Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Habitat Artifact and Origin Key Header Update #425

Merged
merged 2 commits into from
Apr 22, 2016
Merged

Habitat Artifact and Origin Key Header Update #425

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e754631
Update Habitat Artifact (.hart) header information.
fnichol Apr 22, 2016
b1ec1c4
Update all box, sig, and sym style keys to contain a version string.
fnichol Apr 22, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
201 changes: 118 additions & 83 deletions components/core/src/crypto.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -140,20 +140,25 @@ use util::perm;
/// A signed `.hart` artifact has 3 plaintext lines followed by a binary blob
/// of data, which is the unsigned tarfile.
///
/// - The first plaintext line is the name of the origin signing key that was used
/// - The first plaintext line is the version of the artifact format
/// - The second plaintext line is the name of the origin signing key that was used
/// to sign this artifact.
/// - The second plaintext line is the hashing algorithm used, which will be
/// - The third plaintext line is the hashing algorithm used, which will be
/// `BLAKE2b` unless our use of crypto is expanded some time in the future.
/// - Our BLAKE2b hash functions use a digest length of 32 bytes (256 bits!).
/// - The third plaintext line is a base64 *signed* value of the binary blob's
/// information from the binary data
/// - The fourth plaintext line is a base64 *signed* value of the binary blob's
/// base64 file hash. Signing uses a secret origin key, while verifying uses the
/// public origin key. Thus, it it safe to distribute public origin keys.
/// - The fifth line is left empty, meaning that 2 newline characters separate the header
///
/// Example header:
/// ```text
/// HART-1
/// habitat-20160405144945
/// BLAKE2b
/// signed BLAKE2b signature
///
/// <binary-blob>
/// ```
///
Expand All @@ -162,7 +167,8 @@ use util::perm;
/// It's possible to examine the contents of a `.hart` file from a Linux shell:
///
/// ```text
/// $ head -3 /path/to/acme-glibc-2.22-20160310192356.hart
/// $ head -4 /path/to/acme-glibc-2.22-20160310192356.hart
/// HART-1
/// habitat-20160405144945
/// BLAKE2b
/// w4yC7/QADdC+NfH/wgN5u4K94nMieb1TxTVzbSfpMwRQ4k+YwhLs1nDXSIbSC8jHdF/7/LqLWtgPvGDmoKIvBDI0aGpIcGdlNDJhMDBnQ3lsMVVFM0JvRlZGSHhXcnBuWWF0/// SllXTXo1ZDg9
Expand All @@ -172,8 +178,8 @@ use util::perm;
/// It is also possible to extract a plain tarball from a signed `.hart` artifact using the following command:
///
/// ```text
/// tail -n +4 /tmp/somefile.hart > somefile.tar
/// # start at line 4, skipping the first 3 plaintext lines.
/// tail -n +6 /tmp/somefile.hart > somefile.tar
/// # start at line 6, skipping the first 5 plaintext lines.
/// ```
///
/// ### Habitat encrypted payload format
Expand All @@ -187,10 +193,11 @@ use util::perm;
/// 4. The encrypted message in base64 format.
///
/// ```text
/// 0.1.0\n
/// signing key name\n
/// recipient key name\n
/// nonce_base64\n
/// BOX-1
/// signing key name
/// recipient key name
/// nonce_base64
///
/// <ciphertext_base64>
/// ```
///
Expand All @@ -204,8 +211,9 @@ use util::perm;
/// 2. The key itself, which is base64-encoded
///
/// ```text
/// SYM-1\n
/// staging-20160405144945\n
/// SYM-1
/// staging-20160405144945
///
/// <symkey_base64>
/// ```

Expand Down Expand Up @@ -234,9 +242,15 @@ static PUBLIC_KEY_PERMISSIONS: &'static str = "0400";
static SECRET_KEY_PERMISSIONS: &'static str = "0400";


static HART_FORMAT_VERSION: &'static str = "HART-1";

static ENCRYPTED_PAYLOAD_VERSION: &'static str = "BOX-0.1.0";

static SYM_KEY_VERSION: &'static str = "SYM-1";
static PUBLIC_SIG_KEY_VERSION: &'static str = "SIG-PUB-1";
static SECRET_SIG_KEY_VERSION: &'static str = "SIG-SEC-1";
static PUBLIC_BOX_KEY_VERSION: &'static str = "BOX-PUB-1";
static SECRET_BOX_KEY_VERSION: &'static str = "BOX-SEC-1";
static SECRET_SYM_KEY_VERSION: &'static str = "SYM-SEC-1";

const BUF_SIZE: usize = 1024;

Expand Down Expand Up @@ -269,6 +283,12 @@ pub type SigKeyPair = KeyPair<SigPublicKey, SigSecretKey>;
pub type BoxKeyPair = KeyPair<BoxPublicKey, BoxSecretKey>;
pub type SymKey = KeyPair<(), SymSecretKey>;

enum KeyType {
Sig,
Box,
Sym,
}

/// If an env var is set, then return it's value.
/// If it's not, return the default
fn env_var_or_default(env_var: &str, default: &str) -> String {
Expand Down Expand Up @@ -359,7 +379,8 @@ impl Context {
let output_file = try!(File::create(outfilename));
let mut writer = BufWriter::new(&output_file);
let () = try!(write!(writer,
"{}\n{}\n{}\n",
"{}\n{}\n{}\n{}\n\n",
HART_FORMAT_VERSION,
key_with_rev,
SIG_HASH_TYPE,
signature.to_base64(STANDARD)));
Expand All @@ -371,11 +392,16 @@ impl Context {
/// return a BufReader to the .tar bytestream, skipping the signed header
pub fn get_artifact_reader(&self, infilename: &str) -> Result<BufReader<File>> {
let f = try!(File::open(infilename));
let mut your_format_version = String::new();
let mut your_key_name = String::new();
let mut your_hash_type = String::new();
let mut your_signature_raw = String::new();
let mut empty_line = String::new();

let mut reader = BufReader::new(f);
if try!(reader.read_line(&mut your_format_version)) <= 0 {
return Err(Error::CryptoError("Can't read format version".to_string()));
}
if try!(reader.read_line(&mut your_key_name)) <= 0 {
return Err(Error::CryptoError("Can't read keyname".to_string()));
}
Expand All @@ -385,6 +411,9 @@ impl Context {
if try!(reader.read_line(&mut your_signature_raw)) <= 0 {
return Err(Error::CryptoError("Can't read signature".to_string()));
}
if try!(reader.read_line(&mut empty_line)) <= 0 {
return Err(Error::CryptoError("Can't end of header".to_string()));
}
Ok(reader)
}

Expand All @@ -393,11 +422,17 @@ impl Context {
nacl_init();

let f = try!(File::open(infilename));

let mut your_format_version = String::new();
let mut your_key_name = String::new();
let mut your_hash_type = String::new();
let mut your_signature_raw = String::new();
let mut empty_line = String::new();

let mut reader = BufReader::new(f);
if try!(reader.read_line(&mut your_format_version)) <= 0 {
return Err(Error::CryptoError("Corrupt payload, can't read format version"
.to_string()));
}
if try!(reader.read_line(&mut your_key_name)) <= 0 {
return Err(Error::CryptoError("Corrupt payload, can't read origin key name"
.to_string()));
Expand All @@ -408,16 +443,28 @@ impl Context {
if try!(reader.read_line(&mut your_signature_raw)) <= 0 {
return Err(Error::CryptoError("Corrupt payload, can't read signature".to_string()));
}
if try!(reader.read_line(&mut empty_line)) <= 0 {
return Err(Error::CryptoError("Corrupt payload, can't end of header".to_string()));
}

// all input lines WILL have a newline at the end
let your_format_version = your_format_version.trim();
let your_key_name = your_key_name.trim();
let your_hash_type = your_hash_type.trim();
let your_signature_raw = your_signature_raw.trim();

debug!("Your format version = [{}]", your_format_version);
debug!("Your key name = [{}]", your_key_name);
debug!("Your hash type = [{}]", your_hash_type);
debug!("Your signature = [{}]", your_signature_raw);

if your_format_version.trim() != HART_FORMAT_VERSION {
let msg = format!("Unsupported format version: {}. Supported format versions: [{}]",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice touch :-)

&your_format_version,
HART_FORMAT_VERSION);
return Err(Error::CryptoError(msg));
}

let your_sig_pk = match self.get_sig_public_key(&your_key_name) {
Ok(pk) => pk,
Err(_) => {
Expand Down Expand Up @@ -655,8 +702,10 @@ impl Context {
let secret_keyfile = self.mk_key_filename(&self.key_cache, keyname, SECRET_BOX_KEY_SUFFIX);
debug!("public box keyfile = {}", &public_keyfile);
debug!("secret box keyfile = {}", &secret_keyfile);
try!(self.write_keypair_files(&public_keyfile,
&pk[..].to_base64(STANDARD).into_bytes(),
try!(self.write_keypair_files(KeyType::Box,
&keyname,
Some(&public_keyfile),
Some(&pk[..].to_base64(STANDARD).into_bytes()),
&secret_keyfile,
&sk[..].to_base64(STANDARD).into_bytes()));
Ok((pk, sk))
Expand All @@ -670,8 +719,10 @@ impl Context {
debug!("public sig keyfile = {}", &public_keyfile);
debug!("secret sig keyfile = {}", &secret_keyfile);

try!(self.write_keypair_files(&public_keyfile,
&pk[..].to_base64(STANDARD).into_bytes(),
try!(self.write_keypair_files(KeyType::Sig,
&keyname,
Some(&public_keyfile),
Some(&pk[..].to_base64(STANDARD).into_bytes()),
&secret_keyfile,
&sk[..].to_base64(STANDARD).into_bytes()));
Ok((pk, sk))
Expand All @@ -683,73 +734,73 @@ impl Context {
let secret_keyfile = self.mk_key_filename(&self.key_cache, keyname, SECRET_SYM_KEY_SUFFIX);
debug!("secret ring keyfile = {}", &secret_keyfile);

try!(self.write_sym_key_file(&keyname,
&secret_keyfile,
&sk[..].to_base64(STANDARD).into_bytes()));
try!(self.write_keypair_files(KeyType::Sym,
&keyname,
None,
None,
&secret_keyfile,
&sk[..].to_base64(STANDARD).into_bytes()));
Ok(sk)
}

fn write_keypair_files<K1: AsRef<Path>, K2: AsRef<Path>>(&self,
public_keyfile: K1,
public_content: &Vec<u8>,
secret_keyfile: K2,
secret_content: &Vec<u8>)
-> Result<()> {
if let Some(pk_dir) = public_keyfile.as_ref().parent() {
try!(fs::create_dir_all(pk_dir));
} else {
return Err(Error::BadKeyPath(public_keyfile.as_ref().to_string_lossy().into_owned()));
}

if let Some(sk_dir) = secret_keyfile.as_ref().parent() {
try!(fs::create_dir_all(sk_dir));
} else {
return Err(Error::BadKeyPath(secret_keyfile.as_ref().to_string_lossy().into_owned()));
}
fn write_keypair_files<P: AsRef<Path>>(&self,
key_type: KeyType,
keyname: &str,
public_keyfile: Option<P>,
public_content: Option<&Vec<u8>>,
secret_keyfile: P,
secret_content: &Vec<u8>)
-> Result<()> {
if let Some(public_keyfile) = public_keyfile {
let public_version = match key_type {
KeyType::Sig => PUBLIC_SIG_KEY_VERSION,
KeyType::Box => PUBLIC_BOX_KEY_VERSION,
KeyType::Sym => unreachable!("Sym keys do not have a public key"),
};

if public_keyfile.as_ref().exists() && public_keyfile.as_ref().is_file() {
return Err(Error::CryptoError(format!("Public keyfile already exists {}",
public_keyfile.as_ref().display())));
}
let public_content = match public_content {
Some(c) => c,
None => return Err(Error::CryptoError(format!("Invalid calling of this function"))),
};

if secret_keyfile.as_ref().exists() && secret_keyfile.as_ref().is_file() {
return Err(Error::CryptoError(format!("Secret keyfile already exists {}",
secret_keyfile.as_ref().display())));
if let Some(pk_dir) = public_keyfile.as_ref().parent() {
try!(fs::create_dir_all(pk_dir));
} else {
return Err(Error::BadKeyPath(public_keyfile.as_ref()
.to_string_lossy()
.into_owned()));
}
if public_keyfile.as_ref().exists() && public_keyfile.as_ref().is_file() {
return Err(Error::CryptoError(format!("Public keyfile already exists {}",
public_keyfile.as_ref().display())));
}
let public_file = try!(File::create(public_keyfile.as_ref()));
let mut public_writer = BufWriter::new(&public_file);
try!(write!(public_writer, "{}\n{}\n\n", public_version, keyname));
try!(public_writer.write_all(public_content));
try!(perm::set_permissions(public_keyfile, PUBLIC_KEY_PERMISSIONS));
}

let public_file = try!(File::create(public_keyfile.as_ref()));
let mut public_writer = BufWriter::new(&public_file);
try!(public_writer.write_all(public_content));
try!(perm::set_permissions(public_keyfile, PUBLIC_KEY_PERMISSIONS));

let secret_file = try!(File::create(secret_keyfile.as_ref()));
let mut secret_writer = BufWriter::new(&secret_file);
try!(secret_writer.write_all(secret_content));
try!(perm::set_permissions(secret_keyfile, SECRET_KEY_PERMISSIONS));
Ok(())
}

fn write_sym_key_file<K: AsRef<Path>>(&self,
keyname: &str,
secret_keyfile: K,
secret_content: &Vec<u8>)
-> Result<()> {
let secret_version = match key_type {
KeyType::Sig => SECRET_SIG_KEY_VERSION,
KeyType::Box => SECRET_BOX_KEY_VERSION,
KeyType::Sym => SECRET_SYM_KEY_VERSION,
};
if let Some(sk_dir) = secret_keyfile.as_ref().parent() {
try!(fs::create_dir_all(sk_dir));
} else {
return Err(Error::BadKeyPath(secret_keyfile.as_ref().to_string_lossy().into_owned()));
}

if secret_keyfile.as_ref().exists() && secret_keyfile.as_ref().is_file() {
return Err(Error::CryptoError(format!("Secret keyfile already exists {}",
secret_keyfile.as_ref().display())));
}

let secret_file = try!(File::create(secret_keyfile.as_ref()));
let mut secret_writer = BufWriter::new(&secret_file);
try!(write!(secret_writer, "{}\n{}\n\n", SYM_KEY_VERSION, keyname));
try!(write!(secret_writer, "{}\n{}\n\n", secret_version, keyname));
try!(secret_writer.write_all(secret_content));
try!(perm::set_permissions(secret_keyfile, SECRET_KEY_PERMISSIONS));

Ok(())
}

Expand Down Expand Up @@ -918,27 +969,11 @@ impl Context {
let secret_keyfile = self.mk_key_filename(&self.key_cache,
key_with_rev,
SECRET_SYM_KEY_SUFFIX);
self.read_key_bytes_after_header(&secret_keyfile)
self.read_key_bytes(&secret_keyfile)
}

/// Read a file into a Vec<u8>
fn read_key_bytes(&self, keyfile: &str) -> Result<Vec<u8>> {
let mut f = try!(File::open(keyfile));
let mut s = String::new();
if try!(f.read_to_string(&mut s)) <= 0 {
return Err(Error::CryptoError("Can't read key bytes".to_string()));
}
match s.as_bytes().from_base64() {
Ok(keybytes) => Ok(keybytes),
Err(e) => {
return Err(Error::CryptoError(format!("Can't read raw key from {}: {}",
keyfile,
e)))
}
}
}

fn read_key_bytes_after_header(&self, keyfile: &str) -> Result<Vec<u8>> {
let mut f = try!(File::open(keyfile));
let mut s = String::new();
if try!(f.read_to_string(&mut s)) <= 0 {
Expand Down
1 change: 1 addition & 0 deletions components/core/src/package/archive.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -267,6 +267,7 @@ mod test {
use super::*;

#[test]
#[ignore] // This is being ignored until a new artifact can be generated to replace this fixture
fn reading_artifact_metadata() {
let mut hart = PackageArchive::new(fixtures()
.join("core-hab-sup-0.4.0-20160416170100.hab"));
Expand Down
6 changes: 3 additions & 3 deletions components/core/tests/crypto_tests/keygen.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -281,11 +281,11 @@ fn crypto_hash_file() {
let fixture = path::fixture("signme.dat");
let h = match crypto_ctx.hash_file(&fixture) {
Ok(hash) => hash,
Err(e) => panic!("Can't hash file {}", e)
Err(e) => panic!("Can't hash file {}", e),
};
// note: the b2sum program takes the -l parameter as the # of BITS,
// BLAKE2b defaults to 32 BYTES, so we use 8 * 32 = 256
//b2sum -l 256 tests/fixtures/signme.dat
//20590a52c4f00588c500328b16d466c982a26fabaa5fa4dcc83052dd0a84f233 ./signme.dat
// b2sum -l 256 tests/fixtures/signme.dat
// 20590a52c4f00588c500328b16d466c982a26fabaa5fa4dcc83052dd0a84f233 ./signme.dat
assert!(&h == "20590a52c4f00588c500328b16d466c982a26fabaa5fa4dcc83052dd0a84f233");
}