diff --git a/guix/base64.scm b/guix/base64.scm new file mode 100644 index 0000000..f7f7f5f --- /dev/null +++ b/guix/base64.scm @@ -0,0 +1,212 @@ +;; -*- mode: scheme; coding: utf-8 -*- +;; +;; This module was renamed from (weinholt text base64 (1 0 20100612)) to +;; (guix base64) by Nikita Karetnikov on +;; February 12, 2014. +;; +;; Copyright © 2009, 2010 Göran Weinholt +;; +;; This program is free software: you can redistribute it and/or modify +;; it under the terms of the GNU General Public License as published by +;; the Free Software Foundation, either version 3 of the License, or +;; (at your option) any later version. +;; +;; This program is distributed in the hope that it will be useful, +;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;; GNU General Public License for more details. +;; +;; You should have received a copy of the GNU General Public License +;; along with this program. If not, see . +#!r6rs + +;; RFC 4648 Base-N Encodings + +(library (guix base64) + (export base64-encode + base64-decode + base64-alphabet + base64url-alphabet + get-delimited-base64 + put-delimited-base64) + (import (rnrs) + (only (srfi :13 strings) + string-index + string-prefix? string-suffix? + string-concatenate string-trim-both)) + + (define base64-alphabet + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/") + + (define base64url-alphabet + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_") + + (define base64-encode + (case-lambda + ;; Simple interface. Returns a string containing the canonical + ;; base64 representation of the given bytevector. + ((bv) + (base64-encode bv 0 (bytevector-length bv) #f #f base64-alphabet #f)) + ((bv start) + (base64-encode bv start (bytevector-length bv) #f #f base64-alphabet #f)) + ((bv start end) + (base64-encode bv start end #f #f base64-alphabet #f)) + ((bv start end line-length) + (base64-encode bv start end line-length #f base64-alphabet #f)) + ((bv start end line-length no-padding) + (base64-encode bv start end line-length no-padding base64-alphabet #f)) + ((bv start end line-length no-padding alphabet) + (base64-encode bv start end line-length no-padding alphabet #f)) + ;; Base64 encodes the bytes [start,end[ in the given bytevector. + ;; Lines are limited to line-length characters (unless #f), + ;; which must be a multiple of four. To omit the padding + ;; characters (#\=) set no-padding to a true value. If port is + ;; #f, returns a string. + ((bv start end line-length no-padding alphabet port) + (assert (or (not line-length) (zero? (mod line-length 4)))) + (let-values (((p extract) (if port + (values port (lambda () (values))) + (open-string-output-port)))) + (letrec ((put (if line-length + (let ((chars 0)) + (lambda (p c) + (when (fx=? chars line-length) + (set! chars 0) + (put-char p #\linefeed)) + (set! chars (fx+ chars 1)) + (put-char p c))) + put-char))) + (let lp ((i start)) + (cond ((= i end)) + ((<= (+ i 3) end) + (let ((x (bytevector-uint-ref bv i (endianness big) 3))) + (put p (string-ref alphabet (fxbit-field x 18 24))) + (put p (string-ref alphabet (fxbit-field x 12 18))) + (put p (string-ref alphabet (fxbit-field x 6 12))) + (put p (string-ref alphabet (fxbit-field x 0 6))) + (lp (+ i 3)))) + ((<= (+ i 2) end) + (let ((x (fxarithmetic-shift-left (bytevector-u16-ref bv i (endianness big)) 8))) + (put p (string-ref alphabet (fxbit-field x 18 24))) + (put p (string-ref alphabet (fxbit-field x 12 18))) + (put p (string-ref alphabet (fxbit-field x 6 12))) + (unless no-padding + (put p #\=)))) + (else + (let ((x (fxarithmetic-shift-left (bytevector-u8-ref bv i) 16))) + (put p (string-ref alphabet (fxbit-field x 18 24))) + (put p (string-ref alphabet (fxbit-field x 12 18))) + (unless no-padding + (put p #\=) + (put p #\=))))))) + (extract))))) + + ;; Decodes a base64 string. The string must contain only pure + ;; unpadded base64 data. + (define base64-decode + (case-lambda + ((str) + (base64-decode str base64-alphabet #f)) + ((str alphabet) + (base64-decode str alphabet #f)) + ((str alphabet port) + (unless (zero? (mod (string-length str) 4)) + (error 'base64-decode + "input string must be a multiple of four characters")) + (let-values (((p extract) (if port + (values port (lambda () (values))) + (open-bytevector-output-port)))) + (do ((i 0 (+ i 4))) + ((= i (string-length str)) + (extract)) + (let ((c1 (string-ref str i)) + (c2 (string-ref str (+ i 1))) + (c3 (string-ref str (+ i 2))) + (c4 (string-ref str (+ i 3)))) + ;; TODO: be more clever than string-index + (let ((i1 (string-index alphabet c1)) + (i2 (string-index alphabet c2)) + (i3 (string-index alphabet c3)) + (i4 (string-index alphabet c4))) + (cond ((and i1 i2 i3 i4) + (let ((x (fxior (fxarithmetic-shift-left i1 18) + (fxarithmetic-shift-left i2 12) + (fxarithmetic-shift-left i3 6) + i4))) + (put-u8 p (fxbit-field x 16 24)) + (put-u8 p (fxbit-field x 8 16)) + (put-u8 p (fxbit-field x 0 8)))) + ((and i1 i2 i3 (char=? c4 #\=) + (= i (- (string-length str) 4))) + (let ((x (fxior (fxarithmetic-shift-left i1 18) + (fxarithmetic-shift-left i2 12) + (fxarithmetic-shift-left i3 6)))) + (put-u8 p (fxbit-field x 16 24)) + (put-u8 p (fxbit-field x 8 16)))) + ((and i1 i2 (char=? c3 #\=) (char=? c4 #\=) + (= i (- (string-length str) 4))) + (let ((x (fxior (fxarithmetic-shift-left i1 18) + (fxarithmetic-shift-left i2 12)))) + (put-u8 p (fxbit-field x 16 24)))) + (else + (error 'base64-decode "invalid input" + (list c1 c2 c3 c4))))))))))) + + (define (get-line-comp f port) + (if (port-eof? port) + (eof-object) + (f (get-line port)))) + + ;; Reads the common -----BEGIN/END type----- delimited format from + ;; the given port. Returns two values: a string with the type and a + ;; bytevector containing the base64 decoded data. The second value + ;; is the eof object if there is an eof before the BEGIN delimiter. + (define (get-delimited-base64 port) + (define (get-first-data-line port) + ;; Some MIME data has header fields in the same format as mail + ;; or http. These are ignored. + (let ((line (get-line-comp string-trim-both port))) + (cond ((eof-object? line) line) + ((string-index line #\:) + (let lp () ;read until empty line + (let ((line (get-line-comp string-trim-both port))) + (if (string=? line "") + (get-line-comp string-trim-both port) + (lp))))) + (else line)))) + (let ((line (get-line-comp string-trim-both port))) + (cond ((eof-object? line) + (values "" (eof-object))) + ((string=? line "") + (get-delimited-base64 port)) + ((and (string-prefix? "-----BEGIN " line) + (string-suffix? "-----" line)) + (let* ((type (substring line 11 (- (string-length line) 5))) + (endline (string-append "-----END " type "-----"))) + (let-values (((outp extract) (open-bytevector-output-port))) + (let lp ((line (get-first-data-line port))) + (cond ((eof-object? line) + (error 'get-delimited-base64 + "unexpected end of file")) + ((string-prefix? "-" line) + (unless (string=? line endline) + (error 'get-delimited-base64 + "bad end delimiter" type line)) + (values type (extract))) + (else + (unless (and (= (string-length line) 5) + (string-prefix? "=" line)) ;Skip Radix-64 checksum + (base64-decode line base64-alphabet outp)) + (lp (get-line-comp string-trim-both port)))))))) + (else ;skip garbage (like in openssl x509 -in foo -text output). + (get-delimited-base64 port))))) + + (define put-delimited-base64 + (case-lambda + ((port type bv line-length) + (display (string-append "-----BEGIN " type "-----\n") port) + (base64-encode bv 0 (bytevector-length bv) + line-length #f base64-alphabet port) + (display (string-append "\n-----END " type "-----\n") port)) + ((port type bv) + (put-delimited-base64 port type bv 76))))) \ No newline at end of file diff --git a/guix/scripts/substitute-binary.scm b/guix/scripts/substitute-binary.scm index 3aaa1c4..6fd2d02 100755 --- a/guix/scripts/substitute-binary.scm +++ b/guix/scripts/substitute-binary.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2014 Ludovic Courtès +;;; Copyright © 2014 Nikita Karetnikov ;;; ;;; This file is part of GNU Guix. ;;; @@ -23,6 +24,9 @@ #:use-module (guix config) #:use-module (guix records) #:use-module (guix nar) + #:use-module (guix base64) + #:use-module (guix pk-crypto) + #:use-module (guix pki) #:use-module ((guix build utils) #:select (mkdir-p)) #:use-module ((guix build download) #:select (progress-proc uri-abbreviation)) @@ -33,6 +37,7 @@ #:use-module (ice-9 format) #:use-module (ice-9 ftw) #:use-module (ice-9 binary-ports) + #:use-module (rnrs bytevectors) #:use-module (srfi srfi-1) #:use-module (srfi srfi-9) #:use-module (srfi srfi-11) @@ -40,7 +45,8 @@ #:use-module (srfi srfi-26) #:use-module (web uri) #:use-module (guix http-client) - #:export (guix-substitute-binary)) + #:export (parse-signature + guix-substitute-binary)) ;;; Comment: ;;; @@ -185,7 +191,7 @@ failure." (define-record-type (%make-narinfo path uri compression file-hash file-size nar-hash nar-size - references deriver system) + references deriver system signature) narinfo? (path narinfo-path) (uri narinfo-uri) @@ -196,12 +202,58 @@ failure." (nar-size narinfo-size) (references narinfo-references) (deriver narinfo-deriver) - (system narinfo-system)) + (system narinfo-system) + (signature narinfo-signature)) + +(define-record-type + ;; See the last paragraph of this commit message: + ;; , + ;; but keep in mind that Guix uses Libgcrypt (which uses the canonical + ;; S-expressions format) instead of OpenSSL. + (%make-signature version key-id body) + signature? + (version signature-version) + (key-id signature-key-id) + ;; The base64-encoded signature of the SHA-256 hash of the contents of the + ;; NAR info file up to but not including the Signature line. + (body signature-body)) + +;;; XXX: Is it reasonable to parse and verify at the same time? +(define* (parse-signature str #:optional (acl (current-acl))) + "Parse the Signature field of a NAR info file." + (let ((lst (string-split str #\;))) + (match lst + ((version id body) + (let* ((maybe-number (string->number version)) + ;; XXX: Can we assume UTF-8 here? Probably not. + (body* (string->canonical-sexp + (utf8->string (base64-decode body)))) + (key (signature-subject body*))) + ;; XXX: All these checks are subject to TOCTOU, can we do anything + ;; about it? Should we use file locking or 'catch'? I'm not sure. + ;; We are already screwed if someone can alter files owned by root, + ;; aren't we? + (cond ((not (number? maybe-number)) + (leave (_ "signature version must be a number: ~a~%") + maybe-number)) + ((not (= 1 maybe-number)) + (leave (_ "unsupported signature version: ~a~%") + maybe-number)) + ((not (authorized-key? key acl)) + (leave (_ "unauthorized public key: ~a~%") + (canonical-sexp->string key))) + ((not (valid-signature? body*)) + (leave (_ "invalid signature: ~a~%") + (canonical-sexp->string body*))) + (else + (%make-signature maybe-number id body*))))) + (x + (leave (_ "invalid format of the signature field: ~a~%") x))))) (define (narinfo-maker cache-url) "Return a narinfo constructor for narinfos originating from CACHE-URL." (lambda (path url compression file-hash file-size nar-hash nar-size - references deriver system) + references deriver system signature) "Return a new object." (%make-narinfo path @@ -217,7 +269,8 @@ failure." (match deriver ((or #f "") #f) (_ deriver)) - system))) + system + (parse-signature signature)))) (define* (read-narinfo port #:optional url) "Read a narinfo from PORT in its standard external form. If URL is true, it @@ -227,7 +280,7 @@ reading PORT." (narinfo-maker url) '("StorePath" "URL" "Compression" "FileHash" "FileSize" "NarHash" "NarSize" - "References" "Deriver" "System"))) + "References" "Deriver" "System" "Signature"))) (define (write-narinfo narinfo port) "Write NARINFO to PORT." @@ -254,7 +307,19 @@ reading PORT." ("References" . ,(compose string-join narinfo-references)) ("Deriver" . ,(compose empty-string-if-false narinfo-deriver)) - ("System" . ,narinfo-system)) + ("System" . ,narinfo-system) + ("Signature" . ,(lambda (narinfo) + (let ((sig (narinfo-signature narinfo))) + (string-append + (number->string (signature-version sig)) + ";" + (signature-key-id sig) + ";" + (base64-encode + ;; XXX: Can we assume UTF-8 here? + (string->utf8 + (canonical-sexp->string + (signature-body sig))))))))) port)) (define (narinfo->string narinfo) diff --git a/tests/substitute-binary.scm b/tests/substitute-binary.scm new file mode 100644 index 0000000..1d3ceec --- /dev/null +++ b/tests/substitute-binary.scm @@ -0,0 +1,117 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2014 Nikita Karetnikov +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (test-substitute-binary) + #:use-module (guix scripts substitute-binary) + #:use-module (guix base64) + #:use-module (guix hash) + #:use-module (guix pk-crypto) + #:use-module (guix pki) + #:use-module (rnrs bytevectors) + #:use-module ((srfi srfi-64) #:hide (test-error))) + +;; XXX: Replace with 'test-error' from SRFI-64 as soon as it allows to catch +;; specific exceptions. +(define (test-error name key thunk val) + "Test whether THUNK throws a particular error KEY, e.g., 'misc-error, by +comparing the expected VAL and the one returned by the handler. This +procedure assumes that THUNK itself will never return VAL, which is +error-prone but better than catching everything with 'test-error' from +SRFI-64." + (test-equal name val + (catch key + thunk + (const val)))) + +(define (test-error* name thunk) + ;; XXX: This catches all calls to 'exit', which is also error-prone, so it + ;; should be replaced in the future. + (test-error name 'quit thunk #t)) + +(define 1024-bit-rsa + (string->canonical-sexp "(genkey (rsa (nbits 4:1024)))")) + +(define %keypair + (generate-key 1024-bit-rsa)) + +(define %public-key + (find-sexp-token %keypair 'public-key)) + +(define %private-key + (find-sexp-token %keypair 'private-key)) + +(define %signature-body + ;; XXX: Can we assume UTF-8 here? + (base64-encode + (string->utf8 + (canonical-sexp->string + (signature-sexp (bytevector->hash-data (sha256 (string->utf8 "secret"))) + %private-key + %public-key))))) + +(define %wrong-public-key + (find-sexp-token (generate-key 1024-bit-rsa) 'public-key)) + +(define %wrong-signature + (let* ((body (string->canonical-sexp + (utf8->string + (base64-decode %signature-body)))) + (data (canonical-sexp->string (find-sexp-token body 'data))) + (sig-val (canonical-sexp->string (find-sexp-token body 'sig-val))) + (public-key (canonical-sexp->string %wrong-public-key)) + ;; XXX: Can we assume UTF-8 here? + (body* (base64-encode + (string->utf8 + (string-append "(signature \n" data sig-val + public-key " )\n"))))) + (string-append "1;irrelevant;" body*))) + +(define (signature str) + (string-append str ";irrelevant;" %signature-body)) + +(define %acl + (public-keys->acl (list %public-key))) + +(test-begin "parse-signature") + +(test-error* "not a number" + (lambda () + (parse-signature (signature "not-a-number") %acl))) + +(test-error* "wrong version number" + (lambda () + (parse-signature (signature "2") %acl))) + +(test-error* "unauthorized key" + (lambda () + (parse-signature (signature "1") (public-keys->acl '())))) + +(test-error* "invalid signature" + (lambda () + (parse-signature %wrong-signature + (public-keys->acl (list %wrong-public-key))))) + +(test-assert "valid" + (lambda () + (parse-signature (signature "1") %acl))) + +(test-error* "invalid signature format" + (lambda () + (parse-signature "no signature here" %acl))) + +(test-end "parse-signature") \ No newline at end of file