gocheese.go | 27 +++++++++++++++++++++++++-- gocheese.texi | 1 + refresh.go | 5 ++++- diff --git a/gocheese.go b/gocheese.go index 347a2f2967bc32e62fe9549c7565b111f820ecccb162d3839f1d92124d2632cd..3853940c5239b5dfcca0c448104ec33d79da8af96dd6b0c528562b30f92ce4ea 100644 --- a/gocheese.go +++ b/gocheese.go @@ -22,7 +22,10 @@ import ( "bytes" "context" + "crypto/sha256" + "crypto/tls" "encoding/hex" + "errors" "flag" "fmt" "io/ioutil" @@ -43,7 +46,7 @@ "golang.org/x/net/netutil" ) const ( - Version = "2.5.0" + Version = "2.6.0" HTMLBegin = ` @@ -95,6 +98,7 @@ norefreshURLPath = flag.String("norefresh", "/norefresh/", "Non-refreshing URL path") refreshURLPath = flag.String("refresh", "/simple/", "Auto-refreshing URL path") gpgUpdateURLPath = flag.String("gpgupdate", "/gpgupdate/", "GPG forceful refreshing URL path") pypiURL = flag.String("pypi", "https://pypi.org/simple/", "Upstream PyPI URL") + pypiCertHash = flag.String("pypi-cert-hash", "", "Authenticate PyPI by its X.509 certificate's SHA256 hash") passwdPath = flag.String("passwd", "passwd", "Path to file with authenticators") logTimestamped = flag.Bool("log-timestamped", false, "Prepend timestmap to log messages") passwdCheck = flag.Bool("passwd-check", false, "Test the -passwd file for syntax errors and exit") @@ -169,7 +173,7 @@ } var result bytes.Buffer result.WriteString(fmt.Sprintf(HTMLBegin, pkgName)) for _, algo := range knownHashAlgos { - for fn, _ := range files { + for fn := range files { if killed { // Skip expensive I/O when shutting down http.Error(w, "shutting down", http.StatusInternalServerError) @@ -298,6 +302,25 @@ if err != nil { log.Fatalln(err) } refreshPasswd() + if *pypiCertHash == "" { + pypiHTTPTransport = http.Transport{} + } else { + ourDgst, err := hex.DecodeString(*pypiCertHash) + if err != nil { + log.Fatalln(err) + } + pypiHTTPTransport = http.Transport{ + TLSClientConfig: &tls.Config{ + VerifyConnection: func(s tls.ConnectionState) error { + spki := s.VerifiedChains[0][0].RawSubjectPublicKeyInfo + theirDgst := sha256.Sum256(spki) + if bytes.Compare(ourDgst, theirDgst[:]) != 0 { + return errors.New("certificate's digest mismatch") + } + return nil + }}, + } + } ln, err := net.Listen("tcp", *bind) if err != nil { diff --git a/gocheese.texi b/gocheese.texi index 0cba468b54b9a7c472a9a733e23e41744621f61d01f98728ce7d54816ab1c0bb..86f250c2c98742662b78f208b2a2ca963dc14e0e08ae940bb86a637b458645e7 100644 --- a/gocheese.texi +++ b/gocheese.texi @@ -45,6 +45,7 @@ @item @url{https://pythonwheels.com/, Wheel} uploading support @item Integrity check of proxied packages: MD5, SHA256, SHA512, BLAKE2b-256 @item SHA256 checksums for stored packages @item Verifying of SHA256 checksum for uploaded packages +@item Ability to authenticate upstream PyPI with its X.509 certificate's hash @item Storing of uploaded GPG signatures @item Secure Argon2i (or SHA256) stored passwords hashing @item No YAML configuration, just command-line arguments diff --git a/refresh.go b/refresh.go index 48b609bb59762313f55a69f567805a975aaa23dfb9631db20f7e33ef0d81f3ee..88a93721f70eeddd170f7ed68e0395236f63df5cf20faee7ec32e57f463f9b1a 100644 --- a/refresh.go +++ b/refresh.go @@ -37,6 +37,8 @@ "golang.org/x/crypto/blake2b" ) +var pypiHTTPTransport http.Transport + func blake2b256New() hash.Hash { h, err := blake2b.New256(nil) if err != nil { @@ -54,7 +56,8 @@ ) bool { if _, err := os.Stat(filepath.Join(*root, pkgName, InternalFlag)); err == nil { return true } - resp, err := http.Get(*pypiURL + pkgName + "/") + c := http.Client{Transport: &pypiHTTPTransport} + resp, err := c.Get(*pypiURL + pkgName + "/") if err != nil { log.Println("error", r.RemoteAddr, "refresh", pkgName, err) http.Error(w, err.Error(), http.StatusBadGateway)