Redo how the repository keys are stored.

- Repository keys are now stored in a new directory on metadir (/var/db/xbps):

	<metadir>/key>

- Repository keys are stored with the hex fingerprint of its RSA
  public key in a plist dictionary:

	<metadir>/keys/xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.plist

- Drop xbps-rkeys(8) and merge its functionality into xbps-install(8) and
  xbps-query(8).

- xbps-query(8) -vL now shows some more details of remote repositories:

 3134 http://localhost:8000 (RSA signed, verified)
      Signed-by: Void Linux
      4096 60:ae:0c:d6:f0:95:17:80:bc:93:46:7a:89:af:a3:2d
   16 http://localhost:8000/nonfree (RSA signed, verified)
      Signed-by: Void Linux
      4096 60:ae:0c:d6:f0:95:17:80:bc:93:46:7a:89:af:a3:2d

Bump XBPS_API_VERSION.

lib/initend.c

@@ -256,8 +256,6 @@ xbps_end(struct xbps_handle *xhp)
 
 	if (xbps_object_type(xhp->pkgdb_revdeps) != XBPS_TYPE_UNKNOWN)
 		xbps_object_release(xhp->pkgdb_revdeps);
-	if (xbps_object_type(xhp->repokeys) != XBPS_TYPE_UNKNOWN)
-		xbps_object_release(xhp->repokeys);
 
 	xbps_fetch_unset_cache_connection();
 	cfg_free(xhp->cfg);

lib/pubkey2fp.c

@@ -43,7 +43,26 @@ SshEncodeBuffer(unsigned char *pEncoding, int bufferLen, unsigned char *pBuffer)
 	return index + bufferLen;
 }
 
-unsigned char *
+static char *
+fp2str(unsigned const char *fp, unsigned int len)
+{
+	unsigned int i, c = 0;
+	char res[48], cur[4];
+
+	for (i = 0; i < len; i++) {
+		if (i > 0)
+			c = i*3;
+		sprintf(cur, "%02x", fp[i]);
+		res[c] = cur[0];
+		res[c+1] = cur[1];
+		res[c+2] = ':';
+	}
+	res[c+2] = '\0';
+
+	return strdup(res);
+}
+
+char *
 xbps_pubkey2fp(struct xbps_handle *xhp, xbps_data_t pubkey)
 {
 	EVP_MD_CTX mdctx;
@@ -51,9 +70,10 @@ xbps_pubkey2fp(struct xbps_handle *xhp, xbps_data_t pubkey)
 	RSA *pRsa = NULL;
 	BIO *bio = NULL;
 	const void *pubkeydata;
-	unsigned char *md_value = NULL;
+	unsigned char md_value[EVP_MAX_MD_SIZE];
 	unsigned char *nBytes = NULL, *eBytes = NULL, *pEncoding = NULL;
 	unsigned int md_len = 0;
+	char *hexfpstr = NULL;
 	int index = 0, nLen = 0, eLen = 0, encodingLength = 0;
 
 	ERR_load_crypto_strings();
@@ -112,14 +132,13 @@ xbps_pubkey2fp(struct xbps_handle *xhp, xbps_data_t pubkey)
 	EVP_MD_CTX_init(&mdctx);
 	EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL);
 	EVP_DigestUpdate(&mdctx, pEncoding, encodingLength);
-	md_value = malloc(EVP_MAX_MD_SIZE);
-	if (EVP_DigestFinal_ex(&mdctx, md_value, &md_len) == 0) {
-		free(md_value);
-		md_value = NULL;
-	} else {
-		md_value[md_len] = '\0';
-	}
+	if (EVP_DigestFinal_ex(&mdctx, md_value, &md_len) == 0)
+		goto error;
 	EVP_MD_CTX_cleanup(&mdctx);
+	/*
+	 * Convert result to a compatible OpenSSH hex fingerprint.
+	 */
+	hexfpstr = fp2str(md_value, md_len);
 
 error:
 	if (bio)
@@ -138,5 +157,5 @@ error:
 	EVP_cleanup();
 	ERR_free_strings();
 
-	return md_value;
+	return hexfpstr;
 }

lib/repo.c

@@ -91,6 +91,7 @@ repo_get_dict(struct xbps_repo *repo, const char *fname)
 struct xbps_repo *
 xbps_repo_open(struct xbps_handle *xhp, const char *url)
 {
+	xbps_dictionary_t meta;
 	struct xbps_repo *repo;
 	struct stat st;
 	const char *arch;
@@ -119,14 +120,12 @@ xbps_repo_open(struct xbps_handle *xhp, const char *url)
 		repofile = xbps_repo_path(xhp, url);
 	}
 
-	repo = malloc(sizeof(struct xbps_repo));
+	repo = calloc(1, sizeof(struct xbps_repo));
 	assert(repo);
 
 	repo->xhp = xhp;
 	repo->uri = url;
 	repo->ar = archive_read_new();
-	repo->is_verified = false;
-	repo->is_signed = false;
 	repo->is_remote = is_remote;
 	archive_read_support_compression_gzip(repo->ar);
 	archive_read_support_format_tar(repo->ar);
@@ -157,10 +156,18 @@ xbps_repo_open(struct xbps_handle *xhp, const char *url)
 		repo = NULL;
 		goto out;
 	}
-	if ((repo->meta = repo_get_dict(repo, XBPS_REPOIDX_META)))
-		repo->is_signed = true;
+	if (!is_remote)
+		goto out;
+
+	if ((meta = repo_get_dict(repo, XBPS_REPOIDX_META))) {
+		repo->is_signed = true;
+		repo->signature = xbps_dictionary_get(meta, "signature");
+		xbps_dictionary_get_cstring_nocopy(meta, "signature-by", &repo->signedby);
+		repo->pubkey = xbps_dictionary_get(meta, "public-key");
+		xbps_dictionary_get_uint16(meta, "public-key-size", &repo->pubkey_size);
+		repo->hexfp = xbps_pubkey2fp(repo->xhp, repo->pubkey);
+	}
 
-	repo->idxfiles = NULL;
 out:
 	free(repofile);
 	return repo;
@@ -198,10 +205,6 @@ xbps_repo_close(struct xbps_repo *repo)
 	if (repo->ar != NULL)
 		archive_read_finish(repo->ar);
 
-	if (repo->meta != NULL) {
-		xbps_object_release(repo->meta);
-		repo->meta = NULL;
-	}
 	if (repo->idx != NULL) {
 		xbps_object_release(repo->idx);
 		repo->idx = NULL;
@@ -210,6 +213,8 @@ xbps_repo_close(struct xbps_repo *repo)
 		xbps_object_release(repo->idxfiles);
 		repo->idxfiles = NULL;
 	}
+	if (repo->hexfp != NULL)
+		free(repo->hexfp);
 }
 
 xbps_dictionary_t

lib/repo_keys.c

@@ -27,6 +27,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
+#include <libgen.h>
 
 #include <openssl/err.h>
 #include <openssl/sha.h>
@@ -39,11 +40,8 @@
 int
 xbps_repo_key_import(struct xbps_repo *repo)
 {
-	xbps_dictionary_t repokeyd, newmetad = NULL;
-	xbps_data_t rpubkey;
-	const char *signedby;
-	unsigned char *fp = NULL;
-	char *rkeypath = NULL;
+	xbps_dictionary_t repokeyd = NULL;
+	char *p, *dbkeyd, *rkeyfile = NULL;
 	int import, rv = 0;
 
 	assert(repo);
@@ -55,93 +53,80 @@ xbps_repo_key_import(struct xbps_repo *repo)
 	/*
 	 * If repository does not have required metadata plist, ignore it.
 	 */
-	if (xbps_dictionary_count(repo->meta) == 0) {
+	if (repo->signature == NULL && repo->pubkey == NULL) {
 		xbps_dbg_printf(repo->xhp,
 		    "[repo] `%s' unsigned repository!\n", repo->uri);
 		return 0;
 	}
-	/*
-	 * Check if the public key has been stored for this repository.
-	 */
-	rkeypath = xbps_xasprintf("%s/%s", repo->xhp->metadir, XBPS_REPOKEYS);
-	if (repo->xhp->repokeys == NULL) {
-		repo->xhp->repokeys = xbps_dictionary_internalize_from_file(rkeypath);
-		if (xbps_object_type(repo->xhp->repokeys) != XBPS_TYPE_DICTIONARY)
-			repo->xhp->repokeys = xbps_dictionary_create();
-	}
-	repokeyd = xbps_dictionary_get(repo->xhp->repokeys, repo->uri);
-	if (xbps_object_type(repokeyd) == XBPS_TYPE_DICTIONARY) {
-		if (xbps_dictionary_get(repokeyd, "public-key")) {
-			xbps_dbg_printf(repo->xhp,
-			    "[repo] `%s' public key already stored.\n",
-			    repo->uri);
-			goto out;
-		}
-	}
 	/*
 	 * Check the repository provides a working public-key data object.
 	 */
-	rpubkey = xbps_dictionary_get(repo->meta, "public-key");
-	if (xbps_object_type(rpubkey) != XBPS_TYPE_DATA) {
-		rv = EINVAL;
+	repo->is_signed = true;
+	if (repo->hexfp == NULL) {
 		xbps_dbg_printf(repo->xhp,
-		    "[repo] `%s' invalid public-key object!\n", repo->uri);
+		    "[repo] `%s': invalid hex fingerprint: %s\n",
+		    repo->uri, strerror(errno));
+		rv = EINVAL;
+		goto out;
+	}
+	/*
+	 * Check if the public key is alredy stored.
+	 */
+	rkeyfile = xbps_xasprintf("%s/keys/%s.plist",
+	    repo->xhp->metadir, repo->hexfp);
+	repokeyd = xbps_dictionary_internalize_from_zfile(rkeyfile);
+	if (xbps_object_type(repokeyd) == XBPS_TYPE_DICTIONARY) {
+		xbps_dbg_printf(repo->xhp,
+		    "[repo] `%s' public key already stored.\n", repo->uri);
 		goto out;
 	}
-	repo->is_signed = true;
 	/*
 	 * Notify the client and take appropiate action to import
 	 * the repository public key. Pass back the public key openssh fingerprint
 	 * to the client.
 	 */
-	fp = xbps_pubkey2fp(repo->xhp, rpubkey);
-	if (fp == NULL) {
-		xbps_dbg_printf(repo->xhp,
-		    "[repo] `%s': failed to compute hex fingerprint: %s\n",
-		    repo->uri, strerror(errno));
-		rv = EINVAL;
-		goto out;
-	}
-	xbps_dictionary_get_cstring_nocopy(repo->meta, "signature-by", &signedby);
-	import = xbps_set_cb_state(repo->xhp, XBPS_STATE_REPO_KEY_IMPORT,
-			0, (const char *)fp,
-			"`%s' repository is RSA signed by \"%s\"",
-			repo->uri, signedby);
-	free(fp);
+	import = xbps_set_cb_state(repo->xhp, XBPS_STATE_REPO_KEY_IMPORT, 0,
+			repo->hexfp, "`%s' repository has been RSA signed by \"%s\"",
+			repo->uri, repo->signedby);
 	if (import <= 0) {
 		rv = EAGAIN;
 		goto out;
 	}
-	/*
-	 * Add the meta dictionary into XBPS_REPOKEYS and externalize it.
-	 */
-	newmetad = xbps_dictionary_copy_mutable(repo->meta);
-	xbps_dictionary_remove(newmetad, "signature");
-	xbps_dictionary_set(repo->xhp->repokeys, repo->uri, newmetad);
 
-	if (access(repo->xhp->metadir, R_OK|W_OK) == -1) {
+	p = strdup(rkeyfile);
+	dbkeyd = dirname(p);
+	assert(dbkeyd);
+	if (access(dbkeyd, R_OK|W_OK) == -1) {
 		if (errno == ENOENT) {
-			xbps_mkpath(repo->xhp->metadir, 0755);
+			xbps_mkpath(dbkeyd, 0755);
 		} else {
 			rv = errno;
 			xbps_dbg_printf(repo->xhp,
-			    "[repo] `%s' cannot create metadir: %s\n",
-			    repo->uri, strerror(errno));
+			    "[repo] `%s' cannot create %s: %s\n",
+			    repo->uri, dbkeyd, strerror(errno));
+			free(p);
 			goto out;
 		}
 	}
-	if (!xbps_dictionary_externalize_to_file(repo->xhp->repokeys, rkeypath)) {
+	free(p);
+
+	repokeyd = xbps_dictionary_create();
+	xbps_dictionary_set(repokeyd, "public-key", repo->pubkey);
+	xbps_dictionary_set_uint16(repokeyd, "public-key-size", repo->pubkey_size);
+	xbps_dictionary_set_cstring_nocopy(repokeyd, "signature-by", repo->signedby);
+
+	if (!xbps_dictionary_externalize_to_zfile(repokeyd, rkeyfile)) {
 		rv = errno;
 		xbps_dbg_printf(repo->xhp,
 		    "[repo] `%s' failed to externalize %s: %s\n",
-		    repo->uri, XBPS_REPOKEYS, strerror(rv));
+		    repo->uri, rkeyfile, strerror(rv));
 	}
 
 out:
-	if (newmetad)
-		xbps_object_release(newmetad);
-	if (rkeypath)
-		free(rkeypath);
+	if (repokeyd)
+		xbps_object_release(repokeyd);
+	if (rkeyfile)
+		free(rkeyfile);
 	return rv;
 }
 
@@ -195,32 +180,36 @@ int HIDDEN
 xbps_repo_key_verify(struct xbps_repo *repo)
 {
 	xbps_dictionary_t repokeyd;
-	xbps_data_t sigdata, pubkey;
-	char *idx_xml;
+	xbps_data_t xbps_pubkey;
+	char *idx_xml, *rkeyfile;
 
-	if (repo->xhp->repokeys == NULL)
-		return ENOENT;
+	if (!repo->signature || !repo->hexfp)
+		return EINVAL;
 
-	repokeyd = xbps_dictionary_get(repo->xhp->repokeys, repo->uri);
-	if (xbps_dictionary_count(repokeyd) == 0) {
-		xbps_dbg_printf(repo->xhp,
-		    "[repo] `%s': empty %s dictionary\n",
-		    repo->uri, XBPS_REPOKEYS);
-		return ENOENT;
+	rkeyfile = xbps_xasprintf("%s/keys/%s.plist",
+	    repo->xhp->metadir, repo->hexfp);
+	repokeyd = xbps_dictionary_internalize_from_zfile(rkeyfile);
+	free(rkeyfile);
+	if (xbps_object_type(repokeyd) != XBPS_TYPE_DICTIONARY)
+		return EINVAL;
+
+	xbps_pubkey = xbps_dictionary_get(repokeyd, "public-key");
+	if (xbps_object_type(xbps_pubkey) != XBPS_TYPE_DATA) {
+		xbps_object_release(repokeyd);
+		return EINVAL;
 	}
 
 	idx_xml = xbps_dictionary_externalize(repo->idx);
-	assert(idx_xml);
+	if (idx_xml == NULL) {
+		xbps_object_release(repokeyd);
+		return EINVAL;
+	}
 
-	sigdata = xbps_dictionary_get(repo->meta, "signature");
-	assert(xbps_object_type(sigdata) == XBPS_TYPE_DATA);
-	pubkey = xbps_dictionary_get(repokeyd, "public-key");
-	assert(xbps_object_type(pubkey) == XBPS_TYPE_DATA);
-	/* XXX ignore 'signature-type' for now */
-	if (rsa_verify_buf(repo, sigdata, pubkey, idx_xml) == 0)
+	if (rsa_verify_buf(repo, repo->signature, xbps_pubkey, idx_xml) == 0)
 		repo->is_verified = true;
 
 	free(idx_xml);
+	xbps_object_release(repokeyd);
 
 	return repo->is_verified ? 0 : EPERM;
 }

lib/rpool.c

@@ -52,7 +52,6 @@ xbps_rpool_init(struct xbps_handle *xhp)
 {
 	struct rpool *rp;
 	const char *repouri;
-	char *p;
 	bool foundrepo = false;
 	int retval, rv = 0;
 
@@ -61,10 +60,6 @@ xbps_rpool_init(struct xbps_handle *xhp)
 	if (xhp->rpool_initialized)
 		return 0;
 
-	p = xbps_xasprintf("%s/%s", xhp->metadir, XBPS_REPOKEYS);
-	xhp->repokeys = xbps_dictionary_internalize_from_file(p);
-	free(p);
-
 	for (unsigned int i = 0; i < xbps_array_count(xhp->repositories); i++) {
 		rp = malloc(sizeof(struct rpool));
 		assert(rp);
@@ -89,10 +84,12 @@ xbps_rpool_init(struct xbps_handle *xhp)
 				retval = xbps_repo_key_verify(rp->repo);
 				if (retval == 0) {
 					/* signed, verified */
-					xbps_set_cb_state(xhp, XBPS_STATE_REPO_SIGVERIFIED, 0, NULL, NULL);
+					xbps_set_cb_state(xhp, XBPS_STATE_REPO_SIGVERIFIED,
+					    0, repouri, NULL);
 				} else if (retval == EPERM) {
 					/* signed, unverified */
-					xbps_set_cb_state(xhp, XBPS_STATE_REPO_SIGUNVERIFIED, 0, NULL, NULL);
+					xbps_set_cb_state(xhp, XBPS_STATE_REPO_SIGUNVERIFIED,
+					    0, repouri, NULL);
 					xbps_repo_invalidate(rp->repo);
 				} else {
 					/* any error */