mdebray/tvl-depot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tvl-depot/third_party/nix/src/libstore/crypto.cc
Kane York 1de00e6c42 chore(3p/nix): apply google-readability-casting 
Command run: jq <compile_commands.json -r 'map(.file)|.[]' | grep -v '/generated/' | parallel clang-tidy -p compile_commands.json -checks=-*,google-readability-casting --fix

Manual fixes applied in src/nix-env/nix-env.cc, src/libstore/store-api.cc

Change-Id: I406b4be9368c557ca59329bf6f7002704e955f8d
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1557
Tested-by: BuildkiteCI
Reviewed-by: glittershark <grfn@gws.fyi>
Reviewed-by: tazjin <mail@tazj.in>
2020-08-08 22:16:02 +00:00

138 lines
3.4 KiB
C++
Raw Blame History

#include "libstore/crypto.hh"
#include <absl/strings/escaping.h>
#include "libstore/globals.hh"
#include "libutil/util.hh"
#if HAVE_SODIUM
#include <sodium.h>
#endif
namespace nix {
// TODO(riking): convert to string_view to reduce allocations
static std::pair<std::string, std::string> split(const std::string& s) {
size_t colon = s.find(':');
if (colon == std::string::npos || colon == 0) {
return {"", ""};
}
return {std::string(s, 0, colon), std::string(s, colon + 1)};
}
Key::Key(const std::string& s) {
auto ss = split(s);
name = ss.first;
std::string keyb64 = ss.second;
if (name.empty() || keyb64.empty()) {
throw Error("secret key is corrupt");
}
if (!absl::Base64Unescape(keyb64, &key)) {
// TODO(grfn): replace this with StatusOr
throw Error("Invalid Base64");
}
}
SecretKey::SecretKey(const std::string& s) : Key(s) {
#if HAVE_SODIUM
if (key.size() != crypto_sign_SECRETKEYBYTES) {
throw Error("secret key is not valid");
}
#endif
}
#if !HAVE_SODIUM
[[noreturn]] static void noSodium() {
throw Error(
"Nix was not compiled with libsodium, required for signed binary cache "
"support");
}
#endif
std::string SecretKey::signDetached(const std::string& data) const {
#if HAVE_SODIUM
unsigned char sig[crypto_sign_BYTES];
unsigned long long sigLen;
crypto_sign_detached(sig, &sigLen, (unsigned char*)data.data(), data.size(),
(unsigned char*)key.data());
return name + ":" +
absl::Base64Escape(std::string(reinterpret_cast<char*>(sig), sigLen));
#else
noSodium();
#endif
}
PublicKey SecretKey::toPublicKey() const {
#if HAVE_SODIUM
unsigned char pk[crypto_sign_PUBLICKEYBYTES];
crypto_sign_ed25519_sk_to_pk(pk, (unsigned char*)key.data());
return PublicKey(name, std::string(reinterpret_cast<char*>(pk),
crypto_sign_PUBLICKEYBYTES));
#else
noSodium();
#endif
}
PublicKey::PublicKey(const std::string& s) : Key(s) {
#if HAVE_SODIUM
if (key.size() != crypto_sign_PUBLICKEYBYTES) {
throw Error("public key is not valid");
}
#endif
}
bool verifyDetached(const std::string& data, const std::string& sig,
const PublicKeys& publicKeys) {
#if HAVE_SODIUM
auto ss = split(sig);
auto key = publicKeys.find(ss.first);
if (key == publicKeys.end()) {
return false;
}
std::string sig2;
if (!absl::Base64Unescape(ss.second, &sig2)) {
// TODO(grfn): replace this with StatusOr
throw Error("Invalid Base64");
}
if (sig2.size() != crypto_sign_BYTES) {
throw Error("signature is not valid");
}
return crypto_sign_verify_detached(
reinterpret_cast<unsigned char*>(sig2.data()),
(unsigned char*)data.data(), data.size(),
(unsigned char*)key->second.key.data()) == 0;
#else
noSodium();
#endif
}
PublicKeys getDefaultPublicKeys() {
PublicKeys publicKeys;
// FIXME: filter duplicates
for (const auto& s : settings.trustedPublicKeys.get()) {
PublicKey key(s);
publicKeys.emplace(key.name, key);
}
for (const auto& secretKeyFile : settings.secretKeyFiles.get()) {
try {
SecretKey secretKey(readFile(secretKeyFile));
publicKeys.emplace(secretKey.name, secretKey.toPublicKey());
} catch (SysError& e) {
/* Ignore unreadable key files. That's normal in a
multi-user installation. */
}
}
return publicKeys;
}
} // namespace nix
Reference in a new issue View git blame Copy permalink