diff --git a/guix/base64.scm b/guix/base64.scm
new file mode 100644
index 0000000..f7f7f5f
--- /dev/null
+++ b/guix/base64.scm
@@ -0,0 +1,212 @@
+;; -*- mode: scheme; coding: utf-8 -*-
+;;
+;; This module was renamed from (weinholt text base64 (1 0 20100612)) to
+;; (guix base64) by Nikita Karetnikov
on
+;; February 12, 2014.
+;;
+;; Copyright © 2009, 2010 Göran Weinholt
+;;
+;; This program is free software: you can redistribute it and/or modify
+;; it under the terms of the GNU General Public License as published by
+;; the Free Software Foundation, either version 3 of the License, or
+;; (at your option) any later version.
+;;
+;; This program is distributed in the hope that it will be useful,
+;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;; GNU General Public License for more details.
+;;
+;; You should have received a copy of the GNU General Public License
+;; along with this program. If not, see .
+#!r6rs
+
+;; RFC 4648 Base-N Encodings
+
+(library (guix base64)
+ (export base64-encode
+ base64-decode
+ base64-alphabet
+ base64url-alphabet
+ get-delimited-base64
+ put-delimited-base64)
+ (import (rnrs)
+ (only (srfi :13 strings)
+ string-index
+ string-prefix? string-suffix?
+ string-concatenate string-trim-both))
+
+ (define base64-alphabet
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")
+
+ (define base64url-alphabet
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")
+
+ (define base64-encode
+ (case-lambda
+ ;; Simple interface. Returns a string containing the canonical
+ ;; base64 representation of the given bytevector.
+ ((bv)
+ (base64-encode bv 0 (bytevector-length bv) #f #f base64-alphabet #f))
+ ((bv start)
+ (base64-encode bv start (bytevector-length bv) #f #f base64-alphabet #f))
+ ((bv start end)
+ (base64-encode bv start end #f #f base64-alphabet #f))
+ ((bv start end line-length)
+ (base64-encode bv start end line-length #f base64-alphabet #f))
+ ((bv start end line-length no-padding)
+ (base64-encode bv start end line-length no-padding base64-alphabet #f))
+ ((bv start end line-length no-padding alphabet)
+ (base64-encode bv start end line-length no-padding alphabet #f))
+ ;; Base64 encodes the bytes [start,end[ in the given bytevector.
+ ;; Lines are limited to line-length characters (unless #f),
+ ;; which must be a multiple of four. To omit the padding
+ ;; characters (#\=) set no-padding to a true value. If port is
+ ;; #f, returns a string.
+ ((bv start end line-length no-padding alphabet port)
+ (assert (or (not line-length) (zero? (mod line-length 4))))
+ (let-values (((p extract) (if port
+ (values port (lambda () (values)))
+ (open-string-output-port))))
+ (letrec ((put (if line-length
+ (let ((chars 0))
+ (lambda (p c)
+ (when (fx=? chars line-length)
+ (set! chars 0)
+ (put-char p #\linefeed))
+ (set! chars (fx+ chars 1))
+ (put-char p c)))
+ put-char)))
+ (let lp ((i start))
+ (cond ((= i end))
+ ((<= (+ i 3) end)
+ (let ((x (bytevector-uint-ref bv i (endianness big) 3)))
+ (put p (string-ref alphabet (fxbit-field x 18 24)))
+ (put p (string-ref alphabet (fxbit-field x 12 18)))
+ (put p (string-ref alphabet (fxbit-field x 6 12)))
+ (put p (string-ref alphabet (fxbit-field x 0 6)))
+ (lp (+ i 3))))
+ ((<= (+ i 2) end)
+ (let ((x (fxarithmetic-shift-left (bytevector-u16-ref bv i (endianness big)) 8)))
+ (put p (string-ref alphabet (fxbit-field x 18 24)))
+ (put p (string-ref alphabet (fxbit-field x 12 18)))
+ (put p (string-ref alphabet (fxbit-field x 6 12)))
+ (unless no-padding
+ (put p #\=))))
+ (else
+ (let ((x (fxarithmetic-shift-left (bytevector-u8-ref bv i) 16)))
+ (put p (string-ref alphabet (fxbit-field x 18 24)))
+ (put p (string-ref alphabet (fxbit-field x 12 18)))
+ (unless no-padding
+ (put p #\=)
+ (put p #\=)))))))
+ (extract)))))
+
+ ;; Decodes a base64 string. The string must contain only pure
+ ;; unpadded base64 data.
+ (define base64-decode
+ (case-lambda
+ ((str)
+ (base64-decode str base64-alphabet #f))
+ ((str alphabet)
+ (base64-decode str alphabet #f))
+ ((str alphabet port)
+ (unless (zero? (mod (string-length str) 4))
+ (error 'base64-decode
+ "input string must be a multiple of four characters"))
+ (let-values (((p extract) (if port
+ (values port (lambda () (values)))
+ (open-bytevector-output-port))))
+ (do ((i 0 (+ i 4)))
+ ((= i (string-length str))
+ (extract))
+ (let ((c1 (string-ref str i))
+ (c2 (string-ref str (+ i 1)))
+ (c3 (string-ref str (+ i 2)))
+ (c4 (string-ref str (+ i 3))))
+ ;; TODO: be more clever than string-index
+ (let ((i1 (string-index alphabet c1))
+ (i2 (string-index alphabet c2))
+ (i3 (string-index alphabet c3))
+ (i4 (string-index alphabet c4)))
+ (cond ((and i1 i2 i3 i4)
+ (let ((x (fxior (fxarithmetic-shift-left i1 18)
+ (fxarithmetic-shift-left i2 12)
+ (fxarithmetic-shift-left i3 6)
+ i4)))
+ (put-u8 p (fxbit-field x 16 24))
+ (put-u8 p (fxbit-field x 8 16))
+ (put-u8 p (fxbit-field x 0 8))))
+ ((and i1 i2 i3 (char=? c4 #\=)
+ (= i (- (string-length str) 4)))
+ (let ((x (fxior (fxarithmetic-shift-left i1 18)
+ (fxarithmetic-shift-left i2 12)
+ (fxarithmetic-shift-left i3 6))))
+ (put-u8 p (fxbit-field x 16 24))
+ (put-u8 p (fxbit-field x 8 16))))
+ ((and i1 i2 (char=? c3 #\=) (char=? c4 #\=)
+ (= i (- (string-length str) 4)))
+ (let ((x (fxior (fxarithmetic-shift-left i1 18)
+ (fxarithmetic-shift-left i2 12))))
+ (put-u8 p (fxbit-field x 16 24))))
+ (else
+ (error 'base64-decode "invalid input"
+ (list c1 c2 c3 c4)))))))))))
+
+ (define (get-line-comp f port)
+ (if (port-eof? port)
+ (eof-object)
+ (f (get-line port))))
+
+ ;; Reads the common -----BEGIN/END type----- delimited format from
+ ;; the given port. Returns two values: a string with the type and a
+ ;; bytevector containing the base64 decoded data. The second value
+ ;; is the eof object if there is an eof before the BEGIN delimiter.
+ (define (get-delimited-base64 port)
+ (define (get-first-data-line port)
+ ;; Some MIME data has header fields in the same format as mail
+ ;; or http. These are ignored.
+ (let ((line (get-line-comp string-trim-both port)))
+ (cond ((eof-object? line) line)
+ ((string-index line #\:)
+ (let lp () ;read until empty line
+ (let ((line (get-line-comp string-trim-both port)))
+ (if (string=? line "")
+ (get-line-comp string-trim-both port)
+ (lp)))))
+ (else line))))
+ (let ((line (get-line-comp string-trim-both port)))
+ (cond ((eof-object? line)
+ (values "" (eof-object)))
+ ((string=? line "")
+ (get-delimited-base64 port))
+ ((and (string-prefix? "-----BEGIN " line)
+ (string-suffix? "-----" line))
+ (let* ((type (substring line 11 (- (string-length line) 5)))
+ (endline (string-append "-----END " type "-----")))
+ (let-values (((outp extract) (open-bytevector-output-port)))
+ (let lp ((line (get-first-data-line port)))
+ (cond ((eof-object? line)
+ (error 'get-delimited-base64
+ "unexpected end of file"))
+ ((string-prefix? "-" line)
+ (unless (string=? line endline)
+ (error 'get-delimited-base64
+ "bad end delimiter" type line))
+ (values type (extract)))
+ (else
+ (unless (and (= (string-length line) 5)
+ (string-prefix? "=" line)) ;Skip Radix-64 checksum
+ (base64-decode line base64-alphabet outp))
+ (lp (get-line-comp string-trim-both port))))))))
+ (else ;skip garbage (like in openssl x509 -in foo -text output).
+ (get-delimited-base64 port)))))
+
+ (define put-delimited-base64
+ (case-lambda
+ ((port type bv line-length)
+ (display (string-append "-----BEGIN " type "-----\n") port)
+ (base64-encode bv 0 (bytevector-length bv)
+ line-length #f base64-alphabet port)
+ (display (string-append "\n-----END " type "-----\n") port))
+ ((port type bv)
+ (put-delimited-base64 port type bv 76)))))
\ No newline at end of file
diff --git a/guix/scripts/substitute-binary.scm b/guix/scripts/substitute-binary.scm
index 3aaa1c4..6fd2d02 100755
--- a/guix/scripts/substitute-binary.scm
+++ b/guix/scripts/substitute-binary.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2014 Ludovic Courtès
+;;; Copyright © 2014 Nikita Karetnikov
;;;
;;; This file is part of GNU Guix.
;;;
@@ -23,6 +24,9 @@
#:use-module (guix config)
#:use-module (guix records)
#:use-module (guix nar)
+ #:use-module (guix base64)
+ #:use-module (guix pk-crypto)
+ #:use-module (guix pki)
#:use-module ((guix build utils) #:select (mkdir-p))
#:use-module ((guix build download)
#:select (progress-proc uri-abbreviation))
@@ -33,6 +37,7 @@
#:use-module (ice-9 format)
#:use-module (ice-9 ftw)
#:use-module (ice-9 binary-ports)
+ #:use-module (rnrs bytevectors)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
#:use-module (srfi srfi-11)
@@ -40,7 +45,8 @@
#:use-module (srfi srfi-26)
#:use-module (web uri)
#:use-module (guix http-client)
- #:export (guix-substitute-binary))
+ #:export (parse-signature
+ guix-substitute-binary))
;;; Comment:
;;;
@@ -185,7 +191,7 @@ failure."
(define-record-type
(%make-narinfo path uri compression file-hash file-size nar-hash nar-size
- references deriver system)
+ references deriver system signature)
narinfo?
(path narinfo-path)
(uri narinfo-uri)
@@ -196,12 +202,58 @@ failure."
(nar-size narinfo-size)
(references narinfo-references)
(deriver narinfo-deriver)
- (system narinfo-system))
+ (system narinfo-system)
+ (signature narinfo-signature))
+
+(define-record-type
+ ;; See the last paragraph of this commit message:
+ ;; ,
+ ;; but keep in mind that Guix uses Libgcrypt (which uses the canonical
+ ;; S-expressions format) instead of OpenSSL.
+ (%make-signature version key-id body)
+ signature?
+ (version signature-version)
+ (key-id signature-key-id)
+ ;; The base64-encoded signature of the SHA-256 hash of the contents of the
+ ;; NAR info file up to but not including the Signature line.
+ (body signature-body))
+
+;;; XXX: Is it reasonable to parse and verify at the same time?
+(define* (parse-signature str #:optional (acl (current-acl)))
+ "Parse the Signature field of a NAR info file."
+ (let ((lst (string-split str #\;)))
+ (match lst
+ ((version id body)
+ (let* ((maybe-number (string->number version))
+ ;; XXX: Can we assume UTF-8 here? Probably not.
+ (body* (string->canonical-sexp
+ (utf8->string (base64-decode body))))
+ (key (signature-subject body*)))
+ ;; XXX: All these checks are subject to TOCTOU, can we do anything
+ ;; about it? Should we use file locking or 'catch'? I'm not sure.
+ ;; We are already screwed if someone can alter files owned by root,
+ ;; aren't we?
+ (cond ((not (number? maybe-number))
+ (leave (_ "signature version must be a number: ~a~%")
+ maybe-number))
+ ((not (= 1 maybe-number))
+ (leave (_ "unsupported signature version: ~a~%")
+ maybe-number))
+ ((not (authorized-key? key acl))
+ (leave (_ "unauthorized public key: ~a~%")
+ (canonical-sexp->string key)))
+ ((not (valid-signature? body*))
+ (leave (_ "invalid signature: ~a~%")
+ (canonical-sexp->string body*)))
+ (else
+ (%make-signature maybe-number id body*)))))
+ (x
+ (leave (_ "invalid format of the signature field: ~a~%") x)))))
(define (narinfo-maker cache-url)
"Return a narinfo constructor for narinfos originating from CACHE-URL."
(lambda (path url compression file-hash file-size nar-hash nar-size
- references deriver system)
+ references deriver system signature)
"Return a new object."
(%make-narinfo path
@@ -217,7 +269,8 @@ failure."
(match deriver
((or #f "") #f)
(_ deriver))
- system)))
+ system
+ (parse-signature signature))))
(define* (read-narinfo port #:optional url)
"Read a narinfo from PORT in its standard external form. If URL is true, it
@@ -227,7 +280,7 @@ reading PORT."
(narinfo-maker url)
'("StorePath" "URL" "Compression"
"FileHash" "FileSize" "NarHash" "NarSize"
- "References" "Deriver" "System")))
+ "References" "Deriver" "System" "Signature")))
(define (write-narinfo narinfo port)
"Write NARINFO to PORT."
@@ -254,7 +307,19 @@ reading PORT."
("References" . ,(compose string-join narinfo-references))
("Deriver" . ,(compose empty-string-if-false
narinfo-deriver))
- ("System" . ,narinfo-system))
+ ("System" . ,narinfo-system)
+ ("Signature" . ,(lambda (narinfo)
+ (let ((sig (narinfo-signature narinfo)))
+ (string-append
+ (number->string (signature-version sig))
+ ";"
+ (signature-key-id sig)
+ ";"
+ (base64-encode
+ ;; XXX: Can we assume UTF-8 here?
+ (string->utf8
+ (canonical-sexp->string
+ (signature-body sig)))))))))
port))
(define (narinfo->string narinfo)
diff --git a/tests/substitute-binary.scm b/tests/substitute-binary.scm
new file mode 100644
index 0000000..1d3ceec
--- /dev/null
+++ b/tests/substitute-binary.scm
@@ -0,0 +1,117 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2014 Nikita Karetnikov
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see .
+
+(define-module (test-substitute-binary)
+ #:use-module (guix scripts substitute-binary)
+ #:use-module (guix base64)
+ #:use-module (guix hash)
+ #:use-module (guix pk-crypto)
+ #:use-module (guix pki)
+ #:use-module (rnrs bytevectors)
+ #:use-module ((srfi srfi-64) #:hide (test-error)))
+
+;; XXX: Replace with 'test-error' from SRFI-64 as soon as it allows to catch
+;; specific exceptions.
+(define (test-error name key thunk val)
+ "Test whether THUNK throws a particular error KEY, e.g., 'misc-error, by
+comparing the expected VAL and the one returned by the handler. This
+procedure assumes that THUNK itself will never return VAL, which is
+error-prone but better than catching everything with 'test-error' from
+SRFI-64."
+ (test-equal name val
+ (catch key
+ thunk
+ (const val))))
+
+(define (test-error* name thunk)
+ ;; XXX: This catches all calls to 'exit', which is also error-prone, so it
+ ;; should be replaced in the future.
+ (test-error name 'quit thunk #t))
+
+(define 1024-bit-rsa
+ (string->canonical-sexp "(genkey (rsa (nbits 4:1024)))"))
+
+(define %keypair
+ (generate-key 1024-bit-rsa))
+
+(define %public-key
+ (find-sexp-token %keypair 'public-key))
+
+(define %private-key
+ (find-sexp-token %keypair 'private-key))
+
+(define %signature-body
+ ;; XXX: Can we assume UTF-8 here?
+ (base64-encode
+ (string->utf8
+ (canonical-sexp->string
+ (signature-sexp (bytevector->hash-data (sha256 (string->utf8 "secret")))
+ %private-key
+ %public-key)))))
+
+(define %wrong-public-key
+ (find-sexp-token (generate-key 1024-bit-rsa) 'public-key))
+
+(define %wrong-signature
+ (let* ((body (string->canonical-sexp
+ (utf8->string
+ (base64-decode %signature-body))))
+ (data (canonical-sexp->string (find-sexp-token body 'data)))
+ (sig-val (canonical-sexp->string (find-sexp-token body 'sig-val)))
+ (public-key (canonical-sexp->string %wrong-public-key))
+ ;; XXX: Can we assume UTF-8 here?
+ (body* (base64-encode
+ (string->utf8
+ (string-append "(signature \n" data sig-val
+ public-key " )\n")))))
+ (string-append "1;irrelevant;" body*)))
+
+(define (signature str)
+ (string-append str ";irrelevant;" %signature-body))
+
+(define %acl
+ (public-keys->acl (list %public-key)))
+
+(test-begin "parse-signature")
+
+(test-error* "not a number"
+ (lambda ()
+ (parse-signature (signature "not-a-number") %acl)))
+
+(test-error* "wrong version number"
+ (lambda ()
+ (parse-signature (signature "2") %acl)))
+
+(test-error* "unauthorized key"
+ (lambda ()
+ (parse-signature (signature "1") (public-keys->acl '()))))
+
+(test-error* "invalid signature"
+ (lambda ()
+ (parse-signature %wrong-signature
+ (public-keys->acl (list %wrong-public-key)))))
+
+(test-assert "valid"
+ (lambda ()
+ (parse-signature (signature "1") %acl)))
+
+(test-error* "invalid signature format"
+ (lambda ()
+ (parse-signature "no signature here" %acl)))
+
+(test-end "parse-signature")
\ No newline at end of file