image: add functions to add and remove signatures
Rather than setting ->sigbuf directly, add two functions to handle image signature addition and removal: image_add_signature(image, sig, sigsize); image_remove_signature(image); And warn when a signature is to be overwritten. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
parent
36e79114d2
commit
d27647ba69
7 changed files with 56 additions and 12 deletions
20
image.c
20
image.c
|
@ -390,6 +390,26 @@ int image_hash_sha256(struct image *image, uint8_t digest[])
|
|||
return !rc;
|
||||
}
|
||||
|
||||
int image_add_signature(struct image *image, void *sig, int size)
|
||||
{
|
||||
/* we only support one signature at present */
|
||||
if (image->sigbuf) {
|
||||
fprintf(stderr, "warning: overwriting existing signature\n");
|
||||
talloc_free(image->sigbuf);
|
||||
}
|
||||
image->sigbuf = sig;
|
||||
image->sigsize = size;
|
||||
return 0;
|
||||
}
|
||||
|
||||
void image_remove_signature(struct image *image)
|
||||
{
|
||||
if (image->sigbuf)
|
||||
talloc_free(image->sigbuf);
|
||||
image->sigbuf = NULL;
|
||||
image->sigsize = 0;
|
||||
}
|
||||
|
||||
int image_write(struct image *image, const char *filename)
|
||||
{
|
||||
struct cert_table_header cert_table_header;
|
||||
|
|
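Review bot: image_add_signature() stores `sig` and `size` without checking them and always returns 0, so a NULL buffer or a non-positive length is recorded as a valid signature and the `int` return tells callers nothing. A guard such as `if (!sig || size <= 0) return -1;` ahead of the overwrite branch would give the return value a meaning. The `talloc_free(image->sigbuf)` calls in both new functions are only valid if every existing `sigbuf` is its own talloc allocation. The code that fills `sigbuf` when an already signed image is loaded is not shown here, so this needs confirming; a pointer into the image buffer would make it an invalid free.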
2
image.h
2
image.h
|
@ -92,6 +92,8 @@ struct image *image_load(const char *filename);
|
|||
|
||||
int image_find_regions(struct image *image);
|
||||
int image_hash_sha256(struct image *image, uint8_t digest[]);
|
||||
int image_add_signature(struct image *, void *sig, int size);
|
||||
void image_remove_signature(struct image *image);
|
||||
int image_write(struct image *image, const char *filename);
|
||||
int image_write_detached(struct image *image, const char *filename);
|
||||
|
||||
|
|
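Review bot: The new prototype `int image_add_signature(struct image *, void *sig, int size);` omits the name of its first parameter while every neighbouring declaration names it; `int image_add_signature(struct image *image, void *sig, int size);` matches the rest of the header. The declaration also needs a comment stating the ownership rule the implementation relies on, for example `/* takes ownership of sig, which must be a talloc allocation; an existing signature is freed */`.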
|
@ -133,11 +133,10 @@ static int attach_sig(struct image *image, const char *image_filename,
|
|||
goto out;
|
||||
}
|
||||
|
||||
image->sigbuf = sigbuf;
|
||||
image->sigsize = size;
|
||||
image_add_signature(image, sigbuf, size);
|
||||
|
||||
tmp_buf = sigbuf;
|
||||
p7 = d2i_PKCS7(NULL, &tmp_buf, image->sigsize);
|
||||
p7 = d2i_PKCS7(NULL, &tmp_buf, size);
|
||||
if (!p7) {
|
||||
fprintf(stderr, "Unable to parse signature data in file: %s\n",
|
||||
sig_filename);
|
||||
|
@ -168,8 +167,7 @@ static int remove_sig(struct image *image, const char *image_filename)
|
|||
{
|
||||
int rc;
|
||||
|
||||
image->sigbuf = NULL;
|
||||
image->sigsize = 0;
|
||||
image_remove_signature(image);
|
||||
|
||||
rc = image_write(image, image_filename);
|
||||
if (rc)
|
||||
|
|
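Review bot: In attach_sig() the call `image_add_signature(image, sigbuf, size);` runs before `d2i_PKCS7()` has parsed the new data, so an existing signature is freed and replaced by bytes that may not be a PKCS#7 structure at all. Moving the call below the `if (!p7) { ... }` check would keep the image's current signature intact when the signature file is rejected. What the `out` path does with the image afterwards lies outside the hunk. The return value of image_add_signature() is also discarded here, and attach_sig() itself starts and ends outside the hunk.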
13
sbsign.c
13
sbsign.c
|
@ -112,8 +112,8 @@ int main(int argc, char **argv)
|
|||
{
|
||||
const char *keyfilename, *certfilename;
|
||||
struct sign_context *ctx;
|
||||
uint8_t *buf;
|
||||
int rc, c;
|
||||
uint8_t *buf, *tmp;
|
||||
int rc, c, sigsize;
|
||||
|
||||
ctx = talloc_zero(NULL, struct sign_context);
|
||||
|
||||
|
@ -220,12 +220,13 @@ int main(int argc, char **argv)
|
|||
if (rc)
|
||||
return EXIT_FAILURE;
|
||||
|
||||
ctx->image->sigsize = i2d_PKCS7(p7, NULL);
|
||||
ctx->image->sigbuf = buf = talloc_array(ctx->image,
|
||||
uint8_t, ctx->image->sigsize);
|
||||
i2d_PKCS7(p7, &buf);
|
||||
sigsize = i2d_PKCS7(p7, NULL);
|
||||
tmp = buf = talloc_array(ctx->image, uint8_t, sigsize);
|
||||
i2d_PKCS7(p7, &tmp);
|
||||
ERR_print_errors_fp(stdout);
|
||||
|
||||
image_add_signature(ctx->image, buf, sigsize);
|
||||
|
||||
if (ctx->detached)
|
||||
image_write_detached(ctx->image, ctx->outfilename);
|
||||
else
|
||||
|
|
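Review bot: `sigsize = i2d_PKCS7(p7, NULL);` is used unchecked: i2d_PKCS7() signals an encoding failure through its return value, which then goes to `talloc_array()` as the element count and to `image_add_signature()` as the signature length. Add `if (sigsize <= 0) return EXIT_FAILURE;` after the length query and `if (!buf) return EXIT_FAILURE;` after the allocation, and compare the result of the second i2d_PKCS7() call with `sigsize` before attaching. For a signing tool this matters because the output could otherwise be written with a missing or truncated signature; the visible `image_write_detached()` call does not check its result either. main() continues outside the hunk.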
|
@ -45,7 +45,9 @@ TESTS = sign-verify.sh \
|
|||
verify-missing-image.sh \
|
||||
verify-missing-cert.sh \
|
||||
sign-invalidattach-verify.sh \
|
||||
cert-table-header.sh
|
||||
cert-table-header.sh \
|
||||
resign-warning.sh \
|
||||
reattach-warning.sh
|
||||
|
||||
EXTRA_DIST = $(test_lds) test.S $(TESTS) $(check_SCRIPTS)
|
||||
CLEANFILES = $(test_key) $(test_cert) $(test_image)
|
||||
|
|
12
tests/reattach-warning.sh
Executable file
12
tests/reattach-warning.sh
Executable file
|
@ -0,0 +1,12 @@
|
|||
#!/bin/bash -e
|
||||
|
||||
. "$srcdir/common.sh"
|
||||
|
||||
signed="test.signed"
|
||||
sig="test.sig"
|
||||
|
||||
"$sbsign" --cert "$cert" --key "$key" --detached --output "$sig" "$image"
|
||||
cp "$image" "$signed"
|
||||
"$sbattach" --attach "$sig" "$signed"
|
||||
"$sbattach" --attach "$sig" "$signed" 2>&1 |
|
||||
grep '^warning: overwriting'
|
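Review bot: The final command is a pipeline (`"$sbattach" --attach "$sig" "$signed" 2>&1 |` followed by `grep '^warning: overwriting'`), and `bash -e` only acts on grep's exit status, so the test passes even if the second attach fails after printing the warning. Adding `set -o pipefail` after the shebang makes a failing sbattach fail the test. tests/resign-warning.sh has the same pattern with `"$sbsign"`. Neither script checks that the output file still carries a valid signature after the overwrite, which is the property these tools exist to guarantee.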
9
tests/resign-warning.sh
Executable file
9
tests/resign-warning.sh
Executable file
|
@ -0,0 +1,9 @@
|
|||
#!/bin/bash -e
|
||||
|
||||
. "$srcdir/common.sh"
|
||||
|
||||
signed="test.signed"
|
||||
|
||||
"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image"
|
||||
"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$signed" 2>&1 |
|
||||
grep '^warning: overwriting'
|