diff --git a/tvix/nix-compat/src/narinfo/mod.rs b/tvix/nix-compat/src/narinfo/mod.rs index b1c10bceb..1b657d0b1 100644 --- a/tvix/nix-compat/src/narinfo/mod.rs +++ b/tvix/nix-compat/src/narinfo/mod.rs @@ -27,13 +27,12 @@ use std::{ use crate::{nixbase32, nixhash::CAHash, store_path::StorePathRef}; mod fingerprint; -mod public_keys; mod signature; +mod verifying_keys; pub use fingerprint::fingerprint; - -pub use public_keys::{Error as PubKeyError, PubKey}; pub use signature::{Error as SignatureError, Signature}; +pub use verifying_keys::{Error as VerifyingKeyError, VerifyingKey}; #[derive(Debug)] pub struct NarInfo<'a> { diff --git a/tvix/nix-compat/src/narinfo/public_keys.rs b/tvix/nix-compat/src/narinfo/verifying_keys.rs similarity index 88% rename from tvix/nix-compat/src/narinfo/public_keys.rs rename to tvix/nix-compat/src/narinfo/verifying_keys.rs index 4739f4fc9..b8ed2b953 100644 --- a/tvix/nix-compat/src/narinfo/public_keys.rs +++ b/tvix/nix-compat/src/narinfo/verifying_keys.rs @@ -4,7 +4,7 @@ use std::fmt::Display; use data_encoding::BASE64; -use ed25519_dalek::{VerifyingKey, PUBLIC_KEY_LENGTH}; +use ed25519_dalek::PUBLIC_KEY_LENGTH; use super::Signature; @@ -12,13 +12,13 @@ use super::Signature; /// These are normally passed in the `trusted-public-keys` Nix config option, /// and consist of a name and base64-encoded ed25519 pubkey, separated by a `:`. #[derive(Clone, Debug, PartialEq, Eq)] -pub struct PubKey { +pub struct VerifyingKey { name: String, - verifying_key: VerifyingKey, + verifying_key: ed25519_dalek::VerifyingKey, } -impl PubKey { - pub fn new(name: String, verifying_key: VerifyingKey) -> Self { +impl VerifyingKey { + pub fn new(name: String, verifying_key: ed25519_dalek::VerifyingKey) -> Self { Self { name, verifying_key, @@ -37,7 +37,7 @@ impl PubKey { } if bytes64.len() != BASE64.encode_len(PUBLIC_KEY_LENGTH) { - return Err(Error::InvalidPubKeyLen(bytes64.len())); + return Err(Error::InvalidVerifyingKeyLen(bytes64.len())); } let mut buf = [0; PUBLIC_KEY_LENGTH + 1]; @@ -51,7 +51,8 @@ impl PubKey { Err(_) => return Err(Error::DecodeError(input.to_string())), } - let verifying_key = VerifyingKey::from_bytes(&bytes).map_err(Error::InvalidVerifyingKey)?; + let verifying_key = + ed25519_dalek::VerifyingKey::from_bytes(&bytes).map_err(Error::InvalidVerifyingKey)?; Ok(Self { name: name.to_string(), @@ -84,14 +85,14 @@ pub enum Error { #[error("Missing separator")] MissingSeparator, #[error("Invalid pubkey len: {0}")] - InvalidPubKeyLen(usize), + InvalidVerifyingKeyLen(usize), #[error("VerifyingKey error: {0}")] InvalidVerifyingKey(ed25519_dalek::SignatureError), #[error("Unable to base64-decode pubkey: {0}")] DecodeError(String), } -impl Display for PubKey { +impl Display for VerifyingKey { fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { write!( f, @@ -110,7 +111,7 @@ mod test { use crate::narinfo::Signature; - use super::PubKey; + use super::VerifyingKey; const FINGERPRINT: &str = "1;/nix/store/syd87l2rxw8cbsxmxl853h0r6pdwhwjr-curl-7.82.0-bin;sha256:1b4sb93wp679q4zx9k1ignby1yna3z7c4c2ri3wphylbc2dwsys0;196040;/nix/store/0jqd0rlxzra1rs38rdxl43yh6rxchgc6-curl-7.82.0,/nix/store/6w8g7njm4mck5dmjxws0z1xnrxvl81xa-glibc-2.34-115,/nix/store/j5jxw3iy7bbz4a57fh9g2xm2gxmyal8h-zlib-1.2.12,/nix/store/yxvjs9drzsphm9pcf42a4byzj1kb9m7k-openssl-1.1.1n"; #[rstest] @@ -122,7 +123,7 @@ mod test { #[case] exp_name: &'static str, #[case] exp_verifying_key_bytes: &[u8; PUBLIC_KEY_LENGTH], ) { - let pubkey = PubKey::parse(input).expect("must parse"); + let pubkey = VerifyingKey::parse(input).expect("must parse"); assert_eq!(exp_name, pubkey.name()); assert_eq!(exp_verifying_key_bytes, pubkey.verifying_key.as_bytes()); } @@ -132,7 +133,7 @@ mod test { #[case::missing_padding("cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY")] #[case::wrong_length("cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDS")] fn parse_fail(#[case] input: &'static str) { - PubKey::parse(input).expect_err("must fail"); + VerifyingKey::parse(input).expect_err("must fail"); } #[rstest] @@ -144,7 +145,7 @@ mod test { #[case] signature_str: &'static str, #[case] expected: bool, ) { - let pubkey = PubKey::parse(pubkey_str).expect("must parse"); + let pubkey = VerifyingKey::parse(pubkey_str).expect("must parse"); let signature = Signature::parse(signature_str).expect("must parse"); assert_eq!(expected, pubkey.verify(fingerprint, &signature)); diff --git a/tvix/nix-compat/src/nixcpp/conf.rs b/tvix/nix-compat/src/nixcpp/conf.rs index 909b3c9eb..68308115f 100644 --- a/tvix/nix-compat/src/nixcpp/conf.rs +++ b/tvix/nix-compat/src/nixcpp/conf.rs @@ -13,7 +13,7 @@ pub struct NixConfig<'a> { pub sandbox_fallback: Option, pub substituters: Option>, pub system_features: Option>, - pub trusted_public_keys: Option>, + pub trusted_public_keys: Option>, pub trusted_substituters: Option>, pub trusted_users: Option>, pub extra_platforms: Option>, @@ -78,8 +78,8 @@ impl<'a> NixConfig<'a> { "trusted-public-keys" => { this.trusted_public_keys = Some( val.split_whitespace() - .map(crate::narinfo::PubKey::parse) - .collect::, _>>() + .map(crate::narinfo::VerifyingKey::parse) + .collect::, _>>() .ok()?, ) } @@ -155,7 +155,7 @@ impl FromStr for SandboxSetting { #[cfg(test)] mod tests { - use crate::{narinfo::PubKey, nixcpp::conf::SandboxSetting}; + use crate::{narinfo::VerifyingKey, nixcpp::conf::SandboxSetting}; use super::NixConfig; @@ -175,9 +175,9 @@ mod tests { substituters: Some(vec!["https://nix-community.cachix.org", "https://cache.nixos.org/"]), system_features: Some(vec!["nixos-test", "benchmark", "big-parallel", "kvm"]), trusted_public_keys: Some(vec![ - PubKey::parse("cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=") + VerifyingKey::parse("cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=") .expect("failed to parse pubkey"), - PubKey::parse("nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=") + VerifyingKey::parse("nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=") .expect("failed to parse pubkey") ]), trusted_substituters: Some(vec![]), diff --git a/tvix/store/src/pathinfoservice/nix_http.rs b/tvix/store/src/pathinfoservice/nix_http.rs index af9234bc0..b74385c63 100644 --- a/tvix/store/src/pathinfoservice/nix_http.rs +++ b/tvix/store/src/pathinfoservice/nix_http.rs @@ -41,7 +41,7 @@ pub struct NixHTTPPathInfoService { /// An optional list of [narinfo::PubKey]. /// If set, the .narinfo files received need to have correct signature by at least one of these. - public_keys: Option>, + public_keys: Option>, } impl NixHTTPPathInfoService { @@ -59,7 +59,7 @@ impl NixHTTPPathInfoService { } /// Configures [Self] to validate NARInfo fingerprints with the public keys passed. - pub fn set_public_keys(&mut self, public_keys: Vec) { + pub fn set_public_keys(&mut self, public_keys: Vec) { self.public_keys = Some(public_keys); } } @@ -311,7 +311,7 @@ impl ServiceBuilder for NixHTTPPathInfoServiceConfig { public_keys .iter() .map(|pubkey_str| { - narinfo::PubKey::parse(pubkey_str) + narinfo::VerifyingKey::parse(pubkey_str) .map_err(|e| Error::StorageError(format!("invalid public key: {e}"))) }) .collect::, Error>>()?,