pki: Factorize signature manipulation procedures.

* guix/pki.scm (signature-subject, signature-signed-data,
  valid-signature?): New procedures.
* guix/scripts/authenticate.scm (guix-authenticate): Adjust to use
  them.
Ludovic Courtès 2014-01-23 22:23:22 +01:00
parent 2cd5c0380e
commit d28684b5a5
2 changed files with 33 additions and 14 deletions


@ -29,8 +29,12 @@
current-acl current-acl
public-keys->acl public-keys->acl
acl->public-keys acl->public-keys
authorized-key?
signature-sexp signature-sexp
authorized-key?)) signature-subject
signature-signed-data
valid-signature?))
;;; Commentary: ;;; Commentary:
;;; ;;;
@ -136,4 +140,21 @@ PUBLIC-KEY (see <http://theworld.com/~cme/spki.txt> for examples.)"
(canonical-sexp->string (sign data secret-key)) (canonical-sexp->string (sign data secret-key))
(canonical-sexp->string public-key)))) (canonical-sexp->string public-key))))
(define (signature-subject sig)
"Return the signer's public key for SIG."
(find-sexp-token sig 'public-key))
(define (signature-signed-data sig)
"Return the signed data from SIG, typically an sexp such as
(hash \"sha256\" #...#)."
(find-sexp-token sig 'data))
(define (valid-signature? sig)
"Return #t if SIG is valid."
(let* ((data (signature-signed-data sig))
(signature (find-sexp-token sig 'sig-val))
(public-key (signature-subject sig)))
(and data signature
(verify signature data public-key))))
;;; pki.scm ends here ;;; pki.scm ends here
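Review bot: `valid-signature?` guards `data` and `signature` but not `public-key`, so a signature sexp that lacks a `public-key` token reaches `verify` with `#f` as the key (which presumably raises rather than returning `#f`); extend the guard to `(and data signature public-key`. The docstring "Return #t if SIG is valid." should also make clear what "valid" covers: the embedded `sig-val` verifies against the key embedded in SIG itself, and the ACL is not consulted, so callers must still run `authorized-key?` on `(signature-subject sig)` before trusting the data — e.g. `"Return #t if SIG's signature verifies against the public key embedded in SIG; this does not check whether that key is authorized."`. The same explicit-authorization point is worth a sentence in the `signature-subject` docstring, since the value it returns is exactly what a caller must pass to `authorized-key?`.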


@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU ;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2013, 2014 Ludovic Courtès <ludo@gnu.org>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -72,23 +72,21 @@
;; Read the signature as produced above, check whether its public key is ;; Read the signature as produced above, check whether its public key is
;; authorized, and verify the signature, and print the signed data to ;; authorized, and verify the signature, and print the signed data to
;; stdout upon success. ;; stdout upon success.
(let* ((sig+data (read-canonical-sexp signature-file)) (let* ((signature (read-canonical-sexp signature-file))
(public-key (find-sexp-token sig+data 'public-key)) (subject (signature-subject signature))
(data (find-sexp-token sig+data 'data)) (data (signature-signed-data signature)))
(signature (find-sexp-token sig+data 'sig-val))) (if (and data subject)
(if (and data signature) (if (authorized-key? subject)
(if (authorized-key? public-key) (if (valid-signature? signature)
(if (verify signature data public-key) (let ((hash (hash-data->bytevector data)))
(begin (display (bytevector->base16-string hash))
(display (bytevector->base16-string
(hash-data->bytevector data)))
#t) ; success #t) ; success
(leave (_ "error: invalid signature: ~a~%") (leave (_ "error: invalid signature: ~a~%")
(canonical-sexp->string signature))) (canonical-sexp->string signature)))
(leave (_ "error: unauthorized public key: ~a~%") (leave (_ "error: unauthorized public key: ~a~%")
(canonical-sexp->string public-key))) (canonical-sexp->string subject)))
(leave (_ "error: corrupt signature data: ~a~%") (leave (_ "error: corrupt signature data: ~a~%")
(canonical-sexp->string sig+data))))) (canonical-sexp->string signature)))))
(("--help") (("--help")
(display (_ "Usage: guix authenticate OPTION... (display (_ "Usage: guix authenticate OPTION...
Sign or verify the signature on the given file. This tool is meant to Sign or verify the signature on the given file. This tool is meant to
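Review bot: `valid-signature?` returns `#f` both when verification fails and when the `sig-val` token is absent, so after this change a signature file that has data and a public key but no `sig-val` is reported as "error: invalid signature" instead of "error: corrupt signature data", which the old `(and data signature)` test used to catch. Whether that reclassification is intended is not evident from the hunk; if the distinction matters for diagnosing truncated files, record it with a comment above the `valid-signature?` test, e.g. `;; VALID-SIGNATURE? is also #f when SIGNATURE has no 'sig-val token.`. The check order — `authorized-key?` on `subject` before `valid-signature?` — is sound here because both the caller and `valid-signature?` take the key from the signature sexp itself, so the key that is authorized is the key that is verified against. The enclosing `guix-authenticate` clause starts outside the hunk.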