0x2620/openmedialibrary
1
0
Fork 0
Code Issues 131 Pull requests Releases Wiki Activity

sign release with OpenSSL.crypto.sign (last remaining use of ed25519)

Browse source
This commit is contained in:
j 2016-01-18 19:36:21 +05:30
parent 5a920ca053
commit 14b2c99ab3
5 changed files with 67 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
oml/commands.py
View file

@ -133,10 +133,13 @@ def command_release(*args):
Release new version
"""
print('checking...')
import os
import json
import hashlib
import base64
import ed25519
import hashlib
import json
import OpenSSL.crypto
from OpenSSL.crypto import load_privatekey, FILETYPE_PEM
import os
release_name = args[0] if args else 'release'
@ -144,14 +147,24 @@ def command_release(*args):
with open(os.path.expanduser('~/.openmedialibrary_release.key'), 'rb') as fd:
SIG_KEY=ed25519.SigningKey(fd.read())
SIG_ENCODING='base64'
with open(os.path.expanduser('~/.openmedialibrary_tls_release.key'), 'rb') as fd:
tls_key = load_privatekey(FILETYPE_PEM, fd.read())
def sign(release):
value = []
for module in sorted(release['modules']):
value += ['%s/%s' % (release['modules'][module]['version'], release['modules'][module]['sha1'])]
value = '\n'.join(value)
sig = SIG_KEY.sign(value.encode(), encoding=SIG_ENCODING).decode()
value = '\n'.join(value).encode()
sig = SIG_KEY.sign(value, encoding=SIG_ENCODING).decode()
release['signature'] = sig
digest = 'sha1'
tls_sig = OpenSSL.crypto.sign(tls_key, value, digest)
release['signature_%s'%digest] = base64.b64encode(tls_sig).decode()
import update
if not update.verify(release):
print('verifiying signature failed!')
return False
return True
def sha1sum(path):
h = hashlib.sha1()
@ -188,7 +201,7 @@ def command_release(*args):
'version': VERSIONS[module],
'sha1': sha1sum(join('updates', '%s-%s.tar.bz2' % (module, VERSIONS[module])))
} for module in MODULES}
sign(release)
if sign(release):
with open('updates/%s.json' % release_name, 'w') as fd:
json.dump(release, fd, indent=2, sort_keys=True)
print('signed latest release in updates/%s.json' % release_name)

4
oml/nodes.py
View file

@ -14,14 +14,12 @@ import os
import time
import ox
import ed25519
from tornado.ioloop import PeriodicCallback
import settings
import user.models
from changelog import Changelog
import directory
from websocket import trigger_event
from localnodes import LocalNodes
from tor_request import get_opener
@ -126,6 +124,8 @@ class Node(Thread):
def migrate_id(self):
import directory
import ed25519
key = self.user_id.encode()
vk = ed25519.VerifyingKey(key, encoding=ENCODING)
try:

18
oml/settings.py
View file

@ -3,7 +3,6 @@
import json
import os
import ed25519
from oml.pdict import pdict
from oml.utils import get_user_id
@ -60,6 +59,7 @@ for key in server_defaults:
release = pdict(os.path.join(data_path, 'release.json'))
if os.path.exists(key_path):
import ed25519
with open(key_path, 'rb') as fd:
sk = ed25519.SigningKey(fd.read())
vk = sk.get_verifying_key()
@ -72,6 +72,22 @@ else:
USER_ID = get_user_id(ssl_key_path, ssl_cert_path)
OML_UPDATE_KEY='K55EZpPYbP3X+3mA66cztlw1sSaUMqGwfTDKQyP2qOU'
OML_UPDATE_CERT='''-----BEGIN CERTIFICATE-----
MIICgzCCAeygAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBqc2pt
Z2J4ZjJvZGN6NGNxMB4XDTE1MTEyMzIwMzY1NFoXDTE1MTEyNDIwMzY1NFowGzEZ
MBcGA1UEAwwQanNqbWdieGYyb2RjejRjcTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAuUGGJPqtGaunUSWnnW6FO9WtMZUQkhjewlvZqFE8uQVcgeXVVmarpwjc
E/xFPYtDF5083jJs0UfCcJLpvWT5Y4pW8OCMmQl2JCxBiWsPTIYFtEizPbiZtMBs
xlEBmZRyB1mO/jSZ2ECmKf6yn2CJ4lY67Jlxy5/I963GZ9ZcHdECAwEAAaOB1jCB
0zASBgNVHRMBAf8ECDAGAQH/AgEAMBQGCWCGSAGG+EIBAQEB/wQEAwICBDB7BgNV
HSUBAf8EcTBvBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMEBggrBgEFBQcD
CAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYKKwYBBAGCNwoD
AwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBMAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU
TJLDBuXThizwUMavAjjcm1mPu74wDQYJKoZIhvcNAQELBQADgYEAEyn9zfdrv7w9
GV47SOE+jJFhrSHsKGf0mKC1JDOJz1l9J1IYSnM7s8BcTBPpum2CJtc6braThH46
qvg7wm/8HUkrHouawZFudwTCGQEuUpe5AEQHGiBkBWiRwR9MIkfqE3aesrhDswb6
vZVVahubX7tZ0O1zUuCpn6E0uzh1aqg=
-----END CERTIFICATE-----'''
if 'modules' in release and 'openmedialibrary' in release['modules']:
MINOR_VERSION = release['modules']['openmedialibrary']['version']

25
oml/update.py
View file

@ -3,6 +3,8 @@
from contextlib import closing
import base64
import hashlib
import json
import os
import tarfile
@ -13,7 +15,7 @@ import subprocess
import sys
import time
import ed25519
import OpenSSL.crypto
import ox
from oxtornado import actions
@ -28,18 +30,33 @@ logger = logging.getLogger(__name__)
ENCODING='base64'
def verify(release):
vk = ed25519.VerifyingKey(settings.OML_UPDATE_KEY, encoding=ENCODING)
verified = False
value = []
for module in sorted(release['modules']):
value += [str('%s/%s' % (release['modules'][module]['version'], release['modules'][module]['sha1']))]
value = '\n'.join(value)
value = value.encode()
for digest in ('sha512', 'sha256', 'sha1'):
if 'signature_%s'%digest in release:
tls_sig = base64.b64decode(release['signature_%s'%digest].encode())
cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, settings.OML_UPDATE_CERT)
try:
OpenSSL.crypto.verify(cert, tls_sig, value, digest)
verified = True
except OpenSSL.crypto.Error:
print('invalid tls signature')
verified = False
break
if 'signature' in release and not verified:
import ed25519
vk = ed25519.VerifyingKey(settings.OML_UPDATE_KEY, encoding=ENCODING)
sig = release['signature'].encode()
try:
vk.verify(sig, value, encoding=ENCODING)
verified = True
except ed25519.BadSignatureError:
return False
return True
verified = False
return verified
def get(url, filename=None):
request = urllib.request.Request(url, headers={

2
oml/utils.py
View file

@ -16,7 +16,6 @@ import subprocess
import base64
import ox
import ed25519
from OpenSSL.crypto import (
load_privatekey, load_certificate,
dump_privatekey, dump_certificate,
@ -123,6 +122,7 @@ def valid(key, value, sig):
'''
validate that value was signed by key
'''
import ed25519
if isinstance(sig, str):
sig = sig.encode()
if isinstance(value, str):