From 616fba376eff18460d941934b9f165064247a487 Mon Sep 17 00:00:00 2001 From: TommyLike Date: Thu, 13 Jul 2023 22:44:43 +0800 Subject: [PATCH] Check file content is empty before sending request to remote server --- README.md | 2 +- docs/how to sign kernelmodule file.md | 6 +++--- docs/how to sign rpm&srpm file.md | 4 ++-- docs/how to sign&verify a generic file.md | 4 ++-- docs/support-ca.md | 26 +++++++++++------------ src/client/worker/signer.rs | 4 ++++ src/util/error.rs | 2 ++ 7 files changed, 27 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 2876d57..8fd3f32 100644 --- a/README.md +++ b/README.md @@ -139,7 +139,7 @@ Now you can use this token to debug the control service API or use the pgp keys curl -k --header "Authorization:XmUICsVV48EjfkWYv3ch1eutRJOQh7mp3bRfmQDL" -v http(s)://localhost:8080/api/v1/keys/ ``` ```shell -RUST_BACKTRACE=full RUST_LOG=info ./target/debug/client --config add --key-id default-pgp --file-type rpm --key-type pgp .data/simple.rpm +RUST_BACKTRACE=full RUST_LOG=info ./target/debug/client --config add --key-name default-pgp --file-type rpm --key-type pgp .data/simple.rpm ``` ## OpenAPI Documentation Signatrust supports online openAPI documentation, once control server starts, navigate to `localhost:8080/api/swagger-ui/` and check the document. note you need to add correct `Authorization` diff --git a/docs/how to sign kernelmodule file.md b/docs/how to sign kernelmodule file.md index 953495f..770bf45 100644 --- a/docs/how to sign kernelmodule file.md +++ b/docs/how to sign kernelmodule file.md 
@@ -99,12 +99,12 @@ tommylike@ubuntu  ~/sign-kernelmodule  openssl asn1parse -inform der -in s ## Sign the KernelModule file with signatrust Signatrust support sign KernelModule file within the command as following: ```bash - RUST_BACKTRACE=full RUST_LOG=debug ./target/debug/client --config /path/to/client.toml add --key-id default-x509 --file-type kernel-module --key-type x509 .data/simple.ko + RUST_BACKTRACE=full RUST_LOG=debug ./target/debug/client --config /path/to/client.toml add --key-name default-x509 --file-type kernel-module --key-type x509 .data/simple.ko ``` Signatrust supports to resign a signed KernelModule file, that's to say instead of append the cert and metadata at the end of file, signatrust will try to parse the kernel module file and replace the signature when resigning. if you add the `--detached` flag, the signature will be detached from the file as `sign-file` tool, and the signature will be output to the file with the same name as the file to be signed, but with the extension .p7s appended to the file name. ```bash - RUST_BACKTRACE=full RUST_LOG=debug ./target/debug/client --config /path/to/client.toml add --key-id default-x509 --file-type kernel-module --key-type x509 --detached .data/simple.ko + RUST_BACKTRACE=full RUST_LOG=debug ./target/debug/client --config /path/to/client.toml add --key-name default-x509 --file-type kernel-module --key-type x509 --detached .data/simple.ko ``` ## Verify the Signature of KernelModule file @@ -112,7 +112,7 @@ In order to verify the signature of KernelModule file, you need to extract the s 1. Download the certificate from signatrust control-server and save it into local file(new.cert as below) in pem format: ```shell curl -X 'POST' \ - 'https://localhost:8080/api/v1/keys//certificate' \ + 'https://localhost:8080/api/v1/keys//certificate' \ -H 'accept: application/json' \ -H 'Authorization: cBnLPLXl1fA7fKDZnjg9fd9dSWw2RXtUH3MGFUtq' \ -d '' 
diff --git a/docs/how to sign rpm&srpm file.md b/docs/how to sign rpm&srpm file.md index 6bbe874..ef2672e 100644 --- a/docs/how to sign rpm&srpm file.md +++ b/docs/how to sign rpm&srpm file.md @@ -26,7 +26,7 @@ And these tags below will be used for signing: ## Sign the RPM&SRPM with Signatrust Signatrust support sign RPM file within the command as following: ```bash - RUST_BACKTRACE=full RUST_LOG=debug ./target/debug/client --config /path/to/client.toml add --key-id default-pgp --file-type rpm --key-type pgp .data/simple.rpm + RUST_BACKTRACE=full RUST_LOG=debug ./target/debug/client --config /path/to/client.toml add --key-name default-pgp --file-type rpm --key-type pgp .data/simple.rpm ``` ## Verify the Signature of RPM file @@ -34,7 +34,7 @@ In order to verify the signature of rpm file, you need to download the openPGP p 1. Download the public key from signatrust control-server and save into local file(new.key as below) in text format: ```shell curl -X 'POST' \ - 'https://localhost:8080/api/v1/keys//public_key' \ + 'https://localhost:8080/api/v1/keys//public_key' \ -H 'accept: application/json' \ -H 'Authorization: cBnLPLXl1fA7fKDZnjg9fd9dSWw2RXtUH3MGFUtq' \ -d '' diff --git a/docs/how to sign&verify a generic file.md b/docs/how to sign&verify a generic file.md index 3d985af..c2d9fa3 100644 --- a/docs/how to sign&verify a generic file.md +++ b/docs/how to sign&verify a generic file.md 
@@ -7,7 +7,7 @@ basically the sign system will read the whole file content, sign it with openPGP ## Sign the generic file with signatrust Signatrust supports sign a generic file with the following command: ```bash - RUST_BACKTRACE=full RUST_LOG=debug ./target/debug/client --config /path/to/client.toml add --key-id default-pgp --file-type generic --key-type pgp .data/somme-file.checksum + RUST_BACKTRACE=full RUST_LOG=debug ./target/debug/client --config /path/to/client.toml add --key-name default-pgp --file-type generic --key-type pgp .data/somme-file.checksum ``` and the `asc` file will be generated in the same directory with the original file. ``` @@ -42,7 +42,7 @@ brew install gnupg 2. Download the public key from signatrust control-server and save it into local file(pgp.public_key as below) in pem format: ```shell curl -X 'POST' \ - 'https://localhost:8080/api/v1/keys//public_key' \ + 'https://localhost:8080/api/v1/keys//public_key' \ -H 'accept: application/json' \ -H 'Authorization: cBnLPLXl1fA7fKDZnjg9fd9dSWw2RXtUH3MGFUtq' \ -d '' diff --git a/docs/support-ca.md b/docs/support-ca.md index 4ca0548..2a3c588 100644 --- a/docs/support-ca.md +++ b/docs/support-ca.md @@ -107,7 +107,7 @@ When generated, we can get the profile detail via inspecting certificate file: Signatrust Intermediate CA Authority Information Access: OCSP - URI:https://oscp.signatrust.osinfra.cn - CA Issuers - URI:https://signatrust.osinfra.cn/api/v1/keys//certificate + CA Issuers - URI:https://signatrust.osinfra.cn/api/v1/keys//certificate ``` The life cycle and functionality of the Intermediate Certificate Authority is defined as below: 
@@ -169,7 +169,7 @@ When generated, we can get the profile detail via inspecting certificate file: Signatrust Sign Certificate Authority Information Access: OCSP - URI:https://oscp.signatrust.osinfra.cn - CA Issuers - URI:https://signatrust.osinfra.cn/api/v1/keys//certificate + CA Issuers - URI:https://signatrust.osinfra.cn/api/v1/keys//certificate ``` The life cycle and functionality of the End Entity Certificate is defined as below: @@ -190,7 +190,7 @@ the CRL content would be updated every **7** days in design, and the generated c ```shell X509v3 CRL Distribution Points: Full Name: - URI:https://signatrust.osinfra.cn/api/v1/keys//crl + URI:https://signatrust.osinfra.cn/api/v1/keys//crl ``` ### Online Certificate Status Protocol The Online Certificate Status Protocol (OCSP) enables the client to determine the @@ -317,7 +317,7 @@ at the same time; within this proposal, the generation process will differ based We need to introduce a new endpoint to check the CRL status of a specific CA or intermediate CA, considering we already have the endpoint to export keys, we should update the export API to match the changes, the endpoint currently we have: ```shell - POST -H 'Authorization: XXXX' /api/v1/keys//export + POST -H 'Authorization: XXXX' /api/v1/keys//export Response in JSON: { "certificate": "string", @@ -328,7 +328,7 @@ The endpoint will be split into three individual and explicit endpoints: a. Get public key, it's only valid for `openPGP` keys and will get armored public key: ```shell - GET -H 'Authorization: XXXX' /api/v1/keys//public_key + GET -H 'Authorization: XXXX' /api/v1/keys//public_key Response in TEXT: -----BEGIN PGP PUBLIC KEY BLOCK----- 
@@ -337,7 +337,7 @@ a. Get public key, it's only valid for `openPGP` keys and will get armored publi ``` b. Get certificate, the endpoint only valid for `X509CA`, `X509ICA` and `X509EE` keys and will get PEM encoded certificate: ```shell - GET -H 'Authorization: XXXX' /api/v1/keys//certificate + GET -H 'Authorization: XXXX' /api/v1/keys//certificate Response in TEXT: -----BEGIN CERTIFICATE----- @@ -346,7 +346,7 @@ b. Get certificate, the endpoint only valid for `X509CA`, `X509ICA` and `X509EE` ``` c. Get CRL content, the endpoint is **public** and only valid for `X509CA` and `X509ICA` keys and will get the PEM encoded CRL: ```shell - GET /api/v1/keys//crl + GET /api/v1/keys//crl Response in TEXT: -----BEGIN X509 CRL----- @@ -356,16 +356,16 @@ c. Get CRL content, the endpoint is **public** and only valid for `X509CA` and ` #### Key operations We support request/cancel delete public keys via APIs as follows: ```shell -POST /api/v1/keys//request_delete -POST /api/v1/keys//cancel_delete +POST /api/v1/keys//request_delete +POST /api/v1/keys//cancel_delete ``` In order to support revoke certificates, we need to introduce a new group of APIs to revoke certificates, considering revoke and delete are belong to key operations, we propose to update those APIs in the following: ```shell -POST /api/v1/keys//action/request_delete -POST /api/v1/keys//action/cancel_delete -POST /api/v1/keys//action/request_revoke -POST /api/v1/keys//action/cancel_revoke +POST /api/v1/keys//action/request_delete +POST /api/v1/keys//action/cancel_delete +POST /api/v1/keys//action/request_revoke +POST /api/v1/keys//action/cancel_revoke ``` For the revoke API, we need to pass the reason in the request body as well, and the revoke reason will follow openssl recommendation: diff --git a/src/client/worker/signer.rs b/src/client/worker/signer.rs index 815e8fe..d00842c 100644 --- a/src/client/worker/signer.rs +++ b/src/client/worker/signer.rs 
@@ -68,6 +68,10 @@ impl SignHandler for RemoteSigner {
 key_id: item.key_id.clone(),
 });
 }
+ if sign_segments.is_empty() {
+ *item.error.borrow_mut() = Err(Error::FileContentEmpty);
+ return item
+ }
 let result = self.client.sign_stream(
 tokio_stream::iter(sign_segments)).await;
 match result {
diff --git a/src/util/error.rs b/src/util/error.rs
index 270b76c..c05b35e 100644
--- a/src/util/error.rs
+++ b/src/util/error.rs
@@ -125,6 +125,8 @@ pub enum Error {
 PartialSuccessError,
 #[error("Error in sign or parse EFI image")]
 EFIError(String),
+ #[error("file content is empty")]
+ FileContentEmpty,
 }
 
 #[derive(Deserialize, Serialize, ToSchema)]
-- Gitee
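Review bot: The `sign_segments.is_empty()` guard runs only after the loop above has already read the whole file into segments, so an empty input is rejected at the cost of a full read; a size check on the source before that loop would reject it earlier, but the loop and the enclosing function both start outside the hunk. `is_empty()` also only catches the case where nothing was pushed — if that loop can push a zero-length segment for a zero-byte file, an empty payload would still reach `sign_stream`, so it is worth confirming what the loop does in that case. Style-wise, rustfmt expects `return item;` with a trailing semicolon inside the block.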
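Review bot: The new variant's message `file content is empty` is lowercase while the adjacent `Error in sign or parse EFI image` is capitalised; pick one convention for the enum, e.g. `#[error("File content is empty")]` if the capitalised form is the one in use. The enum continues outside the hunk, so the other variants should settle which style applies.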