aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/libstore/crypto.cc33
-rw-r--r--src/libstore/crypto.hh24
-rw-r--r--src/nix-store/nix-store.cc17
3 files changed, 45 insertions, 29 deletions
diff --git a/src/libstore/crypto.cc b/src/libstore/crypto.cc
index 9ec8abd22..135ced277 100644
--- a/src/libstore/crypto.cc
+++ b/src/libstore/crypto.cc
@@ -8,15 +8,15 @@
namespace nix {
-static std::pair<std::string, std::string> split(const string & s)
+static std::pair<std::string_view, std::string_view> split(std::string_view s)
{
size_t colon = s.find(':');
if (colon == std::string::npos || colon == 0)
return {"", ""};
- return {std::string(s, 0, colon), std::string(s, colon + 1)};
+ return {s.substr(0, colon), s.substr(colon + 1)};
}
-Key::Key(const string & s)
+Key::Key(std::string_view s)
{
auto ss = split(s);
@@ -29,7 +29,12 @@ Key::Key(const string & s)
key = base64Decode(key);
}
-SecretKey::SecretKey(const string & s)
+std::string Key::to_string() const
+{
+ return name + ":" + base64Encode(key);
+}
+
+SecretKey::SecretKey(std::string_view s)
: Key(s)
{
#if HAVE_SODIUM
@@ -45,7 +50,7 @@ SecretKey::SecretKey(const string & s)
}
#endif
-std::string SecretKey::signDetached(const std::string & data) const
+std::string SecretKey::signDetached(std::string_view data) const
{
#if HAVE_SODIUM
unsigned char sig[crypto_sign_BYTES];
@@ -69,7 +74,21 @@ PublicKey SecretKey::toPublicKey() const
#endif
}
-PublicKey::PublicKey(const string & s)
+SecretKey SecretKey::generate(std::string_view name)
+{
+#if HAVE_SODIUM
+ unsigned char pk[crypto_sign_PUBLICKEYBYTES];
+ unsigned char sk[crypto_sign_SECRETKEYBYTES];
+ if (crypto_sign_keypair(pk, sk) != 0)
+ throw Error("key generation failed");
+
+ return SecretKey(name, std::string((char *) sk, crypto_sign_SECRETKEYBYTES));
+#else
+ noSodium();
+#endif
+}
+
+PublicKey::PublicKey(std::string_view s)
: Key(s)
{
#if HAVE_SODIUM
@@ -84,7 +103,7 @@ bool verifyDetached(const std::string & data, const std::string & sig,
#if HAVE_SODIUM
auto ss = split(sig);
- auto key = publicKeys.find(ss.first);
+ auto key = publicKeys.find(std::string(ss.first));
if (key == publicKeys.end()) return false;
auto sig2 = base64Decode(ss.second);
diff --git a/src/libstore/crypto.hh b/src/libstore/crypto.hh
index 9110af3aa..03f85c103 100644
--- a/src/libstore/crypto.hh
+++ b/src/libstore/crypto.hh
@@ -13,32 +13,40 @@ struct Key
/* Construct Key from a string in the format
‘<name>:<key-in-base64>’. */
- Key(const std::string & s);
+ Key(std::string_view s);
+
+ std::string to_string() const;
protected:
- Key(const std::string & name, const std::string & key)
- : name(name), key(key) { }
+ Key(std::string_view name, std::string && key)
+ : name(name), key(std::move(key)) { }
};
struct PublicKey;
struct SecretKey : Key
{
- SecretKey(const std::string & s);
+ SecretKey(std::string_view s);
/* Return a detached signature of the given string. */
- std::string signDetached(const std::string & s) const;
+ std::string signDetached(std::string_view s) const;
PublicKey toPublicKey() const;
+
+ static SecretKey generate(std::string_view name);
+
+private:
+ SecretKey(std::string_view name, std::string && key)
+ : Key(name, std::move(key)) { }
};
struct PublicKey : Key
{
- PublicKey(const std::string & data);
+ PublicKey(std::string_view data);
private:
- PublicKey(const std::string & name, const std::string & key)
- : Key(name, key) { }
+ PublicKey(std::string_view name, std::string && key)
+ : Key(name, std::move(key)) { }
friend struct SecretKey;
};
diff --git a/src/nix-store/nix-store.cc b/src/nix-store/nix-store.cc
index e1ccece99..e43788bc3 100644
--- a/src/nix-store/nix-store.cc
+++ b/src/nix-store/nix-store.cc
@@ -19,10 +19,6 @@
#include <sys/stat.h>
#include <fcntl.h>
-#if HAVE_SODIUM
-#include <sodium.h>
-#endif
-
namespace nix_store {
@@ -980,18 +976,11 @@ static void opGenerateBinaryCacheKey(Strings opFlags, Strings opArgs)
string secretKeyFile = *i++;
string publicKeyFile = *i++;
-#if HAVE_SODIUM
- unsigned char pk[crypto_sign_PUBLICKEYBYTES];
- unsigned char sk[crypto_sign_SECRETKEYBYTES];
- if (crypto_sign_keypair(pk, sk) != 0)
- throw Error("key generation failed");
+ auto secretKey = SecretKey::generate(keyName);
- writeFile(publicKeyFile, keyName + ":" + base64Encode(string((char *) pk, crypto_sign_PUBLICKEYBYTES)));
+ writeFile(publicKeyFile, secretKey.toPublicKey().to_string());
umask(0077);
- writeFile(secretKeyFile, keyName + ":" + base64Encode(string((char *) sk, crypto_sign_SECRETKEYBYTES)));
-#else
- throw Error("Nix was not compiled with libsodium, required for signed binary cache support");
-#endif
+ writeFile(secretKeyFile, secretKey.to_string());
}