2016-02-16 15:38:44 +00:00
|
|
|
#include "crypto.hh"
|
|
|
|
#include "util.hh"
|
2016-03-29 12:29:50 +00:00
|
|
|
#include "globals.hh"
|
2016-02-16 15:38:44 +00:00
|
|
|
|
|
|
|
#include <sodium.h>
|
|
|
|
|
|
|
|
namespace nix {
|
|
|
|
|
2021-01-06 16:04:46 +00:00
|
|
|
static std::pair<std::string_view, std::string_view> split(std::string_view s)
|
2016-02-16 15:38:44 +00:00
|
|
|
{
|
|
|
|
size_t colon = s.find(':');
|
|
|
|
if (colon == std::string::npos || colon == 0)
|
|
|
|
return {"", ""};
|
2021-01-06 16:04:46 +00:00
|
|
|
return {s.substr(0, colon), s.substr(colon + 1)};
|
2016-02-16 15:38:44 +00:00
|
|
|
}
|
|
|
|
|
2021-01-06 16:04:46 +00:00
|
|
|
Key::Key(std::string_view s)
|
2016-02-16 15:38:44 +00:00
|
|
|
{
|
|
|
|
auto ss = split(s);
|
|
|
|
|
|
|
|
name = ss.first;
|
|
|
|
key = ss.second;
|
|
|
|
|
|
|
|
if (name == "" || key == "")
|
|
|
|
throw Error("secret key is corrupt");
|
|
|
|
|
|
|
|
key = base64Decode(key);
|
|
|
|
}
|
|
|
|
|
2021-01-06 16:04:46 +00:00
|
|
|
std::string Key::to_string() const
|
|
|
|
{
|
|
|
|
return name + ":" + base64Encode(key);
|
|
|
|
}
|
|
|
|
|
|
|
|
SecretKey::SecretKey(std::string_view s)
|
2016-02-16 15:38:44 +00:00
|
|
|
: Key(s)
|
|
|
|
{
|
|
|
|
if (key.size() != crypto_sign_SECRETKEYBYTES)
|
|
|
|
throw Error("secret key is not valid");
|
|
|
|
}
|
|
|
|
|
2021-01-06 16:04:46 +00:00
|
|
|
std::string SecretKey::signDetached(std::string_view data) const
|
2016-02-16 15:38:44 +00:00
|
|
|
{
|
|
|
|
unsigned char sig[crypto_sign_BYTES];
|
|
|
|
unsigned long long sigLen;
|
|
|
|
crypto_sign_detached(sig, &sigLen, (unsigned char *) data.data(), data.size(),
|
|
|
|
(unsigned char *) key.data());
|
|
|
|
return name + ":" + base64Encode(std::string((char *) sig, sigLen));
|
|
|
|
}
|
|
|
|
|
2016-03-04 16:08:30 +00:00
|
|
|
PublicKey SecretKey::toPublicKey() const
|
|
|
|
{
|
|
|
|
unsigned char pk[crypto_sign_PUBLICKEYBYTES];
|
|
|
|
crypto_sign_ed25519_sk_to_pk(pk, (unsigned char *) key.data());
|
|
|
|
return PublicKey(name, std::string((char *) pk, crypto_sign_PUBLICKEYBYTES));
|
|
|
|
}
|
|
|
|
|
2021-01-06 16:04:46 +00:00
|
|
|
SecretKey SecretKey::generate(std::string_view name)
|
|
|
|
{
|
|
|
|
unsigned char pk[crypto_sign_PUBLICKEYBYTES];
|
|
|
|
unsigned char sk[crypto_sign_SECRETKEYBYTES];
|
|
|
|
if (crypto_sign_keypair(pk, sk) != 0)
|
|
|
|
throw Error("key generation failed");
|
|
|
|
|
|
|
|
return SecretKey(name, std::string((char *) sk, crypto_sign_SECRETKEYBYTES));
|
|
|
|
}
|
|
|
|
|
|
|
|
PublicKey::PublicKey(std::string_view s)
|
2016-02-16 15:38:44 +00:00
|
|
|
: Key(s)
|
|
|
|
{
|
|
|
|
if (key.size() != crypto_sign_PUBLICKEYBYTES)
|
|
|
|
throw Error("public key is not valid");
|
|
|
|
}
|
|
|
|
|
|
|
|
bool verifyDetached(const std::string & data, const std::string & sig,
|
|
|
|
const PublicKeys & publicKeys)
|
|
|
|
{
|
|
|
|
auto ss = split(sig);
|
|
|
|
|
2021-01-06 16:04:46 +00:00
|
|
|
auto key = publicKeys.find(std::string(ss.first));
|
2016-02-16 15:38:44 +00:00
|
|
|
if (key == publicKeys.end()) return false;
|
|
|
|
|
|
|
|
auto sig2 = base64Decode(ss.second);
|
|
|
|
if (sig2.size() != crypto_sign_BYTES)
|
|
|
|
throw Error("signature is not valid");
|
|
|
|
|
|
|
|
return crypto_sign_verify_detached((unsigned char *) sig2.data(),
|
|
|
|
(unsigned char *) data.data(), data.size(),
|
|
|
|
(unsigned char *) key->second.key.data()) == 0;
|
|
|
|
}
|
|
|
|
|
2016-03-29 12:29:50 +00:00
|
|
|
PublicKeys getDefaultPublicKeys()
|
|
|
|
{
|
|
|
|
PublicKeys publicKeys;
|
2016-04-07 13:07:00 +00:00
|
|
|
|
|
|
|
// FIXME: filter duplicates
|
|
|
|
|
2017-11-20 16:29:54 +00:00
|
|
|
for (auto s : settings.trustedPublicKeys.get()) {
|
2016-03-29 12:29:50 +00:00
|
|
|
PublicKey key(s);
|
|
|
|
publicKeys.emplace(key.name, key);
|
|
|
|
}
|
2016-04-07 13:07:00 +00:00
|
|
|
|
2017-04-13 18:53:23 +00:00
|
|
|
for (auto secretKeyFile : settings.secretKeyFiles.get()) {
|
2016-04-07 13:07:00 +00:00
|
|
|
try {
|
|
|
|
SecretKey secretKey(readFile(secretKeyFile));
|
|
|
|
publicKeys.emplace(secretKey.name, secretKey.toPublicKey());
|
|
|
|
} catch (SysError & e) {
|
|
|
|
/* Ignore unreadable key files. That's normal in a
|
|
|
|
multi-user installation. */
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-03-29 12:29:50 +00:00
|
|
|
return publicKeys;
|
|
|
|
}
|
|
|
|
|
2016-02-16 15:38:44 +00:00
|
|
|
}
|