From 721226cd57b623e65b9f65ce768d9d7b92952ecc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 23 Apr 2025 16:27:49 +0000 Subject: [PATCH] chore(deps): bump aead.dev/minisign from 0.2.0 to 0.3.0 Bumps [aead.dev/minisign](https://github.com/aead/minisign) from 0.2.0 to 0.3.0. - [Release notes](https://github.com/aead/minisign/releases) - [Commits](https://github.com/aead/minisign/compare/v0.2.0...v0.3.0) --- updated-dependencies: - dependency-name: aead.dev/minisign dependency-version: 0.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 7 +- vendor/aead.dev/minisign/.golangci.yml | 34 +++--- vendor/aead.dev/minisign/Makefile | 53 +++++++++ vendor/aead.dev/minisign/README.md | 52 +++++---- vendor/aead.dev/minisign/minisign.go | 2 +- vendor/aead.dev/minisign/minisign.pub | 2 + vendor/aead.dev/minisign/private.go | 146 +++++++++++++++++++------ vendor/aead.dev/minisign/public.go | 34 ++++-- vendor/aead.dev/minisign/signature.go | 84 +++++++------- vendor/modules.txt | 4 +- 11 files changed, 294 insertions(+), 126 deletions(-) create mode 100644 vendor/aead.dev/minisign/Makefile create mode 100644 vendor/aead.dev/minisign/minisign.pub diff --git a/go.mod b/go.mod index e3e843f48..04d23e616 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/lacework/go-sdk/v2 go 1.24.0 require ( - aead.dev/minisign v0.2.0 + aead.dev/minisign v0.3.0 cloud.google.com/go/compute v1.29.0 cloud.google.com/go/compute/metadata v0.6.0 cloud.google.com/go/oslogin v1.14.2 diff --git a/go.sum b/go.sum index 8cab1b8ef..01e7c969d 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,5 @@ -aead.dev/minisign v0.2.0 h1:kAWrq/hBRu4AARY6AlciO83xhNnW9UaC8YipS2uhLPk= -aead.dev/minisign v0.2.0/go.mod h1:zdq6LdSd9TbuSxchxwhpA9zEb9YXcVGoE8JakuiGaIQ= +aead.dev/minisign v0.3.0 h1:8Xafzy5PEVZqYDNP60yJHARlW1eOQtsKNp/Ph2c0vRA= +aead.dev/minisign v0.3.0/go.mod h1:NLvG3Uoq3skkRMDuc3YHpWUTMTrSExqm+Ij73W13F6Y= cloud.google.com/go v0.116.0 h1:B3fRrSDkLRt5qSHWe40ERJvhvnQwdZiHu0bJOpldweE= cloud.google.com/go v0.116.0/go.mod h1:cEPSRWPzZEswwdr9BxE6ChEn01dWlTaF05LiC2Xs70U= cloud.google.com/go/auth v0.13.0 h1:8Fu8TZy167JkW8Tj3q7dIkr2v4cndv41ouecJx0PAHs= @@ -379,7 +379,6 @@ go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190530122614-20be4c3c3ed5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= @@ -428,7 +427,6 @@ golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210228012217-479acdf4ea46/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -445,7 +443,6 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20= golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= -golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= diff --git a/vendor/aead.dev/minisign/.golangci.yml b/vendor/aead.dev/minisign/.golangci.yml index 71952ecca..eb8422176 100644 --- a/vendor/aead.dev/minisign/.golangci.yml +++ b/vendor/aead.dev/minisign/.golangci.yml @@ -1,32 +1,34 @@ linters-settings: - golint: - min-confidence: 0 - misspell: locale: US + staticcheck: + checks: ["all", "-SA1019"] + linters: disable-all: true enable: - - typecheck + - durationcheck + - gocritic + - gofmt - goimports - - misspell + - gomodguard - govet - - golint - ineffassign - - gosimple - - deadcode - - unparam - - unused - - structcheck - - prealloc - - maligned + - misspell + - revive + - staticcheck + - tenv + - typecheck - unconvert + - unused issues: exclude-use-default: false exclude: - - should have a package comment - - error strings should not be capitalized or end with punctuation or a newline + - "package-comments: should have a package comment" + - "exitAfterDefer:" + - "captLocal:" + service: - golangci-lint-version: 1.35.0 # use the fixed version to not introduce new linters unexpectedly + golangci-lint-version: 1.57.2 # use the fixed version to not introduce new linters unexpectedly diff --git a/vendor/aead.dev/minisign/Makefile b/vendor/aead.dev/minisign/Makefile new file mode 100644 index 000000000..c1cae9347 --- /dev/null +++ b/vendor/aead.dev/minisign/Makefile @@ -0,0 +1,53 @@ +ifneq ($(shell go env GOBIN),) + GOBIN := $(shell go env GOBIN) +else + GOBIN := $(shell $(go env GOPATH)/bin) +endif + +.PHONY: build check release test lint update-tools + +build: + @mkdir -m 0755 -p ${GOBIN} + @CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -o ${GOBIN}/minisign ./cmd/minisign + +check: + @gofmt -d . && echo No formatting issue found. + @govulncheck ./... + +release: +ifneq ($(shell git status -s) , ) + @(echo "Repository contains modified files." && exit 1) +else + @echo -n Building minisign ${VERSION} for linux/amd64... + @GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -o ./minisign ./cmd/minisign + @tar -czf minisign-linux-amd64.tar.gz ./minisign ./LICENSE ./README.md + @echo " DONE." + + @echo -n Building minisign ${VERSION} for linux/arm64... + @GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -o ./minisign ./cmd/minisign + @tar -czf minisign-linux-arm64.tar.gz ./minisign ./LICENSE ./README.md + @echo " DONE." + + @echo -n Building minisign ${VERSION} for darwin/arm64... + @GOOS=darwin GOARCH=arm64 CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -o ./minisign ./cmd/minisign + @tar -czf minisign-darwin-arm64.tar.gz ./minisign ./LICENSE ./README.md + @echo " DONE." + + @echo -n Building minisign ${VERSION} for windows/amd64... + @GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -o ./minisign ./cmd/minisign + @zip -q minisign-windows-amd64.zip ./minisign ./LICENSE ./README.md + @echo " DONE." + + @rm ./minisign +endif + +test: + @CGO_ENABLED=0 go test -ldflags "-s -w" ./... + +lint: + @go vet ./... + @golangci-lint run --config ./.golangci.yml + +update-tools: + @CGO_ENABLED=0 go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest + @CGO_ENABLED=0 go install golang.org/x/vuln/cmd/govulncheck@latest diff --git a/vendor/aead.dev/minisign/README.md b/vendor/aead.dev/minisign/README.md index d6723b714..ade9f314b 100644 --- a/vendor/aead.dev/minisign/README.md +++ b/vendor/aead.dev/minisign/README.md @@ -3,6 +3,7 @@ [![latest](https://badgen.net/github/tag/aead/minisign)](https://github.com/aead/minisign/releases/latest) # minisign + minisign is a dead simple tool to sign files and verify signatures. ``` @@ -37,13 +38,16 @@ This is a Go implementation of the [original C implementation](https://github.co ``` Usage: - minisign -G [-p ] [-s ] + minisign -G [-p ] [-s ] [-W] + minisign -R [-s ] [-p ] + minisign -C [-s ] [-W] minisign -S [-x ] [-s ] [-c ] [-t ] -m ... minisign -V [-H] [-x ] [-p | -P ] [-o] [-q | -Q ] -m - minisign -R [-s ] [-p ] - + Options: - -G Generate a new public/secret key pair. + -G Generate a new public/secret key pair. + -R Re-create a public key file from a secret key. + -C Change or remove the password of the secret key. -S Sign files with a secret key. -V Verify files with a public key. -m The file to sign or verify. @@ -52,33 +56,41 @@ Options: -p Public key file (default: ./minisign.pub) -P Public key as base64 string -s Secret key file (default: $HOME/.minisign/minisign.key) + -W Do not encrypt/decrypt the secret key with a password. -x Signature file (default: .minisig) -c Add a one-line untrusted comment. -t Add a one-line trusted comment. -q Quiet mode. Suppress output. -Q Pretty quiet mode. Combined with -V, only print the trusted comment. - -R Re-create a public key file from a secret key. -f Combined with -G or -R, overwrite any existing public/secret key pair. -v Print version information. ``` ## Installation -On windows, linux and macOS, you can use the pre-built binaries: -| OS | ARCH | Latest Release | -|:---------:|:-------:|:-----------------------------------------------------------------------------------------------------------------------| -| Linux | amd64 | [minisign-linux-amd64.tar.gz](https://github.com/aead/minisign/releases/download/v0.1.2/minisign-linux-amd64.tar.gz) | -| Linux | arm64 | [minisign-linux-arm64.tar.gz](https://github.com/aead/minisign/releases/download/v0.1.2/minisign-linux-arm64.tar.gz) | -| MacOS | arm64 | [minisign-darwin-arm64.tar.gz](https://github.com/aead/minisign/releases/download/v0.1.2/minisign-darwin-arm64.tar.gz) | -| MacOS | amd64 | [minisign-darwin-amd64.tar.gz](https://github.com/aead/minisign/releases/download/v0.1.2/minisign-darwin-amd64.tar.gz) | -| Windows | amd64 | [minisign-windows-amd64.zip](https://github.com/aead/minisign/releases/download/v0.1.2/minisign-windows-amd64.zip) | - -If your system has [Go1.16+](https://golang.org/dl/), you can build from source: +With an up-to-date Go toolchain: ``` -git clone https://aead.dev/minisign && cd minisign -go build -o . aead.dev/minisign/cmd/minisign +go install aead.dev/minisign/cmd/minisign@latest ``` +On windows, linux and macOS, you can also use the pre-built binaries: +| OS | ARCH | Latest Release | +|:---------:|:-------:|:-----------------------------------------------------------------------------------------------------------------------| +| Linux | amd64 | [minisign-linux-amd64.tar.gz](https://github.com/aead/minisign/releases/download/v0.3.0/minisign-linux-amd64.tar.gz) | +| Linux | arm64 | [minisign-linux-arm64.tar.gz](https://github.com/aead/minisign/releases/download/v0.3.0/minisign-linux-arm64.tar.gz) | +| MacOS | arm64 | [minisign-darwin-arm64.tar.gz](https://github.com/aead/minisign/releases/download/v0.3.0/minisign-darwin-arm64.tar.gz) | +| Windows | amd64 | [minisign-windows-amd64.zip](https://github.com/aead/minisign/releases/download/v0.3.0/minisign-windows-amd64.zip) | + +From source: +1. Clone the repository + ``` + git clone https://aead.dev/minisign && cd minisign + ``` +2. Build the binary + ``` + make build + ``` + ## Library ```Go @@ -100,14 +112,14 @@ import ( func main() { var message = []byte("Hello World!") - public, private, err := minisign.GenerateKey(rand.Reader) + publicKey, privateKey, err := minisign.GenerateKey(rand.Reader) if err != nil { log.Fatalln(err) } - signature := minisign.Sign(private, message) + signature := minisign.Sign(privateKey, message) - if !minisign.Verify(public, message, signature) { + if !minisign.Verify(publicKey, message, signature) { log.Fatalln("signature verification failed") } log.Println(string(message)) diff --git a/vendor/aead.dev/minisign/minisign.go b/vendor/aead.dev/minisign/minisign.go index 01e489425..dd68ea5d0 100644 --- a/vendor/aead.dev/minisign/minisign.go +++ b/vendor/aead.dev/minisign/minisign.go @@ -162,7 +162,7 @@ func Verify(publicKey PublicKey, message, signature []byte) bool { } func sign(privateKey PrivateKey, message []byte, trustedComment, untrustedComment string, isHashed bool) []byte { - var algorithm = EdDSA + algorithm := EdDSA if isHashed { algorithm = HashEdDSA } diff --git a/vendor/aead.dev/minisign/minisign.pub b/vendor/aead.dev/minisign/minisign.pub new file mode 100644 index 000000000..e71929102 --- /dev/null +++ b/vendor/aead.dev/minisign/minisign.pub @@ -0,0 +1,2 @@ +untrusted comment: minisign public key D7E531EE76B2FC6F +RWRv/LJ27jHl10fMd7ozqYIs8zOaPqWf6EjnWSqkOpOQiD1UJpOgCFm0 diff --git a/vendor/aead.dev/minisign/private.go b/vendor/aead.dev/minisign/private.go index 10b52ce42..fd77f4dcd 100644 --- a/vendor/aead.dev/minisign/private.go +++ b/vendor/aead.dev/minisign/private.go @@ -12,8 +12,9 @@ import ( "encoding/base64" "encoding/binary" "errors" + "fmt" "io" - "io/ioutil" + "os" "strconv" "strings" "time" @@ -25,7 +26,7 @@ import ( // PrivateKeyFromFile reads and decrypts the private key // file with the given password. func PrivateKeyFromFile(password, path string) (PrivateKey, error) { - bytes, err := ioutil.ReadFile(path) + bytes, err := os.ReadFile(path) if err != nil { return PrivateKey{}, err } @@ -34,8 +35,7 @@ func PrivateKeyFromFile(password, path string) (PrivateKey, error) { // PrivateKey is a minisign private key. // -// A private key can sign messages to prove the -// their origin and authenticity. +// A private key can sign messages to prove their origin and authenticity. // // PrivateKey implements the crypto.Signer interface. type PrivateKey struct { @@ -101,9 +101,75 @@ func (p PrivateKey) Equal(x crypto.PrivateKey) bool { return p.id == xx.id && subtle.ConstantTimeCompare(p.bytes[:], xx.bytes[:]) == 1 } +// MarshalText returns a textual representation of the private key. +// +// For password-protected private keys refer to [EncryptKey]. +func (p PrivateKey) MarshalText() ([]byte, error) { + // A non-encrypted private key has the same format as an encrypted one. + // However, the salt, and auth. tag are set to all zero. + var b [privateKeySize]byte + + binary.LittleEndian.PutUint16(b[:], EdDSA) + binary.LittleEndian.PutUint16(b[2:], algorithmNone) + binary.LittleEndian.PutUint16(b[4:], algorithmBlake2b) + + binary.LittleEndian.PutUint64(b[54:], p.id) + copy(b[62:], p.bytes[:]) + + // It seems odd that the comment says: "encrypted secret key". + // However, the original C implementation behaves like this. + const comment = "untrusted comment: minisign encrypted secret key\n" + encodedBytes := make([]byte, len(comment)+base64.StdEncoding.EncodedLen(len(b))) + copy(encodedBytes, []byte(comment)) + base64.StdEncoding.Encode(encodedBytes[len(comment):], b[:]) + return encodedBytes, nil +} + +// UnmarshalText decodes a textual representation of the private key into p. +// +// It returns an error if the private key is encrypted. For decrypting +// password-protected private keys refer to [DecryptKey]. +func (p *PrivateKey) UnmarshalText(text []byte) error { + text = trimUntrustedComment(text) + b := make([]byte, base64.StdEncoding.DecodedLen(len(text))) + n, err := base64.StdEncoding.Decode(b, text) + if err != nil { + return fmt.Errorf("minisign: invalid private key: %v", err) + } + b = b[:n] + + if len(b) != privateKeySize { + return errors.New("minisign: invalid private key") + } + + var ( + kType = binary.LittleEndian.Uint16(b) + kdf = binary.LittleEndian.Uint16(b[2:]) + hType = binary.LittleEndian.Uint16(b[4:]) + key = b[54:126] + ) + if kType != EdDSA { + return fmt.Errorf("minisign: invalid private key: invalid key type '%d'", kType) + } + if kdf == algorithmScrypt { + return errors.New("minisign: private key is encrypted") + } + if kdf != algorithmNone { + return fmt.Errorf("minisign: invalid private key: invalid KDF '%d'", kdf) + } + if hType != algorithmBlake2b { + return fmt.Errorf("minisign: invalid private key: invalid hash type '%d'", hType) + } + + p.id = binary.LittleEndian.Uint64(key) + copy(p.bytes[:], key[8:]) + return nil +} + const ( - scryptAlgorithm = 0x6353 // hex value for "Sc" - blake2bAlgorithm = 0x3242 // hex value for "B2" + algorithmNone = 0x0000 // hex value for KDF when key is not encrypted + algorithmScrypt = 0x6353 // hex value for "Sc" + algorithmBlake2b = 0x3242 // hex value for "B2" scryptOpsLimit = 0x2000000 // max. Scrypt ops limit based on libsodium scryptMemLimit = 0x40000000 // max. Scrypt mem limit based on libsodium @@ -125,8 +191,8 @@ func EncryptKey(password string, privateKey PrivateKey) ([]byte, error) { var bytes [privateKeySize]byte binary.LittleEndian.PutUint16(bytes[0:], EdDSA) - binary.LittleEndian.PutUint16(bytes[2:], scryptAlgorithm) - binary.LittleEndian.PutUint16(bytes[4:], blake2bAlgorithm) + binary.LittleEndian.PutUint16(bytes[2:], algorithmScrypt) + binary.LittleEndian.PutUint16(bytes[4:], algorithmBlake2b) const ( // TODO(aead): Callers may want to customize the cost parameters defaultOps = 33554432 // libsodium OPS_LIMIT_SENSITIVE @@ -144,60 +210,76 @@ func EncryptKey(password string, privateKey PrivateKey) ([]byte, error) { return encodedBytes, nil } +// IsEncrypted reports whether the private key is encrypted. +func IsEncrypted(privateKey []byte) bool { + privateKey = trimUntrustedComment(privateKey) + bytes := make([]byte, base64.StdEncoding.DecodedLen(len(privateKey))) + n, err := base64.StdEncoding.Decode(bytes, privateKey) + if err != nil { + return false + } + bytes = bytes[:n] + + return len(bytes) >= 4 && binary.LittleEndian.Uint16(bytes[2:]) == algorithmScrypt +} + var errDecrypt = errors.New("minisign: decryption failed") // DecryptKey tries to decrypt the encrypted private key with // the given password. func DecryptKey(password string, privateKey []byte) (PrivateKey, error) { privateKey = trimUntrustedComment(privateKey) - bytes := make([]byte, base64.StdEncoding.DecodedLen(len(privateKey))) - n, err := base64.StdEncoding.Decode(bytes, privateKey) + b := make([]byte, base64.StdEncoding.DecodedLen(len(privateKey))) + n, err := base64.StdEncoding.Decode(b, privateKey) if err != nil { return PrivateKey{}, err } - bytes = bytes[:n] + b = b[:n] - if len(bytes) != privateKeySize { + if len(b) != privateKeySize { return PrivateKey{}, errDecrypt } - if a := binary.LittleEndian.Uint16(bytes[:2]); a != EdDSA { + var ( + kType = binary.LittleEndian.Uint16(b) + kdf = binary.LittleEndian.Uint16(b[2:]) + hType = binary.LittleEndian.Uint16(b[4:]) + salt = b[6:38] + scryptOps = binary.LittleEndian.Uint64(b[38:]) + scryptMem = binary.LittleEndian.Uint64(b[46:]) + ciphertext = b[54:] + ) + if kType != EdDSA { return PrivateKey{}, errDecrypt } - if a := binary.LittleEndian.Uint16(bytes[2:4]); a != scryptAlgorithm { + if kdf != algorithmScrypt { return PrivateKey{}, errDecrypt } - if a := binary.LittleEndian.Uint16(bytes[4:6]); a != blake2bAlgorithm { + if hType != algorithmBlake2b { return PrivateKey{}, errDecrypt } - - var ( - scryptOps = binary.LittleEndian.Uint64(bytes[38:46]) - scryptMem = binary.LittleEndian.Uint64(bytes[46:54]) - ) if scryptOps > scryptOpsLimit { return PrivateKey{}, errDecrypt } if scryptMem > scryptMemLimit { return PrivateKey{}, errDecrypt } - var salt [32]byte - copy(salt[:], bytes[6:38]) - privateKeyBytes, err := decryptKey(password, salt[:], scryptOps, scryptMem, bytes[54:]) + + plaintext, err := decryptKey(password, salt, scryptOps, scryptMem, ciphertext) if err != nil { return PrivateKey{}, err } key := PrivateKey{ - id: binary.LittleEndian.Uint64(privateKeyBytes[:8]), + id: binary.LittleEndian.Uint64(plaintext), } - copy(key.bytes[:], privateKeyBytes[8:]) + copy(key.bytes[:], plaintext[8:]) return key, nil } // encryptKey encrypts the plaintext and returns a ciphertext by: -// 1. tag = BLAKE2b-256(EdDSA-const || plaintext) -// 2. keystream = Scrypt(password, salt, convert(ops, mem)) -// 3. ciphertext = (plaintext || tag) ⊕ keystream +// 1. tag = BLAKE2b-256(EdDSA-const || plaintext) +// 2. keystream = Scrypt(password, salt, convert(ops, mem)) +// 3. ciphertext = (plaintext || tag) ⊕ keystream // // Therefore, decryptKey converts the ops and mem cost parameters // to the (N, r, p)-tuple expected by Scrypt. @@ -233,9 +315,9 @@ func encryptKey(password string, salt []byte, ops, mem uint64, plaintext []byte) } // decryptKey decrypts the ciphertext and returns a plaintext by: -// 1. keystream = Scrypt(password, salt, convert(ops, mem)) -// 2. plaintext || tag = ciphertext ⊕ keystream -// 3. Check that: tag == BLAKE2b-256(EdDSA-const || plaintext) +// 1. keystream = Scrypt(password, salt, convert(ops, mem)) +// 2. plaintext || tag = ciphertext ⊕ keystream +// 3. Check that: tag == BLAKE2b-256(EdDSA-const || plaintext) // // Therefore, decryptKey converts the ops and mem cost parameters to // the (N, r, p)-tuple expected by Scrypt. @@ -271,7 +353,7 @@ func decryptKey(password string, salt []byte, ops, mem uint64, ciphertext []byte binary.LittleEndian.PutUint16(message[:2], EdDSA) copy(message[2:], privateKeyBytes) - if sum := blake2b.Sum256(message[:]); subtle.ConstantTimeCompare(sum[:], checksum[:]) != 1 { + if sum := blake2b.Sum256(message[:]); subtle.ConstantTimeCompare(sum[:], checksum) != 1 { return nil, errDecrypt } return privateKeyBytes, nil diff --git a/vendor/aead.dev/minisign/public.go b/vendor/aead.dev/minisign/public.go index f445034fc..0d86e0ff5 100644 --- a/vendor/aead.dev/minisign/public.go +++ b/vendor/aead.dev/minisign/public.go @@ -1,3 +1,7 @@ +// Copyright (c) 2021 Andreas Auernhammer. All rights reserved. +// Use of this source code is governed by a license that can be +// found in the LICENSE file. + package minisign import ( @@ -7,15 +11,16 @@ import ( "encoding/binary" "errors" "fmt" - "io/ioutil" + "os" "strconv" "strings" ) -// PublicKeyFromFile reads a new PublicKey from the -// given file. -func PublicKeyFromFile(path string) (PublicKey, error) { - bytes, err := ioutil.ReadFile(path) +const publicKeySize = 2 + 8 + ed25519.PublicKeySize + +// PublicKeyFromFile reads a PublicKey from the given file. +func PublicKeyFromFile(filename string) (PublicKey, error) { + bytes, err := os.ReadFile(filename) if err != nil { return PublicKey{}, err } @@ -53,7 +58,7 @@ func (p PublicKey) Equal(x crypto.PublicKey) bool { // String returns a base64 string representation of the PublicKey p. func (p PublicKey) String() string { - var bytes [2 + 8 + ed25519.PublicKeySize]byte + var bytes [publicKeySize]byte binary.LittleEndian.PutUint16(bytes[:2], EdDSA) binary.LittleEndian.PutUint64(bytes[2:10], p.ID()) copy(bytes[10:], p.bytes[:]) @@ -65,12 +70,17 @@ func (p PublicKey) String() string { // // It never returns an error. func (p PublicKey) MarshalText() ([]byte, error) { - var comment = "untrusted comment: minisign public key: " + strings.ToUpper(strconv.FormatUint(p.ID(), 16)) + "\n" - return []byte(comment + p.String()), nil + s := make([]byte, 0, 113) // Size of a public key in text format + s = append(s, "untrusted comment: minisign public key: "...) + s = append(s, strings.ToUpper(strconv.FormatUint(p.ID(), 16))...) + s = append(s, '\n') + s = append(s, p.String()...) + return s, nil } -// UnmarshalText parses text as textual-encoded public key. -// It returns an error if text is not a well-formed public key. +// UnmarshalText decodes a textual representation of a public key into p. +// +// It returns an error in case of a malformed key. func (p *PublicKey) UnmarshalText(text []byte) error { text = trimUntrustedComment(text) bytes := make([]byte, base64.StdEncoding.DecodedLen(len(text))) @@ -78,9 +88,9 @@ func (p *PublicKey) UnmarshalText(text []byte) error { if err != nil { return fmt.Errorf("minisign: invalid public key: %v", err) } - bytes = bytes[:n] // Adjust b/c text may contain '\r' or '\n' which would have been ignored during decoding. + bytes = bytes[:n] // Adjust since text may contain '\r' or '\n' which would have been ignored during decoding. - if n = len(bytes); n != 2+8+ed25519.PublicKeySize { + if n = len(bytes); n != publicKeySize { return errors.New("minisign: invalid public key length " + strconv.Itoa(n)) } if a := binary.LittleEndian.Uint16(bytes[:2]); a != EdDSA { diff --git a/vendor/aead.dev/minisign/signature.go b/vendor/aead.dev/minisign/signature.go index e49900dbd..112f11610 100644 --- a/vendor/aead.dev/minisign/signature.go +++ b/vendor/aead.dev/minisign/signature.go @@ -10,15 +10,14 @@ import ( "encoding/binary" "errors" "fmt" - "io/ioutil" + "os" "strconv" "strings" ) -// SignatureFromFile reads a new Signature from the -// given file. -func SignatureFromFile(file string) (Signature, error) { - bytes, err := ioutil.ReadFile(file) +// SignatureFromFile reads a Signature from the given file. +func SignatureFromFile(filename string) (Signature, error) { + bytes, err := os.ReadFile(filename) if err != nil { return Signature{}, err } @@ -35,20 +34,20 @@ func SignatureFromFile(file string) (Signature, error) { // // A signature is generated when signing a message with // a private key: -// signature = Sign(privateKey, message) +// +// signature = Sign(privateKey, message) // // The signature of a message can then be verified with the // corresponding public key: -// if Verify(publicKey, message, signature) { -// // => signature is valid -// // => message has been signed with correspoding private key -// } // +// if Verify(publicKey, message, signature) { +// // => signature is valid +// // => message has been signed with correspoding private key +// } type Signature struct { _ [0]func() // enforce named assignment and prevent direct comparison - // Algorithm is the signature algorithm. It is either - // EdDSA or HashEdDSA. + // Algorithm is the signature algorithm. It is either EdDSA or HashEdDSA. Algorithm uint16 // KeyID may be the 64 bit ID of the private key that was used @@ -88,25 +87,7 @@ type Signature struct { // In contrast to MarshalText, String does not fail if s is // not a valid minisign signature. func (s Signature) String() string { - var buffer strings.Builder - buffer.WriteString("untrusted comment: ") - buffer.WriteString(s.UntrustedComment) - buffer.WriteByte('\n') - - var signature [2 + 8 + ed25519.SignatureSize]byte - binary.LittleEndian.PutUint16(signature[:2], s.Algorithm) - binary.LittleEndian.PutUint64(signature[2:10], s.KeyID) - copy(signature[10:], s.Signature[:]) - - buffer.WriteString(base64.StdEncoding.EncodeToString(signature[:])) - buffer.WriteByte('\n') - - buffer.WriteString("trusted comment: ") - buffer.WriteString(s.TrustedComment) - buffer.WriteByte('\n') - - buffer.WriteString(base64.StdEncoding.EncodeToString(s.CommentSignature[:])) - return buffer.String() + return string(encodeSignature(&s)) } // Equal reports whether s and x have equivalent values. @@ -122,18 +103,18 @@ func (s Signature) Equal(x Signature) bool { // MarshalText returns a textual representation of the Signature s. // -// It returns an error if s cannot be a valid signature - e.g. -// because the signature algorithm is neither EdDSA nor HashEdDSA. +// It returns an error if s cannot be a valid signature, for example. +// when s.Algorithm is neither EdDSA nor HashEdDSA. func (s Signature) MarshalText() ([]byte, error) { if s.Algorithm != EdDSA && s.Algorithm != HashEdDSA { return nil, errors.New("minisign: invalid signature algorithm " + strconv.Itoa(int(s.Algorithm))) } - return []byte(s.String()), nil + return encodeSignature(&s), nil } -// UnmarshalText parses text as textual-encoded signature. -// It returns an error if text is not a well-formed minisign -// signature. +// UnmarshalText decodes a textual representation of a signature into s. +// +// It returns an error in case of a malformed signature. func (s *Signature) UnmarshalText(text []byte) error { segments := strings.SplitN(string(text), "\n", 4) if len(segments) != 4 { @@ -184,3 +165,32 @@ func (s *Signature) UnmarshalText(text []byte) error { copy(s.CommentSignature[:], commentSignature) return nil } + +// encodeSignature encodes s into its textual representation. +func encodeSignature(s *Signature) []byte { + var signature [2 + 8 + ed25519.SignatureSize]byte + binary.LittleEndian.PutUint16(signature[:], s.Algorithm) + binary.LittleEndian.PutUint64(signature[2:], s.KeyID) + copy(signature[10:], s.Signature[:]) + + b := make([]byte, 0, 228+len(s.TrustedComment)+len(s.UntrustedComment)) // Size of a signature in text format + b = append(b, "untrusted comment: "...) + b = append(b, s.UntrustedComment...) + b = append(b, '\n') + + // TODO(aead): use base64.StdEncoding.EncodeAppend once Go1.21 is dropped + n := len(b) + b = b[:n+base64.StdEncoding.EncodedLen(len(signature))] + base64.StdEncoding.Encode(b[n:], signature[:]) + b = append(b, '\n') + + b = append(b, "trusted comment: "...) + b = append(b, s.TrustedComment...) + b = append(b, '\n') + + // TODO(aead): use base64.StdEncoding.EncodeAppend once Go1.21 is dropped + n = len(b) + b = b[:n+base64.StdEncoding.EncodedLen(len(s.CommentSignature))] + base64.StdEncoding.Encode(b[n:], s.CommentSignature[:]) + return append(b, '\n') +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 0ea22289b..0916ee668 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1,5 +1,5 @@ -# aead.dev/minisign v0.2.0 -## explicit; go 1.16 +# aead.dev/minisign v0.3.0 +## explicit; go 1.21 aead.dev/minisign # cloud.google.com/go v0.116.0 ## explicit; go 1.21