sbverify: Add --verbose option

Add an option to print the certificate & signature info while verifying
a signed image.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
Jeremy Kerr 2012-10-10 15:56:58 +08:00
parent cd51a26911
commit c98692a71f


@ -56,6 +56,7 @@
#include <openssl/x509v3.h> #include <openssl/x509v3.h>
static const char *toolname = "sbverify"; static const char *toolname = "sbverify";
static const int cert_name_len = 160;
enum verify_status { enum verify_status {
VERIFY_FAIL = 0, VERIFY_FAIL = 0,
@ -66,6 +67,7 @@ static struct option options[] = {
{ "cert", required_argument, NULL, 'c' }, { "cert", required_argument, NULL, 'c' },
{ "no-verify", no_argument, NULL, 'n' }, { "no-verify", no_argument, NULL, 'n' },
{ "detached", required_argument, NULL, 'd' }, { "detached", required_argument, NULL, 'd' },
{ "verbose", no_argument, NULL, 'v' },
{ "help", no_argument, NULL, 'h' }, { "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, 'V' }, { "version", no_argument, NULL, 'V' },
{ NULL, 0, NULL, 0 }, { NULL, 0, NULL, 0 },
@ -100,6 +102,61 @@ int load_cert(X509_STORE *certs, const char *filename)
return 0; return 0;
} }
static void print_signature_info(PKCS7 *p7)
{
char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
PKCS7_SIGNER_INFO *si;
X509 *cert;
int i;
printf("image signature issuers:\n");
for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(p7->d.sign->signer_info);
i++) {
si = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, i);
X509_NAME_oneline(si->issuer_and_serial->issuer,
issuer_name, cert_name_len);
printf(" - %s\n", issuer_name);
}
printf("image signature certificates:\n");
for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
cert = sk_X509_value(p7->d.sign->cert, i);
X509_NAME_oneline(cert->cert_info->subject,
subject_name, cert_name_len);
X509_NAME_oneline(cert->cert_info->issuer,
issuer_name, cert_name_len);
printf(" - subject: %s\n", subject_name);
printf(" issuer: %s\n", issuer_name);
}
}
static void print_certificate_store_certs(X509_STORE *certs)
{
char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
X509_OBJECT *obj;
int i;
printf("certificate store:\n");
for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
obj = sk_X509_OBJECT_value(certs->objs, i);
if (obj->type != X509_LU_X509)
continue;
X509_NAME_oneline(obj->data.x509->cert_info->subject,
subject_name, cert_name_len);
X509_NAME_oneline(obj->data.x509->cert_info->issuer,
issuer_name, cert_name_len);
printf(" - subject: %s\n", subject_name);
printf(" issuer: %s\n", issuer_name);
}
}
static int load_image_signature_data(struct image *image, static int load_image_signature_data(struct image *image,
uint8_t **buf, size_t *len) uint8_t **buf, size_t *len)
{ {
@ -146,12 +203,14 @@ int main(int argc, char **argv)
uint8_t *sig_buf; uint8_t *sig_buf;
size_t sig_size; size_t sig_size;
struct idc *idc; struct idc *idc;
bool verbose;
BIO *idcbio; BIO *idcbio;
PKCS7 *p7; PKCS7 *p7;
status = VERIFY_FAIL; status = VERIFY_FAIL;
certs = X509_STORE_new(); certs = X509_STORE_new();
verify = 1; verify = 1;
verbose = false;
detached_sig_filename = NULL; detached_sig_filename = NULL;
OpenSSL_add_all_digests(); OpenSSL_add_all_digests();
@ -175,6 +234,9 @@ int main(int argc, char **argv)
case 'n': case 'n':
verify = 0; verify = 0;
break; break;
case 'v':
verbose = true;
break;
case 'V': case 'V':
version(); version();
return EXIT_SUCCESS; return EXIT_SUCCESS;
@ -218,6 +280,11 @@ int main(int argc, char **argv)
goto out; goto out;
} }
if (verbose) {
print_signature_info(p7);
print_certificate_store_certs(certs);
}
idcbio = BIO_new(BIO_s_mem()); idcbio = BIO_new(BIO_s_mem());
idc = IDC_get(p7, idcbio); idc = IDC_get(p7, idcbio);
if (!idc) if (!idc)
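Review bot: In print_signature_info and print_certificate_store_certs (third hunk) the return value of X509_NAME_oneline is ignored and subject_name/issuer_name are never initialised, so if a conversion fails the following printf("%s") reads an indeterminate stack buffer; initialise them, `char subject_name[cert_name_len + 1] = "", issuer_name[cert_name_len + 1] = "";`, or test the return value before printing. Since cert_name_len is a `static const int` rather than a constant expression in C, those declarations are also variable-length arrays; `enum { CERT_NAME_LEN = 160 };` would make them ordinary fixed-size arrays. The names printed come from the not-yet-verified PKCS7 blob and the verbose block at the end of the last hunk runs before IDC_get and, it appears, before the signature check, so a comment such as `/* informational only: printed before verification, not to be trusted */` above `if (verbose)` would help readers. The short-option string passed to getopt_long and the usage() text are outside the visible hunks; confirm `-v` and a `--verbose` line were added there too.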