Commit graph

144 commits

Author SHA1 Message Date
Jeremy Kerr
b05afccde0 tests: Add a few simple tests
Add a few tests for the sign, verify, attach and detach code. These
require some additional infrastructure to create a sample PE/COFF
executable, plus a key & cert for testing.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 14:23:26 +08:00
Jeremy Kerr
0c5de30566 Remove unused test.c file
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-13 10:02:59 +08:00
Jeremy Kerr
edf1d26d49 sbattach: Add tool to manage detached signatures
Add a third tool (`sbattach`) to attach and detach signatures from
PE/COFF files.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-12 17:47:38 +08:00
Jeremy Kerr
be7559abfe image: Add facility to write unsigned images
Change image_write_signed to image_write, and conditionally write the
signature if one is present.

This will allow us to write unsigned images when detaching a sig from an
image.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-12 10:19:08 +08:00
Jeremy Kerr
a8f1453a53 sbsign,sbverify: Update getopt_long optstrings
The optstrings for sbsign and sbverify are out of sync with the long
options; this change brings them up to date.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-11 19:49:28 +08:00
Jeremy Kerr
dc9ffc752f sbverify: Add support for detached signatures
Allow sbverify to read PKCS7 data from a separate file with the
'--detached <file>' option.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-11 17:19:15 +08:00
Jeremy Kerr
f457bb21f1 sbverify: Split image signature table reading to separate function
We'd like to read detached signatures too, so split the
signature-buffer-reading code into a separate function.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-11 17:04:17 +08:00
Jeremy Kerr
ffc1f41ace Fix warnings from added -W flags
Fix a few warnings:

 idc.c: In function ‘IDC_get’:
 idc.c:248:12: warning: ‘idclen’ may be used uninitialised in this function [-Wuninitialized]

 image.c: In function ‘image_load’:
 image.c:37:15: warning: unused variable ‘bytes_read’ [-Wunused-variable]

Plus, a bunch of strict-aliasing warnings:

 image.c:101:2: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
 [ similar warnings trimmed ]

when compiling image.c. Since struct external_PEI_DOS_hdr uses char[]
types for all members, we need to use accessors here.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-11 16:54:42 +08:00
Jeremy Kerr
34edfd6348 automake: Add -Wall -Wextra CFLAGS
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-11 15:59:48 +08:00
Jeremy Kerr
3c9815acc6 sbsign: Add --detached option to create detached PKCS7 signatures
Add an option (--detached) to sbsign, which creates a detached
signature, rather than embedding it in the PE/COFF signature table.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-11 15:59:48 +08:00
Jeremy Kerr
f98a885cfa sbsign: fix flag for verbose operation
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-11 14:54:57 +08:00
Jeremy Kerr
9786761e4f docs: Fix manpage creation
$(builddir) should be $(top_builddir), and we need a valid definition of
MKDIR_P to create the docs.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-06-11 14:37:33 +08:00
Adam Conrad
b0619274fd autogen.sh: Fix ccan_module assignment
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-29 09:33:05 +08:00
Jeremy Kerr
9a4440676c image: use read_write_all from ccan
Rather than using our own functions for reading/writing an entire
buffer, use ccan's.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-28 22:44:39 +08:00
Jeremy Kerr
3bb18f8ed9 image: Fix format specifier for 32-bit builds
Use %t rather than assuming typeof(ptr - int) == unsigned long.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-28 22:35:48 +08:00
Jeremy Kerr
3def238360 autoconfiscate
Add autoconf & automake metadata, plus required files for automake to
run without complaint.

Requires an update to ccan, to get the --build-type argument to
create-ccan-tree.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-28 22:35:48 +08:00
Jeremy Kerr
42c7160576 docs: Add initial manpages
Mostly generated from help2man output.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-24 15:17:26 +08:00
Jeremy Kerr
fcf3cdf70a sbsign,sbverify: help2man-ize usage output
Update the usage output of sbsign and sbverify so that it can be better
parsed by help2man. Also, add --version and --help.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-24 15:17:25 +08:00
Jeremy Kerr
e83712388f Makefile: Add dist targets
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-24 15:17:24 +08:00
Jeremy Kerr
c74f1ceeb1 ccan: Add ccan import logic
Add make logic to import lib/ccan from lib/ccan.git. We need to set some
dependencies on $(obj) to ensure the ccan headers are available
before starting the main build.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-24 15:17:24 +08:00
Jeremy Kerr
90c4c8718e Move ccan submodule
Move the ccan git submodule to lib/ccan.git, so we can use ccan's
create-ccan-tree utility.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-24 15:17:18 +08:00
Jeremy Kerr
3e6c9347be Remove unused header
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-15 14:19:00 +08:00
Jeremy Kerr
e27f10f6c2 Remove pkcs7-simple test file
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-14 16:30:12 +08:00
Jeremy Kerr
f4b2d3618f Makefile: add install target
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-14 16:06:01 +08:00
Jeremy Kerr
40bc6428d1 Makefile: Comment components
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-14 15:57:10 +08:00
Jeremy Kerr
17f77a9aab sbverify: clean up openssl init
Remove a duplicate call to ERR_load_crypto_strings, and move the digest
init earlier.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-14 15:53:26 +08:00
Jeremy Kerr
c48e3922ca sbverify: add check for invalid PKCS7 data
Make sure d2i_PKCS7 returned a PKCS7 structure.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-14 15:52:03 +08:00
Jeremy Kerr
e3d6afbd61 sbverify: Add certificate chain verification
Add an option (--cert <file>) to specify a root certificate (or
certificates) to use as a trusted CA.

Verification can be disabled with --no-verify.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-14 15:48:30 +08:00
Jeremy Kerr
e404a4d412 verify: move idc-related parsing to idc.c
Extract the IDC-parsing code from IDC_check_hash, and use it to
initialise a BIO. This BIO can then be used to perform the PKCS7
verification.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-12 23:12:18 -07:00
Jeremy Kerr
d5f1a61b99 sbsign: fix incorrect check for certificate load
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-12 21:35:09 -07:00
Jeremy Kerr
ef7966087d image: reformat gap warnings
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-12 21:32:23 -07:00
Jeremy Kerr
f7f7ad00a3 image: add cert table to image size
Don't warn when the certificate table is the only un-hashed data.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-12 21:31:43 -07:00
Jeremy Kerr
4e89b9a1ee sbverify: Add check for image hash
Add a check to match the calculated image's hash against the one found
in the PKCS7 IndirectDataContext

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-12 21:21:20 -07:00
Jeremy Kerr
b929aaa655 sbverify: check for presence of signature table
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-12 10:47:21 -07:00
Jeremy Kerr
7c256bc407 Makefile: add $(tools) var
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-12 09:48:51 -07:00
Jeremy Kerr
902cb928b6 sbsigntool -> sbsign
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-12 09:45:22 -07:00
Jeremy Kerr
b3dc6529eb image: open output file with O_TRUNC
Prevents weirdness when overwriting old files.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-05-12 09:44:17 -07:00
Jeremy Kerr
fcf663b560 sbsigntool: expand usage info
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-04-24 09:09:57 +08:00
Jeremy Kerr
0e9c5f7496 Add GPLv3 text in COPYING
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-04-24 09:01:05 +08:00
Jeremy Kerr
348a43e3f1 coff: remove unneeded coff includes
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-04-24 08:38:57 +08:00
Jeremy Kerr
1d3ebb7b24 Add copyright comments
GPLv3; the sources include parts of binutils, include parts of ccan,
and have been partially based off osslsigntool.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-04-23 18:14:42 +08:00
Jeremy Kerr
da5568e8ff image: warn about potential checksum differences
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-04-23 17:42:45 +08:00
Jeremy Kerr
d8eadfcc24 idc: allocate using the image context
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-04-23 17:36:08 +08:00
Jeremy Kerr
3b802fe3da Initial commit
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
2012-04-23 17:25:19 +08:00