mirror of
https://github.com/NixOS/nix.git
synced 2025-11-26 04:00:59 +01:00
Separate headers from source files
The short answer for why we need to do this is so we can consistently do `#include "nix/..."`. Without this change, there are ways to still make that work, but they are hacky, and they have downsides such as making it harder to make sure headers from the wrong Nix library (e..g. `libnixexpr` headers in `libnixutil`) aren't being used. The C API alraedy used `nix_api_*`, so its headers are *not* put in subdirectories accordingly. Progress on #7876 We resisted doing this for a while because it would be annoying to not have the header source file pairs close by / easy to change file path/name from one to the other. But I am ameliorating that with symlinks in the next commit.
This commit is contained in:
John Ericson
parent
326548bae5
commit
f3e1c47f47
664 changed files with 2974 additions and 2913 deletions
|
|
@ -1,7 +1,7 @@
|
|||
#include "signature/local-keys.hh"
|
||||
#include "nix/signature/local-keys.hh"
|
||||
|
||||
#include "file-system.hh"
|
||||
#include "util.hh"
|
||||
#include "nix/file-system.hh"
|
||||
#include "nix/util.hh"
|
||||
#include <sodium.h>
|
||||
|
||||
namespace nix {
|
||||
|
|
|
|||
|
|
@ -1,107 +0,0 @@
|
|||
#pragma once
|
||||
///@file
|
||||
|
||||
#include "types.hh"
|
||||
|
||||
#include <map>
|
||||
|
||||
namespace nix {
|
||||
|
||||
/**
|
||||
* Except where otherwise noted, Nix serializes keys and signatures in
|
||||
* the form:
|
||||
*
|
||||
* ```
|
||||
* <name>:<key/signature-in-Base64>
|
||||
* ```
|
||||
*/
|
||||
struct BorrowedCryptoValue {
|
||||
std::string_view name;
|
||||
std::string_view payload;
|
||||
|
||||
/**
|
||||
* This splits on the colon, the user can then separated decode the
|
||||
* Base64 payload separately.
|
||||
*/
|
||||
static BorrowedCryptoValue parse(std::string_view);
|
||||
};
|
||||
|
||||
struct Key
|
||||
{
|
||||
std::string name;
|
||||
std::string key;
|
||||
|
||||
std::string to_string() const;
|
||||
|
||||
protected:
|
||||
|
||||
/**
|
||||
* Construct Key from a string in the format
|
||||
* ‘<name>:<key-in-base64>’.
|
||||
*
|
||||
* @param sensitiveValue Avoid displaying the raw Base64 in error
|
||||
* messages to avoid leaking private keys.
|
||||
*/
|
||||
Key(std::string_view s, bool sensitiveValue);
|
||||
|
||||
Key(std::string_view name, std::string && key)
|
||||
: name(name), key(std::move(key)) { }
|
||||
};
|
||||
|
||||
struct PublicKey;
|
||||
|
||||
struct SecretKey : Key
|
||||
{
|
||||
SecretKey(std::string_view s);
|
||||
|
||||
/**
|
||||
* Return a detached signature of the given string.
|
||||
*/
|
||||
std::string signDetached(std::string_view s) const;
|
||||
|
||||
PublicKey toPublicKey() const;
|
||||
|
||||
static SecretKey generate(std::string_view name);
|
||||
|
||||
private:
|
||||
SecretKey(std::string_view name, std::string && key)
|
||||
: Key(name, std::move(key)) { }
|
||||
};
|
||||
|
||||
struct PublicKey : Key
|
||||
{
|
||||
PublicKey(std::string_view data);
|
||||
|
||||
/**
|
||||
* @return true iff `sig` and this key's names match, and `sig` is a
|
||||
* correct signature over `data` using the given public key.
|
||||
*/
|
||||
bool verifyDetached(std::string_view data, std::string_view sigs) const;
|
||||
|
||||
/**
|
||||
* @return true iff `sig` is a correct signature over `data` using the
|
||||
* given public key.
|
||||
*
|
||||
* @param just the Base64 signature itself, not a colon-separated pair of a
|
||||
* public key name and signature.
|
||||
*/
|
||||
bool verifyDetachedAnon(std::string_view data, std::string_view sigs) const;
|
||||
|
||||
private:
|
||||
PublicKey(std::string_view name, std::string && key)
|
||||
: Key(name, std::move(key)) { }
|
||||
friend struct SecretKey;
|
||||
};
|
||||
|
||||
/**
|
||||
* Map from key names to public keys
|
||||
*/
|
||||
typedef std::map<std::string, PublicKey> PublicKeys;
|
||||
|
||||
/**
|
||||
* @return true iff ‘sig’ is a correct signature over ‘data’ using one
|
||||
* of the given public keys.
|
||||
*/
|
||||
bool verifyDetached(std::string_view data, std::string_view sig, const PublicKeys & publicKeys);
|
||||
|
||||
}
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
#include "signature/signer.hh"
|
||||
#include "error.hh"
|
||||
#include "nix/signature/signer.hh"
|
||||
#include "nix/error.hh"
|
||||
|
||||
#include <sodium.h>
|
||||
|
||||
|
|
|
|||
|
|
@ -1,61 +0,0 @@
|
|||
#pragma once
|
||||
|
||||
#include "types.hh"
|
||||
#include "signature/local-keys.hh"
|
||||
|
||||
#include <map>
|
||||
#include <optional>
|
||||
|
||||
namespace nix {
|
||||
|
||||
/**
|
||||
* An abstract signer
|
||||
*
|
||||
* Derive from this class to implement a custom signature scheme.
|
||||
*
|
||||
* It is only necessary to implement signature of bytes and provide a
|
||||
* public key.
|
||||
*/
|
||||
struct Signer
|
||||
{
|
||||
virtual ~Signer() = default;
|
||||
|
||||
/**
|
||||
* Sign the given data, creating a (detached) signature.
|
||||
*
|
||||
* @param data data to be signed.
|
||||
*
|
||||
* @return the [detached
|
||||
* signature](https://en.wikipedia.org/wiki/Detached_signature),
|
||||
* i.e. just the signature itself without a copy of the signed data.
|
||||
*/
|
||||
virtual std::string signDetached(std::string_view data) const = 0;
|
||||
|
||||
/**
|
||||
* View the public key associated with this `Signer`.
|
||||
*/
|
||||
virtual const PublicKey & getPublicKey() = 0;
|
||||
};
|
||||
|
||||
using Signers = std::map<std::string, Signer*>;
|
||||
|
||||
/**
|
||||
* Local signer
|
||||
*
|
||||
* The private key is held in this machine's RAM
|
||||
*/
|
||||
struct LocalSigner : Signer
|
||||
{
|
||||
LocalSigner(SecretKey && privateKey);
|
||||
|
||||
std::string signDetached(std::string_view s) const override;
|
||||
|
||||
const PublicKey & getPublicKey() override;
|
||||
|
||||
private:
|
||||
|
||||
SecretKey privateKey;
|
||||
PublicKey publicKey;
|
||||
};
|
||||
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue