X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=blobdiff_plain;f=src%2Fwgtpkg-digsig.c;h=94f1d289bf6a85244cb05d1cfc6cb08f9a0d923b;hb=956e7c57d15bde67d7392aab01a9c0fc6906bbd4;hp=e5a8d74ca43cae967bb9254e3c4d4c31ac0fa2cb;hpb=c0fc18e47e49dd4e3cc2f09452a19297dad63f9c;p=src%2Fapp-framework-main.git diff --git a/src/wgtpkg-digsig.c b/src/wgtpkg-digsig.c index e5a8d74..94f1d28 100644 --- a/src/wgtpkg-digsig.c +++ b/src/wgtpkg-digsig.c @@ -1,5 +1,5 @@ /* - Copyright 2015 IoT.bzh + Copyright (C) 2015-2020 IoT.bzh author: José Bollo @@ -29,7 +29,11 @@ #include "verbose.h" -#include "wgtpkg.h" +#include "wgtpkg-files.h" +#include "wgtpkg-workdir.h" +#include "wgtpkg-certs.h" +#include "wgtpkg-xmlsec.h" +#include "wgtpkg-digsig.h" @@ -304,7 +308,7 @@ int verify_digsig(struct filedesc *fdesc) int res, fd; assert ((fdesc->flags & flag_signature) != 0); - DEBUG("-- checking file %s",fdesc->name); + DEBUG("-- checking file %s", fdesc->name); /* reset the flags */ file_clear_flags(); @@ -332,18 +336,32 @@ int verify_digsig(struct filedesc *fdesc) } /* check all the signature files */ -int check_all_signatures() +int check_all_signatures(int allow_none) { int rc, irc; unsigned int i, n; struct filedesc *fdesc; n = signature_count(); + if (n == 0) { + if (!allow_none) { + ERROR("no signature found"); + return -1; + } + return 0; + } + + rc = xmlsec_init(); + if (rc < 0) { + ERROR("can't check signature"); + return rc; + } + rc = 0; - for (i = n ; i-- > 0 ; ) { - fdesc = signature_of_index(i); + for (i = n ; i ; ) { + fdesc = signature_of_index(--i); irc = verify_digsig(fdesc); - if (!irc) + if (irc < 0) rc = irc; } @@ -353,11 +371,12 @@ int check_all_signatures() /* create a signature of 'index' (0 for author, other values for distributors) using the private 'key' (filename) and the certificates 'certs' (filenames) as trusted chain */ -int create_digsig(int index, const char *key, const char **certs) +int create_digsig(unsigned int index, const char *key, const char **certs) { struct filedesc *fdesc; xmlDocPtr doc; - int rc, len, fd; + int rc, fd; + long len; xmlSaveCtxtPtr ctx; rc = -1; @@ -400,4 +419,92 @@ error: return rc; } +/* create a digital signature(s) from environment data */ +int create_auto_digsig() +{ + static const char envvar_prefix[] = "WGTPKG_AUTOSIGN_"; + extern char **environ; + + char **enviter; + char *var; + char *iter; + char *equal; + unsigned int num; + char *keyfile; + const char *certfiles[10]; + int ncert; + int rc; + int i; + + rc = 0; + /* enumerate environment variables */ + enviter = environ; + while (rc == 0 && (var = *enviter++) != NULL) { + /* check the prefix */ + if (0 != strncmp(var, envvar_prefix, sizeof(envvar_prefix) - 1)) + continue; /* not an auto sign variable */ + DEBUG("autosign found %s", var); + + /* check the num */ + iter = &var[sizeof(envvar_prefix) - 1]; + if (*iter < '0' || *iter > '9') { + ERROR("bad autosign key found: %s", var); + rc = -1; + continue; + } + + /* compute the number */ + num = (unsigned int)(*iter++ - '0'); + while (*iter >= '0' && *iter <= '9') + num = 10 * num + (unsigned int)(*iter++ - '0'); + + /* next char must be = */ + if (*iter != '=' || !iter[1]) { + /* it is not an error to have an empty autosign */ + WARNING("ignoring autosign key %.*s", (int)(iter - var), var); + continue; + } + + /* auto signing with num */ + INFO("autosign key %u found", num); + + /* compute key and certificates */ + equal = iter++; + keyfile = iter; + *equal = 0; + ncert = 0; + while (ncert < (int)((sizeof certfiles / sizeof *certfiles) - 1) + && (iter = strchr(iter, ':')) != NULL) { + *iter++ = 0; + certfiles[ncert++] = iter; + } + certfiles[ncert] = NULL; + + /* check the parameters */ + if (access(keyfile, R_OK) != 0) { + ERROR("autosign %u can't access private key %s", num, keyfile); + rc = -1; + } + for(i = 0 ; i < ncert ; i++) { + if (access(certfiles[i], R_OK) != 0) { + ERROR("autosign %u can't access certificate %s", num, certfiles[i]); + rc = -1; + } + } + + /* sign now */ + if (rc == 0) { + rc = xmlsec_init(); + if (rc == 0) { + rc = create_digsig(num, keyfile, certfiles); + } + } + + /* restore stolen chars */ + while(ncert) + *(char*)(certfiles[--ncert] - 1) = ':'; + *equal = '='; + } + return rc; +}