jojo/models/asymkey/ssh_key_verify.go

// Copyright 2021 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package asymkey

import (
	"bytes"
	"context"

	"forgejo.org/models/db"
	"forgejo.org/modules/log"
	"forgejo.org/modules/setting"

	"github.com/42wim/sshsig"
)

// VerifySSHKey marks a SSH key as verified
func VerifySSHKey(ctx context.Context, ownerID int64, fingerprint, token, signature string) (string, error) {
	ctx, committer, err := db.TxContext(ctx)
	if err != nil {
		return "", err
	}
	defer committer.Close()

	key := new(PublicKey)

	has, err := db.GetEngine(ctx).Where("owner_id = ? AND fingerprint = ?", ownerID, fingerprint).Get(key)
	if err != nil {
		return "", err
	} else if !has {
		return "", ErrKeyNotExist{}
	}

	err = sshsig.Verify(bytes.NewBuffer([]byte(token)), []byte(signature), []byte(key.Content), setting.Domain)
	if err != nil {
		// edge case for Windows based shells that will add CR LF if piped to ssh-keygen command
		// see https://github.com/PowerShell/PowerShell/issues/5974
		if sshsig.Verify(bytes.NewBuffer([]byte(token+"\r\n")), []byte(signature), []byte(key.Content), setting.Domain) != nil {
			log.Error("Unable to validate token signature. Error: %v", err)
			return "", ErrSSHInvalidTokenSignature{
				Fingerprint: key.Fingerprint,
			}
		}
	}

	key.Verified = true
	if _, err := db.GetEngine(ctx).ID(key.ID).Cols("verified").Update(key); err != nil {
		return "", err
	}

	if err := committer.Commit(); err != nil {
		return "", err
	}

	return key.Fingerprint, nil
}
Add support for ssh commit signing (#17743) * Add support for ssh commit signing * Split out ssh verification to separate file * Show ssh key fingerprint on commit page * Update sshsig lib * Make sure we verify against correct namespace * Add ssh public key verification via ssh signatures When adding a public ssh key also validate that this user actually owns the key by signing a token with the private key. * Remove some gpg references and make verify key optional * Fix spaces indentation * Update options/locale/locale_en-US.ini Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update templates/user/settings/keys_ssh.tmpl Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update options/locale/locale_en-US.ini Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update options/locale/locale_en-US.ini Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update models/ssh_key_commit_verification.go Co-authored-by: Gusted <williamzijl7@hotmail.com> * Reword ssh/gpg_key_success message * Change Badsignature to NoKeyFound * Add sign/verify tests * Fix upstream api changes to user_model User * Match exact on SSH signature * Fix code review remarks Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io> 2021-12-19 06:37:18 +01:00			`// Copyright 2021 The Gitea Authors. All rights reserved.`
Implement FSFE REUSE for golang files (#21840) Change all license headers to comply with REUSE specification. Fix #16132 Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github> Co-authored-by: John Olheiser <john.olheiser@gmail.com> 2022-11-27 13:20:29 -05:00			`// SPDX-License-Identifier: MIT`
Add support for ssh commit signing (#17743) * Add support for ssh commit signing * Split out ssh verification to separate file * Show ssh key fingerprint on commit page * Update sshsig lib * Make sure we verify against correct namespace * Add ssh public key verification via ssh signatures When adding a public ssh key also validate that this user actually owns the key by signing a token with the private key. * Remove some gpg references and make verify key optional * Fix spaces indentation * Update options/locale/locale_en-US.ini Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update templates/user/settings/keys_ssh.tmpl Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update options/locale/locale_en-US.ini Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update options/locale/locale_en-US.ini Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update models/ssh_key_commit_verification.go Co-authored-by: Gusted <williamzijl7@hotmail.com> * Reword ssh/gpg_key_success message * Change Badsignature to NoKeyFound * Add sign/verify tests * Fix upstream api changes to user_model User * Match exact on SSH signature * Fix code review remarks Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io> 2021-12-19 06:37:18 +01:00
			`package asymkey`

			`import (`
			`"bytes"`
Final round of `db.DefaultContext` refactor (#27587) Last part of #27065 2023-10-14 10:37:24 +02:00			`"context"`
Add support for ssh commit signing (#17743) * Add support for ssh commit signing * Split out ssh verification to separate file * Show ssh key fingerprint on commit page * Update sshsig lib * Make sure we verify against correct namespace * Add ssh public key verification via ssh signatures When adding a public ssh key also validate that this user actually owns the key by signing a token with the private key. * Remove some gpg references and make verify key optional * Fix spaces indentation * Update options/locale/locale_en-US.ini Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update templates/user/settings/keys_ssh.tmpl Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update options/locale/locale_en-US.ini Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update options/locale/locale_en-US.ini Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update models/ssh_key_commit_verification.go Co-authored-by: Gusted <williamzijl7@hotmail.com> * Reword ssh/gpg_key_success message * Change Badsignature to NoKeyFound * Add sign/verify tests * Fix upstream api changes to user_model User * Match exact on SSH signature * Fix code review remarks Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io> 2021-12-19 06:37:18 +01:00
chore: branding import path (#7337) - Massive replacement of changing `code.gitea.io/gitea` to `forgejo.org`. - Resolves forgejo/discussions#258 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7337 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Reviewed-by: Michael Kriese <michael.kriese@gmx.de> Reviewed-by: Beowulf <beowulf@beocode.eu> Reviewed-by: Panagiotis "Ivory" Vasilopoulos <git@n0toose.net> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz> 2025-03-27 19:40:14 +00:00			`"forgejo.org/models/db"`
			`"forgejo.org/modules/log"`
feat: use AppDomain for key verification (#10429) Fixes #10416 Followup to a hardcoded string in [gitea#17743](https://github.com/go-gitea/gitea/pull/17743) * instead of using a hardcoded namespace, use the configured application domain * `ssh-keygen` refuses to work with empty namespace, but `Domain` falls back to `localhost`: https://codeberg.org/forgejo/forgejo/src/commit/95dca7ff57955f5a08e656caf8ceb61c88201ff8/modules/setting/server.go#L192 * since `VerifySSHKey` verifies the namespace, I think that using a mostly-unique string instead of a hardcoded one doesn't hurt. Here's what `man ssh-keygen` says on the topic: > An additional signature namespace, used to prevent signature confusion across different domains of use (e.g. file signing vs email signing) must be provided via the -n flag. Namespaces are arbitrary strings, and may include: “file” for file signing, “email” for email signing. For custom uses, it is recommended to use names following a NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces. ## Testing There's a test `TestFromOpenSSH` but it uses a hardcoded default namespace `file`: https://codeberg.org/forgejo/forgejo/src/commit/95dca7ff57955f5a08e656caf8ceb61c88201ff8/models/asymkey/ssh_key_test.go#L334 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10429 Reviewed-by: Beowulf <beowulf@beocode.eu> Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: 0ko <0ko@noreply.codeberg.org> Co-committed-by: 0ko <0ko@noreply.codeberg.org> 2025-12-17 17:01:14 +01:00			`"forgejo.org/modules/setting"`
Migration 204 use Sync2 (#18044) * format nit * Sync2 2021-12-20 18:58:38 +01:00
Add support for ssh commit signing (#17743) * Add support for ssh commit signing * Split out ssh verification to separate file * Show ssh key fingerprint on commit page * Update sshsig lib * Make sure we verify against correct namespace * Add ssh public key verification via ssh signatures When adding a public ssh key also validate that this user actually owns the key by signing a token with the private key. * Remove some gpg references and make verify key optional * Fix spaces indentation * Update options/locale/locale_en-US.ini Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update templates/user/settings/keys_ssh.tmpl Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update options/locale/locale_en-US.ini Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update options/locale/locale_en-US.ini Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update models/ssh_key_commit_verification.go Co-authored-by: Gusted <williamzijl7@hotmail.com> * Reword ssh/gpg_key_success message * Change Badsignature to NoKeyFound * Add sign/verify tests * Fix upstream api changes to user_model User * Match exact on SSH signature * Fix code review remarks Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io> 2021-12-19 06:37:18 +01:00			`"github.com/42wim/sshsig"`
			`)`

			`// VerifySSHKey marks a SSH key as verified`
Final round of `db.DefaultContext` refactor (#27587) Last part of #27065 2023-10-14 10:37:24 +02:00			`func VerifySSHKey(ctx context.Context, ownerID int64, fingerprint, token, signature string) (string, error) {`
			`ctx, committer, err := db.TxContext(ctx)`
Add support for ssh commit signing (#17743) * Add support for ssh commit signing * Split out ssh verification to separate file * Show ssh key fingerprint on commit page * Update sshsig lib * Make sure we verify against correct namespace * Add ssh public key verification via ssh signatures When adding a public ssh key also validate that this user actually owns the key by signing a token with the private key. * Remove some gpg references and make verify key optional * Fix spaces indentation * Update options/locale/locale_en-US.ini Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update templates/user/settings/keys_ssh.tmpl Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update options/locale/locale_en-US.ini Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update options/locale/locale_en-US.ini Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update models/ssh_key_commit_verification.go Co-authored-by: Gusted <williamzijl7@hotmail.com> * Reword ssh/gpg_key_success message * Change Badsignature to NoKeyFound * Add sign/verify tests * Fix upstream api changes to user_model User * Match exact on SSH signature * Fix code review remarks Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io> 2021-12-19 06:37:18 +01:00			`if err != nil {`
			`return "", err`
			`}`
			`defer committer.Close()`

			`key := new(PublicKey)`

			`has, err := db.GetEngine(ctx).Where("owner_id = ? AND fingerprint = ?", ownerID, fingerprint).Get(key)`
			`if err != nil {`
			`return "", err`
			`} else if !has {`
			`return "", ErrKeyNotExist{}`
			`}`

feat: use AppDomain for key verification (#10429) Fixes #10416 Followup to a hardcoded string in [gitea#17743](https://github.com/go-gitea/gitea/pull/17743) * instead of using a hardcoded namespace, use the configured application domain * `ssh-keygen` refuses to work with empty namespace, but `Domain` falls back to `localhost`: https://codeberg.org/forgejo/forgejo/src/commit/95dca7ff57955f5a08e656caf8ceb61c88201ff8/modules/setting/server.go#L192 * since `VerifySSHKey` verifies the namespace, I think that using a mostly-unique string instead of a hardcoded one doesn't hurt. Here's what `man ssh-keygen` says on the topic: > An additional signature namespace, used to prevent signature confusion across different domains of use (e.g. file signing vs email signing) must be provided via the -n flag. Namespaces are arbitrary strings, and may include: “file” for file signing, “email” for email signing. For custom uses, it is recommended to use names following a NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces. ## Testing There's a test `TestFromOpenSSH` but it uses a hardcoded default namespace `file`: https://codeberg.org/forgejo/forgejo/src/commit/95dca7ff57955f5a08e656caf8ceb61c88201ff8/models/asymkey/ssh_key_test.go#L334 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10429 Reviewed-by: Beowulf <beowulf@beocode.eu> Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: 0ko <0ko@noreply.codeberg.org> Co-committed-by: 0ko <0ko@noreply.codeberg.org> 2025-12-17 17:01:14 +01:00			`err = sshsig.Verify(bytes.NewBuffer([]byte(token)), []byte(signature), []byte(key.Content), setting.Domain)`
Retry SSH key verification with additional CRLF if it failed (#28392) Windows-based shells will add a CRLF when piping the token into ssh-keygen command resulting in verification error. This resolves #21527. --------- Co-authored-by: Heiko Besemann <heiko.besemann@qbeyond.de> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> 2023-12-14 03:39:32 +01:00			`if err != nil {`
			`// edge case for Windows based shells that will add CR LF if piped to ssh-keygen command`
			`// see https://github.com/PowerShell/PowerShell/issues/5974`
feat: use AppDomain for key verification (#10429) Fixes #10416 Followup to a hardcoded string in [gitea#17743](https://github.com/go-gitea/gitea/pull/17743) * instead of using a hardcoded namespace, use the configured application domain * `ssh-keygen` refuses to work with empty namespace, but `Domain` falls back to `localhost`: https://codeberg.org/forgejo/forgejo/src/commit/95dca7ff57955f5a08e656caf8ceb61c88201ff8/modules/setting/server.go#L192 * since `VerifySSHKey` verifies the namespace, I think that using a mostly-unique string instead of a hardcoded one doesn't hurt. Here's what `man ssh-keygen` says on the topic: > An additional signature namespace, used to prevent signature confusion across different domains of use (e.g. file signing vs email signing) must be provided via the -n flag. Namespaces are arbitrary strings, and may include: “file” for file signing, “email” for email signing. For custom uses, it is recommended to use names following a NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces. ## Testing There's a test `TestFromOpenSSH` but it uses a hardcoded default namespace `file`: https://codeberg.org/forgejo/forgejo/src/commit/95dca7ff57955f5a08e656caf8ceb61c88201ff8/models/asymkey/ssh_key_test.go#L334 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10429 Reviewed-by: Beowulf <beowulf@beocode.eu> Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: 0ko <0ko@noreply.codeberg.org> Co-committed-by: 0ko <0ko@noreply.codeberg.org> 2025-12-17 17:01:14 +01:00			`if sshsig.Verify(bytes.NewBuffer([]byte(token+"\r\n")), []byte(signature), []byte(key.Content), setting.Domain) != nil {`
Retry SSH key verification with additional CRLF if it failed (#28392) Windows-based shells will add a CRLF when piping the token into ssh-keygen command resulting in verification error. This resolves #21527. --------- Co-authored-by: Heiko Besemann <heiko.besemann@qbeyond.de> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> 2023-12-14 03:39:32 +01:00			`log.Error("Unable to validate token signature. Error: %v", err)`
			`return "", ErrSSHInvalidTokenSignature{`
			`Fingerprint: key.Fingerprint,`
			`}`
Add support for ssh commit signing (#17743) * Add support for ssh commit signing * Split out ssh verification to separate file * Show ssh key fingerprint on commit page * Update sshsig lib * Make sure we verify against correct namespace * Add ssh public key verification via ssh signatures When adding a public ssh key also validate that this user actually owns the key by signing a token with the private key. * Remove some gpg references and make verify key optional * Fix spaces indentation * Update options/locale/locale_en-US.ini Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update templates/user/settings/keys_ssh.tmpl Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update options/locale/locale_en-US.ini Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update options/locale/locale_en-US.ini Co-authored-by: Gusted <williamzijl7@hotmail.com> * Update models/ssh_key_commit_verification.go Co-authored-by: Gusted <williamzijl7@hotmail.com> * Reword ssh/gpg_key_success message * Change Badsignature to NoKeyFound * Add sign/verify tests * Fix upstream api changes to user_model User * Match exact on SSH signature * Fix code review remarks Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io> 2021-12-19 06:37:18 +01:00			`}`
			`}`

			`key.Verified = true`
			`if _, err := db.GetEngine(ctx).ID(key.ID).Cols("verified").Update(key); err != nil {`
			`return "", err`
			`}`

			`if err := committer.Commit(); err != nil {`
			`return "", err`
			`}`

			`return key.Fingerprint, nil`
			`}`