You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

ssh_key_verify.go 1.4KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354
  1. // Copyright 2021 The Gitea Authors. All rights reserved.
  2. // SPDX-License-Identifier: MIT
  3. package asymkey
  4. import (
  5. "bytes"
  6. "code.gitea.io/gitea/models/db"
  7. "code.gitea.io/gitea/modules/log"
  8. "github.com/42wim/sshsig"
  9. )
  10. // VerifySSHKey marks a SSH key as verified
  11. func VerifySSHKey(ownerID int64, fingerprint, token, signature string) (string, error) {
  12. ctx, committer, err := db.TxContext(db.DefaultContext)
  13. if err != nil {
  14. return "", err
  15. }
  16. defer committer.Close()
  17. key := new(PublicKey)
  18. has, err := db.GetEngine(ctx).Where("owner_id = ? AND fingerprint = ?", ownerID, fingerprint).Get(key)
  19. if err != nil {
  20. return "", err
  21. } else if !has {
  22. return "", ErrKeyNotExist{}
  23. }
  24. err = sshsig.Verify(bytes.NewBuffer([]byte(token)), []byte(signature), []byte(key.Content), "gitea")
  25. if err != nil {
  26. // edge case for Windows based shells that will add CR LF if piped to ssh-keygen command
  27. // see https://github.com/PowerShell/PowerShell/issues/5974
  28. if sshsig.Verify(bytes.NewBuffer([]byte(token+"\r\n")), []byte(signature), []byte(key.Content), "gitea") != nil {
  29. log.Error("Unable to validate token signature. Error: %v", err)
  30. return "", ErrSSHInvalidTokenSignature{
  31. Fingerprint: key.Fingerprint,
  32. }
  33. }
  34. }
  35. key.Verified = true
  36. if _, err := db.GetEngine(ctx).ID(key.ID).Cols("verified").Update(key); err != nil {
  37. return "", err
  38. }
  39. if err := committer.Commit(); err != nil {
  40. return "", err
  41. }
  42. return key.Fingerprint, nil
  43. }