From 0a11cb0cb7953facd6393e0f5189164f112ade1c Mon Sep 17 00:00:00 2001 From: Linus Nordberg Date: Mon, 28 Mar 2022 15:45:33 +0200 Subject: sign using SSHSIG; add test using ssh-keygen -Y sign --- cmd/sigsum/cmd.go | 23 ++++++++++--------- cmd/sigsum/test/keys/ssh | 7 ++++++ cmd/sigsum/test/keys/ssh.pub | 1 + cmd/sigsum/test/ssh.sh | 53 ++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 74 insertions(+), 10 deletions(-) create mode 100755 cmd/sigsum/test/keys/ssh create mode 100644 cmd/sigsum/test/keys/ssh.pub create mode 100755 cmd/sigsum/test/ssh.sh (limited to 'cmd/sigsum') diff --git a/cmd/sigsum/cmd.go b/cmd/sigsum/cmd.go index 01c1223..d882fb9 100644 --- a/cmd/sigsum/cmd.go +++ b/cmd/sigsum/cmd.go @@ -50,7 +50,7 @@ func cmdBundle(args []string, policy policy.Policy, optBundleType, optBundleKey, var reqs []requests.Leaf for _, path := range args { - checksum, err := fileHash(path) + preimage, err := fileHash(path) if err != nil { return fmt.Errorf("bundle: %v", err) } @@ -66,15 +66,18 @@ func cmdBundle(args []string, policy policy.Policy, optBundleType, optBundleKey, } req := requests.Leaf{ - Statement: types.Statement{ - ShardHint: policy.ShardHint(), - Checksum: *checksum, - }, + ShardHint: policy.ShardHint(), + Preimage: *preimage, Signature: *sig, VerificationKey: *pub, DomainHint: optBundleDomainHint, } - if !req.Statement.Verify(&req.VerificationKey, &req.Signature) { + + stmt := types.Statement{ + ShardHint: req.ShardHint, + Checksum: *types.HashFn(req.Preimage[:]), + } + if !stmt.Verify(&req.VerificationKey, &req.Signature) { return fmt.Errorf("bundle: invalid signature for file %q", path) } reqs = append(reqs, req) @@ -99,16 +102,16 @@ func cmdFormat(args []string, policy policy.Policy) error { return fmt.Errorf("format: need exactly one file") } - checksum, err := fileHash(args[0]) + preimage, err := fileHash(args[0]) if err != nil { return fmt.Errorf("format: %v", err) } - stm := types.Statement{ + stmt := types.Statement{ ShardHint: policy.ShardHint(), - Checksum: *checksum, + Checksum: *types.HashFn(preimage[:]), } - fmt.Printf("%s", stm.ToBinary()) + fmt.Printf("%s", stmt.ToBinary()) return nil } diff --git a/cmd/sigsum/test/keys/ssh b/cmd/sigsum/test/keys/ssh new file mode 100755 index 0000000..2bbd974 --- /dev/null +++ b/cmd/sigsum/test/keys/ssh @@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACC/0wdPezO/W1upVq2RduQ/ieEHn0r6LgwkXEINfJ52fQAAAJCRqZKpkamS +qQAAAAtzc2gtZWQyNTUxOQAAACC/0wdPezO/W1upVq2RduQ/ieEHn0r6LgwkXEINfJ52fQ +AAAEClIbTUqSPBTrfD9MCpwTF1Fwit4NXU2ci3R57uq4Aic7/TB097M79bW6lWrZF25D+J +4QefSvouDCRcQg18nnZ9AAAACmxpbnVzQGJlc2sBAgM= +-----END OPENSSH PRIVATE KEY----- diff --git a/cmd/sigsum/test/keys/ssh.pub b/cmd/sigsum/test/keys/ssh.pub new file mode 100644 index 0000000..14588ac --- /dev/null +++ b/cmd/sigsum/test/keys/ssh.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL/TB097M79bW6lWrZF25D+J4QefSvouDCRcQg18nnZ9 linus@besk diff --git a/cmd/sigsum/test/ssh.sh b/cmd/sigsum/test/ssh.sh new file mode 100755 index 0000000..56cae70 --- /dev/null +++ b/cmd/sigsum/test/ssh.sh @@ -0,0 +1,53 @@ +#!/bin/bash + +set -eu +trap cleanup EXIT + +priv=keys/ssh +pub=keys/ssh.pub +domain_hint=_sigsum_v0.ssh.test.sigsum.org +msg=msg-$(date +%s) +num_msg=3 + +function cleanup() { + set +e + + rm -f sigsum + for i in $(seq 1 $num_msg); do + rm -f $msg-$i{,.trunnel,.sig} + done + + exit +} + +go build ../ + +files="" +for i in $(seq 1 $num_msg); do + echo $msg-$i > $msg-$i + if ! openssl dgst -binary $msg-$i | ssh-keygen \ + -Y sign \ + -O hashalg=sha256 \ + -f $priv \ + -n $(./sigsum namespace) > $msg-$i.sig ; then + echo "[FAIL] sign for $num_msg ssh message(s)" >&2 + exit 1 + fi + files=$(echo -n $files $msg-$i) +done + +echo "[PASS] sign for $num_msg ssh message(s)" >&2 + +if ! ./sigsum bundle -t ssh -k $pub -d $domain_hint $files; then + echo "[FAIL] bundle for $num_msg ssh message(s)" >&2 + exit 1 +fi + +echo "[PASS] bundle for $num_msg ssh message(s)" >&2 + +if ! ./sigsum verify -t ssh -k $pub $files; then + echo "[FAIL] verify for $num_msg ssh message(s)" >&2 + exit 1 +fi + +echo "[PASS] verify for $num_msg ssh message(s)" >&2 -- cgit v1.2.3