From 29dd6c45bc2579d012ac78ba3100a2485c78ff1d Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Mon, 15 Jul 2024 18:42:54 +0200 Subject: gpgv: Add IsAssertedPubKeyAlgo() function This checks whether a public key algorithm is asserted. --- test/libapt/assert_pubkeyalgo_test.cc | 56 +++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 test/libapt/assert_pubkeyalgo_test.cc (limited to 'test') diff --git a/test/libapt/assert_pubkeyalgo_test.cc b/test/libapt/assert_pubkeyalgo_test.cc new file mode 100644 index 000000000..88a070bbe --- /dev/null +++ b/test/libapt/assert_pubkeyalgo_test.cc @@ -0,0 +1,56 @@ +#include + +#include +#include + +#include "common.h" + +TEST(AssertPubKeyAlgo_Test, test) +{ + EXPECT_TRUE(IsAssertedPubKeyAlgo("rsa2048", ">=rsa2048")); + _error->DumpErrors(); + EXPECT_TRUE(_error->empty()); + + EXPECT_TRUE(IsAssertedPubKeyAlgo("rsa2048", "another,>=rsa2048")); + EXPECT_TRUE(_error->empty()); + + EXPECT_FALSE(IsAssertedPubKeyAlgo("rsa2048", ">=rsa2049")); + EXPECT_TRUE(_error->empty()); + + EXPECT_TRUE(IsAssertedPubKeyAlgo("ed25519", ">=rsa2048,ed25519")); + EXPECT_TRUE(_error->empty()); +} + +TEST(AssertPubKeyAlgo_Test, CanOnlyCompareRSA) +{ + std::string msg; + EXPECT_FALSE(IsAssertedPubKeyAlgo("ed25519", ">=ed25519")); + EXPECT_TRUE(_error->PopMessage(msg)); + EXPECT_EQ("Unrecognized public key specification '>=ed25519' in option >=ed25519", msg); + EXPECT_TRUE(_error->empty()); +} + +TEST(AssertPubKeyAlgo_Test, EmptyOption) +{ + std::string msg; + EXPECT_FALSE(IsAssertedPubKeyAlgo("ed25519", "")); + EXPECT_TRUE(_error->empty()); + + EXPECT_FALSE(IsAssertedPubKeyAlgo("ed25519", ",")); + EXPECT_TRUE(_error->PopMessage(msg)); + EXPECT_EQ("Empty item in public key assertion string option ,", msg); + EXPECT_TRUE(_error->empty()); + + EXPECT_FALSE(IsAssertedPubKeyAlgo("ed25519", "moo,")); + EXPECT_TRUE(_error->empty()); + + EXPECT_FALSE(IsAssertedPubKeyAlgo("ed25519", "moo,,")); + EXPECT_TRUE(_error->PopMessage(msg)); + EXPECT_EQ("Empty item in public key assertion string option moo,,", msg); + EXPECT_TRUE(_error->empty()); + + EXPECT_FALSE(IsAssertedPubKeyAlgo("ed25519", ",moo")); + EXPECT_TRUE(_error->PopMessage(msg)); + EXPECT_EQ("Empty item in public key assertion string option ,moo", msg); + EXPECT_TRUE(_error->empty()); +} -- cgit v1.2.3-70-g09d2 From 47deb766c0a11c54d122197531279677545459af Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Mon, 15 Jul 2024 19:13:58 +0200 Subject: Only revoke weak RSA keys for now, add 'next' and 'future' levels Algorithms not in the next level give a warning, algorithms in not in the future level introduce an audit message for the --audit flag. next: >=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512 future: >=rsa3072,ed25519,ed448 LP: #2073126 --- apt-pkg/init.cc | 4 +++- doc/examples/configure-index | 2 ++ methods/gpgv.cc | 11 ++++++++++ test/integration/test-method-gpgv | 43 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 59 insertions(+), 1 deletion(-) (limited to 'test') diff --git a/apt-pkg/init.cc b/apt-pkg/init.cc index 487f94f20..d71d9541f 100644 --- a/apt-pkg/init.cc +++ b/apt-pkg/init.cc @@ -131,7 +131,9 @@ bool pkgInitConfig(Configuration &Cnf) Cnf.Set("APT::Build-Essential::", "build-essential"); Cnf.CndSet("APT::Install-Recommends", true); Cnf.CndSet("APT::Install-Suggests", false); - Cnf.CndSet("APT::Key::Assert-Pubkey-Algo", ">=rsa2048,ed25519,ed448"); + Cnf.CndSet("APT::Key::Assert-Pubkey-Algo", ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1"); + Cnf.CndSet("APT::Key::Assert-Pubkey-Algo::Next", ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512"); + Cnf.CndSet("APT::Key::Assert-Pubkey-Algo::Future", ">=rsa3072,ed25519,ed448"); Cnf.CndSet("Dir","/"); // State diff --git a/doc/examples/configure-index b/doc/examples/configure-index index 6bcf8e354..72ce1fe3a 100644 --- a/doc/examples/configure-index +++ b/doc/examples/configure-index @@ -776,6 +776,8 @@ apt::key::masterkeyring ""; apt::key::archivekeyringuri ""; apt::key::net-update-enabled ""; apt::key::assert-pubkey-algo ""; +apt::key::assert-pubkey-algo::next ""; +apt::key::assert-pubkey-algo::future ""; apt::ftparchive::release::patterns ""; apt::ftparchive::release::validtime ""; diff --git a/methods/gpgv.cc b/methods/gpgv.cc index fc37b83dc..4a0866555 100644 --- a/methods/gpgv.cc +++ b/methods/gpgv.cc @@ -262,6 +262,17 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile, { return IsTheSameKey(fpr, goodsig); }), Signers.Good.end()); } + else if (not IsAssertedPubKeyAlgo(pkstr, "APT::Key::Assert-Pubkey-Algo::Next")) + { + std::string reason; + Signers.SoonWorthless.push_back({fpr, pkstr}); + } + else if (not IsAssertedPubKeyAlgo(pkstr, "APT::Key::Assert-Pubkey-Algo::Future")) + { + std::string reason; + strprintf(reason, _("%s will be deprecated in a future release"), pkstr.c_str()); + Signers.LaterWorthless.push_back({fpr, reason}); + } } else if (strncmp(buffer, GNUPGGOODSIG, sizeof(GNUPGGOODSIG)-1) == 0) PushEntryWithKeyID(Signers.Good, buffer, Debug); diff --git a/test/integration/test-method-gpgv b/test/integration/test-method-gpgv index 0f014e3d1..ffaa72c8f 100755 --- a/test/integration/test-method-gpgv +++ b/test/integration/test-method-gpgv @@ -48,6 +48,14 @@ testrun() { [GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE [GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 rsa1024' + testgpgv 'Not asserted in the next level' 'SoonWorthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, ' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) +[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE +[GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 brainpoolP256r1' + + testgpgv 'Not asserted in the future level' 'LaterWorthless: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, ' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE!' '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) +[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE +[GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 nistp256' + testgpgv 'Good subkey signed with long keyid' 'Good: GOODSIG 5B6896415D44C43E' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, 4281DEDBD466EAE8C1F4157E5B6896415D44C43E!' '[GNUPG:] GOODSIG 5B6896415D44C43E Sebastian Subkey [GNUPG:] VALIDSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E 2018-08-16 1534459673 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE' testgpgv 'Good subkey signed with fingerprint' 'Good: GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E' '34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE, 4281DEDBD466EAE8C1F4157E5B6896415D44C43E!' '[GNUPG:] GOODSIG 4281DEDBD466EAE8C1F4157E5B6896415D44C43E Sebastian Subkey @@ -108,6 +116,9 @@ gpgvmethod() { Config-Item: Debug::Acquire::gpgv=1 Config-Item: Dir::Bin::apt-key=./faked-apt-key Config-Item: APT::Hashes::SHA1::Weak=true +Config-Item: APT::Key::Assert-Pubkey-Algo=>=rsa2048,nistp256,brainpoolP256r1 +Config-Item: APT::Key::Assert-Pubkey-Algo::Next=>=rsa2048,nistp256 +Config-Item: APT::Key::Assert-Pubkey-Algo::Future=>=rsa2048 600 URI Acquire URI: file://${TMPWORKINGDIRECTORY}/message.sig @@ -121,6 +132,9 @@ gpgvmethod() { Config-Item: Debug::Acquire::gpgv=1 Config-Item: Dir::Bin::apt-key=./faked-apt-key Config-Item: APT::Hashes::SHA1::Weak=true +Config-Item: APT::Key::Assert-Pubkey-Algo=>=rsa2048,nistp256,brainpoolP256r1 +Config-Item: APT::Key::Assert-Pubkey-Algo::Next=>=rsa2048,nistp256 +Config-Item: APT::Key::Assert-Pubkey-Algo::Future=>=rsa2048 600 URI Acquire URI: file://${TMPWORKINGDIRECTORY}/message.sig @@ -135,6 +149,9 @@ gpgvmethod() { Config-Item: Debug::Acquire::gpgv=1 Config-Item: Dir::Bin::apt-key=./faked-apt-key Config-Item: APT::Hashes::SHA1::Weak=true +Config-Item: APT::Key::Assert-Pubkey-Algo=>=rsa2048,nistp256,brainpoolP256r1 +Config-Item: APT::Key::Assert-Pubkey-Algo::Next=>=rsa2048,nistp256 +Config-Item: APT::Key::Assert-Pubkey-Algo::Future=>=rsa2048 600 URI Acquire URI: file://${TMPWORKINGDIRECTORY}/message.sig @@ -158,6 +175,9 @@ gpgvmethod() { Config-Item: Debug::Acquire::gpgv=1 Config-Item: Dir::Bin::apt-key=./faked-apt-key Config-Item: APT::Hashes::SHA1::Weak=true +Config-Item: APT::Key::Assert-Pubkey-Algo=>=rsa2048,nistp256,brainpoolP256r1 +Config-Item: APT::Key::Assert-Pubkey-Algo::Next=>=rsa2048,nistp256 +Config-Item: APT::Key::Assert-Pubkey-Algo::Future=>=rsa2048 600 URI Acquire URI: file://${TMPWORKINGDIRECTORY}/message.sig @@ -199,3 +219,26 @@ echo '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Sebastian Subkey [GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2018-08-16 1534459673 0 4 0 1 11 00 4281DEDBD466EAE8C1F4157E5B6896415D44C43E' > gpgv.output testfailure apt update -o Dir::Bin::apt-key="./faked-apt-key" -o Debug::pkgAcquire::Worker=1 -o Debug::Acquire::gpgv=1 rm -rf rootdir/var/lib/apt/lists + +gpgvmethod() { + echo "601 Configuration +Config-Item: Debug::Acquire::gpgv=1 +Config-Item: Dir::Bin::apt-key=./faked-apt-key +Config-Item: APT::Hashes::SHA1::Weak=true +Config-Item: APT::Key::Assert-Pubkey-Algo::Next=>=invalid + +600 URI Acquire +URI: file://${TMPWORKINGDIRECTORY}/message.sig +Filename: ${TMPWORKINGDIRECTORY}/message.data +Signed-By: 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE! +" | runapt "${METHODSDIR}/gpgv" +} + + +echo '[GNUPG:] GOODSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) +[GNUPG:] VALIDSIG 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 2016-09-01 1472742625 0 4 0 1 11 00 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE +[GNUPG:] ASSERT_PUBKEY_ALGO 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE 1 brainpoolP256r1' > gpgv.output + +msgtest "Warns about invalid specification" ">=invalid" +gpgvmethod >method.output 2>&1 || true +testsuccess --nomsg grep "Message: Unrecognized public key specification '>=invalid' in option APT::Key::Assert-Pubkey-Algo::Next" method.output -- cgit v1.2.3-70-g09d2