pk-crypto: Use RFC6979 when signing with an ECC or DSA key.

* guix/pk-crypto.scm (bytevector->hash-data): Add #:key-type parameter.
  Use the 'pkcs1' flag when KEY-TYPE is 'rsa', and 'rfc6979' when
  KEY-TYPE is 'ecc' or 'dsa'.
  (key-type): New procedure.
* guix/scripts/authenticate.scm (read-hash-data): Add 'key-type'
  parameter.  Pass it to 'bytevector->hash-data'.  Adjust caller
  accordingly.
* tests/pk-crypto.scm (%ecc-key-pair): New variable.
  ("key-type"): New test.
  ("sign + verify"): Pass #:key-type to 'bytevector->hash-data'.
  ("sign + verify, Ed25519"): New test.

1 files changed, 5 insertions, 4 deletions

diff --git a/guix/scripts/authenticate.scm b/guix/scripts/authenticate.scm
index 27580dedff..927dbe8afc 100644
--- a/guix/scripts/authenticate.scm
+++ b/guix/scripts/authenticate.scm
@@ -39,11 +39,12 @@
   (call-with-input-file file
     (compose string->canonical-sexp get-string-all)))
 
-(define (read-hash-data file)
-  "Read sha256 hash data from FILE and return it as a gcrypt sexp."
+(define (read-hash-data file key-type)
+  "Read sha256 hash data from FILE and return it as a gcrypt sexp.  KEY-TYPE
+is a symbol representing the type of public key algo being used."
   (let* ((hex (call-with-input-file file get-string-all))
          (bv  (base16-string->bytevector (string-trim-both hex))))
-    (bytevector->hash-data bv)))
+    (bytevector->hash-data bv #:key-type key-type)))
 
 
 ;;;
@@ -64,7 +65,7 @@
                             (leave
                              (_ "cannot find public key for secret key '~a'~%")
                              key)))
-            (data       (read-hash-data hash-file))
+            (data       (read-hash-data hash-file (key-type public-key)))
             (signature  (signature-sexp data secret-key public-key)))
        (display (canonical-sexp->string signature))
        #t))