2013-12-29 09:53:49 -05:00
|
|
|
;;; GNU Guix --- Functional package management for GNU
|
2022-12-12 08:55:32 -05:00
|
|
|
;;; Copyright © 2013, 2014, 2016, 2022 Ludovic Courtès <ludo@gnu.org>
|
2013-12-29 09:53:49 -05:00
|
|
|
;;;
|
|
|
|
;;; This file is part of GNU Guix.
|
|
|
|
;;;
|
|
|
|
;;; GNU Guix is free software; you can redistribute it and/or modify it
|
|
|
|
;;; under the terms of the GNU General Public License as published by
|
|
|
|
;;; the Free Software Foundation; either version 3 of the License, or (at
|
|
|
|
;;; your option) any later version.
|
|
|
|
;;;
|
|
|
|
;;; GNU Guix is distributed in the hope that it will be useful, but
|
|
|
|
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
;;; GNU General Public License for more details.
|
|
|
|
;;;
|
|
|
|
;;; You should have received a copy of the GNU General Public License
|
|
|
|
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
|
(define-module (guix pki)
|
|
|
|
#:use-module (guix config)
|
Switch to Guile-Gcrypt.
This removes (guix hash) and (guix pk-crypto), which now live as part of
Guile-Gcrypt (version 0.1.0.)
* guix/gcrypt.scm, guix/hash.scm, guix/pk-crypto.scm,
tests/hash.scm, tests/pk-crypto.scm: Remove.
* configure.ac: Test for Guile-Gcrypt. Remove LIBGCRYPT and
LIBGCRYPT_LIBDIR assignments.
* m4/guix.m4 (GUIX_ASSERT_LIBGCRYPT_USABLE): Remove.
* README: Add Guile-Gcrypt to the dependencies; move libgcrypt as
"required unless --disable-daemon".
* doc/guix.texi (Requirements): Likewise.
* gnu/packages/bash.scm, guix/derivations.scm, guix/docker.scm,
guix/git.scm, guix/http-client.scm, guix/import/cpan.scm,
guix/import/cran.scm, guix/import/crate.scm, guix/import/elpa.scm,
guix/import/gnu.scm, guix/import/hackage.scm,
guix/import/texlive.scm, guix/import/utils.scm, guix/nar.scm,
guix/pki.scm, guix/scripts/archive.scm,
guix/scripts/authenticate.scm, guix/scripts/download.scm,
guix/scripts/hash.scm, guix/scripts/pack.scm,
guix/scripts/publish.scm, guix/scripts/refresh.scm,
guix/scripts/substitute.scm, guix/store.scm,
guix/store/deduplication.scm, guix/tests.scm, tests/base32.scm,
tests/builders.scm, tests/challenge.scm, tests/cpan.scm,
tests/crate.scm, tests/derivations.scm, tests/gem.scm,
tests/nar.scm, tests/opam.scm, tests/pki.scm,
tests/publish.scm, tests/pypi.scm, tests/store-deduplication.scm,
tests/store.scm, tests/substitute.scm: Adjust imports.
* gnu/system/vm.scm: Likewise.
(guile-sqlite3&co): Rename to...
(gcrypt-sqlite3&co): ... this. Add GUILE-GCRYPT.
(expression->derivation-in-linux-vm)[config]: Remove.
(iso9660-image)[config]: Remove.
(qemu-image)[config]: Remove.
(system-docker-image)[config]: Remove.
* guix/scripts/pack.scm: Adjust imports.
(guile-sqlite3&co): Rename to...
(gcrypt-sqlite3&co): ... this. Add GUILE-GCRYPT.
(self-contained-tarball)[build]: Call 'make-config.scm' without
#:libgcrypt argument.
(squashfs-image)[libgcrypt]: Remove.
[build]: Call 'make-config.scm' without #:libgcrypt.
(docker-image)[config, json]: Remove.
[build]: Add GUILE-GCRYPT to the extensions Remove (guix config) from
the imported modules.
* guix/self.scm (specification->package): Remove "libgcrypt", add
"guile-gcrypt".
(compiled-guix): Remove #:libgcrypt.
[guile-gcrypt]: New variable.
[dependencies]: Add it.
[*core-modules*]: Remove #:libgcrypt from 'make-config.scm' call.
Add #:extensions.
[*config*]: Remove #:libgcrypt from 'make-config.scm' call.
(%dependency-variables): Remove %libgcrypt.
(make-config.scm): Remove #:libgcrypt.
* build-aux/build-self.scm (guile-gcrypt): New variable.
(make-config.scm): Remove #:libgcrypt.
(build-program)[fake-gcrypt-hash]: New variable.
Add (gcrypt hash) to the imported modules. Adjust load path
assignments.
* gnu/packages/package-management.scm (guix)[propagated-inputs]: Add
GUILE-GCRYPT.
[arguments]: In 'wrap-program' phase, add GUILE-GCRYPT to the search
path.
2018-08-31 11:07:07 -04:00
|
|
|
#:use-module (gcrypt pk-crypto)
|
2013-12-29 09:53:49 -05:00
|
|
|
#:use-module ((guix utils) #:select (with-atomic-file-output))
|
2014-01-05 17:40:06 -05:00
|
|
|
#:use-module ((guix build utils) #:select (mkdir-p))
|
2022-12-12 08:55:32 -05:00
|
|
|
#:autoload (srfi srfi-1) (delete-duplicates)
|
2013-12-29 09:53:49 -05:00
|
|
|
#:use-module (ice-9 match)
|
2016-10-19 08:28:56 -04:00
|
|
|
#:use-module (ice-9 rdelim)
|
2013-12-29 09:53:49 -05:00
|
|
|
#:export (%public-key-file
|
2013-12-30 16:46:21 -05:00
|
|
|
%private-key-file
|
2013-12-30 17:18:52 -05:00
|
|
|
%acl-file
|
2013-12-29 09:53:49 -05:00
|
|
|
current-acl
|
|
|
|
public-keys->acl
|
|
|
|
acl->public-keys
|
2014-01-23 16:23:22 -05:00
|
|
|
authorized-key?
|
2014-04-03 18:23:17 -04:00
|
|
|
write-acl
|
2014-01-23 16:23:22 -05:00
|
|
|
|
2013-12-29 09:53:49 -05:00
|
|
|
signature-sexp
|
2014-01-23 16:23:22 -05:00
|
|
|
signature-subject
|
|
|
|
signature-signed-data
|
2014-03-31 17:34:20 -04:00
|
|
|
valid-signature?
|
|
|
|
signature-case))
|
2013-12-29 09:53:49 -05:00
|
|
|
|
|
|
|
;;; Commentary:
|
|
|
|
;;;
|
|
|
|
;;; Public key infrastructure for the authentication and authorization of
|
|
|
|
;;; archive imports. This is essentially a subset of SPKI for our own
|
|
|
|
;;; purposes (see <http://theworld.com/~cme/spki.txt> and
|
|
|
|
;;; <http://www.ietf.org/rfc/rfc2693.txt>.)
|
|
|
|
;;;
|
|
|
|
;;; Code:
|
|
|
|
|
|
|
|
(define (public-keys->acl keys)
|
2014-04-01 17:46:23 -04:00
|
|
|
"Return an ACL that lists all of KEYS with a '(guix import)'
|
2013-12-29 09:53:49 -05:00
|
|
|
tag---meaning that all of KEYS are authorized for archive imports. Each
|
|
|
|
element in KEYS must be a canonical sexp with type 'public-key'."
|
2014-04-01 17:46:23 -04:00
|
|
|
|
|
|
|
;; Use SPKI-style ACL entry sexp for PUBLIC-KEY, authorizing imports
|
|
|
|
;; signed by the corresponding secret key (see the IETF draft at
|
|
|
|
;; <http://theworld.com/~cme/spki.txt> for the ACL format.)
|
|
|
|
;;
|
|
|
|
;; Note: We always use PUBLIC-KEY to designate the subject. Someday we may
|
|
|
|
;; want to have name certificates and to use subject names instead of
|
|
|
|
;; complete keys.
|
|
|
|
`(acl ,@(map (lambda (key)
|
2022-12-12 08:55:32 -05:00
|
|
|
`(entry ,key
|
2014-04-01 17:46:23 -04:00
|
|
|
(tag (guix import))))
|
2022-12-12 08:55:32 -05:00
|
|
|
(delete-duplicates
|
|
|
|
(map canonical-sexp->sexp keys)))))
|
2013-12-29 09:53:49 -05:00
|
|
|
|
|
|
|
(define %acl-file
|
|
|
|
(string-append %config-directory "/acl"))
|
|
|
|
|
|
|
|
(define %public-key-file
|
|
|
|
(string-append %config-directory "/signing-key.pub"))
|
|
|
|
|
2013-12-30 16:46:21 -05:00
|
|
|
(define %private-key-file
|
|
|
|
(string-append %config-directory "/signing-key.sec"))
|
|
|
|
|
2013-12-29 09:53:49 -05:00
|
|
|
(define (ensure-acl)
|
|
|
|
"Make sure the ACL file exists, and create an initialized one if needed."
|
|
|
|
(unless (file-exists? %acl-file)
|
|
|
|
;; If there's no public key file, don't attempt to create the ACL.
|
|
|
|
(when (file-exists? %public-key-file)
|
|
|
|
(let ((public-key (call-with-input-file %public-key-file
|
|
|
|
(compose string->canonical-sexp
|
2016-10-19 08:28:56 -04:00
|
|
|
read-string))))
|
2014-01-05 17:40:06 -05:00
|
|
|
(mkdir-p (dirname %acl-file))
|
2013-12-29 09:53:49 -05:00
|
|
|
(with-atomic-file-output %acl-file
|
|
|
|
(lambda (port)
|
2014-04-03 18:23:17 -04:00
|
|
|
(write-acl (public-keys->acl (list public-key))
|
|
|
|
port)))))))
|
|
|
|
|
|
|
|
(define (write-acl acl port)
|
|
|
|
"Write ACL to PORT in canonical-sexp format."
|
|
|
|
(let ((sexp (sexp->canonical-sexp acl)))
|
|
|
|
(display (canonical-sexp->string sexp) port)))
|
2013-12-29 09:53:49 -05:00
|
|
|
|
|
|
|
(define (current-acl)
|
2014-04-01 17:46:23 -04:00
|
|
|
"Return the current ACL."
|
2013-12-29 09:53:49 -05:00
|
|
|
(ensure-acl)
|
|
|
|
(if (file-exists? %acl-file)
|
|
|
|
(call-with-input-file %acl-file
|
2014-04-01 17:46:23 -04:00
|
|
|
(compose canonical-sexp->sexp
|
|
|
|
string->canonical-sexp
|
2016-10-19 08:28:56 -04:00
|
|
|
read-string))
|
2013-12-29 09:53:49 -05:00
|
|
|
(public-keys->acl '()))) ; the empty ACL
|
|
|
|
|
|
|
|
(define (acl->public-keys acl)
|
|
|
|
"Return the public keys (as canonical sexps) listed in ACL with the '(guix
|
|
|
|
import)' tag."
|
2014-04-01 17:46:23 -04:00
|
|
|
(match acl
|
2013-12-29 09:53:49 -05:00
|
|
|
(('acl
|
|
|
|
('entry subject-keys
|
|
|
|
('tag ('guix 'import)))
|
|
|
|
...)
|
|
|
|
(map sexp->canonical-sexp subject-keys))
|
|
|
|
(_
|
|
|
|
(error "invalid access-control list" acl))))
|
|
|
|
|
2014-04-01 17:46:23 -04:00
|
|
|
(define* (authorized-key? key #:optional (acl (current-acl)))
|
2013-12-29 09:53:49 -05:00
|
|
|
"Return #t if KEY (a canonical sexp) is an authorized public key for archive
|
|
|
|
imports according to ACL."
|
2014-04-01 17:46:23 -04:00
|
|
|
;; Note: ACL is kept in native sexp form to make 'authorized-key?' faster,
|
|
|
|
;; by not having to convert it with 'canonical-sexp->sexp' on each call.
|
|
|
|
;; TODO: We could use a better data type for ACLs.
|
2013-12-29 09:53:49 -05:00
|
|
|
(let ((key (canonical-sexp->sexp key)))
|
2014-04-01 17:46:23 -04:00
|
|
|
(match acl
|
2013-12-29 09:53:49 -05:00
|
|
|
(('acl
|
|
|
|
('entry subject-keys
|
|
|
|
('tag ('guix 'import)))
|
|
|
|
...)
|
|
|
|
(not (not (member key subject-keys))))
|
|
|
|
(_
|
|
|
|
(error "invalid access-control list" acl)))))
|
|
|
|
|
|
|
|
(define (signature-sexp data secret-key public-key)
|
|
|
|
"Return a SPKI-style sexp for the signature of DATA with SECRET-KEY that
|
|
|
|
includes DATA, the actual signature value (with a 'sig-val' tag), and
|
|
|
|
PUBLIC-KEY (see <http://theworld.com/~cme/spki.txt> for examples.)"
|
|
|
|
(string->canonical-sexp
|
|
|
|
(format #f
|
|
|
|
"(signature ~a ~a ~a)"
|
|
|
|
(canonical-sexp->string data)
|
|
|
|
(canonical-sexp->string (sign data secret-key))
|
|
|
|
(canonical-sexp->string public-key))))
|
|
|
|
|
2014-01-23 16:23:22 -05:00
|
|
|
(define (signature-subject sig)
|
|
|
|
"Return the signer's public key for SIG."
|
|
|
|
(find-sexp-token sig 'public-key))
|
|
|
|
|
|
|
|
(define (signature-signed-data sig)
|
|
|
|
"Return the signed data from SIG, typically an sexp such as
|
|
|
|
(hash \"sha256\" #...#)."
|
|
|
|
(find-sexp-token sig 'data))
|
|
|
|
|
|
|
|
(define (valid-signature? sig)
|
|
|
|
"Return #t if SIG is valid."
|
|
|
|
(let* ((data (signature-signed-data sig))
|
|
|
|
(signature (find-sexp-token sig 'sig-val))
|
|
|
|
(public-key (signature-subject sig)))
|
|
|
|
(and data signature
|
|
|
|
(verify signature data public-key))))
|
|
|
|
|
2014-03-31 17:34:20 -04:00
|
|
|
(define* (%signature-status signature hash
|
|
|
|
#:optional (acl (current-acl)))
|
|
|
|
"Return a symbol denoting the status of SIGNATURE vs. HASH vs. ACL.
|
|
|
|
|
|
|
|
This procedure must only be used internally, because it would be easy to
|
|
|
|
forget some of the cases."
|
|
|
|
(let ((subject (signature-subject signature))
|
|
|
|
(data (signature-signed-data signature)))
|
|
|
|
(if (and data subject)
|
|
|
|
(if (authorized-key? subject acl)
|
|
|
|
(if (equal? (hash-data->bytevector data) hash)
|
|
|
|
(if (valid-signature? signature)
|
|
|
|
'valid-signature
|
|
|
|
'invalid-signature)
|
|
|
|
'hash-mismatch)
|
|
|
|
'unauthorized-key)
|
|
|
|
'corrupt-signature)))
|
|
|
|
|
|
|
|
(define-syntax signature-case
|
|
|
|
(syntax-rules (valid-signature invalid-signature
|
|
|
|
hash-mismatch unauthorized-key corrupt-signature
|
|
|
|
else)
|
|
|
|
"\
|
|
|
|
Match the cases of the verification of SIGNATURE against HASH and ACL:
|
|
|
|
|
|
|
|
- the 'valid-signature' case if SIGNATURE is indeed a signature of HASH with
|
|
|
|
a key present in ACL;
|
|
|
|
- 'invalid-signature' if SIGNATURE is incorrect;
|
|
|
|
- 'hash-mismatch' if the hash in SIGNATURE does not match HASH;
|
|
|
|
- 'unauthorized-key' if the public key in SIGNATURE is not listed in ACL;
|
|
|
|
- 'corrupt-signature' if SIGNATURE is not a valid signature sexp.
|
|
|
|
|
|
|
|
This macro guarantees at compile-time that all these cases are handled.
|
|
|
|
|
|
|
|
SIGNATURE, and ACL must be canonical sexps; HASH must be a bytevector."
|
|
|
|
|
|
|
|
;; Simple case: we only care about valid signatures.
|
|
|
|
((_ (signature hash acl)
|
|
|
|
(valid-signature valid-exp ...)
|
|
|
|
(else else-exp ...))
|
|
|
|
(case (%signature-status signature hash acl)
|
|
|
|
((valid-signature) valid-exp ...)
|
|
|
|
(else else-exp ...)))
|
|
|
|
|
|
|
|
;; Full case.
|
|
|
|
((_ (signature hash acl)
|
|
|
|
(valid-signature valid-exp ...)
|
|
|
|
(invalid-signature invalid-exp ...)
|
|
|
|
(hash-mismatch mismatch-exp ...)
|
|
|
|
(unauthorized-key unauthorized-exp ...)
|
|
|
|
(corrupt-signature corrupt-exp ...))
|
|
|
|
(case (%signature-status signature hash acl)
|
|
|
|
((valid-signature) valid-exp ...)
|
|
|
|
((invalid-signature) invalid-exp ...)
|
|
|
|
((hash-mismatch) mismatch-exp ...)
|
|
|
|
((unauthorized-key) unauthorized-exp ...)
|
|
|
|
((corrupt-signature) corrupt-exp ...)
|
|
|
|
(else (error "bogus signature status"))))))
|
|
|
|
|
2013-12-29 09:53:49 -05:00
|
|
|
;;; pki.scm ends here
|