diff options
author | Ludovic Courtès <ludo@gnu.org> | 2014-03-31 23:47:02 +0200 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2014-03-31 23:47:02 +0200 |
commit | e4687a5e68fce458685dd33bfa240758c816b3a2 (patch) | |
tree | a104d2d3cdbf73f9bc740e21b442cfedcd99d5f3 /guix/scripts | |
parent | 81deef270ded7dabcc623d9522ae593ed02160af (diff) | |
download | gnu-guix-e4687a5e68fce458685dd33bfa240758c816b3a2.tar gnu-guix-e4687a5e68fce458685dd33bfa240758c816b3a2.tar.gz |
Use 'signature-case' in (guix nar) and 'substitute-binary'.
* guix/nar.scm (restore-file-set)[assert-valid-signature]: Rewrite in
terms of 'signature-case'.
* guix/scripts/substitute-binary.scm (narinfo-signature->canonical-sexp):
Call 'leave' instead of 'raise' when SIGNATURE is invalid.
(&nar-signature-error, &nar-invalid-hash-error): Remove.
(assert-valid-signature): Add 'narinfo' parameter; remove 'port'.
Rewrite in terms of 'signature-case' and 'leave'. Mention NARINFO's
URI in error messages. Adjust caller.
(narinfo-sha256): New procedure.
(assert-valid-narinfo): Use it.
(valid-narinfo?): Rewrite using 'narinfo-sha256' and
'signature-case'.
* tests/substitute-binary.scm (assert-valid-signature,
test-error-condition): Remove.
("corrupt signature data", "unauthorized public key", "invalid
signature"): Remove.
Diffstat (limited to 'guix/scripts')
-rwxr-xr-x | guix/scripts/substitute-binary.scm | 98 |
1 files changed, 41 insertions, 57 deletions
diff --git a/guix/scripts/substitute-binary.scm b/guix/scripts/substitute-binary.scm index 7b8555ba36..8e08bf1172 100755 --- a/guix/scripts/substitute-binary.scm +++ b/guix/scripts/substitute-binary.scm @@ -252,14 +252,10 @@ failure." (catch 'gcry-error (lambda () (string->canonical-sexp signature)) - (lambda (err . _) - (raise (condition - (&message - (message "signature is not a valid \ -s-expression")) - (&nar-signature-error - (file #f) - (signature signature) (port #f))))))))))) + (lambda (err . rest) + (leave (_ "signature is not a valid \ +s-expression: ~s~%") + signature)))))))) (x (leave (_ "invalid format of the signature field: ~a~%") x)))) @@ -288,43 +284,21 @@ must contain the original contents of a narinfo file." (and=> signature narinfo-signature->canonical-sexp)) str))) -(define &nar-signature-error (@@ (guix nar) &nar-signature-error)) -(define &nar-invalid-hash-error (@@ (guix nar) &nar-invalid-hash-error)) - -;;; XXX: The following function is nearly an exact copy of the one from -;;; 'guix/nar.scm'. Factorize as soon as we know how to make the latter -;;; public (see <https://lists.gnu.org/archive/html/guix-devel/2014-03/msg00097.html>). -;;; Keep this one private to avoid confusion. -(define* (assert-valid-signature signature hash port +(define* (assert-valid-signature narinfo signature hash #:optional (acl (current-acl))) - "Bail out if SIGNATURE, a canonical sexp, doesn't match HASH, a bytevector -containing the expected hash for FILE." - (let* (;; XXX: This is just to keep the errors happy; get a sensible - ;; file name. - (file #f) - (subject (signature-subject signature)) - (data (signature-signed-data signature))) - (if (and data subject) - (if (authorized-key? subject acl) - (if (equal? (hash-data->bytevector data) hash) - (unless (valid-signature? signature) - (raise (condition - (&message (message "invalid signature")) - (&nar-signature-error - (file file) (signature signature) (port port))))) - (raise (condition (&message (message "invalid hash")) - (&nar-invalid-hash-error - (port port) (file file) - (signature signature) - (expected (hash-data->bytevector data)) - (actual hash))))) - (raise (condition (&message (message "unauthorized public key")) - (&nar-signature-error - (signature signature) (file file) (port port))))) - (raise (condition - (&message (message "corrupt signature data")) - (&nar-signature-error - (signature signature) (file file) (port port))))))) + "Bail out if SIGNATURE, a canonical sexp representing the signature of +NARINFO, doesn't match HASH, a bytevector containing the hash of NARINFO." + (let ((uri (uri->string (narinfo-uri narinfo)))) + (signature-case (signature hash acl) + (valid-signature #t) + (invalid-signature + (leave (_ "invalid signature for '~a'~%") uri)) + (hash-mismatch + (leave (_ "hash mismatch for '~a'~%") uri)) + (unauthorized-key + (leave (_ "'~a' is signed with an unauthorized key~%") uri)) + (corrupt-signature + (leave (_ "signature on '~a' is corrupt~%") uri))))) (define* (read-narinfo port #:optional url) "Read a narinfo from PORT. If URL is true, it must be a string used to @@ -343,22 +317,29 @@ No authentication and authorization checks are performed here!" ;; Regexp matching a signature line in a narinfo. (make-regexp "(.+)^[[:blank:]]*Signature:[[:blank:]].+$")) +(define (narinfo-sha256 narinfo) + "Return the sha256 hash of NARINFO as a bytevector, or #f if NARINFO lacks a +'Signature' field." + (let ((contents (narinfo-contents narinfo))) + (match (regexp-exec %signature-line-rx contents) + (#f #f) + ((= (cut match:substring <> 1) above-signature) + (sha256 (string->utf8 above-signature)))))) + (define* (assert-valid-narinfo narinfo #:optional (acl (current-acl)) #:key (verbose? #t)) "Raise an exception if NARINFO lacks a signature, has an invalid signature, or is signed by an unauthorized key." - (let* ((contents (narinfo-contents narinfo)) - (res (regexp-exec %signature-line-rx contents))) - (if (not res) + (let ((hash (narinfo-sha256 narinfo))) + (if (not hash) (if %allow-unauthenticated-substitutes? narinfo - (leave (_ "narinfo lacks a signature: ~s~%") - contents)) - (let ((hash (sha256 (string->utf8 (match:substring res 1)))) - (signature (narinfo-signature narinfo))) + (leave (_ "narinfo for '~a' lacks a signature~%") + (uri->string (narinfo-uri narinfo)))) + (let ((signature (narinfo-signature narinfo))) (unless %allow-unauthenticated-substitutes? - (assert-valid-signature signature hash #f acl) + (assert-valid-signature narinfo signature hash acl) (when verbose? (format (current-error-port) "found valid signature for '~a', from '~a'~%" @@ -366,12 +347,15 @@ or is signed by an unauthorized key." (uri->string (narinfo-uri narinfo))))) narinfo)))) -(define (valid-narinfo? narinfo) +(define* (valid-narinfo? narinfo #:optional (acl (current-acl))) "Return #t if NARINFO's signature is not valid." - (false-if-exception - (begin - (assert-valid-narinfo narinfo #:verbose? #f) - #t))) + (or %allow-unauthenticated-substitutes? + (let ((hash (narinfo-sha256 narinfo)) + (signature (narinfo-signature narinfo))) + (and hash signature + (signature-case (signature hash acl) + (valid-signature #t) + (else #f)))))) (define (write-narinfo narinfo port) "Write NARINFO to PORT." |