From f0181adff3d2a494944f86a9ec248d4763498045 Mon Sep 17 00:00:00 2001
From: Denis Pynkin
Date: Mon, 7 Oct 2019 23:37:08 +0300
Subject: [PATCH] lib/sign: allow to add keys as base64 string for ed25519

Allow to add public and secret key for ed25519 module as based64 string. This allows to use common API for pulling and builtins without knowledge of used signature algorithm.

Signed-off-by: Denis Pynkin
---
 src/libostree/ostree-repo-pull.c | 32 +++-----------------
 src/libostree/ostree-sign-ed25519.c | 47 +++++++++++++++++++++++++++--
 src/ostree/ot-builtin-commit.c | 12 +-------
 src/ostree/ot-builtin-sign.c | 45 ++++-----------------------
 4 files changed, 56 insertions(+), 80 deletions(-)

diff --git a/src/libostree/ostree-repo-pull.c b/src/libostree/ostree-repo-pull.c
index 1a4e64da..f3f13ed3 100644
--- a/src/libostree/ostree-repo-pull.c
+++ b/src/libostree/ostree-repo-pull.c
@@ -1567,20 +1567,7 @@ ostree_verify_unwritten_commit (OtPullData *pull_data,
 &pk_ascii, NULL);
 if (pk_ascii != NULL)
 {
- g_autoptr (GVariant) pk = NULL;
-
- if (!g_strcmp0(ostree_sign_get_name(sign), "dummy"))
- {
- // Just use the string as signature
- pk = g_variant_new_string(pk_ascii);
- }
- else if (!g_strcmp0(ostree_sign_get_name(sign), "ed25519"))
- {
- gsize key_len = 0;
- g_autofree guchar *key = g_base64_decode (pk_ascii, &key_len);
- pk = g_variant_new_fixed_array (G_VARIANT_TYPE_BYTE, key, key_len, sizeof(guchar));
- }
-
+ g_autoptr (GVariant) pk = g_variant_new_string(pk_ascii);
 if (!ostree_sign_set_pk (sign, pk, &local_error))
 continue;
 }
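Review bot: The two pull-side call sites are now written differently for the same operation: this hunk folds the declaration and the g_variant_new_string call into one line, while the scan_commit_object hunk keeps `pk = NULL;` followed by the assignment under the retained comment `// Just use the string as signature`, which is inaccurate — the string is a public key, and for ed25519 the backend decodes it as base64. Suggest the same one-liner there and a comment that states the reason the per-backend dispatch is gone, e.g. `// The backend interprets the key string itself (base64 for ed25519)`. In both places a key the backend rejects is dropped by the `continue` with nothing in the hunk reporting `local_error`; since parsing of the string now happens inside ostree_sign_set_pk, a g_debug of `local_error->message` before the `continue` would let a malformed key in the configuration be diagnosed instead of silently leaving that key out of verification. The enclosing functions start and end outside the hunks.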
@@ -1976,18 +1963,8 @@ scan_commit_object (OtPullData *pull_data,
 {
 g_autoptr (GVariant) pk = NULL;
 
- if (!g_strcmp0(ostree_sign_get_name(sign), "dummy"))
- {
- // Just use the string as signature
- pk = g_variant_new_string(pk_ascii);
- }
- else if (!g_strcmp0(ostree_sign_get_name(sign), "ed25519"))
- {
- gsize key_len = 0;
- g_autofree guchar *key = g_base64_decode (pk_ascii, &key_len);
- pk = g_variant_new_fixed_array (G_VARIANT_TYPE_BYTE, key, key_len, sizeof(guchar));
- }
-
+ // Just use the string as signature
+ pk = g_variant_new_string(pk_ascii);
 if (!ostree_sign_set_pk (sign, pk, &local_error))
 continue;
 }
@@ -4853,11 +4830,10 @@ ostree_repo_pull_with_options (OstreeRepo *self,
 else
 gpg_verify_state = (pull_data->gpg_verify ? "commit" : "disabled");
 
- g_string_append_printf (msg, "\nsecurity: GPG: %s ", gpg_verify_state);
 #else
 gpg_verify_state = "disabled";
- g_string_append_printf (msg, "\nsecurity: %s ", gpg_verify_state);
 #endif /* OSTREE_DISABLE_GPGME */
+ g_string_append_printf (msg, "\nsecurity: GPG: %s ", gpg_verify_state);
 
 const char *sign_verify_state;
 sign_verify_state = (pull_data->sign_verify ? "commit" : "disabled");
diff --git a/src/libostree/ostree-sign-ed25519.c b/src/libostree/ostree-sign-ed25519.c
index 2bf10cf1..f90a310c 100644
--- a/src/libostree/ostree-sign-ed25519.c
+++ b/src/libostree/ostree-sign-ed25519.c
@@ -253,6 +253,10 @@ const gchar * ostree_sign_ed25519_metadata_format (OstreeSign *self)
 return OSTREE_SIGN_METADATA_ED25519_TYPE;
 }
 
+/* Support 2 representations:
+ * base64 ascii -- secret key is passed as string
+ * raw key -- key is passed as bytes array
+ * */
 gboolean ostree_sign_ed25519_set_sk (OstreeSign *self,
 GVariant *secret_key,
 GError **error)
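Review bot: Moving the g_string_append_printf below the `#endif` changes the text printed by the `#else` branch (apparently the OSTREE_DISABLE_GPGME build) from `security: disabled` to `security: GPG: disabled`, and neither the commit message nor the hunk says why; the commit is otherwise about key encoding. If unifying the two messages is intended, state it in the description or split it into its own commit so the log-format change can be reviewed and bisected on its own.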
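Review bot: The header comment added above ostree_sign_ed25519_set_sk — and the two identical ones added above set_pk and add_pk further down this file — lists the two representations but not how they are distinguished or what happens otherwise, and ends in a stray `* */`. The body that follows selects on the GVariant type and rejects anything else, so the comment can say so: `/* Accepts a G_VARIANT_TYPE_STRING holding the base64-encoded key or a G_VARIANT_TYPE_BYTESTRING holding the raw bytes; any other type fails with G_IO_ERROR_FAILED, and the decoded length must be exactly crypto_sign_SECRETKEYBYTES (PUBLICKEYBYTES for the public-key variants). */`. It is also worth recording that g_base64_decode does not report malformed input, so a corrupt string is only caught by that length check; the rest of each function lies outside these hunks.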
@@ -266,7 +270,23 @@ gboolean ostree_sign_ed25519_set_sk (OstreeSign *self,
 g_free (sign->secret_key);
 
 gsize n_elements = 0;
- sign->secret_key = (guchar *) g_variant_get_fixed_array (secret_key, &n_elements, sizeof(guchar));
+
+ if (g_variant_is_of_type (secret_key, G_VARIANT_TYPE_STRING))
+ {
+ const gchar *sk_ascii = g_variant_get_string (secret_key, NULL);
+ sign->secret_key = g_base64_decode (sk_ascii, &n_elements);
+ }
+ else if (g_variant_is_of_type (secret_key, G_VARIANT_TYPE_BYTESTRING))
+ {
+ sign->secret_key = (guchar *) g_variant_get_fixed_array (secret_key, &n_elements, sizeof(guchar));
+ }
+ else
+ {
+ g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+ "Unknown ed25519 secret key type");
+ goto err;
+ }
+
 
 if (n_elements != crypto_sign_SECRETKEYBYTES)
 {
@@ -282,6 +302,10 @@ err:
 return FALSE;
 }
 
+/* Support 2 representations:
+ * base64 ascii -- public key is passed as string
+ * raw key -- key is passed as bytes array
+ * */
 gboolean ostree_sign_ed25519_set_pk (OstreeSign *self,
 GVariant *public_key,
 GError **error)
@@ -301,6 +325,10 @@ gboolean ostree_sign_ed25519_set_pk (OstreeSign *self,
 return ostree_sign_ed25519_add_pk (self, public_key, error);
 }
 
+/* Support 2 representations:
+ * base64 ascii -- public key is passed as string
+ * raw key -- key is passed as bytes array
+ * */
 gboolean ostree_sign_ed25519_add_pk (OstreeSign *self,
 GVariant *public_key,
 GError **error)
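Review bot: The new `else` branch jumps to `err` after the `g_free (sign->secret_key)` at the top of the hunk has already run and before anything is assigned, so `sign->secret_key` is left pointing at freed memory; whether the finalizer or a later set_sk call frees it again is outside the hunk, but a `sign->secret_key = NULL;` right after the g_free removes the dangling pointer on every path. The second problem is ownership: the string branch stores the heap buffer from g_base64_decode, which that g_free legitimately releases, while the bytestring branch keeps the pre-existing alias into the caller's GVariant, for which the same g_free is an invalid free — now that one branch owns a heap copy, both should, by decoding or borrowing into a local, checking the length, and copying exactly crypto_sign_SECRETKEYBYTES. The base64 buffer holds secret material, so it should be cleared with sodium_memzero before it is released, including on the length-mismatch path; the hunk does not show whether that path frees it at all. The length check and the `err:` label continue outside the hunk.
```c
  g_free (sign->secret_key);
  sign->secret_key = NULL;   /* never leave a freed pointer behind on the error paths below */

  gsize n_elements = 0;
  g_autofree guchar *decoded = NULL;   /* heap buffer, only in the base64 branch */
  const guchar *raw = NULL;            /* points at decoded or at the variant's bytes */

  if (g_variant_is_of_type (secret_key, G_VARIANT_TYPE_STRING))
    {
      const gchar *sk_ascii = g_variant_get_string (secret_key, NULL);
      decoded = g_base64_decode (sk_ascii, &n_elements);
      raw = decoded;
    }
  else if (g_variant_is_of_type (secret_key, G_VARIANT_TYPE_BYTESTRING))
    {
      raw = g_variant_get_fixed_array (secret_key, &n_elements, sizeof(guchar));
    }
  else
    {
      g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_FAILED,
                           "Unknown ed25519 secret key type");
      goto err;
    }

  /* Own a private copy on both paths so the g_free () above is valid for every
   * caller; a wrongly sized key leaves sign->secret_key NULL for the check below. */
  if (n_elements == crypto_sign_SECRETKEYBYTES)
    sign->secret_key = g_memdup (raw, crypto_sign_SECRETKEYBYTES);
  if (decoded != NULL)
    sodium_memzero (decoded, n_elements);   /* secret material; g_autofree releases the buffer */

  if (n_elements != crypto_sign_SECRETKEYBYTES)
```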
@@ -314,7 +342,22 @@ gboolean ostree_sign_ed25519_add_pk (OstreeSign *self,
 
 gpointer key = NULL;
 gsize n_elements = 0;
- key = (gpointer) g_variant_get_fixed_array (public_key, &n_elements, sizeof(guchar));
+
+ if (g_variant_is_of_type (public_key, G_VARIANT_TYPE_STRING))
+ {
+ const gchar *pk_ascii = g_variant_get_string (public_key, NULL);
+ key = g_base64_decode (pk_ascii, &n_elements);
+ }
+ else if (g_variant_is_of_type (public_key, G_VARIANT_TYPE_BYTESTRING))
+ {
+ key = (gpointer) g_variant_get_fixed_array (public_key, &n_elements, sizeof(guchar));
+ }
+ else
+ {
+ g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+ "Unknown ed25519 public key type");
+ goto err;
+ }
 
 hex = g_malloc0 (crypto_sign_PUBLICKEYBYTES*2 + 1);
 g_debug ("Read ed25519 public key = %s", sodium_bin2hex (hex, crypto_sign_PUBLICKEYBYTES*2+1, key, n_elements));
diff --git a/src/ostree/ot-builtin-commit.c b/src/ostree/ot-builtin-commit.c
index 7d412639..606af2be 100644
--- a/src/ostree/ot-builtin-commit.c
+++ b/src/ostree/ot-builtin-commit.c
@@ -855,17 +855,7 @@ ostree_builtin_commit (int argc, char **argv, OstreeCommandInvocation *invocatio
 const char *keyid = *iter;
 g_autoptr (GVariant) secret_key = NULL;
 
- if (!g_strcmp0(ostree_sign_get_name (sign), "dummy"))
- {
- secret_key = g_variant_new_string (keyid);
- }
- else if (!g_strcmp0 (ostree_sign_get_name (sign), "ed25519"))
- {
- gsize key_len = 0;
- g_autofree guchar *key = g_base64_decode (keyid, &key_len);
-
- secret_key = g_variant_new_fixed_array (G_VARIANT_TYPE_BYTE, key, key_len, sizeof(guchar));
- }
+ secret_key = g_variant_new_string (keyid);
 
 if (!ostree_sign_set_sk (sign, secret_key, error))
 goto out;
diff --git a/src/ostree/ot-builtin-sign.c b/src/ostree/ot-builtin-sign.c
index b1c9a73b..f673631d 100644
--- a/src/ostree/ot-builtin-sign.c
+++ b/src/ostree/ot-builtin-sign.c
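Review bot: The g_debug line at the end of the hunk hands the still-unvalidated `n_elements` to sodium_bin2hex together with a buffer sized for crypto_sign_PUBLICKEYBYTES; libsodium treats an output buffer too small for bin_len as API misuse (sodium_misuse(), which aborts by default), so a base64 string that decodes to more than the expected 32 bytes crashes the process instead of producing an error — the length check that presumably follows later in add_pk comes too late (confirm its position; it is outside the hunk). Checking the length before `hex = g_malloc0 (...)` closes that. Separately, `key` is a heap buffer from g_base64_decode in the string branch but a borrowed pointer in the bytestring branch, and nothing in the hunk frees the former; holding the decoded bytes in a `g_autofree` local and having the remainder of add_pk copy the validated 32 bytes into whatever it stores (not visible here — if it keeps `key` itself, copy rather than autofree) gives one ownership rule for both inputs, matching the secret-key path.
```c
  gpointer key = NULL;
  gsize n_elements = 0;
  g_autofree guchar *decoded = NULL;   /* heap buffer, only when the key arrives as base64 */

  if (g_variant_is_of_type (public_key, G_VARIANT_TYPE_STRING))
    {
      const gchar *pk_ascii = g_variant_get_string (public_key, NULL);
      decoded = g_base64_decode (pk_ascii, &n_elements);
      key = decoded;
    }
  /* … unchanged: bytestring branch and the unknown-type error … */

  /* Validate the length before it is used to size or fill any buffer. */
  if (n_elements != crypto_sign_PUBLICKEYBYTES)
    {
      g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_FAILED,
                           "Incorrect ed25519 public key length");
      goto err;
    }

  hex = g_malloc0 (crypto_sign_PUBLICKEYBYTES*2 + 1);
  g_debug ("Read ed25519 public key = %s", sodium_bin2hex (hex, crypto_sign_PUBLICKEYBYTES*2+1, key, n_elements));
```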
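Review bot: `secret_key = g_variant_new_string (keyid);` passes argv text to GLib unchecked; g_variant_new_string rejects input that is not valid UTF-8 with a g_return_val_if_fail and returns NULL, so a garbled key argument would produce a GLib critical and then reach ostree_sign_set_sk as a NULL variant, surfacing (as far as the ed25519 backend in this patch shows) as the generic "Unknown ed25519 secret key type" error rather than a message about the argument. The three g_variant_new_string calls added in ot-builtin-sign.c (two from argv, one from the key file line) have the same exposure. A `g_utf8_validate (keyid, -1, NULL)` guard that sets G_IO_ERROR_INVALID_ARGUMENT before building the variant keeps the failure on the normal error path; the enclosing loop starts and ends outside the hunk.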
@@ -72,11 +72,6 @@ ostree_builtin_sign (int argc, char **argv, OstreeCommandInvocation *invocation,
 char **key_ids;
 int n_key_ids, ii;
 gboolean ret = FALSE;
-#if defined(HAVE_LIBSODIUM)
- g_autoptr (GVariant) ed25519_sk = NULL;
- g_autoptr (GVariant) ed25519_pk = NULL;
-#endif
-
 
 context = g_option_context_new ("COMMIT KEY-ID...");
 
@@ -119,25 +114,14 @@ ostree_builtin_sign (int argc, char **argv, OstreeCommandInvocation *invocation,
 {
 g_autoptr (GVariant) sk = NULL;
 g_autoptr (GVariant) pk = NULL;
- g_autofree guchar *key = NULL;
 
- if (!g_strcmp0(ostree_sign_get_name(sign), "dummy"))
- {
- // Just use the string as signature
- sk = g_variant_new_string(key_ids[ii]);
- pk = g_variant_new_string(key_ids[ii]);
- }
 
 if (opt_verify)
 {
 g_autoptr (GError) local_error = NULL;
 
- if (!g_strcmp0(ostree_sign_get_name(sign), "ed25519"))
- {
- gsize key_len = 0;
- g_autofree guchar *key = g_base64_decode (key_ids[ii], &key_len);
- pk = g_variant_new_fixed_array (G_VARIANT_TYPE_BYTE, key, key_len, sizeof(guchar));
- }
+ // Pass the key as a string
+ pk = g_variant_new_string(key_ids[ii]);
 
 if (!ostree_sign_set_pk (sign, pk, &local_error))
 continue;
@@ -151,13 +135,8 @@ ostree_builtin_sign (int argc, char **argv, OstreeCommandInvocation *invocation,
 }
 else
 {
- if (!g_strcmp0(ostree_sign_get_name(sign), "ed25519"))
- {
- gsize key_len = 0;
- g_autofree guchar *key = g_base64_decode (key_ids[ii], &key_len);
- sk = g_variant_new_fixed_array (G_VARIANT_TYPE_BYTE, key, key_len, sizeof(guchar));
- }
-
+ // Pass the key as a string
+ sk = g_variant_new_string(key_ids[ii]);
 if (!ostree_sign_set_sk (sign, sk, error))
 {
 ret = FALSE;
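Review bot: The comment `// Pass the key as a string` added in the verify branch here, and repeated verbatim in the next hunk and in the key-file loop at the end of this file, restates the call beneath it instead of the reason the per-backend dispatch on ostree_sign_get_name was removed; `// The backend interprets the string itself (base64 for ed25519)` would tell a reader why no decoding happens at this level. In this hunk a key that ostree_sign_set_pk rejects is skipped by the `continue` with `local_error` discarded unread, so a mistyped public key makes verification fail later with no indication which key was dropped; a g_printerr of `local_error->message` before the `continue` would surface it. The enclosing loop starts and ends outside the hunk.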
@@ -238,20 +217,8 @@ ostree_builtin_sign (int argc, char **argv, OstreeCommandInvocation *invocation,
 break;
 
 
- if (!g_strcmp0(ostree_sign_get_name(sign), "dummy"))
- {
- // Just use the string as signature
- sk = g_variant_new_string(line);
- }
-
-
- if (!g_strcmp0(ostree_sign_get_name(sign), "ed25519"))
- {
- gsize key_len = 0;
- g_autofree guchar *key = g_base64_decode (line, &key_len);
- sk = g_variant_new_fixed_array (G_VARIANT_TYPE_BYTE, key, key_len, sizeof(guchar));
- }
-
+ // Pass the key as a string
+ sk = g_variant_new_string(line);
 if (!ostree_sign_set_sk (sign, sk, error))
 {
 ret = FALSE;