fileio: Unify key & cert loading

Rather than duplicating the key & certificate loading in each tool,
unify it in a fileio object.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
This commit is contained in:
Jeremy Kerr 2012-08-03 10:36:38 +08:00
parent d27647ba69
commit d19b993024
6 changed files with 138 additions and 88 deletions

View file

@ -5,7 +5,7 @@ bin_PROGRAMS = sbsign sbverify sbattach sbvarsign
coff_headers = coff/external.h coff/pe.h coff/i386.h coff/x86_64.h coff_headers = coff/external.h coff/pe.h coff/i386.h coff/x86_64.h
common_SOURCES = idc.c idc.h image.c image.h $(coff_headers) common_SOURCES = idc.c idc.h image.c image.h fileio.c fileio.h $(coff_headers)
common_LDADD = lib/ccan/libccan.a $(libcrypto_LIBS) common_LDADD = lib/ccan/libccan.a $(libcrypto_LIBS)
common_CFLAGS = -I$(srcdir)/lib/ccan/ common_CFLAGS = -I$(srcdir)/lib/ccan/
@ -21,7 +21,7 @@ sbattach_SOURCES = sbattach.c $(common_SOURCES)
sbattach_LDADD = $(common_LDADD) sbattach_LDADD = $(common_LDADD)
sbattach_CFLAGS = $(AM_CFLAGS) $(common_CFLAGS) sbattach_CFLAGS = $(AM_CFLAGS) $(common_CFLAGS)
sbvarsign_SOURCES = sbvarsign.c sbvarsign_SOURCES = sbvarsign.c $(common_SOURCES)
sbvarsign_LDADD = $(common_LDADD) $(uuid_LIBS) sbvarsign_LDADD = $(common_LDADD) $(uuid_LIBS)
sbvarsign_CPPFLAGS = $(EFI_CPPFLAGS) sbvarsign_CPPFLAGS = $(EFI_CPPFLAGS)
sbvarsign_CFLAGS = $(AM_CFLAGS) $(uuid_CFLAGS) $(common_CFLAGS) sbvarsign_CFLAGS = $(AM_CFLAGS) $(uuid_CFLAGS) $(common_CFLAGS)

80
fileio.c Normal file
View file

@ -0,0 +1,80 @@
/*
* Copyright (C) 2012 Jeremy Kerr <jeremy.kerr@canonical.com>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 3
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
* USA.
*
* In addition, as a special exception, the copyright holders give
* permission to link the code of portions of this program with the OpenSSL
* library under certain conditions as described in each individual source file,
* and distribute linked combinations including the two.
*
* You must obey the GNU General Public License in all respects for all
* of the code used other than OpenSSL. If you modify file(s) with this
* exception, you may extend this exception to your version of the
* file(s), but you are not obligated to do so. If you do not wish to do
* so, delete this exception statement from your version. If you delete
* this exception statement from all source files in the program, then
* also delete it here.
*/
#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/err.h>
#include "fileio.h"
EVP_PKEY *fileio_read_pkey(const char *filename)
{
EVP_PKEY *key = NULL;
BIO *bio;
bio = BIO_new_file(filename, "r");
if (!bio)
goto out;
key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
out:
BIO_free_all(bio);
if (!key) {
fprintf(stderr, "Can't load key from file '%s'\n", filename);
ERR_print_errors_fp(stderr);
}
return key;
}
X509 *fileio_read_cert(const char *filename)
{
X509 *cert = NULL;
BIO *bio;
bio = BIO_new_file(filename, "r");
if (!bio)
goto out;
cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
out:
BIO_free_all(bio);
if (!cert) {
fprintf(stderr, "Can't load certificate from file '%s'\n",
filename);
ERR_print_errors_fp(stderr);
}
return cert;
}

42
fileio.h Normal file
View file

@ -0,0 +1,42 @@
/*
* Copyright (C) 2012 Jeremy Kerr <jeremy.kerr@canonical.com>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 3
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
* USA.
*
* In addition, as a special exception, the copyright holders give
* permission to link the code of portions of this program with the OpenSSL
* library under certain conditions as described in each individual source file,
* and distribute linked combinations including the two.
*
* You must obey the GNU General Public License in all respects for all
* of the code used other than OpenSSL. If you modify file(s) with this
* exception, you may extend this exception to your version of the
* file(s), but you are not obligated to do so. If you do not wish to do
* so, delete this exception statement from your version. If you delete
* this exception statement from all source files in the program, then
* also delete it here.
*/
#ifndef FILEIO_H
#define FILEIO_H
#include <openssl/evp.h>
#include <openssl/x509.h>
EVP_PKEY *fileio_read_pkey(const char *filename);
X509 *fileio_read_cert(const char *filename);
#endif /* FILEIO_H */

View file

@ -53,6 +53,7 @@
#include "idc.h" #include "idc.h"
#include "image.h" #include "image.h"
#include "fileio.h"
static const char *toolname = "sbsign"; static const char *toolname = "sbsign";
@ -185,20 +186,13 @@ int main(int argc, char **argv)
OpenSSL_add_all_digests(); OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers(); OpenSSL_add_all_ciphers();
BIO *privkey_bio = BIO_new_file(keyfilename, "r"); EVP_PKEY *pkey = fileio_read_pkey(keyfilename);
EVP_PKEY *pkey = PEM_read_bio_PrivateKey(privkey_bio, NULL, NULL, NULL); if (!pkey)
if (!pkey) {
fprintf(stderr, "error reading private key %s\n", keyfilename);
return EXIT_FAILURE; return EXIT_FAILURE;
}
BIO *cert_bio = BIO_new_file(certfilename, "r"); X509 *cert = fileio_read_cert(certfilename);
X509 *cert = PEM_read_bio_X509(cert_bio, NULL, NULL, NULL); if (!cert)
if (!cert) {
fprintf(stderr, "error reading certificate %s\n", certfilename);
return EXIT_FAILURE; return EXIT_FAILURE;
}
const EVP_MD *md = EVP_get_digestbyname("SHA256"); const EVP_MD *md = EVP_get_digestbyname("SHA256");

View file

@ -55,6 +55,7 @@
#include <ccan/talloc/talloc.h> #include <ccan/talloc/talloc.h>
#include "efi-varauth.h" #include "efi-varauth.h"
#include "fileio.h"
static const char *toolname = "sbvarsign"; static const char *toolname = "sbvarsign";
@ -262,55 +263,6 @@ static int set_timestamp(EFI_TIME *timestamp)
return 0; return 0;
} }
static int load_key(struct varsign_context *ctx, const char *filename)
{
BIO *bio;
bio = BIO_new_file(filename, "r");
if (!bio)
goto err;
ctx->key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
if (!ctx->key)
goto err;
BIO_free_all(bio);
return 0;
err:
if (bio)
BIO_free_all(bio);
fprintf(stderr, "Can't load key from file '%s'\n", filename);
ERR_print_errors_fp(stderr);
return -1;
}
static int load_cert(struct varsign_context *ctx, const char *filename)
{
BIO *bio;
bio = BIO_new_file(filename, "r");
if (!bio)
goto err;
ctx->cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
if (!ctx->cert)
goto err;
BIO_free_all(bio);
return 0;
err:
if (bio)
BIO_free_all(bio);
fprintf(stderr, "Can't load certificate from file '%s'\n", filename);
ERR_print_errors_fp(stderr);
return -1;
}
static int add_auth_descriptor(struct varsign_context *ctx) static int add_auth_descriptor(struct varsign_context *ctx)
{ {
EFI_VARIABLE_AUTHENTICATION_2 *auth; EFI_VARIABLE_AUTHENTICATION_2 *auth;
@ -605,10 +557,12 @@ int main(int argc, char **argv)
if (read_var_data(ctx)) if (read_var_data(ctx))
return EXIT_FAILURE; return EXIT_FAILURE;
if (load_key(ctx, keyfilename)) ctx->key = fileio_read_pkey(keyfilename);
if (!ctx->key)
return EXIT_FAILURE; return EXIT_FAILURE;
if (load_cert(ctx, certfilename)) ctx->cert = fileio_read_cert(certfilename);
if (!ctx->cert)
return EXIT_FAILURE; return EXIT_FAILURE;
/* do the signing */ /* do the signing */

View file

@ -46,6 +46,7 @@
#include "image.h" #include "image.h"
#include "idc.h" #include "idc.h"
#include "fileio.h"
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/bio.h> #include <openssl/bio.h>
@ -90,34 +91,13 @@ static void version(void)
int load_cert(X509_STORE *certs, const char *filename) int load_cert(X509_STORE *certs, const char *filename)
{ {
X509 *cert; X509 *cert;
BIO *bio;
bio = NULL; cert = fileio_read_cert(filename);
cert = NULL; if (!cert)
return -1;
bio = BIO_new_file(filename, "r");
if (!bio) {
fprintf(stderr, "Couldn't open file %s\n", filename);
goto err;
}
cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
if (!cert) {
fprintf(stderr, "Couldn't read certificate file %s\n",
filename);
goto err;
}
X509_STORE_add_cert(certs, cert); X509_STORE_add_cert(certs, cert);
return 0; return 0;
err:
ERR_print_errors_fp(stderr);
if (cert)
X509_free(cert);
if (bio)
BIO_free(bio);
return -1;
} }
static int load_image_signature_data(struct image *image, static int load_image_signature_data(struct image *image,