ 198 | pk: "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAyoeQnJJ6+OYB+oy8jshG3PM2cHQSqCtcnsEBxf2lqT0QTdw0u07neT09ZVqut3HdtZkSJ1+TfYxB3yX9M5nB0=", 199 | sk: ` 200 | -----BEGIN OPENSSH PRIVATE KEY----- 201 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS 202 | 1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQMqHkJySevjmAfqMvI7IRtzzNnB0Eq 203 | grXJ7BAcX9pak9EE3cNLtO53k9PWVarrdx3bWZEidfk32MQd8l/TOZwdAAAAqKcC7SGnAu 204 | 0hAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAyoeQnJJ6+OYB+o 205 | y8jshG3PM2cHQSqCtcnsEBxf2lqT0QTdw0u07neT09ZVqut3HdtZkSJ1+TfYxB3yX9M5nB 206 | 0AAAAgAqqeG68xdER0mnkNJ9QCx1cLQf+28ahmSX5WMO5wRcEAAAALcm90MjU2QGhleGEB 207 | AgMEBQ== 208 | -----END OPENSSH PRIVATE KEY-----`, 209 | }, 210 | testKeyPair{ 211 | pk: "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBGpdENH6L6VZFX21t8Rd2mDeQRa5jPhiFAE+EWrc+olJjNj7sjJIWm5AR6Gp+7NxfwEFf6h8rC96tk2Y1ik+UI4AAAAEc3NoOg==", 212 | sk: ` 213 | -----BEGIN OPENSSH PRIVATE KEY----- 214 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAfwAAACJzay1lY2 215 | RzYS1zaGEyLW5pc3RwMjU2QG9wZW5zc2guY29tAAAACG5pc3RwMjU2AAAAQQRqXRDR+i+l 216 | WRV9tbfEXdpg3kEWuYz4YhQBPhFq3PqJSYzY+7IySFpuQEehqfuzcX8BBX+ofKwverZNmN 217 | YpPlCOAAAABHNzaDoAAADguAETGLgBExgAAAAic2stZWNkc2Etc2hhMi1uaXN0cDI1NkBv 218 | cGVuc3NoLmNvbQAAAAhuaXN0cDI1NgAAAEEEal0Q0fovpVkVfbW3xF3aYN5BFrmM+GIUAT 219 | 4Ratz6iUmM2PuyMkhabkBHoan7s3F/AQV/qHysL3q2TZjWKT5QjgAAAARzc2g6AQAAAEDz 220 | 0O7gKVwW+fFf/yaf8eL2ukVRzRIUU0Dv2eXr8Ckhg2nT9f/eeWGICsV2Hm9VC0mKVyR3eJ 221 | kPUeA+/gnFtKuWAAAAAAAAAAtyb3QyNTZAaGV4YQE= 222 | -----END OPENSSH PRIVATE KEY-----`, 223 | }, 224 | } 225 | 226 | func TestSignVerify(t *testing.T) { 227 | 228 | for rep := 0; rep < 50; rep++ { 229 | // copy keys 230 | keys := make([]testKeyPair, len(testKeys)) 231 | copy(keys, testKeys) 232 | 233 | // shuffle the keys in the ring 234 | rand.Shuffle(len(keys), func(i, j int) { keys[i], keys[j] = keys[j], keys[i] }) 235 | 236 | // decode keys 237 | sks := make([]KeyPair, 0, len(keys)) 238 | pks := make([]PublicKey, 0, len(keys)) 239 | for i := 0; i < len(testKeys); i++ { 240 | pk, err := PublicKeyFromStr(keys[i].pk) 241 | if err != nil { 242 | t.Error(err) 243 | } 244 | 245 | sk, err := ssh.ParseRawPrivateKey([]byte(keys[i].sk)) 246 | if err != nil { 247 | sk = nil // -sk keys are not supported 248 | } 249 | 250 | pks = append(pks, pk) 251 | sks = append( 252 | sks, 253 | KeyPair{ 254 | PK: pk, 255 | SK: sk, 256 | }, 257 | ) 258 | } 259 | 260 | msg := []byte("test") 261 | 262 | // pick the signing key in the ring 263 | var sk KeyPair 264 | for n := 0; sk.SK == nil; n++ { 265 | sk = sks[n] 266 | } 267 | 268 | t.Log(sk) 269 | t.Log(pks) 270 | 271 | sig := Sign(sk, pks, msg) 272 | 273 | _, err := sig.Verify(pks) 274 | if err != nil { 275 | t.Error(err) 276 | } 277 | 278 | } 279 | 280 | } 281 | -------------------------------------------------------------------------------- /ring/rsa.go: -------------------------------------------------------------------------------- 1 | package ring 2 | 3 | // Assumes StrongRSA 4 | // Note: not technically a PoK (and therefore not a sigma protocol) for the secret key: 5 | // there is no reduction from inverting the RSA permutation to recoving the order of the group 6 | // (equiv. the factorization of the modulus) 7 | // 8 | // Instead it demonstrates that the prover can invert the permutation. 9 | // The proof is however SHVZK. 10 | 11 | import ( 12 | "crypto/rand" 13 | "crypto/rsa" 14 | "encoding/asn1" 15 | "errors" 16 | "math/big" 17 | ) 18 | 19 | type rsaProver struct { 20 | pf rsaProof 21 | sk *rsa.PrivateKey 22 | } 23 | 24 | type rsaProof struct { 25 | A *big.Int // image 26 | Z *big.Int // preimage of (a + c) mod N 27 | } 28 | 29 | func rsaChallenge(pk *rsa.PublicKey, chal challenge) *big.Int { 30 | return chal.Int("rsa-challenge", pk.N) 31 | } 32 | 33 | func randomZnElem(pk *rsa.PublicKey) *big.Int { 34 | // read random bytes 35 | n := pk.N.BitLen() / 8 36 | bs := make([]byte, 2*n) 37 | if _, err := rand.Read(bs); err != nil { 38 | panic(err) 39 | } 40 | 41 | // reduce mod N 42 | r := (&big.Int{}).SetBytes(bs) 43 | return r.Mod(r, pk.N) 44 | } 45 | 46 | func rsaPerm(pk *rsa.PublicKey, input *big.Int) *big.Int { 47 | return (&big.Int{}).Exp( 48 | input, 49 | big.NewInt(int64(pk.E)), 50 | pk.N, 51 | ) 52 | } 53 | 54 | func (pf *rsaProof) Verify(pki interface{}, chal challenge) error { 55 | pk := pki.(*rsa.PublicKey) 56 | 57 | // strict encoding: all numbers in \ZZ_N canonical 58 | if pk.N.Cmp(pf.A) != 1 { 59 | return errors.New("field A is not canonically encoded in ZZ_N") 60 | } 61 | if pk.N.Cmp(pf.Z) != 1 { 62 | return errors.New("field Z is not canonically encoded in ZZ_N") 63 | } 64 | 65 | // compute challenge 66 | c := rsaChallenge(pk, chal) 67 | 68 | // img = a + c (image) 69 | img := (&big.Int{}).Add(pf.A, c) 70 | img = img.Mod(img, pk.N) 71 | 72 | // check that \phi(z) = a + c 73 | if rsaPerm(pk, pf.Z).Cmp(img) != 0 { 74 | return errors.New("challenge is not inverted correctly") 75 | } 76 | 77 | return nil 78 | } 79 | 80 | func rsaSim(pk *rsa.PublicKey, chal challenge) *rsaProof { 81 | var pf rsaProof 82 | 83 | // convert challenge to element in Z_N 84 | c := rsaChallenge(pk, chal) 85 | 86 | // z <- Z_N 87 | pf.Z = randomZnElem(pk) 88 | 89 | // phi(z) = a + c mod N 90 | // a = phi(z) - c mod N 91 | pf.A = rsaPerm(pk, pf.Z) 92 | pf.A = pf.A.Sub(pf.A, c) 93 | pf.A = pf.A.Mod(pf.A, pk.N) 94 | 95 | return &pf 96 | } 97 | 98 | func (pf *rsaProof) Commit(tx *transcript) { 99 | tx.Append([]byte("rsa proof")) 100 | tx.Append(pf.A.Bytes()) 101 | } 102 | 103 | func (pf *rsaProof) Unmarshal(b []byte) error { 104 | rest, err := asn1.Unmarshal(b, pf) 105 | if err != nil { 106 | return err 107 | } 108 | if len(rest) != 0 || pf.A == nil || pf.Z == nil { 109 | return errors.New("rsa proofs contains additional junk") 110 | } 111 | return nil 112 | } 113 | 114 | func (pf *rsaProof) Marshal() []byte { 115 | bytes, err := asn1.Marshal(*pf) 116 | if err != nil { 117 | panic(err) 118 | } 119 | return bytes 120 | } 121 | 122 | func rsaProve(sk *rsa.PrivateKey) *rsaProver { 123 | // sample random Zn elem 124 | // (might not be in the range of \phi with negl. prob) 125 | var pf rsaProof 126 | pf.A = randomZnElem(&sk.PublicKey) 127 | return &rsaProver{pf: pf, sk: sk} 128 | } 129 | 130 | func (p *rsaProver) Finish(chal challenge) { 131 | // sample challeng 132 | c := rsaChallenge(&p.sk.PublicKey, chal) 133 | 134 | // compute challenge image (product of c and A) 135 | img := (&big.Int{}).Add(c, p.pf.A) 136 | img = img.Mod(img, p.sk.PublicKey.N) 137 | 138 | // invert challenge 139 | p.pf.Z = img.Exp(img, p.sk.D, p.sk.N) 140 | } 141 | 142 | func (p *rsaProver) Pf() proof { 143 | return &p.pf 144 | } 145 | -------------------------------------------------------------------------------- /ring/sigma.go: -------------------------------------------------------------------------------- 1 | package ring 2 | 3 | type proof interface { 4 | Marshal() []byte 5 | Unmarshal([]byte) error 6 | Commit(*transcript) 7 | Verify(interface{}, challenge) error 8 | } 9 | 10 | type prover interface { 11 | Finish(challenge) 12 | Pf() proof 13 | } 14 | -------------------------------------------------------------------------------- /ring/sign.go: -------------------------------------------------------------------------------- 1 | package ring 2 | 3 | import ( 4 | "crypto" 5 | "crypto/ecdsa" 6 | "crypto/ed25519" 7 | "crypto/rsa" 8 | "crypto/sha512" 9 | "encoding/binary" 10 | "fmt" 11 | "log" 12 | 13 | "golang.org/x/crypto/ssh" 14 | ) 15 | 16 | const version = 1 17 | 18 | type Signature struct { 19 | Version int 20 | Proofs [][]byte 21 | Challenges []challenge 22 | Fingerprints []string 23 | Msg []byte 24 | } 25 | 26 | func setupTranscript(pks []PublicKey, msg []byte) *transcript { 27 | tx := NewTranscript() 28 | 29 | // include version in transcript 30 | var versionBytes [4]byte 31 | binary.BigEndian.PutUint32(versionBytes[:], uint32(version)) 32 | tx.Append(versionBytes[:]) 33 | 34 | // add message to transcript 35 | // 36 | // We hash the message first to enable streaming in the future: 37 | // signing a big file without keeping it in memory. 38 | hash := sha512.Sum512(msg) 39 | tx.Append(hash[:]) 40 | 41 | // add public keys 42 | for _, pk := range pks { 43 | tx.Append([]byte(pk.FP())) 44 | } 45 | return tx 46 | } 47 | 48 | func Sign(pair KeyPair, pks []PublicKey, msg []byte) Signature { 49 | // commit to statement (list of public key) 50 | tx := setupTranscript(pks, msg) 51 | 52 | // retrieve the index of the signer 53 | index := len(pks) 54 | for i := range pks { 55 | if pair.PK.Equals(pks[i]) { 56 | index = i 57 | } 58 | } 59 | 60 | // sanity checks 61 | if index == len(pks) { 62 | panic("public keys does not contain pair, this is a bug.") 63 | } 64 | 65 | // generate random challenges for in-active clauses 66 | challenges := make([]challenge, len(pks)) 67 | for i := range challenges { 68 | if i != index { 69 | challenges[i].Random() 70 | } 71 | } 72 | 73 | // construct appropiate prover 74 | var prover prover 75 | skCkey := pair.SK.(crypto.PrivateKey) 76 | 77 | // detect ed25519 key 78 | if sk, ok := skCkey.(*ed25519.PrivateKey); ok { 79 | prover = ed25519Prove(*sk) 80 | } 81 | 82 | // detect RSA key 83 | if sk, ok := skCkey.(*rsa.PrivateKey); ok { 84 | prover = rsaProve(sk) 85 | } 86 | 87 | if sk, ok := skCkey.(*ecdsa.PrivateKey); ok { 88 | prover = ecdsaProve(sk) 89 | } 90 | 91 | if prover == nil { 92 | panic(fmt.Errorf("unrecognized private key-type %T", skCkey)) 93 | } 94 | 95 | // the proof for the active index is generated by the honest prover 96 | pfs := make([]proof, len(pks)) 97 | pfs[index] = prover.Pf() 98 | 99 | // simulate in-active clauses using SHVZK sim. 100 | for i, pk := range pks { 101 | if i == index { 102 | continue 103 | } 104 | 105 | chal := challenges[i] 106 | ckey := toCryptoPublicKey(pk) 107 | 108 | switch pk.pk.Type() { 109 | case ssh.KeyAlgoSKED25519, ssh.KeyAlgoED25519: 110 | pfs[i] = ed25519Sim(ckey.(ed25519.PublicKey), chal) 111 | case ssh.KeyAlgoRSA: 112 | pfs[i] = rsaSim(ckey.(*rsa.PublicKey), chal) 113 | case ssh.KeyAlgoSKECDSA256, ssh.KeyAlgoECDSA256, ssh.KeyAlgoECDSA384, ssh.KeyAlgoECDSA521: 114 | pfs[i] = ecdsaSim(ckey.(*ecdsa.PublicKey), chal) 115 | default: 116 | log.Fatalln("unsupported key type:", pk.pk.Type()) 117 | } 118 | } 119 | 120 | // commit to first round messages 121 | for _, pf := range pfs { 122 | pf.Commit(tx) 123 | } 124 | 125 | // sample challenge 126 | challenges[index] = tx.Challenge() 127 | 128 | // compute challenge for active clause 129 | // (challenges and tx.Challenge sums to 0) 130 | for i, chal := range challenges { 131 | if i != index { 132 | challenges[index].Add(chal) 133 | } 134 | } 135 | 136 | // finish transcript for active clause 137 | prover.Finish(challenges[index]) 138 | pfs[index] = prover.Pf() 139 | 140 | // compile combined signature 141 | sig := Signature{ 142 | Version: version, 143 | Msg: msg, 144 | Challenges: challenges, 145 | Proofs: make([][]byte, len(pfs)), 146 | Fingerprints: make([]string, len(pks)), 147 | } 148 | 149 | // serialize all the proofs 150 | for i, pf := range pfs { 151 | sig.Proofs[i] = pf.Marshal() 152 | } 153 | 154 | // add fingerprints to signature 155 | // (to enable verifying against a superset of keys) 156 | for i, pk := range pks { 157 | sig.Fingerprints[i] = ssh.FingerprintSHA256(pk.pk) 158 | } 159 | 160 | // check validity of generated signature: sanity check 161 | if _, err := sig.VerifyExact(pks); err != nil { 162 | panic(err) 163 | } 164 | 165 | return sig 166 | } 167 | -------------------------------------------------------------------------------- /ring/transcript.go: -------------------------------------------------------------------------------- 1 | package ring 2 | 3 | import ( 4 | "crypto/sha512" 5 | "encoding/binary" 6 | "errors" 7 | "hash" 8 | ) 9 | 10 | type transcript struct { 11 | h hash.Hash 12 | } 13 | 14 | func NewTranscript() *transcript { 15 | return &transcript{ 16 | h: sha512.New(), 17 | } 18 | } 19 | 20 | func (tx *transcript) Append(bs []byte) { 21 | err := binary.Write(tx.h, binary.LittleEndian, uint64(len(bs))) 22 | if err != nil { 23 | panic(err) 24 | } 25 | tx.h.Write(bs) 26 | } 27 | 28 | func (tx *transcript) Challenge() challenge { 29 | // compute digest 30 | hsh := tx.h.Sum([]byte{}) 31 | if len(hsh) < challengeSize { 32 | panic(errors.New("challenge is bigger than digest")) 33 | } 34 | 35 | // copy hash prefix into challenge 36 | var chal challenge 37 | chal.Bytes = make([]byte, challengeSize) 38 | copy(chal.Bytes, hsh) 39 | return chal 40 | } 41 | -------------------------------------------------------------------------------- /ring/verify.go: -------------------------------------------------------------------------------- 1 | package ring 2 | 3 | import ( 4 | "errors" 5 | "fmt" 6 | 7 | "golang.org/x/crypto/ssh" 8 | ) 9 | 10 | func (sig *Signature) Verify(pks []PublicKey) ([]byte, error) { 11 | // index by fingerprints 12 | keyMap := make(map[string]PublicKey) 13 | for _, pk := range pks { 14 | keyMap[pk.FP()] = pk 15 | } 16 | 17 | // lookup subset of keys included in the signature 18 | // (the signature might be for a smaller ring, e.g. keys may have been added later) 19 | selectPks := make([]PublicKey, 0, len(sig.Fingerprints)) 20 | for _, fp := range sig.Fingerprints { 21 | if pk, ok := keyMap[fp]; ok { 22 | selectPks = append(selectPks, pk) 23 | } else { 24 | return nil, errors.New("the ring is not a subset of the public keys used to verify") 25 | } 26 | } 27 | 28 | return sig.VerifyExact(selectPks) 29 | } 30 | 31 | func (sig *Signature) VerifyExact(pks []PublicKey) ([]byte, error) { 32 | // basic checks 33 | if len(sig.Proofs) != len(pks) { 34 | return nil, errors.New("incorrect number of proofs") 35 | } 36 | if len(sig.Challenges) != len(pks) { 37 | return nil, errors.New("incorrect number of challenges") 38 | } 39 | if len(sig.Fingerprints) != len(pks) { 40 | return nil, errors.New("incorrect number of fingerprints") 41 | } 42 | if sig.Version != version { 43 | return nil, errors.New("supported signature version") 44 | } 45 | 46 | // commit to statement (list of public key) 47 | tx := setupTranscript(pks, sig.Msg) 48 | 49 | // verify every proof 50 | for i, pk := range pks { 51 | // check fingerprint hint included in signature 52 | if pk.FP() != sig.Fingerprints[i] { 53 | return nil, errors.New("fingerprint does not match public key") 54 | } 55 | 56 | // pick proof type (based on public key) 57 | var pf proof 58 | switch pk.pk.Type() { 59 | case ssh.KeyAlgoED25519, ssh.KeyAlgoSKED25519: 60 | pf = &ed25519Proof{} 61 | case ssh.KeyAlgoRSA: 62 | pf = &rsaProof{} 63 | case ssh.KeyAlgoECDSA256, ssh.KeyAlgoECDSA384, ssh.KeyAlgoECDSA521, ssh.KeyAlgoSKECDSA256: 64 | pf = &ecdsaProof{} 65 | default: 66 | return nil, fmt.Errorf("unsupported key type: %s", pk.pk.Type()) 67 | } 68 | 69 | // unmarshal proof 70 | if err := pf.Unmarshal(sig.Proofs[i]); err != nil { 71 | return nil, err 72 | } 73 | 74 | // check that challenge is right size 75 | chal := sig.Challenges[i] 76 | if !chal.IsValid() { 77 | return nil, errors.New("challenge is invalid (wrong length)") 78 | } 79 | 80 | // verify proof against challenge 81 | ckey := toCryptoPublicKey(pk) 82 | if err := pf.Verify(ckey, chal); err != nil { 83 | return nil, err 84 | } 85 | pf.Commit(tx) 86 | } 87 | 88 | // final check: challenges sum to zero 89 | delta := tx.Challenge() 90 | for _, chal := range sig.Challenges { 91 | delta.Add(chal) 92 | } 93 | 94 | if delta.IsZero() { 95 | return sig.Msg, nil 96 | } else { 97 | return nil, errors.New("challenges does not sum to zero") 98 | } 99 | } 100 | -------------------------------------------------------------------------------- /tests.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | 5 | MSG="test msg" 6 | SSH_DIRECTORY=/tmp/ring-ssh 7 | 8 | rm -rf $SSH_DIRECTORY 9 | 10 | mkdir $SSH_DIRECTORY 11 | 12 | echo "$SSH_DIRECTORY/id_ecdsa" | ssh-keygen -t ecdsa 13 | echo "$SSH_DIRECTORY/id_ed25519" | ssh-keygen -t ed25519 14 | echo "$SSH_DIRECTORY/id_rsa" | ssh-keygen -b 3072 -t rsa 15 | 16 | export SSH_DIRECTORY=$SSH_DIRECTORY 17 | 18 | ## ECDSA Test ## 19 | 20 | # generate signature 21 | ./git-ring sign --msg "$MSG" --url https://github.com/torvalds.keys --github rot256 --ssh-key $SSH_DIRECTORY/id_ecdsa.pub 22 | 23 | # check against same ring 24 | ./git-ring verify --url https://github.com/torvalds.keys --github rot256 --ssh-key $SSH_DIRECTORY/id_ecdsa.pub | grep "$MSG" 25 | 26 | # check against superset 27 | ./git-ring verify --github torvalds --github gregkh --github rot256 --ssh-key $SSH_DIRECTORY/id_ecdsa.pub | grep "$MSG" 28 | 29 | ## Ed25519 Test ## 30 | 31 | # generate signature 32 | ./git-ring sign --msg "$MSG" --gitlab dzaporozhets --ssh-key $SSH_DIRECTORY/id_ed25519.pub 33 | 34 | # check against same ring 35 | ./git-ring verify --gitlab dzaporozhets --ssh-key $SSH_DIRECTORY/id_ed25519.pub | grep "$MSG" 36 | 37 | # check against superset 38 | ./git-ring verify --github torvalds --github gregkh --github rot256 --gitlab dzaporozhets --ssh-key $SSH_DIRECTORY/id_ed25519.pub | grep "$MSG" 39 | 40 | ## RSA Test ## 41 | 42 | # generate signature (large ring) 43 | ./git-ring sign --msg "$MSG" --allow-empty --github Cloudflare --ssh-key $SSH_DIRECTORY/id_rsa.pub 44 | 45 | # check against superset (large ring) 46 | ./git-ring verify --github Cloudflare --ssh-key $SSH_DIRECTORY/id_rsa.pub --ssh-key $SSH_DIRECTORY/id_ed25519.pub | grep "$MSG" 47 | --------------------------------------------------------------------------------