github.com/hugh712/snapd@v0.0.0-20200910133618-1a99902bd583/asserts/asserts.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2015-2020 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 package asserts 21 22 import ( 23 "bufio" 24 "bytes" 25 "crypto" 26 "fmt" 27 "io" 28 "sort" 29 "strconv" 30 "strings" 31 "unicode/utf8" 32 ) 33 34 type typeFlags int 35 36 const ( 37 noAuthority typeFlags = 1 << iota 38 sequenceForming 39 ) 40 41 // MetaHeaders is a list of headers in assertions which are about the assertion 42 // itself. 43 var MetaHeaders = [...]string{ 44 "type", 45 "format", 46 "authority-id", 47 "revision", 48 "body-length", 49 "sign-key-sha3-384", 50 } 51 52 // AssertionType describes a known assertion type with its name and metadata. 53 type AssertionType struct { 54 // Name of the type. 55 Name string 56 // PrimaryKey holds the names of the headers that constitute the 57 // unique primary key for this assertion type. 58 PrimaryKey []string 59 60 assembler func(assert assertionBase) (Assertion, error) 61 flags typeFlags 62 } 63 64 // MaxSupportedFormat returns the maximum supported format iteration for the type. 65 func (at *AssertionType) MaxSupportedFormat() int { 66 return maxSupportedFormat[at.Name] 67 } 68 69 // SequencingForming returns true if the assertion type has a positive 70 // integer >= 1 as the last component (preferably called "sequence") 71 // of its primary key over which the assertions of the type form 72 // sequences, usually without gaps, one sequence per sequence key (the 73 // primary key prefix omitting the sequence number). 74 // See SequenceMember. 75 func (at *AssertionType) SequenceForming() bool { 76 return at.flags&sequenceForming != 0 77 } 78 79 // Understood assertion types. 80 var ( 81 AccountType = &AssertionType{"account", []string{"account-id"}, assembleAccount, 0} 82 AccountKeyType = &AssertionType{"account-key", []string{"public-key-sha3-384"}, assembleAccountKey, 0} 83 RepairType = &AssertionType{"repair", []string{"brand-id", "repair-id"}, assembleRepair, sequenceForming} 84 ModelType = &AssertionType{"model", []string{"series", "brand-id", "model"}, assembleModel, 0} 85 SerialType = &AssertionType{"serial", []string{"brand-id", "model", "serial"}, assembleSerial, 0} 86 BaseDeclarationType = &AssertionType{"base-declaration", []string{"series"}, assembleBaseDeclaration, 0} 87 SnapDeclarationType = &AssertionType{"snap-declaration", []string{"series", "snap-id"}, assembleSnapDeclaration, 0} 88 SnapBuildType = &AssertionType{"snap-build", []string{"snap-sha3-384"}, assembleSnapBuild, 0} 89 SnapRevisionType = &AssertionType{"snap-revision", []string{"snap-sha3-384"}, assembleSnapRevision, 0} 90 SnapDeveloperType = &AssertionType{"snap-developer", []string{"snap-id", "publisher-id"}, assembleSnapDeveloper, 0} 91 SystemUserType = &AssertionType{"system-user", []string{"brand-id", "email"}, assembleSystemUser, 0} 92 ValidationType = &AssertionType{"validation", []string{"series", "snap-id", "approved-snap-id", "approved-snap-revision"}, assembleValidation, 0} 93 ValidationSetType = &AssertionType{"validation-set", []string{"series", "account-id", "name", "sequence"}, assembleValidationSet, sequenceForming} 94 StoreType = &AssertionType{"store", []string{"store"}, assembleStore, 0} 95 96 // ... 97 ) 98 99 // Assertion types without a definite authority set (on the wire and/or self-signed). 100 var ( 101 DeviceSessionRequestType = &AssertionType{"device-session-request", []string{"brand-id", "model", "serial"}, assembleDeviceSessionRequest, noAuthority} 102 SerialRequestType = &AssertionType{"serial-request", nil, assembleSerialRequest, noAuthority} 103 AccountKeyRequestType = &AssertionType{"account-key-request", []string{"public-key-sha3-384"}, assembleAccountKeyRequest, noAuthority} 104 ) 105 106 var typeRegistry = map[string]*AssertionType{ 107 AccountType.Name: AccountType, 108 AccountKeyType.Name: AccountKeyType, 109 ModelType.Name: ModelType, 110 SerialType.Name: SerialType, 111 BaseDeclarationType.Name: BaseDeclarationType, 112 SnapDeclarationType.Name: SnapDeclarationType, 113 SnapBuildType.Name: SnapBuildType, 114 SnapRevisionType.Name: SnapRevisionType, 115 SnapDeveloperType.Name: SnapDeveloperType, 116 SystemUserType.Name: SystemUserType, 117 ValidationType.Name: ValidationType, 118 ValidationSetType.Name: ValidationSetType, 119 RepairType.Name: RepairType, 120 StoreType.Name: StoreType, 121 // no authority 122 DeviceSessionRequestType.Name: DeviceSessionRequestType, 123 SerialRequestType.Name: SerialRequestType, 124 AccountKeyRequestType.Name: AccountKeyRequestType, 125 } 126 127 // Type returns the AssertionType with name or nil 128 func Type(name string) *AssertionType { 129 return typeRegistry[name] 130 } 131 132 // TypeNames returns a sorted list of known assertion type names. 133 func TypeNames() []string { 134 names := make([]string, 0, len(typeRegistry)) 135 for k := range typeRegistry { 136 names = append(names, k) 137 } 138 139 sort.Strings(names) 140 141 return names 142 } 143 144 var maxSupportedFormat = map[string]int{} 145 146 func init() { 147 // register maxSupportedFormats while breaking initialisation loop 148 149 // 1: plugs and slots 150 // 2: support for $SLOT()/$PLUG()/$MISSING 151 // 3: support for on-store/on-brand/on-model device scope constraints 152 // 4: support for plug-names/slot-names constraints 153 maxSupportedFormat[SnapDeclarationType.Name] = 4 154 155 // 1: support to limit to device serials 156 maxSupportedFormat[SystemUserType.Name] = 1 157 } 158 159 func MockMaxSupportedFormat(assertType *AssertionType, maxFormat int) (restore func()) { 160 prev := maxSupportedFormat[assertType.Name] 161 maxSupportedFormat[assertType.Name] = maxFormat 162 return func() { 163 maxSupportedFormat[assertType.Name] = prev 164 } 165 } 166 167 var formatAnalyzer = map[*AssertionType]func(headers map[string]interface{}, body []byte) (formatnum int, err error){ 168 SnapDeclarationType: snapDeclarationFormatAnalyze, 169 SystemUserType: systemUserFormatAnalyze, 170 } 171 172 // MaxSupportedFormats returns a mapping between assertion type names 173 // and corresponding max supported format if it is >= min. Typical 174 // usage passes 1 or 0 for min. 175 func MaxSupportedFormats(min int) (maxFormats map[string]int) { 176 if min == 0 { 177 maxFormats = make(map[string]int, len(typeRegistry)) 178 } else { 179 maxFormats = make(map[string]int) 180 } 181 for name := range typeRegistry { 182 m := maxSupportedFormat[name] 183 if m >= min { 184 maxFormats[name] = m 185 } 186 } 187 return maxFormats 188 } 189 190 // SuggestFormat returns a minimum format that supports the features that would be used by an assertion with the given components. 191 func SuggestFormat(assertType *AssertionType, headers map[string]interface{}, body []byte) (formatnum int, err error) { 192 analyzer := formatAnalyzer[assertType] 193 if analyzer == nil { 194 // no analyzer, format 0 is all there is 195 return 0, nil 196 } 197 formatnum, err = analyzer(headers, body) 198 if err != nil { 199 return 0, fmt.Errorf("assertion %s: %v", assertType.Name, err) 200 } 201 return formatnum, nil 202 } 203 204 // HeadersFromPrimaryKey constructs a headers mapping from the 205 // primaryKey values and the assertion type, it errors if primaryKey 206 // has the wrong length. 207 func HeadersFromPrimaryKey(assertType *AssertionType, primaryKey []string) (headers map[string]string, err error) { 208 if len(primaryKey) != len(assertType.PrimaryKey) { 209 return nil, fmt.Errorf("primary key has wrong length for %q assertion", assertType.Name) 210 } 211 headers = make(map[string]string, len(assertType.PrimaryKey)) 212 for i, name := range assertType.PrimaryKey { 213 keyVal := primaryKey[i] 214 if keyVal == "" { 215 return nil, fmt.Errorf("primary key %q header cannot be empty", name) 216 } 217 headers[name] = keyVal 218 } 219 return headers, nil 220 } 221 222 // PrimaryKeyFromHeaders extracts the tuple of values from headers 223 // corresponding to a primary key under the assertion type, it errors 224 // if there are missing primary key headers. 225 func PrimaryKeyFromHeaders(assertType *AssertionType, headers map[string]string) (primaryKey []string, err error) { 226 return keysFromHeaders(assertType.PrimaryKey, headers) 227 } 228 229 func keysFromHeaders(keys []string, headers map[string]string) (keyValues []string, err error) { 230 keyValues = make([]string, len(keys)) 231 for i, k := range keys { 232 keyVal := headers[k] 233 if keyVal == "" { 234 return nil, fmt.Errorf("must provide primary key: %v", k) 235 } 236 keyValues[i] = keyVal 237 } 238 return keyValues, nil 239 } 240 241 // Ref expresses a reference to an assertion. 242 type Ref struct { 243 Type *AssertionType 244 PrimaryKey []string 245 } 246 247 func (ref *Ref) String() string { 248 pkStr := "-" 249 n := len(ref.Type.PrimaryKey) 250 if n != len(ref.PrimaryKey) { 251 pkStr = "???" 252 } else if n > 0 { 253 pkStr = ref.PrimaryKey[n-1] 254 if n > 1 { 255 sfx := []string{pkStr + ";"} 256 for i, k := range ref.Type.PrimaryKey[:n-1] { 257 sfx = append(sfx, fmt.Sprintf("%s:%s", k, ref.PrimaryKey[i])) 258 } 259 pkStr = strings.Join(sfx, " ") 260 } 261 } 262 return fmt.Sprintf("%s (%s)", ref.Type.Name, pkStr) 263 } 264 265 // Unique returns a unique string representing the reference that can be used as a key in maps. 266 func (ref *Ref) Unique() string { 267 return fmt.Sprintf("%s/%s", ref.Type.Name, strings.Join(ref.PrimaryKey, "/")) 268 } 269 270 // Resolve resolves the reference using the given find function. 271 func (ref *Ref) Resolve(find func(assertType *AssertionType, headers map[string]string) (Assertion, error)) (Assertion, error) { 272 headers, err := HeadersFromPrimaryKey(ref.Type, ref.PrimaryKey) 273 if err != nil { 274 return nil, fmt.Errorf("%q assertion reference primary key has the wrong length (expected %v): %v", ref.Type.Name, ref.Type.PrimaryKey, ref.PrimaryKey) 275 } 276 return find(ref.Type, headers) 277 } 278 279 const RevisionNotKnown = -1 280 281 // AtRevision represents an assertion at a given revision, possibly 282 // not known (RevisionNotKnown). 283 type AtRevision struct { 284 Ref 285 Revision int 286 } 287 288 func (at *AtRevision) String() string { 289 s := at.Ref.String() 290 if at.Revision == RevisionNotKnown { 291 return s 292 } 293 return fmt.Sprintf("%s at revision %d", s, at.Revision) 294 } 295 296 // Assertion represents an assertion through its general elements. 297 type Assertion interface { 298 // Type returns the type of this assertion 299 Type() *AssertionType 300 // Format returns the format iteration of this assertion 301 Format() int 302 // SupportedFormat returns whether the assertion uses a supported 303 // format iteration. If false the assertion might have been only 304 // partially parsed. 305 SupportedFormat() bool 306 // Revision returns the revision of this assertion 307 Revision() int 308 // AuthorityID returns the authority that signed this assertion 309 AuthorityID() string 310 311 // Header retrieves the header with name 312 Header(name string) interface{} 313 314 // Headers returns the complete headers 315 Headers() map[string]interface{} 316 317 // HeaderString retrieves the string value of header with name or "" 318 HeaderString(name string) string 319 320 // Body returns the body of this assertion 321 Body() []byte 322 323 // Signature returns the signed content and its unprocessed signature 324 Signature() (content, signature []byte) 325 326 // SignKeyID returns the key id for the key that signed this assertion. 327 SignKeyID() string 328 329 // Prerequisites returns references to the prerequisite assertions for the validity of this one. 330 Prerequisites() []*Ref 331 332 // Ref returns a reference representing this assertion. 333 Ref() *Ref 334 335 // At returns an AtRevision referencing this assertion at its revision. 336 At() *AtRevision 337 } 338 339 // SequenceMember is implemented by assertions of sequence forming types. 340 type SequenceMember interface { 341 Assertion 342 343 // Sequence returns the sequence number of this assertion. 344 Sequence() int 345 } 346 347 // customSigner represents an assertion with special arrangements for its signing key (e.g. self-signed), rather than the usual case where an assertion is signed by its authority. 348 type customSigner interface { 349 // signKey returns the public key material for the key that signed this assertion. See also SignKeyID. 350 signKey() PublicKey 351 } 352 353 // MediaType is the media type for encoded assertions on the wire. 354 const MediaType = "application/x.ubuntu.assertion" 355 356 // assertionBase is the concrete base to hold representation data for actual assertions. 357 type assertionBase struct { 358 headers map[string]interface{} 359 body []byte 360 // parsed format iteration 361 format int 362 // parsed revision 363 revision int 364 // preserved content 365 content []byte 366 // unprocessed signature 367 signature []byte 368 } 369 370 // HeaderString retrieves the string value of header with name or "" 371 func (ab *assertionBase) HeaderString(name string) string { 372 s, _ := ab.headers[name].(string) 373 return s 374 } 375 376 // Type returns the assertion type. 377 func (ab *assertionBase) Type() *AssertionType { 378 return Type(ab.HeaderString("type")) 379 } 380 381 // Format returns the assertion format iteration. 382 func (ab *assertionBase) Format() int { 383 return ab.format 384 } 385 386 // SupportedFormat returns whether the assertion uses a supported 387 // format iteration. If false the assertion might have been only 388 // partially parsed. 389 func (ab *assertionBase) SupportedFormat() bool { 390 return ab.format <= maxSupportedFormat[ab.HeaderString("type")] 391 } 392 393 // Revision returns the assertion revision. 394 func (ab *assertionBase) Revision() int { 395 return ab.revision 396 } 397 398 // AuthorityID returns the authority-id a.k.a the signer id of the assertion. 399 func (ab *assertionBase) AuthorityID() string { 400 return ab.HeaderString("authority-id") 401 } 402 403 // Header returns the value of an header by name. 404 func (ab *assertionBase) Header(name string) interface{} { 405 v := ab.headers[name] 406 if v == nil { 407 return nil 408 } 409 return copyHeader(v) 410 } 411 412 // Headers returns the complete headers. 413 func (ab *assertionBase) Headers() map[string]interface{} { 414 return copyHeaders(ab.headers) 415 } 416 417 // Body returns the body of the assertion. 418 func (ab *assertionBase) Body() []byte { 419 return ab.body 420 } 421 422 // Signature returns the signed content and its unprocessed signature. 423 func (ab *assertionBase) Signature() (content, signature []byte) { 424 return ab.content, ab.signature 425 } 426 427 // SignKeyID returns the key id for the key that signed this assertion. 428 func (ab *assertionBase) SignKeyID() string { 429 return ab.HeaderString("sign-key-sha3-384") 430 } 431 432 // Prerequisites returns references to the prerequisite assertions for the validity of this one. 433 func (ab *assertionBase) Prerequisites() []*Ref { 434 return nil 435 } 436 437 // Ref returns a reference representing this assertion. 438 func (ab *assertionBase) Ref() *Ref { 439 assertType := ab.Type() 440 primKey := make([]string, len(assertType.PrimaryKey)) 441 for i, name := range assertType.PrimaryKey { 442 primKey[i] = ab.HeaderString(name) 443 } 444 return &Ref{ 445 Type: assertType, 446 PrimaryKey: primKey, 447 } 448 } 449 450 // At returns an AtRevision referencing this assertion at its revision. 451 func (ab *assertionBase) At() *AtRevision { 452 return &AtRevision{Ref: *ab.Ref(), Revision: ab.Revision()} 453 } 454 455 // sanity check 456 var _ Assertion = (*assertionBase)(nil) 457 458 // Decode parses a serialized assertion. 459 // 460 // The expected serialisation format looks like: 461 // 462 // HEADER ("\n\n" BODY?)? "\n\n" SIGNATURE 463 // 464 // where: 465 // 466 // HEADER is a set of header entries separated by "\n" 467 // BODY can be arbitrary text, 468 // SIGNATURE is the signature 469 // 470 // Both BODY and HEADER must be UTF8. 471 // 472 // A header entry for a single line value (no '\n' in it) looks like: 473 // 474 // NAME ": " SIMPLEVALUE 475 // 476 // The format supports multiline text values (with '\n's in them) and 477 // lists or maps, possibly nested, with string scalars in them. 478 // 479 // For those a header entry looks like: 480 // 481 // NAME ":\n" MULTI(baseindent) 482 // 483 // where MULTI can be 484 // 485 // * (baseindent + 4)-space indented value (multiline text) 486 // 487 // * entries of a list each of the form: 488 // 489 // " "*baseindent " -" ( " " SIMPLEVALUE | "\n" MULTI ) 490 // 491 // * entries of map each of the form: 492 // 493 // " "*baseindent " " NAME ":" ( " " SIMPLEVALUE | "\n" MULTI ) 494 // 495 // baseindent starts at 0 and then grows with nesting matching the 496 // previous level introduction (e.g. the " "*baseindent " -" bit) 497 // length minus 1. 498 // 499 // In general the following headers are mandatory: 500 // 501 // type 502 // authority-id (except for on the wire/self-signed assertions like serial-request) 503 // 504 // Further for a given assertion type all the primary key headers 505 // must be non empty and must not contain '/'. 506 // 507 // The following headers expect string representing integer values and 508 // if omitted otherwise are assumed to be 0: 509 // 510 // revision (a positive int) 511 // body-length (expected to be equal to the length of BODY) 512 // format (a positive int for the format iteration of the type used) 513 // 514 // Times are expected to be in the RFC3339 format: "2006-01-02T15:04:05Z07:00". 515 // 516 func Decode(serializedAssertion []byte) (Assertion, error) { 517 // copy to get an independent backstorage that can't be mutated later 518 assertionSnapshot := make([]byte, len(serializedAssertion)) 519 copy(assertionSnapshot, serializedAssertion) 520 contentSignatureSplit := bytes.LastIndex(assertionSnapshot, nlnl) 521 if contentSignatureSplit == -1 { 522 return nil, fmt.Errorf("assertion content/signature separator not found") 523 } 524 content := assertionSnapshot[:contentSignatureSplit] 525 signature := assertionSnapshot[contentSignatureSplit+2:] 526 527 headersBodySplit := bytes.Index(content, nlnl) 528 var body, head []byte 529 if headersBodySplit == -1 { 530 head = content 531 } else { 532 body = content[headersBodySplit+2:] 533 if len(body) == 0 { 534 body = nil 535 } 536 head = content[:headersBodySplit] 537 } 538 539 headers, err := parseHeaders(head) 540 if err != nil { 541 return nil, fmt.Errorf("parsing assertion headers: %v", err) 542 } 543 544 return assemble(headers, body, content, signature) 545 } 546 547 // Maximum assertion component sizes. 548 const ( 549 MaxBodySize = 2 * 1024 * 1024 550 MaxHeadersSize = 128 * 1024 551 MaxSignatureSize = 128 * 1024 552 ) 553 554 // Decoder parses a stream of assertions bundled by separating them with double newlines. 555 type Decoder struct { 556 rd io.Reader 557 initialBufSize int 558 b *bufio.Reader 559 err error 560 maxHeadersSize int 561 maxSigSize int 562 563 defaultMaxBodySize int 564 typeMaxBodySize map[*AssertionType]int 565 } 566 567 // initBuffer finishes a Decoder initialization by setting up the bufio.Reader, 568 // it returns the *Decoder for convenience of notation. 569 func (d *Decoder) initBuffer() *Decoder { 570 d.b = bufio.NewReaderSize(d.rd, d.initialBufSize) 571 return d 572 } 573 574 const defaultDecoderBufSize = 4096 575 576 // NewDecoder returns a Decoder to parse the stream of assertions from the reader. 577 func NewDecoder(r io.Reader) *Decoder { 578 return (&Decoder{ 579 rd: r, 580 initialBufSize: defaultDecoderBufSize, 581 maxHeadersSize: MaxHeadersSize, 582 maxSigSize: MaxSignatureSize, 583 defaultMaxBodySize: MaxBodySize, 584 }).initBuffer() 585 } 586 587 // NewDecoderWithTypeMaxBodySize returns a Decoder to parse the stream of assertions from the reader enforcing optional per type max body sizes or the default one as fallback. 588 func NewDecoderWithTypeMaxBodySize(r io.Reader, typeMaxBodySize map[*AssertionType]int) *Decoder { 589 return (&Decoder{ 590 rd: r, 591 initialBufSize: defaultDecoderBufSize, 592 maxHeadersSize: MaxHeadersSize, 593 maxSigSize: MaxSignatureSize, 594 defaultMaxBodySize: MaxBodySize, 595 typeMaxBodySize: typeMaxBodySize, 596 }).initBuffer() 597 } 598 599 func (d *Decoder) peek(size int) ([]byte, error) { 600 buf, err := d.b.Peek(size) 601 if err == bufio.ErrBufferFull { 602 rebuf, reerr := d.b.Peek(d.b.Buffered()) 603 if reerr != nil { 604 panic(reerr) 605 } 606 mr := io.MultiReader(bytes.NewBuffer(rebuf), d.rd) 607 d.b = bufio.NewReaderSize(mr, (size/d.initialBufSize+1)*d.initialBufSize) 608 buf, err = d.b.Peek(size) 609 } 610 if err != nil && d.err == nil { 611 d.err = err 612 } 613 return buf, d.err 614 } 615 616 // NB: readExact and readUntil use peek underneath and their returned 617 // buffers are valid only until the next reading call 618 619 func (d *Decoder) readExact(size int) ([]byte, error) { 620 buf, err := d.peek(size) 621 d.b.Discard(len(buf)) 622 if len(buf) == size { 623 return buf, nil 624 } 625 if err == io.EOF { 626 return buf, io.ErrUnexpectedEOF 627 } 628 return buf, err 629 } 630 631 func (d *Decoder) readUntil(delim []byte, maxSize int) ([]byte, error) { 632 last := 0 633 size := d.initialBufSize 634 for { 635 buf, err := d.peek(size) 636 if i := bytes.Index(buf[last:], delim); i >= 0 { 637 d.b.Discard(last + i + len(delim)) 638 return buf[:last+i+len(delim)], nil 639 } 640 // report errors only once we have consumed what is buffered 641 if err != nil && len(buf) == d.b.Buffered() { 642 d.b.Discard(len(buf)) 643 return buf, err 644 } 645 last = size - len(delim) + 1 646 size *= 2 647 if size > maxSize { 648 return nil, fmt.Errorf("maximum size exceeded while looking for delimiter %q", delim) 649 } 650 } 651 } 652 653 // Decode parses the next assertion from the stream. 654 // It returns the error io.EOF at the end of a well-formed stream. 655 func (d *Decoder) Decode() (Assertion, error) { 656 // read the headers and the nlnl separator after them 657 headAndSep, err := d.readUntil(nlnl, d.maxHeadersSize) 658 if err != nil { 659 if err == io.EOF { 660 if len(headAndSep) != 0 { 661 return nil, io.ErrUnexpectedEOF 662 } 663 return nil, io.EOF 664 } 665 return nil, fmt.Errorf("error reading assertion headers: %v", err) 666 } 667 668 headLen := len(headAndSep) - len(nlnl) 669 headers, err := parseHeaders(headAndSep[:headLen]) 670 if err != nil { 671 return nil, fmt.Errorf("parsing assertion headers: %v", err) 672 } 673 674 typeStr, _ := headers["type"].(string) 675 typ := Type(typeStr) 676 677 length, err := checkIntWithDefault(headers, "body-length", 0) 678 if err != nil { 679 return nil, fmt.Errorf("assertion: %v", err) 680 } 681 if typMaxBodySize := d.typeMaxBodySize[typ]; typMaxBodySize != 0 && length > typMaxBodySize { 682 return nil, fmt.Errorf("assertion body length %d exceeds maximum body size %d for %q assertions", length, typMaxBodySize, typ.Name) 683 } else if length > d.defaultMaxBodySize { 684 return nil, fmt.Errorf("assertion body length %d exceeds maximum body size", length) 685 } 686 687 // save the headers before we try to read more, and setup to capture 688 // the whole content in a buffer 689 contentBuf := bytes.NewBuffer(make([]byte, 0, len(headAndSep)+length)) 690 contentBuf.Write(headAndSep) 691 692 if length > 0 { 693 // read the body if length != 0 694 body, err := d.readExact(length) 695 if err != nil { 696 return nil, err 697 } 698 contentBuf.Write(body) 699 } 700 701 // try to read the end of body a.k.a content/signature separator 702 endOfBody, err := d.readUntil(nlnl, d.maxSigSize) 703 if err != nil && err != io.EOF { 704 return nil, fmt.Errorf("error reading assertion trailer: %v", err) 705 } 706 707 var sig []byte 708 if bytes.Equal(endOfBody, nlnl) { 709 // we got the nlnl content/signature separator, read the signature now and the assertion/assertion nlnl separation 710 sig, err = d.readUntil(nlnl, d.maxSigSize) 711 if err != nil && err != io.EOF { 712 return nil, fmt.Errorf("error reading assertion signature: %v", err) 713 } 714 } else { 715 // we got the signature directly which is a ok format only if body length == 0 716 if length > 0 { 717 return nil, fmt.Errorf("missing content/signature separator") 718 } 719 sig = endOfBody 720 contentBuf.Truncate(headLen) 721 } 722 723 // normalize sig ending newlines 724 if bytes.HasSuffix(sig, nlnl) { 725 sig = sig[:len(sig)-1] 726 } 727 728 finalContent := contentBuf.Bytes() 729 var finalBody []byte 730 if length > 0 { 731 finalBody = finalContent[headLen+len(nlnl):] 732 } 733 734 finalSig := make([]byte, len(sig)) 735 copy(finalSig, sig) 736 737 return assemble(headers, finalBody, finalContent, finalSig) 738 } 739 740 func checkIteration(headers map[string]interface{}, name string) (int, error) { 741 iternum, err := checkIntWithDefault(headers, name, 0) 742 if err != nil { 743 return -1, err 744 } 745 if iternum < 0 { 746 return -1, fmt.Errorf("%s should be positive: %v", name, iternum) 747 } 748 return iternum, nil 749 } 750 751 func checkFormat(headers map[string]interface{}) (int, error) { 752 return checkIteration(headers, "format") 753 } 754 755 func checkRevision(headers map[string]interface{}) (int, error) { 756 return checkIteration(headers, "revision") 757 } 758 759 // Assemble assembles an assertion from its components. 760 func Assemble(headers map[string]interface{}, body, content, signature []byte) (Assertion, error) { 761 err := checkHeaders(headers) 762 if err != nil { 763 return nil, err 764 } 765 return assemble(headers, body, content, signature) 766 } 767 768 // assemble is the internal variant of Assemble, assumes headers are already checked for supported types 769 func assemble(headers map[string]interface{}, body, content, signature []byte) (Assertion, error) { 770 length, err := checkIntWithDefault(headers, "body-length", 0) 771 if err != nil { 772 return nil, fmt.Errorf("assertion: %v", err) 773 } 774 if length != len(body) { 775 return nil, fmt.Errorf("assertion body length and declared body-length don't match: %v != %v", len(body), length) 776 } 777 778 if !utf8.Valid(body) { 779 return nil, fmt.Errorf("body is not utf8") 780 } 781 782 if _, err := checkDigest(headers, "sign-key-sha3-384", crypto.SHA3_384); err != nil { 783 return nil, fmt.Errorf("assertion: %v", err) 784 } 785 786 typ, err := checkNotEmptyString(headers, "type") 787 if err != nil { 788 return nil, fmt.Errorf("assertion: %v", err) 789 } 790 assertType := Type(typ) 791 if assertType == nil { 792 return nil, fmt.Errorf("unknown assertion type: %q", typ) 793 } 794 795 if assertType.flags&noAuthority == 0 { 796 if _, err := checkNotEmptyString(headers, "authority-id"); err != nil { 797 return nil, fmt.Errorf("assertion: %v", err) 798 } 799 } else { 800 _, ok := headers["authority-id"] 801 if ok { 802 return nil, fmt.Errorf("%q assertion cannot have authority-id set", assertType.Name) 803 } 804 } 805 806 formatnum, err := checkFormat(headers) 807 if err != nil { 808 return nil, fmt.Errorf("assertion: %v", err) 809 } 810 811 for _, primKey := range assertType.PrimaryKey { 812 if _, err := checkPrimaryKey(headers, primKey); err != nil { 813 return nil, fmt.Errorf("assertion %s: %v", assertType.Name, err) 814 } 815 } 816 817 revision, err := checkRevision(headers) 818 if err != nil { 819 return nil, fmt.Errorf("assertion: %v", err) 820 } 821 822 if len(signature) == 0 { 823 return nil, fmt.Errorf("empty assertion signature") 824 } 825 826 assert, err := assertType.assembler(assertionBase{ 827 headers: headers, 828 body: body, 829 format: formatnum, 830 revision: revision, 831 content: content, 832 signature: signature, 833 }) 834 if err != nil { 835 return nil, fmt.Errorf("assertion %s: %v", assertType.Name, err) 836 } 837 return assert, nil 838 } 839 840 func writeHeader(buf *bytes.Buffer, headers map[string]interface{}, name string) { 841 appendEntry(buf, fmt.Sprintf("%s:", name), headers[name], 0) 842 } 843 844 func assembleAndSign(assertType *AssertionType, headers map[string]interface{}, body []byte, privKey PrivateKey) (Assertion, error) { 845 err := checkAssertType(assertType) 846 if err != nil { 847 return nil, err 848 } 849 850 withAuthority := assertType.flags&noAuthority == 0 851 852 err = checkHeaders(headers) 853 if err != nil { 854 return nil, err 855 } 856 857 // there's no hint at all that we will need non-textual bodies, 858 // make sure we actually enforce that 859 if !utf8.Valid(body) { 860 return nil, fmt.Errorf("assertion body is not utf8") 861 } 862 863 finalHeaders := copyHeaders(headers) 864 bodyLength := len(body) 865 finalBody := make([]byte, bodyLength) 866 copy(finalBody, body) 867 finalHeaders["type"] = assertType.Name 868 finalHeaders["body-length"] = strconv.Itoa(bodyLength) 869 finalHeaders["sign-key-sha3-384"] = privKey.PublicKey().ID() 870 871 if withAuthority { 872 if _, err := checkNotEmptyString(finalHeaders, "authority-id"); err != nil { 873 return nil, err 874 } 875 } else { 876 _, ok := finalHeaders["authority-id"] 877 if ok { 878 return nil, fmt.Errorf("%q assertion cannot have authority-id set", assertType.Name) 879 } 880 } 881 882 formatnum, err := checkFormat(finalHeaders) 883 if err != nil { 884 return nil, err 885 } 886 887 if formatnum > assertType.MaxSupportedFormat() { 888 return nil, fmt.Errorf("cannot sign %q assertion with format %d higher than max supported format %d", assertType.Name, formatnum, assertType.MaxSupportedFormat()) 889 } 890 891 suggestedFormat, err := SuggestFormat(assertType, finalHeaders, finalBody) 892 if err != nil { 893 return nil, err 894 } 895 896 if suggestedFormat > formatnum { 897 return nil, fmt.Errorf("cannot sign %q assertion with format set to %d lower than min format %d covering included features", assertType.Name, formatnum, suggestedFormat) 898 } 899 900 revision, err := checkRevision(finalHeaders) 901 if err != nil { 902 return nil, err 903 } 904 905 buf := bytes.NewBufferString("type: ") 906 buf.WriteString(assertType.Name) 907 908 if formatnum > 0 { 909 writeHeader(buf, finalHeaders, "format") 910 } else { 911 delete(finalHeaders, "format") 912 } 913 914 if withAuthority { 915 writeHeader(buf, finalHeaders, "authority-id") 916 } 917 918 if revision > 0 { 919 writeHeader(buf, finalHeaders, "revision") 920 } else { 921 delete(finalHeaders, "revision") 922 } 923 written := map[string]bool{ 924 "type": true, 925 "format": true, 926 "authority-id": true, 927 "revision": true, 928 "body-length": true, 929 "sign-key-sha3-384": true, 930 } 931 for _, primKey := range assertType.PrimaryKey { 932 if _, err := checkPrimaryKey(finalHeaders, primKey); err != nil { 933 return nil, err 934 } 935 writeHeader(buf, finalHeaders, primKey) 936 written[primKey] = true 937 } 938 939 // emit other headers in lexicographic order 940 otherKeys := make([]string, 0, len(finalHeaders)) 941 for name := range finalHeaders { 942 if !written[name] { 943 otherKeys = append(otherKeys, name) 944 } 945 } 946 sort.Strings(otherKeys) 947 for _, k := range otherKeys { 948 writeHeader(buf, finalHeaders, k) 949 } 950 951 // body-length and body 952 if bodyLength > 0 { 953 writeHeader(buf, finalHeaders, "body-length") 954 } else { 955 delete(finalHeaders, "body-length") 956 } 957 958 // signing key reference 959 writeHeader(buf, finalHeaders, "sign-key-sha3-384") 960 961 if bodyLength > 0 { 962 buf.Grow(bodyLength + 2) 963 buf.Write(nlnl) 964 buf.Write(finalBody) 965 } else { 966 finalBody = nil 967 } 968 content := buf.Bytes() 969 970 signature, err := signContent(content, privKey) 971 if err != nil { 972 return nil, fmt.Errorf("cannot sign assertion: %v", err) 973 } 974 // be 'cat' friendly, add a ignored newline to the signature which is the last part of the encoded assertion 975 signature = append(signature, '\n') 976 977 assert, err := assertType.assembler(assertionBase{ 978 headers: finalHeaders, 979 body: finalBody, 980 format: formatnum, 981 revision: revision, 982 content: content, 983 signature: signature, 984 }) 985 if err != nil { 986 return nil, fmt.Errorf("cannot assemble assertion %s: %v", assertType.Name, err) 987 } 988 return assert, nil 989 } 990 991 // SignWithoutAuthority assembles an assertion without a set authority with the provided information and signs it with the given private key. 992 func SignWithoutAuthority(assertType *AssertionType, headers map[string]interface{}, body []byte, privKey PrivateKey) (Assertion, error) { 993 if assertType.flags&noAuthority == 0 { 994 return nil, fmt.Errorf("cannot sign assertions needing a definite authority with SignWithoutAuthority") 995 } 996 return assembleAndSign(assertType, headers, body, privKey) 997 } 998 999 // Encode serializes an assertion. 1000 func Encode(assert Assertion) []byte { 1001 content, signature := assert.Signature() 1002 needed := len(content) + 2 + len(signature) 1003 buf := bytes.NewBuffer(make([]byte, 0, needed)) 1004 buf.Write(content) 1005 buf.Write(nlnl) 1006 buf.Write(signature) 1007 return buf.Bytes() 1008 } 1009 1010 // Encoder emits a stream of assertions bundled by separating them with double newlines. 1011 type Encoder struct { 1012 wr io.Writer 1013 nextSep []byte 1014 } 1015 1016 // NewEncoder returns a Encoder to emit a stream of assertions to a writer. 1017 func NewEncoder(w io.Writer) *Encoder { 1018 return &Encoder{wr: w} 1019 } 1020 1021 func (enc *Encoder) writeSep(last byte) error { 1022 if last != '\n' { 1023 _, err := enc.wr.Write(nl) 1024 if err != nil { 1025 return err 1026 } 1027 } 1028 enc.nextSep = nl 1029 return nil 1030 } 1031 1032 // WriteEncoded writes the encoded assertion into the stream with the required separator. 1033 func (enc *Encoder) WriteEncoded(encoded []byte) error { 1034 sz := len(encoded) 1035 if sz == 0 { 1036 return fmt.Errorf("internal error: encoded assertion cannot be empty") 1037 } 1038 1039 _, err := enc.wr.Write(enc.nextSep) 1040 if err != nil { 1041 return err 1042 } 1043 1044 _, err = enc.wr.Write(encoded) 1045 if err != nil { 1046 return err 1047 } 1048 1049 return enc.writeSep(encoded[sz-1]) 1050 } 1051 1052 // WriteContentSignature writes the content and signature of an assertion into the stream with all the required separators. 1053 func (enc *Encoder) WriteContentSignature(content, signature []byte) error { 1054 if len(content) == 0 { 1055 return fmt.Errorf("internal error: content cannot be empty") 1056 } 1057 1058 sz := len(signature) 1059 if sz == 0 { 1060 return fmt.Errorf("internal error: signature cannot be empty") 1061 } 1062 1063 _, err := enc.wr.Write(enc.nextSep) 1064 if err != nil { 1065 return err 1066 } 1067 1068 _, err = enc.wr.Write(content) 1069 if err != nil { 1070 return err 1071 } 1072 _, err = enc.wr.Write(nlnl) 1073 if err != nil { 1074 return err 1075 } 1076 _, err = enc.wr.Write(signature) 1077 if err != nil { 1078 return err 1079 } 1080 1081 return enc.writeSep(signature[sz-1]) 1082 } 1083 1084 // Encode emits the assertion into the stream with the required separator. 1085 // Errors here are always about writing given that Encode() itself cannot error. 1086 func (enc *Encoder) Encode(assert Assertion) error { 1087 return enc.WriteContentSignature(assert.Signature()) 1088 } 1089 1090 // SignatureCheck checks the signature of the assertion against the given public key. Useful for assertions with no authority. 1091 func SignatureCheck(assert Assertion, pubKey PublicKey) error { 1092 content, encodedSig := assert.Signature() 1093 sig, err := decodeSignature(encodedSig) 1094 if err != nil { 1095 return err 1096 } 1097 err = pubKey.verify(content, sig) 1098 if err != nil { 1099 return fmt.Errorf("failed signature verification: %v", err) 1100 } 1101 return nil 1102 }