diff options
author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2016-05-03T13·11+0200 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2016-05-04T09·01+0200 |
commit | f435f8247553656774dd1b2c88e9de5d59cab203 (patch) | |
tree | 550a54804dbc4e926dacc8e6dafc400a353a70b8 /src/libstore | |
parent | dfebfc835f7b8156a559314bcd1ecff739c14fd1 (diff) |
Remove OpenSSL-based signing
Diffstat (limited to 'src/libstore')
-rw-r--r-- | src/libstore/binary-cache-store.cc | 9 | ||||
-rw-r--r-- | src/libstore/binary-cache-store.hh | 4 | ||||
-rw-r--r-- | src/libstore/local-store.cc | 77 | ||||
-rw-r--r-- | src/libstore/local-store.hh | 7 | ||||
-rw-r--r-- | src/libstore/remote-store.cc | 9 | ||||
-rw-r--r-- | src/libstore/remote-store.hh | 5 | ||||
-rw-r--r-- | src/libstore/store-api.cc | 9 | ||||
-rw-r--r-- | src/libstore/store-api.hh | 11 |
8 files changed, 29 insertions, 102 deletions
diff --git a/src/libstore/binary-cache-store.cc b/src/libstore/binary-cache-store.cc index 411d10130a31..41b1fa026af8 100644 --- a/src/libstore/binary-cache-store.cc +++ b/src/libstore/binary-cache-store.cc @@ -156,10 +156,8 @@ void BinaryCacheStore::narFromPath(const Path & storePath, Sink & sink) sink((unsigned char *) nar->c_str(), nar->size()); } -void BinaryCacheStore::exportPath(const Path & storePath, bool sign, Sink & sink) +void BinaryCacheStore::exportPath(const Path & storePath, Sink & sink) { - assert(!sign); - auto res = queryPathInfo(storePath); narFromPath(storePath, sink); @@ -169,10 +167,9 @@ void BinaryCacheStore::exportPath(const Path & storePath, bool sign, Sink & sink sink << exportMagic << storePath << res->references << res->deriver << 0; } -Paths BinaryCacheStore::importPaths(bool requireSignature, Source & source, +Paths BinaryCacheStore::importPaths(Source & source, std::shared_ptr<FSAccessor> accessor) { - assert(!requireSignature); Paths res; while (true) { unsigned long long n = readLongLong(source); @@ -346,7 +343,7 @@ struct BinaryCacheStoreAccessor : public FSAccessor if (i != nars.end()) return {i->second, restPath}; StringSink sink; - store->exportPath(storePath, false, sink); + store->exportPath(storePath, sink); auto accessor = makeNarAccessor(sink.s); nars.emplace(storePath, accessor); diff --git a/src/libstore/binary-cache-store.hh b/src/libstore/binary-cache-store.hh index 46a38a1e0fc3..eb03c5f26da3 100644 --- a/src/libstore/binary-cache-store.hh +++ b/src/libstore/binary-cache-store.hh @@ -91,9 +91,9 @@ public: void narFromPath(const Path & path, Sink & sink) override; - void exportPath(const Path & path, bool sign, Sink & sink) override; + void exportPath(const Path & path, Sink & sink) override; - Paths importPaths(bool requireSignature, Source & source, + Paths importPaths(Source & source, std::shared_ptr<FSAccessor> accessor) override; Path importPath(Source & source, std::shared_ptr<FSAccessor> accessor); diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index 01a11f11f65d..42e4ab9f4aff 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -1035,18 +1035,7 @@ struct HashAndWriteSink : Sink }; -static void checkSecrecy(const Path & path) -{ - struct stat st; - if (stat(path.c_str(), &st)) - throw SysError(format("getting status of ‘%1%’") % path); - if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0) - throw Error(format("file ‘%1%’ should be secret (inaccessible to everybody else)!") % path); -} - - -void LocalStore::exportPath(const Path & path, bool sign, - Sink & sink) +void LocalStore::exportPath(const Path & path, Sink & sink) { assertStorePath(path); @@ -1068,30 +1057,7 @@ void LocalStore::exportPath(const Path & path, bool sign, hashAndWriteSink << exportMagic << path << info->references << info->deriver; - if (sign) { - Hash hash = hashAndWriteSink.currentHash(); - - Path tmpDir = createTempDir(); - AutoDelete delTmp(tmpDir); - Path hashFile = tmpDir + "/hash"; - writeFile(hashFile, printHash(hash)); - - Path secretKey = settings.nixConfDir + "/signing-key.sec"; - checkSecrecy(secretKey); - - Strings args; - args.push_back("rsautl"); - args.push_back("-sign"); - args.push_back("-inkey"); - args.push_back(secretKey); - args.push_back("-in"); - args.push_back(hashFile); - string signature = runProgram(OPENSSL_PATH, true, args); - - hashAndWriteSink << 1 << signature; - - } else - hashAndWriteSink << 0; + hashAndWriteSink << 0; // backwards compatibility } @@ -1129,7 +1095,7 @@ Path LocalStore::createTempDirInStore() } -Path LocalStore::importPath(bool requireSignature, Source & source) +Path LocalStore::importPath(Source & source) { HashAndReadSource hashAndReadSource(source); @@ -1160,36 +1126,9 @@ Path LocalStore::importPath(bool requireSignature, Source & source) bool haveSignature = readInt(hashAndReadSource) == 1; - if (requireSignature && !haveSignature) - throw Error(format("imported archive of ‘%1%’ lacks a signature") % dstPath); - - if (haveSignature) { - string signature = readString(hashAndReadSource); - - if (requireSignature) { - Path sigFile = tmpDir + "/sig"; - writeFile(sigFile, signature); - - Strings args; - args.push_back("rsautl"); - args.push_back("-verify"); - args.push_back("-inkey"); - args.push_back(settings.nixConfDir + "/signing-key.pub"); - args.push_back("-pubin"); - args.push_back("-in"); - args.push_back(sigFile); - string hash2 = runProgram(OPENSSL_PATH, true, args); - - /* Note: runProgram() throws an exception if the signature - is invalid. */ - - if (printHash(hash) != hash2) - throw Error( - "signed hash doesn't match actual contents of imported " - "archive; archive could be corrupt, or someone is trying " - "to import a Trojan horse"); - } - } + if (haveSignature) + // Ignore legacy signature. + readString(hashAndReadSource); /* Do the actual import. */ @@ -1239,7 +1178,7 @@ Path LocalStore::importPath(bool requireSignature, Source & source) } -Paths LocalStore::importPaths(bool requireSignature, Source & source, +Paths LocalStore::importPaths(Source & source, std::shared_ptr<FSAccessor> accessor) { Paths res; @@ -1247,7 +1186,7 @@ Paths LocalStore::importPaths(bool requireSignature, Source & source, unsigned long long n = readLongLong(source); if (n == 0) break; if (n != 1) throw Error("input doesn't look like something created by ‘nix-store --export’"); - res.push_back(importPath(requireSignature, source)); + res.push_back(importPath(source)); } return res; } diff --git a/src/libstore/local-store.hh b/src/libstore/local-store.hh index 6f2341decfbd..d3cde7408153 100644 --- a/src/libstore/local-store.hh +++ b/src/libstore/local-store.hh @@ -126,10 +126,9 @@ public: Path addTextToStore(const string & name, const string & s, const PathSet & references, bool repair = false) override; - void exportPath(const Path & path, bool sign, - Sink & sink) override; + void exportPath(const Path & path, Sink & sink) override; - Paths importPaths(bool requireSignature, Source & source, + Paths importPaths(Source & source, std::shared_ptr<FSAccessor> accessor) override; void buildPaths(const PathSet & paths, BuildMode buildMode) override; @@ -230,7 +229,7 @@ private: Path createTempDirInStore(); - Path importPath(bool requireSignature, Source & source); + Path importPath(Source & source); void checkDerivationOutputs(const Path & drvPath, const Derivation & drv); diff --git a/src/libstore/remote-store.cc b/src/libstore/remote-store.cc index 5a254a6104f4..1616f98f00bb 100644 --- a/src/libstore/remote-store.cc +++ b/src/libstore/remote-store.cc @@ -373,23 +373,20 @@ Path RemoteStore::addTextToStore(const string & name, const string & s, } -void RemoteStore::exportPath(const Path & path, bool sign, - Sink & sink) +void RemoteStore::exportPath(const Path & path, Sink & sink) { auto conn(connections->get()); - conn->to << wopExportPath << path << (sign ? 1 : 0); + conn->to << wopExportPath << path << 0; conn->processStderr(&sink); /* sink receives the actual data */ readInt(conn->from); } -Paths RemoteStore::importPaths(bool requireSignature, Source & source, +Paths RemoteStore::importPaths(Source & source, std::shared_ptr<FSAccessor> accessor) { auto conn(connections->get()); conn->to << wopImportPaths; - /* We ignore requireSignature, since the worker forces it to true - anyway. */ conn->processStderr(0, &source); return readStorePaths<Paths>(conn->from); } diff --git a/src/libstore/remote-store.hh b/src/libstore/remote-store.hh index 8e45a7449e2e..f4fd96a6145f 100644 --- a/src/libstore/remote-store.hh +++ b/src/libstore/remote-store.hh @@ -58,10 +58,9 @@ public: Path addTextToStore(const string & name, const string & s, const PathSet & references, bool repair = false) override; - void exportPath(const Path & path, bool sign, - Sink & sink) override; + void exportPath(const Path & path, Sink & sink) override; - Paths importPaths(bool requireSignature, Source & source, + Paths importPaths(Source & source, std::shared_ptr<FSAccessor> accessor) override; void buildPaths(const PathSet & paths, BuildMode buildMode) override; diff --git a/src/libstore/store-api.cc b/src/libstore/store-api.cc index b03e4080afc2..c6cc46c6096d 100644 --- a/src/libstore/store-api.cc +++ b/src/libstore/store-api.cc @@ -363,10 +363,10 @@ void copyStorePath(ref<Store> srcStore, ref<Store> dstStore, auto info = srcStore->queryPathInfo(storePath); StringSink sink; - srcStore->exportPaths({storePath}, false, sink); + srcStore->exportPaths({storePath}, sink); StringSource source(*sink.s); - dstStore->importPaths(false, source, 0); + dstStore->importPaths(source, 0); } @@ -406,12 +406,11 @@ string showPaths(const PathSet & paths) } -void Store::exportPaths(const Paths & paths, - bool sign, Sink & sink) +void Store::exportPaths(const Paths & paths, Sink & sink) { for (auto & i : paths) { sink << 1; - exportPath(i, sign, sink); + exportPath(i, sink); } sink << 0; } diff --git a/src/libstore/store-api.hh b/src/libstore/store-api.hh index 099aa1d67b68..95ad5136d965 100644 --- a/src/libstore/store-api.hh +++ b/src/libstore/store-api.hh @@ -270,21 +270,18 @@ public: virtual void narFromPath(const Path & path, Sink & sink) = 0; /* Export a store path, that is, create a NAR dump of the store - path and append its references and its deriver. Optionally, a - cryptographic signature (created by OpenSSL) of the preceding - data is attached. */ - virtual void exportPath(const Path & path, bool sign, - Sink & sink) = 0; + path and append its references and its deriver. */ + virtual void exportPath(const Path & path, Sink & sink) = 0; /* Export multiple paths in the format expected by ‘nix-store --import’. */ - void exportPaths(const Paths & paths, bool sign, Sink & sink); + void exportPaths(const Paths & paths, Sink & sink); /* Import a sequence of NAR dumps created by exportPaths() into the Nix store. Optionally, the contents of the NARs are preloaded into the specified FS accessor to speed up subsequent access. */ - virtual Paths importPaths(bool requireSignature, Source & source, + virtual Paths importPaths(Source & source, std::shared_ptr<FSAccessor> accessor) = 0; /* For each path, if it's a derivation, build it. Building a |