/
checksums.go
152 lines (133 loc) · 3.2 KB
/
checksums.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
package CPAN
import (
"bytes"
"encoding/json"
"errors"
"fmt"
"hash"
"io"
"io/ioutil"
"golang.org/x/crypto/openpgp"
"golang.org/x/crypto/openpgp/clearsign"
"golang.org/x/crypto/openpgp/packet"
)
type CheckSum struct {
MD5 string `json:"md5"`
MTime string `json:"mtime"`
Sha256 string `json:"sha256"`
Size int `json:"size"`
IsDir int `json:"isdir"`
}
var (
ErrNoData = errors.New("no data")
ErrSyntax = errors.New("syntax error")
)
func parseCheckSums(buf []byte) (map[string]CheckSum, error) {
// Skip perl comments
for {
if len(buf) == 0 {
return nil, ErrNoData
}
if buf[0] != '#' {
break
}
// Skip line
i := bytes.IndexByte(buf, '\n')
if i == -1 {
return nil, ErrNoData
}
buf = buf[i+1:]
}
i := bytes.IndexByte(buf, '{')
buf = buf[i:]
j := bytes.LastIndexByte(buf, '}')
if i == -1 {
return nil, ErrSyntax
}
if j == -1 {
return nil, ErrSyntax
}
buf = buf[:j+1]
// Special case for /authors/id/CHECKSUMS that has 'size' for 'RECENT-2d.yaml' as a string instead of int
if idx := bytes.Index(buf, []byte(`'size' => '35228'`)); idx >= 0 {
buf[idx+10] = ' '
buf[idx+16] = ' '
}
// Transform the Perl hashref into JSON
// FIXME fragile code
for i, c := range buf {
switch c {
// Forbid chars that could break our basic Perl-to-JSON transform
case '\\', '"':
return nil, ErrSyntax
case '\'':
buf[i] = '"'
case '=':
if len(buf) > i+2 && buf[i+1] == '>' {
buf[i] = ':'
buf[i+1] = ' '
}
}
}
var checksums map[string]CheckSum
if err := json.Unmarshal(buf, &checksums); err != nil {
return nil, err
}
return checksums, nil
}
// ReadCheckSums loads the content of a CHECKSUMS file.
// The PGP signature is verified.
func ReadCheckSums(r io.Reader, keyring openpgp.KeyRing) (map[string]CheckSum, error) {
content, err := ioutil.ReadAll(r)
if err != nil {
return nil, err
}
block, _ := clearsign.Decode(content)
if block == nil {
return nil, errors.New("no signed block found")
}
sigblock := block.ArmoredSignature
if sigblock == nil || sigblock.Type != openpgp.SignatureType {
return nil, errors.New("invalid signature block")
}
reader := packet.NewReader(sigblock.Body)
pkt, err := reader.Next()
if err != nil {
return nil, fmt.Errorf("error reading signature: %s", err)
}
var keyId uint64
var hash hash.Hash
var verifySignature func(pubkey *packet.PublicKey) error
switch sig := pkt.(type) {
case *packet.Signature:
keyId = *sig.IssuerKeyId
hash = sig.Hash.New()
verifySignature = func(pubkey *packet.PublicKey) error {
return pubkey.VerifySignature(hash, sig)
}
case *packet.SignatureV3:
keyId = sig.IssuerKeyId
hash = sig.Hash.New()
verifySignature = func(pubkey *packet.PublicKey) error {
return pubkey.VerifySignatureV3(hash, sig)
}
default:
return nil, fmt.Errorf("invalid signature: got %T", pkt)
}
hash.Write(block.Bytes)
// FIXME: use KeysByIdUsage
keys := keyring.KeysById(keyId)
if len(keys) == 0 {
return nil, fmt.Errorf("no PAUSE key with id 0x%X", keyId)
}
for _, pubkey := range keys {
err = verifySignature(pubkey.PublicKey)
if err == nil {
break
}
}
if err != nil {
return nil, fmt.Errorf("verify failure: %s", err)
}
return parseCheckSums(block.Bytes)
}