From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: Shannon Sterz <s.sterz@proxmox.com>
Cc: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] applied: [PATCH proxmox-offline-mirror] verifier: add ability to verify with keyrings
Date: Fri, 30 Aug 2024 11:21:48 +0200 [thread overview]
Message-ID: <xmmbdaokvvenqv6uwc5a5e7lg6esqboxwg76qqrzrm6as72jl3@e24fvpcbqtoq> (raw)
In-Reply-To: <20240808142518.248338-1-s.sterz@proxmox.com>
applied with a minor style followup, thanks
On Thu, Aug 08, 2024 at 04:25:18PM GMT, Shannon Sterz wrote:
> some vendors don't just provide a single certificate but an entire
> keyring for their repositories. apt can handle those gracefully, so
> should we. this commit adds the ability to verify a repository's
> signatures with a keyring.
>
> we use `PacketParserEOF` to check if a stream of packets is likely a
> single certificate or a keyring. if it is a keyring, we try to verify a
> message with all certificates in the ring and only fail if no
> certificate can verify the message.
>
> Reported-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
> Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
> ---
>
> this came up in the enterprise support, so i can't link the exact ticket
> here, but it was about mirroring this mellanox repository:
>
> https://linux.mellanox.com/public/repo/mlnx_ofed/24.04-0.7.0.0/debian12.1/amd64/
>
> mellanox says to install the corresponding keyring with this command:
>
> ```
> wget -qO - https://www.mellanox.com/downloads/ofed/RPM-GPG-KEY-Mellanox | \
> gpg --dearmor | tee /etc/apt/trusted.gpg.d/mellanox.gpg
> ```
>
> i tested the below code with this mellanox repo, our no-subscription
> repo and the debian security updates repo.
>
> src/helpers/verifier.rs | 71 +++++++++++++++++++++++++++++------------
> 1 file changed, 51 insertions(+), 20 deletions(-)
>
> diff --git a/src/helpers/verifier.rs b/src/helpers/verifier.rs
> index ed986af..0930bd7 100644
> --- a/src/helpers/verifier.rs
> +++ b/src/helpers/verifier.rs
> @@ -1,12 +1,13 @@
> -use anyhow::{bail, Error};
> +use anyhow::{bail, format_err, Error};
>
> use sequoia_openpgp::{
> + cert::CertParser,
> parse::{
> stream::{
> DetachedVerifierBuilder, MessageLayer, MessageStructure, VerificationError,
> VerificationHelper, VerifierBuilder,
> },
> - Parse,
> + PacketParser, PacketParserResult, Parse,
> },
> policy::StandardPolicy,
> types::HashAlgorithm,
> @@ -96,8 +97,6 @@ pub(crate) fn verify_signature(
> detached_sig: Option<&[u8]>,
> weak_crypto: &WeakCryptoConfig,
> ) -> Result<Vec<u8>, Error> {
> - let cert = Cert::from_bytes(key)?;
> -
> let mut policy = StandardPolicy::new();
> if weak_crypto.allow_sha1 {
> policy.accept_hash(HashAlgorithm::SHA1);
> @@ -113,23 +112,55 @@ pub(crate) fn verify_signature(
> }
> }
>
> - let helper = Helper { cert: &cert };
> -
> - let verified = if let Some(sig) = detached_sig {
> - let mut verifier =
> - DetachedVerifierBuilder::from_bytes(sig)?.with_policy(&policy, None, helper)?;
> - verifier.verify_bytes(msg)?;
> - msg.to_vec()
> - } else {
> - let mut verified = Vec::new();
> - let mut verifier = VerifierBuilder::from_bytes(msg)?.with_policy(&policy, None, helper)?;
> - let bytes = io::copy(&mut verifier, &mut verified)?;
> - println!("{bytes} bytes verified");
> - if !verifier.message_processed() {
> - bail!("Failed to verify message!");
> + let verifier = |cert| {
> + let helper = Helper { cert: &cert };
> +
> + if let Some(sig) = detached_sig {
> + let mut verifier =
> + DetachedVerifierBuilder::from_bytes(sig)?.with_policy(&policy, None, helper)?;
> + verifier.verify_bytes(msg)?;
> + Ok(msg.to_vec())
> + } else {
> + let mut verified = Vec::new();
> + let mut verifier =
> + VerifierBuilder::from_bytes(msg)?.with_policy(&policy, None, helper)?;
> + let bytes = io::copy(&mut verifier, &mut verified)?;
> + println!("{bytes} bytes verified");
> + if !verifier.message_processed() {
> + bail!("Failed to verify message!");
> + }
> + Ok(verified)
> }
> - verified
> };
>
> - Ok(verified)
> + let mut packed_parser = PacketParser::from_bytes(key)?;
> +
> + // parse all packets to see whether this is a simple certificate or a keyring
> + while let PacketParserResult::Some(pp) = packed_parser {
> + packed_parser = pp.recurse()?.1;
> + }
> +
> + if let PacketParserResult::EOF(eof) = packed_parser {
> + // verify against a single certificate
> + if eof.is_cert().is_ok() {
> + let cert = Cert::from_bytes(key)?;
> + return verifier(cert);
> + // verify against a keyring
> + } else if eof.is_keyring().is_ok() {
> + let packed_parser = PacketParser::from_bytes(key)?;
> +
> + return CertParser::from(packed_parser)
> + // flatten here as we ignore packets that aren't a certificate
> + .flatten()
> + // keep trying to verify the message until the first certificate that succeeds
> + .find_map(|c| verifier(c).ok())
> + // if no certificate verified the message, abort
> + .ok_or_else(|| format_err!("No key in keyring could verify the message!"));
> + }
> + }
> +
> + // neither a keyring nor a certificate was detect, so we abort here
> + Err(format_err!(
> + "'key-path' contains neither a keyring nor a certificate, aborting!"
> + ))
^ condensed the 3 final lines to a single `bail!()` line.
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
prev parent reply other threads:[~2024-08-30 9:21 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-08 14:25 [pbs-devel] " Shannon Sterz
2024-08-30 9:21 ` Wolfgang Bumiller [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmmbdaokvvenqv6uwc5a5e7lg6esqboxwg76qqrzrm6as72jl3@e24fvpcbqtoq \
--to=w.bumiller@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
--cc=s.sterz@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox