From: Nikita Karetnikov <nikita@karetnikov.org>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel@gnu.org
Subject: Re: Signed archives (preliminary patch)
Date: Sun, 09 Mar 2014 02:38:18 +0400 [thread overview]
Message-ID: <87k3c4joyt.fsf@karetnikov.org> (raw)
In-Reply-To: <87bnxl62ws.fsf@gnu.org> ("Ludovic Courtès"'s message of "Tue, 04 Mar 2014 22:59:31 +0100")
[-- Attachment #1.1: Type: text/plain, Size: 487 bytes --]
Still WIP, sorry. Please take a look anyway.
I think the current docstring of ‘assert-valid-signature’ is not correct
since ‘signature’ must be a string (as produced by
‘canonical-sexp->string’), not an sexp.
Similarly, the “signature is not a valid s-expression” and “corrupt
signature data” messages are a bit confusing due to the way
‘string->canonical-sexp’ works (try ‘string->canonical-sexp "foo"’).
But I may be wrong about the latter.
[-- Attachment #1.2: signature2.diff4 --]
[-- Type: text/plain, Size: 33113 bytes --]
diff --git a/guix/base64.scm b/guix/base64.scm
new file mode 100644
index 0000000..f7f7f5f
--- /dev/null
+++ b/guix/base64.scm
@@ -0,0 +1,212 @@
+;; -*- mode: scheme; coding: utf-8 -*-
+;;
+;; This module was renamed from (weinholt text base64 (1 0 20100612)) to
+;; (guix base64) by Nikita Karetnikov <nikita@karetnikov.org> on
+;; February 12, 2014.
+;;
+;; Copyright © 2009, 2010 Göran Weinholt <goran@weinholt.se>
+;;
+;; This program is free software: you can redistribute it and/or modify
+;; it under the terms of the GNU General Public License as published by
+;; the Free Software Foundation, either version 3 of the License, or
+;; (at your option) any later version.
+;;
+;; This program is distributed in the hope that it will be useful,
+;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;; GNU General Public License for more details.
+;;
+;; You should have received a copy of the GNU General Public License
+;; along with this program. If not, see <http://www.gnu.org/licenses/>.
+#!r6rs
+
+;; RFC 4648 Base-N Encodings
+
+(library (guix base64)
+ (export base64-encode
+ base64-decode
+ base64-alphabet
+ base64url-alphabet
+ get-delimited-base64
+ put-delimited-base64)
+ (import (rnrs)
+ (only (srfi :13 strings)
+ string-index
+ string-prefix? string-suffix?
+ string-concatenate string-trim-both))
+
+ (define base64-alphabet
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")
+
+ (define base64url-alphabet
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")
+
+ (define base64-encode
+ (case-lambda
+ ;; Simple interface. Returns a string containing the canonical
+ ;; base64 representation of the given bytevector.
+ ((bv)
+ (base64-encode bv 0 (bytevector-length bv) #f #f base64-alphabet #f))
+ ((bv start)
+ (base64-encode bv start (bytevector-length bv) #f #f base64-alphabet #f))
+ ((bv start end)
+ (base64-encode bv start end #f #f base64-alphabet #f))
+ ((bv start end line-length)
+ (base64-encode bv start end line-length #f base64-alphabet #f))
+ ((bv start end line-length no-padding)
+ (base64-encode bv start end line-length no-padding base64-alphabet #f))
+ ((bv start end line-length no-padding alphabet)
+ (base64-encode bv start end line-length no-padding alphabet #f))
+ ;; Base64 encodes the bytes [start,end[ in the given bytevector.
+ ;; Lines are limited to line-length characters (unless #f),
+ ;; which must be a multiple of four. To omit the padding
+ ;; characters (#\=) set no-padding to a true value. If port is
+ ;; #f, returns a string.
+ ((bv start end line-length no-padding alphabet port)
+ (assert (or (not line-length) (zero? (mod line-length 4))))
+ (let-values (((p extract) (if port
+ (values port (lambda () (values)))
+ (open-string-output-port))))
+ (letrec ((put (if line-length
+ (let ((chars 0))
+ (lambda (p c)
+ (when (fx=? chars line-length)
+ (set! chars 0)
+ (put-char p #\linefeed))
+ (set! chars (fx+ chars 1))
+ (put-char p c)))
+ put-char)))
+ (let lp ((i start))
+ (cond ((= i end))
+ ((<= (+ i 3) end)
+ (let ((x (bytevector-uint-ref bv i (endianness big) 3)))
+ (put p (string-ref alphabet (fxbit-field x 18 24)))
+ (put p (string-ref alphabet (fxbit-field x 12 18)))
+ (put p (string-ref alphabet (fxbit-field x 6 12)))
+ (put p (string-ref alphabet (fxbit-field x 0 6)))
+ (lp (+ i 3))))
+ ((<= (+ i 2) end)
+ (let ((x (fxarithmetic-shift-left (bytevector-u16-ref bv i (endianness big)) 8)))
+ (put p (string-ref alphabet (fxbit-field x 18 24)))
+ (put p (string-ref alphabet (fxbit-field x 12 18)))
+ (put p (string-ref alphabet (fxbit-field x 6 12)))
+ (unless no-padding
+ (put p #\=))))
+ (else
+ (let ((x (fxarithmetic-shift-left (bytevector-u8-ref bv i) 16)))
+ (put p (string-ref alphabet (fxbit-field x 18 24)))
+ (put p (string-ref alphabet (fxbit-field x 12 18)))
+ (unless no-padding
+ (put p #\=)
+ (put p #\=)))))))
+ (extract)))))
+
+ ;; Decodes a base64 string. The string must contain only pure
+ ;; unpadded base64 data.
+ (define base64-decode
+ (case-lambda
+ ((str)
+ (base64-decode str base64-alphabet #f))
+ ((str alphabet)
+ (base64-decode str alphabet #f))
+ ((str alphabet port)
+ (unless (zero? (mod (string-length str) 4))
+ (error 'base64-decode
+ "input string must be a multiple of four characters"))
+ (let-values (((p extract) (if port
+ (values port (lambda () (values)))
+ (open-bytevector-output-port))))
+ (do ((i 0 (+ i 4)))
+ ((= i (string-length str))
+ (extract))
+ (let ((c1 (string-ref str i))
+ (c2 (string-ref str (+ i 1)))
+ (c3 (string-ref str (+ i 2)))
+ (c4 (string-ref str (+ i 3))))
+ ;; TODO: be more clever than string-index
+ (let ((i1 (string-index alphabet c1))
+ (i2 (string-index alphabet c2))
+ (i3 (string-index alphabet c3))
+ (i4 (string-index alphabet c4)))
+ (cond ((and i1 i2 i3 i4)
+ (let ((x (fxior (fxarithmetic-shift-left i1 18)
+ (fxarithmetic-shift-left i2 12)
+ (fxarithmetic-shift-left i3 6)
+ i4)))
+ (put-u8 p (fxbit-field x 16 24))
+ (put-u8 p (fxbit-field x 8 16))
+ (put-u8 p (fxbit-field x 0 8))))
+ ((and i1 i2 i3 (char=? c4 #\=)
+ (= i (- (string-length str) 4)))
+ (let ((x (fxior (fxarithmetic-shift-left i1 18)
+ (fxarithmetic-shift-left i2 12)
+ (fxarithmetic-shift-left i3 6))))
+ (put-u8 p (fxbit-field x 16 24))
+ (put-u8 p (fxbit-field x 8 16))))
+ ((and i1 i2 (char=? c3 #\=) (char=? c4 #\=)
+ (= i (- (string-length str) 4)))
+ (let ((x (fxior (fxarithmetic-shift-left i1 18)
+ (fxarithmetic-shift-left i2 12))))
+ (put-u8 p (fxbit-field x 16 24))))
+ (else
+ (error 'base64-decode "invalid input"
+ (list c1 c2 c3 c4)))))))))))
+
+ (define (get-line-comp f port)
+ (if (port-eof? port)
+ (eof-object)
+ (f (get-line port))))
+
+ ;; Reads the common -----BEGIN/END type----- delimited format from
+ ;; the given port. Returns two values: a string with the type and a
+ ;; bytevector containing the base64 decoded data. The second value
+ ;; is the eof object if there is an eof before the BEGIN delimiter.
+ (define (get-delimited-base64 port)
+ (define (get-first-data-line port)
+ ;; Some MIME data has header fields in the same format as mail
+ ;; or http. These are ignored.
+ (let ((line (get-line-comp string-trim-both port)))
+ (cond ((eof-object? line) line)
+ ((string-index line #\:)
+ (let lp () ;read until empty line
+ (let ((line (get-line-comp string-trim-both port)))
+ (if (string=? line "")
+ (get-line-comp string-trim-both port)
+ (lp)))))
+ (else line))))
+ (let ((line (get-line-comp string-trim-both port)))
+ (cond ((eof-object? line)
+ (values "" (eof-object)))
+ ((string=? line "")
+ (get-delimited-base64 port))
+ ((and (string-prefix? "-----BEGIN " line)
+ (string-suffix? "-----" line))
+ (let* ((type (substring line 11 (- (string-length line) 5)))
+ (endline (string-append "-----END " type "-----")))
+ (let-values (((outp extract) (open-bytevector-output-port)))
+ (let lp ((line (get-first-data-line port)))
+ (cond ((eof-object? line)
+ (error 'get-delimited-base64
+ "unexpected end of file"))
+ ((string-prefix? "-" line)
+ (unless (string=? line endline)
+ (error 'get-delimited-base64
+ "bad end delimiter" type line))
+ (values type (extract)))
+ (else
+ (unless (and (= (string-length line) 5)
+ (string-prefix? "=" line)) ;Skip Radix-64 checksum
+ (base64-decode line base64-alphabet outp))
+ (lp (get-line-comp string-trim-both port))))))))
+ (else ;skip garbage (like in openssl x509 -in foo -text output).
+ (get-delimited-base64 port)))))
+
+ (define put-delimited-base64
+ (case-lambda
+ ((port type bv line-length)
+ (display (string-append "-----BEGIN " type "-----\n") port)
+ (base64-encode bv 0 (bytevector-length bv)
+ line-length #f base64-alphabet port)
+ (display (string-append "\n-----END " type "-----\n") port))
+ ((port type bv)
+ (put-delimited-base64 port type bv 76)))))
\ No newline at end of file
diff --git a/guix/nar.scm b/guix/nar.scm
index 5bf1745..d896c7f 100644
--- a/guix/nar.scm
+++ b/guix/nar.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012, 2013, 2014 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2014 Nikita Karetnikov <nikita@karetnikov.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -52,6 +53,7 @@
write-file
restore-file
+ assert-valid-signature
restore-file-set))
;;; Comment:
@@ -345,6 +347,46 @@ protected from garbage collection."
template)
(temporary-store-directory))))
+(define* (assert-valid-signature signature hash port
+ #:optional (acl (current-acl)))
+ ;; Bail out if SIGNATURE, a string, doesn't match HASH, a bytevector
+ ;; containing the expected hash for PORT.
+ (let* ((file (port-filename port))
+ (signature (catch 'gcry-error
+ (lambda ()
+ (string->canonical-sexp signature))
+ (lambda (err . _)
+ (raise (condition
+ (&message
+ (message "signature is not a valid \
+s-expression"))
+ (&nar-signature-error
+ (file file)
+ (signature signature) (port port)))))))
+ (subject (signature-subject signature))
+ (data (signature-signed-data signature)))
+ (if (and data subject)
+ (if (authorized-key? subject acl)
+ (if (equal? (hash-data->bytevector data) hash)
+ (unless (valid-signature? signature)
+ (raise (condition
+ (&message (message "invalid signature"))
+ (&nar-signature-error
+ (file file) (signature signature) (port port)))))
+ (raise (condition (&message (message "invalid hash"))
+ (&nar-invalid-hash-error
+ (port port) (file file)
+ (signature signature)
+ (expected (hash-data->bytevector data))
+ (actual hash)))))
+ (raise (condition (&message (message "unauthorized public key"))
+ (&nar-signature-error
+ (signature signature) (file file) (port port)))))
+ (raise (condition
+ (&message (message "corrupt signature data"))
+ (&nar-signature-error
+ (signature signature) (file file) (port port)))))))
+
(define* (restore-file-set port
#:key (verify-signature? #t) (lock? #t)
(log-port (current-error-port)))
@@ -368,44 +410,6 @@ while the locks are held."
;; Keep that one around, for error conditions.
port)
- (define (assert-valid-signature signature hash file)
- ;; Bail out if SIGNATURE, an sexp, doesn't match HASH, a bytevector
- ;; containing the expected hash for FILE.
- (let* ((signature (catch 'gcry-error
- (lambda ()
- (string->canonical-sexp signature))
- (lambda (err . _)
- (raise (condition
- (&message
- (message "signature is not a valid \
-s-expression"))
- (&nar-signature-error
- (file file)
- (signature signature) (port port)))))))
- (subject (signature-subject signature))
- (data (signature-signed-data signature)))
- (if (and data subject)
- (if (authorized-key? subject)
- (if (equal? (hash-data->bytevector data) hash)
- (unless (valid-signature? signature)
- (raise (condition
- (&message (message "invalid signature"))
- (&nar-signature-error
- (file file) (signature signature) (port port)))))
- (raise (condition (&message (message "invalid hash"))
- (&nar-invalid-hash-error
- (port port) (file file)
- (signature signature)
- (expected (hash-data->bytevector data))
- (actual hash)))))
- (raise (condition (&message (message "unauthorized public key"))
- (&nar-signature-error
- (signature signature) (file file) (port port)))))
- (raise (condition
- (&message (message "corrupt signature data"))
- (&nar-signature-error
- (signature signature) (file file) (port port)))))))
-
(let loop ((n (read-long-long port))
(files '()))
(case n
@@ -436,7 +440,7 @@ s-expression"))
(when verify-signature?
(if sig
(begin
- (assert-valid-signature sig hash file)
+ (assert-valid-signature sig hash port)
(format log-port
(_ "found valid signature for '~a'~%")
file)
diff --git a/guix/scripts/substitute-binary.scm b/guix/scripts/substitute-binary.scm
index 3aaa1c4..d7f546c 100755
--- a/guix/scripts/substitute-binary.scm
+++ b/guix/scripts/substitute-binary.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2014 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2014 Nikita Karetnikov <nikita@karetnikov.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -23,6 +24,10 @@
#:use-module (guix config)
#:use-module (guix records)
#:use-module (guix nar)
+ #:use-module (guix hash)
+ #:use-module (guix base64)
+ #:use-module (guix pk-crypto)
+ #:use-module (guix pki)
#:use-module ((guix build utils) #:select (mkdir-p))
#:use-module ((guix build download)
#:select (progress-proc uri-abbreviation))
@@ -33,6 +38,8 @@
#:use-module (ice-9 format)
#:use-module (ice-9 ftw)
#:use-module (ice-9 binary-ports)
+ #:use-module (rnrs io ports)
+ #:use-module (rnrs bytevectors)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
#:use-module (srfi srfi-11)
@@ -40,7 +47,10 @@
#:use-module (srfi srfi-26)
#:use-module (web uri)
#:use-module (guix http-client)
- #:export (guix-substitute-binary))
+ #:export (parse-signature
+ read-narinfo
+ write-narinfo
+ guix-substitute-binary))
;;; Comment:
;;;
@@ -185,7 +195,7 @@ failure."
(define-record-type <narinfo>
(%make-narinfo path uri compression file-hash file-size nar-hash nar-size
- references deriver system)
+ references deriver system signature contents)
narinfo?
(path narinfo-path)
(uri narinfo-uri)
@@ -196,15 +206,38 @@ failure."
(nar-size narinfo-size)
(references narinfo-references)
(deriver narinfo-deriver)
- (system narinfo-system))
-
-(define (narinfo-maker cache-url)
- "Return a narinfo constructor for narinfos originating from CACHE-URL."
+ (system narinfo-system)
+ (signature narinfo-signature) ; canonical sexp
+ ;; The original contents of a narinfo file. This field is needed because we
+ ;; want to preserve the exact textual representation for verification purposes.
+ ;; See <https://lists.gnu.org/archive/html/guix-devel/2014-02/msg00340.html>
+ ;; for more information.
+ (contents narinfo-contents))
+
+(define (parse-signature str)
+ "Return the value of a narinfo's 'Signature' field as a canonical sexp."
+ (match (string-split str #\;)
+ ((version _ sig)
+ (let ((maybe-number (string->number version)))
+ (cond ((not (number? maybe-number))
+ (leave (_ "signature version must be a number: ~a~%")
+ version))
+ ;; Currently, there are no other versions.
+ ((not (= 1 maybe-number))
+ (leave (_ "unsupported signature version: ~a~%")
+ maybe-number))
+ (else (string->canonical-sexp
+ (utf8->string (base64-decode sig)))))))
+ (x
+ (leave (_ "invalid format of the signature field: ~a~%") x))))
+
+(define (narinfo-maker str cache-url)
+ "Return a narinfo constructor for narinfos originating from CACHE-URL. STR
+must contain the original contents of a narinfo file."
(lambda (path url compression file-hash file-size nar-hash nar-size
- references deriver system)
+ references deriver system signature)
"Return a new <narinfo> object."
(%make-narinfo path
-
;; Handle the case where URL is a relative URL.
(or (string->uri url)
(string->uri (string-append cache-url "/" url)))
@@ -217,45 +250,33 @@ failure."
(match deriver
((or #f "") #f)
(_ deriver))
- system)))
-
-(define* (read-narinfo port #:optional url)
- "Read a narinfo from PORT in its standard external form. If URL is true, it
-must be a string used to build full URIs from relative URIs found while
-reading PORT."
- (alist->record (fields->alist port)
- (narinfo-maker url)
- '("StorePath" "URL" "Compression"
- "FileHash" "FileSize" "NarHash" "NarSize"
- "References" "Deriver" "System")))
+ system
+ (parse-signature signature)
+ str)))
+
+(define* (read-narinfo port #:optional url (acl (current-acl)))
+ "Read a narinfo from PORT. If URL is true, it must be a string used to
+build full URIs from relative URIs found while reading PORT."
+ (let* ((str (begin (set-port-encoding! port "UTF-8")
+ (get-string-all port)))
+ (rx (make-regexp "(.+)^[[:blank:]]*Signature:[[:blank:]].+$"))
+ (res (or (regexp-exec rx str)
+ (leave (_ "cannot find the Signature line: ~a~%")
+ str)))
+ (hash (sha256 (string->utf8 (match:substring res 1))))
+ (narinfo (alist->record (fields->alist (open-input-string str))
+ (narinfo-maker str url)
+ '("StorePath" "URL" "Compression"
+ "FileHash" "FileSize" "NarHash" "NarSize"
+ "References" "Deriver" "System"
+ "Signature")))
+ (signature (canonical-sexp->string (narinfo-signature narinfo))))
+ (assert-valid-signature signature hash port acl)
+ narinfo))
(define (write-narinfo narinfo port)
"Write NARINFO to PORT."
- (define (empty-string-if-false x)
- (or x ""))
-
- (define (number-or-empty-string x)
- (if (number? x)
- (number->string x)
- ""))
-
- (object->fields narinfo
- `(("StorePath" . ,narinfo-path)
- ("URL" . ,(compose uri->string narinfo-uri))
- ("Compression" . ,narinfo-compression)
- ("FileHash" . ,(compose empty-string-if-false
- narinfo-file-hash))
- ("FileSize" . ,(compose number-or-empty-string
- narinfo-file-size))
- ("NarHash" . ,(compose empty-string-if-false
- narinfo-hash))
- ("NarSize" . ,(compose number-or-empty-string
- narinfo-size))
- ("References" . ,(compose string-join narinfo-references))
- ("Deriver" . ,(compose empty-string-if-false
- narinfo-deriver))
- ("System" . ,narinfo-system))
- port))
+ (put-bytevector port (string->utf8 (narinfo-contents narinfo))))
(define (narinfo->string narinfo)
"Return the external representation of NARINFO."
diff --git a/tests/base64.scm b/tests/base64.scm
new file mode 100644
index 0000000..99c02b5
--- /dev/null
+++ b/tests/base64.scm
@@ -0,0 +1,59 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2014 Nikita Karetnikov <nikita@karetnikov.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (test-base64)
+ #:use-module (guix base64)
+ #:use-module (rnrs bytevectors)
+ #:use-module (srfi srfi-64))
+
+(define (string->base64 str)
+ (base64-encode (string->utf8 str)))
+
+;;; Test vectors from <https://tools.ietf.org/rfc/rfc4648.txt>.
+
+(test-begin "base64")
+
+(test-equal "empty string"
+ (string->base64 "")
+ "")
+
+(test-equal "f"
+ (string->base64 "f")
+ "Zg==")
+
+(test-equal "fo"
+ (string->base64 "fo")
+ "Zm8=")
+
+(test-equal "foo"
+ (string->base64 "foo")
+ "Zm9v")
+
+(test-equal "foob"
+ (string->base64 "foob")
+ "Zm9vYg==")
+
+(test-equal "fooba"
+ (string->base64 "fooba")
+ "Zm9vYmE=")
+
+(test-equal "foobar"
+ (string->base64 "foobar")
+ "Zm9vYmFy")
+
+(test-end "base64")
\ No newline at end of file
diff --git a/tests/substitute-binary.scm b/tests/substitute-binary.scm
new file mode 100644
index 0000000..457fa56
--- /dev/null
+++ b/tests/substitute-binary.scm
@@ -0,0 +1,189 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2014 Nikita Karetnikov <nikita@karetnikov.org>
+;;; Copyright © 2014 Ludovic Courtès <ludo@gnu.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (test-substitute-binary)
+ #:use-module (guix scripts substitute-binary)
+ #:use-module (guix base64)
+ #:use-module (guix hash)
+ #:use-module (guix nar)
+ #:use-module (guix pk-crypto)
+ #:use-module (guix pki)
+ #:use-module (rnrs bytevectors)
+ #:use-module (srfi srfi-34)
+ #:use-module ((srfi srfi-64) #:hide (test-error)))
+
+;; XXX: Replace with 'test-error' from SRFI-64 as soon as it allow us to catch
+;; specific exceptions.
+(define-syntax-rule (test-error* name exp)
+ (test-assert name
+ (catch 'quit
+ (lambda ()
+ exp
+ #f)
+ (const #t))))
+
+(define %keypair
+ ;; (display (canonical-sexp->string
+ ;; (generate-key "(genkey (rsa (nbits 4:1024)))")))
+ (string->canonical-sexp
+ "(key-data
+ (public-key
+ (rsa
+ (n #00D74A00F16DD109A8E773291856A4EF9EE2C2D975E0BC207EA24245C9CFE39E32D8BA5442A2720A57E3A9D9E55E596A8B19CB2EF844E5E859362593914BD626433C887FB798AE87E1DA95D372DFC81E220B8802B04CEC818D9B6B4E2108817755AEBAC23D2FD2B0AB82A52FD785194F3C2D7B9327212588DB74D464EEE5DC9F5B#)
+ (e #010001#)
+ )
+ )
+ (private-key
+ (rsa
+ (n #00D74A00F16DD109A8E773291856A4EF9EE2C2D975E0BC207EA24245C9CFE39E32D8BA5442A2720A57E3A9D9E55E596A8B19CB2EF844E5E859362593914BD626433C887FB798AE87E1DA95D372DFC81E220B8802B04CEC818D9B6B4E2108817755AEBAC23D2FD2B0AB82A52FD785194F3C2D7B9327212588DB74D464EEE5DC9F5B#)
+ (e #010001#)
+ (d #40E6D963EF143E9241BC10DE7A785C988C89EB1EC33253A5796AFB38FCC804D015500EC8CBCA0F5E318EE9D660DC19E7774E2E89BFD38379297EA87EFBDAC24BA32EE5339215382B2C89F5A817FD9131CA8E8A0A70D58E26E847AD0C447053671A6B2D7746087DE058A02B17701752B8A36EB414435921615AE7CAA8AC48E451#)
+ (p #00EA88C0C19FE83C09285EF49FF88A1159357FD870031C20F15EF5103FBEB10925299BCA197F7143D6792A1BA7044EDA572EC94FA6B00889F9857216CF5B984403#)
+ (q #00EAFE541EE9E0531255A85CADBEF64D5F679766D7209F521ADD131CF4B7DA9DF5414901342A146EE84FAA1E35EE0D0F6CE3F5F25989C0D1E9FA5B678D78C113C9#)
+ (u #59C80FA2C48181F6855691C9D443619BA46C7648056E081697C370D8096E8EF165122D5E55F8FD6A2DCC404FA8BDCDC1FD20B4D76A433F25E8FD6901EC2DBDAD#)
+ )
+ )
+ )"))
+
+(define %public-key
+ (find-sexp-token %keypair 'public-key))
+
+(define %private-key
+ (find-sexp-token %keypair 'private-key))
+
+(define (signature-body str)
+ (base64-encode
+ (string->utf8
+ (canonical-sexp->string
+ (signature-sexp (bytevector->hash-data (sha256 (string->utf8 str)))
+ %private-key
+ %public-key)))))
+
+(define %signature-body
+ (signature-body "secret"))
+
+(define %wrong-public-key
+ (string->canonical-sexp "(public-key
+ (rsa
+ (n #00E05873AC2B168760343145918E954EE9AB73C026355693B192E01EE835261AA689E9EF46642E895BCD65C648524059FC450E4BA77A68F4C52D0E39EF0CC9359709AB6AAB153B63782201871325B0FDA19CB401CD99FD0C31A91CA9000AA90A77E82B89E036FB63BC1D3961207469B3B12468977148D376F8012BB12A4B11A8F1#)
+ (e #010001#)
+ )
+ )"))
+
+(define %wrong-signature
+ (let* ((body (string->canonical-sexp
+ (utf8->string
+ (base64-decode %signature-body))))
+ (data (canonical-sexp->string (find-sexp-token body 'data)))
+ (sig-val (canonical-sexp->string (find-sexp-token body 'sig-val)))
+ (public-key (canonical-sexp->string %wrong-public-key))
+ (body* (base64-encode
+ (string->utf8
+ (string-append "(signature \n" data sig-val
+ public-key " )\n")))))
+ (string-append "1;irrelevant;" body*)))
+
+(define* (signature str #:optional (body %signature-body))
+ (string-append str ";irrelevant;" body))
+
+(define %signature
+ (signature "1" %signature-body))
+
+(define %acl
+ (public-keys->acl (list %public-key)))
+
+(test-begin "substitute-binary")
+
+(test-error* "not a number"
+ (parse-signature (signature "not a number")))
+
+(test-error* "wrong version number"
+ (parse-signature (signature "2")))
+
+(test-assert "valid parse-signature"
+ (canonical-sexp? (parse-signature %signature)))
+
+;;; XXX: Fight boilerplate with a macro.
+;;; XXX: Do we need a better predicate hierarchy for these tests?
+(test-assert "corrupt signature data"
+ (guard (condition
+ ((nar-signature-error? condition) #t)
+ (else #f))
+ (assert-valid-signature "invalid sexp" "irrelevant"
+ (open-input-string "irrelevant")
+ %acl)))
+
+(test-assert "unauthorized public key"
+ (guard (condition
+ ((nar-signature-error? condition) #t)
+ (else #f))
+ (assert-valid-signature (canonical-sexp->string
+ (parse-signature %signature))
+ "irrelevant"
+ (open-input-string "irrelevant")
+ (public-keys->acl '()))))
+
+(test-assert "invalid signature"
+ (guard (condition
+ ((nar-signature-error? condition) #t)
+ (else #f))
+ (assert-valid-signature (canonical-sexp->string
+ (parse-signature %wrong-signature))
+ (sha256 (string->utf8 "secret"))
+ (open-input-string "irrelevant")
+ (public-keys->acl (list %wrong-public-key)))))
+
+(define %narinfo
+ "StorePath: /nix/store/foo
+URL: nar/foo
+Compression: bzip2
+NarHash: sha256:7
+NarSize: 42
+References: bar baz
+Deriver: foo.drv
+System: mips64el-linux\n")
+
+(define (narinfo sig)
+ (format #f "~aSignature: ~a~%" %narinfo sig))
+
+(define %signed-narinfo
+ (narinfo (signature "1" (signature-body %narinfo))))
+
+(test-assert "invalid hash"
+ ;; The hash of '%signature' is computed over the word "secret", not
+ ;; '%narinfo'.
+ (guard (condition
+ ((nar-invalid-hash-error? condition))
+ (else #f))
+ (read-narinfo (open-input-string (narinfo %signature))
+ "https://example.com" %acl)))
+
+(test-assert "valid read-narinfo"
+ (read-narinfo (open-input-string %signed-narinfo)
+ "https://example.com" %acl))
+
+(test-equal "valid write-narinfo"
+ %signed-narinfo
+ (call-with-output-string
+ (lambda (port)
+ (write-narinfo (read-narinfo (open-input-string %signed-narinfo)
+ "https://example.com" %acl)
+ port))))
+
+(test-end "substitute-binary")
[-- Attachment #2: Type: application/pgp-signature, Size: 835 bytes --]
next prev parent reply other threads:[~2014-03-08 22:31 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-26 14:13 ‘guix archive’ doesn’t work over ‘./pre-inst-env’ Nikita Karetnikov
2014-01-26 14:52 ` Ludovic Courtès
2014-01-26 16:09 ` Signed archives (was: ‘guix archive’ doesn’t work over ‘./pre-inst-env’) Nikita Karetnikov
2014-01-26 19:36 ` Signed archives Ludovic Courtès
2014-01-27 15:36 ` Nikita Karetnikov
2014-01-27 15:56 ` Ludovic Courtès
2014-02-03 10:45 ` Nikita Karetnikov
2014-02-04 13:12 ` Ludovic Courtès
2014-02-20 9:54 ` Nikita Karetnikov
2014-02-21 21:17 ` Ludovic Courtès
2014-02-27 20:48 ` Signed archives (preliminary patch) Nikita Karetnikov
2014-02-27 22:43 ` Ludovic Courtès
2014-02-28 9:21 ` Mark H Weaver
2014-02-28 10:37 ` Ludovic Courtès
2014-02-28 18:46 ` Nikita Karetnikov
2014-02-28 21:22 ` Nikita Karetnikov
2014-02-28 22:05 ` Ludovic Courtès
2014-03-03 22:54 ` Nikita Karetnikov
2014-03-04 21:59 ` Ludovic Courtès
2014-03-08 22:38 ` Nikita Karetnikov [this message]
2014-03-08 22:46 ` Nikita Karetnikov
2014-03-09 17:22 ` Ludovic Courtès
2014-03-09 22:35 ` Ludovic Courtès
2014-03-11 9:51 ` Nikita Karetnikov
2014-03-12 11:57 ` Nikita Karetnikov
2014-03-12 14:25 ` Ludovic Courtès
2014-03-12 23:37 ` [PATCH 2/2] guix substitute-binary: Support the Signature field of a narinfo file. (was: Signed archives (preliminary patch)) Nikita Karetnikov
2014-03-13 21:38 ` [PATCH 2/2] guix substitute-binary: Support the Signature field of a narinfo file Ludovic Courtès
2014-03-13 21:55 ` Nikita Karetnikov
2014-03-13 22:53 ` Ludovic Courtès
2014-03-15 12:24 ` Nikita Karetnikov
2014-03-31 21:54 ` Signed archives (preliminary patch) Ludovic Courtès
2014-02-21 22:10 ` Applying the GPG web-of-trust to Guix (was Re: Signed archives) Mark H Weaver
2014-02-21 23:10 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87k3c4joyt.fsf@karetnikov.org \
--to=nikita@karetnikov.org \
--cc=guix-devel@gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).