Fcalva/chibi-scheme
1
0
Fork 0
mirror of https://github.com/ashinn/chibi-scheme.git synced 2025-05-19 13:49:17 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Don't verify rsa keys on the server-side by default, even if present.

Browse source 
Consider a cron job to verify offline.
This commit is contained in:
Alex Shinn 2015-05-06 14:22:44 +09:00
parent 7fa00eb48a
commit 218ceb9144
1 changed files with 8 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
lib/chibi/snow/fort.scm
View file

@ -76,17 +76,20 @@
(email (assoc-get (cdr sig-spec) 'email)) (email (assoc-get (cdr sig-spec) 'email))
(rsa-key-sexp (find (rsa-identity=? email) (rsa-key-sexp (find (rsa-identity=? email)
(repo-publishers cfg))) (repo-publishers cfg)))
(rsa-key (and (pair? rsa-key-sexp) (verify-rsa? (conf-get cfg 'verify-signatures?))
(rsa-key (and verify-rsa?
(pair? rsa-key-sexp)
(extract-rsa-public-key (cdr rsa-key-sexp))))) (extract-rsa-public-key (cdr rsa-key-sexp)))))
(cond (cond
((not (equal? digest actual-digest)) ((not (equal? digest actual-digest))
(string-append "the " digest-name " digest in the signature <" digest (string-append "the " digest-name " digest in the signature <" digest
"> didn't match the actual value: <" actual-digest ">")) "> didn't match the actual value: <" actual-digest ">"))
((not rsa-key) ((and rsa-key-sexp (not rsa-key))
(string-append "unknown publisher: " email)) (string-append "unknown publisher: " email))
((not (rsa-verify? rsa-key ((and verify-rsa?
(not (rsa-verify? rsa-key
(maybe-parse-hex digest) (maybe-parse-hex digest)
(maybe-parse-hex sig))) (maybe-parse-hex sig))))
(log-error "digest: " digest " sig: " (maybe-parse-hex sig) (log-error "digest: " digest " sig: " (maybe-parse-hex sig)
" verify: " (rsa-encrypt rsa-key digest)) " verify: " (rsa-encrypt rsa-key digest))
"rsa signature did not match") "rsa signature did not match")