From c37d51279a04324086e4b8f677e7bbd5b4a6bc71 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?=
Date: Wed, 19 Aug 2020 18:26:54 +0200
Subject: [PATCH] Use core-go's crypto for webhook signing

---
 gitsrht-update-hook/go.mod | 1 -
 gitsrht-update-hook/go.sum | 10 ---------
 gitsrht-update-hook/webhooks.go | 38 ++++-----------------------------
 3 files changed, 4 insertions(+), 45 deletions(-)

diff --git a/gitsrht-update-hook/go.mod b/gitsrht-update-hook/go.mod
index cad4ba1..fcef2ee 100644
--- a/gitsrht-update-hook/go.mod
+++ b/gitsrht-update-hook/go.mod
@@ -11,6 +11,5 @@ require (
 github.com/mattn/go-runewidth v0.0.9
 github.com/pkg/errors v0.9.1
 github.com/vaughan0/go-ini v0.0.0-20130923145212-a98ad7ee00ec
- golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de
 gopkg.in/yaml.v2 v2.3.0
 )
diff --git a/gitsrht-update-hook/go.sum b/gitsrht-update-hook/go.sum
index eae0f8c..dafc159 100644
--- a/gitsrht-update-hook/go.sum
+++ b/gitsrht-update-hook/go.sum
@@ -19,8 +19,6 @@ github.com/go-git/go-git v4.7.0+incompatible h1:+W9rgGY4DOKKdX2x6HxSR7HNeTxqiKrO
 github.com/go-git/go-git-fixtures/v4 v4.0.1/go.mod h1:m+ICp2rF3jDhFgEZ/8yziagdT1C+ZpZcrJjappBCDSw=
 github.com/go-git/go-git/v5 v5.1.0 h1:HxJn9g/E7eYvKW3Fm7Jt4ee8LXfPOm/H1cdDu8vEssk=
 github.com/go-git/go-git/v5 v5.1.0/go.mod h1:ZKfuPUoY1ZqIG4QG9BDBh3G4gLM5zvPuSJAozQrZuyM=
-github.com/go-redis/redis v6.15.6+incompatible h1:H9evprGPLI8+ci7fxQx6WNZHJSb7be8FqJQRhdQZ5Sg=
-github.com/go-redis/redis v6.15.6+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
 github.com/go-redis/redis v6.15.9+incompatible h1:K0pv1D7EQUjfyoMql+r/jZqCLizCGKFlFgcHWWmHQjg=
 github.com/go-redis/redis v6.15.9+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -37,18 +35,13 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/lib/pq v1.2.0 h1:LXpIM/LZ5xGFhOpXAQUIMM1HdyqzVYM13zNdjCEEcA0=
-github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.8.0 h1:9xohqzkUwzR4Ga4ivdTcawVS89YSDVxXMa3xJX3cGzg=
 github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/mattn/go-runewidth v0.0.6 h1:V2iyH+aX9C5fsYCpK60U8BYIvmhqxuOL3JZcqc1NB7k=
-github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -63,7 +56,6 @@ github.com/xanzy/ssh-agent v0.2.1 h1:TCbipTQL2JiiCprBWx9frJ2eJlCYT00NmctrHxVAr70
 github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4=
 golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073 h1:xMPOj6Pz6UipU1wXLkrtqpHbR0AVFnyPEQq/wRWz9lM=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de h1:ikNHVSjEfnvz6sxdSPCaPt572qowuyMDMJLLm3Db3ig=
 golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -85,7 +77,5 @@ gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo=
-gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/gitsrht-update-hook/webhooks.go b/gitsrht-update-hook/webhooks.go
index fd720c9..40d2cd2 100644
--- a/gitsrht-update-hook/webhooks.go
+++ b/gitsrht-update-hook/webhooks.go
@@ -2,9 +2,6 @@ package main
 
 import (
 "bytes"
- "crypto/rand"
- "encoding/base64"
- "encoding/hex"
 "fmt"
 "io/ioutil"
 "log"
@@ -17,11 +14,7 @@ import (
 
 "github.com/google/uuid"
 "github.com/mattn/go-runewidth"
- "golang.org/x/crypto/ed25519"
-)
-
-var (
- privkey ed25519.PrivateKey
+ "git.sr.ht/~sircmpwn/core-go/crypto"
 )
 
 type WebhookSubscription struct {
@@ -58,38 +51,16 @@ type WebhookPayload struct {
 Refs []UpdatedRef `json:"refs"`
 }
 
-func initWebhookKey() {
- b64key, ok := config.Get("webhooks", "private-key")
- if !ok {
- logger.Fatalf("No webhook key configured")
- }
- seed, err := base64.StdEncoding.DecodeString(b64key)
- if err != nil {
- logger.Fatalf("base64 decode webhooks private key: %v", err)
- }
- privkey = ed25519.NewKeyFromSeed(seed)
-}
-
 var ansi = regexp.MustCompile("\x1B\\[[0-?]*[ -/]*[@-~]")
 
 func deliverWebhooks(subs []WebhookSubscription,
 payload []byte, printResponse bool) []WebhookDelivery {
 
 var deliveries []WebhookDelivery
- initWebhookKey()
 client := &http.Client{Timeout: 5 * time.Second}
 
 for _, sub := range subs {
- var (
- nonceSeed []byte = make([]byte, 8)
- nonceHex []byte = make([]byte, 16)
- )
- _, err := rand.Read(nonceSeed)
- if err != nil {
- logger.Fatalf("generate nonce: %v", err)
- }
- hex.Encode(nonceHex, nonceSeed)
- signature := ed25519.Sign(privkey, append(payload, nonceHex...))
+ nonce, signature := crypto.SignWebhookPayload(payload, logger, config)
 deliveryUuid := uuid.New().String()
 body := bytes.NewBuffer(payload)
 
@@ -97,9 +68,8 @@ func deliverWebhooks(subs []WebhookSubscription,
 req.Header.Add("Content-Type", "application/json")
 req.Header.Add("X-Webhook-Event", "repo:post-update")
 req.Header.Add("X-Webhook-Delivery", deliveryUuid)
- req.Header.Add("X-Payload-Nonce", string(nonceHex))
- req.Header.Add("X-Payload-Signature",
- base64.StdEncoding.EncodeToString(signature))
+ req.Header.Add("X-Payload-Nonce", nonce)
+ req.Header.Add("X-Payload-Signature", signature)
 
 var requestHeaders bytes.Buffer
 for name, values := range req.Header {
-- 
2.38.4
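Review bot: Key loading moved from a single `initWebhookKey()` call above the loop into `crypto.SignWebhookPayload(payload, logger, config)` inside `for _, sub := range subs`, so if that helper reads `webhooks.private-key` from config on each call, a missing or undecodable key is presumably reported only when the first subscription is signed and never when `subs` is empty, where the old code failed fast on every run. Worth confirming against core-go that the hook still refuses to proceed on a misconfigured key regardless of subscriber count, or documenting the new behaviour at the call site. The signed message construction and the encodings of `X-Payload-Nonce`/`X-Payload-Signature` (hex nonce and base64 signature in the removed code) are now fixed by core-go rather than visible here, which also applies to the `@@ -97` hunk; a comment such as `// nonce/signature encoding and the signed message layout are defined by core-go's SignWebhookPayload; receivers must verify with the same construction` would keep the header contract discoverable in this file. deliverWebhooks continues outside both hunks.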