// Given a control.Marshal'able object, encode it to the blobstore, while // also clearsigning the data. func (a Archive) encodeClearsigned(data interface{}) (*blobstore.Object, error) { if a.signingKey == nil { return nil, fmt.Errorf("No signing key loaded") } fd, err := a.Store.Create() if err != nil { return nil, err } defer fd.Close() wc, err := clearsign.Encode(fd, a.signingKey.PrivateKey, &packet.Config{ DefaultHash: crypto.SHA512, }) if err != nil { return nil, err } encoder, err := control.NewEncoder(wc) if err != nil { return nil, err } if err := encoder.Encode(data); err != nil { return nil, err } if err := wc.Close(); err != nil { return nil, err } return a.Store.Commit(*fd) }
// ClearSign signs a chart with the given key. // // This takes the path to a chart archive file and a key, and it returns a clear signature. // // The Signatory must have a valid Entity.PrivateKey for this to work. If it does // not, an error will be returned. func (s *Signatory) ClearSign(chartpath string) (string, error) { if s.Entity == nil { return "", errors.New("private key not found") } else if s.Entity.PrivateKey == nil { return "", errors.New("provided key is not a private key") } if fi, err := os.Stat(chartpath); err != nil { return "", err } else if fi.IsDir() { return "", errors.New("cannot sign a directory") } out := bytes.NewBuffer(nil) b, err := messageBlock(chartpath) if err != nil { return "", nil } // Sign the buffer w, err := clearsign.Encode(out, s.Entity.PrivateKey, &defaultPGPConfig) if err != nil { return "", err } _, err = io.Copy(w, b) w.Close() return out.String(), err }
// ClearSign the assertions using the private key and return a clear-signed buffer. // If the private key is encrypted, the passphrase must be supplied to decrypt // the key. func ClearSign(assertions, armoredPrivateKey, passphrase string) ([]byte, error) { keyring, err := openpgp.ReadArmoredKeyRing(bytes.NewBufferString(armoredPrivateKey)) if err != nil { return nil, err } // Decrypt the private key, if it is encrypted privateKey := keyring[0].PrivateKey if privateKey.Encrypted { err = privateKey.Decrypt([]byte(passphrase)) if err != nil { return nil, err } } // Sign the assertions and save the result in the buffer var buf bytes.Buffer plaintext, err := clearsign.Encode(&buf, privateKey, nil) if err != nil { return nil, err } _, err = plaintext.Write([]byte(assertions)) if err != nil { return nil, err } err = plaintext.Close() if err != nil { return nil, err } return buf.Bytes(), nil }
func testSignedManifest(t *testing.T, modify func(*pods.Manifest, *openpgp.Entity)) (*pods.Manifest, *openpgp.Entity) { testManifest := testManifest(t) if fakeSigner == nil { var err error fakeSigner, err = openpgp.ReadEntity(packet.NewReader(bytes.NewReader(fakeEntity))) Assert(t).IsNil(err, "should have read entity") } if modify != nil { modify(testManifest, fakeSigner) } manifestBytes, err := testManifest.Marshal() Assert(t).IsNil(err, "manifest bytes error should have been nil") var buf bytes.Buffer sigWriter, err := clearsign.Encode(&buf, fakeSigner.PrivateKey, nil) Assert(t).IsNil(err, "clearsign Encode error should have been nil") sigWriter.Write(manifestBytes) sigWriter.Close() manifest, err := pods.ManifestFromBytes(buf.Bytes()) Assert(t).IsNil(err, "should have generated manifest from signed bytes") return manifest, fakeSigner }
func testHookListener(t *testing.T) (HookListener, string, <-chan struct{}) { hookPrefix := kp.HOOK_TREE destDir, _ := ioutil.TempDir("", "pods") defer os.RemoveAll(destDir) execDir, err := ioutil.TempDir("", "exec") defer os.RemoveAll(execDir) Assert(t).IsNil(err, "should not have erred creating a tempdir") current, err := user.Current() Assert(t).IsNil(err, "test setup: could not get the current user") builder := manifest.NewBuilder() builder.SetID("users") builder.SetRunAsUser(current.Username) builder.SetLaunchables(map[launch.LaunchableID]launch.LaunchableStanza{ "create": { Location: util.From(runtime.Caller(0)).ExpandPath("hoisted-hello_def456.tar.gz"), LaunchableType: "hoist", LaunchableId: "create", }, }) podManifest := builder.GetManifest() manifestBytes, err := podManifest.Marshal() Assert(t).IsNil(err, "manifest bytes error should have been nil") fakeSigner, err := openpgp.NewEntity("p2", "p2-test", "*****@*****.**", nil) Assert(t).IsNil(err, "NewEntity error should have been nil") var buf bytes.Buffer sigWriter, err := clearsign.Encode(&buf, fakeSigner.PrivateKey, nil) Assert(t).IsNil(err, "clearsign encode error should have been nil") sigWriter.Write(manifestBytes) sigWriter.Close() podManifest, err = manifest.FromBytes(buf.Bytes()) Assert(t).IsNil(err, "should have generated manifest from signed bytes") fakeIntent := fakeStoreWithManifests(kp.ManifestResult{ Manifest: podManifest, }) hookFactory := pods.NewHookFactory(destDir, "testNode") listener := HookListener{ Intent: fakeIntent, HookPrefix: hookPrefix, ExecDir: execDir, HookFactory: hookFactory, Logger: logging.DefaultLogger, authPolicy: auth.FixedKeyringPolicy{openpgp.EntityList{fakeSigner}, nil}, artifactVerifier: auth.NopVerifier(), artifactRegistry: artifact.NewRegistry(nil, uri.DefaultFetcher, osversion.DefaultDetector), } return listener, destDir, fakeIntent.quit }
func encodeCloudYAML(c *gc.C, yaml string) string { // TODO(wallyworld) - move test signing key elsewhere keyring, err := openpgp.ReadArmoredKeyRing(bytes.NewBufferString(sstesting.SignedMetadataPrivateKey)) c.Assert(err, jc.ErrorIsNil) privateKey := keyring[0].PrivateKey err = privateKey.Decrypt([]byte(sstesting.PrivateKeyPassphrase)) c.Assert(err, jc.ErrorIsNil) var buf bytes.Buffer plaintext, err := clearsign.Encode(&buf, privateKey, nil) c.Assert(err, jc.ErrorIsNil) _, err = plaintext.Write([]byte(yaml)) c.Assert(err, jc.ErrorIsNil) err = plaintext.Close() c.Assert(err, jc.ErrorIsNil) return string(buf.Bytes()) }
// it will sign the sha256 hash (or any string) and save it // under the path (signer Path) and uuid as file name func (s *Signer) SignIt(sha256 string, uuid string) { var buf bytes.Buffer w, err := clearsign.Encode(&buf, s.Entity.PrivateKey, nil) if err != nil { log.Fatal(err) } _, _ = w.Write([]byte(sha256)) w.Close() ret := buf.Bytes() f, err := os.Create(filepath.Join(s.Path, uuid)) defer f.Close() if err != nil { log.Fatal(err) } f.WriteString(string(ret[:])) }
func Clearsign(input io.Reader, output io.Writer, key string) error { entity, err := findKey(key) if err != nil { return err } w, err := clearsign.Encode(output, entity.PrivateKey, nil) if err != nil { return err } _, err = io.Copy(w, input) if err != nil { return err } err = w.Close() if err != nil { return err } return nil }
// Encode signs the data returned by the reader and returns an inline signed copy. func Encode(r io.Reader, armoredPrivateKey, passphrase string) ([]byte, error) { keyring, err := openpgp.ReadArmoredKeyRing(bytes.NewBufferString(armoredPrivateKey)) if err != nil { return nil, err } privateKey := keyring[0].PrivateKey if privateKey.Encrypted { err = privateKey.Decrypt([]byte(passphrase)) if err != nil { return nil, err } } var buf bytes.Buffer plaintext, err := clearsign.Encode(&buf, privateKey, nil) if err != nil { return nil, err } metadata, err := ioutil.ReadAll(r) if err != nil { return nil, err } dataToSign := metadata if dataToSign[0] == '\n' { dataToSign = dataToSign[1:] } _, err = plaintext.Write([]byte(dataToSign)) if err != nil { return nil, err } err = plaintext.Close() if err != nil { return nil, err } return buf.Bytes(), nil }
func TestHookPodsInstallAndLinkCorrectly(t *testing.T) { hookPrefix := "hooks" destDir, _ := ioutil.TempDir("", "pods") defer os.RemoveAll(destDir) execDir, err := ioutil.TempDir("", "exec") defer os.RemoveAll(execDir) Assert(t).IsNil(err, "should not have erred creating a tempdir") current, err := user.Current() Assert(t).IsNil(err, "test setup: could not get the current user") manifest := &pods.Manifest{ Id: "users", RunAs: current.Username, LaunchableStanzas: map[string]pods.LaunchableStanza{ "create": pods.LaunchableStanza{ Location: util.From(runtime.Caller(0)).ExpandPath("hoisted-hello_def456.tar.gz"), LaunchableType: "hoist", LaunchableId: "create", }, }, } manifestBytes, err := manifest.OriginalBytes() Assert(t).IsNil(err, "manifest bytes error should have been nil") fakeSigner, err := openpgp.NewEntity("p2", "p2-test", "*****@*****.**", nil) Assert(t).IsNil(err, "NewEntity error should have been nil") var buf bytes.Buffer sigWriter, err := clearsign.Encode(&buf, fakeSigner.PrivateKey, nil) Assert(t).IsNil(err, "clearsign encode error should have been nil") sigWriter.Write(manifestBytes) sigWriter.Close() manifest, err = pods.ManifestFromBytes(buf.Bytes()) Assert(t).IsNil(err, "should have generated manifest from signed bytes") fakeIntent := fakeStoreWithManifests(kp.ManifestResult{ Path: path.Join(hookPrefix, "before_install/users"), Manifest: *manifest, }) listener := HookListener{ Intent: fakeIntent, HookPrefix: hookPrefix, ExecDir: execDir, DestinationDir: destDir, Logger: logging.DefaultLogger, authPolicy: auth.FixedKeyringPolicy{openpgp.EntityList{fakeSigner}, nil}, } errCh := make(chan error, 1) listener.Sync(fakeIntent.quit, errCh) select { case err := <-errCh: Assert(t).IsNil(err, "There should not have been an error in the call to sync") default: } currentAlias := path.Join(destDir, "before_install", "users", "create", "current", "bin", "launch") _, err = os.Stat(currentAlias) Assert(t).IsNil(err, fmt.Sprintf("%s should have been created", currentAlias)) hookFile := path.Join(execDir, "before_install", "users__create__launch") _, err = os.Stat(hookFile) Assert(t).IsNil(err, "should have created the user launch script") }