rpms
/
pesign
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

merge into: rpms:master
Branches Tags
rpms:master
rpms:f38-riscv64
rpms:f37-riscv64
rpms:f36
rpms:f37
rpms:main
rpms:rawhide
rpms:f35
rpms:f33
rpms:master-riscv64
rpms:f29
rpms:f30
rpms:f28
rpms:f25
rpms:f27
rpms:f26
rpms:f24
rpms:f23
rpms:f22
rpms:f21
rpms:f20
rpms:el6
rpms:f19
rpms:f18
...
pull from: rpms:f25
Branches Tags
rpms:f38-riscv64
rpms:f37-riscv64
rpms:f36
rpms:f37
rpms:main
rpms:rawhide
rpms:f35
rpms:f33
rpms:master-riscv64
rpms:f29
rpms:f30
rpms:master
rpms:f28
rpms:f25
rpms:f27
rpms:f26
rpms:f24
rpms:f23
rpms:f22
rpms:f21
rpms:f20
rpms:el6
rpms:f19
rpms:f18

6 Commits
master ... f25

Author SHA1 Message Date
Peter Jones d248159b95 Maybe fewer typoes would be better. 
Signed-off-by: Peter Jones <pjones@redhat.com>
 2017-08-15 12:34:55 -04:00
Peter Jones e82e9090a7 Update to match f26 and f27 builds. 
Signed-off-by: Peter Jones <pjones@redhat.com>
 2017-08-15 11:18:06 -04:00
Peter Jones 21140f4937 Try to fix the db problem nirik is seeing trying to upgrade the builders. 
Signed-off-by: Peter Jones <pjones@redhat.com>
 2017-08-10 14:23:40 -04:00
Peter Jones 619ff5355b Don't Req: or BuildReq: coolkey or opensc; those belong in system deploy 
scripts.
  Related: rhbz#1349073

Signed-off-by: Peter Jones <pjones@redhat.com>
 2017-01-06 14:28:19 -05:00
Peter Jones 271270e85b Don't Req: or BuildReq: coolkey or opensc; those belong in system deploy 
scripts.
  Related: rhbz#1349073

Signed-off-by: Peter Jones <pjones@redhat.com>
 2017-01-06 13:40:44 -05:00
Peter Jones 4677d7067c Build as -4 to make bodhi happy. 
Signed-off-by: Peter Jones <pjones@redhat.com>
 2016-08-17 09:33:42 -04:00
31 changed files with 2221 additions and 23 deletions
Show Stats Expand all files Collapse all files

6
0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
View File

@ -1,8 +1,8 @@
From 33bcca8303cad962606df3bfc6a031a9b0626375 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 21 Apr 2016 10:47:34 -0400
Subject: [PATCH] cms: kill generate_integer(), it doesn't build on i686 and
it's unused.
Subject: [PATCH 01/29] cms: kill generate_integer(), it doesn't build on i686
and it's unused.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
@ -68,5 +68,5 @@ index 7d77faf..c7d7268 100644
extern int wrap_in_set(cms_context *cms, SECItem *der, SECItem **items);
extern int wrap_in_seq(cms_context *cms, SECItem *der,
--
2.5.5
2.13.4

4
0002-Fix-command-line-parsing.patch
View File

@ -1,7 +1,7 @@
From 5be0515dee24308fd7e270bf2e0fb5e5a7a78f32 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Thu, 9 Jun 2016 14:30:37 +0200
Subject: [PATCH 2/2] Fix command line parsing
Subject: [PATCH 02/29] Fix command line parsing
The gettext translation domain should be passed as .arg, not .descrip,
otherwise popt won't process any of the command line options (it stops
@ -69,5 +69,5 @@ index 1328fe9..0d49c1a 100644
.shortName = 'D',
.argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
--
2.9.2
2.13.4

26
0003-gcc-don-t-error-on-stuff-in-includes.patch Normal file
View File

@ -0,0 +1,26 @@
From 6de291458cbab99bcc317e282c16e1523d6de9b8 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 10 Aug 2016 17:12:39 -0400
Subject: [PATCH 03/29] gcc: don't error on stuff in includes.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Make.defaults | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Make.defaults b/Make.defaults
index c97b452..3511080 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -19,7 +19,7 @@ PKG_CONFIG = $(CROSS_COMPILE)pkg-config
CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
CCLD := $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \
- -Wall -Werror -Wextra
+ -Wall -Werror -Wextra -Wno-error=cpp
AS := $(CROSS_COMPILE)as
AR := $(CROSS_COMPILE)gcc-ar
RANLIB := $(CROSS_COMPILE)gcc-ranlib
--
2.13.4

39
0004-Fix-certficate-argument-name.patch Normal file
View File

@ -0,0 +1,39 @@
From b20fc54c08e8afe1365e56cacade3ec39984da8d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 18 Apr 2017 19:00:34 -0400
Subject: [PATCH 04/29] Fix "certficate" argument name.
This fixes our typoed argument name by making the incorrectly spelled
version be a popt alias, and fixing the real implementation to be
spelled right in pesign.c .
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.c | 2 +-
src/pesign.popt | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/pesign.c b/src/pesign.c
index af374b6..279a17a 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -438,7 +438,7 @@ main(int argc, char *argv[])
.arg = &ctxp->outfile,
.descrip = "specify output file",
.argDescrip = "<outfile>" },
- {.longName = "certficate",
+ {.longName = "certificate",
.shortName = 'c',
.argInfo = POPT_ARG_STRING,
.arg = &certname,
diff --git a/src/pesign.popt b/src/pesign.popt
index 7b3385d..5a97748 100644
--- a/src/pesign.popt
+++ b/src/pesign.popt
@@ -1,2 +1,3 @@
pesign alias --cert --certificate
+pesign alias --certficate --certificate
pesign alias --daemon --daemonize
--
2.13.4

26
0005-Fix-description-of-ascii-armor-option-in-manpage.patch Normal file
View File

@ -0,0 +1,26 @@
From 7bc8e8b04c74be5c4e0ebf211affc37cf9f5db37 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Mon, 27 Jun 2016 15:38:38 +0200
Subject: [PATCH 05/29] Fix description of --ascii-armor option in manpage
The --ascii option does not exist.
---
src/pesign.1 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pesign.1 b/src/pesign.1
index 47d1aec..29ae060 100644
--- a/src/pesign.1
+++ b/src/pesign.1
@@ -81,7 +81,7 @@ Export the public key specified by \-\-certificate to \fIoutkey\fR
Export the certificate specified by \-\-certificate to \fIoutcert\fR
.TP
-\fB-\-ascii\fR
+\fB-\-ascii\-armor\fR
Use ascii armoring on exported certificates.
.TP
--
2.13.4

22
0006-Make-ascii-work-since-we-documented-it.patch Normal file
View File

@ -0,0 +1,22 @@
From 9f411f4e797e983d2e8cb51dc5b9ab8db250c2e3 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 18 Apr 2017 19:05:40 -0400
Subject: [PATCH 06/29] Make --ascii work, since we documented it.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.popt | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/pesign.popt b/src/pesign.popt
index 5a97748..5ae0c5c 100644
--- a/src/pesign.popt
+++ b/src/pesign.popt
@@ -1,3 +1,4 @@
pesign alias --cert --certificate
pesign alias --certficate --certificate
pesign alias --daemon --daemonize
+pesign alias --ascii --ascii-armor
--
2.13.4

32
0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch Normal file
View File

@ -0,0 +1,32 @@
From d618de733865eab359890b4e677c368a133dad99 Mon Sep 17 00:00:00 2001
From: Pat Riehecky <riehecky@fnal.gov>
Date: Mon, 7 Nov 2016 11:37:08 -0600
Subject: [PATCH 07/29] Switch pesign client to also accept token/cert macros
rather than use hard coded values
---
src/macros.pesign | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 18e5b5e..69280e9 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -41,11 +41,11 @@
--certdir ${nss} -c signer %{-o} \
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
elif [ -S /var/run/pesign/socket ]; then \
- %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
- -c "/CN=Fedora Secure Boot Signer" \\\
+ %{_pesign_client} -t %{__pesign_token} \\\
+ -c %{__pesign_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
else \
- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
+ %{_pesign} -t %{__pesign_token} -c %{__pesign_cert} \\\
--certdir ${_pesign_nssdir} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
fi \
--
2.13.4

25
0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch Normal file
View File

@ -0,0 +1,25 @@
From 2cd211bcc612ad8cb99c778461ca02a9f3e5e44b Mon Sep 17 00:00:00 2001
From: David Michael <david.michael@coreos.com>
Date: Thu, 16 Feb 2017 15:08:30 -0800
Subject: [PATCH 08/29] pesigcheck: Verify with the cert as an object signer
---
src/certdb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/certdb.c b/src/certdb.c
index 2a08042..b7c99bb 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -339,7 +339,7 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
}
/* Verify the signature */
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
- certUsageSSLServer,
+ certUsageObjectSigner,
digest, HASH_AlgSHA256,
PR_FALSE, atTime);
if (!result) {
--
2.13.4

47
0009-pesigcheck-make-certfile-actually-work.patch Normal file
View File

@ -0,0 +1,47 @@
From e0238e2363f9668aee07b2e44a8f358e694551c0 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 24 Apr 2017 15:18:10 -0400
Subject: [PATCH 09/29] pesigcheck: make --certfile actually work
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesigcheck.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 0d49c1a..d7be542 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -130,7 +130,7 @@ check_signature(pesigcheck_context *ctx)
cert_iter iter;
generate_digest(ctx->cms_ctx, ctx->inpe, 1);
-
+
if (check_db_hash(DBX, ctx) == FOUND)
return -1;
@@ -225,6 +225,11 @@ main(int argc, char *argv[])
.argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
.arg = (void *)callback,
.descrip = (void *)ctxp },
+ {.longName = "certfile",
+ .shortName = 'c',
+ .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
+ .arg = (void *)callback,
+ .descrip = (void *)ctxp },
{.longName = "in",
.shortName = 'i',
.argInfo = POPT_ARG_STRING,
@@ -258,7 +263,7 @@ main(int argc, char *argv[])
.shortName = 'c',
.argInfo = POPT_ARG_STRING,
.arg = &certfile,
- .descrip = "the certificate (in DER form) for verification ",
+ .descrip = "import certfile (in DER encoding) for allowed certificate",
.argDescrip = "<certfile>" },
POPT_AUTOALIAS
POPT_AUTOHELP
--
2.13.4

27
0010-signerInfos-make-sure-err-is-always-initialized.patch Normal file
View File

@ -0,0 +1,27 @@
From 799808b265ac6f82fa1268fd696d70357acce69c Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:15:07 -0400
Subject: [PATCH 10/29] signerInfos: make sure err is always initialized
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/signed_data.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/signed_data.c b/src/signed_data.c
index 721db90..9e0af23 100644
--- a/src/signed_data.c
+++ b/src/signed_data.c
@@ -132,7 +132,8 @@ int
generate_signerInfo_list(cms_context *cms, SpcSignerInfo ***signerInfo_list_p, SignerInfoType type)
{
SpcSignerInfo **signerInfo_list;
- int err, rc;
+ int err = 0;
+ int rc;
if (!signerInfo_list_p)
return -1;
--
2.13.4

26
0011-pesign-make-pesign-h-tell-you-the-file-name.patch Normal file
View File

@ -0,0 +1,26 @@
From 868b42b338d919917ea31cfbf0f96e9586947eaf Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:23:36 -0400
Subject: [PATCH 11/29] pesign: make "pesign -h" tell you the file name.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pesign.c b/src/pesign.c
index 279a17a..5879cfc 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -387,7 +387,7 @@ print_digest(pesign_context *pctx)
if (!ctx)
return;
- printf("hash: ");
+ printf("%s ", pctx->infile);
int j = ctx->selected_digest;
for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
printf("%02x",
--
2.13.4

104
0012-Add-coverity-build-scripts.patch Normal file
View File

@ -0,0 +1,104 @@
From 95327e6d9bd4f70980acd8fd6c9524265990dc4d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 10 May 2017 10:49:57 -0400
Subject: [PATCH 12/29] Add coverity build scripts
Signed-off-by: Peter Jones <pjones@redhat.com>
---
.gitignore | 1 +
Make.coverity | 37 +++++++++++++++++++++++++++++++++++++
Make.defaults | 2 ++
Make.rules | 4 ++++
Makefile | 1 +
5 files changed, 45 insertions(+)
create mode 100644 Make.coverity
diff --git a/.gitignore b/.gitignore
index 1635ba2..847e172 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@
*.tar.*
*.rpm
core.*
+cov-int
diff --git a/Make.coverity b/Make.coverity
new file mode 100644
index 0000000..b80b091
--- /dev/null
+++ b/Make.coverity
@@ -0,0 +1,37 @@
+include $(TOPDIR)/Make.version
+include $(TOPDIR)/Make.rules
+include $(TOPDIR)/Make.defaults
+
+COV_EMAIL=$(call get-config,coverity.email)
+COV_TOKEN=$(call get-config,coverity.token)
+COV_URL=$(call get-config,coverity.url)
+COV_FILE=$(NAME)-coverity-$(VERSION)-$(COMMIT_ID).tar.bz2
+
+cov-int : clean
+ cov-build --dir cov-int make all
+
+cov-clean :
+ @rm -vf $(NAME)-coverity-*.tar.*
+ @if [[ -d cov-int ]]; then rm -rf cov-int && echo "removed 'cov-int'"; fi
+
+cov-file : | $(COV_FILE)
+
+$(COV_FILE) : cov-int
+ tar caf $@ cov-int
+
+cov-upload :
+ @if [[ -n "$(COV_URL)" ]] && \
+ [[ -n "$(COV_TOKEN)" ]] && \
+ [[ -n "$(COV_EMAIL)" ]] ; \
+ then \
+ echo curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \
+ curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \
+ else \
+ echo Coverity output is in $(COV_FILE) ; \
+ fi
+
+coverity : cov-file cov-upload
+
+clean : | cov-clean
+
+.PHONY : coverity cov-upload cov-clean cov-file
diff --git a/Make.defaults b/Make.defaults
index 3511080..39b78f0 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -1,3 +1,5 @@
+NAME = pesign
+COMMIT_ID ?= $(shell git log -1 --pretty=%H 2>/dev/null || echo master)
prefix ?= /usr/
prefix := $(abspath $(prefix))/
libdir ?= $(prefix)lib64/
diff --git a/Make.rules b/Make.rules
index af5ecfe..5e3c83d 100644
--- a/Make.rules
+++ b/Make.rules
@@ -79,3 +79,7 @@ endef
$(TOPDIR)/libdpe/%.a $(TOPDIR)/libdpe/% :
$(MAKE) -C $(TOPDIR)/libdpe $(notdir $@)
+
+define get-config =
+$(shell git config --local --get "$(NAME).$(1)")
+endef
diff --git a/Makefile b/Makefile
index db8eb7e..ca1a359 100644
--- a/Makefile
+++ b/Makefile
@@ -4,6 +4,7 @@ TOPDIR = $(realpath .)
include $(TOPDIR)/Make.version
include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.defaults
+include $(TOPDIR)/Make.coverity
SUBDIRS := include libdpe src
--
2.13.4

25
0013-Document-implicit-fallthrough.patch Normal file
View File

@ -0,0 +1,25 @@
From 4b9e7cf3e869de36daf2ea705b9efef55ae87ef8 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Sat, 8 Jul 2017 16:31:18 -0400
Subject: [PATCH 13/29] Document implicit fallthrough.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/authvar.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/authvar.c b/src/authvar.c
index ad659ca..03e0c47 100644
--- a/src/authvar.c
+++ b/src/authvar.c
@@ -511,6 +511,7 @@ main(int argc, char *argv[])
case IMPORT|SET:
case IMPORT|SIGN|SET:
fprintf(stderr, "authvar: not implemented\n");
+ /* fallthrough. */
case IMPORT|SIGN|EXPORT:
default:
fprintf(stderr, "authvar: invalid flags: ");
--
2.13.4

50
0014-Actually-setfacl-each-directory-of-our-key-storage.patch Normal file
View File

@ -0,0 +1,50 @@
From a95e28e5cb10d417c81c8720e8521eb63793da37 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 16 May 2016 15:25:53 -0400
Subject: [PATCH 14/29] Actually setfacl /each/ directory of our key storage.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize-groups | 6 +++---
src/pesign-authorize-users | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index a4f895e..cf51fb6 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -18,10 +18,10 @@ if [ -r /etc/pesign/groups ]; then
setfacl -m g:${group}:rw /var/run/pesign/socket
fi
fi
- for x in /etc/pki/pesign* ; do
+ for x in /etc/pki/pesign*/ ; do
if [ -d ${x} ]; then
- setfacl -m g:${group}:rx /etc/pki/pesign
- for y in ${x}/{cert8,key3,secmod}.db ; do
+ setfacl -m g:${group}:rx ${x}
+ for y in ${x}{cert8,key3,secmod}.db ; do
setfacl -m g:${group}:rw ${y}
done
fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index 8b9a885..940138e 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -18,10 +18,10 @@ if [ -r /etc/pesign/users ]; then
setfacl -m g:${username}:rw /var/run/pesign/socket
fi
fi
- for x in /etc/pki/pesign* ; do
+ for x in /etc/pki/pesign*/ ; do
if [ -d ${x} ]; then
- setfacl -m g:${username}:rx /etc/pki/pesign
- for y in ${x}/{cert8,key3,secmod}.db ; do
+ setfacl -m g:${username}:rx ${x}
+ for y in ${x}{cert8,key3,secmod}.db ; do
setfacl -m g:${username}:rw ${y}
done
fi
--
2.13.4

59
0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch Normal file
View File

@ -0,0 +1,59 @@
From a3cc2ad5d49ed61187527281da351e80d8f76a89 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 22 Aug 2016 13:31:38 -0400
Subject: [PATCH 15/29] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array
indices.
That was all kinds of wrong.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/oid.c | 10 +++++++---
src/oid.h | 1 +
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/oid.c b/src/oid.c
index 9d8154f..7037e1e 100644
--- a/src/oid.c
+++ b/src/oid.c
@@ -33,6 +33,7 @@ static uint8_t oiddata[] = {
0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0f,
0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x15,
0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01,
+ 0x2b, 0x06, 0x01, 0x04, 0x01, 0x92, 0x08, 0x10, 0x01, 0x02,
};
#define OID(num, desc_s, oidtype, length, value) \
@@ -53,11 +54,14 @@ static struct {
OID(SPC_STATEMENT_TYPE_OBJID, "Statement Type", siDEROID, 10,
&oiddata[10]),
OID(SPC_PE_IMAGE_DATA_OBJID, "PE Image Data", siDEROID, 10,
- &oiddata[30]),
+ &oiddata[20]),
OID(SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, "Individual Key", siDEROID,
- 10, &oiddata[40]),
+ 10, &oiddata[30]),
OID(szOID_CERTSRV_CA_VERSION, "Certification server CA version",
- siAsciiString, 9, &oiddata[50]),
+ siAsciiString, 9, &oiddata[40]),
+ OID(SHIM_EKU_MODULE_SIGNING_ONLY,
+ "Certificate is used for kernel modules only", siDEROID, 10,
+ &oiddata[49]),
{ .oid = END_OID_LIST }
};
diff --git a/src/oid.h b/src/oid.h
index 599f49d..0e00781 100644
--- a/src/oid.h
+++ b/src/oid.h
@@ -25,6 +25,7 @@ typedef enum {
SPC_PE_IMAGE_DATA_OBJID, /* 1.3.6.1.4.1.311.2.1.15 */
SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, /* 1.3.6.1.4.1.311.2.1.21 */
szOID_CERTSRV_CA_VERSION, /* 1.3.6.1.4.1.311.21.1 */
+ SHIM_EKU_MODULE_SIGNING_ONLY, /* 1.3.6.1.4.1.2312.16.1.2 */
END_OID_LIST
} ms_oid_t;
--
2.13.4

197
0016-efikeygen-add-modsign.patch Normal file
View File

@ -0,0 +1,197 @@
From 9b4b12928c0450ac69d83293e179eec439465c03 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 22 Aug 2016 13:43:56 -0400
Subject: [PATCH 16/29] efikeygen: add --modsign
---
src/cms_common.c | 29 ++++++++++++++++++++++++++++
src/cms_common.h | 1 +
src/efikeygen.c | 59 ++++++++++++++++++++++++++++++++++++++++++++------------
3 files changed, 77 insertions(+), 12 deletions(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index 6a4e6a7..2df2cfe 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -715,6 +715,35 @@ make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
return 0;
}
+static SEC_ASN1Template EKUOidSequence[] = {
+ {
+ .kind = SEC_ASN1_OBJECT_ID,
+ .offset = 0,
+ .sub = &SEC_AnyTemplate,
+ .size = sizeof (SECItem),
+ },
+ { 0 }
+};
+
+int
+make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag)
+{
+ void *rv;
+ SECOidData *oid_data;
+
+ oid_data = SECOID_FindOIDByTag(oid_tag);
+ if (!oid_data)
+ cmsreterr(-1, cms, "could not encode eku oid data");
+
+ rv = SEC_ASN1EncodeItem(cms->arena, encoded, &oid_data->oid,
+ EKUOidSequence);
+ if (rv == NULL)
+ cmsreterr(-1, cms, "could not encode eku oid data");
+
+ encoded->type = siBuffer;
+ return 0;
+}
+
int
generate_octet_string(cms_context *cms, SECItem *encoded, SECItem *original)
{
diff --git a/src/cms_common.h b/src/cms_common.h
index c7d7268..7a31273 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -123,6 +123,7 @@ extern int wrap_in_seq(cms_context *cms, SECItem *der,
SECItem *items, int num_items);
extern int make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
SECItem *original);
+extern int make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag);
extern int generate_validity(cms_context *cms, SECItem *der, time_t start,
time_t end);
extern int generate_common_name(cms_context *cms, SECItem *der, char *cn);
diff --git a/src/efikeygen.c b/src/efikeygen.c
index 8a515a5..9390578 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -49,6 +49,7 @@
#include <libdpe/libdpe.h>
#include "cms_common.h"
+#include "oid.h"
#include "util.h"
typedef struct {
@@ -249,20 +250,34 @@ add_basic_constraints(cms_context *cms, void *extHandle)
}
static int
-add_extended_key_usage(cms_context *cms, void *extHandle)
+add_extended_key_usage(cms_context *cms, int modsign_only, void *extHandle)
{
- SECItem value = {
- .data = (unsigned char *)"\x30\x0a\x06\x08\x2b\x06\x01"
- "\x05\x05\x07\x03\x03",
- .len = 12,
- .type = siBuffer
- };
+ SECItem values[2];
+ SECItem wrapped = { 0 };
+ SECStatus status;
+ SECOidTag tag;
+ int rc;
+
+ if (modsign_only < 1 || modsign_only > 2)
+ cmsreterr(-1, cms, "could not encode extended key usage");
+ rc = make_eku_oid(cms, &values[0], SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
+ if (rc < 0)
+ cmsreterr(-1, cms, "could not encode extended key usage");
+
+ tag = find_ms_oid_tag(SHIM_EKU_MODULE_SIGNING_ONLY);
+ printf("tag: %d\n", tag);
+ rc = make_eku_oid(cms, &values[1], tag);
+ if (rc < 0)
+ cmsreterr(-1, cms, "could not encode extended key usage");
+
+ rc = wrap_in_seq(cms, &wrapped, values, modsign_only);
+ if (rc < 0)
+ cmsreterr(-1, cms, "could not encode extended key usage");
- SECStatus status;
status = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE,
- &value, PR_FALSE, PR_TRUE);
+ &wrapped, PR_FALSE, PR_TRUE);
if (status != SECSuccess)
cmsreterr(-1, cms, "could not encode extended key usage");
@@ -294,7 +309,7 @@ static int
add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
int is_ca, int is_self_signed, SECKEYPublicKey *pubkey,
SECKEYPublicKey *spubkey,
- char *url)
+ char *url, int modsign_only)
{
void *mark = PORT_ArenaMark(cms->arena);
@@ -319,7 +334,7 @@ add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
if (rc < 0)
cmsreterr(-1, cms, "could not generate certificate extensions");
- rc = add_extended_key_usage(cms, extHandle);
+ rc = add_extended_key_usage(cms, modsign_only, extHandle);
if (rc < 0)
cmsreterr(-1, cms, "could not generate certificate extensions");
@@ -469,6 +484,7 @@ int main(int argc, char *argv[])
{
int is_ca = 0;
int is_self_signed = -1;
+ int modsign_only = 0;
char *tokenname = "NSS Certificate DB";
char *signer = NULL;
char *nickname = NULL;
@@ -522,6 +538,18 @@ int main(int argc, char *argv[])
.descrip = "Generate a self-signed certificate" },
/* stuff about the generated key */
+ {.longName = "kernel",
+ .shortName = 'k',
+ .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
+ .arg = &modsign_only,
+ .val = 1,
+ .descrip = "Generate a kernel-signing certificate" },
+ {.longName = "module",
+ .shortName = 'm',
+ .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
+ .arg = &modsign_only,
+ .val = 2,
+ .descrip = "Generate a module-signing certificate" },
{.longName = "nickname",
.shortName = 'n',
.argInfo = POPT_ARG_STRING,
@@ -628,6 +656,9 @@ int main(int argc, char *argv[])
liberr(1, "could not allocate cms context");
}
+ if (modsign_only < 1 || modsign_only > 2)
+ errx(1, "either --kernel or --module must be used");
+
SECStatus status = NSS_InitReadWrite(dbdir);
if (status != SECSuccess)
nsserr(1, "could not initialize NSS");
@@ -639,6 +670,10 @@ int main(int argc, char *argv[])
SECKEYPublicKey *pubkey = NULL;
SECKEYPrivateKey *privkey = NULL;
+ status = register_oids(cms);
+ if (status != SECSuccess)
+ nsserr(1, "Could not register OIDs");
+
PK11SlotInfo *slot = NULL;
if (pubfile) {
rc = get_pubkey_from_file(pubfile, &pubkey);
@@ -713,7 +748,7 @@ int main(int argc, char *argv[])
crq = CERT_CreateCertificateRequest(name, spki, &attributes);
rc = add_extensions_to_crq(cms, crq, is_ca, is_self_signed, pubkey,
- spubkey, url);
+ spubkey, url, modsign_only);
if (rc < 0)
exit(1);
--
2.13.4

121
0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch Normal file
View File

@ -0,0 +1,121 @@
From 0456758e0c0873d1251bdf77d27f0f6175cbf289 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:25:02 -0400
Subject: [PATCH 17/29] check_cert_db(): try even harder to pick a reasonable
validation time.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 66 insertions(+), 9 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index b7c99bb..1a4baf1 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -250,12 +250,53 @@ check_db_hash(db_specifier which, pesigcheck_context *ctx)
return check_db(which, ctx, check_hash, NULL, 0);
}
-static PRTime
-determine_reasonable_time(CERTCertificate *cert)
+static void
+find_cert_times(SEC_PKCS7ContentInfo *cinfo,
+ PRTime *notBefore, PRTime *notAfter)
{
- PRTime notBefore, notAfter;
- CERT_GetCertTimes(cert, &notBefore, &notAfter);
- return notBefore;
+ CERTCertDBHandle *defaultdb, *certdb;
+ SEC_PKCS7SignedData *sdp;
+ CERTCertificate **certs = NULL;
+ SECItem **rawcerts;
+ int i, certcount;
+ SECStatus rv;
+
+ if (cinfo->contentTypeTag->offset != SEC_OID_PKCS7_SIGNED_DATA) {
+err:
+ *notBefore = 0;
+ *notAfter = 0x7fffffffffffffff;
+ return;
+ }
+
+ sdp = cinfo->content.signedData;
+ rawcerts = sdp->rawCerts;
+
+ defaultdb = CERT_GetDefaultCertDB();
+
+ certdb = defaultdb;
+ if (certdb == NULL)
+ goto err;
+
+ certcount = 0;
+ if (rawcerts != NULL) {
+ for (; rawcerts[certcount] != NULL; certcount++)
+ ;
+ }
+ rv = CERT_ImportCerts(certdb, certUsageObjectSigner, certcount,
+ rawcerts, &certs, PR_FALSE, PR_FALSE, NULL);
+ if (rv != SECSuccess)
+ goto err;
+
+ for (i = 0; i < certcount; i++) {
+ PRTime nb = 0, na = 0x7fffffffffff;
+ CERT_GetCertTimes(certs[i], &nb, &na);
+ if (*notBefore < nb)
+ *notBefore = nb;
+ if (*notAfter > na)
+ *notAfter = na;
+ }
+
+ CERT_DestroyCertArray(certs, certcount);
}
static db_status
@@ -271,6 +312,8 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
PRBool result;
SECStatus rv;
db_status status = NOT_FOUND;
+ PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
+ PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
efi_guid_t efi_x509 = efi_guid_x509_cert;
@@ -327,16 +370,30 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
}
cert->timeOK = PR_TRUE;
+ find_cert_times(cinfo, &notBefore, &notAfter);
+ if (earlyNow < notBefore)
+ earlyNow = notBefore;
+ if (lateNow > notAfter)
+ lateNow = notAfter;
+
SECItem *eTime;
PRTime atTime;
// atTime = determine_reasonable_time(cert);
eTime = SEC_PKCS7GetSigningTime(cinfo);
if (eTime != NULL) {
- if (DER_DecodeTimeChoice (&atTime, eTime) != SECSuccess)
- atTime = determine_reasonable_time(cert);
- } else {
- atTime = determine_reasonable_time(cert);
+ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
+ if (earlyNow < atTime)
+ earlyNow = atTime;
+ if (lateNow > atTime)
+ lateNow = atTime;
+ }
}
+
+ if (lateNow < earlyNow)
+ printf("Impossible time constraints: %ld <= %ld\n",
+ earlyNow / 1000000, lateNow / 1000000);
+ atTime = earlyNow / 2 + lateNow / 2;
+
/* Verify the signature */
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
certUsageObjectSigner,
--
2.13.4

137
0018-show-which-db-we-re-checking.patch Normal file
View File

@ -0,0 +1,137 @@
From 01b89fb7a191f4639a93c5a7c47a80752118ba95 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:58:50 -0400
Subject: [PATCH 18/29] show which db we're checking
---
src/certdb.c | 35 ++++++++++++++++++++++++++++++++++-
src/pesigcheck_context.c | 2 ++
src/pesigcheck_context.h | 1 +
3 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/src/certdb.c b/src/certdb.c
index 1a4baf1..673e074 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -18,6 +18,7 @@
*/
#include <fcntl.h>
+#include <libgen.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
@@ -42,17 +43,33 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile,
return -1;
db->type = type;
-
db->fd = open(dbfile, O_RDONLY);
if (db->fd < 0) {
save_errno(free(db));
return -1;
}
+ char *path = strdup(dbfile);
+ if (!path) {
+ save_errno(close(db->fd);
+ free(db));
+ return -1;
+ }
+
+ db->path = basename(path);
+ db->path = strdup(db->path);
+ free(path);
+ if (!db->path) {
+ save_errno(close(db->fd);
+ free(db));
+ return -1;
+ }
+
struct stat sb;
int rc = fstat(db->fd, &sb);
if (rc < 0) {
save_errno(close(db->fd);
+ free(db->path);
free(db));
return -1;
}
@@ -65,6 +82,7 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile,
rc = read_file(db->fd, (char **)&db->map, &sz);
if (rc < 0) {
save_errno(close(db->fd);
+ free(db->path);
free(db));
return -1;
}
@@ -133,6 +151,7 @@ add_cert_file(pesigcheck_context *ctx, const char *filename)
#define DB_PATH "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
#define MOK_PATH "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23"
#define DBX_PATH "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
+#define MOKX_PATH "/sys/firmware/efi/efivars/MokListXRT-605dab50-e046-4300-abb6-3dd810dd8b23"
void
init_cert_db(pesigcheck_context *ctx, int use_system_dbs)
@@ -167,6 +186,18 @@ init_cert_db(pesigcheck_context *ctx, int use_system_dbs)
"database \"%s\": %m\n", DBX_PATH);
exit(1);
}
+
+ rc = add_db_file(ctx, DBX, MOKX_PATH, DB_EFIVAR);
+ if (rc < 0 && errno != ENOENT) {
+ fprintf(stderr, "pesigcheck: Could not add key database "
+ "\"%s\": %m\n", MOKX_PATH);
+ exit(1);
+ }
+
+ if (ctx->dbx == NULL) {
+ fprintf(stderr, "pesigcheck: warning: "
+ "No key recovation database available\n");
+ }
}
typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,
@@ -187,6 +218,8 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
sig.type = siBuffer;
while (dbl) {
+ printf("Searching %s %s\n", which == DB ? "db" : "dbx",
+ dbl->path);
EFI_SIGNATURE_LIST *certlist;
EFI_SIGNATURE_DATA *cert;
size_t dbsize = dbl->datalen;
diff --git a/src/pesigcheck_context.c b/src/pesigcheck_context.c
index b934cbe..5a355b1 100644
--- a/src/pesigcheck_context.c
+++ b/src/pesigcheck_context.c
@@ -87,6 +87,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx)
munmap(db->map, db->size);
close(db->fd);
ctx->db = db->next;
+ free(db->path);
free(db);
}
while (ctx->dbx) {
@@ -95,6 +96,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx)
if (db->type == DB_CERT)
free(db->data);
munmap(db->map, db->size);
+ free(db->path);
close(db->fd);
ctx->dbx = db->next;
free(db);
diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
index 1b916e3..7b5cc89 100644
--- a/src/pesigcheck_context.h
+++ b/src/pesigcheck_context.h
@@ -34,6 +34,7 @@ typedef enum {
struct dblist {
db_f_type type;
+ char *path;
int fd;
struct dblist *next;
size_t size;
--
2.13.4

97
0019-more-about-the-time.patch Normal file
View File

@ -0,0 +1,97 @@
From 713e61448a6ffa3e6029a7c89fad61b8cb08c9ff Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 17:00:46 -0400
Subject: [PATCH 19/29] more about the time
---
src/certdb.c | 59 +++++++++++++++++++++++++++++++++--------------------------
1 file changed, 33 insertions(+), 26 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index 673e074..1078a8a 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -345,8 +345,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
PRBool result;
SECStatus rv;
db_status status = NOT_FOUND;
+ PRTime atTime = PR_Now();
+ SECItem *eTime;
PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
- PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
+ PRTime notBefore, notAfter;
efi_guid_t efi_x509 = efi_guid_x509_cert;
@@ -358,6 +360,36 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
if (!cinfo)
goto out;
+ notBefore = earlyNow;
+ notAfter = lateNow;
+ find_cert_times(cinfo, &notBefore, &notAfter);
+ if (earlyNow < notBefore)
+ earlyNow = notBefore;
+ if (lateNow > notAfter)
+ lateNow = notAfter;
+
+ // atTime = determine_reasonable_time(cert);
+ eTime = SEC_PKCS7GetSigningTime(cinfo);
+ if (eTime != NULL) {
+ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
+ if (earlyNow < atTime)
+ earlyNow = atTime;
+ if (lateNow > atTime)
+ lateNow = atTime;
+ }
+ }
+
+ if (lateNow < earlyNow)
+ printf("Signature has impossible time constraint: %ld <= %ld\n",
+ earlyNow / 1000000, lateNow / 1000000);
+ atTime = earlyNow / 2 + lateNow / 2;
+
+
+ cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL);
+ if (!cinfo)
+ goto out;
+
/* Generate the digest of contentInfo */
/* XXX support only sha256 for now */
digest = SECITEM_AllocItem(NULL, NULL, 32);
@@ -401,31 +433,6 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
PORT_ErrorToString(PORT_GetError()));
goto out;
}
- cert->timeOK = PR_TRUE;
-
- find_cert_times(cinfo, &notBefore, &notAfter);
- if (earlyNow < notBefore)
- earlyNow = notBefore;
- if (lateNow > notAfter)
- lateNow = notAfter;
-
- SECItem *eTime;
- PRTime atTime;
- // atTime = determine_reasonable_time(cert);
- eTime = SEC_PKCS7GetSigningTime(cinfo);
- if (eTime != NULL) {
- if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
- if (earlyNow < atTime)
- earlyNow = atTime;
- if (lateNow > atTime)
- lateNow = atTime;
- }
- }
-
- if (lateNow < earlyNow)
- printf("Impossible time constraints: %ld <= %ld\n",
- earlyNow / 1000000, lateNow / 1000000);
- atTime = earlyNow / 2 + lateNow / 2;
/* Verify the signature */
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
--
2.13.4

419
0020-try-to-say-why-something-fails.patch Normal file
View File

@ -0,0 +1,419 @@
From 81583146602bba96728fa7544c8e856b32c22ee4 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 17:01:13 -0400
Subject: [PATCH 20/29] try to say why something fails
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 15 ++-
src/certdb.h | 2 +-
src/pesigcheck.c | 244 ++++++++++++++++++++++++++++++++++++++++++-----
src/pesigcheck_context.h | 1 +
4 files changed, 233 insertions(+), 29 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index 1078a8a..fae80af 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -205,7 +205,7 @@ typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,
static db_status
check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
- void *data, ssize_t datalen)
+ void *data, ssize_t datalen, SECItem *match)
{
SECItem pkcs7sig, sig;
dblist *dbl = which == DB ? ctx->db : ctx->dbx;
@@ -241,8 +241,12 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
found = check(ctx, &sig,
&certlist->SignatureType,
&pkcs7sig);
- if (found == FOUND)
+ if (found == FOUND) {
+ if (match)
+ memcpy(match, &sig,
+ sizeof(sig));
return FOUND;
+ }
cert = (EFI_SIGNATURE_DATA *)((uint8_t *)cert +
certlist->SignatureSize);
}
@@ -280,7 +284,7 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
db_status
check_db_hash(db_specifier which, pesigcheck_context *ctx)
{
- return check_db(which, ctx, check_hash, NULL, 0);
+ return check_db(which, ctx, check_hash, NULL, 0, NULL);
}
static void
@@ -459,7 +463,8 @@ out:
}
db_status
-check_db_cert(db_specifier which, pesigcheck_context *ctx, void *data, ssize_t datalen)
+check_db_cert(db_specifier which, pesigcheck_context *ctx,
+ void *data, ssize_t datalen, SECItem *match)
{
- return check_db(which, ctx, check_cert, data, datalen);
+ return check_db(which, ctx, check_cert, data, datalen, match);
}
diff --git a/src/certdb.h b/src/certdb.h
index ccf3c87..8402299 100644
--- a/src/certdb.h
+++ b/src/certdb.h
@@ -43,7 +43,7 @@ typedef struct {
extern db_status check_db_hash(db_specifier which, pesigcheck_context *ctx);
extern db_status check_db_cert(db_specifier which, pesigcheck_context *ctx,
- void *data, ssize_t datalen);
+ void *data, ssize_t datalen, SECItem *match);
extern void init_cert_db(pesigcheck_context *ctx, int use_system_dbs);
extern int add_cert_db(pesigcheck_context *ctx, const char *filename);
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index d7be542..c8e1086 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -17,7 +17,9 @@
* Author(s): Peter Jones <pjones@redhat.com>
*/
+#include <err.h>
#include <fcntl.h>
+#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -88,7 +90,8 @@ check_inputs(pesigcheck_context *ctx)
}
static int
-cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
+cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen,
+ SECItem *digest_out)
{
SECItem sig, *pe_digest, *content;
uint8_t *digest;
@@ -109,6 +112,12 @@ cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
pe_digest = ctx->cms_ctx->digests[0].pe_digest;
content = cinfo->content.signedData->contentInfo.content.data;
digest = content->data + content->len - pe_digest->len;
+ if (digest_out) {
+ digest_out->data = malloc(pe_digest->len);
+ digest_out->len = pe_digest->len;
+ digest_out->type = pe_digest->type;
+ memcpy(digest_out->data, digest, pe_digest->len);
+ }
if (memcmp(pe_digest->data, digest, pe_digest->len) != 0)
goto out;
@@ -120,22 +129,149 @@ out:
return ret;
}
+struct reason {
+ enum {
+ WHITELISTED = 0,
+ INVALID = 1,
+ BLACKLISTED = 2,
+ NO_WHITELIST = 3,
+ } reason;
+ enum {
+ NONE = 0,
+ DIGEST = 1,
+ SIGNATURE = 2,
+ } type;
+ union {
+ struct {
+ SECItem digest;
+ };
+ struct {
+ SECItem sig;
+ SECItem db_cert;
+ };
+ };
+};
+
+static void
+print_digest(SECItem *digest)
+{
+ char buf[digest->len * 2 + 2];
+
+ for (unsigned int i = 0; i < digest->len; i++)
+ snprintf(buf + i * 2, digest->len * 2, "%02x",
+ digest->data[i]);
+ buf[digest->len * 2] = '\0';
+ printf("%s\n", buf);
+}
+
+static void
+print_certificate(SECItem *cert)
+{
+ printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
+ printf("cert: %p\n", cert);
+}
+
+static void
+print_signatures(SECItem *database_cert, SECItem *signature)
+{
+ printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
+ print_certificate(database_cert);
+ print_certificate(signature);
+}
+
+static void
+print_reason(struct reason *reason)
+{
+ switch (reason->reason) {
+ case WHITELISTED:
+ printf("Whitelist entry: ");
+ if (reason->type == DIGEST)
+ print_digest(&reason->digest);
+ else if (reason->type == SIGNATURE)
+ print_signatures(&reason->sig, &reason->db_cert);
+ else
+ errx(1, "Unknown data type %d\n", reason->type);
+ break;
+ case INVALID:
+ if (reason->type == DIGEST) {
+ printf("Invalid digest: ");
+ print_digest(&reason->digest);
+ } else if (reason->type == SIGNATURE) {
+ printf("Invalid signature: ");
+ print_signatures(&reason->sig, &reason->db_cert);
+ } else {
+ errx(1, "Unknown data type %d\n", reason->type);
+ }
+ break;
+ case BLACKLISTED:
+ if (reason->type == DIGEST) {
+ printf("Invalid digest: ");
+ print_digest(&reason->digest);
+ } else if (reason->type == SIGNATURE) {
+ printf("Invalid signature: ");
+ print_signatures(&reason->sig, &reason->db_cert);
+ } else {
+ errx(1, "Unknown data type %d\n", reason->type);
+ }
+ break;
+ case NO_WHITELIST:
+ if (reason->type == NONE)
+ printf("No matching whitelist entry.\n");
+ else
+ errx(1, "Invalid data type %d\n", reason->type);
+ break;
+ default:
+ errx(1, "Unknown reason type %d\n", reason->reason);
+ break;
+ }
+}
+
+static void
+get_digest(pesigcheck_context *ctx, SECItem *digest)
+{
+ struct cms_context *cms = ctx->cms_ctx;
+ struct digest *cms_digest = &cms->digests[cms->selected_digest];
+
+ memcpy(digest, cms_digest->pe_digest, sizeof (*digest));
+}
+
static int
-check_signature(pesigcheck_context *ctx)
+check_signature(pesigcheck_context *ctx, int *nreasons,
+ struct reason **reasons)
{
- int has_valid_cert = 0;
- int has_invalid_cert = 0;
+ bool has_valid_cert = false;
+ bool is_invalid = false;
+ struct reason *reasonps = NULL, *reason;
+ int num_reasons = 16;
+ int nreason = 0;
int rc = 0;
+ int ret = -1;
cert_iter iter;
+ reasonps = calloc(sizeof(struct reason), 512);
+ if (!reasonps)
+ err(1, "check_signature");
+
generate_digest(ctx->cms_ctx, ctx->inpe, 1);
- if (check_db_hash(DBX, ctx) == FOUND)
- return -1;
+ if (check_db_hash(DBX, ctx) == FOUND) {
+ reason = &reasonps[nreason];
+ reason->reason = BLACKLISTED;
+ reason->type = DIGEST;
+ get_digest(ctx, &reason->digest);
+ reason += 1;
+ is_invalid = true;
+ }
- if (check_db_hash(DB, ctx) == FOUND)
- has_valid_cert = 1;
+ if (check_db_hash(DB, ctx) == FOUND) {
+ reason = &reasonps[nreason];
+ reason->reason = WHITELISTED;
+ reason->type = DIGEST;
+ get_digest(ctx, &reason->digest);
+ nreason += 1;
+ has_valid_cert = true;
+ }
rc = cert_iter_init(&iter, ctx->inpe);
if (rc < 0)
@@ -145,32 +281,81 @@ check_signature(pesigcheck_context *ctx)
ssize_t datalen;
while (1) {
+ /*
+ * Make sure we always have enough for this iteration of the
+ * loop, plus one "NO_WHITELIST" entry at the end.
+ */
+ if (nreason >= num_reasons - 4) {
+ struct reason *new_reasons;
+
+ num_reasons += 16;
+
+ new_reasons = calloc(sizeof(struct reason), num_reasons);
+ if (!new_reasons)
+ err(1, "check_signature");
+ reasonps = new_reasons;
+ }
+
rc = next_cert(&iter, &data, &datalen);
if (rc <= 0)
break;
- if (cert_matches_digest(ctx, data, datalen) < 0) {
- has_invalid_cert = 1;
- break;
+ reason = &reasonps[nreason];
+ if (cert_matches_digest(ctx, data, datalen,
+ &reason->digest) < 0) {
+ reason->reason = INVALID;
+ reason->type = DIGEST;
+ nreason += 1;
+ is_invalid = true;
}
- if (check_db_cert(DBX, ctx, data, datalen) == FOUND) {
- has_invalid_cert = 1;
- break;
+ reason = &reasonps[nreason];
+ if (check_db_cert(DBX, ctx, data, datalen,
+ &reason->db_cert) == FOUND) {
+ reason->reason = INVALID;
+ reason->type = SIGNATURE;
+ reason->sig.data = data;
+ reason->sig.len = datalen;
+ reason->type = siBuffer;
+ nreason += 1;
+ is_invalid = true;
}
- if (check_db_cert(DB, ctx, data, datalen) == FOUND)
- has_valid_cert = 1;
+ reason = &reasonps[nreason];
+ if (check_db_cert(DB, ctx, data, datalen,
+ &reason->db_cert) == FOUND) {
+ reason->reason = WHITELISTED;
+ reason->type = SIGNATURE;
+ reason->sig.data = data;
+ reason->sig.len = datalen;
+ reason->type = siBuffer;
+ nreason += 1;
+ has_valid_cert = true;
+ }
}
err:
- if (has_invalid_cert)
- return -1;
+ if (has_valid_cert != true) {
+ if (is_invalid != true) {
+ reason = &reasonps[nreason];
+ reason->reason = NO_WHITELIST;
+ reason->type = NONE;
+ nreason += 1;
+ }
+ is_invalid = true;
+ }
- if (has_valid_cert)
- return 0;
+ if (is_invalid == false)
+ ret = 0;
- return -1;
+ if (nreasons && reasons) {
+ *nreasons = nreason;
+ *reasons = reasonps;
+ } else {
+ free(reasonps);
+ }
+
+ return ret;
}
void
@@ -204,6 +389,9 @@ main(int argc, char *argv[])
pesigcheck_context ctx, *ctxp = &ctx;
+ struct reason *reasons = NULL;
+ int nreasons = 0;
+
char *dbfile = NULL;
char *dbxfile = NULL;
char *certfile = NULL;
@@ -242,6 +430,12 @@ main(int argc, char *argv[])
.arg = &ctx.quiet,
.val = 1,
.descrip = "return only; no text output." },
+ {.longName = "verbose",
+ .shortName = 'v',
+ .argInfo = POPT_BIT_SET,
+ .arg = &ctx.verbose,
+ .val = 1,
+ .descrip = "print reasons for success and failure." },
{.longName = "no-system-db",
.shortName = 'n',
.argInfo = POPT_ARG_INT,
@@ -308,12 +502,16 @@ main(int argc, char *argv[])
exit(1);
}
- rc = check_signature(ctxp);
+ rc = check_signature(ctxp, &nreasons, &reasons);
- close_input(ctxp);
+ if (!ctx.quiet && ctx.verbose) {
+ for (int i = 0; i < nreasons; i++)
+ print_reason(&reasons[i]);
+ }
if (!ctx.quiet)
printf("pesigcheck: \"%s\" is %s.\n", ctx.infile,
rc >= 0 ? "valid" : "invalid");
+ close_input(ctxp);
pesigcheck_context_fini(&ctx);
NSS_Shutdown();
diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
index 7b5cc89..aec415e 100644
--- a/src/pesigcheck_context.h
+++ b/src/pesigcheck_context.h
@@ -61,6 +61,7 @@ typedef struct pesigcheck_context {
Pe *inpe;
int quiet;
+ int verbose;
hashlist *hashes;
--
2.13.4

34
0021-Fix-race-condition-in-SEC_GetPassword.patch Normal file
View File

@ -0,0 +1,34 @@
From a40c584691ae071e93e8adf4e5c05bcd90c68159 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Sat, 6 May 2017 22:45:34 +0200
Subject: [PATCH 21/29] Fix race condition in SEC_GetPassword
A side effect of echoOff is to discard unread input, so if we print the
prompt before echoOff, the user (or process) at the other end might
react to it by writing the password in between those steps, which is
then discarded. This bit me when trying to drive pesign with an expect
script.
Signed-off-by: Julien Cristau <jcristau@debian.org>
---
src/password.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/password.c b/src/password.c
index cd1c07e..d4eae0d 100644
--- a/src/password.c
+++ b/src/password.c
@@ -71,9 +71,9 @@ static char *SEC_GetPassword(FILE *input, FILE *output, char *prompt,
for (;;) {
/* Prompt for password */
if (isTTY) {
+ echoOff(infd);
fprintf(output, "%s", prompt);
fflush (output);
- echoOff(infd);
}
fgets ( phrase, sizeof(phrase), input);
--
2.13.4

27
0022-sysvinit-Create-the-socket-directory-at-runtime.patch Normal file
View File

@ -0,0 +1,27 @@
From 27afa5a4ea8de1679603f5871935096280d0b12e Mon Sep 17 00:00:00 2001
From: David Michael <david.michael@coreos.com>
Date: Tue, 13 Jun 2017 13:20:16 -0700
Subject: [PATCH 22/29] sysvinit: Create the socket directory at runtime
This better supports non-systemd configurations with tmpfs on /run.
---
src/pesign.sysvinit.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index d8fffca..dc508d8 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -20,6 +20,9 @@ RETVAL=0
start(){
echo -n "Starting pesign: "
+ mkdir /var/run/pesign 2>/dev/null &&
+ chown pesign:pesign /var/run/pesign &&
+ chmod 0770 /var/run/pesign
daemon /usr/bin/pesign --daemonize
RETVAL=$?
echo
--
2.13.4

217
0023-Better-authorization-scripts.-Again.patch Normal file
View File

@ -0,0 +1,217 @@
From 31560e2784722b986b8a73cc28e3510870180b07 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 8 Aug 2017 15:44:44 -0400
Subject: [PATCH 23/29] Better authorization scripts. Again.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/Makefile | 12 ++++++----
src/pesign-authorize | 56 +++++++++++++++++++++++++++++++++++++++++++++
src/pesign-authorize-groups | 30 ------------------------
src/pesign-authorize-users | 30 ------------------------
src/pesign.service.in | 3 +--
src/pesign.sysvinit.in | 3 +--
6 files changed, 65 insertions(+), 69 deletions(-)
create mode 100755 src/pesign-authorize
delete mode 100644 src/pesign-authorize-groups
delete mode 100644 src/pesign-authorize-users
diff --git a/src/Makefile b/src/Makefile
index 654b792..84ad130 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
SVCTARGETS=pesign.sysvinit pesign.service
-TARGETS=$(BINTARGETS) $(SVCTARGETS)
+TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
all : deps $(TARGETS)
@@ -65,6 +65,9 @@ install_sysvinit: pesign.sysvinit
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
+pesign-users pesign-groups :
+ echo pesign > $@
+
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
@@ -88,10 +91,9 @@ install :
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
- $(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/
- $(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/
+ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users
- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups
+ $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
+ $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
.PHONY: all deps clean install
diff --git a/src/pesign-authorize b/src/pesign-authorize
new file mode 100755
index 0000000..a496f60
--- /dev/null
+++ b/src/pesign-authorize
@@ -0,0 +1,56 @@
+#!/bin/bash
+set -e
+set -u
+
+#
+# With /run/pesign/socket on tmpfs, a simple way of restoring the
+# acls for specific users is useful
+#
+# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
+#
+
+# License: GPLv2
+declare -a fileusers=()
+declare -a dirusers=()
+for user in $(cat /etc/pesign/users); do
+ dirusers[${#dirusers[@]}]=-m
+ dirusers[${#dirusers[@]}]="u:$user:rwx"
+ fileusers[${#fileusers[@]}]=-m
+ fileusers[${#fileusers[@]}]="u:$user:rw"
+done
+
+declare -a filegroups=()
+declare -a dirgroups=()
+for group in $(cat /etc/pesign/groups); do
+ dirgroups[${#dirgroups[@]}]=-m
+ dirgroups[${#dirgroups[@]}]="g:$group:rwx"
+ filegroups[${#filegroups[@]}]=-m
+ filegroups[${#filegroups[@]}]="g:$group:rw"
+done
+
+update_subdir() {
+ subdir=$1 && shift
+
+ setfacl -bk "${subdir}"
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
+ for x in "${subdir}"* ; do
+ if [ -d "${x}" ]; then
+ setfacl -bk ${x}
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
+ update_subdir "${x}/"
+ elif [ -e "${x}" ]; then
+ setfacl -bk ${x}
+ setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
+ else
+ :;
+ fi
+ done
+}
+
+for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+ if [ -d "${x}" ]; then
+ update_subdir "${x}"
+ else
+ :;
+ fi
+done
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
deleted file mode 100644
index cf51fb6..0000000
--- a/src/pesign-authorize-groups
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-set -e
-
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific groups is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
-# License: GPLv2
-
-if [ -r /etc/pesign/groups ]; then
- for group in $(cat /etc/pesign/groups); do
- if [ -d /var/run/pesign ]; then
- setfacl -m g:${group}:rx /var/run/pesign
- if [ -e /var/run/pesign/socket ]; then
- setfacl -m g:${group}:rw /var/run/pesign/socket
- fi
- fi
- for x in /etc/pki/pesign*/ ; do
- if [ -d ${x} ]; then
- setfacl -m g:${group}:rx ${x}
- for y in ${x}{cert8,key3,secmod}.db ; do
- setfacl -m g:${group}:rw ${y}
- done
- fi
- done
- done
-fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
deleted file mode 100644
index 940138e..0000000
--- a/src/pesign-authorize-users
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-set -e
-
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific users is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
-# License: GPLv2
-
-if [ -r /etc/pesign/users ]; then
- for username in $(cat /etc/pesign/users); do
- if [ -d /var/run/pesign ]; then
- setfacl -m g:${username}:rx /var/run/pesign
- if [ -e /var/run/pesign/socket ]; then
- setfacl -m g:${username}:rw /var/run/pesign/socket
- fi
- fi
- for x in /etc/pki/pesign*/ ; do
- if [ -d ${x} ]; then
- setfacl -m g:${username}:rx ${x}
- for y in ${x}{cert8,key3,secmod}.db ; do
- setfacl -m g:${username}:rw ${y}
- done
- fi
- done
- done
-fi
diff --git a/src/pesign.service.in b/src/pesign.service.in
index aaa408e..c75a000 100644
--- a/src/pesign.service.in
+++ b/src/pesign.service.in
@@ -6,5 +6,4 @@ PrivateTmp=true
Type=forking
PIDFile=/var/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups
+ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index dc508d8..b0e0f84 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -27,8 +27,7 @@ start(){
RETVAL=$?
echo
touch /var/lock/subsys/pesign
- @@LIBEXECDIR@@/pesign/pesign-authorize-users
- @@LIBEXECDIR@@/pesign/pesign-authorize-groups
+ @@LIBEXECDIR@@/pesign/pesign-authorize
}
stop(){
--
2.13.4

95
0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch Normal file
View File

@ -0,0 +1,95 @@
From a7b0f7e1ce2de1acea9a8c286a0ff3dd9bc245cb Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 8 Aug 2017 17:28:19 -0400
Subject: [PATCH 24/29] Make the daemon also try to give better errors on
-EPERM etc.
Basically 6796e5f but also for the daemon. This also tries to fix them
up to save errno better, for more accurate reporting.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.c | 27 +++++++++++++++++++++++++--
src/pesign.c | 8 ++++++--
2 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/src/daemon.c b/src/daemon.c
index 7f694b2..942d576 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -19,6 +19,7 @@
#include <errno.h>
#include <fcntl.h>
+#include <glob.h>
#include <poll.h>
#include <pwd.h>
#include <signal.h>
@@ -1104,10 +1105,32 @@ daemonize(cms_context *cms_ctx, char *certdir, int do_fork)
"pesignd starting (pid %d)", ctx.pid);
SECStatus status = NSS_Init(certdir);
+ int error = errno;
if (status != SECSuccess) {
+ char *globpattern = NULL;
+ rc = asprintf(&globpattern, "%s/cert*.db",
+ certdir);
+ if (rc > 0) {
+ glob_t globbuf;
+ memset(&globbuf, 0, sizeof(globbuf));
+ rc = glob(globpattern, GLOB_ERR, NULL,
+ &globbuf);
+ if (rc != 0) {
+ errno = error;
+ ctx.backup_cms->log(ctx.backup_cms,
+ ctx.priority|LOG_NOTICE,
+ "Could not open NSS database (\"%s\"): %m",
+ PORT_ErrorToString(PORT_GetError()));
+ exit(1);
+ }
+ }
+ }
+ if (status != SECSuccess) {
+ errno = error;
ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_NOTICE,
- "Could not initialize nss: %s\n",
- PORT_ErrorToString(PORT_GetError()));
+ "Could not initialize nss.\n"
+ "NSS says \"%s\" errno says \"%m\"\n",
+ PORT_ErrorToString(PORT_GetError()));
exit(1);
}
diff --git a/src/pesign.c b/src/pesign.c
index 5879cfc..6ceda34 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -660,10 +660,12 @@ main(int argc, char *argv[])
if (!daemon) {
SECStatus status;
+ int error;
if (need_db) {
status = NSS_Init(certdir);
if (status != SECSuccess) {
char *globpattern = NULL;
+ error = errno;
rc = asprintf(&globpattern, "%s/cert*.db",
certdir);
if (rc > 0) {
@@ -680,8 +682,10 @@ main(int argc, char *argv[])
} else
status = NSS_NoDB_Init(NULL);
if (status != SECSuccess) {
- errx(1, "Could not initialize nss. NSS says \"%s\" errno says \"%m\"\n",
- PORT_ErrorToString(PORT_GetError()));
+ errno = error;
+ errx(1, "Could not initialize nss.\n"
+ "NSS says \"%s\" errno says \"%m\"\n",
+ PORT_ErrorToString(PORT_GetError()));
}
status = register_oids(ctxp->cms_ctx);
--
2.13.4

31
0025-certdb-fix-PRTime-printfs-for-i686.patch Normal file
View File

@ -0,0 +1,31 @@
From bc1043bf2b428971e29a61a341da9a57595bada5 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 9 Aug 2017 17:40:33 -0400
Subject: [PATCH 25/29] certdb: fix PRTime printfs for i686
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index fae80af..29c9502 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -384,11 +384,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
}
if (lateNow < earlyNow)
- printf("Signature has impossible time constraint: %ld <= %ld\n",
- earlyNow / 1000000, lateNow / 1000000);
+ printf("Signature has impossible time constraint: %lld <= %lld\n",
+ earlyNow / 1000000LL, lateNow / 1000000LL);
atTime = earlyNow / 2 + lateNow / 2;
-
cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
NULL, NULL);
if (!cinfo)
--
2.13.4

41
0026-Clean-up-gcc-command-lines-a-little.patch Normal file
View File

@ -0,0 +1,41 @@
From a44115c9b4f43a1a7219f897bd33555e653d2e20 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 10 Aug 2017 10:02:38 -0400
Subject: [PATCH 26/29] Clean up gcc command lines a little
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Make.defaults | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/Make.defaults b/Make.defaults
index 39b78f0..b6c0381 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -20,8 +20,7 @@ CROSS_COMPILE ?= $(bindir)
PKG_CONFIG = $(CROSS_COMPILE)pkg-config
CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
CCLD := $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
-CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \
- -Wall -Werror -Wextra -Wno-error=cpp
+CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments -Wno-error=cpp
AS := $(CROSS_COMPILE)as
AR := $(CROSS_COMPILE)gcc-ar
RANLIB := $(CROSS_COMPILE)gcc-ranlib
@@ -36,10 +35,10 @@ ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,)
SOFLAGS = -shared
clang_cflags =
-gcc_cflags = -Wmaybe-uninitialized
+gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches
cflags = $(CFLAGS) $(ARCH3264) \
- -Wall -Werror -Wno-cpp -Wsign-compare -Wno-unused-result \
- -Wno-unused-function\
+ -Wall -Werror -Wextra -Wsign-compare -Wno-unused-result \
+ -Wno-unused-function -Wsign-compare \
-std=gnu11 -fshort-wchar -fPIC -flto -fno-strict-aliasing \
-fno-merge-constants -fkeep-inline-functions \
-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
--
2.13.4

54
0027-Make-pesign-users-groups-static-in-the-repo.patch Normal file
View File

@ -0,0 +1,54 @@
From a133d051c3f8acf3e058e92711eb528c3c0f41f9 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 10 Aug 2017 10:03:37 -0400
Subject: [PATCH 27/29] Make pesign-{users,groups} static in the repo.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/Makefile | 5 +----
src/pesign-groups | 1 +
src/pesign-users | 1 +
3 files changed, 3 insertions(+), 4 deletions(-)
create mode 100644 src/pesign-groups
create mode 100644 src/pesign-users
diff --git a/src/Makefile b/src/Makefile
index 84ad130..7d68fa1 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
SVCTARGETS=pesign.sysvinit pesign.service
-TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
+TARGETS=$(BINTARGETS) $(SVCTARGETS)
all : deps $(TARGETS)
@@ -65,9 +65,6 @@ install_sysvinit: pesign.sysvinit
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
-pesign-users pesign-groups :
- echo pesign > $@
-
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
diff --git a/src/pesign-groups b/src/pesign-groups
new file mode 100644
index 0000000..7f57cc5
--- /dev/null
+++ b/src/pesign-groups
@@ -0,0 +1 @@
+pesign
diff --git a/src/pesign-users b/src/pesign-users
new file mode 100644
index 0000000..7f57cc5
--- /dev/null
+++ b/src/pesign-users
@@ -0,0 +1 @@
+pesign
--
2.13.4

43
0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch Normal file
View File

@ -0,0 +1,43 @@
From 025eb8aea94761fdc45507b6192aafdef80d4842 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 9 Aug 2017 17:31:31 -0400
Subject: [PATCH 28/29] rpm: Make the client signer use the fedora values
unless overridden
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 69280e9..22a3ee6 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -9,6 +9,9 @@
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
+%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}}
+%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}}
+
%_pesign /usr/bin/pesign
%_pesign_client /usr/bin/pesign-client
@@ -41,11 +44,11 @@
--certdir ${nss} -c signer %{-o} \
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
elif [ -S /var/run/pesign/socket ]; then \
- %{_pesign_client} -t %{__pesign_token} \\\
- -c %{__pesign_cert} \\\
+ %{_pesign_client} -t %{__pesign_client_token} \\\
+ -c %{__pesign_client_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
else \
- %{_pesign} -t %{__pesign_token} -c %{__pesign_cert} \\\
+ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
--certdir ${_pesign_nssdir} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
fi \
--
2.13.4

39
0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch Normal file
View File

@ -0,0 +1,39 @@
From 86a6b02e4b95ab3629446e71895cc5e57ad4482f Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 14 Aug 2017 11:37:43 -0400
Subject: [PATCH 29/29] Make macros.pesign error in kojibuilder if we don't
have perms on the socket
---
src/macros.pesign | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/macros.pesign b/src/macros.pesign
index 22a3ee6..1665b4c 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -43,6 +43,21 @@
%{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
--certdir ${nss} -c signer %{-o} \
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
+ elif [ "%{vendor}" == "Fedora Project" -a \\\
+ "$(id -un)" == "mockbuild" -a \\\
+ "$(uname -m)" == "x86_64" ] && \\\
+ grep -q ID=fedora /etc/os-release && \\\
+ [[ "%{_buildhost}" =~ ^bkernel.* ]] && \\\
+ ! [ -S /var/run/pesign/socket ]; then \
+ echo "No socket even though this is %{_buildhost}" \
+ ls -ld /var/run/pesign || : \
+ getfacl /var/run/pesign || : \
+ ls -l /var/run/pesign/socket || : \
+ getfacl /var/run/pesign/socket || : \
+ echo =========== env ============== \
+ set \
+ echo =========== env ============== \
+ exit 1 \
elif [ -S /var/run/pesign/socket ]; then \
%{_pesign_client} -t %{__pesign_client_token} \\\
-c %{__pesign_client_cert} \\\
--
2.13.4

91
pesign.py Normal file
View File

@ -0,0 +1,91 @@
#!/usr/bin/python3
#
# Copyright 2017 Peter Jones <Peter Jones@random>
#
# Distributed under terms of the GPLv3 license.
"""
mock plugin to make sure pesign and mockbuild users have the right uid and
gid.
"""
from mockbuild.trace_decorator import getLog, traceLog
import mockbuild.util
requires_api_version = "1.1"
@traceLog()
def init(plugins, conf, buildroot):
""" hello """
Pesign(plugins, conf, buildroot)
def getuid(name):
""" get a uid for a user name """
output = mockbuild.util.do(["getent", "passwd", "%s" % (name,)],
returnOutput=1, printOutput=True)
output = output.split(':')
return output[2], output[3]
def getgid(name):
""" get a gid for a group name """
output = mockbuild.util.do(["getent", "group", "%s" % (name,)],
returnOutput=1, printOutput=True)
return output.split(':')[2]
def newgroup(name, gid, rootdir):
""" create a group with a gid """
getLog().info("creating group %s with gid %s" % (name, gid))
mockbuild.util.do(["groupadd",
"-g", "%s" % (gid,),
"-R", "%s" % (rootdir,),
"%s" % (name,),
])
def newuser(name, uid, gid, rootdir):
""" create a user with a uid """
getLog().info("creating user %s with uid %s" % (name, uid))
mockbuild.util.do(["useradd",
"-u", "%s" % (uid,),
"-g", "%s" % (gid,),
"-R", "%s" % (rootdir,),
"%s" % (name,)])
class Pesign(object):
""" Creates some stuff in our mock root """
# pylint: disable=too-few-public-methods
@traceLog()
def __init__(self, plugins, conf, buildroot):
""" Effectively we're doing:
getent group pesign >/dev/null || groupadd -r pesign
getent passwd pesign >/dev/null || \
useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin \
-c "Group for the pesign signing daemon" pesign
"""
self.buildroot = buildroot
self.pesign_opts = conf
self.config = buildroot.config
self.state = buildroot.state
self.users = {}
self.groups = {}
plugins.add_hook("postinit", self._pesignPostInitHook)
@traceLog()
def _pesignPostInitHook(self):
""" find our uid and gid lists """
for user in self.pesign_opts['users']:
uid, gid = getuid(user)
self.users[user] = [user, uid, gid]
for group in self.pesign_opts['groups']:
gid = getgid(group)
self.groups[group] = [group, gid]
# create our users
rootdir = self.buildroot.make_chroot_path()
for name, gid in self.groups.values():
newgroup(name, gid, rootdir)
for name, uid, gid in self.users.values():
newuser(name, uid, gid, rootdir)
# -*- coding: utf-8 -*-
# vim:fenc=utf-8:tw=75

83
pesign.spec
View File

@ -3,19 +3,23 @@
Summary: Signing utility for UEFI binaries
Name: pesign
Version: 0.112
Release: 3%{?dist}
Release: 20%{?dist}
Group: Development/System
License: GPLv2
URL: https://github.com/vathpela/pesign
Obsoletes: pesign-rh-test-certs <= 0.111-7
BuildRequires: git nspr nss nss-util popt-devel
BuildRequires: coolkey opensc nss-tools
BuildRequires: nss-tools
BuildRequires: nspr-devel >= 4.9.2-1
BuildRequires: nss-devel >= 3.13.6-1
BuildRequires: efivar-devel >= 26-1
BuildRequires: efivar-devel >= 30-4
BuildRequires: libuuid-devel
BuildRequires: tar xz
Requires: nspr nss nss-util popt rpm coolkey opensc
BuildRequires: python3-rpm-macros python3
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
BuildRequires: systemd
%endif
Requires: nspr nss nss-util popt rpm
Requires(pre): shadow-utils
ExclusiveArch: %{ix86} x86_64 ia64 aarch64 arm
%if 0%{?rhel} >= 7
@ -24,9 +28,37 @@ BuildRequires: rh-signing-tools >= 1.20-2
Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
Source1: certs.tar.xz
Source2: pesign.py
Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
Patch0002: 0002-Fix-command-line-parsing.patch
Patch0003: 0003-gcc-don-t-error-on-stuff-in-includes.patch
Patch0004: 0004-Fix-certficate-argument-name.patch
Patch0005: 0005-Fix-description-of-ascii-armor-option-in-manpage.patch
Patch0006: 0006-Make-ascii-work-since-we-documented-it.patch
Patch0007: 0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch
Patch0008: 0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch
Patch0009: 0009-pesigcheck-make-certfile-actually-work.patch
Patch0010: 0010-signerInfos-make-sure-err-is-always-initialized.patch
Patch0011: 0011-pesign-make-pesign-h-tell-you-the-file-name.patch
Patch0012: 0012-Add-coverity-build-scripts.patch
Patch0013: 0013-Document-implicit-fallthrough.patch
Patch0014: 0014-Actually-setfacl-each-directory-of-our-key-storage.patch
Patch0015: 0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch
Patch0016: 0016-efikeygen-add-modsign.patch
Patch0017: 0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch
Patch0018: 0018-show-which-db-we-re-checking.patch
Patch0019: 0019-more-about-the-time.patch
Patch0020: 0020-try-to-say-why-something-fails.patch
Patch0021: 0021-Fix-race-condition-in-SEC_GetPassword.patch
Patch0022: 0022-sysvinit-Create-the-socket-directory-at-runtime.patch
Patch0023: 0023-Better-authorization-scripts.-Again.patch
Patch0024: 0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch
Patch0025: 0025-certdb-fix-PRTime-printfs-for-i686.patch
Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch
Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch
Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
%description
This package contains the pesign utility for signing UEFI binaries as
@ -76,6 +108,9 @@ rm -vf %{buildroot}/usr/share/doc/pesign-%{version}/COPYING
# and find-debuginfo.sh has some pretty awful deficencies too...
cp -av libdpe/*.[ch] src/
install -d -m 0755 %{buildroot}%{python3_sitelib}/mockbuild/plugins/
install -m 0755 %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
%pre
getent group pesign >/dev/null || groupadd -r pesign
getent passwd pesign >/dev/null || \
@ -86,19 +121,15 @@ exit 0
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
%post
%systemd_post pesign.service
modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
-libfile %{_libdir}/pkcs11/opensc-pkcs11.so >/dev/null
#modutil -force -dbdir %{_sysconfdir}/pki/pesign -add coolkey \
# -libfile %%{_libdir}/pkcs11/libcoolkeypk11.so
#%%posttrans
#%%{_libexecdir}/pesign/pesign-authorize
%preun
%systemd_preun pesign.service
%postun
%systemd_postun_with_restart pesign.service
%else
%post
modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
-libfile %{_libdir}/pkcs11/opensc-pkcs11.so >/dev/null
%endif
%files
@ -114,18 +145,15 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
%{_bindir}/pesign-client
%dir %{_libexecdir}/pesign/
%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign/
%attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
%config(noreplace) %attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/
%attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/*
%{_libexecdir}/pesign/pesign-authorize-users
%{_libexecdir}/pesign/pesign-authorize-groups
%config(noreplace) %attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/*
%{_libexecdir}/pesign/pesign-authorize
%config(noreplace)/%{_sysconfdir}/pesign/users
%config(noreplace)/%{_sysconfdir}/pesign/groups
%{_sysconfdir}/popt.d/pesign.popt
%{macrosdir}/macros.pesign
%{_mandir}/man*/*
%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign
%attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
%dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name}
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid
@ -133,8 +161,27 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
%{_tmpfilesdir}/pesign.conf
%{_unitdir}/pesign.service
%endif
%{python3_sitelib}/mockbuild/plugins/*/pesign.*
%{python3_sitelib}/mockbuild/plugins/pesign.*
%changelog
* Tue Aug 15 2017 Peter Jones <pjones@redhat.com> - 0.112-20
- Maybe fewer typoes would be better.
* Tue Aug 15 2017 Peter Jones <pjones@redhat.com> - 0.112-19
- Update to match f26 and f27 builds.
* Thu Aug 10 2017 Peter Jones <pjones@redhat.com> - 0.112-6
- Try to fix the db problem nirik is seeing trying to upgrade the builders.
* Fri Jan 06 2017 Peter Jones <pjones@redhat.com> - 0.112-5
- Don't Req: or BuildReq: coolkey or opensc; those belong in system deploy
scripts.
Related: rhbz#1349073
* Wed Aug 17 2016 Peter Jones <pjones@redhat.com> - 0.112-4
- Build as -4 to make bodhi happy.
* Fri Aug 12 2016 Adam Williamson <awilliam@redhat.com> - 0.112-3
- backport fix for command line parsing from upstream master