[backend] BSTUF: get rid of BSConfiguration dependency

This was only used to read BSConfig::sign. With this change we assume the caller has put the sign binary in front of the sign command.
openSUSE · Nov 14, 2018 · 1d2645e · 1d2645e
1 parent 56cbb1e
commit 1d2645e
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 34 deletions.
diff --git a/src/backend/BSPublisher/Registry.pm b/src/backend/BSPublisher/Registry.pm
@@ -189,12 +189,13 @@ sub gen_timestampkey {
   my @keyargs = ('rsa@2048', '800');	# expire time does not matter...
   mkdir_p($uploaddir);
   unlink("$uploaddir/timestampkey.$$");
-  my @signargs;
-  push @signargs, '--project', ':tmpkey' if $BSConfig::sign_project;
-  push @signargs, '-P', "$uploaddir/timestampkey.$$";
+  my @signcmd;
+  push @signcmd, $BSConfig::sign;
+  push @signcmd, '--project', ':tmpkey' if $BSConfig::sign_project;
+  push @signcmd, '-P', "$uploaddir/timestampkey.$$";
   my $pubkey = '';
   my $fd;
-  open($fd, '-|', $BSConfig::sign, @signargs, '-g', @keyargs, "timestamp signing key", 'timestampsign@build.opensuse.org') || die("$BSConfig::sign: $!\n");
+  open($fd, '-|', @signcmd, '-g', @keyargs, "timestamp signing key", 'timestampsign@build.opensuse.org') || die("$BSConfig::sign: $!\n");
   1 while sysread($fd, $pubkey, 4096, length($pubkey));
   close($fd) || die("$BSConfig::sign: $?\n");
   my $privkey = readstr("$uploaddir/timestampkey.$$");
@@ -211,9 +212,10 @@ sub update_tuf {
   my ($prp, $repo, $gun, $containerdigests, $pubkey, $signargs) = @_;
 
   my ($projid, $repoid) = split('/', $prp, 2);
-  my @signargs;
-  push @signargs, '--project', $projid if $BSConfig::sign_project;
-  push @signargs, @{$signargs || []};
+  my @signcmd;
+  push @signcmd, $BSConfig::sign;
+  push @signcmd, '--project', $projid if $BSConfig::sign_project;
+  push @signcmd, @{$signargs || []};
 
   my $repodir = "$registrydir/$repo";
   my $now = time();
@@ -234,7 +236,7 @@ sub update_tuf {
   my $cmpres = BSTUF::cmprootcert($oldroot, $tbscert);
   my $cert;
   $cert = BSTUF::getrootcert($oldroot) if $cmpres == 2;		# reuse cert of old root
-  $cert ||= BSTUF::mkcert($tbscert, \@signargs);
+  $cert ||= BSTUF::mkcert($tbscert, \@signcmd);
 
   if ($cmpres == 0) {
     # pubkey changed, better start from scratch
@@ -299,7 +301,7 @@ sub update_tuf {
       @key_ids = BSUtil::unify(@key_ids);
       @key_ids = splice(@key_ids, 0, 2);	# enough for now
     }
-    $tuf->{'root'} = BSTUF::updatedata($root, $oldroot, \@signargs, @key_ids);
+    $tuf->{'root'} = BSTUF::updatedata($root, $oldroot, \@signcmd, @key_ids);
   }
 
   my $manifests = {};
@@ -328,7 +330,7 @@ sub update_tuf {
     'expires' => BSTUF::rfc3339time($now + $targets_expire),
     'targets' => $manifests,
   };
-  $tuf->{'targets'} = BSTUF::updatedata($targets, $oldtargets, \@signargs, $root_key_id);
+  $tuf->{'targets'} = BSTUF::updatedata($targets, $oldtargets, \@signcmd, $root_key_id);
 
   my $snapshot = {
     '_type' => 'Snapshot',
@@ -337,22 +339,23 @@ sub update_tuf {
   BSTUF::addmetaentry($snapshot, 'root', $tuf->{'root'});
   BSTUF::addmetaentry($snapshot, 'targets', $tuf->{'targets'});
   my $oldsnapshot = $oldtuf->{'snapshot'} ? JSON::XS::decode_json($oldtuf->{'snapshot'}) : {};
-  $tuf->{'snapshot'} = BSTUF::updatedata($snapshot, $oldsnapshot, \@signargs, $root_key_id);
+  $tuf->{'snapshot'} = BSTUF::updatedata($snapshot, $oldsnapshot, \@signcmd, $root_key_id);
 
   mkdir_p($uploaddir);
   unlink("$uploaddir/timestampkey.$$");
   writestr("$uploaddir/timestampkey.$$", undef, $tuf->{'timestamp_privkey'});
-  my @signargs_timestamp;
-  push @signargs_timestamp, '--project', ':tmpkey' if $BSConfig::sign_project;
-  push @signargs_timestamp, '-P', "$uploaddir/timestampkey.$$";
+  my @signcmd_timestamp;
+  push @signcmd_timestamp, $BSConfig::sign;
+  push @signcmd_timestamp, '--project', ':tmpkey' if $BSConfig::sign_project;
+  push @signcmd_timestamp, '-P', "$uploaddir/timestampkey.$$";
 
   my $timestamp = {
     '_type' => 'Timestamp',
     'expires' => BSTUF::rfc3339time($now + $timestamp_expire),
   };
   BSTUF::addmetaentry($timestamp, 'snapshot', $tuf->{'snapshot'});
   my $oldtimestamp = $oldtuf->{'timestamp'} ? JSON::XS::decode_json($oldtuf->{'timestamp'}) : {};
-  $tuf->{'timestamp'} = BSTUF::updatedata($timestamp, $oldtimestamp, \@signargs_timestamp, $timestamp_key_id);
+  $tuf->{'timestamp'} = BSTUF::updatedata($timestamp, $oldtimestamp, \@signcmd_timestamp, $timestamp_key_id);
   unlink("$uploaddir/timestampkey.$$");
 
   # add expire information

diff --git a/src/backend/BSTUF.pm b/src/backend/BSTUF.pm
@@ -26,7 +26,6 @@ use JSON::XS ();
 use MIME::Base64 ();
 use Digest::SHA;
 
-use BSConfiguration;
 use BSUtil;
 use BSASN1;
 use BSX509;
@@ -56,8 +55,8 @@ sub key2keyid {
 }
 
 sub sign {
-  my ($data, $signargs) = @_;
-  return BSUtil::xsystem($data, $BSConfig::sign, @$signargs, '-O', '-h', 'sha256');
+  my ($data, $signcmd) = @_;
+  return BSUtil::xsystem($data, @$signcmd, '-O', '-h', 'sha256');
 }
 
 sub mktbscert {
@@ -79,8 +78,8 @@ sub mktbscert {
 }
 
 sub mkcert {
-  my ($tbscert, $signargs) = @_;
-  my $signature = sign($tbscert, $signargs);
+  my ($tbscert, $signcmd) = @_;
+  my $signature = sign($tbscert, $signcmd);
   my $sigalgo = BSASN1::pack_sequence($BSX509::oid_sha256withrsaencryption, BSASN1::pack_null());
   my $cert = BSASN1::pack_sequence($tbscert, $sigalgo, BSASN1::pack_bytes($signature));
   return BSASN1::der2pem($cert, 'CERTIFICATE');
@@ -109,8 +108,8 @@ sub getsubjectkeyinfo {
 }
 
 sub signdata {
-  my ($d, $signargs, @keyids) = @_;
-  my $sig = MIME::Base64::encode_base64(sign(canonical_json($d), $signargs), '');
+  my ($d, $signcmd, @keyids) = @_;
+  my $sig = MIME::Base64::encode_base64(sign(canonical_json($d), $signcmd), '');
   my @sigs = map { { 'keyid' => $_, 'method' => 'rsapkcs1v15', 'sig' => $sig } } @keyids;
   # hack: signed must be first
   $d = { 'AAA_signed' => $d, 'signatures' => \@sigs };
@@ -120,10 +119,10 @@ sub signdata {
 }
 
 sub updatedata {
-  my ($d, $oldd, $signargs, @keyids) = @_;
+  my ($d, $oldd, $signcmd, @keyids) = @_;
   $d->{'version'} = 1;
   $d->{'version'} = ($oldd->{'signed'}->{'version'} || 0) + 1 if $oldd && $oldd->{'signed'};
-  return signdata($d, $signargs, @keyids);
+  return signdata($d, $signcmd, @keyids);
 }
 
 sub getrootcert {

diff --git a/src/backend/bs_notar b/src/backend/bs_notar
@@ -48,7 +48,7 @@ my $targets_expire = 3 * 366 * 24 * 3600;	# 3 years
 my $notary_timeout = 300;
 my $registry_timeout = 300;
 
-my @signargs;
+my @signcmd = ( $BSConfig::sign );
 
 sub multipartentry {
   my ($name, $d) = @_;
@@ -77,7 +77,7 @@ while (@ARGV) {
     next;
   }
   if ($ARGV[0] eq '-P' || $ARGV[0] eq '--project' || $ARGV[0] eq '-u' || $ARGV[0] eq '--signtype') {
-    push @signargs, splice(@ARGV, 0, 2);
+    push @signcmd, splice(@ARGV, 0, 2);
     next;
   }
   if ($ARGV[0] eq '-h') {
@@ -278,7 +278,7 @@ $oldroot = JSON::XS::decode_json($oldroot_json) if $oldroot_json;
 my $cmpres = BSTUF::cmprootcert($oldroot, $tbscert);
 my $cert;
 $cert = BSTUF::getrootcert($oldroot) if $cmpres == 2;
-$cert ||= BSTUF::mkcert($tbscert, \@signargs);
+$cert ||= BSTUF::mkcert($tbscert, \@signcmd);
 $oldroot_json = '' if $cmpres == 0;	# start from scratch
 $oldroot = {} if $cmpres == 0;	# start from scratch
 
@@ -347,7 +347,7 @@ if (BSTUF::canonical_json($root) eq BSTUF::canonical_json($oldroot->{'signed'} |
     @key_ids = BSUtil::unify(@key_ids);
     @key_ids = splice(@key_ids, 0, 2);		# enough for now
   }
-  $tuf->{'root'} = BSTUF::updatedata($root, $cmpres ? $oldroot : {}, \@signargs, @key_ids);
+  $tuf->{'root'} = BSTUF::updatedata($root, $cmpres ? $oldroot : {}, \@signcmd, @key_ids);
 }
 
 #
@@ -373,7 +373,7 @@ my $targets = {
   'expires' => BSTUF::rfc3339time($now + $targets_expire),
   'targets' => $manifests,
 };
-$tuf->{'targets'} = BSTUF::updatedata($targets, $cmpres ? $oldtargets : {}, \@signargs, $root_key_id);
+$tuf->{'targets'} = BSTUF::updatedata($targets, $cmpres ? $oldtargets : {}, \@signcmd, $root_key_id);
 
 #
 # setup snapshot
@@ -386,7 +386,7 @@ my $snapshot = {
 };
 BSTUF::addmetaentry($snapshot, 'root', $tuf->{'root'});
 BSTUF::addmetaentry($snapshot, 'targets', $tuf->{'targets'});
-$tuf->{'snapshot'} = BSTUF::updatedata($snapshot, $cmpres ? $oldsnapshot : {}, \@signargs, $root_key_id);
+$tuf->{'snapshot'} = BSTUF::updatedata($snapshot, $cmpres ? $oldsnapshot : {}, \@signcmd, $root_key_id);
 
 #
 # delete old data if necessary

diff --git a/src/backend/bs_repserver b/src/backend/bs_repserver
@@ -4160,10 +4160,11 @@ sub extend_timestamp {
   mkdir_p($uploaddir);
   unlink("$uploaddir/timestampkey.$$");
   writestr("$uploaddir/timestampkey.$$", undef, $tuf->{'timestamp_privkey'});
-  my @signargs;
-  push @signargs, '--project', ':tmpkey' if $BSConfig::sign_project;
-  push @signargs, '-P', "$uploaddir/timestampkey.$$";
-  $timestamp = BSTUF::signdata($timestamp, \@signargs, $keyid);
+  my @signcmd;
+  push @signcmd, $BSConfig::sign;
+  push @signcmd, '--project', ':tmpkey' if $BSConfig::sign_project;
+  push @signcmd, '-P', "$uploaddir/timestampkey.$$";
+  $timestamp = BSTUF::signdata($timestamp, \@signcmd, $keyid);
   unlink("$uploaddir/timestampkey.$$");
   my $fd;
   BSUtil::lockopen($fd, '<', "$repodir/:tuf");