From: Fabian Stelzer <fs@gigacodes.de>
To: git@vger.kernel.org
Cc: "Fabian Stelzer" <fs@gigacodes.de>,
"Han-Wen Nienhuys" <hanwen@google.com>,
"brian m. carlson" <sandals@crustytoothpaste.net>,
"Randall S. Becker" <rsbecker@nexbridge.com>,
"Bagas Sanjaya" <bagasdotme@gmail.com>,
"Hans Jerry Illikainen" <hji@dyntopia.com>,
"Ævar Arnfjörð Bjarmason" <avarab@gmail.com>,
"Felipe Contreras" <felipe.contreras@gmail.com>,
"Eric Sunshine" <sunshine@sunshineco.com>,
"Gwyneth Morgan" <gwymor@tilde.club>,
"Jonathan Tan" <jonathantanmy@google.com>,
"Josh Steadmon" <steadmon@google.com>
Subject: [PATCH 1/6] ssh signing: extend check_signature to accept payload metadata
Date: Fri, 22 Oct 2021 17:09:44 +0200 [thread overview]
Message-ID: <20211022150949.1754477-2-fs@gigacodes.de> (raw)
In-Reply-To: <20211022150949.1754477-1-fs@gigacodes.de>
Adds two new parameters to the check_signature api and passes them to the
internal verification ssh/gpg methods.
A payload timestamp that will be used to verify signatures at the time of their
objects creation if the signing method supports it (only ssh for now).
And a signer strbuf containing ident information about the signer that
we will need for implementing "Trust on first use" in a future patch
series.
Adding the ident info right now instead of a later patch series makes
certain choices in this patch series clearer. Only passing the timestamp
could be done a bit simpler on some call sites but i am certain that we
will need the ident info for "Trust on first use" no matter how exactly
it will be implemented later.
To start with we pass 0, NULL on all invocations to keep the current behaviour
as is.
Signed-off-by: Fabian Stelzer <fs@gigacodes.de>
---
builtin/receive-pack.c | 5 +++--
commit.c | 2 +-
fmt-merge-msg.c | 4 ++--
gpg-interface.c | 36 +++++++++++++++++++++++++++---------
gpg-interface.h | 5 +++--
log-tree.c | 4 ++--
tag.c | 2 +-
7 files changed, 39 insertions(+), 19 deletions(-)
diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c
index 49b846d960..761c70642b 100644
--- a/builtin/receive-pack.c
+++ b/builtin/receive-pack.c
@@ -769,8 +769,9 @@ static void prepare_push_cert_sha1(struct child_process *proc)
memset(&sigcheck, '\0', sizeof(sigcheck));
bogs = parse_signed_buffer(push_cert.buf, push_cert.len);
- check_signature(push_cert.buf, bogs, push_cert.buf + bogs,
- push_cert.len - bogs, &sigcheck);
+ check_signature(push_cert.buf, bogs, 0, NULL,
+ push_cert.buf + bogs, push_cert.len - bogs,
+ &sigcheck);
nonce_status = check_nonce(push_cert.buf, bogs);
}
diff --git a/commit.c b/commit.c
index 551de4903c..1704d9df0a 100644
--- a/commit.c
+++ b/commit.c
@@ -1212,7 +1212,7 @@ int check_commit_signature(const struct commit *commit, struct signature_check *
if (parse_signed_commit(commit, &payload, &signature, the_hash_algo) <= 0)
goto out;
- ret = check_signature(payload.buf, payload.len, signature.buf,
+ ret = check_signature(payload.buf, payload.len, 0, NULL, signature.buf,
signature.len, sigc);
out:
diff --git a/fmt-merge-msg.c b/fmt-merge-msg.c
index 5216191488..d2cedad6b7 100644
--- a/fmt-merge-msg.c
+++ b/fmt-merge-msg.c
@@ -533,8 +533,8 @@ static void fmt_merge_msg_sigs(struct strbuf *out)
else {
buf = payload.buf;
len = payload.len;
- if (check_signature(payload.buf, payload.len, sig.buf,
- sig.len, &sigc) &&
+ if (check_signature(payload.buf, payload.len, 0, NULL,
+ sig.buf, sig.len, &sigc) &&
!sigc.output)
strbuf_addstr(&sig, "gpg verification failed.\n");
else
diff --git a/gpg-interface.c b/gpg-interface.c
index 800d8caa67..6049f7cbf7 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -20,7 +20,10 @@ struct gpg_format {
const char **sigs;
int (*verify_signed_buffer)(struct signature_check *sigc,
struct gpg_format *fmt, const char *payload,
- size_t payload_size, const char *signature,
+ size_t payload_size,
+ timestamp_t payload_timestamp,
+ struct strbuf *payload_signer,
+ const char *signature,
size_t signature_size);
int (*sign_buffer)(struct strbuf *buffer, struct strbuf *signature,
const char *signing_key);
@@ -54,11 +57,17 @@ static const char *ssh_sigs[] = {
static int verify_gpg_signed_buffer(struct signature_check *sigc,
struct gpg_format *fmt, const char *payload,
- size_t payload_size, const char *signature,
+ size_t payload_size,
+ timestamp_t payload_timestamp,
+ struct strbuf *payload_signer,
+ const char *signature,
size_t signature_size);
static int verify_ssh_signed_buffer(struct signature_check *sigc,
struct gpg_format *fmt, const char *payload,
- size_t payload_size, const char *signature,
+ size_t payload_size,
+ timestamp_t payload_timestamp,
+ struct strbuf *payload_signer,
+ const char *signature,
size_t signature_size);
static int sign_buffer_gpg(struct strbuf *buffer, struct strbuf *signature,
const char *signing_key);
@@ -315,7 +324,10 @@ static void parse_gpg_output(struct signature_check *sigc)
static int verify_gpg_signed_buffer(struct signature_check *sigc,
struct gpg_format *fmt, const char *payload,
- size_t payload_size, const char *signature,
+ size_t payload_size,
+ timestamp_t payload_timestamp,
+ struct strbuf *payload_signer,
+ const char *signature,
size_t signature_size)
{
struct child_process gpg = CHILD_PROCESS_INIT;
@@ -425,7 +437,10 @@ static void parse_ssh_output(struct signature_check *sigc)
static int verify_ssh_signed_buffer(struct signature_check *sigc,
struct gpg_format *fmt, const char *payload,
- size_t payload_size, const char *signature,
+ size_t payload_size,
+ timestamp_t payload_timestamp,
+ struct strbuf *payload_signer,
+ const char *signature,
size_t signature_size)
{
struct child_process ssh_keygen = CHILD_PROCESS_INIT;
@@ -560,8 +575,10 @@ static int verify_ssh_signed_buffer(struct signature_check *sigc,
return ret;
}
-int check_signature(const char *payload, size_t plen, const char *signature,
- size_t slen, struct signature_check *sigc)
+int check_signature(const char *payload, size_t plen,
+ timestamp_t payload_timestamp,
+ struct strbuf *payload_signer, const char *signature,
+ size_t slen, struct signature_check *sigc)
{
struct gpg_format *fmt;
int status;
@@ -573,8 +590,9 @@ int check_signature(const char *payload, size_t plen, const char *signature,
if (!fmt)
die(_("bad/incompatible signature '%s'"), signature);
- status = fmt->verify_signed_buffer(sigc, fmt, payload, plen, signature,
- slen);
+ status = fmt->verify_signed_buffer(sigc, fmt, payload, plen,
+ payload_timestamp, payload_signer,
+ signature, slen);
if (status && !sigc->output)
return !!status;
diff --git a/gpg-interface.h b/gpg-interface.h
index beefacbb1e..f7c5389c90 100644
--- a/gpg-interface.h
+++ b/gpg-interface.h
@@ -71,8 +71,9 @@ const char *get_signing_key(void);
*/
const char *get_signing_key_id(void);
int check_signature(const char *payload, size_t plen,
- const char *signature, size_t slen,
- struct signature_check *sigc);
+ timestamp_t payload_timestamp,
+ struct strbuf *payload_signer, const char *signature,
+ size_t slen, struct signature_check *sigc);
void print_signature_buffer(const struct signature_check *sigc,
unsigned flags);
diff --git a/log-tree.c b/log-tree.c
index 644893fd8c..3c3aec5c40 100644
--- a/log-tree.c
+++ b/log-tree.c
@@ -513,7 +513,7 @@ static void show_signature(struct rev_info *opt, struct commit *commit)
if (parse_signed_commit(commit, &payload, &signature, the_hash_algo) <= 0)
goto out;
- status = check_signature(payload.buf, payload.len, signature.buf,
+ status = check_signature(payload.buf, payload.len, 0, NULL, signature.buf,
signature.len, &sigc);
if (status && !sigc.output)
show_sig_lines(opt, status, "No signature\n");
@@ -583,7 +583,7 @@ static int show_one_mergetag(struct commit *commit,
status = -1;
if (parse_signature(extra->value, extra->len, &payload, &signature)) {
/* could have a good signature */
- status = check_signature(payload.buf, payload.len,
+ status = check_signature(payload.buf, payload.len, 0, NULL,
signature.buf, signature.len, &sigc);
if (sigc.output)
strbuf_addstr(&verify_message, sigc.output);
diff --git a/tag.c b/tag.c
index 3e18a41841..3459a0867c 100644
--- a/tag.c
+++ b/tag.c
@@ -25,7 +25,7 @@ static int run_gpg_verify(const char *buf, unsigned long size, unsigned flags)
return error("no signature found");
}
- ret = check_signature(payload.buf, payload.len, signature.buf,
+ ret = check_signature(payload.buf, payload.len, 0, NULL, signature.buf,
signature.len, &sigc);
if (!(flags & GPG_VERIFY_OMIT_STATUS))
--
2.31.1
next prev parent reply other threads:[~2021-10-22 15:10 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-22 15:09 [PATCH 0/6] ssh signing: verify key lifetime Fabian Stelzer
2021-10-22 15:09 ` Fabian Stelzer [this message]
2021-10-23 23:13 ` [PATCH 1/6] ssh signing: extend check_signature to accept payload metadata Junio C Hamano
2021-10-25 8:28 ` Fabian Stelzer
2021-10-25 17:16 ` Junio C Hamano
2021-10-22 15:09 ` [PATCH 2/6] ssh signing: add key lifetime test prereqs Fabian Stelzer
2021-10-22 15:09 ` [PATCH 3/6] ssh signing: verify-commit/check_signature with commit date Fabian Stelzer
2021-10-22 17:37 ` Ævar Arnfjörð Bjarmason
2021-10-25 8:31 ` Fabian Stelzer
2021-10-22 15:09 ` [PATCH 4/6] ssh signing: git log/check_signature " Fabian Stelzer
2021-10-22 15:09 ` [PATCH 5/6] ssh signing: verify-tag/check_signature with tag date Fabian Stelzer
2021-10-22 15:09 ` [PATCH 6/6] ssh signing: fmt-merge-msg/check_signature " Fabian Stelzer
2021-10-22 18:12 ` Ævar Arnfjörð Bjarmason
2021-10-25 8:39 ` Fabian Stelzer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211022150949.1754477-2-fs@gigacodes.de \
--to=fs@gigacodes.de \
--cc=avarab@gmail.com \
--cc=bagasdotme@gmail.com \
--cc=felipe.contreras@gmail.com \
--cc=git@vger.kernel.org \
--cc=gwymor@tilde.club \
--cc=hanwen@google.com \
--cc=hji@dyntopia.com \
--cc=jonathantanmy@google.com \
--cc=rsbecker@nexbridge.com \
--cc=sandals@crustytoothpaste.net \
--cc=steadmon@google.com \
--cc=sunshine@sunshineco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).