Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Properly verify the publickey signing #1

Merged
merged 4 commits into from
Jun 1, 2022
Merged

Properly verify the publickey signing #1

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
49f71fc
Properly verify the publickey signing
zeripath Jun 1, 2022
e854bc3
comments in VerifyCert
zeripath Jun 1, 2022
47d5487
parseauthorizedkey instead
zeripath Jun 1, 2022
777ce2c
slight renames;
zeripath Jun 1, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 30 additions & 29 deletions services/auth/httpsign.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,13 +53,12 @@ func (h *HTTPSign) Verify(req *http.Request, w http.ResponseWriter, store DataSt
}

var (
u *user_model.User
validpk *asymkey_model.PublicKey
err error
)

// Handle SSH certificates
if len(req.Header.Get("X-Ssh-Certificate")) != 0 {
// Handle Signature signed by SSH certificates
if len(setting.SSH.TrustedUserCAKeys) == 0 {
return nil
}
Expand All @@ -71,21 +70,16 @@ func (h *HTTPSign) Verify(req *http.Request, w http.ResponseWriter, store DataSt
return nil
}
} else {
keyID, err := GetKeyID(req)
if err != nil {
log.Debug("GetKeyID failed: %v", err)
return nil
}

validpk, err = VerifyPubKey(req, keyID)
// Handle Signature signed by Public Key
validpk, err = VerifyPubKey(req)
if err != nil {
log.Debug("VerifyPubKey on request from %s: failed: %v", req.RemoteAddr, err)
log.Warn("Failed authentication attempt from %s", req.RemoteAddr)
return nil
}
}

u, err = user_model.GetUserByID(validpk.OwnerID)
u, err := user_model.GetUserByID(validpk.OwnerID)
if err != nil {
log.Error("GetUserByID: %v", err)
return nil
Expand All @@ -98,7 +92,14 @@ func (h *HTTPSign) Verify(req *http.Request, w http.ResponseWriter, store DataSt
return u
}

func VerifyPubKey(r *http.Request, keyID string) (*asymkey_model.PublicKey, error) {
func VerifyPubKey(r *http.Request) (*asymkey_model.PublicKey, error) {
verifier, err := httpsig.NewVerifier(r)
if err != nil {
return nil, fmt.Errorf("httpsig.NewVerifier failed: %s", err)
}

keyID := verifier.KeyId()

validpk, err := asymkey_model.SearchPublicKey(0, keyID)
if err != nil {
return nil, err
Expand All @@ -108,6 +109,15 @@ func VerifyPubKey(r *http.Request, keyID string) (*asymkey_model.PublicKey, erro
return nil, fmt.Errorf("no public key found for keyid %s", keyID)
}

pk, err := ssh.ParsePublicKey([]byte(validpk[0].Content))
42wim marked this conversation as resolved.
Show resolved Hide resolved
if err != nil {
return nil, err
}

if err := doVerify(verifier, []ssh.PublicKey{pk}); err != nil {
return nil, err
}

return validpk[0], nil
}

Expand Down Expand Up @@ -197,19 +207,20 @@ func doVerify(verifier httpsig.Verifier, publickeys []ssh.PublicKey) error {
for _, pubkey := range publickeys {
cryptoPubkey := pubkey.(ssh.CryptoPublicKey).CryptoPublicKey()

var algo httpsig.Algorithm
var algos []httpsig.Algorithm

switch {
case strings.HasPrefix(pubkey.Type(), "ssh-ed25519"):
algo = httpsig.ED25519
algos = []httpsig.Algorithm{httpsig.ED25519}
case strings.HasPrefix(pubkey.Type(), "ssh-rsa"):
algo = httpsig.RSA_SHA1
algos = []httpsig.Algorithm{httpsig.RSA_SHA1, httpsig.RSA_SHA256, httpsig.RSA_SHA512}
42wim marked this conversation as resolved.
Show resolved Hide resolved
}

err := verifier.Verify(cryptoPubkey, algo)
if err == nil {
verified = true
break
for _, algo := range algos {
err := verifier.Verify(cryptoPubkey, algo)
if err == nil {
verified = true
break
}
}
}

Expand All @@ -219,13 +230,3 @@ func doVerify(verifier httpsig.Verifier, publickeys []ssh.PublicKey) error {

return errors.New("verification failed")
}

// GetKeyID returns the keyid from the httpsignature or an error if doesn't exist
func GetKeyID(r *http.Request) (string, error) {
verifier, err := httpsig.NewVerifier(r)
if err != nil {
return "", fmt.Errorf("httpsig.NewVerifier failed: %s", err)
}

return verifier.KeyId(), nil
}