Make API a bit stronger by taking namespace as well

obelisk · Apr 24, 2024 · 28687c7 · 28687c7
1 parent 81617bc
commit 28687c7
Show file tree

Hide file tree

Showing 7 changed files with 92 additions and 30 deletions.
diff --git a/examples/sign-file-with-file.rs b/examples/sign-file-with-file.rs
@@ -34,6 +34,14 @@ fn main() {
                 .required(true)
                 .takes_value(true),
         )
+        .arg(
+            Arg::new("namespace")
+                .help("The signing namespace you'd like the signature to be in")
+                .long("namespace")
+                .short('n')
+                .default_value("file")
+                .takes_value(true),
+        )
         .get_matches();
 
     let mut private_key = PrivateKey::from_path(matches.value_of("sign").unwrap()).unwrap();
@@ -42,10 +50,13 @@ fn main() {
         private_key.set_pin(pin);
     }
 
+    let namespace = matches.value_of("namespace").unwrap();
+
     let contents = std::fs::read(matches.value_of("file").unwrap()).unwrap();
 
     let signature =
-        VerifiedSshSignature::new_with_private_key(&contents, "file", private_key, None).unwrap();
+        VerifiedSshSignature::new_with_private_key(&contents, namespace, private_key, None)
+            .unwrap();
 
     println!("{}", signature);
 }
diff --git a/src/ssh/signature.rs b/src/ssh/signature.rs
@@ -203,6 +203,7 @@ impl VerifiedSshSignature {
     pub fn from_ssh_signature(
         message: &[u8],
         ssh_signature: SshSignature,
+        namespace: &str,
         pub_key: Option<PublicKey>,
     ) -> Result<Self> {
         // If a public key is provided, then we will check the signature also contains that same
@@ -214,6 +215,10 @@ impl VerifiedSshSignature {
             }
         }
 
+        if namespace != ssh_signature.namespace {
+            return Err(Error::InvalidSignature);
+        }
+
         match verify_signature(
             &ssh_signature.signature,
             &ssh_signature.to_signed_format(message),
@@ -255,6 +260,7 @@ impl VerifiedSshSignature {
         VerifiedSshSignature::from_ssh_signature(
             message,
             ssh_signature,
+            namespace,
             Some(private_key.pubkey.clone()),
         )
     }

diff --git a/tests/allowed_signers/test_keys b/tests/allowed_signers/test_keys
@@ -1,4 +1,5 @@
 mitchell@confurious.io ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDO0VQD9TIdICZLWFWwtf7s8/aENve8twGTEmNV0myh5 ed25519_1
 mitchell@confurious.io ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM0JfpeVmfRBExbXgAFlrkZlzrpT5ywSIqyCRnAYrT4U ed25519_2
+mitchell@confurious.io sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIVTblnROOE/e2jCl6ieSgqPjWtnxjzmpCHU+TJ3EbL8AAAAEHNzaDpTU0hDZXJ0c1Rlc3Q= sk_ed25519 
 mitchell@confurious.io ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBYEU2maNpyuWdSfjAxDO3s5NjqLCR+FFHmADo3sdoZl13alTDHIpoJuwfkCsNhNv5gLOsCY76mJsn2oJ1evoyo= ecdsa_256_1
 mitchell@confurious.io ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBBQ8HnzFz1zFwunWzCMnzteMPZu60fluVIn5U8779lX7IWfsSVchHO+b6LZo+PT99zngtJ0TxJmUC7tEu7ICDAfwip+EsBMbeart8M9KdFKfvMSuMhQY69FLuDm+EEf1HQ== ecdsa_384_1
diff --git a/tests/signature-bad.rs b/tests/signature-bad.rs
@@ -16,8 +16,12 @@ fn ensure_verification_fail_ecdsa_256_bitflip() {
         .pubkey
         .clone();
 
-    let vs =
-        VerifiedSshSignature::from_ssh_signature(message.as_slice(), signature, Some(public_key));
+    let vs = VerifiedSshSignature::from_ssh_signature(
+        message.as_slice(),
+        signature,
+        "file",
+        Some(public_key),
+    );
 
     assert!(vs.is_err());
 }

diff --git a/tests/signature-creation-rsa.rs b/tests/signature-creation-rsa.rs
@@ -28,6 +28,7 @@ fn check_basic_creation_rsa_2048_1_full_loop() {
     let fl_vss = VerifiedSshSignature::from_ssh_signature(
         &message,
         SshSignature::from_armored_string(&armored_signature).unwrap(),
+        "file",
         Some(public_key),
     );
 

diff --git a/tests/signature-creation.rs b/tests/signature-creation.rs
@@ -50,6 +50,7 @@ fn check_basic_creation_ed25519_full_loop() {
     let fl_vss = VerifiedSshSignature::from_ssh_signature(
         &message,
         SshSignature::from_armored_string(&armored_signature).unwrap(),
+        "file",
         Some(public_key),
     );
 
@@ -72,6 +73,7 @@ fn check_basic_creation_ecdsa_256_full_loop() {
     let fl_vss = VerifiedSshSignature::from_ssh_signature(
         &message,
         SshSignature::from_armored_string(&armored_signature).unwrap(),
+        "file",
         Some(public_key),
     );
 
@@ -94,6 +96,7 @@ fn check_basic_creation_ecdsa_384_full_loop() {
     let fl_vss = VerifiedSshSignature::from_ssh_signature(
         &message,
         SshSignature::from_armored_string(&armored_signature).unwrap(),
+        "file",
         Some(public_key),
     );
 

diff --git a/tests/signature.rs b/tests/signature.rs
@@ -70,9 +70,13 @@ fn check_verification_ed25519() {
         .pubkey
         .clone();
 
-    let _verified_signature =
-        VerifiedSshSignature::from_ssh_signature(message.as_slice(), signature, Some(public_key))
-            .expect("Failed to verify signature");
+    let _verified_signature = VerifiedSshSignature::from_ssh_signature(
+        message.as_slice(),
+        signature,
+        "file",
+        Some(public_key),
+    )
+    .expect("Failed to verify signature");
 }
 
 #[test]
@@ -86,9 +90,13 @@ fn check_verification_sk_ed25519() {
         .pubkey
         .clone();
 
-    let _verified_signature =
-        VerifiedSshSignature::from_ssh_signature(message.as_slice(), signature, Some(public_key))
-            .expect("Failed to verify signature");
+    let _verified_signature = VerifiedSshSignature::from_ssh_signature(
+        message.as_slice(),
+        signature,
+        "file",
+        Some(public_key),
+    )
+    .expect("Failed to verify signature");
 }
 
 #[test]
@@ -102,9 +110,13 @@ fn check_verification_ecdsa_256() {
         .pubkey
         .clone();
 
-    let _verified_signature =
-        VerifiedSshSignature::from_ssh_signature(message.as_slice(), signature, Some(public_key))
-            .expect("Failed to verify signature");
+    let _verified_signature = VerifiedSshSignature::from_ssh_signature(
+        message.as_slice(),
+        signature,
+        "file",
+        Some(public_key),
+    )
+    .expect("Failed to verify signature");
 }
 
 #[test]
@@ -118,9 +130,13 @@ fn check_verification_sk_ecdsa() {
         .pubkey
         .clone();
 
-    let _verified_signature =
-        VerifiedSshSignature::from_ssh_signature(message.as_slice(), signature, Some(public_key))
-            .expect("Failed to verify signature");
+    let _verified_signature = VerifiedSshSignature::from_ssh_signature(
+        message.as_slice(),
+        signature,
+        "file",
+        Some(public_key),
+    )
+    .expect("Failed to verify signature");
 }
 
 #[test]
@@ -134,9 +150,13 @@ fn check_verification_ecdsa_384() {
         .pubkey
         .clone();
 
-    let _verified_signature =
-        VerifiedSshSignature::from_ssh_signature(message.as_slice(), signature, Some(public_key))
-            .expect("Failed to verify signature");
+    let _verified_signature = VerifiedSshSignature::from_ssh_signature(
+        message.as_slice(),
+        signature,
+        "file",
+        Some(public_key),
+    )
+    .expect("Failed to verify signature");
 }
 
 #[test]
@@ -150,9 +170,13 @@ fn check_verification_rsa_2048() {
         .pubkey
         .clone();
 
-    let _verified_signature =
-        VerifiedSshSignature::from_ssh_signature(message.as_slice(), signature, Some(public_key))
-            .expect("Failed to verify signature");
+    let _verified_signature = VerifiedSshSignature::from_ssh_signature(
+        message.as_slice(),
+        signature,
+        "file",
+        Some(public_key),
+    )
+    .expect("Failed to verify signature");
 }
 
 #[test]
@@ -167,9 +191,13 @@ fn check_verification_rsa_sha2_256() {
         .pubkey
         .clone();
 
-    let _verified_signature =
-        VerifiedSshSignature::from_ssh_signature(message.as_slice(), signature, Some(public_key))
-            .expect("Failed to verify signature");
+    let _verified_signature = VerifiedSshSignature::from_ssh_signature(
+        message.as_slice(),
+        signature,
+        "file",
+        Some(public_key),
+    )
+    .expect("Failed to verify signature");
 }
 
 #[test]
@@ -184,9 +212,13 @@ fn check_verification_rsa_sha2_512() {
         .pubkey
         .clone();
 
-    let _verified_signature =
-        VerifiedSshSignature::from_ssh_signature(message.as_slice(), signature, Some(public_key))
-            .expect("Failed to verify signature");
+    let _verified_signature = VerifiedSshSignature::from_ssh_signature(
+        message.as_slice(),
+        signature,
+        "file",
+        Some(public_key),
+    )
+    .expect("Failed to verify signature");
 
     let signature =
         SshSignature::from_armored_string(include_str!("signatures/rsa-sha2-512-8192_Test.sig"))
@@ -198,7 +230,11 @@ fn check_verification_rsa_sha2_512() {
         .pubkey
         .clone();
 
-    let _verified_signature =
-        VerifiedSshSignature::from_ssh_signature(message.as_slice(), signature, Some(public_key))
-            .expect("Failed to verify signature");
+    let _verified_signature = VerifiedSshSignature::from_ssh_signature(
+        message.as_slice(),
+        signature,
+        "file",
+        Some(public_key),
+    )
+    .expect("Failed to verify signature");
 }