guix-bioinformatics
/
guix
3
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3882 Commits
5 Branches
138 MiB
 
 
 
 
 
 
Tree: 1b3e968512
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1b3e968512'
${ noResults }
guix/guix/scripts/authenticate.scm

135 lines
5.4 KiB
Raw Blame History 

  1. ;;; GNU Guix --- Functional package management for GNU

  2. ;;; Copyright © 2013, 2014 Ludovic Courtès <ludo@gnu.org>

  3. ;;;

  4. ;;; This file is part of GNU Guix.

  5. ;;;

  6. ;;; GNU Guix is free software; you can redistribute it and/or modify it

  7. ;;; under the terms of the GNU General Public License as published by

  8. ;;; the Free Software Foundation; either version 3 of the License, or (at

  9. ;;; your option) any later version.

  10. ;;;

  11. ;;; GNU Guix is distributed in the hope that it will be useful, but

  12. ;;; WITHOUT ANY WARRANTY; without even the implied warranty of

  13. ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  14. ;;; GNU General Public License for more details.

  15. ;;;

  16. ;;; You should have received a copy of the GNU General Public License

  17. ;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

  18. 

  19. (define-module (guix scripts authenticate)

  20.   #:use-module (guix config)

  21.   #:use-module (guix utils)

  22.   #:use-module (guix pk-crypto)

  23.   #:use-module (guix pki)

  24.   #:use-module (guix ui)

  25.   #:use-module (rnrs io ports)

  26.   #:use-module (ice-9 match)

  27.   #:export (guix-authenticate))

  28. 

  29. ;;; Commentary:

  30. ;;;

  31. ;;; This program is used internally by the daemon to sign exported archive

  32. ;;; (the 'export-paths' RPC), and to authenticate imported archives (the

  33. ;;; 'import-paths' RPC.)

  34. ;;;

  35. ;;; Code:

  36. 

  37. (define read-canonical-sexp

  38.   ;; Read a gcrypt sexp from a port and return it.

  39.   (compose string->canonical-sexp get-string-all))

  40. 

  41. (define (read-hash-data port key-type)

  42.   "Read sha256 hash data from PORT and return it as a gcrypt sexp.  KEY-TYPE

  43. is a symbol representing the type of public key algo being used."

  44.   (let* ((hex (get-string-all port))

  45.          (bv  (base16-string->bytevector (string-trim-both hex))))

  46.     (bytevector->hash-data bv #:key-type key-type)))

  47. 

  48. (define (sign-with-key key-file port)

  49.   "Sign the hash read from PORT with KEY-FILE, and write an sexp that includes

  50. both the hash and the actual signature."

  51.   (let* ((secret-key (call-with-input-file key-file read-canonical-sexp))

  52.          (public-key (if (string-suffix? ".sec" key-file)

  53.                          (call-with-input-file

  54.                              (string-append (string-drop-right key-file 4)

  55.                                             ".pub")

  56.                            read-canonical-sexp)

  57.                          (leave

  58.                           (_ "cannot find public key for secret key '~a'~%")

  59.                           key-file)))

  60.          (data       (read-hash-data port (key-type public-key)))

  61.          (signature  (signature-sexp data secret-key public-key)))

  62.     (display (canonical-sexp->string signature))

  63.     #t))

  64. 

  65. (define (validate-signature port)

  66.   "Read the signature from PORT (which is as produced above), check whether

  67. its public key is authorized, verify the signature, and print the signed data

  68. to stdout upon success."

  69.   (let* ((signature (read-canonical-sexp port))

  70.          (subject   (signature-subject signature))

  71.          (data      (signature-signed-data signature)))

  72.     (if (and data subject)

  73.         (if (authorized-key? subject)

  74.             (if (valid-signature? signature)

  75.                 (let ((hash (hash-data->bytevector data)))

  76.                   (display (bytevector->base16-string hash))

  77.                   #t)                              ; success

  78.                 (leave (_ "error: invalid signature: ~a~%")

  79.                        (canonical-sexp->string signature)))

  80.             (leave (_ "error: unauthorized public key: ~a~%")

  81.                    (canonical-sexp->string subject)))

  82.         (leave (_ "error: corrupt signature data: ~a~%")

  83.                (canonical-sexp->string signature)))))

  84. 

  85. (define %default-port-conversion-strategy

  86.   ;; This fluid is in Guile > 2.0.5.

  87.   (if (defined? '%default-port-conversion-strategy)

  88.       (@ (guile) %default-port-conversion-strategy)

  89.       (make-fluid #f)))

  90. 

  91. 

  92. ;;;

  93. ;;; Entry point with 'openssl'-compatible interface.  We support this

  94. ;;; interface because that's what the daemon expects, and we want to leave it

  95. ;;; unmodified currently.

  96. ;;;

  97. 

  98. (define (guix-authenticate . args)

  99.   ;; Signature sexps written to stdout may contain binary data, so force

  100.   ;; ISO-8859-1 encoding so that things are not mangled.  See

  101.   ;; <http://bugs.gnu.org/17312> for details.

  102.   (set-port-encoding! (current-output-port) "ISO-8859-1")

  103.   (set-port-conversion-strategy! (current-output-port) 'error)

  104. 

  105.   ;; Same goes for input ports.

  106.   (with-fluids ((%default-port-encoding "ISO-8859-1")

  107.                 (%default-port-conversion-strategy 'error))

  108.     (match args

  109.       ;; As invoked by guix-daemon.

  110.       (("rsautl" "-sign" "-inkey" key "-in" hash-file)

  111.        (call-with-input-file hash-file

  112.          (lambda (port)

  113.            (sign-with-key key port))))

  114.       ;; As invoked by Nix/Crypto.pm (used by Hydra.)

  115.       (("rsautl" "-sign" "-inkey" key)

  116.        (sign-with-key key (current-input-port)))

  117.       ;; As invoked by guix-daemon.

  118.       (("rsautl" "-verify" "-inkey" _ "-pubin" "-in" signature-file)

  119.        (call-with-input-file signature-file

  120.          (lambda (port)

  121.            (validate-signature port))))

  122.       ;; As invoked by Nix/Crypto.pm (used by Hydra.)

  123.       (("rsautl" "-verify" "-inkey" _ "-pubin")

  124.        (validate-signature (current-input-port)))

  125.       (("--help")

  126.        (display (_ "Usage: guix authenticate OPTION...

  127. Sign or verify the signature on the given file.  This tool is meant to

  128. be used internally by 'guix-daemon'.\n")))

  129.       (("--version")

  130.        (show-version-and-exit "guix authenticate"))

  131.       (else

  132.        (leave (_ "wrong arguments"))))))

  133. 

  134. ;;; authenticate.scm ends here