cmd/geth: implement vulnerability check (#21859)

* cmd/geth: implement vulnerability check * cmd/geth: use minisign to verify vulnerability feed * cmd/geth: add the test too * cmd/geth: more minisig/signify testing * cmd/geth: support multiple pubfiles for signing * cmd/geth: add @holiman minisig pubkey * cmd/geth: polishes on vulnerability check * cmd/geth: fix ineffassign linter nit * cmd/geth: add CVE to version check struct * cmd/geth/testdata: add missing testfile * cmd/geth: add more keys to versionchecker * cmd/geth: support file:// URLs in version check * cmd/geth: improve key ID printing when signature check fails Co-authored-by: Felix Lange <fjl@twurst.com>
2020-12-04 15:01:47 +01:00
parent 7770e41cb5
commit 15339cf1c9
17 changed files with 433 additions and 0 deletions
--- a/cmd/geth/version_check_test.go
+++ b/cmd/geth/version_check_test.go
@ -0,0 +1,79 @@
+// Copyright 2020 The go-ethereum Authors
+// This file is part of go-ethereum.
+//
+// go-ethereum is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// go-ethereum is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with go-ethereum. If not, see <http://www.gnu.org/licenses/>.
+
+package main
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"path/filepath"
+	"testing"
+)
+
+func TestVerification(t *testing.T) {
+	// Signatures generated with `minisign`
+	t.Run("minisig", func(t *testing.T) {
+		// For this test, the pubkey is in testdata/minisign.pub
+		// (the privkey is `minisign.sec`, if we want to expand this test. Password 'test' )
+		pub := "RWQkliYstQBOKOdtClfgC3IypIPX6TAmoEi7beZ4gyR3wsaezvqOMWsp"
+		testVerification(t, pub, "./testdata/vcheck/minisig-sigs/")
+	})
+	// Signatures generated with `signify-openbsd`
+	t.Run("signify-openbsd", func(t *testing.T) {
+		t.Skip("This currently fails, minisign expects 4 lines of data, signify provides only 2")
+		// For this test, the pubkey is in testdata/signifykey.pub
+		// (the privkey is `signifykey.sec`, if we want to expand this test. Password 'test' )
+		pub := "RWSKLNhZb0KdATtRT7mZC/bybI3t3+Hv/O2i3ye04Dq9fnT9slpZ1a2/"
+		testVerification(t, pub, "./testdata/vcheck/signify-sigs/")
+	})
+}
+
+func testVerification(t *testing.T, pubkey, sigdir string) {
+	// Data to verify
+	data, err := ioutil.ReadFile("./testdata/vcheck/data.json")
+	if err != nil {
+		t.Fatal(err)
+	}
+	// Signatures, with and without comments, both trusted and untrusted
+	files, err := ioutil.ReadDir(sigdir)
+	if err != nil {
+		t.Fatal(err)
+	}
+	for _, f := range files {
+		sig, err := ioutil.ReadFile(filepath.Join(sigdir, f.Name()))
+		if err != nil {
+			t.Fatal(err)
+		}
+		err = verifySignature([]string{pubkey}, data, sig)
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+}
+
+func TestJson(t *testing.T) {
+	data, _ := ioutil.ReadFile("./testdata/vcheck/data2.json")
+	var vulns []vulnJson
+	if err := json.Unmarshal(data, &vulns); err != nil {
+		t.Fatal(err)
+	}
+	if len(vulns) == 0 {
+		t.Fatal("expected data, got none")
+	}
+	if have, want := vulns[0].CVE, "correct"; have != want {
+		t.Errorf("have %v, want %v", have, want)
+	}
+}