From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-offline-mirror] verifier: add ability to verify with keyrings
Date: Thu, 8 Aug 2024 16:25:18 +0200 [thread overview]
Message-ID: <20240808142518.248338-1-s.sterz@proxmox.com> (raw)
some vendors don't just provide a single certificate but an entire
keyring for their repositories. apt can handle those gracefully, so
should we. this commit adds the ability to verify a repository's
signatures with a keyring.
we use `PacketParserEOF` to check if a stream of packets is likely a
single certificate or a keyring. if it is a keyring, we try to verify a
message with all certificates in the ring and only fail if no
certificate can verify the message.
Reported-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
this came up in the enterprise support, so i can't link the exact ticket
here, but it was about mirroring this mellanox repository:
https://linux.mellanox.com/public/repo/mlnx_ofed/24.04-0.7.0.0/debian12.1/amd64/
mellanox says to install the corresponding keyring with this command:
```
wget -qO - https://www.mellanox.com/downloads/ofed/RPM-GPG-KEY-Mellanox | \
gpg --dearmor | tee /etc/apt/trusted.gpg.d/mellanox.gpg
```
i tested the below code with this mellanox repo, our no-subscription
repo and the debian security updates repo.
src/helpers/verifier.rs | 71 +++++++++++++++++++++++++++++------------
1 file changed, 51 insertions(+), 20 deletions(-)
diff --git a/src/helpers/verifier.rs b/src/helpers/verifier.rs
index ed986af..0930bd7 100644
--- a/src/helpers/verifier.rs
+++ b/src/helpers/verifier.rs
@@ -1,12 +1,13 @@
-use anyhow::{bail, Error};
+use anyhow::{bail, format_err, Error};
use sequoia_openpgp::{
+ cert::CertParser,
parse::{
stream::{
DetachedVerifierBuilder, MessageLayer, MessageStructure, VerificationError,
VerificationHelper, VerifierBuilder,
},
- Parse,
+ PacketParser, PacketParserResult, Parse,
},
policy::StandardPolicy,
types::HashAlgorithm,
@@ -96,8 +97,6 @@ pub(crate) fn verify_signature(
detached_sig: Option<&[u8]>,
weak_crypto: &WeakCryptoConfig,
) -> Result<Vec<u8>, Error> {
- let cert = Cert::from_bytes(key)?;
-
let mut policy = StandardPolicy::new();
if weak_crypto.allow_sha1 {
policy.accept_hash(HashAlgorithm::SHA1);
@@ -113,23 +112,55 @@ pub(crate) fn verify_signature(
}
}
- let helper = Helper { cert: &cert };
-
- let verified = if let Some(sig) = detached_sig {
- let mut verifier =
- DetachedVerifierBuilder::from_bytes(sig)?.with_policy(&policy, None, helper)?;
- verifier.verify_bytes(msg)?;
- msg.to_vec()
- } else {
- let mut verified = Vec::new();
- let mut verifier = VerifierBuilder::from_bytes(msg)?.with_policy(&policy, None, helper)?;
- let bytes = io::copy(&mut verifier, &mut verified)?;
- println!("{bytes} bytes verified");
- if !verifier.message_processed() {
- bail!("Failed to verify message!");
+ let verifier = |cert| {
+ let helper = Helper { cert: &cert };
+
+ if let Some(sig) = detached_sig {
+ let mut verifier =
+ DetachedVerifierBuilder::from_bytes(sig)?.with_policy(&policy, None, helper)?;
+ verifier.verify_bytes(msg)?;
+ Ok(msg.to_vec())
+ } else {
+ let mut verified = Vec::new();
+ let mut verifier =
+ VerifierBuilder::from_bytes(msg)?.with_policy(&policy, None, helper)?;
+ let bytes = io::copy(&mut verifier, &mut verified)?;
+ println!("{bytes} bytes verified");
+ if !verifier.message_processed() {
+ bail!("Failed to verify message!");
+ }
+ Ok(verified)
}
- verified
};
- Ok(verified)
+ let mut packed_parser = PacketParser::from_bytes(key)?;
+
+ // parse all packets to see whether this is a simple certificate or a keyring
+ while let PacketParserResult::Some(pp) = packed_parser {
+ packed_parser = pp.recurse()?.1;
+ }
+
+ if let PacketParserResult::EOF(eof) = packed_parser {
+ // verify against a single certificate
+ if eof.is_cert().is_ok() {
+ let cert = Cert::from_bytes(key)?;
+ return verifier(cert);
+ // verify against a keyring
+ } else if eof.is_keyring().is_ok() {
+ let packed_parser = PacketParser::from_bytes(key)?;
+
+ return CertParser::from(packed_parser)
+ // flatten here as we ignore packets that aren't a certificate
+ .flatten()
+ // keep trying to verify the message until the first certificate that succeeds
+ .find_map(|c| verifier(c).ok())
+ // if no certificate verified the message, abort
+ .ok_or_else(|| format_err!("No key in keyring could verify the message!"));
+ }
+ }
+
+ // neither a keyring nor a certificate was detect, so we abort here
+ Err(format_err!(
+ "'key-path' contains neither a keyring nor a certificate, aborting!"
+ ))
}
--
2.39.2
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
next reply other threads:[~2024-08-08 14:25 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-08 14:25 Shannon Sterz [this message]
2024-08-30 9:21 ` [pbs-devel] applied: " Wolfgang Bumiller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240808142518.248338-1-s.sterz@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox