forked from sylabs/singularity
/
signing.go
407 lines (352 loc) · 12.3 KB
/
signing.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
// Copyright (c) 2018, Sylabs Inc. All rights reserved.
// This software is licensed under a 3-clause BSD license. Please consult the
// LICENSE.md file distributed with the sources of this project regarding your
// rights to use or distribute this software.
package signing
import (
"bytes"
"crypto/sha512"
"encoding/binary"
"encoding/hex"
"fmt"
"os"
"github.com/sylabs/sif/pkg/sif"
"github.com/sylabs/singularity/internal/pkg/sylog"
"github.com/sylabs/singularity/pkg/sypgp"
"golang.org/x/crypto/openpgp"
"golang.org/x/crypto/openpgp/clearsign"
)
// computeHashStr generates a hash from data object(s) and generates a string
// to be stored in the signature block
func computeHashStr(fimg *sif.FileImage, descr []*sif.Descriptor) string {
hash := sha512.New384()
for _, v := range descr {
hash.Write(v.GetData(fimg))
}
sum := hash.Sum(nil)
return fmt.Sprintf("SIFHASH:\n%x", sum)
}
// sifAddSignature adds a signature block to a SIF file
func sifAddSignature(fimg *sif.FileImage, groupid, link uint32, fingerprint [20]byte, signature []byte) error {
// data we need to create a signature descriptor
siginput := sif.DescriptorInput{
Datatype: sif.DataSignature,
Groupid: groupid,
Link: link,
Fname: "part-signature",
Data: signature,
}
siginput.Size = int64(binary.Size(siginput.Data))
// extra data needed for the creation of a signature descriptor
err := siginput.SetSignExtra(sif.HashSHA384, hex.EncodeToString(fingerprint[:]))
if err != nil {
return err
}
// add new signature data object to SIF file
err = fimg.AddObject(siginput)
if err != nil {
return err
}
return nil
}
// descrToSign determines via argument or interactively which descriptor to sign
func descrToSign(fimg *sif.FileImage, id uint32, isGroup bool) (descr []*sif.Descriptor, err error) {
descr = make([]*sif.Descriptor, 1)
if id == 0 {
descr[0], _, err = fimg.GetPartPrimSys()
if err != nil {
return nil, fmt.Errorf("no primary partition found")
}
} else if isGroup {
var search = sif.Descriptor{
Groupid: id | sif.DescrGroupMask,
}
descr, _, err = fimg.GetFromDescr(search)
if err != nil {
return nil, fmt.Errorf("no descriptors found for groupid %v", id)
}
} else {
descr[0], _, err = fimg.GetFromDescrID(id)
if err != nil {
return nil, fmt.Errorf("no descriptor found for id %v", id)
}
}
return
}
// Sign takes the path of a container and generates an OpenPGP signature block for
// its system partition. Sign uses the private keys found in the default
// location if available or helps the user by prompting with key generation
// configuration options. In its current form, Sign also pushes, when desired,
// public material to a key server.
func Sign(cpath, url string, id uint32, isGroup bool, keyIdx int, authToken string) error {
elist, err := sypgp.LoadPrivKeyring()
if err != nil {
return fmt.Errorf("could not load private keyring: %s", err)
}
// Generate a private key usable for signing
var entity *openpgp.Entity
if elist == nil {
resp, err := sypgp.AskQuestion("No OpenPGP signing keys found, autogenerate? [Y/n] ")
if err != nil {
return fmt.Errorf("could not read response: %s", err)
}
if resp == "" || resp == "y" || resp == "Y" {
entity, err = sypgp.GenKeyPair()
if err != nil {
return fmt.Errorf("generating openpgp key pair failed: %s", err)
}
} else {
return fmt.Errorf("cannot sign without installed keys")
}
resp, err = sypgp.AskQuestion("Upload public key %X to %s? [Y/n] ", entity.PrimaryKey.Fingerprint, url)
if err != nil {
return err
}
if resp == "" || resp == "y" || resp == "Y" {
if err = sypgp.PushPubkey(entity, url, authToken); err != nil {
return fmt.Errorf("failed while pushing public key to server: %s", err)
}
fmt.Printf("Uploaded key successfully!\n")
}
} else {
if keyIdx != -1 { // -k <idx> has been specified
if keyIdx >= 0 && keyIdx < len(elist) {
entity = elist[keyIdx]
} else {
return fmt.Errorf("specified (-k, --keyidx) key index out of range")
}
} else if len(elist) > 1 {
entity, err = sypgp.SelectPrivKey(elist)
if err != nil {
return fmt.Errorf("failed while reading selection: %s", err)
}
} else {
entity = elist[0]
}
}
// Decrypt key if needed
if err = sypgp.DecryptKey(entity); err != nil {
return fmt.Errorf("could not decrypt private key, wrong password?")
}
// load the container
fimg, err := sif.LoadContainer(cpath, false)
if err != nil {
return fmt.Errorf("failed to load SIF container file: %s", err)
}
defer fimg.UnloadContainer()
// figure out which descriptor has data to sign
descr, err := descrToSign(&fimg, id, isGroup)
if err != nil {
return fmt.Errorf("signing requires a primary partition: %s", err)
}
// signature also include data integrity check
sifhash := computeHashStr(&fimg, descr)
// create an ascii armored signature block
var signedmsg bytes.Buffer
plaintext, err := clearsign.Encode(&signedmsg, entity.PrivateKey, nil)
if err != nil {
return fmt.Errorf("could not build a signature block: %s", err)
}
_, err = plaintext.Write([]byte(sifhash))
if err != nil {
return fmt.Errorf("failed writing hash value to signature block: %s", err)
}
if err = plaintext.Close(); err != nil {
return fmt.Errorf("I/O error while wrapping up signature block: %s", err)
}
// finally add the signature block (for descr) as a new SIF data object
var groupid, link uint32
if isGroup {
groupid = sif.DescrUnusedGroup
link = descr[0].Groupid
} else {
groupid = descr[0].Groupid
link = descr[0].ID
}
err = sifAddSignature(&fimg, groupid, link, entity.PrimaryKey.Fingerprint, signedmsg.Bytes())
if err != nil {
return fmt.Errorf("failed adding signature block to SIF container file: %s", err)
}
return nil
}
// return all signatures for the primary partition
func getSigsPrimPart(fimg *sif.FileImage) (sigs []*sif.Descriptor, descr []*sif.Descriptor, err error) {
descr = make([]*sif.Descriptor, 1)
descr[0], _, err = fimg.GetPartPrimSys()
if err != nil {
return nil, nil, fmt.Errorf("no primary partition found")
}
sigs, _, err = fimg.GetFromLinkedDescr(descr[0].ID)
if err != nil {
return nil, nil, fmt.Errorf("no signatures found for system partition")
}
return
}
// return all signatures for specified descriptor
func getSigsDescr(fimg *sif.FileImage, id uint32) (sigs []*sif.Descriptor, descr []*sif.Descriptor, err error) {
descr = make([]*sif.Descriptor, 1)
descr[0], _, err = fimg.GetFromDescrID(id)
if err != nil {
return nil, nil, fmt.Errorf("no descriptor found for id %v", id)
}
sigs, _, err = fimg.GetFromLinkedDescr(id)
if err != nil {
return nil, nil, fmt.Errorf("no signatures found for id %v", id)
}
return
}
// return all signatures for specified group
func getSigsGroup(fimg *sif.FileImage, id uint32) (sigs []*sif.Descriptor, descr []*sif.Descriptor, err error) {
// find descriptors that are part of a signing group
search := sif.Descriptor{
Groupid: id | sif.DescrGroupMask,
}
descr, _, err = fimg.GetFromDescr(search)
if err != nil {
return nil, nil, fmt.Errorf("no descriptors found for groupid %v", id)
}
// find signature blocks pointing to specified group
search = sif.Descriptor{
Datatype: sif.DataSignature,
Link: id | sif.DescrGroupMask,
}
sigs, _, err = fimg.GetFromDescr(search)
if err != nil {
return nil, nil, fmt.Errorf("no signatures found for groupid %v", id)
}
return
}
// return all signatures for "id" being unique or group id
func getSigsForSelection(fimg *sif.FileImage, id uint32, isGroup bool) (sigs []*sif.Descriptor, descr []*sif.Descriptor, err error) {
if id == 0 {
return getSigsPrimPart(fimg)
} else if isGroup {
return getSigsGroup(fimg, id)
}
return getSigsDescr(fimg, id)
}
// Verify takes a container path and look for a verification block for a
// specified descriptor. If found, the signature block is used to verify the
// partition hash against the signer's version. Verify takes care of looking
// for OpenPGP keys in the default local store or looks it up from a key server
// if access is enabled.
func Verify(cpath, url string, id uint32, isGroup bool, authToken string, noPrompt bool) error {
fimg, err := sif.LoadContainer(cpath, true)
if err != nil {
return fmt.Errorf("failed to load SIF container file: %s", err)
}
defer fimg.UnloadContainer()
// get all signature blocks (signatures) for ID/GroupID selected (descr) from SIF file
signatures, descr, err := getSigsForSelection(&fimg, id, isGroup)
if err != nil {
return fmt.Errorf("error while searching for signature blocks: %s", err)
}
// the selected data object is hashed for comparison against signature block's
sifhash := computeHashStr(&fimg, descr)
// load the public keys available locally from the cache
elist, err := sypgp.LoadPubKeyring()
if err != nil {
return fmt.Errorf("could not load public keyring: %s", err)
}
// compare freshly computed hash with hashes stored in signatures block(s)
var authok string
for _, v := range signatures {
// Extract hash string from signature block
data := v.GetData(&fimg)
block, _ := clearsign.Decode(data)
if block == nil {
return fmt.Errorf("failed to parse signature block")
}
if !bytes.Equal(bytes.TrimRight(block.Plaintext, "\n"), []byte(sifhash)) {
sylog.Infof("NOTE: group signatures will fail if new data is added to a group")
sylog.Infof("after the group signature is created.")
return fmt.Errorf("hashes differ, data may be corrupted")
}
// (1) Data integrity is verified, (2) now validate identify of signers
// get the entity fingerprint for the signature block
fingerprint, err := v.GetEntityString()
if err != nil {
return fmt.Errorf("could not get the signing entity fingerprint: %s", err)
}
// try to verify with local OpenPGP store first
signer, err := openpgp.CheckDetachedSignature(elist, bytes.NewBuffer(block.Bytes), block.ArmoredSignature.Body)
if err != nil {
// verification with local keyring failed, try to fetch from key server
sylog.Infof("key missing, searching key server for KeyID: %s...", fingerprint[24:])
netlist, err := sypgp.FetchPubkey(fingerprint, url, authToken, noPrompt)
if err != nil {
return fmt.Errorf("could not fetch public key from server: %s", err)
}
sylog.Infof("key retrieved successfully!")
block, _ := clearsign.Decode(data)
if block == nil {
return fmt.Errorf("failed to parse signature block")
}
// try verification again with downloaded key
signer, err = openpgp.CheckDetachedSignature(netlist, bytes.NewBuffer(block.Bytes), block.ArmoredSignature.Body)
if err != nil {
return fmt.Errorf("signature verification failed: %s", err)
}
if noPrompt {
// always store key when prompts disabled
if err = sypgp.StorePubKey(netlist[0]); err != nil {
return fmt.Errorf("could not store public key: %s", err)
}
} else {
// Ask to store new public key
resp, err := sypgp.AskQuestion("Store new public key %X? [Y/n] ", signer.PrimaryKey.Fingerprint)
if err != nil {
return err
}
if resp == "" || resp == "y" || resp == "Y" {
if err = sypgp.StorePubKey(netlist[0]); err != nil {
return fmt.Errorf("could not store public key: %s", err)
}
}
}
}
// Get first Identity data for convenience
var name string
for _, i := range signer.Identities {
name = i.Name
break
}
authok += fmt.Sprintf("\t%s, KeyID %X\n", name, signer.PrimaryKey.KeyId)
}
fmt.Printf("Data integrity checked, authentic and signed by:\n")
fmt.Print(authok)
return nil
}
func getSignEntities(fimg *sif.FileImage) ([]string, error) {
// get all signature blocks (signatures) for ID/GroupID selected (descr) from SIF file
signatures, _, err := getSigsPrimPart(fimg)
if err != nil {
return nil, err
}
var entities []string
for _, v := range signatures {
fingerprint, err := v.GetEntityString()
if err != nil {
return nil, err
}
entities = append(entities, fingerprint)
}
return entities, nil
}
// GetSignEntities returns all signing entities for an ID/Groupid
func GetSignEntities(cpath string) ([]string, error) {
fimg, err := sif.LoadContainer(cpath, true)
if err != nil {
return nil, err
}
defer fimg.UnloadContainer()
return getSignEntities(&fimg)
}
// GetSignEntitiesFp returns all signing entities for an ID/Groupid
func GetSignEntitiesFp(fp *os.File) ([]string, error) {
fimg, err := sif.LoadContainerFp(fp, true)
if err != nil {
return nil, err
}
return getSignEntities(&fimg)
}