Support expiration of metadata by package archivesscratch/package-security

Expiring package metadata is done by checking the timestamp in package archive file. This is intended to limit the effectiveness of a replay attack. The onus is on the package archives to implement a secure and reasonable policy. (Debian uses 7 days before metadata expires.) Together with package checksums, this adds sufficient protection against metadata replay attacks. (Bug#19479) * lisp/emacs-lisp/package.el (package-check-timestamp): New defcustom. (bad-timestamp): New error. (package--parse-header-from-buffer) (package--parse-valid-until-from-buffer) (package--parse-last-updated-from-buffer) (package--archive-verify-timestamp) (package--archive-verify-not-expired) (package--compare-archive-timestamps) (package--check-archive-timestamp): New defuns. (package--download-one-archive): Check timestamp of the 'archive-contents' file using above functions. It is only checked if it exists, which makes this change backwards compatible. * lisp/calendar/iso8601.el (iso8601-parse): Add autoload cookie. * test/lisp/emacs-lisp/package-tests.el (package-test-parse-valid-until-from-buffer) (package-test-parse-last-updated-from-buffer) (package-test-archive-verify-timestamp) (package-test-check-archive-timestamp) (package-test-check-archive-timestamp/not-expired) (package-test-check-archive-timestamp/expired): New tests. * test/lisp/emacs-lisp/package-resources/archives/older/archive-contents: * test/lisp/emacs-lisp/package-resources/archives/newer/archive-contents: New files. * doc/lispref/package.texi (Package Archives, Archive Web Server): Document how to increase the security of a package archive using checksums, signing and timestamps.
author: Stefan Kangas 2020-09-07 07:31:56 +0200
committer: Stefan Kangas 2020-11-22 00:38:35 +0100
commit: bcde5f86c5a7f3a84115807520631a4f12fb6f70 (patch)
tree: 6254f8d19ef474f965567ce7922b84ed93312a19 /test
parent: 733e674af4f66ba7e9f0614b931c44484acce2b9 (diff)
download: emacs-scratch/package-security.tar.gz
emacs-scratch/package-security.zip
3 files changed, 63 insertions, 0 deletions
diff --git a/test/lisp/emacs-lisp/package-resources/archives/newer/archive-contents b/test/lisp/emacs-lisp/package-resources/archives/newer/archive-contents
new file mode 100644
index 00000000000..59a79970b6b
--- /dev/null
+++ b/test/lisp/emacs-lisp/package-resources/archives/newer/archive-contents
@@ -0,0 +1 @@
+;; Last-Updated: 2020-06-01T00:00:00.000Z
diff --git a/test/lisp/emacs-lisp/package-resources/archives/older/archive-contents b/test/lisp/emacs-lisp/package-resources/archives/older/archive-contents
new file mode 100644
index 00000000000..193a6b5ab94
--- /dev/null
+++ b/test/lisp/emacs-lisp/package-resources/archives/older/archive-contents
@@ -0,0 +1 @@
+;; Last-Updated: 2019-01-01T00:00:00.000Z
diff --git a/test/lisp/emacs-lisp/package-tests.el b/test/lisp/emacs-lisp/package-tests.el
index a81506d626b..b0da54a3015 100644
--- a/test/lisp/emacs-lisp/package-tests.el
+++ b/test/lisp/emacs-lisp/package-tests.el
@@ -857,6 +857,67 @@ If the rest succeed, just ignore the unsupported one."
      (insert "7")
      (should-error (package--verify-package-size pkg-desc)))))
+(ert-deftest package-test-parse-valid-until-from-buffer ()
+  (with-temp-buffer
+    (insert ";; Valid-Until: 2020-05-01T15:43:35.000Z\n(foo bar baz)")
+    (should (equal (package--parse-valid-until-from-buffer "foo")
+                   '(24236 17319)))))
+(ert-deftest package-test-parse-last-updated-from-buffer ()
+  (with-temp-buffer
+    (insert ";; Last-Updated: 2020-05-01T15:43:35.000Z\n(foo bar baz)")
+    (should (equal (package--parse-last-updated-from-buffer "foo")
+                   '(24236 17319)))))
+(defun package-tests--parse-last-updated (timestamp)
+  (with-temp-buffer
+    (insert timestamp)
+    (package--parse-last-updated-from-buffer "test")))
+(ert-deftest package-test-archive-verify-timestamp ()
+  (let ((a (package-tests--parse-last-updated
+            ";; Last-Updated: 2020-05-01T15:43:35.000Z\n"))
+        (b (package-tests--parse-last-updated
+            ";; Last-Updated: 2020-06-01T15:43:35.000Z\n"))
+        (c (package-tests--parse-last-updated
+            ";; Last-Updated: 2020-07-01T15:43:35.000Z\n")))
+    (should (package--archive-verify-timestamp b nil "foo"))
+    (should (package--archive-verify-timestamp b a "foo"))
+    (should (package--archive-verify-timestamp c a "foo"))
+    (should (package--archive-verify-timestamp c b "foo"))
+    ;; Signal error.
+    (should-error (package--archive-verify-timestamp a b "foo")
+                  :type 'bad-timestamp)
+    (should-error (package--archive-verify-timestamp a c "foo")
+                  :type 'bad-timestamp)
+    (should-error (package--archive-verify-timestamp b c "foo")
+                  :type 'bad-timestamp)
+    (should-error (package--archive-verify-timestamp nil a "foo")
+                  :type 'bad-timestamp)))
+(ert-deftest package-test-check-archive-timestamp ()
+  (let ((package-user-dir package-test-data-dir))
+    (with-temp-buffer
+      (insert ";; Last-Updated: 2020-01-01T00:00:00.000Z\n")
+      (package--check-archive-timestamp "older")
+      (package--check-archive-timestamp "missing")
+      (should-error (package--check-archive-timestamp "newer")
+                    :type 'bad-timestamp))))
+(ert-deftest package-test-check-archive-timestamp/not-expired ()
+  (let ((package-user-dir package-test-data-dir))
+    (with-temp-buffer
+      (insert ";; Last-Updated: 2020-01-01T00:00:00.000Z\n"
+              ";; Valid-Until: 2999-01-02T00:00:00.000Z\n")
+      (should-not (package--check-archive-timestamp "older")))))
+(ert-deftest package-test-check-archive-timestamp/expired ()
+  (let ((package-user-dir package-test-data-dir))
+    (with-temp-buffer
+      (insert ";; Last-Updated: 2020-01-01T00:00:00.000Z\n"
+              ";; Valid-Until: 2020-01-02T00:00:00.000Z\n")
+      (should-error (package--check-archive-timestamp "older")))))
 ;;; Tests for package-x features.
author	Stefan Kangas	2020-09-07 07:31:56 +0200
committer	Stefan Kangas	2020-11-22 00:38:35 +0100
commit	bcde5f86c5a7f3a84115807520631a4f12fb6f70 (patch)
tree	6254f8d19ef474f965567ce7922b84ed93312a19 /test
parent	733e674af4f66ba7e9f0614b931c44484acce2b9 (diff)
download	emacs-scratch/package-security.tar.gz emacs-scratch/package-security.zip

diff --git a/test/lisp/emacs-lisp/package-resources/archives/newer/archive-contents b/test/lisp/emacs-lisp/package-resources/archives/newer/archive-contents new file mode 100644 index 00000000000..59a79970b6b --- /dev/null +++ b/test/lisp/emacs-lisp/package-resources/archives/newer/archive-contents
@@ -0,0 +1 @@
			;; Last-Updated: 2020-06-01T00:00:00.000Z


diff --git a/test/lisp/emacs-lisp/package-resources/archives/older/archive-contents b/test/lisp/emacs-lisp/package-resources/archives/older/archive-contents new file mode 100644 index 00000000000..193a6b5ab94 --- /dev/null +++ b/test/lisp/emacs-lisp/package-resources/archives/older/archive-contents
@@ -0,0 +1 @@
			;; Last-Updated: 2019-01-01T00:00:00.000Z


diff --git a/test/lisp/emacs-lisp/package-tests.el b/test/lisp/emacs-lisp/package-tests.el index a81506d626b..b0da54a3015 100644 --- a/test/lisp/emacs-lisp/package-tests.el +++ b/test/lisp/emacs-lisp/package-tests.el
@@ -857,6 +857,67 @@ If the rest succeed, just ignore the unsupported one."
857	(insert "7")	857	(insert "7")
858	(should-error (package--verify-package-size pkg-desc)))))	858	(should-error (package--verify-package-size pkg-desc)))))
859		859
		860	(ert-deftest package-test-parse-valid-until-from-buffer ()
		861	(with-temp-buffer
		862	(insert ";; Valid-Until: 2020-05-01T15:43:35.000Z\n(foo bar baz)")
		863	(should (equal (package--parse-valid-until-from-buffer "foo")
		864	'(24236 17319)))))
		865
		866	(ert-deftest package-test-parse-last-updated-from-buffer ()
		867	(with-temp-buffer
		868	(insert ";; Last-Updated: 2020-05-01T15:43:35.000Z\n(foo bar baz)")
		869	(should (equal (package--parse-last-updated-from-buffer "foo")
		870	'(24236 17319)))))
		871
		872	(defun package-tests--parse-last-updated (timestamp)
		873	(with-temp-buffer
		874	(insert timestamp)
		875	(package--parse-last-updated-from-buffer "test")))
		876
		877	(ert-deftest package-test-archive-verify-timestamp ()
		878	(let ((a (package-tests--parse-last-updated
		879	";; Last-Updated: 2020-05-01T15:43:35.000Z\n"))
		880	(b (package-tests--parse-last-updated
		881	";; Last-Updated: 2020-06-01T15:43:35.000Z\n"))
		882	(c (package-tests--parse-last-updated
		883	";; Last-Updated: 2020-07-01T15:43:35.000Z\n")))
		884	(should (package--archive-verify-timestamp b nil "foo"))
		885	(should (package--archive-verify-timestamp b a "foo"))
		886	(should (package--archive-verify-timestamp c a "foo"))
		887	(should (package--archive-verify-timestamp c b "foo"))
		888	;; Signal error.
		889	(should-error (package--archive-verify-timestamp a b "foo")
		890	:type 'bad-timestamp)
		891	(should-error (package--archive-verify-timestamp a c "foo")
		892	:type 'bad-timestamp)
		893	(should-error (package--archive-verify-timestamp b c "foo")
		894	:type 'bad-timestamp)
		895	(should-error (package--archive-verify-timestamp nil a "foo")
		896	:type 'bad-timestamp)))
		897
		898	(ert-deftest package-test-check-archive-timestamp ()
		899	(let ((package-user-dir package-test-data-dir))
		900	(with-temp-buffer
		901	(insert ";; Last-Updated: 2020-01-01T00:00:00.000Z\n")
		902	(package--check-archive-timestamp "older")
		903	(package--check-archive-timestamp "missing")
		904	(should-error (package--check-archive-timestamp "newer")
		905	:type 'bad-timestamp))))
		906
		907	(ert-deftest package-test-check-archive-timestamp/not-expired ()
		908	(let ((package-user-dir package-test-data-dir))
		909	(with-temp-buffer
		910	(insert ";; Last-Updated: 2020-01-01T00:00:00.000Z\n"
		911	";; Valid-Until: 2999-01-02T00:00:00.000Z\n")
		912	(should-not (package--check-archive-timestamp "older")))))
		913
		914	(ert-deftest package-test-check-archive-timestamp/expired ()
		915	(let ((package-user-dir package-test-data-dir))
		916	(with-temp-buffer
		917	(insert ";; Last-Updated: 2020-01-01T00:00:00.000Z\n"
		918	";; Valid-Until: 2020-01-02T00:00:00.000Z\n")
		919	(should-error (package--check-archive-timestamp "older")))))
		920
860		921
861	;;; Tests for package-x features.	922	;;; Tests for package-x features.
862		923