fix: variable bad scoping

Makefile

@@ -1,6 +1,8 @@
 SHELL := /bin/bash
 
-test:
+test: go-test keygen-test
+
+go-test:
 	go clean -testcache
 	go test -cover -v ./...
 
@@ -36,6 +38,13 @@ gitea-release: .mktools tools/gitea-release/bin/gitea-release.sh release
 		GITEA_RELEASE_ATTACHMENTS="$$(find release -type f -name '*.tar.gz')" \
 		tools/gitea-release/bin/gitea-release.sh
 
+keygen-test: tools/bash_unit/bin/bash_unit
+	tools/bash_unit/bin/bash_unit misc/bash_unit/keygen_test.sh
+
+tools/bash_unit/bin/bash_unit:
+	mkdir -p tools/bash_unit/bin
+	cd tools/bash_unit/bin && bash <(curl -s https://raw.githubusercontent.com/pgrange/bash_unit/master/install.sh)
+
 .PHONY: mktools
 mktools:
 	rm -rf .mktools

client/client.go

@@ -5,11 +5,11 @@ import (
 	"crypto/rsa"
 	"crypto/sha256"
 	"encoding/json"
-	"errors"
 	"net/http"
 	"time"
 
 	jwt "github.com/dgrijalva/jwt-go"
+	"github.com/pkg/errors"
 
 	peering "forge.cadoles.com/Cadoles/go-http-peering"
 	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
@@ -52,7 +52,7 @@ func (c *Client) Advertise(attrs peering.PeerAttributes) error {
 	case http.StatusConflict:
 		return peering.ErrPeerExists
 	default:
-		return ErrUnexpectedResponse
+		return errors.Wrapf(ErrUnexpectedResponse, "unexpected http status code '%d'", res.StatusCode)
 	}
 }
 
@@ -76,7 +76,7 @@ func (c *Client) UpdateAttributes(attrs peering.PeerAttributes) error {
 	case http.StatusForbidden:
 		return ErrRejected
 	default:
-		return ErrUnexpectedResponse
+		return errors.Wrapf(ErrUnexpectedResponse, "unexpected http status code '%d'", res.StatusCode)
 	}
 }
 
@@ -96,7 +96,7 @@ func (c *Client) Ping() error {
 	case http.StatusForbidden:
 		return ErrRejected
 	default:
-		return ErrUnexpectedResponse
+		return errors.Wrapf(ErrUnexpectedResponse, "unexpected http status code '%d'", res.StatusCode)
 	}
 }
 

cmd/keygen/main.go

@@ -11,8 +11,10 @@ var (
 	createKeyCmd    = false
 	getPublicKeyCmd = false
 	createTokenCmd  = false
+	verifyTokenCmd  = false
 	debug           = false
 	keyFile         string
+	tokenFile       string
 	tokenIssuer     string
 	tokenPeerID     = uuid.New()
 	keySize         = 2048
@@ -28,12 +30,17 @@ func init() {
 		&createTokenCmd, "create-token", createTokenCmd,
 		"Create a new signed authentication token",
 	)
+	flag.BoolVar(
+		&verifyTokenCmd, "verify-token", verifyTokenCmd,
+		"Verify a token generated with the given key",
+	)
 	flag.BoolVar(
 		&getPublicKeyCmd, "get-public-key", getPublicKeyCmd,
 		"Get the PEM encoded public key associated with the private key",
 	)
 	flag.BoolVar(&debug, "debug", debug, "Debug mode")
 	flag.StringVar(&keyFile, "key", keyFile, "Path to the encrypted PEM encoded key")
+	flag.StringVar(&tokenFile, "token", tokenFile, "Path to the token to verify")
 	flag.StringVar(&tokenIssuer, "token-issuer", tokenIssuer, "Token issuer")
 	flag.StringVar(&tokenPeerID, "token-peer-id", tokenPeerID, "Token peer ID")
 	flag.IntVar(&keySize, "key-size", keySize, "Size of the private key")
@@ -48,6 +55,8 @@ func main() {
 		getPublicKey()
 	case createTokenCmd:
 		createToken()
+	case verifyTokenCmd:
+		verifyToken()
 	default:
 		flag.Usage()
 	}

cmd/keygen/util.go

@@ -2,13 +2,11 @@ package main
 
 import (
 	"bytes"
-	"crypto/rand"
 	"crypto/rsa"
-	"crypto/x509"
-	"encoding/pem"
 	"fmt"
 	"io/ioutil"
 	"os"
+	"strings"
 	"syscall"
 
 	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
@@ -47,25 +45,6 @@ func askPassphrase() ([]byte, error) {
 	return passphrase, nil
 }
 
-func privateKeyToEncryptedPEM(key *rsa.PrivateKey, passphrase []byte) ([]byte, error) {
-	if passphrase == nil {
-		return nil, errors.New("passphrase cannot be empty")
-	}
-
-	// Convert it to pem
-	block := &pem.Block{
-		Type:  "RSA PRIVATE KEY",
-		Bytes: x509.MarshalPKCS1PrivateKey(key),
-	}
-
-	block, err := x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, passphrase, x509.PEMCipherAES256)
-	if err != nil {
-		return nil, errors.WithStack(err)
-	}
-
-	return pem.EncodeToMemory(block), nil
-}
-
 func loadPrivateKey() (*rsa.PrivateKey, error) {
 	if keyFile == "" {
 		return nil, errors.New("you must specify a key file to load")
@@ -85,6 +64,19 @@ func loadPrivateKey() (*rsa.PrivateKey, error) {
 	return privateKey, nil
 }
 
+func loadToken() (string, error) {
+	if tokenFile == "" {
+		return "", errors.New("you must specify a token file to load")
+	}
+
+	token, err := os.ReadFile(tokenFile)
+	if err != nil {
+		return "", errors.WithStack(err)
+	}
+
+	return strings.TrimSpace(string(token)), nil
+}
+
 func handleError(err error) {
 	if !debug {
 		fmt.Printf("%+v\n", errors.WithStack(err))

cmd/keygen/verify_token.go

@@ -0,0 +1,55 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
+	"github.com/dgrijalva/jwt-go"
+	"github.com/pkg/errors"
+)
+
+func verifyToken() {
+	rawToken, err := loadToken()
+	if err != nil {
+		handleError(errors.WithStack(err))
+	}
+
+	privateKey, err := loadPrivateKey()
+	if err != nil {
+		handleError(errors.WithStack(err))
+	}
+
+	fn := func(token *jwt.Token) (interface{}, error) {
+		return &privateKey.PublicKey, nil
+	}
+
+	token, err := jwt.ParseWithClaims(rawToken, &peering.ServerTokenClaims{}, fn)
+	if err != nil {
+		validationError, ok := err.(*jwt.ValidationError)
+		if ok {
+			handleError(errors.WithStack(validationError.Inner))
+		}
+
+		handleError(errors.WithStack(err))
+	}
+
+	if !token.Valid {
+		handleError(errors.New("token is invalid"))
+	}
+
+	claims, ok := token.Claims.(*peering.ServerTokenClaims)
+	if !ok {
+		handleError(errors.New("unexpected token claims"))
+	}
+
+	data, err := json.MarshalIndent(claims, "", "  ")
+	if err != nil {
+		handleError(errors.WithStack(err))
+	}
+
+	fmt.Println("Token OK.")
+	fmt.Println("Claims:")
+	fmt.Println(string(data))
+
+}

crypto/pem.go

@@ -53,21 +53,21 @@ func DecodePEMEncryptedPrivateKey(key []byte, passphrase []byte) (*rsa.PrivateKe
 }
 
 func EncodePrivateKeyToEncryptedPEM(key *rsa.PrivateKey, passphrase []byte) ([]byte, error) {
-	if passphrase == nil {
-		return nil, errors.New("passphrase cannot be empty")
-	}
-
 	block := &pem.Block{
 		Type:  "RSA PRIVATE KEY",
 		Bytes: x509.MarshalPKCS1PrivateKey(key),
 	}
 
-	block, err := x509.EncryptPEMBlock(
+	if len(passphrase) != 0 {
-		rand.Reader, block.Type,
+		encryptedBlock, err := x509.EncryptPEMBlock(
-		block.Bytes, passphrase, x509.PEMCipherAES256,
+			rand.Reader, block.Type,
-	)
+			block.Bytes, passphrase, x509.PEMCipherAES256,
-	if err != nil {
+		)
-		return nil, errors.WithStack(err)
+		if err != nil {
+			return nil, errors.WithStack(err)
+		}
+
+		block = encryptedBlock
 	}
 
 	return pem.EncodeToMemory(block), nil

misc/bash_unit/keygen_test.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+KEYGEN_BIN=${KEYGEN_BIN:-go run ../../cmd/keygen}
+
+test_create_key_without_passphrase() {
+    local workspace=$(mktemp -d)
+
+    # Generate a new private key without passphrase
+    local key_path="${workspace}/private.key"
+    KEY_PASSPHRASE= $KEYGEN_BIN -create-key > "${key_path}"
+}
+
+test_create_key_with_passphrase() {
+    local workspace=$(mktemp -d)
+
+    # Generate a new private key with passphrase
+    local key_path="${workspace}/private.key"
+    KEY_PASSPHRASE=foobar $KEYGEN_BIN -create-key > "${key_path}"
+}
+
+test_verify_token_without_passphrase() {
+    local workspace=$(mktemp -d)
+    
+    # Generate a new private key without passphrase
+    local key_path="${workspace}/private.key"
+    KEY_PASSPHRASE= $KEYGEN_BIN -create-key > "${key_path}"
+
+    # Generate a new token
+    local token_path="${workspace}/token.jwt"
+    KEY_PASSPHRASE= $KEYGEN_BIN -create-token -key "${key_path}" > "${token_path}"
+
+    # Verify token
+    KEY_PASSPHRASE= $KEYGEN_BIN -verify-token -key "${key_path}" -token "${token_path}"  1>/dev/null
+}
+
+test_verify_token_with_passphrase() {
+    local workspace=$(mktemp -d)
+    
+    # Generate a new private key with passphrase
+    local key_path="${workspace}/private.key"
+    KEY_PASSPHRASE=foobar $KEYGEN_BIN -create-key > "${key_path}"
+
+    # Generate a new token
+    local token_path="${workspace}/token.jwt"
+    KEY_PASSPHRASE=foobar $KEYGEN_BIN -create-token -key "${key_path}" > "${token_path}"
+
+    # Verify token
+    KEY_PASSPHRASE=foobar $KEYGEN_BIN -verify-token -key "${key_path}" -token "${token_path}" 1>/dev/null
+}

misc/ci/Dockerfile

@@ -1,5 +1,5 @@
-FROM golang:1.19
+FROM reg.cadoles.com/proxy_cache/library/golang:1.21
 
-RUN apt-get update && apt-get install -y make upx-ucl curl ca-certificates bash jq
+RUN apt-get update && apt-get install -y make curl ca-certificates bash jq
 
 RUN curl -k https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/common/add-letsencrypt-ca.sh | bash

script/release

@@ -39,7 +39,7 @@ function build {
 
   if [ ! -z "${GPG_SIGNING_KEY}" ]; then
     echo "signing '$destdir/$name' with gpg key '$GPG_SIGNING_KEY'..."
-    gpg --sign --default-key "${GPG_SIGNING_KEY}" --detach-sign --output "$destdir/$name.sig" "$destdir/$name"
+    gpg --sign --default-key "${GPG_SIGNING_KEY}" --armor --detach-sign --output "$destdir/$name.sig" "$destdir/$name"
   fi
 }
 

server/handler.go

@@ -3,12 +3,12 @@ package server
 import (
 	"crypto/rsa"
 	"encoding/json"
-	"errors"
 	"net/http"
 	"time"
 
 	peering "forge.cadoles.com/Cadoles/go-http-peering"
 	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto"
+	"github.com/pkg/errors"
 )
 
 var (
@@ -34,7 +34,7 @@ func AdvertiseHandler(store peering.Store, key *rsa.PublicKey, funcs ...OptionFu
 
 		serverClaims, err := assertServerToken(key, serverToken)
 		if err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.Wrapf(err, "could not validate token '%s'", serverToken))
 			sendError(w, http.StatusUnauthorized)
 			return
 		}
@@ -43,54 +43,53 @@ func AdvertiseHandler(store peering.Store, key *rsa.PublicKey, funcs ...OptionFu
 
 		decoder := json.NewDecoder(r.Body)
 		if err := decoder.Decode(advertising); err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, ErrInvalidAdvertisingRequest)
 			return
 		}
 
 		if _, err := peeringCrypto.DecodePEMToPublicKey(advertising.PublicKey); err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, ErrInvalidAdvertisingRequest)
 			return
 		}
 
-		peer, err := store.Get(serverClaims.PeerID)
+		_, err = store.Get(serverClaims.PeerID)
-
 		if err == nil {
-			logger.Printf("[ERROR] %s", ErrPeerIDAlreadyInUse)
+			logger.Printf("[WARN] %s", errors.WithStack(ErrPeerIDAlreadyInUse))
 			options.ErrorHandler(w, r, ErrPeerIDAlreadyInUse)
 			return
 		}
 
-		if err != peering.ErrPeerNotFound {
+		if !errors.Is(err, peering.ErrPeerNotFound) {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
 
 		attrs := filterAttributes(options.PeerAttributes, advertising.Attributes)
 
-		peer, err = store.Create(serverClaims.PeerID, attrs)
+		peer, err := store.Create(serverClaims.PeerID, attrs)
 		if err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
 
 		if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
 
 		if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
 
 		if err := store.UpdatePublicKey(peer.ID, advertising.PublicKey); err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
@@ -117,39 +116,39 @@ func UpdateHandler(store peering.Store, funcs ...OptionFunc) http.HandlerFunc {
 
 		peerID, err := GetPeerID(r)
 		if err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
 
 		peer, err := store.Get(peerID)
 		if err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
 
 		if peer == nil {
-			logger.Printf("[ERROR] %s", ErrUnauthorized)
+			logger.Printf("[ERROR] %+v", errors.WithStack(ErrUnauthorized))
 			options.ErrorHandler(w, r, ErrUnauthorized)
 			return
 		}
 
 		if peer.Status == peering.StatusRejected {
-			logger.Printf("[ERROR] %s", ErrPeerRejected)
+			logger.Printf("[ERROR] %+v", errors.WithStack(ErrPeerRejected))
 			options.ErrorHandler(w, r, ErrPeerRejected)
 			return
 		}
 
 		if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
 
 		attrs := filterAttributes(options.PeerAttributes, update.Attributes)
 		if err := store.UpdateAttributes(peer.ID, attrs); err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
@@ -176,32 +175,32 @@ func PingHandler(store peering.Store, funcs ...OptionFunc) http.HandlerFunc {
 
 		peerID, err := GetPeerID(r)
 		if err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
 
 		peer, err := store.Get(peerID)
 		if err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
 
 		if peer == nil {
-			logger.Printf("[ERROR] %s", ErrUnauthorized)
+			logger.Printf("[ERROR] %+v", errors.WithStack(ErrUnauthorized))
 			options.ErrorHandler(w, r, ErrUnauthorized)
 			return
 		}
 
 		if peer.Status == peering.StatusRejected {
-			logger.Printf("[ERROR] %s", ErrPeerRejected)
+			logger.Printf("[ERROR] %+v", errors.WithStack(ErrPeerRejected))
 			options.ErrorHandler(w, r, ErrPeerRejected)
 			return
 		}
 
 		if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}

server/middleware.go

@@ -5,7 +5,6 @@ import (
 	"context"
 	"crypto/rsa"
 	"crypto/sha256"
-	"errors"
 	"io"
 	"io/ioutil"
 	"net/http"
@@ -15,6 +14,7 @@ import (
 
 	peering "forge.cadoles.com/Cadoles/go-http-peering"
 	jwt "github.com/dgrijalva/jwt-go"
+	"github.com/pkg/errors"
 )
 
 const (
@@ -51,7 +51,7 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 
 			serverClaims, err := assertServerToken(key, serverToken)
 			if err != nil {
-				logger.Printf("[ERROR] %s", err)
+				logger.Printf("[ERROR] %+v", errors.WithStack(err))
 				sendError(w, http.StatusUnauthorized)
 				return
 			}
@@ -64,13 +64,13 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 				options.IgnoredClientTokenErrors...,
 			)
 			if err != nil {
-				logger.Printf("[ERROR] %s", err)
+				logger.Printf("[ERROR] %+v", errors.WithStack(err))
 				switch err {
 				case peering.ErrPeerNotFound:
 					sendError(w, http.StatusUnauthorized)
 				case ErrNotPeered:
 					if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
-						logger.Printf("[ERROR] %s", err)
+						logger.Printf("[ERROR] %+v", errors.WithStack(err))
 						sendError(w, http.StatusInternalServerError)
 						return
 					}
@@ -78,7 +78,7 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 					return
 				case ErrPeerRejected:
 					if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
-						logger.Printf("[ERROR] %s", err)
+						logger.Printf("[ERROR] %+v", errors.WithStack(err))
 						sendError(w, http.StatusInternalServerError)
 						return
 					}
@@ -92,19 +92,19 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 
 			match, body, err := assertBodySum(r.Body, clientClaims.BodySum)
 			if err != nil {
-				logger.Printf("[ERROR] %s", err)
+				logger.Printf("[ERROR] %+v", errors.WithStack(err))
 				sendError(w, http.StatusInternalServerError)
 				return
 			}
 
 			if !match {
-				logger.Printf("[ERROR] %s", ErrInvalidChecksum)
+				logger.Printf("[ERROR] %+v", errors.WithStack(ErrInvalidChecksum))
 				sendError(w, http.StatusBadRequest)
 				return
 			}
 
 			if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
-				logger.Printf("[ERROR] %s", err)
+				logger.Printf("[ERROR] %+v", errors.WithStack(err))
 				sendError(w, http.StatusInternalServerError)
 				return
 			}
@@ -183,7 +183,7 @@ func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken s
 		if ok {
 			for _, c := range ignoredValidationErrors {
 				if validationError.Errors&c != 0 {
-					logger.Printf("ignoring token validation error: '%s'", validationError.Inner)
+					logger.Printf("ignoring token validation error: '%+v'", errors.WithStack(validationError.Inner))
 					return getPeeringClaims(token)
 				}
 			}