Add artifact sign/verify via libsodium.

[bookshelfdave]

This PR adds artifact sign/verify via libsodium.

The following subcommands have been implemented:

hab artifact sign
hab artifact verify
hab origin key generate

hab archive has been renamed to hab artifact.

Note, this does not implement user or service keys, and also excludes encryption/decryption. I'm going to leave some commented out code in (any code that includes "box"), please ignore for now and I'll update it when this story is completed next week.

1 minute tutorial

0. Generate an origin key

./target/debug/hab origin key generate habitat

1. Make a tarfile that you want to sign:

tar cvJf chef-zlib.-1.2.8-20160310193228.xz /opt/bldr/pkgs/chef/zlib/1.2.8/20160310193228/

2. Create a signed artifact:

./target/debug/hab artifact sign chef-zlib.-1.2.8-20160310193228.xz chef-zlib.-1.2.8-20160310193228.hab --origin habitat

OR

export HABITAT_ORIGIN=habitat
./target/debug/hab artifact sign chef-zlib.-1.2.8-20160310193228.xz chef-zlib.-1.2.8-20160310193228.hab 

3. Look at the header:

head -3 chef-zlib.-1.2.8-20160310193228.hab

4. Skip verification and just access the tarball:

tail -n +4 chef-zlib.-1.2.8-20160310193228.hab | tar tvJ

5. Verify the artifact and extract it's contents

./target/debug/hab artifact verify ./chef-zlib.-1.2.8-20160310193228.hab ./out.xz

6. Make sure it worked:

tar tvJf out.xz

---

TODO:

• tests
• cleanup "find newest key code"
• tz on revision string generation
• don't output tar file on verify
• honor HABITAT_ORIGIN
• return a meaningful value out to the shell

Development notes

GPG still exists in the repo

I'll remove references to GPG in a later PR

sodiumoxide + libsodium-sys

While we are waiting for the generichash functions from this PR to be merged, we're pointing to a fork. The annoying thing about this is that we have to include the entire repo as a cargo override via components/.cargo/config and Cargo.toml . Once the PR is merged to the official repo, we can remove these files and continue in peace.

Compiling

In order to compile this today, you'll need the libsodium package installed and Rust needs to know how to link to libsodium via SODIUM_LIB_DIR.

export SODIUM_LIB_DIR=/opt/studios/src/opt/bldr/pkgs/chef/libsodium/1.0.8/20160406134120/lib
export LD_LIBRARY_PATH=${SODIUM_LIB_DIR}

I updated the depot and sup plans to include libsodium, but we'll need to address the plan that builds hab asap.

---

These are a prettier version of the docs I've embedded inside of hab_crypto.rs:

Habitat uses libsodium and it's Rust counterpart sodiumoxide for cryptographic operations.

Concepts and terminology:

• All public keys/certificates/signatures will be referred to as public.
• All secret or private keys will be referred to as secret.
• The word key by itself does not indicate public or secret. The only exception is if the word key appears as part of a file suffix, where it is then considered the secret key file.
• Origin - refers to build-time operations, including signing and verifification of an artifact.
• Organization - refers to run-time operations that can happen in Habitat, such as deploying a package signed in a different origin into your own organization.
• Signing keys - aka sig keys. These are used to sign and verify packages. Contains a sig.key file suffix. Sig keys are NOT compatible with box keys.
• Box keys - used for encryption/decryption of arbitrary data. Contains a .box.key file suffix. Box keys are NOT compatible with sig keys.
• Key revisions - Habitat can use several keys for any given user, service, or origin via different revision numbers. Revision numbers appear following the key name and are in the format
  {year}{month}{day}{hour24}{minute}{second}. For all user-facing cryptographic operations (sign/verify/encrypt/decrypt), the latest key is tried first, and upon failure, Habitat will try keys in reverse chronological order until success or there are no more keys. _TODO: key revisions are generated as part of a filename, but only the most recent key is used during crypto operations._

Example origin key file names ("sig" keys):

 habitat-201603312016.pub
 habitat-201603312016.sig.key
 your_company-201604021516.pub
 your_company-201604021516.sig.key

Example user keys ("box" keys)

 [email protected]
 [email protected]

Example Service keys:

 [email protected]

Habitat signed artifact format

A signed .hab artifact has 3 plaintext lines followed by a binary blob of data, which is the unsigned tarfile.

• The first plaintext line is the name of the origin signing key that was used to sign this artifact.
• The second plaintext line is the hashing algorithm used, which will be BLAKE2b unless our use of crypto is expanded some time in the future.
• The third plaintext line is a base64 signed value of the binary blob's base64 file hash. Signing uses a secret origin key, while verifying uses the public origin key. Thus, it it safe to distribute public origin keys.

Example header:

habitat-20160405144945
BLAKE2b
signed BLAKE2b signature
<binary-blob>

https://download.libsodium.org/doc/hashing/generic_hashing.html

It's possible to examine the contents of a .hab file from a Linux shell:

$ head -3 /opt/bldr/cache/pkgs/chef-glibc-2.22-20160310192356.bldr
habitat-20160405144945
BLAKE2b
w4yC7/QADdC+NfH/wgN5u4K94nMieb1TxTVzbSfpMwRQ4k+YwhLs1nDXSIbSC8jHdF/7/LqLWtgPvGDmoKIvBDI0aGpIcGdlNDJhMDBnQ3lsMVVFM0JvRlZGSHhXcnBuWWF0SllXTXo1ZDg9
# Note that this is an example signature only

It is also possible to extract a plain tarball from a signed .hab artifact using the following command:

tail -n +4 /tmp/somefile.hab > somefile.tar
# start at line 4, skipping the first 3 plaintext lines.

[bookshelfdave]

I'll make the verify subcommand return an appropriate exit code instead of spitting out the tar file.

[fnichol]

Could you alphabetize into the list? It should help with future merging

[fnichol]

@metadave I realize this might still be finishing up, but great work! You must have had fun with Rust/IO pushing all those files around.

[reset]

Did this become a problem? Why change directory instead of just pass the manifest-path?

[bookshelfdave]

yes, because of the components/.cargo/config file

[reset]

Thanks Cargo

[chef-delivery]

This PR has passed 'Verify' and is ready for review and approval!
Use: '@delivery approve' when code review is complete.

[reset]

This might be better served in the util module instead of crypto

[bookshelfdave]

agreed, I'll pull it out in my next few crypto PR's, as I have some more work do to w/ env vars etc.

[reset]

@metadave great work man, I'm looking forward to when they merge your changes ;). My comments are mostly just tips on how to be more fluent in Rust

[reset]

blast-off when ready

[bookshelfdave]

thanks so much for the review @reset @fnichol
review fixes pushed, getting ready to merge soon

[bookshelfdave]

Note, this needs to be merged after: #361

[chef-delivery]

This PR has passed 'Verify' and is ready for review and approval!
Use: '@delivery approve' when code review is complete.

[bookshelfdave]

@delivery approve

[chef-delivery]

Change: b7477faa-3da9-4c5d-b8a4-0697e52ae948 approved by: @metadave