pk-crypto: Don't use Ed25519 when libgcrypt is older than 1.6.0.
* guix/pk-crypto.scm (gcrypt-version): New procedure. * guix/scripts/archive.scm (%key-generation-parameters): New variable. (%options) <generate-key>: Use it. * tests/pk-crypto.scm ("sign + verify, Ed25519"): Skip if using gcrypt < 1.6.0.
parent
2f66e64c53
commit
1fda6840a8
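--- a/guix/pk-crypto.scm
+++ b/guix/pk-crypto.scm
@@ -24,7 +24,8 @@
 #:use-module (system foreign)
 #:use-module (rnrs bytevectors)
 #:use-module (ice-9 match)
-#:export (canonical-sexp?
+#:export (gcrypt-version
+canonical-sexp?
 error-source
 error-string
 string->canonical-sexp
@@ -86,6 +87,17 @@
 "Return a pointer to symbol FUNC in libgcrypt."
 (dynamic-func func lib))))
 
+(define gcrypt-version
+;; According to the manual, this function must be called before any other,
+;; and it's not clear whether it can be called more than once. So call it
+;; right here from the top level.
+(let* ((ptr (libgcrypt-func "gcry_check_version"))
+(proc (pointer->procedure '* ptr '(*)))
+(version (pointer->string (proc %null-pointer))))
+(lambda ()
+"Return the version number of libgcrypt as a string."
+version)))
+
 (define finalize-canonical-sexp!
 (libgcrypt-func "gcry_sexp_release"))
 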
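Review bot: `gcrypt-version` passes `%null-pointer` as the required-version argument of `gcry_check_version`, so the call only initializes libgcrypt and reports its version; no minimum is enforced and an old library loads silently, leaving every feature gate to callers that compare the returned string. The comment above the `let*` should say so, e.g. `;; A null argument means no minimum version is enforced here: this call only` / `;; initializes libgcrypt and records its version; callers gate features on it.` Because the `let*` runs at top level, a missing `gcry_check_version` symbol now fails at module load rather than on first use, which is worth a word in the docstring of the returned thunk. The other definitions visible in this hunk (`finalize-canonical-sexp!`) are only symbol lookups, so their position after the initializing call looks fine as shown.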
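--- a/guix/scripts/archive.scm
+++ b/guix/scripts/archive.scm
@@ -87,6 +87,13 @@ Export/import one or more packages from/to the store.\n"))
 (newline)
 (show-bug-report-information))
 
+(define %key-generation-parameters
+;; Default key generation parameters. We prefer Ed25519, but it was
+;; introduced in libgcrypt 1.6.0.
+(if (version>? (gcrypt-version) "1.6.0")
+"(genkey (ecdsa (curve Ed25519) (flags rfc6979)))"
+"(genkey (rsa (nbits 4:4096)))"))
+
 (define %options
 ;; Specifications of the command-line options.
 (cons* (option '(#\h "help") #f #f
@@ -114,8 +121,7 @@ Export/import one or more packages from/to the store.\n"))
 ;; libgcrypt 1.6.0.
 (let ((params
 (string->canonical-sexp
-(or arg "\
-(genkey (ecdsa (curve Ed25519) (flags rfc6979)))"))))
+(or arg %key-generation-parameters))))
 (alist-cons 'generate-key params result)))
 (lambda (key err)
 (leave (_ "invalid key generation parameters: ~a: ~a~%")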
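Review bot: The gate `(version>? (gcrypt-version) "1.6.0")` in `%key-generation-parameters` is a strict comparison, so a libgcrypt that is exactly 1.6.0 — the release the comment itself names as the one that introduced Ed25519 — is sent to the RSA fallback; the `test-skip` added to tests/pk-crypto.scm has the same off-by-one and would skip the Ed25519 test on 1.6.0. Both should use a non-strict comparison: `(version>=? (gcrypt-version) "1.6.0")` where (guix utils) provides it, otherwise `(not (version>? "1.6.0" (gcrypt-version)))`. Since `%key-generation-parameters` is evaluated when the module loads, the libgcrypt version is fixed at load time, which the comment could state. In the second hunk the `generate-key` option handler begins before the hunk; a user-supplied ARG still bypasses the version gate, which appears intended but deserves a mention in the comment ending with `;; libgcrypt 1.6.0.`.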
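--- a/tests/pk-crypto.scm
+++ b/tests/pk-crypto.scm
@@ -184,6 +184,8 @@
 #:key-type (key-type public))
 public)))))
 
+;; Ed25519 appeared in libgcrypt 1.6.0.
+(test-skip (if (version>? (gcrypt-version) "1.6.0") 0 1))
 (test-assert "sign + verify, Ed25519"
 (let* ((pair (string->canonical-sexp %ecc-key-pair))
 (secret (find-sexp-token pair 'private-key))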