* [pbs-devel] [PATCH proxmox-offline-mirror] verifier: add ability to verify with keyrings
@ 2024-08-08 14:25 Shannon Sterz
  2024-08-30  9:21 ` [pbs-devel] applied: " Wolfgang Bumiller
  0 siblings, 1 reply; 2+ messages in thread
From: Shannon Sterz @ 2024-08-08 14:25 UTC (permalink / raw)
  To: pbs-devel

some vendors don't just provide a single certificate but an entire
keyring for their repositories. apt can handle those gracefully, so
should we. this commit adds the ability to verify a repository's
signatures with a keyring.

we use `PacketParserEOF` to check if a stream of packets is likely a
single certificate or a keyring. if it is a keyring, we try to verify a
message with all certificates in the ring and only fail if no
certificate can verify the message.

Reported-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---

this came up in the enterprise support, so i can't link the exact ticket
here, but it was about mirroring this mellanox repository:

https://linux.mellanox.com/public/repo/mlnx_ofed/24.04-0.7.0.0/debian12.1/amd64/

mellanox says to install the corresponding keyring with this command:

```
wget -qO - https://www.mellanox.com/downloads/ofed/RPM-GPG-KEY-Mellanox | \
    gpg --dearmor | tee /etc/apt/trusted.gpg.d/mellanox.gpg
```

i tested the below code with this mellanox repo, our no-subscription
repo and the debian security updates repo.

 src/helpers/verifier.rs | 71 +++++++++++++++++++++++++++++------------
 1 file changed, 51 insertions(+), 20 deletions(-)

diff --git a/src/helpers/verifier.rs b/src/helpers/verifier.rs
index ed986af..0930bd7 100644
--- a/src/helpers/verifier.rs
+++ b/src/helpers/verifier.rs
@@ -1,12 +1,13 @@
-use anyhow::{bail, Error};
+use anyhow::{bail, format_err, Error};

 use sequoia_openpgp::{
+    cert::CertParser,
     parse::{
         stream::{
             DetachedVerifierBuilder, MessageLayer, MessageStructure, VerificationError,
             VerificationHelper, VerifierBuilder,
         },
-        Parse,
+        PacketParser, PacketParserResult, Parse,
     },
     policy::StandardPolicy,
     types::HashAlgorithm,
@@ -96,8 +97,6 @@ pub(crate) fn verify_signature(
     detached_sig: Option<&[u8]>,
     weak_crypto: &WeakCryptoConfig,
 ) -> Result<Vec<u8>, Error> {
-    let cert = Cert::from_bytes(key)?;
-
     let mut policy = StandardPolicy::new();
     if weak_crypto.allow_sha1 {
         policy.accept_hash(HashAlgorithm::SHA1);
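Review bot: removing the eager `Cert::from_bytes(key)?` at the top of `verify_signature` means a malformed key file is no longer rejected before the policy is built; the check moves to the bottom of the function, where the key bytes are now parsed twice (once by `PacketParser` to classify the stream, then again by `Cert::from_bytes` or `CertParser`). That is acceptable for keyring-sized inputs, but a short comment on the double parse would save the next reader from "fixing" it.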
@@ -113,23 +112,55 @@ pub(crate) fn verify_signature(
         }
     }

-    let helper = Helper { cert: &cert };
-
-    let verified = if let Some(sig) = detached_sig {
-        let mut verifier =
-            DetachedVerifierBuilder::from_bytes(sig)?.with_policy(&policy, None, helper)?;
-        verifier.verify_bytes(msg)?;
-        msg.to_vec()
-    } else {
-        let mut verified = Vec::new();
-        let mut verifier = VerifierBuilder::from_bytes(msg)?.with_policy(&policy, None, helper)?;
-        let bytes = io::copy(&mut verifier, &mut verified)?;
-        println!("{bytes} bytes verified");
-        if !verifier.message_processed() {
-            bail!("Failed to verify message!");
+    let verifier = |cert| {
+        let helper = Helper { cert: &cert };
+
+        if let Some(sig) = detached_sig {
+            let mut verifier =
+                DetachedVerifierBuilder::from_bytes(sig)?.with_policy(&policy, None, helper)?;
+            verifier.verify_bytes(msg)?;
+            Ok(msg.to_vec())
+        } else {
+            let mut verified = Vec::new();
+            let mut verifier =
+                VerifierBuilder::from_bytes(msg)?.with_policy(&policy, None, helper)?;
+            let bytes = io::copy(&mut verifier, &mut verified)?;
+            println!("{bytes} bytes verified");
+            if !verifier.message_processed() {
+                bail!("Failed to verify message!");
+            }
+            Ok(verified)
         }
-        verified
     };

-    Ok(verified)
+    let mut packed_parser = PacketParser::from_bytes(key)?;
+
+    // parse all packets to see whether this is a simple certificate or a keyring
+    while let PacketParserResult::Some(pp) = packed_parser {
+        packed_parser = pp.recurse()?.1;
+    }
+
+    if let PacketParserResult::EOF(eof) = packed_parser {
+        // verify against a single certificate
+        if eof.is_cert().is_ok() {
+            let cert = Cert::from_bytes(key)?;
+            return verifier(cert);
+        // verify against a keyring
+        } else if eof.is_keyring().is_ok() {
+            let packed_parser = PacketParser::from_bytes(key)?;
+
+            return CertParser::from(packed_parser)
+                // flatten here as we ignore packets that aren't a certificate
+                .flatten()
+                // keep trying to verify the message until the first certificate that succeeds
+                .find_map(|c| verifier(c).ok())
+                // if no certificate verified the message, abort
+                .ok_or_else(|| format_err!("No key in keyring could verify the message!"));
+        }
+    }
+
+    // neither a keyring nor a certificate was detect, so we abort here
+    Err(format_err!(
+        "'key-path' contains neither a keyring nor a certificate, aborting!"
+    ))
 }
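Review bot: `.find_map(|c| verifier(c).ok())` throws away the error from every certificate it tries, so when a keyring contains no usable key the operator only ever sees "No key in keyring could verify the message!" with no hint whether signatures were bad, keys were rejected by the policy, or the signing key simply is not in the ring; consider collecting the per-certificate errors (or emitting them at debug level) before returning the generic error. Two smaller points in the same hunk: `println!("{bytes} bytes verified")` now lives inside the closure and is therefore tied to each attempted certificate rather than to the overall outcome, and the comment "neither a keyring nor a certificate was detect" should read "was detected".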
--
2.39.2



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
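The classification step the commit message describes (walk the whole packet stream first, then decide whether the key file holds a single certificate or a keyring) can be illustrated with a small std-only Rust packet walker. This is an added example, not code from the proxmox-offline-mirror tree and not Sequoia's `PacketParserEOF::is_cert`/`is_keyring` logic: it only parses RFC 4880 packet headers and counts primary-key packets (tags 5 and 6), treating one as a certificate and several as a keyring. The `packet`, `sample_cert`, `sample_keyring` and `classify` names are mine, and the sample packets are constructed with placeholder bodies, not real key material.

```rust
// Minimal OpenPGP packet-header walker (RFC 4880 section 4.2), std only.
// Added example: a simplified cert-vs-keyring check, not Sequoia's logic.

#[derive(Debug, PartialEq, Eq)]
pub enum KeyMaterial {
    Cert,
    Keyring { certs: usize },
    Neither,
}

const TAG_SIGNATURE: u8 = 2;
const TAG_SECRET_KEY: u8 = 5;
const TAG_PUBLIC_KEY: u8 = 6;
const TAG_USER_ID: u8 = 13;
const TAG_PUBLIC_SUBKEY: u8 = 14;

/// Returns (tag, header_len, body_len) for the packet starting at `data[0]`.
pub fn packet_header(data: &[u8]) -> Result<(u8, usize, usize), String> {
    let first = *data.first().ok_or("empty input")?;
    if first & 0x80 == 0 {
        return Err(format!("byte {first:#04x} is not a packet header"));
    }
    if first & 0x40 != 0 {
        // New format: tag in the low 6 bits, length in 1, 2 or 5 octets.
        let tag = first & 0x3f;
        let b0 = *data.get(1).ok_or("truncated length")? as usize;
        match b0 {
            0..=191 => Ok((tag, 2, b0)),
            192..=223 => {
                let b1 = *data.get(2).ok_or("truncated length")? as usize;
                Ok((tag, 3, ((b0 - 192) << 8) + b1 + 192))
            }
            255 => {
                let b = data.get(2..6).ok_or("truncated length")?;
                Ok((tag, 6, u32::from_be_bytes([b[0], b[1], b[2], b[3]]) as usize))
            }
            _ => Err("partial body lengths are not supported here".into()),
        }
    } else {
        // Old format: tag in bits 5..2, length type in bits 1..0.
        let tag = (first >> 2) & 0x0f;
        let n = match first & 0x03 { 0 => 1, 1 => 2, 2 => 4, _ => 0 };
        if n == 0 {
            // Indeterminate length: the body runs to the end of the input.
            return Ok((tag, 1, data.len() - 1));
        }
        let b = data.get(1..1 + n).ok_or("truncated length")?;
        let mut len = 0usize;
        for x in b { len = (len << 8) | *x as usize; }
        Ok((tag, 1 + n, len))
    }
}

/// Walks the packet sequence and returns the tag of every packet, failing on truncation.
pub fn packet_tags(mut data: &[u8]) -> Result<Vec<u8>, String> {
    let mut tags = Vec::new();
    while !data.is_empty() {
        let (tag, hdr, body) = packet_header(data)?;
        let total = hdr + body;
        if total > data.len() {
            return Err(format!("packet with tag {tag} is truncated"));
        }
        tags.push(tag);
        data = &data[total..];
    }
    Ok(tags)
}

fn is_primary(tag: u8) -> bool {
    tag == TAG_PUBLIC_KEY || tag == TAG_SECRET_KEY
}

/// Classifies by counting primary-key packets: one => certificate, several => keyring.
/// Anything that does not start with a primary key (e.g. a lone signature) is Neither.
pub fn classify(data: &[u8]) -> Result<KeyMaterial, String> {
    let tags = packet_tags(data)?;
    match tags.first() {
        Some(&t) if is_primary(t) => {}
        _ => return Ok(KeyMaterial::Neither),
    }
    let certs = tags.iter().filter(|&&t| is_primary(t)).count();
    Ok(if certs == 1 { KeyMaterial::Cert } else { KeyMaterial::Keyring { certs } })
}

/// Builds a new-format packet (1-, 2- or 5-octet length) for the constructed samples.
pub fn packet(tag: u8, body: &[u8]) -> Vec<u8> {
    let mut out = vec![0xc0 | tag];
    let n = body.len();
    if n < 192 {
        out.push(n as u8);
    } else if n < 8384 {
        let m = n - 192;
        out.push((m >> 8) as u8 + 192);
        out.push((m & 0xff) as u8);
    } else {
        out.push(255);
        out.extend_from_slice(&(n as u32).to_be_bytes());
    }
    out.extend_from_slice(body);
    out
}

/// Constructed sample: a toy certificate whose bodies are filler, not real key material.
pub fn sample_cert(seed: u8) -> Vec<u8> {
    let mut c = packet(TAG_PUBLIC_KEY, &[seed; 270]); // exercises the 2-octet length path
    c.extend(packet(TAG_USER_ID, b"Example Vendor <vendor@example.invalid>"));
    c.extend(packet(TAG_SIGNATURE, &[seed; 64]));
    c.extend(packet(TAG_PUBLIC_SUBKEY, &[seed; 200]));
    c.extend(packet(TAG_SIGNATURE, &[seed; 64]));
    c
}

/// Constructed sample: two certificates back to back, i.e. a keyring.
pub fn sample_keyring() -> Vec<u8> {
    let mut k = sample_cert(1);
    k.extend(sample_cert(2));
    k
}

fn main() {
    let inputs = [
        ("single cert", sample_cert(1)),
        ("keyring", sample_keyring()),
        ("detached signature only", packet(TAG_SIGNATURE, &[9; 64])),
    ];
    for (name, data) in inputs {
        println!("{name}: {:?}", classify(&data));
    }
}
```

Like the patch, this walks every packet before deciding, so a truncated or garbage key file is reported as an error rather than being silently treated as "not a certificate"; real code should keep Sequoia's checks, which also validate the packet grammar inside each certificate rather than just counting key packets.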



* [pbs-devel] applied: [PATCH proxmox-offline-mirror] verifier: add ability to verify with keyrings
  2024-08-08 14:25 [pbs-devel] [PATCH proxmox-offline-mirror] verifier: add ability to verify with keyrings Shannon Sterz
@ 2024-08-30  9:21 ` Wolfgang Bumiller
  0 siblings, 0 replies; 2+ messages in thread
From: Wolfgang Bumiller @ 2024-08-30  9:21 UTC (permalink / raw)
  To: Shannon Sterz; +Cc: pbs-devel

applied with a minor style followup, thanks

On Thu, Aug 08, 2024 at 04:25:18PM GMT, Shannon Sterz wrote:
> some vendors don't just provide a single certificate but an entire
> keyring for their repositories. apt can handle those gracefully, so
> should we. this commit adds the ability to verify a repository's
> signatures with a keyring.
> 
> we use `PacketParserEOF` to check if a stream of packets is likely a
> single certificate or a keyring. if it is a keyring, we try to verify a
> message with all certificates in the ring and only fail if no
> certificate can verify the message.
> 
> Reported-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
> Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
> ---
> 
> this came up in the enterprise support, so i can't link the exact ticket
> here, but it was about mirroring this mellanox repository:
> 
> https://linux.mellanox.com/public/repo/mlnx_ofed/24.04-0.7.0.0/debian12.1/amd64/
> 
> mellanox says to install the corresponding keyring with this command:
> 
> ```
> wget -qO - https://www.mellanox.com/downloads/ofed/RPM-GPG-KEY-Mellanox | \
>     gpg --dearmor | tee /etc/apt/trusted.gpg.d/mellanox.gpg
> ```
> 
> i tested the below code with this mellanox repo, our no-subscription
> repo and the debian security updates repo.
> 
>  src/helpers/verifier.rs | 71 +++++++++++++++++++++++++++++------------
>  1 file changed, 51 insertions(+), 20 deletions(-)
> 
> diff --git a/src/helpers/verifier.rs b/src/helpers/verifier.rs
> index ed986af..0930bd7 100644
> --- a/src/helpers/verifier.rs
> +++ b/src/helpers/verifier.rs
> @@ -1,12 +1,13 @@
> -use anyhow::{bail, Error};
> +use anyhow::{bail, format_err, Error};
> 
>  use sequoia_openpgp::{
> +    cert::CertParser,
>      parse::{
>          stream::{
>              DetachedVerifierBuilder, MessageLayer, MessageStructure, VerificationError,
>              VerificationHelper, VerifierBuilder,
>          },
> -        Parse,
> +        PacketParser, PacketParserResult, Parse,
>      },
>      policy::StandardPolicy,
>      types::HashAlgorithm,
> @@ -96,8 +97,6 @@ pub(crate) fn verify_signature(
>      detached_sig: Option<&[u8]>,
>      weak_crypto: &WeakCryptoConfig,
>  ) -> Result<Vec<u8>, Error> {
> -    let cert = Cert::from_bytes(key)?;
> -
>      let mut policy = StandardPolicy::new();
>      if weak_crypto.allow_sha1 {
>          policy.accept_hash(HashAlgorithm::SHA1);
> @@ -113,23 +112,55 @@ pub(crate) fn verify_signature(
>          }
>      }
> 
> -    let helper = Helper { cert: &cert };
> -
> -    let verified = if let Some(sig) = detached_sig {
> -        let mut verifier =
> -            DetachedVerifierBuilder::from_bytes(sig)?.with_policy(&policy, None, helper)?;
> -        verifier.verify_bytes(msg)?;
> -        msg.to_vec()
> -    } else {
> -        let mut verified = Vec::new();
> -        let mut verifier = VerifierBuilder::from_bytes(msg)?.with_policy(&policy, None, helper)?;
> -        let bytes = io::copy(&mut verifier, &mut verified)?;
> -        println!("{bytes} bytes verified");
> -        if !verifier.message_processed() {
> -            bail!("Failed to verify message!");
> +    let verifier = |cert| {
> +        let helper = Helper { cert: &cert };
> +
> +        if let Some(sig) = detached_sig {
> +            let mut verifier =
> +                DetachedVerifierBuilder::from_bytes(sig)?.with_policy(&policy, None, helper)?;
> +            verifier.verify_bytes(msg)?;
> +            Ok(msg.to_vec())
> +        } else {
> +            let mut verified = Vec::new();
> +            let mut verifier =
> +                VerifierBuilder::from_bytes(msg)?.with_policy(&policy, None, helper)?;
> +            let bytes = io::copy(&mut verifier, &mut verified)?;
> +            println!("{bytes} bytes verified");
> +            if !verifier.message_processed() {
> +                bail!("Failed to verify message!");
> +            }
> +            Ok(verified)
>          }
> -        verified
>      };
> 
> -    Ok(verified)
> +    let mut packed_parser = PacketParser::from_bytes(key)?;
> +
> +    // parse all packets to see whether this is a simple certificate or a keyring
> +    while let PacketParserResult::Some(pp) = packed_parser {
> +        packed_parser = pp.recurse()?.1;
> +    }
> +
> +    if let PacketParserResult::EOF(eof) = packed_parser {
> +        // verify against a single certificate
> +        if eof.is_cert().is_ok() {
> +            let cert = Cert::from_bytes(key)?;
> +            return verifier(cert);
> +        // verify against a keyring
> +        } else if eof.is_keyring().is_ok() {
> +            let packed_parser = PacketParser::from_bytes(key)?;
> +
> +            return CertParser::from(packed_parser)
> +                // flatten here as we ignore packets that aren't a certificate
> +                .flatten()
> +                // keep trying to verify the message until the first certificate that succeeds
> +                .find_map(|c| verifier(c).ok())
> +                // if no certificate verified the message, abort
> +                .ok_or_else(|| format_err!("No key in keyring could verify the message!"));
> +        }
> +    }
> +
> +    // neither a keyring nor a certificate was detect, so we abort here
> +    Err(format_err!(
> +        "'key-path' contains neither a keyring nor a certificate, aborting!"
> +    ))

^ condensed the 3 final lines to a single `bail!()` line.




