From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id IbjJBugCWF9LUAAA0tVLHw (envelope-from ) for ; Tue, 08 Sep 2020 22:17:12 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id SNohAugCWF8bYwAA1q6Kng (envelope-from ) for ; Tue, 08 Sep 2020 22:17:12 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 8C7A39402C8 for ; Tue, 8 Sep 2020 22:17:11 +0000 (UTC) Received: from localhost ([::1]:60036 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kFlvK-0005SS-HS for larch@yhetil.org; Tue, 08 Sep 2020 18:17:10 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:43440) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kFlvD-0005Qs-TO for guix-patches@gnu.org; Tue, 08 Sep 2020 18:17:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:45134) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1kFlvD-0004ZR-K0 for guix-patches@gnu.org; Tue, 08 Sep 2020 18:17:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1kFlvD-0002ul-Gg for guix-patches@gnu.org; Tue, 08 Sep 2020 18:17:03 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#43285] [PATCH 3/3] daemon: Simplify interface with 'guix authenticate'. Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Tue, 08 Sep 2020 22:17:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 43285 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 43285@debbugs.gnu.org Cc: Ludovic =?UTF-8?Q?Court=C3=A8s?= Received: via spool by 43285-submit@debbugs.gnu.org id=B43285.159960342211136 (code B ref 43285); Tue, 08 Sep 2020 22:17:03 +0000 Received: (at 43285) by debbugs.gnu.org; 8 Sep 2020 22:17:02 +0000 Received: from localhost ([127.0.0.1]:56678 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kFlvB-0002sx-DD for submit@debbugs.gnu.org; Tue, 08 Sep 2020 18:17:02 -0400 Received: from eggs.gnu.org ([209.51.188.92]:33276) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kFlv6-0002lN-Rp for 43285@debbugs.gnu.org; Tue, 08 Sep 2020 18:16:58 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:50277) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kFlv1-0004Wo-Ls; Tue, 08 Sep 2020 18:16:51 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=54296 helo=gnu.org) by fencepost.gnu.org with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1kFlv0-0008Ez-DX; Tue, 08 Sep 2020 18:16:50 -0400 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Date: Wed, 9 Sep 2020 00:16:35 +0200 Message-Id: <20200908221635.32684-3-ludo@gnu.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200908221635.32684-1-ludo@gnu.org> References: <20200908221635.32684-1-ludo@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-Spam-Score: -3.3 (---) X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Scanner: scn0 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Spam-Score: -0.01 X-TUID: KNixYxs7FBWi There's no reason at this point to mimic the calling convention of the 'openssl' command. * nix/libstore/local-store.cc (LocalStore::exportPath): Add only "sign" and HASH to ARGS. Remove 'tmpDir' and 'hashFile'. (LocalStore::importPath): Add only "verify" and SIGNATURE to ARGS. Remove 'sigFile'. * guix/scripts/authenticate.scm (guix-authenticate): Adjust accordingly; remove the OpenSSL-style clauses. (read-hash-data): Remove. (sign-with-key): Replace 'port' with 'sha256' and adjust accordingly. (validate-signature): Export SIGNATURE to be a canonical sexp. --- guix/scripts/authenticate.scm | 57 +++++++++++------------------------ nix/libstore/local-store.cc | 24 +++------------ 2 files changed, 22 insertions(+), 59 deletions(-) diff --git a/guix/scripts/authenticate.scm b/guix/scripts/authenticate.scm index f1fd8ee895..b5f043e6ac 100644 --- a/guix/scripts/authenticate.scm +++ b/guix/scripts/authenticate.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès +;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2020 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -17,7 +17,6 @@ ;;; along with GNU Guix. If not, see . (define-module (guix scripts authenticate) - #:use-module (guix config) #:use-module (guix base16) #:use-module (gcrypt pk-crypto) #:use-module (guix pki) @@ -39,16 +38,9 @@ ;; Read a gcrypt sexp from a port and return it. (compose string->canonical-sexp read-string)) -(define (read-hash-data port key-type) - "Read sha256 hash data from PORT and return it as a gcrypt sexp. KEY-TYPE -is a symbol representing the type of public key algo being used." - (let* ((hex (read-string port)) - (bv (base16-string->bytevector (string-trim-both hex)))) - (bytevector->hash-data bv #:key-type key-type))) - -(define (sign-with-key key-file port) - "Sign the hash read from PORT with KEY-FILE, and write an sexp that includes -both the hash and the actual signature." +(define (sign-with-key key-file sha256) + "Sign the hash SHA256 (a bytevector) with KEY-FILE, and write an sexp that +includes both the hash and the actual signature." (let* ((secret-key (call-with-input-file key-file read-canonical-sexp)) (public-key (if (string-suffix? ".sec" key-file) (call-with-input-file @@ -58,18 +50,18 @@ both the hash and the actual signature." (leave (G_ "cannot find public key for secret key '~a'~%") key-file))) - (data (read-hash-data port (key-type public-key))) + (data (bytevector->hash-data sha256 + #:key-type (key-type public-key))) (signature (signature-sexp data secret-key public-key))) (display (canonical-sexp->string signature)) #t)) -(define (validate-signature port) - "Read the signature from PORT (which is as produced above), check whether -its public key is authorized, verify the signature, and print the signed data -to stdout upon success." - (let* ((signature (read-canonical-sexp port)) - (subject (signature-subject signature)) - (data (signature-signed-data signature))) +(define (validate-signature signature) + "Validate SIGNATURE, a canonical sexp. Check whether its public key is +authorized, verify the signature, and print the signed data to stdout upon +success." + (let* ((subject (signature-subject signature)) + (data (signature-signed-data signature))) (if (and data subject) (if (authorized-key? subject) (if (valid-signature? signature) @@ -85,9 +77,7 @@ to stdout upon success." ;;; -;;; Entry point with 'openssl'-compatible interface. We support this -;;; interface because that's what the daemon expects, and we want to leave it -;;; unmodified currently. +;;; Entry point. ;;; (define (guix-authenticate . args) @@ -101,22 +91,11 @@ to stdout upon success." (with-fluids ((%default-port-encoding "ISO-8859-1") (%default-port-conversion-strategy 'error)) (match args - ;; As invoked by guix-daemon. - (("rsautl" "-sign" "-inkey" key "-in" hash-file) - (call-with-input-file hash-file - (lambda (port) - (sign-with-key key port)))) - ;; As invoked by Nix/Crypto.pm (used by Hydra.) - (("rsautl" "-sign" "-inkey" key) - (sign-with-key key (current-input-port))) - ;; As invoked by guix-daemon. - (("rsautl" "-verify" "-inkey" _ "-pubin" "-in" signature-file) - (call-with-input-file signature-file - (lambda (port) - (validate-signature port)))) - ;; As invoked by Nix/Crypto.pm (used by Hydra.) - (("rsautl" "-verify" "-inkey" _ "-pubin") - (validate-signature (current-input-port))) + (("sign" key-file hash) + (sign-with-key key-file (base16-string->bytevector hash))) + (("verify" signature) + (validate-signature (string->canonical-sexp signature))) + (("--help") (display (G_ "Usage: guix authenticate OPTION... Sign or verify the signature on the given file. This tool is meant to diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc index 7a520925e5..0534f2a3fc 100644 --- a/nix/libstore/local-store.cc +++ b/nix/libstore/local-store.cc @@ -1277,21 +1277,13 @@ void LocalStore::exportPath(const Path & path, bool sign, writeInt(1, hashAndWriteSink); - Path tmpDir = createTempDir(); - AutoDelete delTmp(tmpDir); - Path hashFile = tmpDir + "/hash"; - writeFile(hashFile, printHash(hash)); - Path secretKey = settings.nixConfDir + "/signing-key.sec"; checkSecrecy(secretKey); Strings args; - args.push_back("rsautl"); - args.push_back("-sign"); - args.push_back("-inkey"); + args.push_back("sign"); args.push_back(secretKey); - args.push_back("-in"); - args.push_back(hashFile); + args.push_back(printHash(hash)); string signature = runAuthenticationProgram(args); @@ -1372,17 +1364,9 @@ Path LocalStore::importPath(bool requireSignature, Source & source) string signature = readString(hashAndReadSource); if (requireSignature) { - Path sigFile = tmpDir + "/sig"; - writeFile(sigFile, signature); - Strings args; - args.push_back("rsautl"); - args.push_back("-verify"); - args.push_back("-inkey"); - args.push_back(settings.nixConfDir + "/signing-key.pub"); - args.push_back("-pubin"); - args.push_back("-in"); - args.push_back(sigFile); + args.push_back("verify"); + args.push_back(signature); string hash2 = runAuthenticationProgram(args); /* Note: runProgram() throws an exception if the signature -- 2.28.0