refactor: Block usage of minisign on tape

This commit is contained in:
Felicitas Pojtinger
2021-12-05 22:44:56 +01:00
parent 0ed32dcc2c
commit bbfde631a9
7 changed files with 46 additions and 21 deletions


@@ -68,6 +68,8 @@ var (
errCompressionFormatRequiresLargerRecordSize = errors.New("this compression format requires a larger record size")
errCompressionFormatOnlyRegularSupport = errors.New("this compression format only supports regular files, not i.e. tape drives")
errSignatureFormatOnlyRegularSupport = errors.New("this signature format only supports regular files, not i.e. tape drives")
)
var archiveCmd = &cobra.Command{
@@ -166,7 +168,7 @@ var archiveCmd = &cobra.Command{
return nil
},
0,
func(hdr *tar.Header) error {
func(hdr *tar.Header, isRegular bool) error {
return nil // We sign above, no need to verify
},
)
@@ -296,7 +298,7 @@ func archive(
return err
}
signer, sign, err := sign(file, signatureFormat, identity)
signer, sign, err := sign(file, isRegular, signatureFormat, identity)
if err != nil {
return err
}
@@ -363,7 +365,7 @@ func archive(
hdrToAppend := *hdr
headers = append(headers, &hdrToAppend)
if err := signHeader(hdr, signatureFormat, identity); err != nil {
if err := signHeader(hdr, isRegular, signatureFormat, identity); err != nil {
return err
}
@@ -502,6 +504,7 @@ func encryptHeader(
func signHeader(
hdr *tar.Header,
isRegular bool,
signatureFormat string,
identity interface{},
) error {
@@ -521,7 +524,7 @@ func signHeader(
}
newHdr.PAXRecords[pax.STFSRecordEmbeddedHeader] = string(wrappedHeader)
newHdr.PAXRecords[pax.STFSRecordSignature], err = signString(newHdr.PAXRecords[pax.STFSRecordEmbeddedHeader], signatureFormat, identity)
newHdr.PAXRecords[pax.STFSRecordSignature], err = signString(newHdr.PAXRecords[pax.STFSRecordEmbeddedHeader], isRegular, signatureFormat, identity)
if err != nil {
return err
}
@@ -627,11 +630,16 @@ func parseSignerIdentity(
func sign(
src io.Reader,
isRegular bool,
signatureFormat string,
identity interface{},
) (io.Reader, func() (string, error), error) {
switch signatureFormat {
case signatureFormatMinisignKey:
if !isRegular {
return nil, nil, errSignatureFormatOnlyRegularSupport
}
identity, ok := identity.(minisign.PrivateKey)
if !ok {
return nil, nil, errIdentityUnparsable
@@ -748,11 +756,16 @@ func encryptString(
func signString(
src string,
isRegular bool,
signatureFormat string,
identity interface{},
) (string, error) {
switch signatureFormat {
case signatureFormatMinisignKey:
if !isRegular {
return "", errSignatureFormatOnlyRegularSupport
}
identity, ok := identity.(minisign.PrivateKey)
if !ok {
return "", errIdentityUnparsable
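Review bot: The minisign-on-tape guard in sign() (the `if !isRegular` under `case signatureFormatMinisignKey`) and the identical one in signString() run on every call, so with a tape target the mismatch is only reported once archive() reaches its first sign()/signHeader() call rather than when the command starts; if any record has already been written to the tape by then (not visible in the hunks), the result is a partially written archive. Checking the combination once, right after the tape writer is opened, fails before any output while the per-call guards remain as a backstop: `if !isRegular && signatureFormat == signatureFormatMinisignKey { return errSignatureFormatOnlyRegularSupport }`. The same duplicated guard shape appears in verify() and verifyString() in the restore section, and the same late-failure pattern applies to the call sites in the delete, move and update sections. The guard also carries no comment saying why minisign cannot be used on a tape drive; a one-line comment above the check naming the reason (the diff does not show it) would help the next reader. archive(), sign() and signString() all start and end outside the hunks.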


@@ -90,7 +90,7 @@ func delete(
identity interface{},
) error {
dirty := false
tw, _, cleanup, err := openTapeWriter(tape, recordSize, false)
tw, isRegular, cleanup, err := openTapeWriter(tape, recordSize, false)
if err != nil {
return err
}
@@ -138,7 +138,7 @@ func delete(
hdr.PAXRecords[pax.STFSRecordVersion] = pax.STFSRecordVersion1
hdr.PAXRecords[pax.STFSRecordAction] = pax.STFSRecordActionDelete
if err := signHeader(hdr, signatureFormat, identity); err != nil {
if err := signHeader(hdr, isRegular, signatureFormat, identity); err != nil {
return err
}


@@ -85,7 +85,7 @@ func move(
identity interface{},
) error {
dirty := false
tw, _, cleanup, err := openTapeWriter(tape, recordSize, false)
tw, isRegular, cleanup, err := openTapeWriter(tape, recordSize, false)
if err != nil {
return err
}
@@ -135,7 +135,7 @@ func move(
hdr.PAXRecords[pax.STFSRecordAction] = pax.STFSRecordActionUpdate
hdr.PAXRecords[pax.STFSRecordReplacesName] = dbhdr.Name
if err := signHeader(hdr, signatureFormat, identity); err != nil {
if err := signHeader(hdr, isRegular, signatureFormat, identity); err != nil {
return err
}


@@ -160,7 +160,7 @@ func restoreFromRecordAndBlock(
return err
}
if err := verifyHeader(hdr, signatureFormat, recipient); err != nil {
if err := verifyHeader(hdr, isRegular, signatureFormat, recipient); err != nil {
return err
}
@@ -218,7 +218,7 @@ func restoreFromRecordAndBlock(
}
}
verifier, verify, err := verify(decompressor, signatureFormat, recipient, signature)
verifier, verify, err := verify(decompressor, isRegular, signatureFormat, recipient, signature)
if err != nil {
return err
}
@@ -326,6 +326,7 @@ func decryptHeader(
func verifyHeader(
hdr *tar.Header,
isRegular bool,
signatureFormat string,
recipient interface{},
) error {
@@ -347,7 +348,7 @@ func verifyHeader(
return errSignatureMissing
}
if err := verifyString(embeddedHeader, signatureFormat, recipient, signature); err != nil {
if err := verifyString(embeddedHeader, isRegular, signatureFormat, recipient, signature); err != nil {
return err
}
@@ -537,12 +538,17 @@ func parseSignerRecipient(
func verify(
src io.Reader,
isRegular bool,
signatureFormat string,
recipient interface{},
signature string,
) (io.Reader, func() error, error) {
switch signatureFormat {
case signatureFormatMinisignKey:
if !isRegular {
return nil, nil, errSignatureFormatOnlyRegularSupport
}
recipient, ok := recipient.(minisign.PublicKey)
if !ok {
return nil, nil, errRecipientUnparsable
@@ -606,12 +612,17 @@ func verify(
func verifyString(
src string,
isRegular bool,
signatureFormat string,
recipient interface{},
signature string,
) error {
switch signatureFormat {
case signatureFormatMinisignKey:
if !isRegular {
return errSignatureFormatOnlyRegularSupport
}
recipient, ok := recipient.(minisign.PublicKey)
if !ok {
return errRecipientUnparsable
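Review bot: verify() and verifyString() now refuse minisign on non-regular targets with the same sentinel used on the signing side, which fails closed (restoreFromRecordAndBlock() returns on the error at both its verifyHeader and verify calls), but it also means a tape that already carries minisign signatures — if earlier releases allowed writing one — can no longer be verified from the tape device at all, only after copying it to a regular file. If that is intended, state it in a doc comment on errSignatureFormatOnlyRegularSupport or in the signature flag help; if not, the guard belongs on the sign side only and the verify side should keep accepting minisign. The query section's verifyHeader call sites inherit the same behaviour. verify(), verifyString() and restoreFromRecordAndBlock() continue outside the hunks.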


@@ -79,8 +79,8 @@ var recoveryIndexCmd = &cobra.Command{
return decryptHeader(hdr, viper.GetString(encryptionFlag), identity)
},
0,
func(hdr *tar.Header) error {
return verifyHeader(hdr, viper.GetString(signatureFlag), recipient)
func(hdr *tar.Header, isRegular bool) error {
return verifyHeader(hdr, isRegular, viper.GetString(signatureFlag), recipient)
},
)
},
@@ -102,6 +102,7 @@ func index(
offset int,
verifyHeader func(
hdr *tar.Header,
isRegular bool,
) error,
) error {
if overwrite {
@@ -196,7 +197,7 @@ func index(
return err
}
if err := verifyHeader(hdr); err != nil {
if err := verifyHeader(hdr, isRegular); err != nil {
return err
}
@@ -282,7 +283,7 @@ func index(
return err
}
if err := verifyHeader(hdr); err != nil {
if err := verifyHeader(hdr, isRegular); err != nil {
return err
}


@@ -151,7 +151,7 @@ func query(
return err
}
if err := verifyHeader(hdr, signatureFormat, recipient); err != nil {
if err := verifyHeader(hdr, isRegular, signatureFormat, recipient); err != nil {
return err
}
@@ -238,7 +238,7 @@ func query(
return err
}
if err := verifyHeader(hdr, signatureFormat, recipient); err != nil {
if err := verifyHeader(hdr, isRegular, signatureFormat, recipient); err != nil {
return err
}


@@ -114,7 +114,7 @@ var updateCmd = &cobra.Command{
return nil
},
1,
func(hdr *tar.Header) error {
func(hdr *tar.Header, isRegular bool) error {
return nil // We sign above, no need to verify
},
)
@@ -198,7 +198,7 @@ func update(
return err
}
signer, sign, err := sign(file, signatureFormat, identity)
signer, sign, err := sign(file, isRegular, signatureFormat, identity)
if err != nil {
return err
}
@@ -268,7 +268,7 @@ func update(
hdrToAppend := *hdr
headers = append(headers, &hdrToAppend)
if err := signHeader(hdr, signatureFormat, identity); err != nil {
if err := signHeader(hdr, isRegular, signatureFormat, identity); err != nil {
return err
}
@@ -342,7 +342,7 @@ func update(
hdrToAppend := *hdr
headers = append(headers, &hdrToAppend)
if err := signHeader(hdr, signatureFormat, identity); err != nil {
if err := signHeader(hdr, isRegular, signatureFormat, identity); err != nil {
return err
}