66
67
{ "cert", required_argument, NULL, 'c' },
67
68
{ "no-verify", no_argument, NULL, 'n' },
68
69
{ "detached", required_argument, NULL, 'd' },
70
{ "verbose", no_argument, NULL, 'v' },
69
71
{ "help", no_argument, NULL, 'h' },
70
72
{ "version", no_argument, NULL, 'V' },
71
73
{ NULL, 0, NULL, 0 },
105
static void print_signature_info(PKCS7 *p7)
107
char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
108
PKCS7_SIGNER_INFO *si;
112
printf("image signature issuers:\n");
114
for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(p7->d.sign->signer_info);
116
si = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, i);
117
X509_NAME_oneline(si->issuer_and_serial->issuer,
118
issuer_name, cert_name_len);
119
printf(" - %s\n", issuer_name);
122
printf("image signature certificates:\n");
124
for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
125
cert = sk_X509_value(p7->d.sign->cert, i);
126
X509_NAME_oneline(cert->cert_info->subject,
127
subject_name, cert_name_len);
128
X509_NAME_oneline(cert->cert_info->issuer,
129
issuer_name, cert_name_len);
131
printf(" - subject: %s\n", subject_name);
132
printf(" issuer: %s\n", issuer_name);
136
static void print_certificate_store_certs(X509_STORE *certs)
138
char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
142
printf("certificate store:\n");
144
for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
145
obj = sk_X509_OBJECT_value(certs->objs, i);
147
if (obj->type != X509_LU_X509)
150
X509_NAME_oneline(obj->data.x509->cert_info->subject,
151
subject_name, cert_name_len);
152
X509_NAME_oneline(obj->data.x509->cert_info->issuer,
153
issuer_name, cert_name_len);
155
printf(" - subject: %s\n", subject_name);
156
printf(" issuer: %s\n", issuer_name);
103
160
static int load_image_signature_data(struct image *image,
104
161
uint8_t **buf, size_t *len)
123
180
return fileio_read_file(image, filename, buf, len);
183
static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
187
obj.type = X509_LU_X509;
188
obj.data.x509 = cert;
190
return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
126
193
static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
128
195
int err = X509_STORE_CTX_get_error(ctx);
132
199
&& ctx->cert->ex_xkusage == XKU_CODE_SIGN)
202
/* all certs given with the --cert argument are trusted */
203
else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
204
err == X509_V_ERR_CERT_UNTRUSTED) {
206
if (cert_in_store(ctx->current_cert, ctx))