diff options
Diffstat (limited to 'src/leap')
| -rw-r--r-- | src/leap/common/keymanager/__init__.py | 116 | ||||
| -rw-r--r-- | src/leap/common/keymanager/errors.py | 29 | ||||
| -rw-r--r-- | src/leap/common/keymanager/gpg.py | 398 | ||||
| -rw-r--r-- | src/leap/common/keymanager/keys.py | 127 | ||||
| -rw-r--r-- | src/leap/common/keymanager/openpgp.py | 126 | ||||
| -rw-r--r-- | src/leap/common/tests/test_keymanager.py | 230 | 
6 files changed, 922 insertions, 104 deletions
| diff --git a/src/leap/common/keymanager/__init__.py b/src/leap/common/keymanager/__init__.py index 71aaddd..10acb36 100644 --- a/src/leap/common/keymanager/__init__.py +++ b/src/leap/common/keymanager/__init__.py @@ -27,114 +27,22 @@ except ImportError:      import json  # noqa -from abc import ABCMeta, abstractmethod  from u1db.errors import HTTPError -# -# Key types -# - -class EncryptionKey(object): -    """ -    Abstract class for encryption keys. - -    A key is "validated" if the nicknym agent has bound the user address to a -    public key. Nicknym supports three different levels of key validation: - -    * Level 3 - path trusted: A path of cryptographic signatures can be traced -      from a trusted key to the key under evaluation. By default, only the -      provider key from the user's provider is a "trusted key". -    * level 2 - provider signed: The key has been signed by a provider key for -      the same domain, but the provider key is not validated using a trust -      path (i.e. it is only registered) -    * level 1 - registered: The key has been encountered and saved, it has no -      signatures (that are meaningful to the nicknym agent). -    """ - -    __metaclass__ = ABCMeta - -    def __init__(self, address, key_id=None, fingerprint=None, -                 key_data=None, length=None, expiry_date=None, -                 validation=None, first_seen_at=None, -                 last_audited_at=None): -        self.address = address -        self.key_id = key_id -        self.fingerprint = fingerprint -        self.key_data = key_data -        self.length = length -        self.expiry_date = expiry_date -        self.validation = validation -        self.first_seen_at = first_seen_at -        self.last_audited_at = last_audited_at - -    @abstractmethod -    def get_json(self): -        """ -        Return a JSON string describing this key. - -        @return: The JSON string describing this key. -        @rtype: str -        """ - - -# -# Key wrappers -# - -class KeyTypeWrapper(object): -    """ -    Abstract class for Key Type Wrappers. - -    A wrapper for a certain key type should know how to get and put keys in -    local storage using Soledad and also how to generate new keys. -    """ - -    __metaclass__ = ABCMeta - -    @abstractmethod -    def get_key(self, address): -        """ -        Get key from local storage. - -        @param address: The address bound to the key. -        @type address: str - -        @return: The key bound to C{address}. -        @rtype: EncryptionKey -        @raise KeyNotFound: If the key was not found on local storage. -        """ - -    @abstractmethod -    def put_key(self, key): -        """ -        Put a key in local storage. - -        @param key: The key to be stored. -        @type key: EncryptionKey -        """ - -    @abstractmethod -    def gen_key(self, address): -        """ -        Generate a new key. - -        @param address: The address bound to the key. -        @type address: str -        @return: The key bound to C{address}. -        @rtype: EncryptionKey -        """ - - -# -# Key manager -# +from leap.common.keymanager.errors import ( +    KeyNotFound, +    KeyAlreadyExists, +) +from leap.common.keymanager.openpgp import ( +    OpenPGPKey, +    OpenPGPWrapper, +) -class KeyNotFound(Exception): -    """ -    Raised when key was no found on keyserver. -    """ +wrapper_map = { +    OpenPGPKey: OpenPGPWrapper(), +}  class KeyManager(object): @@ -195,7 +103,7 @@ class KeyManager(object):          except KeyNotFound:              key = filter(lambda k: isinstance(k, ktype),                           self._fetch_keys(address)) -            if key is None +            if key is None:                  raise KeyNotFound()              wrapper_map[ktype].put_key(key)              return key diff --git a/src/leap/common/keymanager/errors.py b/src/leap/common/keymanager/errors.py new file mode 100644 index 0000000..f5bb1ab --- /dev/null +++ b/src/leap/common/keymanager/errors.py @@ -0,0 +1,29 @@ +# -*- coding: utf-8 -*- +# errors.py +# Copyright (C) 2013 LEAP +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + + + +class KeyNotFound(Exception): +    """ +    Raised when key was no found on keyserver. +    """ + + +class KeyAlreadyExists(Exception): +    """ +    Raised when attempted to create a key that already exists. +    """ diff --git a/src/leap/common/keymanager/gpg.py b/src/leap/common/keymanager/gpg.py new file mode 100644 index 0000000..dc5d791 --- /dev/null +++ b/src/leap/common/keymanager/gpg.py @@ -0,0 +1,398 @@ +# -*- coding: utf-8 -*- +# gpgwrapper.py +# Copyright (C) 2013 LEAP +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + + +""" +A GPG wrapper used to handle OpenPGP keys. + +This is a temporary class that will be superseded by the a revised version of +python-gnupg. +""" + + +import os +import gnupg +import re +from gnupg import ( +    logger, +    _is_sequence, +    _make_binary_stream, +) + + +class ListPackets(): +    """ +    Handle status messages for --list-packets. +    """ + +    def __init__(self, gpg): +        """ +        Initialize the packet listing handling class. + +        @param gpg: GPG object instance. +        @type gpg: gnupg.GPG +        """ +        self.gpg = gpg +        self.nodata = None +        self.key = None +        self.need_passphrase = None +        self.need_passphrase_sym = None +        self.userid_hint = None + +    def handle_status(self, key, value): +        """ +        Handle one line of the --list-packets status message. + +        @param key: The status message key. +        @type key: str +        @param value: The status message value. +        @type value: str +        """ +        # TODO: write tests for handle_status +        if key == 'NODATA': +            self.nodata = True +        if key == 'ENC_TO': +            # This will only capture keys in our keyring. In the future we +            # may want to include multiple unknown keys in this list. +            self.key, _, _ = value.split() +        if key == 'NEED_PASSPHRASE': +            self.need_passphrase = True +        if key == 'NEED_PASSPHRASE_SYM': +            self.need_passphrase_sym = True +        if key == 'USERID_HINT': +            self.userid_hint = value.strip().split() + + +class GPGWrapper(gnupg.GPG): +    """ +    This is a temporary class for handling GPG requests, and should be +    replaced by a more general class used throughout the project. +    """ + +    GNUPG_HOME = os.environ['HOME'] + "/.config/leap/gnupg" +    GNUPG_BINARY = "/usr/bin/gpg"  # this has to be changed based on OS + +    def __init__(self, gpgbinary=GNUPG_BINARY, gnupghome=GNUPG_HOME, +                 verbose=False, use_agent=False, keyring=None, options=None): +        """ +        Initialize a GnuPG process wrapper. + +        @param gpgbinary: Name for GnuPG binary executable. +        @type gpgbinary: C{str} +        @param gpghome: Full pathname to directory containing the public and +            private keyrings. +        @type gpghome: C{str} +        @param keyring: Name of alternative keyring file to use. If specified, +            the default keyring is not used. +        @param verbose: Should some verbose info be output? +        @type verbose: bool +        @param use_agent: Should pass `--use-agent` to GPG binary? +        @type use_agent: bool +        @param keyring: Path for the keyring to use. +        @type keyring: str +        @options: A list of additional options to pass to the GPG binary. +        @type options: list + +        @raise: RuntimeError with explanation message if there is a problem +            invoking gpg. +        """ +        gnupg.GPG.__init__(self, gnupghome=gnupghome, gpgbinary=gpgbinary, +                           verbose=verbose, use_agent=use_agent, +                           keyring=keyring, options=options) +        self.result_map['list-packets'] = ListPackets + +    def find_key_by_email(self, email, secret=False): +        """ +        Find user's key based on their email. + +        @param email: Email address of key being searched for. +        @type email: str +        @param secret: Should we search for a secret key? +        @type secret: bool + +        @return: The fingerprint of the found key. +        @rtype: str +        """ +        for key in self.list_keys(secret=secret): +            for uid in key['uids']: +                if re.search(email, uid): +                    return key +        raise LookupError("GnuPG public key for email %s not found!" % email) + +    def find_key_by_subkey(self, subkey, secret=False): +        """ +        Find user's key based on a subkey fingerprint. + +        @param email: Subkey fingerprint of the key being searched for. +        @type email: str +        @param secret: Should we search for a secret key? +        @type secret: bool + +        @return: The fingerprint of the found key. +        @rtype: str +        """ +        for key in self.list_keys(secret=secret): +            for sub in key['subkeys']: +                if sub[0] == subkey: +                    return key +        raise LookupError( +            "GnuPG public key for subkey %s not found!" % subkey) + +    def find_key_by_keyid(self, keyid, secret=False): +        """ +        Find user's key based on the key ID. + +        @param email: The key ID of the key being searched for. +        @type email: str +        @param secret: Should we search for a secret key? +        @type secret: bool + +        @return: The fingerprint of the found key. +        @rtype: str +        """ +        for key in self.list_keys(secret=secret): +            if keyid == key['keyid']: +                return key +        raise LookupError( +            "GnuPG public key for keyid %s not found!" % keyid) + +    def find_key_by_fingerprint(self, fingerprint, secret=False): +        """ +        Find user's key based on the key fingerprint. + +        @param email: The fingerprint of the key being searched for. +        @type email: str +        @param secret: Should we search for a secret key? +        @type secret: bool + +        @return: The fingerprint of the found key. +        @rtype: str +        """ +        for key in self.list_keys(secret=secret): +            if fingerprint == key['fingerprint']: +                return key +        raise LookupError( +            "GnuPG public key for fingerprint %s not found!" % fingerprint) + +    def encrypt(self, data, recipient, sign=None, always_trust=True, +                passphrase=None, symmetric=False): +        """ +        Encrypt data using GPG. + +        @param data: The data to be encrypted. +        @type data: str +        @param recipient: The address of the public key to be used. +        @type recipient: str +        @param sign: Should the encrypted content be signed? +        @type sign: bool +        @param always_trust: Skip key validation and assume that used keys +            are always fully trusted? +        @type always_trust: bool +        @param passphrase: The passphrase to be used if symmetric encryption +            is desired. +        @type passphrase: str +        @param symmetric: Should we encrypt to a password? +        @type symmetric: bool + +        @return: An object with encrypted result in the `data` field. +        @rtype: gnupg.Crypt +        """ +        # TODO: devise a way so we don't need to "always trust". +        return gnupg.GPG.encrypt(self, data, recipient, sign=sign, +                                 always_trust=always_trust, +                                 passphrase=passphrase, +                                 symmetric=symmetric, +                                 cipher_algo='AES256') + +    def decrypt(self, data, always_trust=True, passphrase=None): +        """ +        Decrypt data using GPG. + +        @param data: The data to be decrypted. +        @type data: str +        @param always_trust: Skip key validation and assume that used keys +            are always fully trusted? +        @type always_trust: bool +        @param passphrase: The passphrase to be used if symmetric encryption +            is desired. +        @type passphrase: str + +        @return: An object with decrypted result in the `data` field. +        @rtype: gnupg.Crypt +        """ +        # TODO: devise a way so we don't need to "always trust". +        return gnupg.GPG.decrypt(self, data, always_trust=always_trust, +                                 passphrase=passphrase) + +    def send_keys(self, keyserver, *keyids): +        """ +        Send keys to a keyserver + +        @param keyserver: The keyserver to send the keys to. +        @type keyserver: str +        @param keyids: The key ids to send. +        @type keyids: list + +        @return: A list of keys sent to server. +        @rtype: gnupg.ListKeys +        """ +        # TODO: write tests for this. +        # TODO: write a SendKeys class to handle status for this. +        result = self.result_map['list'](self) +        gnupg.logger.debug('send_keys: %r', keyids) +        data = gnupg._make_binary_stream("", self.encoding) +        args = ['--keyserver', keyserver, '--send-keys'] +        args.extend(keyids) +        self._handle_io(args, data, result, binary=True) +        gnupg.logger.debug('send_keys result: %r', result.__dict__) +        data.close() +        return result + +    def encrypt_file(self, file, recipients, sign=None, +                     always_trust=False, passphrase=None, +                     armor=True, output=None, symmetric=False, +                     cipher_algo=None): +        """ +        Encrypt the message read from the file-like object 'file'. + +        @param file: The file to be encrypted. +        @type data: file +        @param recipient: The address of the public key to be used. +        @type recipient: str +        @param sign: Should the encrypted content be signed? +        @type sign: bool +        @param always_trust: Skip key validation and assume that used keys +            are always fully trusted? +        @type always_trust: bool +        @param passphrase: The passphrase to be used if symmetric encryption +            is desired. +        @type passphrase: str +        @param armor: Create ASCII armored output? +        @type armor: bool +        @param output: Path of file to write results in. +        @type output: str +        @param symmetric: Should we encrypt to a password? +        @type symmetric: bool +        @param cipher_algo: Algorithm to use. +        @type cipher_algo: str + +        @return: An object with encrypted result in the `data` field. +        @rtype: gnupg.Crypt +        """ +        args = ['--encrypt'] +        if symmetric: +            args = ['--symmetric'] +            if cipher_algo: +                args.append('--cipher-algo %s' % cipher_algo) +        else: +            args = ['--encrypt'] +            if not _is_sequence(recipients): +                recipients = (recipients,) +            for recipient in recipients: +                args.append('--recipient "%s"' % recipient) +        if armor:  # create ascii-armored output - set to False for binary +            args.append('--armor') +        if output:  # write the output to a file with the specified name +            if os.path.exists(output): +                os.remove(output)  # to avoid overwrite confirmation message +            args.append('--output "%s"' % output) +        if sign: +            args.append('--sign --default-key "%s"' % sign) +        if always_trust: +            args.append("--always-trust") +        result = self.result_map['crypt'](self) +        self._handle_io(args, file, result, passphrase=passphrase, binary=True) +        logger.debug('encrypt result: %r', result.data) +        return result + +    def list_packets(self, data): +        """ +        List the sequence of packets. + +        @param data: The data to extract packets from. +        @type data: str + +        @return: An object with packet info. +        @rtype ListPackets +        """ +        args = ["--list-packets"] +        result = self.result_map['list-packets'](self) +        self._handle_io( +            args, +            _make_binary_stream(data, self.encoding), +            result, +        ) +        return result + +    def encrypted_to(self, data): +        """ +        Return the key to which data is encrypted to. + +        @param data: The data to be examined. +        @type data: str + +        @return: The fingerprint of the key to which data is encrypted to. +        @rtype: str +        """ +        # TODO: make this support multiple keys. +        result = self.list_packets(data) +        if not result.key: +            raise LookupError( +                "Content is not encrypted to a GnuPG key!") +        try: +            return self.find_key_by_keyid(result.key) +        except: +            return self.find_key_by_subkey(result.key) + +    def is_encrypted_sym(self, data): +        """ +        Say whether some chunk of data is encrypted to a symmetric key. + +        @param data: The data to be examined. +        @type data: str + +        @return: Whether data is encrypted to a symmetric key. +        @rtype: bool +        """ +        result = self.list_packets(data) +        return bool(result.need_passphrase_sym) + +    def is_encrypted_asym(self, data): +        """ +        Say whether some chunk of data is encrypted to a private key. + +        @param data: The data to be examined. +        @type data: str + +        @return: Whether data is encrypted to a private key. +        @rtype: bool +        """ +        result = self.list_packets(data) +        return bool(result.key) + +    def is_encrypted(self, data): +        """ +        Say whether some chunk of data is encrypted to a key. + +        @param data: The data to be examined. +        @type data: str + +        @return: Whether data is encrypted to a key. +        @rtype: bool +        """ +        self.is_encrypted_asym() or self.is_encrypted_sym() + diff --git a/src/leap/common/keymanager/keys.py b/src/leap/common/keymanager/keys.py new file mode 100644 index 0000000..13e3c0b --- /dev/null +++ b/src/leap/common/keymanager/keys.py @@ -0,0 +1,127 @@ +# -*- coding: utf-8 -*- +# keys.py +# Copyright (C) 2013 LEAP +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + + +""" +Abstact key type and wrapper representations. +""" + + +from abc import ABCMeta, abstractmethod + + +class EncryptionKey(object): +    """ +    Abstract class for encryption keys. + +    A key is "validated" if the nicknym agent has bound the user address to a +    public key. Nicknym supports three different levels of key validation: + +    * Level 3 - path trusted: A path of cryptographic signatures can be traced +      from a trusted key to the key under evaluation. By default, only the +      provider key from the user's provider is a "trusted key". +    * level 2 - provider signed: The key has been signed by a provider key for +      the same domain, but the provider key is not validated using a trust +      path (i.e. it is only registered) +    * level 1 - registered: The key has been encountered and saved, it has no +      signatures (that are meaningful to the nicknym agent). +    """ + +    __metaclass__ = ABCMeta + +    def __init__(self, address, key_id=None, fingerprint=None, +                 key_data=None, length=None, expiry_date=None, +                 validation=None, first_seen_at=None, +                 last_audited_at=None): +        self.address = address +        self.key_id = key_id +        self.fingerprint = fingerprint +        self.key_data = key_data +        self.length = length +        self.expiry_date = expiry_date +        self.validation = validation +        self.first_seen_at = first_seen_at +        self.last_audited_at = last_audited_at + +    def get_json(self): +        """ +        Return a JSON string describing this key. + +        @return: The JSON string describing this key. +        @rtype: str +        """ +        return json.dumps({ +            'address': self.address, +            'type': str(self.__type__), +            'key_id': self.key_id, +            'fingerprint': self.fingerprint, +            'key_data': self.key_data, +            'length': self.length, +            'expiry_date': self.expiry_date, +            'validation': self.validation, +            'first_seen_at': self.first_seen_at, +            'last_audited_at': self.last_audited_at, +        }) + + +# +# Key wrappers +# + +class KeyTypeWrapper(object): +    """ +    Abstract class for Key Type Wrappers. + +    A wrapper for a certain key type should know how to get and put keys in +    local storage using Soledad and also how to generate new keys. +    """ + +    __metaclass__ = ABCMeta + +    @abstractmethod +    def get_key(self, address): +        """ +        Get key from local storage. + +        @param address: The address bound to the key. +        @type address: str + +        @return: The key bound to C{address}. +        @rtype: EncryptionKey +        @raise KeyNotFound: If the key was not found on local storage. +        """ + +    @abstractmethod +    def put_key(self, key): +        """ +        Put a key in local storage. + +        @param key: The key to be stored. +        @type key: EncryptionKey +        """ + +    @abstractmethod +    def gen_key(self, address): +        """ +        Generate a new key. + +        @param address: The address bound to the key. +        @type address: str +        @return: The key bound to C{address}. +        @rtype: EncryptionKey +        """ + diff --git a/src/leap/common/keymanager/openpgp.py b/src/leap/common/keymanager/openpgp.py new file mode 100644 index 0000000..bb73089 --- /dev/null +++ b/src/leap/common/keymanager/openpgp.py @@ -0,0 +1,126 @@ +# -*- coding: utf-8 -*- +# openpgpwrapper.py +# Copyright (C) 2013 LEAP +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + + +""" +Infrastructure for using OpenPGP keys in Key Manager. +""" + + +import re + +from leap.common.keymanager.errors import ( +    KeyNotFound, +    KeyAlreadyExists, +) +from leap.common.keymanager.keys import ( +    EncryptionKey, +    KeyTypeWrapper, +) +from leap.common.keymanager.gpg import GPGWrapper + + +class OpenPGPKey(EncryptionKey): +    """ +    Base class for OpenPGP keys. +    """ + + +class OpenPGPWrapper(KeyTypeWrapper): +    """ +    A wrapper for OpenPGP keys. +    """ + +    def __init__(self, gnupghome=None): +        self._gpg = GPGWrapper(gnupghome=gnupghome) + +    def _build_key(self, address, result): +        """ +        Build an OpenPGPWrapper key for C{address} based on C{result} from +        local storage. + +        @param address: The address bound to the key. +        @type address: str +        @param result: Result obtained from GPG storage. +        @type result: dict +        """ +        key_data = self._gpg.export_keys(result['fingerprint'], secret=False) +        return OpenPGPKey( +            address, +            key_id=result['keyid'], +            fingerprint=result['fingerprint'], +            key_data=key_data, +            length=result['length'], +            expiry_date=result['expires'], +            validation=None,  # TODO: verify for validation. +        ) + +    def gen_key(self, address): +        """ +        Generate an OpenPGP keypair for C{address}. + +        @param address: The address bound to the key. +        @type address: str +        @return: The key bound to C{address}. +        @rtype: OpenPGPKey +        @raise KeyAlreadyExists: If key already exists in local database. +        """ +        try: +            self.get_key(address) +            raise KeyAlreadyExists() +        except KeyNotFound: +            pass +        params = self._gpg.gen_key_input( +            key_type='RSA', +            key_length=4096, +            name_real=address, +            name_email=address, +            name_comment='Generated by LEAP Key Manager.') +        self._gpg.gen_key(params) +        return self.get_key(address) + +    def get_key(self, address): +        """ +        Get key bound to C{address} from local storage. + +        @param address: The address bound to the key. +        @type address: str + +        @return: The key bound to C{address}. +        @rtype: OpenPGPKey +        @raise KeyNotFound: If the key was not found on local storage. +        """ +        m = re.compile('.*<%s>$' % address) +        keys = self._gpg.list_keys(secret=False) + +        def bound_to_address(key): +             return bool(filter(lambda u: m.match(u), key['uids'])) + +        try: +            bound_key = filter(bound_to_address, keys).pop() +            return self._build_key(address, bound_key) +        except IndexError: +            raise KeyNotFound(address) + +    def put_key(self, data): +        """ +        Put key contained in {data} in local storage. + +        @param key: The key data to be stored. +        @type key: str +        """ +        self._gpg.import_keys(data) diff --git a/src/leap/common/tests/test_keymanager.py b/src/leap/common/tests/test_keymanager.py new file mode 100644 index 0000000..4189aac --- /dev/null +++ b/src/leap/common/tests/test_keymanager.py @@ -0,0 +1,230 @@ +## -*- coding: utf-8 -*- +# test_keymanager.py +# Copyright (C) 2013 LEAP +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + + +""" +Tests for the Key Manager. +""" + + +import unittest + + +from leap.common.testing.basetest import BaseLeapTest +from leap.common.keymanager import KeyManager, openpgp, KeyNotFound + + +class KeyManagerTestCase(BaseLeapTest): + +    def setUp(self): +        pass + +    def tearDown(self): +        pass + +    def _key_manager(user='user@leap.se', url='https://domain.org:6425'): +        return KeyManager(user, url) + +    def test_openpgp_gen_key(self): +        pgp = openpgp.OpenPGPWrapper(self.tempdir+'/gnupg') +        try: +            pgp.get_key('user@leap.se') +        except KeyNotFound: +            key = pgp.gen_key('user@leap.se') +            self.assertIsInstance(key, openpgp.OpenPGPKey) +            self.assertEqual( +                'user@leap.se', key.address, 'Wrong address bound to key.') +            self.assertEqual( +                '4096', key.length, 'Wrong key length.') + +    def test_openpgp_put_key(self): +        pgp = openpgp.OpenPGPWrapper(self.tempdir+'/gnupg2') +        try: +            pgp.get_key('leap@leap.se') +        except KeyNotFound: +            pgp.put_key(PUBLIC_KEY) +            key = pgp.get_key('leap@leap.se') +            self.assertIsInstance(key, openpgp.OpenPGPKey) +            self.assertEqual( +                'leap@leap.se', key.address, 'Wrong address bound to key.') +            self.assertEqual( +                '4096', key.length, 'Wrong key length.') + + + +# Key material for testing +KEY_FINGERPRINT = "E36E738D69173C13D709E44F2F455E2824D18DDF" +PUBLIC_KEY = """ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.10 (GNU/Linux) + +mQINBFC9+dkBEADNRfwV23TWEoGc/x0wWH1P7PlXt8MnC2Z1kKaKKmfnglVrpOiz +iLWoiU58sfZ0L5vHkzXHXCBf6Eiy/EtUIvdiWAn+yASJ1mk5jZTBKO/WMAHD8wTO +zpMsFmWyg3xc4DkmFa9KQ5EVU0o/nqPeyQxNMQN7px5pPwrJtJFmPxnxm+aDkPYx +irDmz/4DeDNqXliazGJKw7efqBdlwTHkl9Akw2gwy178pmsKwHHEMOBOFFvX61AT +huKqHYmlCGSliwbrJppTG7jc1/ls3itrK+CWTg4txREkSpEVmfcASvw/ZqLbjgfs +d/INMwXnR9U81O8+7LT6yw/ca4ppcFoJD7/XJbkRiML6+bJ4Dakiy6i727BzV17g +wI1zqNvm5rAhtALKfACha6YO43aJzairO4II1wxVHvRDHZn2IuKDDephQ3Ii7/vb +hUOf6XCSmchkAcpKXUOvbxm1yfB1LRa64mMc2RcZxf4mW7KQkulBsdV5QG2276lv +U2UUy2IutXcGP5nXC+f6sJJGJeEToKJ57yiO/VWJFjKN8SvP+7AYsQSqINUuEf6H +T5gCPCraGMkTUTPXrREvu7NOohU78q6zZNaL3GW8ai7eSeANSuQ8Vzffx7Wd8Y7i +Pw9sYj0SMFs1UgjbuL6pO5ueHh+qyumbtAq2K0Bci0kqOcU4E9fNtdiovQARAQAB +tBxMZWFwIFRlc3QgS2V5IDxsZWFwQGxlYXAuc2U+iQI3BBMBCAAhBQJQvfnZAhsD +BQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEC9FXigk0Y3fT7EQAKH3IuRniOpb +T/DDIgwwjz3oxB/W0DDMyPXowlhSOuM0rgGfntBpBb3boezEXwL86NPQxNGGruF5 +hkmecSiuPSvOmQlqlS95NGQp6hNG0YaKColh+Q5NTspFXCAkFch9oqUje0LdxfSP +QfV9UpeEvGyPmk1I9EJV/YDmZ4+Djge1d7qhVZInz4Rx1NrSyF/Tc2EC0VpjQFsU +Y9Kb2YBBR7ivG6DBc8ty0jJXi7B4WjkFcUEJviQpMF2dCLdonCehYs1PqsN1N7j+ +eFjQd+hqVMJgYuSGKjvuAEfClM6MQw7+FmFwMyLgK/Ew/DttHEDCri77SPSkOGSI +txCzhTg6798f6mJr7WcXmHX1w1Vcib5FfZ8vTDFVhz/XgAgArdhPo9V6/1dgSSiB +KPQ/spsco6u5imdOhckERE0lnAYvVT6KE81TKuhF/b23u7x+Wdew6kK0EQhYA7wy +7LmlaNXc7rMBQJ9Z60CJ4JDtatBWZ0kNrt2VfdDHVdqBTOpl0CraNUjWE5YMDasr +K2dF5IX8D3uuYtpZnxqg0KzyLg0tzL0tvOL1C2iudgZUISZNPKbS0z0v+afuAAnx +2pTC3uezbh2Jt8SWTLhll4i0P4Ps5kZ6HQUO56O+/Z1cWovX+mQekYFmERySDR9n +3k1uAwLilJmRmepGmvYbB8HloV8HqwgguQINBFC9+dkBEAC0I/xn1uborMgDvBtf +H0sEhwnXBC849/32zic6udB6/3Efk9nzbSpL3FSOuXITZsZgCHPkKarnoQ2ztMcS +sh1ke1C5gQGms75UVmM/nS+2YI4vY8OX/GC/on2vUyncqdH+bR6xH5hx4NbWpfTs +iQHmz5C6zzS/kuabGdZyKRaZHt23WQ7JX/4zpjqbC99DjHcP9BSk7tJ8wI4bkMYD +uFVQdT9O6HwyKGYwUU4sAQRAj7XCTGvVbT0dpgJwH4RmrEtJoHAx4Whg8mJ710E0 +GCmzf2jqkNuOw76ivgk27Kge+Hw00jmJjQhHY0yVbiaoJwcRrPKzaSjEVNgrpgP3 +lXPRGQArgESsIOTeVVHQ8fhK2YtTeCY9rIiO+L0OX2xo9HK7hfHZZWL6rqymXdyS +fhzh/f6IPyHFWnvj7Brl7DR8heMikygcJqv+ed2yx7iLyCUJ10g12I48+aEj1aLe +dP7lna32iY8/Z0SHQLNH6PXO9SlPcq2aFUgKqE75A/0FMk7CunzU1OWr2ZtTLNO1 +WT/13LfOhhuEq9jTyTosn0WxBjJKq18lnhzCXlaw6EAtbA7CUwsD3CTPR56aAXFK +3I7KXOVAqggrvMe5Tpdg5drfYpI8hZovL5aAgb+7Y5ta10TcJdUhS5K3kFAWe/td +U0cmWUMDP1UMSQ5Jg6JIQVWhSwARAQABiQIfBBgBCAAJBQJQvfnZAhsMAAoJEC9F +Xigk0Y3fRwsP/i0ElYCyxeLpWJTwo1iCLkMKz2yX1lFVa9nT1BVTPOQwr/IAc5OX +NdtbJ14fUsKL5pWgW8OmrXtwZm1y4euI1RPWWubG01ouzwnGzv26UcuHeqC5orZj +cOnKtL40y8VGMm8LoicVkRJH8blPORCnaLjdOtmA3rx/v2EXrJpSa3AhOy0ZSRXk +ZSrK68AVNwamHRoBSYyo0AtaXnkPX4+tmO8X8BPfj125IljubvwZPIW9VWR9UqCE +VPfDR1XKegVb6VStIywF7kmrknM1C5qUY28rdZYWgKorw01hBGV4jTW0cqde3N51 +XT1jnIAa+NoXUM9uQoGYMiwrL7vNsLlyyiW5ayDyV92H/rIuiqhFgbJsHTlsm7I8 +oGheR784BagAA1NIKD1qEO9T6Kz9lzlDaeWS5AUKeXrb7ZJLI1TTCIZx5/DxjLqM +Tt/RFBpVo9geZQrvLUqLAMwdaUvDXC2c6DaCPXTh65oCZj/hqzlJHH+RoTWWzKI+ +BjXxgUWF9EmZUBrg68DSmI+9wuDFsjZ51BcqvJwxyfxtTaWhdoYqH/UQS+D1FP3/ +diZHHlzwVwPICzM9ooNTgbrcDzyxRkIVqsVwBq7EtzcvgYUyX53yG25Giy6YQaQ2 +ZtQ/VymwFL3XdUWV6B/hU4PVAFvO3qlOtdJ6TpE+nEWgcWjCv5g7RjXX +=MuOY +-----END PGP PUBLIC KEY BLOCK----- +""" +PRIVATE_KEY = """ +-----BEGIN PGP PRIVATE KEY BLOCK----- +Version: GnuPG v1.4.10 (GNU/Linux) + +lQcYBFC9+dkBEADNRfwV23TWEoGc/x0wWH1P7PlXt8MnC2Z1kKaKKmfnglVrpOiz +iLWoiU58sfZ0L5vHkzXHXCBf6Eiy/EtUIvdiWAn+yASJ1mk5jZTBKO/WMAHD8wTO +zpMsFmWyg3xc4DkmFa9KQ5EVU0o/nqPeyQxNMQN7px5pPwrJtJFmPxnxm+aDkPYx +irDmz/4DeDNqXliazGJKw7efqBdlwTHkl9Akw2gwy178pmsKwHHEMOBOFFvX61AT +huKqHYmlCGSliwbrJppTG7jc1/ls3itrK+CWTg4txREkSpEVmfcASvw/ZqLbjgfs +d/INMwXnR9U81O8+7LT6yw/ca4ppcFoJD7/XJbkRiML6+bJ4Dakiy6i727BzV17g +wI1zqNvm5rAhtALKfACha6YO43aJzairO4II1wxVHvRDHZn2IuKDDephQ3Ii7/vb +hUOf6XCSmchkAcpKXUOvbxm1yfB1LRa64mMc2RcZxf4mW7KQkulBsdV5QG2276lv +U2UUy2IutXcGP5nXC+f6sJJGJeEToKJ57yiO/VWJFjKN8SvP+7AYsQSqINUuEf6H +T5gCPCraGMkTUTPXrREvu7NOohU78q6zZNaL3GW8ai7eSeANSuQ8Vzffx7Wd8Y7i +Pw9sYj0SMFs1UgjbuL6pO5ueHh+qyumbtAq2K0Bci0kqOcU4E9fNtdiovQARAQAB +AA/+JHtlL39G1wsH9R6UEfUQJGXR9MiIiwZoKcnRB2o8+DS+OLjg0JOh8XehtuCs +E/8oGQKtQqa5bEIstX7IZoYmYFiUQi9LOzIblmp2vxOm+HKkxa4JszWci2/ZmC3t +KtaA4adl9XVnshoQ7pijuCMUKB3naBEOAxd8s9d/JeReGIYkJErdrnVfNk5N71Ds +FmH5Ll3XtEDvgBUQP3nkA6QFjpsaB94FHjL3gDwum/cxzj6pCglcvHOzEhfY0Ddb +J967FozQTaf2JW3O+w3LOqtcKWpq87B7+O61tVidQPSSuzPjCtFF0D2LC9R/Hpky +KTMQ6CaKja4MPhjwywd4QPcHGYSqjMpflvJqi+kYIt8psUK/YswWjnr3r4fbuqVY +VhtiHvnBHQjz135lUqWvEz4hM3Xpnxydx7aRlv5NlevK8+YIO5oFbWbGNTWsPZI5 +jpoFBpSsnR1Q5tnvtNHauvoWV+XN2qAOBTG+/nEbDYH6Ak3aaE9jrpTdYh0CotYF +q7csANsDy3JvkAzeU6WnYpsHHaAjqOGyiZGsLej1UcXPFMosE/aUo4WQhiS8Zx2c +zOVKOi/X5vQ2GdNT9Qolz8AriwzsvFR+bxPzyd8V6ALwDsoXvwEYinYBKK8j0OPv +OOihSR6HVsuP9NUZNU9ewiGzte/+/r6pNXHvR7wTQ8EWLcEIAN6Zyrb0bHZTIlxt +VWur/Ht2mIZrBaO50qmM5RD3T5oXzWXi/pjLrIpBMfeZR9DWfwQwjYzwqi7pxtYx +nJvbMuY505rfnMoYxb4J+cpRXV8MS7Dr1vjjLVUC9KiwSbM3gg6emfd2yuA93ihv +Pe3mffzLIiQa4mRE3wtGcioC43nWuV2K2e1KjxeFg07JhrezA/1Cak505ab/tmvP +4YmjR5c44+yL/YcQ3HdFgs4mV+nVbptRXvRcPpolJsgxPccGNdvHhsoR4gwXMS3F +RRPD2z6x8xeN73Q4KH3bm01swQdwFBZbWVfmUGLxvN7leCdfs9+iFJyqHiCIB6Iv +mQfp8F0IAOwSo8JhWN+V1dwML4EkIrM8wUb4yecNLkyR6TpPH/qXx4PxVMC+vy6x +sCtjeHIwKE+9vqnlhd5zOYh7qYXEJtYwdeDDmDbL8oks1LFfd+FyAuZXY33DLwn0 +cRYsr2OEZmaajqUB3NVmj3H4uJBN9+paFHyFSXrH68K1Fk2o3n+RSf2EiX+eICwI +L6rqoF5sSVUghBWdNegV7qfy4anwTQwrIMGjgU5S6PKW0Dr/3iO5z3qQpGPAj5OW +ATqPWkDICLbObPxD5cJlyyNE2wCA9VVc6/1d6w4EVwSq9h3/WTpATEreXXxTGptd +LNiTA1nmakBYNO2Iyo3djhaqBdWjk+EIAKtVEnJH9FAVwWOvaj1RoZMA5DnDMo7e +SnhrCXl8AL7Z1WInEaybasTJXn1uQ8xY52Ua4b8cbuEKRKzw/70NesFRoMLYoHTO +dyeszvhoDHberpGRTciVmpMu7Hyi33rM31K9epA4ib6QbbCHnxkWOZB+Bhgj1hJ8 +xb4RBYWiWpAYcg0+DAC3w9gfxQhtUlZPIbmbrBmrVkO2GVGUj8kH6k4UV6kUHEGY +HQWQR0HcbKcXW81ZXCCD0l7ROuEWQtTe5Jw7dJ4/QFuqZnPutXVRNOZqpl6eRShw +7X2/a29VXBpmHA95a88rSQsL+qm7Fb3prqRmuMCtrUZgFz7HLSTuUMR867QcTGVh +cCBUZXN0IEtleSA8bGVhcEBsZWFwLnNlPokCNwQTAQgAIQUCUL352QIbAwULCQgH +AwUVCgkICwUWAgMBAAIeAQIXgAAKCRAvRV4oJNGN30+xEACh9yLkZ4jqW0/wwyIM +MI896MQf1tAwzMj16MJYUjrjNK4Bn57QaQW926HsxF8C/OjT0MTRhq7heYZJnnEo +rj0rzpkJapUveTRkKeoTRtGGigqJYfkOTU7KRVwgJBXIfaKlI3tC3cX0j0H1fVKX +hLxsj5pNSPRCVf2A5mePg44HtXe6oVWSJ8+EcdTa0shf03NhAtFaY0BbFGPSm9mA +QUe4rxugwXPLctIyV4uweFo5BXFBCb4kKTBdnQi3aJwnoWLNT6rDdTe4/nhY0Hfo +alTCYGLkhio77gBHwpTOjEMO/hZhcDMi4CvxMPw7bRxAwq4u+0j0pDhkiLcQs4U4 +Ou/fH+pia+1nF5h19cNVXIm+RX2fL0wxVYc/14AIAK3YT6PVev9XYEkogSj0P7Kb +HKOruYpnToXJBERNJZwGL1U+ihPNUyroRf29t7u8flnXsOpCtBEIWAO8Muy5pWjV +3O6zAUCfWetAieCQ7WrQVmdJDa7dlX3Qx1XagUzqZdAq2jVI1hOWDA2rKytnReSF +/A97rmLaWZ8aoNCs8i4NLcy9Lbzi9QtornYGVCEmTTym0tM9L/mn7gAJ8dqUwt7n +s24dibfElky4ZZeItD+D7OZGeh0FDuejvv2dXFqL1/pkHpGBZhEckg0fZ95NbgMC +4pSZkZnqRpr2GwfB5aFfB6sIIJ0HGARQvfnZARAAtCP8Z9bm6KzIA7wbXx9LBIcJ +1wQvOPf99s4nOrnQev9xH5PZ820qS9xUjrlyE2bGYAhz5Cmq56ENs7THErIdZHtQ +uYEBprO+VFZjP50vtmCOL2PDl/xgv6J9r1Mp3KnR/m0esR+YceDW1qX07IkB5s+Q +us80v5LmmxnWcikWmR7dt1kOyV/+M6Y6mwvfQ4x3D/QUpO7SfMCOG5DGA7hVUHU/ +Tuh8MihmMFFOLAEEQI+1wkxr1W09HaYCcB+EZqxLSaBwMeFoYPJie9dBNBgps39o +6pDbjsO+or4JNuyoHvh8NNI5iY0IR2NMlW4mqCcHEazys2koxFTYK6YD95Vz0RkA +K4BErCDk3lVR0PH4StmLU3gmPayIjvi9Dl9saPRyu4Xx2WVi+q6spl3ckn4c4f3+ +iD8hxVp74+wa5ew0fIXjIpMoHCar/nndsse4i8glCddINdiOPPmhI9Wi3nT+5Z2t +9omPP2dEh0CzR+j1zvUpT3KtmhVICqhO+QP9BTJOwrp81NTlq9mbUyzTtVk/9dy3 +zoYbhKvY08k6LJ9FsQYySqtfJZ4cwl5WsOhALWwOwlMLA9wkz0eemgFxStyOylzl +QKoIK7zHuU6XYOXa32KSPIWaLy+WgIG/u2ObWtdE3CXVIUuSt5BQFnv7XVNHJllD +Az9VDEkOSYOiSEFVoUsAEQEAAQAP/1AagnZQZyzHDEgw4QELAspYHCWLXE5aZInX +wTUJhK31IgIXNn9bJ0hFiSpQR2xeMs9oYtRuPOu0P8oOFMn4/z374fkjZy8QVY3e +PlL+3EUeqYtkMwlGNmVw5a/NbNuNfm5Darb7pEfbYd1gPcni4MAYw7R2SG/57GbC +9gucvspHIfOSfBNLBthDzmK8xEKe1yD2eimfc2T7IRYb6hmkYfeds5GsqvGI6mwI +85h4uUHWRc5JOlhVM6yX8hSWx0L60Z3DZLChmc8maWnFXd7C8eQ6P1azJJbW71Ih +7CoK0XW4LE82vlQurSRFgTwfl7wFYszW2bOzCuhHDDtYnwH86Nsu0DC78ZVRnvxn +E8Ke/AJgrdhIOo4UAyR+aZD2+2mKd7/waOUTUrUtTzc7i8N3YXGi/EIaNReBXaq+ +ZNOp24BlFzRp+FCF/pptDW9HjPdiV09x0DgICmeZS4Gq/4vFFIahWctg52NGebT0 +Idxngjj+xDtLaZlLQoOz0n5ByjO/Wi0ANmMv1sMKCHhGvdaSws2/PbMR2r4caj8m +KXpIgdinM/wUzHJ5pZyF2U/qejsRj8Kw8KH/tfX4JCLhiaP/mgeTuWGDHeZQERAT +xPmRFHaLP9/ZhvGNh6okIYtrKjWTLGoXvKLHcrKNisBLSq+P2WeFrlme1vjvJMo/ +jPwLT5o9CADQmcbKZ+QQ1ZM9v99iDZol7SAMZX43JC019sx6GK0u6xouJBcLfeB4 +OXacTgmSYdTa9RM9fbfVpti01tJ84LV2SyL/VJq/enJF4XQPSynT/tFTn1PAor6o +tEAAd8fjKdJ6LnD5wb92SPHfQfXqI84rFEO8rUNIE/1ErT6DYifDzVCbfD2KZdoF +cOSp7TpD77sY1bs74ocBX5ejKtd+aH99D78bJSMM4pSDZsIEwnomkBHTziubPwJb +OwnATy0LmSMAWOw5rKbsh5nfwCiUTM20xp0t5JeXd+wPVWbpWqI2EnkCEN+RJr9i +7dp/ymDQ+Yt5wrsN3NwoyiexPOG91WQVCADdErHsnglVZZq9Z8Wx7KwecGCUurJ2 +H6lKudv5YOxPnAzqZS5HbpZd/nRTMZh2rdXCr5m2YOuewyYjvM757AkmUpM09zJX +MQ1S67/UX2y8/74TcRF97Ncx9HeELs92innBRXoFitnNguvcO6Esx4BTe1OdU6qR +ER3zAmVf22Le9ciXbu24DN4mleOH+OmBx7X2PqJSYW9GAMTsRB081R6EWKH7romQ +waxFrZ4DJzZ9ltyosEJn5F32StyLrFxpcrdLUoEaclZCv2qka7sZvi0EvovDVEBU +e10jOx9AOwf8Gj2ufhquQ6qgVYCzbP+YrodtkFrXRS3IsljIchj1M2ffB/0bfoUs +rtER9pLvYzCjBPg8IfGLw0o754Qbhh/ReplCRTusP/fQMybvCvfxreS3oyEriu/G +GufRomjewZ8EMHDIgUsLcYo2UHZsfF7tcazgxMGmMvazp4r8vpgrvW/8fIN/6Adu +tF+WjWDTvJLFJCe6O+BFJOWrssNrrra1zGtLC1s8s+Wfpe+bGPL5zpHeebGTwH1U +22eqgJArlEKxrfarz7W5+uHZJHSjF/K9ZvunLGD0n9GOPMpji3UO3zeM8IYoWn7E +/EWK1XbjnssNemeeTZ+sDh+qrD7BOi+vCX1IyBxbfqnQfJZvmcPWpruy1UsO+aIC +0GY8Jr3OL69dDQ21jueJAh8EGAEIAAkFAlC9+dkCGwwACgkQL0VeKCTRjd9HCw/+ +LQSVgLLF4ulYlPCjWIIuQwrPbJfWUVVr2dPUFVM85DCv8gBzk5c121snXh9Swovm +laBbw6ate3BmbXLh64jVE9Za5sbTWi7PCcbO/bpRy4d6oLmitmNw6cq0vjTLxUYy +bwuiJxWREkfxuU85EKdouN062YDevH+/YResmlJrcCE7LRlJFeRlKsrrwBU3BqYd +GgFJjKjQC1peeQ9fj62Y7xfwE9+PXbkiWO5u/Bk8hb1VZH1SoIRU98NHVcp6BVvp +VK0jLAXuSauSczULmpRjbyt1lhaAqivDTWEEZXiNNbRyp17c3nVdPWOcgBr42hdQ +z25CgZgyLCsvu82wuXLKJblrIPJX3Yf+si6KqEWBsmwdOWybsjygaF5HvzgFqAAD +U0goPWoQ71PorP2XOUNp5ZLkBQp5etvtkksjVNMIhnHn8PGMuoxO39EUGlWj2B5l +Cu8tSosAzB1pS8NcLZzoNoI9dOHrmgJmP+GrOUkcf5GhNZbMoj4GNfGBRYX0SZlQ +GuDrwNKYj73C4MWyNnnUFyq8nDHJ/G1NpaF2hiof9RBL4PUU/f92JkceXPBXA8gL +Mz2ig1OButwPPLFGQhWqxXAGrsS3Ny+BhTJfnfIbbkaLLphBpDZm1D9XKbAUvdd1 +RZXoH+FTg9UAW87eqU610npOkT6cRaBxaMK/mDtGNdc= +=JTFu +-----END PGP PRIVATE KEY BLOCK----- +""" | 
