--- /dev/null
+/*
+ Copyright 2015 IoT.bzh
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+
+#include <string.h>
+#include <syslog.h>
+#include <assert.h>
+
+#include <libxml/parser.h>
+#include <libxml/tree.h>
+#include <libxml/uri.h>
+
+
+#include "wgtpkg.h"
+
+
+
+static const char uri_role_author[] = "http://www.w3.org/ns/widgets-digsig#role-author";
+static const char uri_role_distributor[] = "http://www.w3.org/ns/widgets-digsig#role-distributor";
+static const char uri_profile[] = "http://www.w3.org/ns/widgets-digsig#profile";
+
+
+/* global data */
+static xmlDocPtr document; /* the document */
+
+/* facility to get the first element node (skip text nodes) starting with 'node' */
+static xmlNodePtr next_element(xmlNodePtr node)
+{
+ while (node && node->type != XML_ELEMENT_NODE)
+ node = node->next;
+ return node;
+}
+
+/* is the 'node' an element node of 'name'? */
+static int is_element(xmlNodePtr node, const char *name)
+{
+ return node->type == XML_ELEMENT_NODE
+ && !strcmp(name, node->name);
+}
+
+/* is the 'node' an element node of 'name'? */
+static int is_node(xmlNodePtr node, const char *name)
+{
+ return node != NULL && is_element(node, name);
+}
+
+#if 0
+/* facility to get the first element node (skip text nodes) starting with 'node' */
+static xmlNodePtr next_element_type(xmlNodePtr node, const char *name)
+{
+ while (node && node->type != XML_ELEMENT_NODE && strcmp(name, node->name))
+ node = node->next;
+ return node;
+}
+
+/* search the element node of id. NOTE : not optimized at all */
+static xmlNodePtr search_for(const char *attrname, const char *value)
+{
+ char *val;
+ xmlNodePtr iter, next;
+ xmlNodePtr result;
+
+ result = NULL;
+ iter = xmlDocGetRootElement(document);
+ while (iter != NULL) {
+ val = xmlGetProp(iter, attrname);
+ if (val != NULL && !strcmp(val, value)) {
+ if (result != NULL) {
+ syslog(LOG_ERR, "duplicated %s %s", attrname, value);
+ free(val);
+ return NULL;
+ }
+ result = iter;
+ }
+ free(val);
+ next = next_element(iter->children);
+ if (next == NULL) {
+ /* no child, try sibling */
+ next = next_element(iter->next);
+ if (next == NULL) {
+ iter = iter->parent;
+ while (iter != NULL && next == NULL) {
+ next = next_element(iter->next);
+ iter = iter->parent;
+ }
+ }
+ }
+ iter = next;
+ }
+ if (result == NULL)
+ syslog(LOG_ERR, "node of %s '%s' not found", attrname, value);
+ return result;
+}
+
+/* search the element node of id. NOTE : not optimized at all */
+static xmlNodePtr search_id(const char *id)
+{
+ return search_for("Id", id);
+}
+#endif
+
+/* check the digest of one element */
+static int check_one_reference(xmlNodePtr ref)
+{
+ int rc;
+ char *uri;
+ xmlURIPtr u;
+ struct filedesc *fdesc;
+
+ /* start */
+ rc = -1;
+
+ /* get the uri */
+ uri = xmlGetProp(ref, "URI");
+ if (uri == NULL) {
+ syslog(LOG_ERR, "attribute URI of element <Reference> not found");
+ goto error;
+ }
+
+ /* parse the uri */
+ u = xmlParseURI(uri);
+ if (!u) {
+ syslog(LOG_ERR, "error while parsing URI %s", uri);
+ goto error2;
+ }
+
+ /* check that unexpected parts are not there */
+ if (u->scheme || u->opaque || u->authority || u->server || u->user || u->query) {
+ syslog(LOG_ERR, "unexpected uri component in %s", uri);
+ goto error3;
+ }
+
+ /* check path and fragment */
+ if (!u->path && !u->fragment) {
+ syslog(LOG_ERR, "invalid uri %s", uri);
+ goto error3;
+ }
+ if (u->path && u->fragment) {
+ syslog(LOG_ERR, "not allowed to sign foreign fragment in %s", uri);
+ goto error3;
+ }
+
+ if (u->path) {
+ /* check that the path is valid */
+ fdesc = file_of_name(u->path);
+ if (fdesc == NULL) {
+ syslog(LOG_ERR, "reference to unknown file %s", u->path);
+ goto error3;
+ }
+ if (fdesc->type != type_file) {
+ syslog(LOG_ERR, "reference to directory %s", u->path);
+ goto error3;
+ }
+ if ((fdesc->flags & flag_distributor_signature) != 0) {
+ syslog(LOG_ERR, "reference to signature %s", u->path);
+ goto error3;
+ }
+ fdesc->flags |= flag_referenced;
+ rc = 0;
+ } else {
+ rc = 0;
+ }
+
+error3:
+ xmlFreeURI(u);
+error2:
+ xmlFree(uri);
+error:
+ return rc;
+}
+
+static int check_references(xmlNodePtr sinfo)
+{
+ xmlNodePtr elem;
+
+ elem = sinfo->children;
+ while (elem != NULL) {
+ if (is_element(elem, "Reference"))
+ if (check_one_reference(elem))
+ return -1;
+ elem = elem->next;
+ }
+ return 0;
+}
+
+static int get_certificates(xmlNodePtr kinfo)
+{
+ xmlNodePtr n1, n2;
+ char *b;
+ int rc;
+
+ n1 = kinfo->children;
+ while (n1) {
+ if (is_element(n1, "X509Data")) {
+ n2 = n1->children;
+ while (n2) {
+ if (is_element(n2, "X509Certificate")) {
+ b = xmlNodeGetContent(n2);
+ if (b == NULL) {
+ syslog(LOG_ERR, "xmlNodeGetContent of X509Certificate failed");
+ return -1;
+ }
+ rc = add_certificate_b64(b);
+ xmlFree(b);
+ if (rc)
+ return rc;
+ }
+ n2 = n2->next;
+ }
+ }
+ n1 = n1->next;
+ }
+ return 0;
+}
+
+/* checks the current document */
+static int checkdocument()
+{
+ int rc;
+ xmlNodePtr sinfo, svalue, kinfo, objs, rootsig;
+
+ rc = -1;
+
+ rootsig = xmlDocGetRootElement(document);
+ if (!is_node(rootsig, "Signature")) {
+ syslog(LOG_ERR, "root element <Signature> not found");
+ goto error;
+ }
+
+ sinfo = next_element(rootsig->children);
+ if (!is_node(sinfo, "SignedInfo")) {
+ syslog(LOG_ERR, "element <SignedInfo> not found");
+ goto error;
+ }
+
+ svalue = next_element(sinfo->next);
+ if (!is_node(svalue, "SignatureValue")) {
+ syslog(LOG_ERR, "element <SignatureValue> not found");
+ goto error;
+ }
+
+ kinfo = next_element(svalue->next);
+ if (is_node(kinfo, "KeyInfo")) {
+ objs = kinfo->next;
+ } else {
+ objs = kinfo;
+ kinfo = NULL;
+ }
+
+ rc = check_references(sinfo);
+ if (rc)
+ goto error;
+
+ rc = xmlsec_verify(rootsig);
+ if (rc)
+ goto error;
+
+ rc = get_certificates(kinfo);
+
+error:
+ return rc;
+}
+
+/* verify the digital signature of the file described by 'fdesc' */
+int verify_digsig(struct filedesc *fdesc)
+{
+ int res;
+
+ assert ((fdesc->flags & flag_signature) != 0);
+ debug("-- checking file %s",fdesc->name);
+
+ /* reset the flags */
+ file_clear_flags();
+ clear_certificates();
+
+ /* reads and xml parses the signature file */
+ document = xmlReadFile(fdesc->name, NULL, 0);
+ if (document == NULL) {
+ syslog(LOG_ERR, "xml parse of file %s failed", fdesc->name);
+ return -1;
+ }
+
+ res = checkdocument();
+ if (res)
+ syslog(LOG_ERR, "previous error was during check of file %s", fdesc->name);
+
+ xmlFreeDoc(document);
+ return res;
+}
+
+/* check all the signature files */
+int check_all_signatures()
+{
+ int rc, irc;
+ unsigned int i, n;
+ struct filedesc *fdesc;
+
+ n = signature_count();
+ rc = 0;
+ for (i = n ; i-- > 0 ; ) {
+ fdesc = signature_of_index(i);
+ irc = verify_digsig(fdesc);
+ if (!irc)
+ rc = irc;
+ }
+
+ return rc;
+}
+
+/* create a signature of 'index' (0 for author, other values for distributors)
+using the private 'key' (filename) and the certificates 'certs' (filenames)
+as trusted chain */
+int create_digsig(int index, const char *key, const char **certs)
+{
+ struct filedesc *fdesc;
+ xmlDocPtr doc;
+ int rc, len;
+
+ rc = -1;
+
+ /* create the doc */
+ doc = xmlsec_create(index, key, certs);
+ if (doc == NULL)
+ goto error;
+
+ /* instanciate the filename */
+ fdesc = create_signature(index);
+ if (fdesc == NULL)
+ goto error2;
+
+ /* save the doc as file */
+ len = xmlSaveFormatFileEnc(fdesc->name, doc, NULL, 0);
+ if (len < 0) {
+ syslog(LOG_ERR, "xmlSaveFormatFileEnc to %s failed", fdesc->name);
+ goto error2;
+ }
+
+ rc = 0;
+error2:
+ xmlFreeDoc(doc);
+error:
+ return rc;
+}
+
+
Code Review / src / app-framework-main.git / blobdiff