[pbs-devel] applied: [PATCH proxmox-offline-mirror] verifier: add ability to verify with keyrings
Wolfgang Bumiller
w.bumiller at proxmox.com
Fri Aug 30 11:21:48 CEST 2024
applied with a minor style followup, thanks
On Thu, Aug 08, 2024 at 04:25:18PM GMT, Shannon Sterz wrote:
> some vendors don't just provide a single certificate but an entire
> keyring for their repositories. apt can handle those gracefully, so
> should we. this commit adds the ability to verify a repository's
> signatures with a keyring.
>
> we use `PacketParserEOF` to check if a stream of packets is likely a
> single certificate or a keyring. if it is a keyring, we try to verify a
> message with all certificates in the ring and only fail if no
> certificate can verify the message.
>
> Reported-by: Maximiliano Sandoval <m.sandoval at proxmox.com>
> Signed-off-by: Shannon Sterz <s.sterz at proxmox.com>
> ---
>
> this came up in the enterprise support, so i can't link the exact ticket
> here, but it was about mirroring this mellanox repository:
>
> https://linux.mellanox.com/public/repo/mlnx_ofed/24.04-0.7.0.0/debian12.1/amd64/
>
> mellanox says to install the corresponding keyring with this command:
>
> ```
> wget -qO - https://www.mellanox.com/downloads/ofed/RPM-GPG-KEY-Mellanox | \
> gpg --dearmor | tee /etc/apt/trusted.gpg.d/mellanox.gpg
> ```
>
> i tested the below code with this mellanox repo, our no-subscription
> repo and the debian security updates repo.
>
> src/helpers/verifier.rs | 71 +++++++++++++++++++++++++++++------------
> 1 file changed, 51 insertions(+), 20 deletions(-)
>
> diff --git a/src/helpers/verifier.rs b/src/helpers/verifier.rs
> index ed986af..0930bd7 100644
> --- a/src/helpers/verifier.rs
> +++ b/src/helpers/verifier.rs
> @@ -1,12 +1,13 @@
> -use anyhow::{bail, Error};
> +use anyhow::{bail, format_err, Error};
>
> use sequoia_openpgp::{
> + cert::CertParser,
> parse::{
> stream::{
> DetachedVerifierBuilder, MessageLayer, MessageStructure, VerificationError,
> VerificationHelper, VerifierBuilder,
> },
> - Parse,
> + PacketParser, PacketParserResult, Parse,
> },
> policy::StandardPolicy,
> types::HashAlgorithm,
> @@ -96,8 +97,6 @@ pub(crate) fn verify_signature(
> detached_sig: Option<&[u8]>,
> weak_crypto: &WeakCryptoConfig,
> ) -> Result<Vec<u8>, Error> {
> - let cert = Cert::from_bytes(key)?;
> -
> let mut policy = StandardPolicy::new();
> if weak_crypto.allow_sha1 {
> policy.accept_hash(HashAlgorithm::SHA1);
> @@ -113,23 +112,55 @@ pub(crate) fn verify_signature(
> }
> }
>
> - let helper = Helper { cert: &cert };
> -
> - let verified = if let Some(sig) = detached_sig {
> - let mut verifier =
> - DetachedVerifierBuilder::from_bytes(sig)?.with_policy(&policy, None, helper)?;
> - verifier.verify_bytes(msg)?;
> - msg.to_vec()
> - } else {
> - let mut verified = Vec::new();
> - let mut verifier = VerifierBuilder::from_bytes(msg)?.with_policy(&policy, None, helper)?;
> - let bytes = io::copy(&mut verifier, &mut verified)?;
> - println!("{bytes} bytes verified");
> - if !verifier.message_processed() {
> - bail!("Failed to verify message!");
> + let verifier = |cert| {
> + let helper = Helper { cert: &cert };
> +
> + if let Some(sig) = detached_sig {
> + let mut verifier =
> + DetachedVerifierBuilder::from_bytes(sig)?.with_policy(&policy, None, helper)?;
> + verifier.verify_bytes(msg)?;
> + Ok(msg.to_vec())
> + } else {
> + let mut verified = Vec::new();
> + let mut verifier =
> + VerifierBuilder::from_bytes(msg)?.with_policy(&policy, None, helper)?;
> + let bytes = io::copy(&mut verifier, &mut verified)?;
> + println!("{bytes} bytes verified");
> + if !verifier.message_processed() {
> + bail!("Failed to verify message!");
> + }
> + Ok(verified)
> }
> - verified
> };
>
> - Ok(verified)
> + let mut packed_parser = PacketParser::from_bytes(key)?;
> +
> + // parse all packets to see whether this is a simple certificate or a keyring
> + while let PacketParserResult::Some(pp) = packed_parser {
> + packed_parser = pp.recurse()?.1;
> + }
> +
> + if let PacketParserResult::EOF(eof) = packed_parser {
> + // verify against a single certificate
> + if eof.is_cert().is_ok() {
> + let cert = Cert::from_bytes(key)?;
> + return verifier(cert);
> + // verify against a keyring
> + } else if eof.is_keyring().is_ok() {
> + let packed_parser = PacketParser::from_bytes(key)?;
> +
> + return CertParser::from(packed_parser)
> + // flatten here as we ignore packets that aren't a certificate
> + .flatten()
> + // keep trying to verify the message until the first certificate that succeeds
> + .find_map(|c| verifier(c).ok())
> + // if no certificate verified the message, abort
> + .ok_or_else(|| format_err!("No key in keyring could verify the message!"));
> + }
> + }
> +
> + // neither a keyring nor a certificate was detect, so we abort here
> + Err(format_err!(
> + "'key-path' contains neither a keyring nor a certificate, aborting!"
> + ))
^ condensed the 3 final lines to a single `bail!()` line.
More information about the pbs-devel
mailing list