[pbs-devel] [PATCH proxmox-offline-mirror] verifier: add ability to verify with keyrings
Shannon Sterz
s.sterz at proxmox.com
Thu Aug 8 16:25:18 CEST 2024
some vendors don't just provide a single certificate but an entire
keyring for their repositories. apt can handle those gracefully, so
should we. this commit adds the ability to verify a repository's
signatures with a keyring.
we use `PacketParserEOF` to check if a stream of packets is likely a
single certificate or a keyring. if it is a keyring, we try to verify a
message with all certificates in the ring and only fail if no
certificate can verify the message.
Reported-by: Maximiliano Sandoval <m.sandoval at proxmox.com>
Signed-off-by: Shannon Sterz <s.sterz at proxmox.com>
---
this came up in the enterprise support, so i can't link the exact ticket
here, but it was about mirroring this mellanox repository:
https://linux.mellanox.com/public/repo/mlnx_ofed/24.04-0.7.0.0/debian12.1/amd64/
mellanox says to install the corresponding keyring with this command:
```
wget -qO - https://www.mellanox.com/downloads/ofed/RPM-GPG-KEY-Mellanox | \
gpg --dearmor | tee /etc/apt/trusted.gpg.d/mellanox.gpg
```
i tested the below code with this mellanox repo, our no-subscription
repo and the debian security updates repo.
src/helpers/verifier.rs | 71 +++++++++++++++++++++++++++++------------
1 file changed, 51 insertions(+), 20 deletions(-)
diff --git a/src/helpers/verifier.rs b/src/helpers/verifier.rs
index ed986af..0930bd7 100644
--- a/src/helpers/verifier.rs
+++ b/src/helpers/verifier.rs
@@ -1,12 +1,13 @@
-use anyhow::{bail, Error};
+use anyhow::{bail, format_err, Error};
use sequoia_openpgp::{
+ cert::CertParser,
parse::{
stream::{
DetachedVerifierBuilder, MessageLayer, MessageStructure, VerificationError,
VerificationHelper, VerifierBuilder,
},
- Parse,
+ PacketParser, PacketParserResult, Parse,
},
policy::StandardPolicy,
types::HashAlgorithm,
@@ -96,8 +97,6 @@ pub(crate) fn verify_signature(
detached_sig: Option<&[u8]>,
weak_crypto: &WeakCryptoConfig,
) -> Result<Vec<u8>, Error> {
- let cert = Cert::from_bytes(key)?;
-
let mut policy = StandardPolicy::new();
if weak_crypto.allow_sha1 {
policy.accept_hash(HashAlgorithm::SHA1);
@@ -113,23 +112,55 @@ pub(crate) fn verify_signature(
}
}
- let helper = Helper { cert: &cert };
-
- let verified = if let Some(sig) = detached_sig {
- let mut verifier =
- DetachedVerifierBuilder::from_bytes(sig)?.with_policy(&policy, None, helper)?;
- verifier.verify_bytes(msg)?;
- msg.to_vec()
- } else {
- let mut verified = Vec::new();
- let mut verifier = VerifierBuilder::from_bytes(msg)?.with_policy(&policy, None, helper)?;
- let bytes = io::copy(&mut verifier, &mut verified)?;
- println!("{bytes} bytes verified");
- if !verifier.message_processed() {
- bail!("Failed to verify message!");
+ let verifier = |cert| {
+ let helper = Helper { cert: &cert };
+
+ if let Some(sig) = detached_sig {
+ let mut verifier =
+ DetachedVerifierBuilder::from_bytes(sig)?.with_policy(&policy, None, helper)?;
+ verifier.verify_bytes(msg)?;
+ Ok(msg.to_vec())
+ } else {
+ let mut verified = Vec::new();
+ let mut verifier =
+ VerifierBuilder::from_bytes(msg)?.with_policy(&policy, None, helper)?;
+ let bytes = io::copy(&mut verifier, &mut verified)?;
+ println!("{bytes} bytes verified");
+ if !verifier.message_processed() {
+ bail!("Failed to verify message!");
+ }
+ Ok(verified)
}
- verified
};
- Ok(verified)
+ let mut packed_parser = PacketParser::from_bytes(key)?;
+
+ // parse all packets to see whether this is a simple certificate or a keyring
+ while let PacketParserResult::Some(pp) = packed_parser {
+ packed_parser = pp.recurse()?.1;
+ }
+
+ if let PacketParserResult::EOF(eof) = packed_parser {
+ // verify against a single certificate
+ if eof.is_cert().is_ok() {
+ let cert = Cert::from_bytes(key)?;
+ return verifier(cert);
+ // verify against a keyring
+ } else if eof.is_keyring().is_ok() {
+ let packed_parser = PacketParser::from_bytes(key)?;
+
+ return CertParser::from(packed_parser)
+ // flatten here as we ignore packets that aren't a certificate
+ .flatten()
+ // keep trying to verify the message until the first certificate that succeeds
+ .find_map(|c| verifier(c).ok())
+ // if no certificate verified the message, abort
+ .ok_or_else(|| format_err!("No key in keyring could verify the message!"));
+ }
+ }
+
+ // neither a keyring nor a certificate was detect, so we abort here
+ Err(format_err!(
+ "'key-path' contains neither a keyring nor a certificate, aborting!"
+ ))
}
--
2.39.2
More information about the pbs-devel
mailing list