SystemSh0cker/gocsaf
1
0
Fork 0
mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 11:55:40 +01:00
Code Issues Releases Activity Actions

Change openpgp key providing code to use local directory

Browse source 
* Adjust provider and aggregator to copy the used openpgp pubkey into a locally
  provided directory `openpgp` beside the `prodiver-metadata.json`.
  This more robust and self-reliant than using a public pubkey server,
  which is the reason why the CSAF 2.0 csd02 mentions it as example in
  "7.1.20 Requirement 20: Public OpenPGP Key".
 * Improve aggregator by removing a typo `aggreator` from one written paths.
   (Done with this change as it also affects the openpgp/ paths writing.)

solve #85
This commit is contained in:
Sascha L. Teichmann 2022-06-09 10:42:44 +02:00 committed by GitHub
parent a849ac0d5f
commit 69f0f3499a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 229 additions and 97 deletions
Download patch file Download diff file Expand all files Collapse all files

23
cmd/csaf_provider/actions.go
View file

@ -55,12 +55,6 @@ func (c *controller) handleSignature(
data []byte,
) (string, *crypto.Key, error) {
// Either way ... we need the key.
key, err := c.cfg.loadCryptoKey()
if err != nil {
return "", nil, err
}
// Was the signature given via request?
if c.cfg.UploadSignature {
sigText := r.FormValue("signature")
@ -73,7 +67,12 @@ func (c *controller) handleSignature(
return "", nil, err
}
// Use as public key
// Use the public key
key, err := loadCryptoKeyFromFile(c.cfg.OpenPGPPublicKey)
if err != nil {
return "", nil, err
}
signRing, err := crypto.NewKeyRing(key)
if err != nil {
return "", nil, err
@ -91,13 +90,18 @@ func (c *controller) handleSignature(
// Sign ourself
// Use the private key
key, err := loadCryptoKeyFromFile(c.cfg.OpenPGPPrivateKey)
if err != nil {
return "", nil, err
}
if passwd := r.FormValue("passphrase"); !c.cfg.NoPassphrase && passwd != "" {
if key, err = key.Unlock([]byte(passwd)); err != nil {
return "", nil, err
}
}
// Use as private key
signRing, err := crypto.NewKeyRing(key)
if err != nil {
return "", nil, err
@ -317,7 +321,8 @@ func (c *controller) upload(r *http.Request) (interface{}, error) {
warn("Publishers in provider metadata and CSAF do not match.")
}
pmd.SetPGP(key.GetFingerprint(), c.cfg.GetOpenPGPURL(key))
fingerprint := strings.ToUpper(key.GetFingerprint())
pmd.SetPGP(fingerprint, c.cfg.openPGPPublicURL(fingerprint))
return nil
},