aboutsummaryrefslogtreecommitdiff
path: root/cmd/sigsum
diff options
context:
space:
mode:
Diffstat (limited to 'cmd/sigsum')
-rw-r--r--cmd/sigsum/cmd.go23
-rw-r--r--cmd/sigsum/test/keys/ssh7
-rw-r--r--cmd/sigsum/test/keys/ssh.pub1
-rwxr-xr-xcmd/sigsum/test/ssh.sh53
4 files changed, 74 insertions, 10 deletions
diff --git a/cmd/sigsum/cmd.go b/cmd/sigsum/cmd.go
index 01c1223..c57d9e3 100644
--- a/cmd/sigsum/cmd.go
+++ b/cmd/sigsum/cmd.go
@@ -50,7 +50,7 @@ func cmdBundle(args []string, policy policy.Policy, optBundleType, optBundleKey,
var reqs []requests.Leaf
for _, path := range args {
- checksum, err := fileHash(path)
+ preimage, err := fileHash(path)
if err != nil {
return fmt.Errorf("bundle: %v", err)
}
@@ -66,15 +66,18 @@ func cmdBundle(args []string, policy policy.Policy, optBundleType, optBundleKey,
}
req := requests.Leaf{
- Statement: types.Statement{
- ShardHint: policy.ShardHint(),
- Checksum: *checksum,
- },
+ ShardHint: policy.ShardHint(),
+ Preimage: *preimage,
Signature: *sig,
VerificationKey: *pub,
DomainHint: optBundleDomainHint,
}
- if !req.Statement.Verify(&req.VerificationKey, &req.Signature) {
+
+ sd := types.Statement{
+ ShardHint: req.ShardHint,
+ Checksum: *types.HashFn(req.Preimage[:]),
+ }
+ if !sd.Verify(&req.VerificationKey, &req.Signature) {
return fmt.Errorf("bundle: invalid signature for file %q", path)
}
reqs = append(reqs, req)
@@ -99,16 +102,16 @@ func cmdFormat(args []string, policy policy.Policy) error {
return fmt.Errorf("format: need exactly one file")
}
- checksum, err := fileHash(args[0])
+ preimage, err := fileHash(args[0])
if err != nil {
return fmt.Errorf("format: %v", err)
}
- stm := types.Statement{
+ sd := types.Statement{
ShardHint: policy.ShardHint(),
- Checksum: *checksum,
+ Checksum: *types.HashFn(preimage[:]),
}
- fmt.Printf("%s", stm.ToBinary())
+ fmt.Printf("%s", sd.ToBinary())
return nil
}
diff --git a/cmd/sigsum/test/keys/ssh b/cmd/sigsum/test/keys/ssh
new file mode 100644
index 0000000..2bbd974
--- /dev/null
+++ b/cmd/sigsum/test/keys/ssh
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACC/0wdPezO/W1upVq2RduQ/ieEHn0r6LgwkXEINfJ52fQAAAJCRqZKpkamS
+qQAAAAtzc2gtZWQyNTUxOQAAACC/0wdPezO/W1upVq2RduQ/ieEHn0r6LgwkXEINfJ52fQ
+AAAEClIbTUqSPBTrfD9MCpwTF1Fwit4NXU2ci3R57uq4Aic7/TB097M79bW6lWrZF25D+J
+4QefSvouDCRcQg18nnZ9AAAACmxpbnVzQGJlc2sBAgM=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/cmd/sigsum/test/keys/ssh.pub b/cmd/sigsum/test/keys/ssh.pub
new file mode 100644
index 0000000..14588ac
--- /dev/null
+++ b/cmd/sigsum/test/keys/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL/TB097M79bW6lWrZF25D+J4QefSvouDCRcQg18nnZ9 linus@besk
diff --git a/cmd/sigsum/test/ssh.sh b/cmd/sigsum/test/ssh.sh
new file mode 100755
index 0000000..56cae70
--- /dev/null
+++ b/cmd/sigsum/test/ssh.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+set -eu
+trap cleanup EXIT
+
+priv=keys/ssh
+pub=keys/ssh.pub
+domain_hint=_sigsum_v0.ssh.test.sigsum.org
+msg=msg-$(date +%s)
+num_msg=3
+
+function cleanup() {
+ set +e
+
+ rm -f sigsum
+ for i in $(seq 1 $num_msg); do
+ rm -f $msg-$i{,.trunnel,.sig}
+ done
+
+ exit
+}
+
+go build ../
+
+files=""
+for i in $(seq 1 $num_msg); do
+ echo $msg-$i > $msg-$i
+ if ! openssl dgst -binary $msg-$i | ssh-keygen \
+ -Y sign \
+ -O hashalg=sha256 \
+ -f $priv \
+ -n $(./sigsum namespace) > $msg-$i.sig ; then
+ echo "[FAIL] sign for $num_msg ssh message(s)" >&2
+ exit 1
+ fi
+ files=$(echo -n $files $msg-$i)
+done
+
+echo "[PASS] sign for $num_msg ssh message(s)" >&2
+
+if ! ./sigsum bundle -t ssh -k $pub -d $domain_hint $files; then
+ echo "[FAIL] bundle for $num_msg ssh message(s)" >&2
+ exit 1
+fi
+
+echo "[PASS] bundle for $num_msg ssh message(s)" >&2
+
+if ! ./sigsum verify -t ssh -k $pub $files; then
+ echo "[FAIL] verify for $num_msg ssh message(s)" >&2
+ exit 1
+fi
+
+echo "[PASS] verify for $num_msg ssh message(s)" >&2