/*
- Copyright 2015 IoT.bzh
+ Copyright (C) 2015-2020 IoT.bzh
author: José Bollo <jose.bollo@iot.bzh>
#include "verbose.h"
-#include "wgtpkg.h"
+#include "wgtpkg-files.h"
+#include "wgtpkg-workdir.h"
+#include "wgtpkg-certs.h"
+#include "wgtpkg-xmlsec.h"
+#include "wgtpkg-digsig.h"
int res, fd;
assert ((fdesc->flags & flag_signature) != 0);
- DEBUG("-- checking file %s",fdesc->name);
+ DEBUG("-- checking file %s", fdesc->name);
/* reset the flags */
file_clear_flags();
}
/* check all the signature files */
-int check_all_signatures()
+int check_all_signatures(int allow_none)
{
int rc, irc;
unsigned int i, n;
struct filedesc *fdesc;
n = signature_count();
+ if (n == 0) {
+ if (!allow_none) {
+ ERROR("no signature found");
+ return -1;
+ }
+ return 0;
+ }
+
+ rc = xmlsec_init();
+ if (rc < 0) {
+ ERROR("can't check signature");
+ return rc;
+ }
+
rc = 0;
- for (i = n ; i-- > 0 ; ) {
- fdesc = signature_of_index(i);
+ for (i = n ; i ; ) {
+ fdesc = signature_of_index(--i);
irc = verify_digsig(fdesc);
- if (!irc)
+ if (irc < 0)
rc = irc;
}
/* create a signature of 'index' (0 for author, other values for distributors)
using the private 'key' (filename) and the certificates 'certs' (filenames)
as trusted chain */
-int create_digsig(int index, const char *key, const char **certs)
+int create_digsig(unsigned int index, const char *key, const char **certs)
{
struct filedesc *fdesc;
xmlDocPtr doc;
- int rc, len, fd;
+ int rc, fd;
+ long len;
xmlSaveCtxtPtr ctx;
rc = -1;
return rc;
}
+/* create a digital signature(s) from environment data */
+int create_auto_digsig()
+{
+ static const char envvar_prefix[] = "WGTPKG_AUTOSIGN_";
+ extern char **environ;
+
+ char **enviter;
+ char *var;
+ char *iter;
+ char *equal;
+ unsigned int num;
+ char *keyfile;
+ const char *certfiles[10];
+ int ncert;
+ int rc;
+ int i;
+
+ rc = 0;
+ /* enumerate environment variables */
+ enviter = environ;
+ while (rc == 0 && (var = *enviter++) != NULL) {
+ /* check the prefix */
+ if (0 != strncmp(var, envvar_prefix, sizeof(envvar_prefix) - 1))
+ continue; /* not an auto sign variable */
+ DEBUG("autosign found %s", var);
+
+ /* check the num */
+ iter = &var[sizeof(envvar_prefix) - 1];
+ if (*iter < '0' || *iter > '9') {
+ ERROR("bad autosign key found: %s", var);
+ rc = -1;
+ continue;
+ }
+
+ /* compute the number */
+ num = (unsigned int)(*iter++ - '0');
+ while (*iter >= '0' && *iter <= '9')
+ num = 10 * num + (unsigned int)(*iter++ - '0');
+
+ /* next char must be = */
+ if (*iter != '=' || !iter[1]) {
+ /* it is not an error to have an empty autosign */
+ WARNING("ignoring autosign key %.*s", (int)(iter - var), var);
+ continue;
+ }
+
+ /* auto signing with num */
+ INFO("autosign key %u found", num);
+
+ /* compute key and certificates */
+ equal = iter++;
+ keyfile = iter;
+ *equal = 0;
+ ncert = 0;
+ while (ncert < (int)((sizeof certfiles / sizeof *certfiles) - 1)
+ && (iter = strchr(iter, ':')) != NULL) {
+ *iter++ = 0;
+ certfiles[ncert++] = iter;
+ }
+ certfiles[ncert] = NULL;
+
+ /* check the parameters */
+ if (access(keyfile, R_OK) != 0) {
+ ERROR("autosign %u can't access private key %s", num, keyfile);
+ rc = -1;
+ }
+ for(i = 0 ; i < ncert ; i++) {
+ if (access(certfiles[i], R_OK) != 0) {
+ ERROR("autosign %u can't access certificate %s", num, certfiles[i]);
+ rc = -1;
+ }
+ }
+
+ /* sign now */
+ if (rc == 0) {
+ rc = xmlsec_init();
+ if (rc == 0) {
+ rc = create_digsig(num, keyfile, certfiles);
+ }
+ }
+
+ /* restore stolen chars */
+ while(ncert)
+ *(char*)(certfiles[--ncert] - 1) = ':';
+ *equal = '=';
+ }
+ return rc;
+}