lib/sign: allow to add keys as base64 string for ed25519

Allow to add public and secret key for ed25519 module as based64 string. This allows to use common API for pulling and builtins without knowledge of used signature algorithm. Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
ostreedev · Oct 7, 2019 · 1893d02 · 1893d02
1 parent 5cb8fd5
commit 1893d02
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 79 deletions.
diff --git a/src/libostree/ostree-repo-pull.c b/src/libostree/ostree-repo-pull.c
@@ -1567,20 +1567,7 @@ ostree_verify_unwritten_commit (OtPullData                 *pull_data,
                                          &pk_ascii, NULL);
           if (pk_ascii != NULL)
             {
-              g_autoptr (GVariant) pk = NULL;
-
-              if (!g_strcmp0(ostree_sign_get_name(sign), "dummy"))
-                {
-                  // Just use the string as signature
-                  pk = g_variant_new_string(pk_ascii);
-                }
-              else if (!g_strcmp0(ostree_sign_get_name(sign), "ed25519"))
-                {
-                  gsize key_len = 0;
-                  g_autofree guchar *key = g_base64_decode (pk_ascii, &key_len);
-                  pk = g_variant_new_fixed_array (G_VARIANT_TYPE_BYTE, key, key_len, sizeof(guchar));
-                }
-
+              g_autoptr (GVariant) pk = g_variant_new_string(pk_ascii);
               if (!ostree_sign_set_pk (sign, pk, &local_error))
                 continue;
             }
@@ -1976,18 +1963,8 @@ scan_commit_object (OtPullData                 *pull_data,
             {
               g_autoptr (GVariant) pk = NULL;
 
-              if (!g_strcmp0(ostree_sign_get_name(sign), "dummy"))
-                {
-                  // Just use the string as signature
-                  pk = g_variant_new_string(pk_ascii);
-                }
-              else if (!g_strcmp0(ostree_sign_get_name(sign), "ed25519"))
-                {
-                  gsize key_len = 0;
-                  g_autofree guchar *key = g_base64_decode (pk_ascii, &key_len);
-                  pk = g_variant_new_fixed_array (G_VARIANT_TYPE_BYTE, key, key_len, sizeof(guchar));
-                }
-
+              // Just use the string as signature
+              pk = g_variant_new_string(pk_ascii);
               if (!ostree_sign_set_pk (sign, pk, &local_error))
                 continue;
             }
@@ -4852,11 +4829,10 @@ ostree_repo_pull_with_options (OstreeRepo             *self,
       else
         gpg_verify_state = (pull_data->gpg_verify ? "commit" : "disabled");
 
-      g_string_append_printf (msg, "\nsecurity: GPG: %s ", gpg_verify_state);
 #else
       gpg_verify_state = "disabled";
-      g_string_append_printf (msg, "\nsecurity: %s ", gpg_verify_state);
 #endif /* OSTREE_DISABLE_GPGME */
+      g_string_append_printf (msg, "\nsecurity: GPG: %s ", gpg_verify_state);
 
       const char *sign_verify_state;
       sign_verify_state = (pull_data->sign_verify ? "commit" : "disabled");

diff --git a/src/libostree/ostree-sign-ed25519.c b/src/libostree/ostree-sign-ed25519.c
@@ -253,6 +253,10 @@ const gchar * ostree_sign_ed25519_metadata_format (OstreeSign *self)
   return OSTREE_SIGN_METADATA_ED25519_TYPE;
 }
 
+/* Support 2 representations:
+ * base64 ascii -- secret key is passed as string
+ * raw key -- key is passed as bytes array
+ * */
 gboolean ostree_sign_ed25519_set_sk (OstreeSign *self,
                                      GVariant *secret_key,
                                      GError **error)
@@ -266,7 +270,23 @@ gboolean ostree_sign_ed25519_set_sk (OstreeSign *self,
   g_free (sign->secret_key);
 
   gsize n_elements = 0;
-  sign->secret_key = (guchar *) g_variant_get_fixed_array (secret_key, &n_elements, sizeof(guchar));
+
+  if (g_variant_is_of_type (secret_key, G_VARIANT_TYPE_STRING))
+    {
+      const gchar *sk_ascii = g_variant_get_string (secret_key, NULL);
+      sign->secret_key = g_base64_decode (sk_ascii, &n_elements);
+    }
+  else if (g_variant_is_of_type (secret_key, G_VARIANT_TYPE_BYTESTRING))
+    {
+      sign->secret_key = (guchar *) g_variant_get_fixed_array (secret_key, &n_elements, sizeof(guchar));
+    }
+  else
+    {
+      g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+                           "Unknown ed25519 secret key type");
+      goto err;
+    }
+
 
   if (n_elements != crypto_sign_SECRETKEYBYTES)
     {
@@ -282,6 +302,10 @@ gboolean ostree_sign_ed25519_set_sk (OstreeSign *self,
   return FALSE;
 }
 
+/* Support 2 representations:
+ * base64 ascii -- public key is passed as string
+ * raw key -- key is passed as bytes array
+ * */
 gboolean ostree_sign_ed25519_set_pk (OstreeSign *self,
                                      GVariant *public_key,
                                      GError **error)
@@ -301,6 +325,10 @@ gboolean ostree_sign_ed25519_set_pk (OstreeSign *self,
   return ostree_sign_ed25519_add_pk (self, public_key, error);
 }
 
+/* Support 2 representations:
+ * base64 ascii -- public key is passed as string
+ * raw key -- key is passed as bytes array
+ * */
 gboolean ostree_sign_ed25519_add_pk (OstreeSign *self,
                                      GVariant *public_key,
                                      GError **error)
@@ -314,7 +342,22 @@ gboolean ostree_sign_ed25519_add_pk (OstreeSign *self,
   gpointer key = NULL; 
 
   gsize n_elements = 0;
-  key = (gpointer) g_variant_get_fixed_array (public_key, &n_elements, sizeof(guchar));
+
+  if (g_variant_is_of_type (public_key, G_VARIANT_TYPE_STRING))
+    {
+      const gchar *pk_ascii = g_variant_get_string (public_key, NULL);
+      key = g_base64_decode (pk_ascii, &n_elements);
+    }
+  else if (g_variant_is_of_type (public_key, G_VARIANT_TYPE_BYTESTRING))
+    {
+      key = (gpointer) g_variant_get_fixed_array (public_key, &n_elements, sizeof(guchar));
+    }
+  else
+    {
+      g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+                           "Unknown ed25519 public key type");
+      goto err;
+    }
 
   hex = g_malloc0 (crypto_sign_PUBLICKEYBYTES*2 + 1);
   g_debug ("Read ed25519 public key = %s", sodium_bin2hex (hex, crypto_sign_PUBLICKEYBYTES*2+1, key, n_elements));

diff --git a/src/ostree/ot-builtin-commit.c b/src/ostree/ot-builtin-commit.c
@@ -840,17 +840,7 @@ ostree_builtin_commit (int argc, char **argv, OstreeCommandInvocation *invocatio
               const char *keyid = *iter;
               g_autoptr (GVariant) secret_key = NULL;
 
-              if (!g_strcmp0(ostree_sign_get_name (sign), "dummy"))
-                {
-                  secret_key = g_variant_new_string (keyid);
-                }
-              else if (!g_strcmp0 (ostree_sign_get_name (sign), "ed25519"))
-                {
-                  gsize key_len = 0;
-                  g_autofree guchar *key = g_base64_decode (keyid, &key_len);
-
-                  secret_key = g_variant_new_fixed_array (G_VARIANT_TYPE_BYTE, key, key_len, sizeof(guchar));
-                }
+              secret_key = g_variant_new_string (keyid);
               if (!ostree_sign_set_sk (sign, secret_key, error))
                   goto out;
 

diff --git a/src/ostree/ot-builtin-sign.c b/src/ostree/ot-builtin-sign.c
@@ -72,11 +72,6 @@ ostree_builtin_sign (int argc, char **argv, OstreeCommandInvocation *invocation,
   char **key_ids;
   int n_key_ids, ii;
   gboolean ret = FALSE;
-#if defined(HAVE_LIBSODIUM)
-  g_autoptr (GVariant) ed25519_sk = NULL;
-  g_autoptr (GVariant) ed25519_pk = NULL;
-#endif
-
 
   context = g_option_context_new ("COMMIT KEY-ID...");
 
@@ -121,23 +116,13 @@ ostree_builtin_sign (int argc, char **argv, OstreeCommandInvocation *invocation,
       g_autoptr (GVariant) pk = NULL;
       g_autofree guchar *key = NULL;
 
-      if (!g_strcmp0(ostree_sign_get_name(sign), "dummy"))
-        {
-          // Just use the string as signature
-          sk = g_variant_new_string(key_ids[ii]);
-          pk = g_variant_new_string(key_ids[ii]);
-        }
       if (opt_verify)
         {
           g_autoptr (GError) local_error = NULL;
 
 
-          if (!g_strcmp0(ostree_sign_get_name(sign), "ed25519"))
-            {
-              gsize key_len = 0;
-              g_autofree guchar *key = g_base64_decode (key_ids[ii], &key_len);
-              pk = g_variant_new_fixed_array (G_VARIANT_TYPE_BYTE, key, key_len, sizeof(guchar));
-            }
+          // Pass the signature as a string
+          pk = g_variant_new_string(key_ids[ii]);
 
           if (!ostree_sign_set_pk (sign, pk, &local_error))
             continue;
@@ -151,13 +136,8 @@ ostree_builtin_sign (int argc, char **argv, OstreeCommandInvocation *invocation,
         }
       else
         {
-          if (!g_strcmp0(ostree_sign_get_name(sign), "ed25519"))
-            {
-              gsize key_len = 0;
-              g_autofree guchar *key = g_base64_decode (key_ids[ii], &key_len);
-              sk = g_variant_new_fixed_array (G_VARIANT_TYPE_BYTE, key, key_len, sizeof(guchar));
-            }
-
+          // Pass the signature as a string
+          sk = g_variant_new_string(key_ids[ii]);
           if (!ostree_sign_set_sk (sign, sk, error))
             {
               ret = FALSE;
@@ -238,20 +218,8 @@ ostree_builtin_sign (int argc, char **argv, OstreeCommandInvocation *invocation,
                 break;
 
 
-              if (!g_strcmp0(ostree_sign_get_name(sign), "dummy"))
-                {
-                  // Just use the string as signature
-                  sk = g_variant_new_string(line);
-                }
-
-
-              if (!g_strcmp0(ostree_sign_get_name(sign), "ed25519"))
-                {
-                  gsize key_len = 0;
-                  g_autofree guchar *key = g_base64_decode (line, &key_len);
-                  sk = g_variant_new_fixed_array (G_VARIANT_TYPE_BYTE, key, key_len, sizeof(guchar));
-                }
-
+              // Pass the signature as a string
+              sk = g_variant_new_string(line);
               if (!ostree_sign_set_sk (sign, sk, error))
                 {
                   ret = FALSE;