vbatts/sbsigntools
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

sbattach: fix --detach

Browse source 
sbattach --detach isn't working, as we're not properly setting sigbuf in
image_pecoff parse.

This change ensures we populate sigbuf when we find a valid cert table.
Also, add a test case for this.

Bug report & initial patch from from Steve Langasek.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
This commit is contained in:
Jeremy Kerr 2012-08-02 16:43:08 +08:00
parent ca05adbc77
commit 36e79114d2
3 changed files with 31 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
image.c
View file

@ -47,6 +47,9 @@
#define DATA_DIR_CERT_TABLE 4 #define DATA_DIR_CERT_TABLE 4
#define CERT_TABLE_TYPE_PKCS 0x0002 /* PKCS signedData */
#define CERT_TABLE_REVISION 0x0200 /* revision 2 */
/** /**
* The PE/COFF headers export struct fields as arrays of chars. So, define * The PE/COFF headers export struct fields as arrays of chars. So, define
* a couple of accessor functions that allow fields to be deferenced as their * a couple of accessor functions that allow fields to be deferenced as their
@ -75,6 +78,7 @@ static uint16_t __pehdr_u16(char field[])
static int image_pecoff_parse(struct image *image) static int image_pecoff_parse(struct image *image)
{ {
struct cert_table_header *cert_table;
char nt_sig[] = {'P', 'E', 0, 0}; char nt_sig[] = {'P', 'E', 0, 0};
size_t size = image->size; size_t size = image->size;
uint32_t addr; uint32_t addr;
@ -142,9 +146,21 @@ static int image_pecoff_parse(struct image *image)
image->cert_table_size = image->data_dir_sigtable->size; image->cert_table_size = image->data_dir_sigtable->size;
if (image->cert_table_size) if (image->cert_table_size)
image->cert_table = image->buf + image->data_dir_sigtable->addr; cert_table = image->buf + image->data_dir_sigtable->addr;
else else
image->cert_table = NULL; cert_table = NULL;
image->cert_table = cert_table;
/* if we have a valid cert table header, populate sigbuf as a shadow
* copy of the cert table */
if (cert_table && cert_table->revision == CERT_TABLE_REVISION &&
cert_table->type == CERT_TABLE_TYPE_PKCS &&
cert_table->size < size) {
image->sigsize = cert_table->size;
image->sigbuf = talloc_memdup(image, cert_table + 1,
image->sigsize);
}
image->sections = pehdr_u16(image->pehdr->f_nscns); image->sections = pehdr_u16(image->pehdr->f_nscns);
image->scnhdr = (void *)(image->aouthdr+1); image->scnhdr = (void *)(image->aouthdr+1);
@ -387,8 +403,8 @@ int image_write(struct image *image, const char *filename)
if (is_signed) { if (is_signed) {
cert_table_header.size = image->sigsize + cert_table_header.size = image->sigsize +
sizeof(cert_table_header); sizeof(cert_table_header);
cert_table_header.revision = 0x0200; /* = revision 2 */ cert_table_header.revision = CERT_TABLE_REVISION;
cert_table_header.type = 0x0002; /* PKCS signedData */ cert_table_header.type = CERT_TABLE_TYPE_PKCS;
len = sizeof(cert_table_header) + image->sigsize; len = sizeof(cert_table_header) + image->sigsize;

1
tests/Makefile.am
View file

@ -37,6 +37,7 @@ $(test_cert): $(test_key) Makefile
TESTS = sign-verify.sh \ TESTS = sign-verify.sh \
sign-verify-detached.sh \ sign-verify-detached.sh \
sign-detach-verify.sh \
sign-attach-verify.sh \ sign-attach-verify.sh \
sign-missing-image.sh \ sign-missing-image.sh \
sign-missing-cert.sh \ sign-missing-cert.sh \

10
tests/sign-detach-verify.sh Executable file
View file

@ -0,0 +1,10 @@
#!/bin/bash -e
. "$srcdir/common.sh"
signed="test.signed"
sig="test.sig"
"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image"
"$sbattach" --detach "$sig" "$signed"
"$sbverify" --cert "$cert" --detached $sig "$image"