← Back to branch summary

~ubuntu-branches/ubuntu/saucy/sbsigntool/saucy-proposed

« back to all changes in this revision

Viewing changes to src/sbverify.c

  • Committer: Package Import Robot
  • Author(s): Steve Langasek
  • Date: 2012-10-11 17:24:56 UTC
  • mfrom: (1.1.4)
  • Revision ID: package-import@ubuntu.com-20121011172456-nvbcxl0ong0xal8a
Tags: 0.6-0ubuntu1
https://launchpad.net/bugs/1063061
* New upstream release.
  - Uses the new mount point for the efivars directory, for compatibility
    with the pending upstream kernel patches and compatibility with what
    mountall is doing.  LP: #1063061.
  - Fixes sbverify verification of the pkcs7 bundles that Microsoft-signed
    binaries deliver to us, enabling us to do build-time verification of
    shim-signed.

Show diffs side-by-side

added added

removed removed

Lines of Context:
src/sbverify.c
56
56
#include <openssl/x509v3.h>
57
57
 
58
58
static const char *toolname = "sbverify";
 
59
static const int cert_name_len = 160;
59
60
 
60
61
enum verify_status {
61
62
        VERIFY_FAIL = 0,
66
67
        { "cert", required_argument, NULL, 'c' },
67
68
        { "no-verify", no_argument, NULL, 'n' },
68
69
        { "detached", required_argument, NULL, 'd' },
 
70
        { "verbose", no_argument, NULL, 'v' },
69
71
        { "help", no_argument, NULL, 'h' },
70
72
        { "version", no_argument, NULL, 'V' },
71
73
        { NULL, 0, NULL, 0 },
100
102
        return 0;
101
103
}
102
104
 
 
105
static void print_signature_info(PKCS7 *p7)
 
106
{
 
107
        char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
 
108
        PKCS7_SIGNER_INFO *si;
 
109
        X509 *cert;
 
110
        int i;
 
111
 
 
112
        printf("image signature issuers:\n");
 
113
 
 
114
        for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(p7->d.sign->signer_info);
 
115
                        i++) {
 
116
                si = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, i);
 
117
                X509_NAME_oneline(si->issuer_and_serial->issuer,
 
118
                                issuer_name, cert_name_len);
 
119
                printf(" - %s\n", issuer_name);
 
120
        }
 
121
 
 
122
        printf("image signature certificates:\n");
 
123
 
 
124
        for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
 
125
                cert = sk_X509_value(p7->d.sign->cert, i);
 
126
                X509_NAME_oneline(cert->cert_info->subject,
 
127
                                subject_name, cert_name_len);
 
128
                X509_NAME_oneline(cert->cert_info->issuer,
 
129
                                issuer_name, cert_name_len);
 
130
 
 
131
                printf(" - subject: %s\n", subject_name);
 
132
                printf("   issuer:  %s\n", issuer_name);
 
133
        }
 
134
}
 
135
 
 
136
static void print_certificate_store_certs(X509_STORE *certs)
 
137
{
 
138
        char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
 
139
        X509_OBJECT *obj;
 
140
        int i;
 
141
 
 
142
        printf("certificate store:\n");
 
143
 
 
144
        for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
 
145
                obj = sk_X509_OBJECT_value(certs->objs, i);
 
146
 
 
147
                if (obj->type != X509_LU_X509)
 
148
                        continue;
 
149
 
 
150
                X509_NAME_oneline(obj->data.x509->cert_info->subject,
 
151
                                subject_name, cert_name_len);
 
152
                X509_NAME_oneline(obj->data.x509->cert_info->issuer,
 
153
                                issuer_name, cert_name_len);
 
154
 
 
155
                printf(" - subject: %s\n", subject_name);
 
156
                printf("   issuer:  %s\n", issuer_name);
 
157
        }
 
158
}
 
159
 
103
160
static int load_image_signature_data(struct image *image,
104
161
                uint8_t **buf, size_t *len)
105
162
{
123
180
        return fileio_read_file(image, filename, buf, len);
124
181
}
125
182
 
 
183
static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
 
184
{
 
185
        X509_OBJECT obj;
 
186
 
 
187
        obj.type = X509_LU_X509;
 
188
        obj.data.x509 = cert;
 
189
 
 
190
        return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
 
191
}
 
192
 
126
193
static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
127
194
{
128
195
        int err = X509_STORE_CTX_get_error(ctx);
132
199
                        && ctx->cert->ex_xkusage == XKU_CODE_SIGN)
133
200
                status = 1;
134
201
 
 
202
        /* all certs given with the --cert argument are trusted */
 
203
        else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
 
204
                        err == X509_V_ERR_CERT_UNTRUSTED) {
 
205
 
 
206
                if (cert_in_store(ctx->current_cert, ctx))
 
207
                        status = 1;
 
208
        }
 
209
 
135
210
        return status;
136
211
}
137
212
 
146
221
        uint8_t *sig_buf;
147
222
        size_t sig_size;
148
223
        struct idc *idc;
 
224
        bool verbose;
149
225
        BIO *idcbio;
150
226
        PKCS7 *p7;
151
227
 
152
228
        status = VERIFY_FAIL;
153
229
        certs = X509_STORE_new();
154
230
        verify = 1;
 
231
        verbose = false;
155
232
        detached_sig_filename = NULL;
156
233
 
157
234
        OpenSSL_add_all_digests();
175
252
                case 'n':
176
253
                        verify = 0;
177
254
                        break;
 
255
                case 'v':
 
256
                        verbose = true;
 
257
                        break;
178
258
                case 'V':
179
259
                        version();
180
260
                        return EXIT_SUCCESS;
218
298
                goto out;
219
299
        }
220
300
 
 
301
        if (verbose) {
 
302
                print_signature_info(p7);
 
303
                print_certificate_store_certs(certs);
 
304
        }
 
305
 
221
306
        idcbio = BIO_new(BIO_s_mem());
222
307
        idc = IDC_get(p7, idcbio);
223
308
        if (!idc)