func GenerateKeyPair(name, desc, email string) (pubkey, privkey []byte, fp string, err error) {
	defer func() {
		if e := recover(); e != nil {
			err = fmt.Errorf("GenerateKeyPair() -> %v", e)
		}
	}()
	// generate a private key
	ent, err := openpgp.NewEntity(name, desc, email, nil)
	if err != nil {
		panic(err)
	}
	// serialize the private key
	pkbuf := bytes.NewBuffer(nil)
	err = ent.SerializePrivate(pkbuf, nil)
	if err != nil {
		panic(err)
	}
	buf := bytes.NewBuffer(nil)
	ewrbuf, err := armor.Encode(buf, openpgp.PrivateKeyType, nil)
	if err != nil {
		panic(err)
	}
	_, err = ewrbuf.Write(pkbuf.Bytes())
	if err != nil {
		panic(err)
	}
	ewrbuf.Close()
	privkey = buf.Bytes()
	// serialize the public key
	pkbuf = bytes.NewBuffer(nil)
	err = ent.Serialize(pkbuf)
	if err != nil {
		panic(err)
	}
	buf = bytes.NewBuffer(nil)
	ewrbuf, err = armor.Encode(buf, openpgp.PublicKeyType, nil)
	if err != nil {
		panic(err)
	}
	_, err = ewrbuf.Write(pkbuf.Bytes())
	if err != nil {
		panic(err)
	}
	ewrbuf.Close()
	pubkey = buf.Bytes()
	// validate the public key and obtain a fingerprint from it
	fp, err = LoadArmoredPubKey(pubkey)
	if err != nil {
		panic(err)
	}
	return
}

func encryptAndArmor(input []byte, to []*openpgp.Entity) ([]byte, error) {
	encOutput := &bytes.Buffer{}
	encInput, err := openpgp.Encrypt(encOutput, to, nil, nil, nil)
	if err != nil {
		return nil, err
	}

	if _, err = encInput.Write(input); err != nil {
		return nil, err
	}

	if err = encInput.Close(); err != nil {
		return nil, err
	}

	armOutput := &bytes.Buffer{}
	armInput, err := armor.Encode(armOutput, "PGP MESSAGE", nil)
	if err != nil {
		return nil, err
	}

	if _, err = io.Copy(armInput, encOutput); err != nil {
		return nil, err
	}

	if err = armInput.Close(); err != nil {
		return nil, err
	}

	return armOutput.Bytes(), nil
}

// NewPGPEncryptor returns a new PGPEncryptor instance, prepared for encrypting one single
// mail with the given parameters.
func NewPGPEncryptor(signingKey, encryptionKey *openpgp.Entity, keepHeaders []string) (*PGPEncryptor, error) {
	if encryptionKey == nil {
		return nil, errors.New("missing encryption key")
	}
	e := &PGPEncryptor{}
	e.keepHeaders = keepHeaders
	e.pgpBuffer = &bytes.Buffer{}
	e.headerBuffer = NewHeaderBuffer()
	var err error
	e.asciiWriter, err = armor.Encode(e.pgpBuffer, "PGP MESSAGE", nil)
	if err != nil {
		return nil, err
	}
	cfg := &packet.Config{
		DefaultCipher: packet.CipherAES256,
		DefaultHash:   crypto.SHA256,
	}
	e.pgpWriter, err = openpgp.Encrypt(e.asciiWriter,
		[]*openpgp.Entity{encryptionKey}, signingKey,
		&openpgp.FileHints{IsBinary: true}, cfg)
	if err != nil {
		return nil, err
	}
	return e, nil
}

// Export writes out the named public key, or all public keys if keyID
// is empty. The result is an ASCII-armoured public key.
func (keyRing *KeyRing) Export(keyID string) (armoured string, err error) {
	buf := new(bytes.Buffer)
	blockType := openpgp.PublicKeyType
	blockHeaders := map[string]string{
		"Version": fmt.Sprintf("Keybase Go client (OpenPGP version %s)", Version),
	}

	armourBuffer, err := armor.Encode(buf, blockType, blockHeaders)
	if err != nil {
		return
	}

	if keyID != "" {
		e, ok := keyRing.Entities[strings.ToLower(keyID)]
		if !ok {
			err = ErrKeyNotFound
			return
		}
		e.Serialize(armourBuffer)
	} else {
		if len(keyRing.Entities) == 0 {
			err = ErrKeyNotFound
			return
		}
		for _, e := range keyRing.Entities {
			e.Serialize(armourBuffer)
		}
	}

	armourBuffer.Close()

	armoured = string(buf.Bytes())
	return
}

// NewEntity creates a new entity. It doesn't provide an option for comments.
func NewEntity(name, email, outFile string) (ne *openpgp.Entity, err error) {
	ne, err = openpgp.NewEntity(name, "", email, nil)
	if err != nil {
		return
	}

	out, err := os.Create(outFile)
	if err != nil {
		ne = nil
		return
	}

	hdr := map[string]string{
		"Version": "Keybase Go client (OpenPGP version v0.1)",
	}

	keyOut, err := armor.Encode(out, openpgp.PrivateKeyType, hdr)
	if err != nil {
		ne = nil
		return
	}

	defer func() {
		keyOut.Close()
		out.Close()
	}()

	err = ne.SerializePrivate(keyOut, nil)
	if err != nil {
		ne = nil
		return
	}

	return
}

func encryptOpenpgp(data io.Reader, recipient string, gpghome string) ([]byte, error) {
	pubkeyfile, err := os.Open(fmt.Sprintf("%s%spubring.gpg", gpghome, string(os.PathSeparator)))
	if err != nil {
		fmt.Println("Failed to open pubring", err)
		return nil, err
	}

	pubring, err := openpgp.ReadKeyRing(pubkeyfile)
	if err != nil {
		fmt.Println("Failed to open pubring", err)
		return nil, err
	}

	pubkey := findKey(pubring, recipient)

	buf := bytes.NewBuffer(nil)
	w, _ := armor.Encode(buf, "PGP MESSAGE", nil)
	plaintext, err := openpgp.Encrypt(w, []*openpgp.Entity{pubkey}, nil, nil, nil)
	if err != nil {
		return nil, err
	}
	//reader := bytes.NewReader(data)
	_, err = io.Copy(plaintext, data)
	plaintext.Close()
	w.Close()
	if err != nil {
		return nil, err
	}

	return buf.Bytes(), nil

}

func ReadJSKey() {
	pubringFile, _ := os.Open("path to public keyring")
	defer pubringFile.Close()
	pubring, _ := openpgp.ReadArmoredKeyRing(pubringFile)
	theirPublicKey := getKeyByEmail(pubring, "[email protected]")

	secringFile, _ := os.Open("path to private keyring")
	defer secringFile.Close()
	secring, _ := openpgp.ReadArmoredKeyRing(secringFile)
	myPrivateKey := getKeyByEmail(secring, "[email protected]")

	myPrivateKey.PrivateKey.Decrypt([]byte("passphrase"))

	var hint openpgp.FileHints
	hint.IsBinary = false
	hint.FileName = "_CONSOLE"
	hint.ModTime = time.Now()

	w, _ := armor.Encode(os.Stdout, "PGP MESSAGE", nil)
	defer w.Close()
	plaintext, _ := openpgp.Encrypt(w, []*openpgp.Entity{theirPublicKey}, myPrivateKey, &hint, nil)
	defer plaintext.Close()

	fmt.Fprintf(plaintext, "黄勇刚在熟悉OpenPGP代码\n")
}

// KeyringToArmoredPubKeys reads all public keys from a keyring and returned their armored format
// into map of keys indexed by key fingerprint
func KeyringToArmoredPubKeys(keyring io.ReadCloser) (armoredkeys map[string][]byte, err error) {
	defer func() {
		if e := recover(); e != nil {
			err = fmt.Errorf("KeyringToArmoredPubKeys() -> %v", e)
		}
	}()
	els, err := openpgp.ReadArmoredKeyRing(keyring)
	if err != nil {
		panic(err)
	}
	for _, el := range els {
		fingerprint := hex.EncodeToString(el.PrimaryKey.Fingerprint[:])
		var pubkeybuf bytes.Buffer
		err = el.Serialize(&pubkeybuf)
		if err != nil {
			panic(err)
		}
		armoredbuf := bytes.NewBuffer(nil)
		ewrbuf, err := armor.Encode(armoredbuf, openpgp.PublicKeyType, nil)
		if err != nil {
			panic(err)
		}
		_, err = ewrbuf.Write(pubkeybuf.Bytes())
		if err != nil {
			panic(err)
		}
		ewrbuf.Close()
		armoredkeys[fingerprint] = armoredbuf.Bytes()
	}
	return
}

func (d *dashEscaper) Close() (err error) {
	if !d.atBeginningOfLine {
		if err = d.buffered.WriteByte(lf); err != nil {
			return
		}
	}
	sig := new(packet.Signature)
	sig.SigType = packet.SigTypeText
	sig.PubKeyAlgo = d.privateKey.PubKeyAlgo
	sig.Hash = d.hashType
	sig.CreationTime = d.config.Now()
	sig.IssuerKeyId = &d.privateKey.KeyId

	if err = sig.Sign(d.h, d.privateKey, d.config); err != nil {
		return
	}

	out, err := armor.Encode(d.buffered, "PGP SIGNATURE", nil)
	if err != nil {
		return
	}

	if err = sig.Serialize(out); err != nil {
		return
	}
	if err = out.Close(); err != nil {
		return
	}
	if err = d.buffered.Flush(); err != nil {
		return
	}
	return
}

func ExportKey(key, filename string) error {
	entity, err := findKey(key)
	if err != nil {
		return err
	}

	f, err := os.Create(filename)
	if err != nil {
		return err
	}
	defer f.Close()

	w, err := armor.Encode(f, openpgp.PublicKeyType, nil)
	if err != nil {
		return err
	}

	err = entity.Serialize(w)
	if err != nil {
		return err
	}

	err = w.Close()
	if err != nil {
		return err
	}

	return nil
}

func ArmorPubKey(pubkey []byte) (armoredPubKey []byte, err error) {
	var pubkeybuf bytes.Buffer
	// Load PGP public key
	el, err := openpgp.ReadArmoredKeyRing(bytes.NewBuffer(pubkey))
	if err != nil {
		panic(err)
	}
	// serialize entities into io.Reader
	err = el[0].Serialize(&pubkeybuf)
	if err != nil {
		panic(err)
	}
	armoredbuf := bytes.NewBuffer(nil)
	ewrbuf, err := armor.Encode(armoredbuf, openpgp.PublicKeyType, nil)
	if err != nil {
		panic(err)
	}
	_, err = ewrbuf.Write(pubkeybuf.Bytes())
	if err != nil {
		panic(err)
	}
	ewrbuf.Close()
	armoredPubKey = armoredbuf.Bytes()
	return
}

func writePrivateKeyToFile(entity *openpgp.Entity, privateKeyFile string) error {
	privKey, err := os.OpenFile(privateKeyFile, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0400)
	if err != nil {
		return err
	}
	w, err := armor.Encode(
		privKey,
		openpgp.PrivateKeyType,
		map[string]string{
			"Comment": "Key pair generated by generic worker",
		},
	)
	if err != nil {
		return err
	}
	defer func() {
		w.Close()
		fmt.Fprintln(privKey)
		privKey.Close()
	}()
	err = entity.SerializePrivate(w, nil)
	if err != nil {
		return err
	}
	return nil
}

// encrypt uses PGP to symmetrically encrypt and armor text with the
// provided password.
func (c *OpenPGPClient) Encrypt(plaintext []byte, password []byte) (ciphertext []byte, err error) {
	encbuf := bytes.NewBuffer(nil)

	w, err := armor.Encode(encbuf, "PGP MESSAGE", nil)
	if err != nil {
		return
	}
	defer w.Close()

	pt, err := openpgp.SymmetricallyEncrypt(w, password, nil, c.packetConfig)
	if err != nil {
		return
	}
	defer pt.Close()

	if _, err := pt.Write(plaintext); err != nil {
		return nil, err
	}

	// Force-close writer to flush their cache
	if err = pt.Close(); err != nil {
		return
	}
	if err = w.Close(); err != nil {
		return
	}

	ciphertext = encbuf.Bytes()
	return
}

func (o *openPGP) GenKey(identifier string, email string) (pubKey string, secKey string, err error) {
	buf := bytes.NewBuffer(nil)
	header := map[string]string{
		"Version": fmt.Sprintf("INTERLOCK %s OpenPGP generated key", InterlockVersion),
	}

	entity, err := openpgp.NewEntity(identifier, "", email, nil)

	if err != nil {
		return
	}

	encoder, err := armor.Encode(buf, openpgp.PublicKeyType, header)

	if err != nil {
		return
	}

	// we use our own function due to issues in openpgp.Serialize (see Serialize() comments)
	err = serialize(entity, encoder, nil)

	if err != nil {
		return
	}

	encoder.Close()
	pubKey = buf.String()

	buf.Reset()
	encoder, err = armor.Encode(buf, openpgp.PrivateKeyType, header)

	if err != nil {
		encoder.Close()
		return
	}

	err = entity.SerializePrivate(encoder, nil)

	if err != nil {
		return
	}

	encoder.Close()
	secKey = buf.String()

	return
}

// Sign signs the given message.
func (keyRing *KeyRing) Sign(message []byte, keyID string) (sig []byte, err error) {
	err = keyRing.Unlock(keyID)
	if err != nil {
		return
	}

	signer := keyRing.Entities[strings.ToLower(keyID)]
	buf := new(bytes.Buffer)
	hdr := map[string]string{
		"Version": fmt.Sprintf("Keybase Go client (OpenPGP version %s)", Version),
	}
	armourBuf, err := armor.Encode(buf, "PGP MESSAGE", hdr)
	if err != nil {
		return
	}

	opSig := &packet.OnePassSignature{
		SigType:    packet.SigTypeBinary,
		Hash:       crypto.SHA1,
		PubKeyAlgo: packet.PubKeyAlgoRSA,
		KeyId:      signer.PrimaryKey.KeyId,
		IsLast:     true,
	}
	err = opSig.Serialize(armourBuf)
	if err != nil {
		return
	}

	literalPacket, err := newLiteralDataPacket(message, "", uint32(time.Now().Unix()))
	if err != nil {
		return
	}
	_, err = armourBuf.Write(literalPacket)
	if err != nil {
		return
	}

	sigPacket := &packet.Signature{
		SigType:      packet.SigTypeBinary,
		IssuerKeyId:  &signer.PrimaryKey.KeyId,
		PubKeyAlgo:   packet.PubKeyAlgoRSA,
		Hash:         crypto.SHA1,
		CreationTime: time.Now(),
	}
	h := sha1.New()
	h.Write(message)
	err = sigPacket.Sign(h, signer.PrivateKey, nil)
	if err != nil {
		return
	}

	err = sigPacket.Serialize(armourBuf)
	if err != nil {
		return
	}
	armourBuf.Close()
	sig = buf.Bytes()
	return
}

func (ctx *SecureContext) EncryptRoot() error {
	entityList, err := ctx.ReadAccessList()
	if err != nil {
		return err
	}

	fileCallback := func(filePath string, fi os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if fi.IsDir() {
			return nil
		}
		if filepath.Ext(fi.Name()) != ".txt" {
			return nil
		}

		fp, err := os.Open(filePath)
		if err != nil {
			return err
		}
		defer fp.Close()

		filePath = strings.Replace(filePath, ".txt", ".gpg", 1)
		destRootPath := path.Join(ctx.DirectoryRoot, "files")
		destPath := path.Join(destRootPath, filepath.Base(filePath))

		_, err = os.Stat(destRootPath)
		if err != nil {
			err = os.Mkdir(destRootPath, 0700)
			if err != nil {
				return err
			}
		}

		destFp, err := os.Create(destPath)
		if err != nil {
			return err
		}
		defer destFp.Close()

		w, err := armor.Encode(destFp, "PGP MESSAGE", nil)
		if err != nil {
			return err
		}
		defer w.Close()

		cleartext, err := openpgp.Encrypt(w, entityList, nil, nil, nil)
		if err != nil {
			return err
		}
		io.Copy(cleartext, fp)
		cleartext.Close()

		return nil
	}

	return filepath.Walk(ctx.DirectoryRoot, fileCallback)
}

func (h *HKPFront) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	if r.Method != "GET" || r.URL.Path != "/pks/lookup" || len(q["op"]) != 1 || q["op"][0] != "get" || len(q["search"]) != 1 {
		http.Error(w, `this server only supports queries of the form "/pks/lookup?op=get&search=<EMAIL>"`, 501)
		return
	}
	user := q["search"][0]
	ctx := context.Background()

	var requiredSignatures *proto.QuorumExpr
	if !h.InsecureSkipVerify {
		realm, err := coname.GetRealmByUser(h.Config, user)
		if err != nil {
			http.Error(w, err.Error(), 400)
			return
		}
		requiredSignatures = realm.VerificationPolicy.Quorum
	}

	pf, err := h.Lookup(ctx, &proto.LookupRequest{UserId: user, QuorumRequirement: requiredSignatures})
	if err != nil {
		http.Error(w, err.Error(), 503)
		return
	}

	if !h.InsecureSkipVerify {
		coname.VerifyLookup(h.Config, user, pf, h.Clk.Now())
	}

	if pf.Profile.Keys == nil {
		http.Error(w, `No results found: No keys found: unknown email`, 404)
		return
	}

	pgpKey, present := pf.Profile.Keys["pgp"]
	if !present {
		http.Error(w, `No results found: No keys found: the email is known to the keyserver, but the profile does not include an OpenPGP key`, 404)
		return
	}

	if _, mr := q["mr"]; mr {
		w.Header().Set("Content-Type", "application/pgp-keys")
	}
	aw, err := armor.Encode(w, "PGP PUBLIC KEY BLOCK", nil)
	if err != nil {
		http.Error(w, err.Error(), 500)
		return
	}
	_, err = aw.Write(pgpKey)
	if err != nil {
		http.Error(w, err.Error(), 500)
		return
	}
	if err := aw.Close(); err != nil {
		http.Error(w, err.Error(), 500)
		return
	}
}

func armoredDetachSign(w io.Writer, signer *Entity, message io.Reader, sigType packet.SignatureType, config *packet.Config) (err error) {
	out, err := armor.Encode(w, SignatureType, nil)
	if err != nil {
		return
	}
	err = detachSign(out, signer, message, sigType, config)
	if err != nil {
		return
	}
	return out.Close()
}

// Armor - this function returns the public part of our armored key.
// @return string - This is our public key
// @return error - An error can be produced when trying to access an unarmored string.
func (key *Key) Armor() (string, error) {
	buf := new(bytes.Buffer)
	armor, err := armor.Encode(buf, openpgp.PublicKeyType, nil)
	if err != nil {
		return "", err
	}
	key.Serialize(armor)
	armor.Close()

	return buf.String(), nil
}

func GpgEncrypt(text2encrypt string, headers map[string]string) string {
	var encrypted bytes.Buffer
	foo := bufio.NewWriter(&encrypted)
	w, _ := armor.Encode(foo, "TRIBES PAYLOAD", headers)
	plaintext, _ := openpgp.SymmetricallyEncrypt(w, []byte(config.GetTribeID()), nil, nil)
	fmt.Fprintf(plaintext, text2encrypt)
	plaintext.Close()
	w.Close()
	foo.Flush()
	return encrypted.String()
}