wala-rust

Content-adressed HTTP file server
Info | Log | Files | Refs | README | LICENSE

pgp.rs (18101B)


      1 //! This module provides authentication using PGP signatures.
      2 //!
      3 //! The public key and signature may be provided both as literal values from the individual PGP packets (i.e. raw public key and signature),
      4 //! or as the conventional packet bundle.
      5 //!
      6 //! If using bundle, the encoded data must be from the binary content, e.g. the output value of:
      7 //! 
      8 //! ``` ignore,
      9 //! gpg -b <file>
     10 //! ```
     11 //!
     12 //! Does not work for ECC secp256k1 signature.
     13 use std::io::Read;
     14 use crate::auth::{
     15     AuthSpec,
     16     AuthError,
     17     AuthResult,
     18 };
     19 use pgp::packet::{
     20     PublicKey,
     21     PacketParser,
     22     Signature,
     23 };
     24 //use pgp::errors::Error;
     25 use pgp::types::{
     26     Tag,
     27     Version,
     28     KeyTrait,
     29 };
     30 use pgp::composed::{
     31     SignedPublicKey,
     32     Deserializable,
     33     StandaloneSignature,
     34 };
     35 use pgp::ser::Serialize;
     36 use pgp::de::Deserialize;
     37 use base64;
     38 
     39 use log::{debug, info, error};
     40 
     41 
     42 fn check_key_single(data: &Vec<u8>) -> Option<PublicKey> {
     43     match PublicKey::from_slice(Version::Old, &data) {
     44         Ok(v) => {
     45             return Some(v);
     46         },
     47         Err(e) => {
     48         },
     49     };
     50     None
     51 }
     52 
     53 fn check_key_bundle(data: &Vec<u8>) -> Option<PublicKey> {
     54     match SignedPublicKey::from_bytes(&data[..]) {
     55         Ok(v) => {
     56             return Some(v.primary_key);
     57         },
     58         Err(e) => {},
     59     };
     60     None
     61 
     62 //    let mut packets = PacketParser::new(&data[..]);
     63 //    loop {
     64 //        match packets.next() {
     65 //            Some(packet) => {
     66 //                let v = packet.unwrap();
     67 //                if v.tag() == Tag::PublicKey {
     68 //                //Some(v) => {
     69 //                    let packet_bytes = v.to_bytes().unwrap();
     70 //                    //let key_pub = PublicKey::from_slice(v.packet_version(), &packet_bytes[..]).unwrap();
     71 //                    let key_pub_composed = SignedPublicKey::from_bytes(&packet_bytes[..]).unwrap();
     72 //                    return Some(key_pub_composed.primary_key);
     73 //                }
     74 //            },
     75 //            None => {
     76 //                break;
     77 //            },
     78 //        //},
     79 //        //_ => {},
     80 //        };
     81 //    };
     82 //    None
     83 }
     84 
     85 fn check_sig_single(public_key: &PublicKey, signature_data: Vec<u8>, mut message: impl Read, message_length: usize) -> bool {
     86     match Signature::from_slice(Version::Old, &signature_data) {
     87         Ok(v) => {
     88             match v.verify(public_key, message) {
     89                 Ok(v) => {
     90                     return true;
     91                 },
     92                 _ => {},
     93             };
     94         },
     95         _ => {},
     96     };
     97     false
     98 }
     99 
    100 fn check_sig_bundle(public_key: &PublicKey, signature_data: Vec<u8>, mut message: impl Read, message_length: usize) -> bool {
    101     match StandaloneSignature::from_bytes(&signature_data[..]) {
    102         Ok(v) => {
    103             let mut data: Vec<u8> = vec!();
    104             let r = message.read_to_end(&mut data);
    105             match v.verify(public_key, &data) {
    106                 Ok(v) => {
    107                     return true;
    108                 },
    109                 _ => {},
    110             };
    111         },
    112         _ => {},
    113     };
    114     false
    115 }
    116 
    117 /// Verifies the given [auth::AuthSpec](crate::auth::AuthSpec) structure against the `pgp` scheme.
    118 ///
    119 /// The `key` and `signature` fields of the [auth::AuthSpec](crate::auth::AuthSpec) **MUST** be
    120 /// base64 encoded.
    121 ///
    122 /// # Arguments
    123 ///
    124 /// * `auth` - Authentication data submitted by client.
    125 /// * `data` - Content body submitted by client, to match signature against.
    126 /// * `data_length` - Length of content body.
    127 pub fn auth_check(auth: &AuthSpec, data: impl Read, data_length: usize) -> Result<AuthResult, AuthError> {
    128     if auth.method != "pgp" {
    129         return Err(AuthError{});
    130     }
    131 
    132     let key_data = match base64::decode(&auth.key) {
    133         Ok(v) => {
    134             v
    135         },
    136         Err(e) => {
    137             return Err(AuthError{});
    138         }
    139     };
    140 
    141     debug!("signature data {:?}", auth.signature);
    142     let sig_data = match base64::decode(&auth.signature) {
    143         Ok(v) => {
    144             v
    145         },
    146         Err(e) => {
    147             return Err(AuthError{});
    148         }
    149     };
    150 
    151     
    152     let key = match check_key_single(&key_data) {
    153         Some(v) => {
    154             debug!("using public key (raw) {:?}", v.key_id());
    155             if !check_sig_single(&v, sig_data, data, data_length) {
    156                 error!("invalid raw signature for {:?}", hex::encode(&v.fingerprint()));
    157                 return Err(AuthError{});
    158             }
    159             debug!("found valid raw key {:?}", hex::encode(&v.fingerprint()));
    160             v
    161         },
    162         None => {
    163             let key = match check_key_bundle(&key_data) {
    164                 Some(v) => {
    165                     debug!("using public key (bundle) {:?}", v.key_id());
    166                     if !check_sig_bundle(&v, sig_data, data, data_length) {
    167                         error!("invalid bundle signature for {:?}", hex::encode(&v.fingerprint()));
    168                         return Err(AuthError{});
    169                     }
    170                     debug!("found valid key bundle {:?}", hex::encode(&v.fingerprint()));
    171                     v
    172                 },
    173                 None => {
    174                     return Err(AuthError{});
    175                 },
    176             };
    177             key
    178         },
    179     };
    180 
    181 
    182     let res = AuthResult {
    183         identity: key.fingerprint(),
    184         error: false,
    185     };
    186     Ok(res)
    187 }
    188 
    189 #[cfg(test)]
    190 mod tests { 
    191 
    192     use super::auth_check;
    193     use super::AuthSpec;
    194     use std::str::FromStr;
    195     use super::{
    196         check_key_bundle,
    197         check_key_single,
    198         check_sig_single,
    199         check_sig_bundle,
    200     };
    201 
    202 
    203     #[test]
    204     fn test_pgp_single() {
    205         let key_single_hex = "0462a9f5a916092b06010401da470f0101074061f06baae76d5115553019e50353890e498652fac873d78003e9e192dd9f3e13";
    206         let sig_foo_single_hex = "0401160a0006050262a9f5a9002109108b21a9d88b4a0c7f1621044ab95b491980f89789ae8fde8b21a9d88b4a0c7f2aba0100b7b06c424cdb67bba97463d2eb3035ead329f62c92fb6100b629df003748131200fd17e8b6dc866aa1662b93a17ff599334002de273b800fc7160634516187b41407";
    207 
    208         let key_single = hex::decode(&key_single_hex).unwrap();
    209         let key_single_base64 = base64::encode(&key_single);
    210 
    211         let sig_foo_single = hex::decode(&sig_foo_single_hex).unwrap();
    212         let sig_foo_single_base64 = base64::encode(&sig_foo_single);
    213 
    214         let auth_spec_str = format!("PUBSIG pgp:{}:{}", key_single_base64, sig_foo_single_base64);
    215         let auth_spec = AuthSpec::from_str(&auth_spec_str).unwrap();
    216 
    217         let data = b"foo";
    218         let r = match check_key_single(&key_single) {
    219             Some(v) => {
    220                 if !check_sig_single(&v, sig_foo_single, &data[..], 0) {
    221                     panic!("invalid");
    222                 }
    223             },
    224             None => {
    225                 panic!("no public key");
    226             },
    227         };
    228 
    229     }
    230 
    231  
    232     #[test]
    233     fn test_pgp_bundle() {
    234         let key_bundle_hex = "99018d045fa148e8010c00a990f4048c00e39d0b63980b1d3d8a71e4df8e3090588f50c0a0862c0ed57abdb701250b7de0e9b7c65ed1061bfd9b6a0b8333ec891c230841515b2352bb4054a790858dc5df9b44b82b67a0c787ab1674e74920bd4bab6654dad53445ef49c13ab0a027989ec9357d44c49b848963db50345627586823df8047ef0438d78944ba3f8f4369f92e081439f43ecc5d4fe481d06634cf6704823be3a0faf8956f4801bf05b7d4c3629fa63b37a39f5160ec2b88ae5051480bfeb23edb550c35e5d8754a96f0b52e71c6e6c26bc1311062380725e6797751d0a649f8403992c3b4892b10ffa8a948e75283e8b49e2382945366d4ffce85b52c600c4251f897eb9e05327db3a315411232777bb974a47ee4b6875ac4472d3e87d02c103d2d20d421e8ea26c5349e9c3f0c70c3daebf11befc0ea5815f4bf044e5be0a7c47378e09fd9b1ee88a618cfceedc6f905c2c5e0535f936716e4fa6b4205b9e0b153cb35aad8fca1a45492feca1707443d0f978c1751de9ab90b98eaf43d02e2a2093d567b6b0011010001b41e4d6572204d616e203c6d65726d616e4067726579736b756c6c2e636f6d3e8901d404130108003e162104f3faf668e82ef5124d5187baef26f4682343f69205025fa148e8021b03050903c26700050b0908070206150a09080b020416020301021e01021780000a0910ef26f4682343f692f08b0c0084525b03250ad394c929f0f3f35ef9ecde3bd924ed07cb1faf46aec2646bf19b35bad1d154cd1bfe39234eea38b8936bed85552932a013bfab27ea70866df0953438e0b54b8c1c96022ffb35683713d6f67a59beaa47e09bf45f16ddef92e3b1192c99c8814587efedc2fea20013efafac3b319c2b15a4b450fde0d5519ae5316a83a28dc6877d1ff80f2f1bf8e65bad5dfdd5bc1653269af5a719fb68b1e51731322203596cffcdd50178e064ab37f9340df2fadf5b198dab945da6576e2e711ac28a098c09d60deae7cee98ba9937535779f484a815ba2a4ef211b2e7ef9878ebfe857b02c43c3267e4a1bfea9abddfd26a9c58802744b9ebb038d2057ec22c58277748272329789c4d310532ef27bc199fef1ba8da1bfabc43b1a228e55d5fb82e41abb24741f19320f0fcb0131e832e60e89209c08532eb4dcd5285b90eb50df23638f214aec10e9aa86ec25a97a77c4a96e171c5092dea5a4a6b24d02809b138e1025e84c17d046204e8de43f97d272aadb0fc57041a4fc09c138ac2578b9018d045fa148e8010c00c7b694d3d64e31fba14de4e794469280688b283c7821909da56fac969844826be0da47a19700a95b7742fd50c7172ea9da0a7e12a59bdb7fc84fe1f251816751979b9537fae6c956d92d456333c35c55d15122b4ec372bb898b066c9d737880ffdd2c09310e8fd7bb0d2bf12e698b163a70339c572ddeb3d25ebef46fb0a0d980457552dd5fd1af2167b72282dc04c2a95949a10046e394e3da0308ba7a5a7532575a6762a28a1e196dec2de52fe4c33df26481e128ca46526a18f363c7994ee8c9896d979767f2ff68ee84b175100f687cd96a61965e2ba466163e21d3098a99622a8d62be84df1529cdcbd6569dee09854958fe83b35d7ba7b068c8a573d34cb10bd95e745ddea6992d656a85568c02322850137ebbe8bdc30d366c9c97f5ffcc4a521e54d8c8f7941be396f08408a8b4d2aa3c6f59a7fce9254232794f85b34eb1fa5feff3a5ecfc6649ad70e6b21dd50a0ffeb8ae867d7576d71bf869e40f945a3f2849560a83640d03002767e6a2676295444fd8eb50c280583a09cc7f700110100018901bc041801080026162104f3faf668e82ef5124d5187baef26f4682343f69205025fa148e8021b0c050903c26700000a0910ef26f4682343f69220f70bff78ea2f60364a60beb3404ee2f30f11f0a96b6819fefa356b3ce3522799bb95a12316f98a4d15e93ef9116e45d0e7998fda97234ea05be20cf3e0ba226520691de5e3b52306204fabeb8a3bd42e4ff9ceb5b4acd9d5e84cd08b31037b325add5018b1fa59ea6591920e087a9ffb95c80630f12878737ff7b611d4891ef1cd5286c402834fc2e8563847b214f362e42af0caa57efc1523878448b6abc90f98fa3e7e54b0f348b80f0279c8a85fee8b62508de7c9c66fd52e860d68f00676aa33feefd1d139b3f786d951f2e3810683a14a67c58cb02b624695fde63d9dcf3568f1273b904c5e467b96f3fd3ca59d1608c814fb283ee868a1ceeb67e10db60f2787fde2264de01ea79d301e3f7e3314396451b5f8007b9d5d4edbbf14f939493dc7d736b63ef1c3140768486adbe26c616d04570dbb44b85bca69c17cb8d555492d345d27406bd4d93128730e29af66640c74244a795b35ae24ba394bed5cdba67120c8e9a2e5eafd19a22e5525400e8bc1bbea73fcebf5cbfde351ef2167f2a579";
    235         let sig_foo_bundle_hex = "8901b304000108001d162104f3faf668e82ef5124d5187baef26f4682343f692050262b426d7000a0910ef26f4682343f6922fc50bff526ff1fb6de59bd022f4f71389b7d429040fcf4f3c6889b015de95dd1562b9ff197c7cb24040370c7a68c08c0b2430e034456f71a0c3b1c8c4bfacf6dd37e3d3305563b59c157c015d33a360395daefd9f4cd9370fd3e75c201d491a2008bead964f31955cd9bd3b09ef3647d4b92188fedcabbbfdefdb70a5c345c4f94ad1cacfe10b12782731d49ef516d2223dc2e01c4dedaffa558794339ee866244f7bcf4e2daeffb1d2501dd969837163e8eebc9b58fa0d6e75e6e119753c9bd7b621ef4a73f1953bd2ab69e8241d17ae5dcb900cf6f9575d2038152769dece1baf446cd1adcfb6e742ed0980519de3ca4c7360ef70e4cf38cafb504d5b04144fae0786e8d8c65c5c1475ca723bbbb5fed2416f10f0fd82a4e2bd6c5590e8f018c85941f63dd4ca5f3784760facca9a5c68a01b5ddde25887a492475ae611bfbb359a281b0052c1674d1cf6646f84b75293f1820bb5cf5a2a029e02b7c54177fb92e1184b14b646a80d37da28c9715aad37f9609d7c866881a2efe51e931cccc38d438f";
    236 
    237         let key_bundle = hex::decode(&key_bundle_hex).unwrap();
    238         let key_bundle_base64 = base64::encode(&key_bundle);
    239 
    240         let sig_foo_bundle = hex::decode(&sig_foo_bundle_hex).unwrap();
    241         let sig_foo_bundle_base64 = base64::encode(&sig_foo_bundle);
    242 
    243         let data = b"foo";
    244 
    245         let r = match check_key_bundle(&key_bundle) {
    246             Some(v) => {
    247                 if !check_sig_bundle(&v, sig_foo_bundle, &data[..], 0) {
    248                     panic!("invalid");
    249                 }
    250             },
    251             None => {
    252                 panic!("no public key");
    253             },
    254         };
    255     }
    256 
    257 
    258     #[test]
    259     fn test_pgp_auth_single() {
    260         let key_single_hex = "0462a9f5a916092b06010401da470f0101074061f06baae76d5115553019e50353890e498652fac873d78003e9e192dd9f3e13";
    261         let sig_foo_single_hex = "0401160a0006050262a9f5a9002109108b21a9d88b4a0c7f1621044ab95b491980f89789ae8fde8b21a9d88b4a0c7f2aba0100b7b06c424cdb67bba97463d2eb3035ead329f62c92fb6100b629df003748131200fd17e8b6dc866aa1662b93a17ff599334002de273b800fc7160634516187b41407";
    262 
    263         let key_single = hex::decode(&key_single_hex).unwrap();
    264         let key_single_base64 = base64::encode(&key_single);
    265 
    266         let sig_foo_single = hex::decode(&sig_foo_single_hex).unwrap();
    267         let sig_foo_single_base64 = base64::encode(&sig_foo_single);
    268 
    269         let auth_spec_str = format!("PUBSIG pgp:{}:{}", key_single_base64, sig_foo_single_base64);
    270         let auth_spec = AuthSpec::from_str(&auth_spec_str).unwrap();
    271 
    272         let data = b"foo";
    273 
    274         match auth_check(&auth_spec, &data[..], 0) {
    275             Ok(v) => {
    276             },
    277             Err(e) => {
    278                 panic!("{}", e);
    279             },
    280         }
    281     }
    282 
    283     #[test]
    284     fn test_pgp_auth_bundle() {
    285         let key_bundle_hex = "99018d045fa148e8010c00a990f4048c00e39d0b63980b1d3d8a71e4df8e3090588f50c0a0862c0ed57abdb701250b7de0e9b7c65ed1061bfd9b6a0b8333ec891c230841515b2352bb4054a790858dc5df9b44b82b67a0c787ab1674e74920bd4bab6654dad53445ef49c13ab0a027989ec9357d44c49b848963db50345627586823df8047ef0438d78944ba3f8f4369f92e081439f43ecc5d4fe481d06634cf6704823be3a0faf8956f4801bf05b7d4c3629fa63b37a39f5160ec2b88ae5051480bfeb23edb550c35e5d8754a96f0b52e71c6e6c26bc1311062380725e6797751d0a649f8403992c3b4892b10ffa8a948e75283e8b49e2382945366d4ffce85b52c600c4251f897eb9e05327db3a315411232777bb974a47ee4b6875ac4472d3e87d02c103d2d20d421e8ea26c5349e9c3f0c70c3daebf11befc0ea5815f4bf044e5be0a7c47378e09fd9b1ee88a618cfceedc6f905c2c5e0535f936716e4fa6b4205b9e0b153cb35aad8fca1a45492feca1707443d0f978c1751de9ab90b98eaf43d02e2a2093d567b6b0011010001b41e4d6572204d616e203c6d65726d616e4067726579736b756c6c2e636f6d3e8901d404130108003e162104f3faf668e82ef5124d5187baef26f4682343f69205025fa148e8021b03050903c26700050b0908070206150a09080b020416020301021e01021780000a0910ef26f4682343f692f08b0c0084525b03250ad394c929f0f3f35ef9ecde3bd924ed07cb1faf46aec2646bf19b35bad1d154cd1bfe39234eea38b8936bed85552932a013bfab27ea70866df0953438e0b54b8c1c96022ffb35683713d6f67a59beaa47e09bf45f16ddef92e3b1192c99c8814587efedc2fea20013efafac3b319c2b15a4b450fde0d5519ae5316a83a28dc6877d1ff80f2f1bf8e65bad5dfdd5bc1653269af5a719fb68b1e51731322203596cffcdd50178e064ab37f9340df2fadf5b198dab945da6576e2e711ac28a098c09d60deae7cee98ba9937535779f484a815ba2a4ef211b2e7ef9878ebfe857b02c43c3267e4a1bfea9abddfd26a9c58802744b9ebb038d2057ec22c58277748272329789c4d310532ef27bc199fef1ba8da1bfabc43b1a228e55d5fb82e41abb24741f19320f0fcb0131e832e60e89209c08532eb4dcd5285b90eb50df23638f214aec10e9aa86ec25a97a77c4a96e171c5092dea5a4a6b24d02809b138e1025e84c17d046204e8de43f97d272aadb0fc57041a4fc09c138ac2578b9018d045fa148e8010c00c7b694d3d64e31fba14de4e794469280688b283c7821909da56fac969844826be0da47a19700a95b7742fd50c7172ea9da0a7e12a59bdb7fc84fe1f251816751979b9537fae6c956d92d456333c35c55d15122b4ec372bb898b066c9d737880ffdd2c09310e8fd7bb0d2bf12e698b163a70339c572ddeb3d25ebef46fb0a0d980457552dd5fd1af2167b72282dc04c2a95949a10046e394e3da0308ba7a5a7532575a6762a28a1e196dec2de52fe4c33df26481e128ca46526a18f363c7994ee8c9896d979767f2ff68ee84b175100f687cd96a61965e2ba466163e21d3098a99622a8d62be84df1529cdcbd6569dee09854958fe83b35d7ba7b068c8a573d34cb10bd95e745ddea6992d656a85568c02322850137ebbe8bdc30d366c9c97f5ffcc4a521e54d8c8f7941be396f08408a8b4d2aa3c6f59a7fce9254232794f85b34eb1fa5feff3a5ecfc6649ad70e6b21dd50a0ffeb8ae867d7576d71bf869e40f945a3f2849560a83640d03002767e6a2676295444fd8eb50c280583a09cc7f700110100018901bc041801080026162104f3faf668e82ef5124d5187baef26f4682343f69205025fa148e8021b0c050903c26700000a0910ef26f4682343f69220f70bff78ea2f60364a60beb3404ee2f30f11f0a96b6819fefa356b3ce3522799bb95a12316f98a4d15e93ef9116e45d0e7998fda97234ea05be20cf3e0ba226520691de5e3b52306204fabeb8a3bd42e4ff9ceb5b4acd9d5e84cd08b31037b325add5018b1fa59ea6591920e087a9ffb95c80630f12878737ff7b611d4891ef1cd5286c402834fc2e8563847b214f362e42af0caa57efc1523878448b6abc90f98fa3e7e54b0f348b80f0279c8a85fee8b62508de7c9c66fd52e860d68f00676aa33feefd1d139b3f786d951f2e3810683a14a67c58cb02b624695fde63d9dcf3568f1273b904c5e467b96f3fd3ca59d1608c814fb283ee868a1ceeb67e10db60f2787fde2264de01ea79d301e3f7e3314396451b5f8007b9d5d4edbbf14f939493dc7d736b63ef1c3140768486adbe26c616d04570dbb44b85bca69c17cb8d555492d345d27406bd4d93128730e29af66640c74244a795b35ae24ba394bed5cdba67120c8e9a2e5eafd19a22e5525400e8bc1bbea73fcebf5cbfde351ef2167f2a579";
    286         let sig_foo_bundle_hex = "8901b304000108001d162104f3faf668e82ef5124d5187baef26f4682343f692050262b426d7000a0910ef26f4682343f6922fc50bff526ff1fb6de59bd022f4f71389b7d429040fcf4f3c6889b015de95dd1562b9ff197c7cb24040370c7a68c08c0b2430e034456f71a0c3b1c8c4bfacf6dd37e3d3305563b59c157c015d33a360395daefd9f4cd9370fd3e75c201d491a2008bead964f31955cd9bd3b09ef3647d4b92188fedcabbbfdefdb70a5c345c4f94ad1cacfe10b12782731d49ef516d2223dc2e01c4dedaffa558794339ee866244f7bcf4e2daeffb1d2501dd969837163e8eebc9b58fa0d6e75e6e119753c9bd7b621ef4a73f1953bd2ab69e8241d17ae5dcb900cf6f9575d2038152769dece1baf446cd1adcfb6e742ed0980519de3ca4c7360ef70e4cf38cafb504d5b04144fae0786e8d8c65c5c1475ca723bbbb5fed2416f10f0fd82a4e2bd6c5590e8f018c85941f63dd4ca5f3784760facca9a5c68a01b5ddde25887a492475ae611bfbb359a281b0052c1674d1cf6646f84b75293f1820bb5cf5a2a029e02b7c54177fb92e1184b14b646a80d37da28c9715aad37f9609d7c866881a2efe51e931cccc38d438f";
    287 
    288         let key_bundle = hex::decode(&key_bundle_hex).unwrap();
    289         let key_bundle_base64 = base64::encode(&key_bundle);
    290 
    291         let sig_foo_bundle = hex::decode(&sig_foo_bundle_hex).unwrap();
    292         let sig_foo_bundle_base64 = base64::encode(&sig_foo_bundle);
    293 
    294         let auth_spec_str = format!("PUBSIG pgp:{}:{}", key_bundle_base64, sig_foo_bundle_base64);
    295         let auth_spec = AuthSpec::from_str(&auth_spec_str).unwrap();
    296 
    297         let data = b"foo";
    298 
    299         match auth_check(&auth_spec, &data[..], 0) {
    300             Ok(v) => {
    301             },
    302             Err(e) => {
    303                 panic!("{}", e);
    304             },
    305         }
    306     }
    307 }