refactor(tvix/nix-compat): rename PubKey to VerifyingKey
Align this with the way it is named in the ed25519 crates. Change-Id: Ia52d3bb9bf831dc6b5f7d5356f5ac62135672883 Reviewed-on: https://cl.tvl.fyi/c/depot/+/12013 Tested-by: BuildkiteCI Reviewed-by: raitobezarius <tvl@lahfa.xyz> Autosubmit: flokli <flokli@flokli.de>
This commit is contained in:
parent
62184ee35a
commit
05b4e805ee
4 changed files with 25 additions and 25 deletions
|
@ -27,13 +27,12 @@ use std::{
|
||||||
use crate::{nixbase32, nixhash::CAHash, store_path::StorePathRef};
|
use crate::{nixbase32, nixhash::CAHash, store_path::StorePathRef};
|
||||||
|
|
||||||
mod fingerprint;
|
mod fingerprint;
|
||||||
mod public_keys;
|
|
||||||
mod signature;
|
mod signature;
|
||||||
|
mod verifying_keys;
|
||||||
|
|
||||||
pub use fingerprint::fingerprint;
|
pub use fingerprint::fingerprint;
|
||||||
|
|
||||||
pub use public_keys::{Error as PubKeyError, PubKey};
|
|
||||||
pub use signature::{Error as SignatureError, Signature};
|
pub use signature::{Error as SignatureError, Signature};
|
||||||
|
pub use verifying_keys::{Error as VerifyingKeyError, VerifyingKey};
|
||||||
|
|
||||||
#[derive(Debug)]
|
#[derive(Debug)]
|
||||||
pub struct NarInfo<'a> {
|
pub struct NarInfo<'a> {
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
use std::fmt::Display;
|
use std::fmt::Display;
|
||||||
|
|
||||||
use data_encoding::BASE64;
|
use data_encoding::BASE64;
|
||||||
use ed25519_dalek::{VerifyingKey, PUBLIC_KEY_LENGTH};
|
use ed25519_dalek::PUBLIC_KEY_LENGTH;
|
||||||
|
|
||||||
use super::Signature;
|
use super::Signature;
|
||||||
|
|
||||||
|
@ -12,13 +12,13 @@ use super::Signature;
|
||||||
/// These are normally passed in the `trusted-public-keys` Nix config option,
|
/// These are normally passed in the `trusted-public-keys` Nix config option,
|
||||||
/// and consist of a name and base64-encoded ed25519 pubkey, separated by a `:`.
|
/// and consist of a name and base64-encoded ed25519 pubkey, separated by a `:`.
|
||||||
#[derive(Clone, Debug, PartialEq, Eq)]
|
#[derive(Clone, Debug, PartialEq, Eq)]
|
||||||
pub struct PubKey {
|
pub struct VerifyingKey {
|
||||||
name: String,
|
name: String,
|
||||||
verifying_key: VerifyingKey,
|
verifying_key: ed25519_dalek::VerifyingKey,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl PubKey {
|
impl VerifyingKey {
|
||||||
pub fn new(name: String, verifying_key: VerifyingKey) -> Self {
|
pub fn new(name: String, verifying_key: ed25519_dalek::VerifyingKey) -> Self {
|
||||||
Self {
|
Self {
|
||||||
name,
|
name,
|
||||||
verifying_key,
|
verifying_key,
|
||||||
|
@ -37,7 +37,7 @@ impl PubKey {
|
||||||
}
|
}
|
||||||
|
|
||||||
if bytes64.len() != BASE64.encode_len(PUBLIC_KEY_LENGTH) {
|
if bytes64.len() != BASE64.encode_len(PUBLIC_KEY_LENGTH) {
|
||||||
return Err(Error::InvalidPubKeyLen(bytes64.len()));
|
return Err(Error::InvalidVerifyingKeyLen(bytes64.len()));
|
||||||
}
|
}
|
||||||
|
|
||||||
let mut buf = [0; PUBLIC_KEY_LENGTH + 1];
|
let mut buf = [0; PUBLIC_KEY_LENGTH + 1];
|
||||||
|
@ -51,7 +51,8 @@ impl PubKey {
|
||||||
Err(_) => return Err(Error::DecodeError(input.to_string())),
|
Err(_) => return Err(Error::DecodeError(input.to_string())),
|
||||||
}
|
}
|
||||||
|
|
||||||
let verifying_key = VerifyingKey::from_bytes(&bytes).map_err(Error::InvalidVerifyingKey)?;
|
let verifying_key =
|
||||||
|
ed25519_dalek::VerifyingKey::from_bytes(&bytes).map_err(Error::InvalidVerifyingKey)?;
|
||||||
|
|
||||||
Ok(Self {
|
Ok(Self {
|
||||||
name: name.to_string(),
|
name: name.to_string(),
|
||||||
|
@ -84,14 +85,14 @@ pub enum Error {
|
||||||
#[error("Missing separator")]
|
#[error("Missing separator")]
|
||||||
MissingSeparator,
|
MissingSeparator,
|
||||||
#[error("Invalid pubkey len: {0}")]
|
#[error("Invalid pubkey len: {0}")]
|
||||||
InvalidPubKeyLen(usize),
|
InvalidVerifyingKeyLen(usize),
|
||||||
#[error("VerifyingKey error: {0}")]
|
#[error("VerifyingKey error: {0}")]
|
||||||
InvalidVerifyingKey(ed25519_dalek::SignatureError),
|
InvalidVerifyingKey(ed25519_dalek::SignatureError),
|
||||||
#[error("Unable to base64-decode pubkey: {0}")]
|
#[error("Unable to base64-decode pubkey: {0}")]
|
||||||
DecodeError(String),
|
DecodeError(String),
|
||||||
}
|
}
|
||||||
|
|
||||||
impl Display for PubKey {
|
impl Display for VerifyingKey {
|
||||||
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
||||||
write!(
|
write!(
|
||||||
f,
|
f,
|
||||||
|
@ -110,7 +111,7 @@ mod test {
|
||||||
|
|
||||||
use crate::narinfo::Signature;
|
use crate::narinfo::Signature;
|
||||||
|
|
||||||
use super::PubKey;
|
use super::VerifyingKey;
|
||||||
const FINGERPRINT: &str = "1;/nix/store/syd87l2rxw8cbsxmxl853h0r6pdwhwjr-curl-7.82.0-bin;sha256:1b4sb93wp679q4zx9k1ignby1yna3z7c4c2ri3wphylbc2dwsys0;196040;/nix/store/0jqd0rlxzra1rs38rdxl43yh6rxchgc6-curl-7.82.0,/nix/store/6w8g7njm4mck5dmjxws0z1xnrxvl81xa-glibc-2.34-115,/nix/store/j5jxw3iy7bbz4a57fh9g2xm2gxmyal8h-zlib-1.2.12,/nix/store/yxvjs9drzsphm9pcf42a4byzj1kb9m7k-openssl-1.1.1n";
|
const FINGERPRINT: &str = "1;/nix/store/syd87l2rxw8cbsxmxl853h0r6pdwhwjr-curl-7.82.0-bin;sha256:1b4sb93wp679q4zx9k1ignby1yna3z7c4c2ri3wphylbc2dwsys0;196040;/nix/store/0jqd0rlxzra1rs38rdxl43yh6rxchgc6-curl-7.82.0,/nix/store/6w8g7njm4mck5dmjxws0z1xnrxvl81xa-glibc-2.34-115,/nix/store/j5jxw3iy7bbz4a57fh9g2xm2gxmyal8h-zlib-1.2.12,/nix/store/yxvjs9drzsphm9pcf42a4byzj1kb9m7k-openssl-1.1.1n";
|
||||||
|
|
||||||
#[rstest]
|
#[rstest]
|
||||||
|
@ -122,7 +123,7 @@ mod test {
|
||||||
#[case] exp_name: &'static str,
|
#[case] exp_name: &'static str,
|
||||||
#[case] exp_verifying_key_bytes: &[u8; PUBLIC_KEY_LENGTH],
|
#[case] exp_verifying_key_bytes: &[u8; PUBLIC_KEY_LENGTH],
|
||||||
) {
|
) {
|
||||||
let pubkey = PubKey::parse(input).expect("must parse");
|
let pubkey = VerifyingKey::parse(input).expect("must parse");
|
||||||
assert_eq!(exp_name, pubkey.name());
|
assert_eq!(exp_name, pubkey.name());
|
||||||
assert_eq!(exp_verifying_key_bytes, pubkey.verifying_key.as_bytes());
|
assert_eq!(exp_verifying_key_bytes, pubkey.verifying_key.as_bytes());
|
||||||
}
|
}
|
||||||
|
@ -132,7 +133,7 @@ mod test {
|
||||||
#[case::missing_padding("cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY")]
|
#[case::missing_padding("cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY")]
|
||||||
#[case::wrong_length("cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDS")]
|
#[case::wrong_length("cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDS")]
|
||||||
fn parse_fail(#[case] input: &'static str) {
|
fn parse_fail(#[case] input: &'static str) {
|
||||||
PubKey::parse(input).expect_err("must fail");
|
VerifyingKey::parse(input).expect_err("must fail");
|
||||||
}
|
}
|
||||||
|
|
||||||
#[rstest]
|
#[rstest]
|
||||||
|
@ -144,7 +145,7 @@ mod test {
|
||||||
#[case] signature_str: &'static str,
|
#[case] signature_str: &'static str,
|
||||||
#[case] expected: bool,
|
#[case] expected: bool,
|
||||||
) {
|
) {
|
||||||
let pubkey = PubKey::parse(pubkey_str).expect("must parse");
|
let pubkey = VerifyingKey::parse(pubkey_str).expect("must parse");
|
||||||
let signature = Signature::parse(signature_str).expect("must parse");
|
let signature = Signature::parse(signature_str).expect("must parse");
|
||||||
|
|
||||||
assert_eq!(expected, pubkey.verify(fingerprint, &signature));
|
assert_eq!(expected, pubkey.verify(fingerprint, &signature));
|
|
@ -13,7 +13,7 @@ pub struct NixConfig<'a> {
|
||||||
pub sandbox_fallback: Option<bool>,
|
pub sandbox_fallback: Option<bool>,
|
||||||
pub substituters: Option<Vec<&'a str>>,
|
pub substituters: Option<Vec<&'a str>>,
|
||||||
pub system_features: Option<Vec<&'a str>>,
|
pub system_features: Option<Vec<&'a str>>,
|
||||||
pub trusted_public_keys: Option<Vec<crate::narinfo::PubKey>>,
|
pub trusted_public_keys: Option<Vec<crate::narinfo::VerifyingKey>>,
|
||||||
pub trusted_substituters: Option<Vec<&'a str>>,
|
pub trusted_substituters: Option<Vec<&'a str>>,
|
||||||
pub trusted_users: Option<Vec<&'a str>>,
|
pub trusted_users: Option<Vec<&'a str>>,
|
||||||
pub extra_platforms: Option<Vec<&'a str>>,
|
pub extra_platforms: Option<Vec<&'a str>>,
|
||||||
|
@ -78,8 +78,8 @@ impl<'a> NixConfig<'a> {
|
||||||
"trusted-public-keys" => {
|
"trusted-public-keys" => {
|
||||||
this.trusted_public_keys = Some(
|
this.trusted_public_keys = Some(
|
||||||
val.split_whitespace()
|
val.split_whitespace()
|
||||||
.map(crate::narinfo::PubKey::parse)
|
.map(crate::narinfo::VerifyingKey::parse)
|
||||||
.collect::<Result<Vec<crate::narinfo::PubKey>, _>>()
|
.collect::<Result<Vec<crate::narinfo::VerifyingKey>, _>>()
|
||||||
.ok()?,
|
.ok()?,
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
@ -155,7 +155,7 @@ impl FromStr for SandboxSetting {
|
||||||
|
|
||||||
#[cfg(test)]
|
#[cfg(test)]
|
||||||
mod tests {
|
mod tests {
|
||||||
use crate::{narinfo::PubKey, nixcpp::conf::SandboxSetting};
|
use crate::{narinfo::VerifyingKey, nixcpp::conf::SandboxSetting};
|
||||||
|
|
||||||
use super::NixConfig;
|
use super::NixConfig;
|
||||||
|
|
||||||
|
@ -175,9 +175,9 @@ mod tests {
|
||||||
substituters: Some(vec!["https://nix-community.cachix.org", "https://cache.nixos.org/"]),
|
substituters: Some(vec!["https://nix-community.cachix.org", "https://cache.nixos.org/"]),
|
||||||
system_features: Some(vec!["nixos-test", "benchmark", "big-parallel", "kvm"]),
|
system_features: Some(vec!["nixos-test", "benchmark", "big-parallel", "kvm"]),
|
||||||
trusted_public_keys: Some(vec![
|
trusted_public_keys: Some(vec![
|
||||||
PubKey::parse("cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=")
|
VerifyingKey::parse("cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=")
|
||||||
.expect("failed to parse pubkey"),
|
.expect("failed to parse pubkey"),
|
||||||
PubKey::parse("nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=")
|
VerifyingKey::parse("nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=")
|
||||||
.expect("failed to parse pubkey")
|
.expect("failed to parse pubkey")
|
||||||
]),
|
]),
|
||||||
trusted_substituters: Some(vec![]),
|
trusted_substituters: Some(vec![]),
|
||||||
|
|
|
@ -41,7 +41,7 @@ pub struct NixHTTPPathInfoService<BS, DS> {
|
||||||
|
|
||||||
/// An optional list of [narinfo::PubKey].
|
/// An optional list of [narinfo::PubKey].
|
||||||
/// If set, the .narinfo files received need to have correct signature by at least one of these.
|
/// If set, the .narinfo files received need to have correct signature by at least one of these.
|
||||||
public_keys: Option<Vec<narinfo::PubKey>>,
|
public_keys: Option<Vec<narinfo::VerifyingKey>>,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl<BS, DS> NixHTTPPathInfoService<BS, DS> {
|
impl<BS, DS> NixHTTPPathInfoService<BS, DS> {
|
||||||
|
@ -59,7 +59,7 @@ impl<BS, DS> NixHTTPPathInfoService<BS, DS> {
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Configures [Self] to validate NARInfo fingerprints with the public keys passed.
|
/// Configures [Self] to validate NARInfo fingerprints with the public keys passed.
|
||||||
pub fn set_public_keys(&mut self, public_keys: Vec<narinfo::PubKey>) {
|
pub fn set_public_keys(&mut self, public_keys: Vec<narinfo::VerifyingKey>) {
|
||||||
self.public_keys = Some(public_keys);
|
self.public_keys = Some(public_keys);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -311,7 +311,7 @@ impl ServiceBuilder for NixHTTPPathInfoServiceConfig {
|
||||||
public_keys
|
public_keys
|
||||||
.iter()
|
.iter()
|
||||||
.map(|pubkey_str| {
|
.map(|pubkey_str| {
|
||||||
narinfo::PubKey::parse(pubkey_str)
|
narinfo::VerifyingKey::parse(pubkey_str)
|
||||||
.map_err(|e| Error::StorageError(format!("invalid public key: {e}")))
|
.map_err(|e| Error::StorageError(format!("invalid public key: {e}")))
|
||||||
})
|
})
|
||||||
.collect::<Result<Vec<_>, Error>>()?,
|
.collect::<Result<Vec<_>, Error>>()?,
|
||||||
|
|
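Review bot: The doc comment on the `public_keys` field in the first hunk of this file still reads `/// An optional list of [narinfo::PubKey].` although the field type directly below it was renamed to `narinfo::VerifyingKey`; the intra-doc link now points at a type that no longer exists, so rustdoc will report a broken link and readers are sent to the wrong name. Change it to `/// An optional list of [narinfo::VerifyingKey].` so the documentation matches the renamed type. The enclosing `NixHTTPPathInfoService` struct definition starts outside the hunk, so there may be further references to the old name above it that should be checked the same way.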