From b2a3a0411c7e26d4805e6846e9413299e999b636 Mon Sep 17 00:00:00 2001 From: Gusted Date: Fri, 17 Jan 2025 03:17:10 +0000 Subject: [PATCH] [PORT] Remove SHA1 for support for ssh rsa signing (#31857) (#5303) https://github.com/go-fed/httpsig seems to be unmaintained. Switch to github.com/42wim/httpsig which has removed deprecated crypto and default sha256 signing for ssh rsa. No impact for those that use ed25519 ssh certificates. This is a breaking change for: - gitea.com/gitea/tea (go-sdk) - I'll be sending a PR there too - activitypub using deprecated crypto (is this actually used?) (cherry picked from commit 01dec7577a051d9bb30e91f6cf6653dc51a37d06) --- Conflict resolution: trivial Co-authored-by: Wim Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5303 Reviewed-by: Earl Warren --- go.mod | 4 ++-- go.sum | 4 ++-- modules/activitypub/client.go | 2 +- modules/setting/federation.go | 2 +- routers/api/v1/activitypub/reqsignature.go | 2 +- services/auth/httpsign.go | 4 ++-- tests/integration/api_httpsig_test.go | 2 +- 7 files changed, 10 insertions(+), 10 deletions(-) diff --git a/go.mod b/go.mod index e069a33996..48e9e49075 100644 --- a/go.mod +++ b/go.mod @@ -17,6 +17,7 @@ require ( codeberg.org/gusted/mcaptcha v0.0.0-20220723083913-4f3072e1d570 connectrpc.com/connect v1.17.0 gitea.com/lunny/levelqueue v0.4.2-0.20230414023320-3c0159fe0fe4 + github.com/42wim/httpsig v1.2.2 github.com/42wim/sshsig v0.0.0-20211121163825-841cf5bbc121 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 github.com/ProtonMail/go-crypto v1.1.4 @@ -43,7 +44,6 @@ require ( github.com/go-chi/cors v1.2.1 github.com/go-co-op/gocron v1.37.0 github.com/go-enry/go-enry/v2 v2.9.1 - github.com/go-fed/httpsig v1.1.1-0.20201223112313-55836744818e github.com/go-git/go-git/v5 v5.13.1 github.com/go-ldap/ldap/v3 v3.4.6 github.com/go-openapi/spec v0.20.14 @@ -131,7 +131,6 @@ require ( dario.cat/mergo v1.0.0 // indirect filippo.io/edwards25519 v1.1.0 // indirect git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20220703122237-02e73435a078 // indirect - github.com/42wim/httpsig v1.2.2 // indirect github.com/DataDog/zstd v1.5.5 // indirect github.com/GoogleCloudPlatform/grpc-gcp-go/grpcgcp v1.5.0 // indirect github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.2 // indirect @@ -184,6 +183,7 @@ require ( github.com/go-ap/errors v0.0.0-20231003111023-183eef4b31b7 // indirect github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect github.com/go-enry/go-oniguruma v1.2.1 // indirect + github.com/go-fed/httpsig v1.1.0 // indirect github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect github.com/go-git/go-billy/v5 v5.6.1 // indirect github.com/go-ini/ini v1.67.0 // indirect diff --git a/go.sum b/go.sum index 58abf76d25..28e1f22870 100644 --- a/go.sum +++ b/go.sum @@ -919,8 +919,8 @@ github.com/go-faster/city v1.0.1 h1:4WAxSZ3V2Ws4QRDrscLEDcibJY8uf41H6AhXDrNDcGw= github.com/go-faster/city v1.0.1/go.mod h1:jKcUJId49qdW3L1qKHH/3wPeUstCVpVSXTM6vO3VcTw= github.com/go-faster/errors v0.7.1 h1:MkJTnDoEdi9pDabt1dpWf7AA8/BaSYZqibYyhZ20AYg= github.com/go-faster/errors v0.7.1/go.mod h1:5ySTjWFiphBs07IKuiL69nxdfd5+fzh1u7FPGZP2quo= -github.com/go-fed/httpsig v1.1.1-0.20201223112313-55836744818e h1:oRq/fiirun5HqlEWMLIcDmLpIELlG4iGbd0s8iqgPi8= -github.com/go-fed/httpsig v1.1.1-0.20201223112313-55836744818e/go.mod h1:RCMrTZvN1bJYtofsG4rd5NaO5obxQ5xBkdiS7xsT7bM= +github.com/go-fed/httpsig v1.1.0 h1:9M+hb0jkEICD8/cAiNqEB66R87tTINszBRTjwjQzWcI= +github.com/go-fed/httpsig v1.1.0/go.mod h1:RCMrTZvN1bJYtofsG4rd5NaO5obxQ5xBkdiS7xsT7bM= github.com/go-fonts/dejavu v0.1.0/go.mod h1:4Wt4I4OU2Nq9asgDCteaAaWZOV24E+0/Pwo0gppep4g= github.com/go-fonts/latin-modern v0.2.0/go.mod h1:rQVLdDMK+mK1xscDwsqM5J8U2jrRa3T0ecnM9pNujks= github.com/go-fonts/liberation v0.1.1/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2HYqyqAO9z7GY= diff --git a/modules/activitypub/client.go b/modules/activitypub/client.go index 064d8984c1..645a4b8c8d 100644 --- a/modules/activitypub/client.go +++ b/modules/activitypub/client.go @@ -22,7 +22,7 @@ import ( "code.gitea.io/gitea/modules/proxy" "code.gitea.io/gitea/modules/setting" - "github.com/go-fed/httpsig" + "github.com/42wim/httpsig" ) const ( diff --git a/modules/setting/federation.go b/modules/setting/federation.go index aeb30683ea..edb18e0054 100644 --- a/modules/setting/federation.go +++ b/modules/setting/federation.go @@ -6,7 +6,7 @@ package setting import ( "code.gitea.io/gitea/modules/log" - "github.com/go-fed/httpsig" + "github.com/42wim/httpsig" ) // Federation settings diff --git a/routers/api/v1/activitypub/reqsignature.go b/routers/api/v1/activitypub/reqsignature.go index 6003f664a0..19d167b50b 100644 --- a/routers/api/v1/activitypub/reqsignature.go +++ b/routers/api/v1/activitypub/reqsignature.go @@ -18,8 +18,8 @@ import ( "code.gitea.io/gitea/modules/setting" gitea_context "code.gitea.io/gitea/services/context" + "github.com/42wim/httpsig" ap "github.com/go-ap/activitypub" - "github.com/go-fed/httpsig" ) func getPublicKeyFromResponse(b []byte, keyID *url.URL) (p crypto.PublicKey, err error) { diff --git a/services/auth/httpsign.go b/services/auth/httpsign.go index b604349f80..83a36bef23 100644 --- a/services/auth/httpsign.go +++ b/services/auth/httpsign.go @@ -17,7 +17,7 @@ import ( "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/setting" - "github.com/go-fed/httpsig" + "github.com/42wim/httpsig" "golang.org/x/crypto/ssh" ) @@ -205,7 +205,7 @@ func doVerify(verifier httpsig.Verifier, sshPublicKeys []ssh.PublicKey) error { case strings.HasPrefix(publicKey.Type(), "ssh-ed25519"): algos = []httpsig.Algorithm{httpsig.ED25519} case strings.HasPrefix(publicKey.Type(), "ssh-rsa"): - algos = []httpsig.Algorithm{httpsig.RSA_SHA1, httpsig.RSA_SHA256, httpsig.RSA_SHA512} + algos = []httpsig.Algorithm{httpsig.RSA_SHA256, httpsig.RSA_SHA512} } for _, algo := range algos { if err := verifier.Verify(cryptoPubkey, algo); err == nil { diff --git a/tests/integration/api_httpsig_test.go b/tests/integration/api_httpsig_test.go index 30aed3cacc..cca477f5e1 100644 --- a/tests/integration/api_httpsig_test.go +++ b/tests/integration/api_httpsig_test.go @@ -15,7 +15,7 @@ import ( "code.gitea.io/gitea/modules/test" "code.gitea.io/gitea/tests" - "github.com/go-fed/httpsig" + "github.com/42wim/httpsig" "golang.org/x/crypto/ssh" )