wroclaw-git-backups/nix
1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-07-07 10:11:47 +02:00
Code Activity

Remove OpenSSL-based signing

Browse source
This commit is contained in:
Eelco Dolstra 2016-05-03 15:11:14 +02:00
parent dfebfc835f
commit f435f82475
16 changed files with 52 additions and 142 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/libstore/binary-cache-store.cc
View file

@ -156,10 +156,8 @@ void BinaryCacheStore::narFromPath(const Path & storePath, Sink & sink)
sink((unsigned char *) nar->c_str(), nar->size());
}
void BinaryCacheStore::exportPath(const Path & storePath, bool sign, Sink & sink)
void BinaryCacheStore::exportPath(const Path & storePath, Sink & sink)
{
assert(!sign);
auto res = queryPathInfo(storePath);
narFromPath(storePath, sink);
@ -169,10 +167,9 @@ void BinaryCacheStore::exportPath(const Path & storePath, bool sign, Sink & sink
sink << exportMagic << storePath << res->references << res->deriver << 0;
}
Paths BinaryCacheStore::importPaths(bool requireSignature, Source & source,
Paths BinaryCacheStore::importPaths(Source & source,
std::shared_ptr<FSAccessor> accessor)
{
assert(!requireSignature);
Paths res;
while (true) {
unsigned long long n = readLongLong(source);
@ -346,7 +343,7 @@ struct BinaryCacheStoreAccessor : public FSAccessor
if (i != nars.end()) return {i->second, restPath};
StringSink sink;
store->exportPath(storePath, false, sink);
store->exportPath(storePath, sink);
auto accessor = makeNarAccessor(sink.s);
nars.emplace(storePath, accessor);

4
src/libstore/binary-cache-store.hh
View file

@ -91,9 +91,9 @@ public:
void narFromPath(const Path & path, Sink & sink) override;
void exportPath(const Path & path, bool sign, Sink & sink) override;
void exportPath(const Path & path, Sink & sink) override;
Paths importPaths(bool requireSignature, Source & source,
Paths importPaths(Source & source,
std::shared_ptr<FSAccessor> accessor) override;
Path importPath(Source & source, std::shared_ptr<FSAccessor> accessor);

77
src/libstore/local-store.cc
View file

@ -1035,18 +1035,7 @@ struct HashAndWriteSink : Sink
};
static void checkSecrecy(const Path & path)
{
struct stat st;
if (stat(path.c_str(), &st))
throw SysError(format("getting status of %1%") % path);
if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
throw Error(format("file %1% should be secret (inaccessible to everybody else)!") % path);
}
void LocalStore::exportPath(const Path & path, bool sign,
Sink & sink)
void LocalStore::exportPath(const Path & path, Sink & sink)
{
assertStorePath(path);
@ -1068,30 +1057,7 @@ void LocalStore::exportPath(const Path & path, bool sign,
hashAndWriteSink << exportMagic << path << info->references << info->deriver;
if (sign) {
Hash hash = hashAndWriteSink.currentHash();
Path tmpDir = createTempDir();
AutoDelete delTmp(tmpDir);
Path hashFile = tmpDir + "/hash";
writeFile(hashFile, printHash(hash));
Path secretKey = settings.nixConfDir + "/signing-key.sec";
checkSecrecy(secretKey);
Strings args;
args.push_back("rsautl");
args.push_back("-sign");
args.push_back("-inkey");
args.push_back(secretKey);
args.push_back("-in");
args.push_back(hashFile);
string signature = runProgram(OPENSSL_PATH, true, args);
hashAndWriteSink << 1 << signature;
} else
hashAndWriteSink << 0;
hashAndWriteSink << 0; // backwards compatibility
}
@ -1129,7 +1095,7 @@ Path LocalStore::createTempDirInStore()
}
Path LocalStore::importPath(bool requireSignature, Source & source)
Path LocalStore::importPath(Source & source)
{
HashAndReadSource hashAndReadSource(source);
@ -1160,36 +1126,9 @@ Path LocalStore::importPath(bool requireSignature, Source & source)
bool haveSignature = readInt(hashAndReadSource) == 1;
if (requireSignature && !haveSignature)
throw Error(format("imported archive of %1% lacks a signature") % dstPath);
if (haveSignature) {
string signature = readString(hashAndReadSource);
if (requireSignature) {
Path sigFile = tmpDir + "/sig";
writeFile(sigFile, signature);
Strings args;
args.push_back("rsautl");
args.push_back("-verify");
args.push_back("-inkey");
args.push_back(settings.nixConfDir + "/signing-key.pub");
args.push_back("-pubin");
args.push_back("-in");
args.push_back(sigFile);
string hash2 = runProgram(OPENSSL_PATH, true, args);
/* Note: runProgram() throws an exception if the signature
is invalid. */
if (printHash(hash) != hash2)
throw Error(
"signed hash doesn't match actual contents of imported "
"archive; archive could be corrupt, or someone is trying "
"to import a Trojan horse");
}
}
if (haveSignature)
// Ignore legacy signature.
readString(hashAndReadSource);
/* Do the actual import. */
@ -1239,7 +1178,7 @@ Path LocalStore::importPath(bool requireSignature, Source & source)
}
Paths LocalStore::importPaths(bool requireSignature, Source & source,
Paths LocalStore::importPaths(Source & source,
std::shared_ptr<FSAccessor> accessor)
{
Paths res;
@ -1247,7 +1186,7 @@ Paths LocalStore::importPaths(bool requireSignature, Source & source,
unsigned long long n = readLongLong(source);
if (n == 0) break;
if (n != 1) throw Error("input doesn't look like something created by nix-store --export");
res.push_back(importPath(requireSignature, source));
res.push_back(importPath(source));
}
return res;
}

7
src/libstore/local-store.hh
View file

@ -126,10 +126,9 @@ public:
Path addTextToStore(const string & name, const string & s,
const PathSet & references, bool repair = false) override;
void exportPath(const Path & path, bool sign,
Sink & sink) override;
void exportPath(const Path & path, Sink & sink) override;
Paths importPaths(bool requireSignature, Source & source,
Paths importPaths(Source & source,
std::shared_ptr<FSAccessor> accessor) override;
void buildPaths(const PathSet & paths, BuildMode buildMode) override;
@ -230,7 +229,7 @@ private:
Path createTempDirInStore();
Path importPath(bool requireSignature, Source & source);
Path importPath(Source & source);
void checkDerivationOutputs(const Path & drvPath, const Derivation & drv);

9
src/libstore/remote-store.cc
View file

@ -373,23 +373,20 @@ Path RemoteStore::addTextToStore(const string & name, const string & s,
}
void RemoteStore::exportPath(const Path & path, bool sign,
Sink & sink)
void RemoteStore::exportPath(const Path & path, Sink & sink)
{
auto conn(connections->get());
conn->to << wopExportPath << path << (sign ? 1 : 0);
conn->to << wopExportPath << path << 0;
conn->processStderr(&sink); /* sink receives the actual data */
readInt(conn->from);
}
Paths RemoteStore::importPaths(bool requireSignature, Source & source,
Paths RemoteStore::importPaths(Source & source,
std::shared_ptr<FSAccessor> accessor)
{
auto conn(connections->get());
conn->to << wopImportPaths;
/* We ignore requireSignature, since the worker forces it to true
anyway. */
conn->processStderr(0, &source);
return readStorePaths<Paths>(conn->from);
}

5
src/libstore/remote-store.hh
View file

@ -58,10 +58,9 @@ public:
Path addTextToStore(const string & name, const string & s,
const PathSet & references, bool repair = false) override;
void exportPath(const Path & path, bool sign,
Sink & sink) override;
void exportPath(const Path & path, Sink & sink) override;
Paths importPaths(bool requireSignature, Source & source,
Paths importPaths(Source & source,
std::shared_ptr<FSAccessor> accessor) override;
void buildPaths(const PathSet & paths, BuildMode buildMode) override;

9
src/libstore/store-api.cc
View file

@ -363,10 +363,10 @@ void copyStorePath(ref<Store> srcStore, ref<Store> dstStore,
auto info = srcStore->queryPathInfo(storePath);
StringSink sink;
srcStore->exportPaths({storePath}, false, sink);
srcStore->exportPaths({storePath}, sink);
StringSource source(*sink.s);
dstStore->importPaths(false, source, 0);
dstStore->importPaths(source, 0);
}
@ -406,12 +406,11 @@ string showPaths(const PathSet & paths)
}
void Store::exportPaths(const Paths & paths,
bool sign, Sink & sink)
void Store::exportPaths(const Paths & paths, Sink & sink)
{
for (auto & i : paths) {
sink << 1;
exportPath(i, sign, sink);
exportPath(i, sink);
}
sink << 0;
}

11
src/libstore/store-api.hh
View file

@ -270,21 +270,18 @@ public:
virtual void narFromPath(const Path & path, Sink & sink) = 0;
/* Export a store path, that is, create a NAR dump of the store
path and append its references and its deriver. Optionally, a
cryptographic signature (created by OpenSSL) of the preceding
data is attached. */
virtual void exportPath(const Path & path, bool sign,
Sink & sink) = 0;
path and append its references and its deriver. */
virtual void exportPath(const Path & path, Sink & sink) = 0;
/* Export multiple paths in the format expected by nix-store
--import. */
void exportPaths(const Paths & paths, bool sign, Sink & sink);
void exportPaths(const Paths & paths, Sink & sink);
/* Import a sequence of NAR dumps created by exportPaths() into
the Nix store. Optionally, the contents of the NARs are
preloaded into the specified FS accessor to speed up subsequent
access. */
virtual Paths importPaths(bool requireSignature, Source & source,
virtual Paths importPaths(Source & source,
std::shared_ptr<FSAccessor> accessor) = 0;
/* For each path, if it's a derivation, build it. Building a

6
src/nix-daemon/nix-daemon.cc
View file

@ -312,10 +312,10 @@ static void performOp(ref<LocalStore> store, bool trusted, unsigned int clientVe
case wopExportPath: {
Path path = readStorePath(from);
bool sign = readInt(from) == 1;
readInt(from); // obsolete
startWork();
TunnelSink sink(to);
store->exportPath(path, sign, sink);
store->exportPath(path, sink);
stopWork();
to << 1;
break;
@ -324,7 +324,7 @@ static void performOp(ref<LocalStore> store, bool trusted, unsigned int clientVe
case wopImportPaths: {
startWork();
TunnelSource source(from);
Paths paths = store->importPaths(!trusted, source, 0);
Paths paths = store->importPaths(source, 0);
stopWork();
to << paths;
break;

18
src/nix-store/nix-store.cc
View file

@ -699,29 +699,25 @@ static void opRestore(Strings opFlags, Strings opArgs)
static void opExport(Strings opFlags, Strings opArgs)
{
bool sign = false;
for (auto & i : opFlags)
if (i == "--sign") sign = true;
else throw UsageError(format("unknown flag %1%") % i);
throw UsageError(format("unknown flag %1%") % i);
FdSink sink(STDOUT_FILENO);
Paths sorted = store->topoSortPaths(PathSet(opArgs.begin(), opArgs.end()));
reverse(sorted.begin(), sorted.end());
store->exportPaths(sorted, sign, sink);
store->exportPaths(sorted, sink);
}
static void opImport(Strings opFlags, Strings opArgs)
{
bool requireSignature = false;
for (auto & i : opFlags)
if (i == "--require-signature") requireSignature = true;
else throw UsageError(format("unknown flag %1%") % i);
throw UsageError(format("unknown flag %1%") % i);
if (!opArgs.empty()) throw UsageError("no arguments expected");
FdSource source(STDIN_FILENO);
Paths paths = store->importPaths(requireSignature, source, 0);
Paths paths = store->importPaths(source, 0);
for (auto & i : paths)
cout << format("%1%\n") % i << std::flush;
@ -909,16 +905,16 @@ static void opServe(Strings opFlags, Strings opArgs)
case cmdImportPaths: {
if (!writeAllowed) throw Error("importing paths is not allowed");
store->importPaths(false, in, 0);
store->importPaths(in, 0);
out << 1; // indicate success
break;
}
case cmdExportPaths: {
bool sign = readInt(in);
readInt(in); // obsolete
Paths sorted = store->topoSortPaths(readStorePaths<PathSet>(in));
reverse(sorted.begin(), sorted.end());
store->exportPaths(sorted, sign, out);
store->exportPaths(sorted, out);
break;
}