[bug#43340] [PATCH 2/5] daemon: Isolate signing and signature verification functions.

all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed

From: "Ludovic Courtès" <ludo@gnu.org>
To: 43340@debbugs.gnu.org
Cc: "Ludovic Courtès" <ludo@gnu.org>
Subject: [bug#43340] [PATCH 2/5] daemon: Isolate signing and signature verification functions.
Date: Fri, 11 Sep 2020 16:51:51 +0200	[thread overview]
Message-ID: <20200911145154.15057-2-ludo@gnu.org> (raw)
In-Reply-To: <20200911145154.15057-1-ludo@gnu.org>

* nix/libstore/local-store.cc (signHash, verifySignature): New
functions.
(LocalStore::exportPath): Use 'signHash' instead of inline code.
(LocalStore::importPath): Use 'verifySignature' instead of inline code.
---
 nix/libstore/local-store.cc | 43 ++++++++++++++++++++++++++-----------
 1 file changed, 30 insertions(+), 13 deletions(-)

diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc
index e6badd3721..cbbd8e901d 100644
--- a/nix/libstore/local-store.cc
+++ b/nix/libstore/local-store.cc
@@ -1238,6 +1238,34 @@ static std::string runAuthenticationProgram(const Strings & args)
     return runProgram(settings.guixProgram, false, fullArgs);
 }
 
+/* Sign HASH with the key stored in file SECRETKEY.  Return the signature as a
+   string, or raise an exception upon error.  */
+static std::string signHash(const string &secretKey, const Hash &hash)
+{
+    Strings args;
+    args.push_back("sign");
+    args.push_back(secretKey);
+    args.push_back(printHash(hash));
+
+    return runAuthenticationProgram(args);
+}
+
+/* Verify SIGNATURE and return the base16-encoded hash over which it was
+   computed.  */
+static std::string verifySignature(const string &signature)
+{
+    Path tmpDir = createTempDir("", "guix", true, true, 0700);
+    AutoDelete delTmp(tmpDir);
+
+    Path sigFile = tmpDir + "/sig";
+    writeFile(sigFile, signature);
+
+    Strings args;
+    args.push_back("verify");
+    args.push_back(sigFile);
+    return runAuthenticationProgram(args);
+}
+
 void LocalStore::exportPath(const Path & path, bool sign,
     Sink & sink)
 {
@@ -1280,12 +1308,7 @@ void LocalStore::exportPath(const Path & path, bool sign,
         Path secretKey = settings.nixConfDir + "/signing-key.sec";
         checkSecrecy(secretKey);
 
-        Strings args;
-        args.push_back("sign");
-        args.push_back(secretKey);
-        args.push_back(printHash(hash));
-
-        string signature = runAuthenticationProgram(args);
+	string signature = signHash(secretKey, hash);
 
         writeString(signature, hashAndWriteSink);
 
@@ -1364,13 +1387,7 @@ Path LocalStore::importPath(bool requireSignature, Source & source)
         string signature = readString(hashAndReadSource);
 
         if (requireSignature) {
-            Path sigFile = tmpDir + "/sig";
-            writeFile(sigFile, signature);
-
-            Strings args;
-            args.push_back("verify");
-            args.push_back(sigFile);
-            string hash2 = runAuthenticationProgram(args);
+	    string hash2 = verifySignature(signature);
 
             /* Note: runProgram() throws an exception if the signature
                is invalid. */
-- 
2.28.0

next prev parent reply	other threads:[~2020-09-11 14:53 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-09-11 14:40 [bug#43340] [PATCH 0/5] Speed up archive export/import Ludovic Courtès
2020-09-11 14:51 ` [bug#43340] [PATCH 1/5] daemon: Generalize 'HookInstance' to 'Agent' Ludovic Courtès
2020-09-11 14:51   ` Ludovic Courtès [this message]
2020-09-11 14:51   ` [bug#43340] [PATCH 3/5] daemon: Move 'Agent' to libutil Ludovic Courtès
2020-09-12  7:21     ` Mathieu Othacehe
2020-09-11 14:51   ` [bug#43340] [PATCH 4/5] daemon: Spawn 'guix authenticate' once for all Ludovic Courtès
2020-09-12  7:20     ` Mathieu Othacehe
2020-09-11 14:51   ` [bug#43340] [PATCH 5/5] authenticate: Cache the ACL and key pairs Ludovic Courtès
2020-09-11 15:01 ` [bug#43340] [PATCH 0/5] Speed up archive export/import Ludovic Courtès
2020-09-12  7:12   ` Mathieu Othacehe
2020-09-13 13:07     ` Ludovic Courtès
2020-09-14 13:47     ` bug#43340: " Ludovic Courtès

find likely ancestor, descendant, or conflicting patches for this message:
dfblob:e6badd372 dfblob:cbbd8e901
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200911145154.15057-2-ludo@gnu.org \
    --to=ludo@gnu.org \
    --cc=43340@debbugs.gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.