Code Review
/
src
/
app-framework-main.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
review
|
tree
raw
|
inline
| side by side
Refactor ALLOW_NO_SIGNATURE compile flag
[src/app-framework-main.git]
/
src
/
wgtpkg-digsig.c
diff --git
a/src/wgtpkg-digsig.c
b/src/wgtpkg-digsig.c
index
3aa4da3
..
d190d23
100644
(file)
--- a/
src/wgtpkg-digsig.c
+++ b/
src/wgtpkg-digsig.c
@@
-1,5
+1,7
@@
/*
/*
- Copyright 2015 IoT.bzh
+ Copyright (C) 2015-2020 IoT.bzh
+
+ author: José Bollo <jose.bollo@iot.bzh>
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@
-16,7
+18,6
@@
#include <string.h>
#include <string.h>
-#include <syslog.h>
#include <assert.h>
#include <fcntl.h>
#include <unistd.h>
#include <assert.h>
#include <fcntl.h>
#include <unistd.h>
@@
-28,7
+29,11
@@
#include "verbose.h"
#include "verbose.h"
-#include "wgtpkg.h"
+#include "wgtpkg-files.h"
+#include "wgtpkg-workdir.h"
+#include "wgtpkg-certs.h"
+#include "wgtpkg-xmlsec.h"
+#include "wgtpkg-digsig.h"
@@
-83,7
+88,7
@@
static xmlNodePtr search_for(const char *attrname, const char *value)
val = xmlGetProp(iter, attrname);
if (val != NULL && !strcmp(val, value)) {
if (result != NULL) {
val = xmlGetProp(iter, attrname);
if (val != NULL && !strcmp(val, value)) {
if (result != NULL) {
-
syslog(LOG_ERR,
"duplicated %s %s", attrname, value);
+
ERROR(
"duplicated %s %s", attrname, value);
free(val);
return NULL;
}
free(val);
return NULL;
}
@@
-105,7
+110,7
@@
static xmlNodePtr search_for(const char *attrname, const char *value)
iter = next;
}
if (result == NULL)
iter = next;
}
if (result == NULL)
-
syslog(LOG_ERR,
"node of %s '%s' not found", attrname, value);
+
ERROR(
"node of %s '%s' not found", attrname, value);
return result;
}
return result;
}
@@
-130,30
+135,30
@@
static int check_one_reference(xmlNodePtr ref)
/* get the uri */
uri = xmlGetProp(ref, "URI");
if (uri == NULL) {
/* get the uri */
uri = xmlGetProp(ref, "URI");
if (uri == NULL) {
-
syslog(LOG_ERR,
"attribute URI of element <Reference> not found");
+
ERROR(
"attribute URI of element <Reference> not found");
goto error;
}
/* parse the uri */
u = xmlParseURI(uri);
if (!u) {
goto error;
}
/* parse the uri */
u = xmlParseURI(uri);
if (!u) {
-
syslog(LOG_ERR,
"error while parsing URI %s", uri);
+
ERROR(
"error while parsing URI %s", uri);
goto error2;
}
/* check that unexpected parts are not there */
if (u->scheme || u->opaque || u->authority || u->server || u->user || u->query) {
goto error2;
}
/* check that unexpected parts are not there */
if (u->scheme || u->opaque || u->authority || u->server || u->user || u->query) {
-
syslog(LOG_ERR,
"unexpected uri component in %s", uri);
+
ERROR(
"unexpected uri component in %s", uri);
goto error3;
}
/* check path and fragment */
if (!u->path && !u->fragment) {
goto error3;
}
/* check path and fragment */
if (!u->path && !u->fragment) {
-
syslog(LOG_ERR,
"invalid uri %s", uri);
+
ERROR(
"invalid uri %s", uri);
goto error3;
}
if (u->path && u->fragment) {
goto error3;
}
if (u->path && u->fragment) {
-
syslog(LOG_ERR,
"not allowed to sign foreign fragment in %s", uri);
+
ERROR(
"not allowed to sign foreign fragment in %s", uri);
goto error3;
}
goto error3;
}
@@
-161,15
+166,15
@@
static int check_one_reference(xmlNodePtr ref)
/* check that the path is valid */
fdesc = file_of_name(u->path);
if (fdesc == NULL) {
/* check that the path is valid */
fdesc = file_of_name(u->path);
if (fdesc == NULL) {
-
syslog(LOG_ERR,
"reference to unknown file %s", u->path);
+
ERROR(
"reference to unknown file %s", u->path);
goto error3;
}
if (fdesc->type != type_file) {
goto error3;
}
if (fdesc->type != type_file) {
-
syslog(LOG_ERR,
"reference to directory %s", u->path);
+
ERROR(
"reference to directory %s", u->path);
goto error3;
}
if ((fdesc->flags & flag_distributor_signature) != 0) {
goto error3;
}
if ((fdesc->flags & flag_distributor_signature) != 0) {
-
syslog(LOG_ERR,
"reference to signature %s", u->path);
+
ERROR(
"reference to signature %s", u->path);
goto error3;
}
fdesc->flags |= flag_referenced;
goto error3;
}
fdesc->flags |= flag_referenced;
@@
-188,18
+193,37
@@
error:
static int check_references(xmlNodePtr sinfo)
{
static int check_references(xmlNodePtr sinfo)
{
+ unsigned int i, n, flags;
+ struct filedesc *f;
+ int result;
xmlNodePtr elem;
xmlNodePtr elem;
+ result = 0;
elem = sinfo->children;
while (elem != NULL) {
if (is_element(elem, "Reference"))
if (check_one_reference(elem))
elem = sinfo->children;
while (elem != NULL) {
if (is_element(elem, "Reference"))
if (check_one_reference(elem))
- re
turn
-1;
+ re
sult =
-1;
elem = elem->next;
}
elem = elem->next;
}
- return 0;
+
+ n = file_count();
+ i = 0;
+ while(i < n) {
+ f = file_of_index(i++);
+ if (f->type == type_file) {
+ flags = f->flags;
+ if (!(flags & (flag_signature | flag_referenced))) {
+ ERROR("file not referenced in signature: %s", f->name);
+ result = -1;
+ }
+ }
+ }
+
+ return result;
}
}
+
static int get_certificates(xmlNodePtr kinfo)
{
xmlNodePtr n1, n2;
static int get_certificates(xmlNodePtr kinfo)
{
xmlNodePtr n1, n2;
@@
-214,7
+238,7
@@
static int get_certificates(xmlNodePtr kinfo)
if (is_element(n2, "X509Certificate")) {
b = xmlNodeGetContent(n2);
if (b == NULL) {
if (is_element(n2, "X509Certificate")) {
b = xmlNodeGetContent(n2);
if (b == NULL) {
-
syslog(LOG_ERR,
"xmlNodeGetContent of X509Certificate failed");
+
ERROR(
"xmlNodeGetContent of X509Certificate failed");
return -1;
}
rc = add_certificate_b64(b);
return -1;
}
rc = add_certificate_b64(b);
@@
-240,19
+264,19
@@
static int checkdocument()
rootsig = xmlDocGetRootElement(document);
if (!is_node(rootsig, "Signature")) {
rootsig = xmlDocGetRootElement(document);
if (!is_node(rootsig, "Signature")) {
-
syslog(LOG_ERR,
"root element <Signature> not found");
+
ERROR(
"root element <Signature> not found");
goto error;
}
sinfo = next_element(rootsig->children);
if (!is_node(sinfo, "SignedInfo")) {
goto error;
}
sinfo = next_element(rootsig->children);
if (!is_node(sinfo, "SignedInfo")) {
-
syslog(LOG_ERR,
"element <SignedInfo> not found");
+
ERROR(
"element <SignedInfo> not found");
goto error;
}
svalue = next_element(sinfo->next);
if (!is_node(svalue, "SignatureValue")) {
goto error;
}
svalue = next_element(sinfo->next);
if (!is_node(svalue, "SignatureValue")) {
-
syslog(LOG_ERR,
"element <SignatureValue> not found");
+
ERROR(
"element <SignatureValue> not found");
goto error;
}
goto error;
}
@@
-284,7
+308,7
@@
int verify_digsig(struct filedesc *fdesc)
int res, fd;
assert ((fdesc->flags & flag_signature) != 0);
int res, fd;
assert ((fdesc->flags & flag_signature) != 0);
-
debug("-- checking file %s",
fdesc->name);
+
DEBUG("-- checking file %s",
fdesc->name);
/* reset the flags */
file_clear_flags();
/* reset the flags */
file_clear_flags();
@@
-293,37
+317,51
@@
int verify_digsig(struct filedesc *fdesc)
/* reads and xml parses the signature file */
fd = openat(workdirfd, fdesc->name, O_RDONLY);
if (fd < 0) {
/* reads and xml parses the signature file */
fd = openat(workdirfd, fdesc->name, O_RDONLY);
if (fd < 0) {
-
syslog(LOG_ERR,
"cant't open file %s", fdesc->name);
+
ERROR(
"cant't open file %s", fdesc->name);
return -1;
}
document = xmlReadFd(fd, fdesc->name, NULL, 0);
close(fd);
if (document == NULL) {
return -1;
}
document = xmlReadFd(fd, fdesc->name, NULL, 0);
close(fd);
if (document == NULL) {
-
syslog(LOG_ERR,
"xml parse of file %s failed", fdesc->name);
+
ERROR(
"xml parse of file %s failed", fdesc->name);
return -1;
}
res = checkdocument();
if (res)
return -1;
}
res = checkdocument();
if (res)
-
syslog(LOG_ERR,
"previous error was during check of file %s", fdesc->name);
+
ERROR(
"previous error was during check of file %s", fdesc->name);
xmlFreeDoc(document);
return res;
}
/* check all the signature files */
xmlFreeDoc(document);
return res;
}
/* check all the signature files */
-int check_all_signatures()
+int check_all_signatures(
int allow_none
)
{
int rc, irc;
unsigned int i, n;
struct filedesc *fdesc;
n = signature_count();
{
int rc, irc;
unsigned int i, n;
struct filedesc *fdesc;
n = signature_count();
+ if (n == 0) {
+ if (!allow_none) {
+ ERROR("no signature found");
+ return -1;
+ }
+ return 0;
+ }
+
+ rc = xmlsec_init();
+ if (rc < 0) {
+ ERROR("can't check signature");
+ return rc;
+ }
+
rc = 0;
rc = 0;
- for (i = n ; i
-- > 0
; ) {
- fdesc = signature_of_index(i);
+ for (i = n ; i ; ) {
+ fdesc = signature_of_index(
--
i);
irc = verify_digsig(fdesc);
irc = verify_digsig(fdesc);
- if (
!irc
)
+ if (
irc < 0
)
rc = irc;
}
rc = irc;
}
@@
-333,11
+371,12
@@
int check_all_signatures()
/* create a signature of 'index' (0 for author, other values for distributors)
using the private 'key' (filename) and the certificates 'certs' (filenames)
as trusted chain */
/* create a signature of 'index' (0 for author, other values for distributors)
using the private 'key' (filename) and the certificates 'certs' (filenames)
as trusted chain */
-int create_digsig(int index, const char *key, const char **certs)
+int create_digsig(
unsigned
int index, const char *key, const char **certs)
{
struct filedesc *fdesc;
xmlDocPtr doc;
{
struct filedesc *fdesc;
xmlDocPtr doc;
- int rc, len, fd;
+ int rc, fd;
+ long len;
xmlSaveCtxtPtr ctx;
rc = -1;
xmlSaveCtxtPtr ctx;
rc = -1;
@@
-355,18
+394,18
@@
int create_digsig(int index, const char *key, const char **certs)
/* save the doc as file */
fd = openat(workdirfd, fdesc->name, O_WRONLY|O_CREAT|O_TRUNC, 0644);
if (fd < 0) {
/* save the doc as file */
fd = openat(workdirfd, fdesc->name, O_WRONLY|O_CREAT|O_TRUNC, 0644);
if (fd < 0) {
-
syslog(LOG_ERR,
"cant open %s for write", fdesc->name);
+
ERROR(
"cant open %s for write", fdesc->name);
goto error2;
}
ctx = xmlSaveToFd(fd, NULL, XML_SAVE_FORMAT);
if (!ctx) {
goto error2;
}
ctx = xmlSaveToFd(fd, NULL, XML_SAVE_FORMAT);
if (!ctx) {
-
syslog(LOG_ERR,
"xmlSaveToFd failed for %s", fdesc->name);
+
ERROR(
"xmlSaveToFd failed for %s", fdesc->name);
goto error3;
}
len = xmlSaveDoc(ctx, doc);
if (len < 0) {
goto error3;
}
len = xmlSaveDoc(ctx, doc);
if (len < 0) {
-
syslog(LOG_ERR,
"xmlSaveDoc to %s failed", fdesc->name);
- goto error
2
;
+
ERROR(
"xmlSaveDoc to %s failed", fdesc->name);
+ goto error
4
;
}
rc = 0;
}
rc = 0;