diff --git a/README b/README index fdeed07..0de60c1 100644 --- a/README +++ b/README @@ -8,21 +8,7 @@ sbsigntool - Signing utility for UEFI secure boot See file ./INSTALL for building and installation instructions. -Original development was done at: +Main git repository: git://kernel.ubuntu.com/jk/sbsigntool.git -The current maintained fork resides at: - - https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/ - -And a very low volume mailing list for bugs and patches is setup at - - sbsigntools@groups.io - -Thanks to groups.io policies, non-members can post to this list, but -non-member postings are moderated until released (so they won't show -up immediately). The list archives are available: - - https://groups.io/g/sbsigntools/topics - sbsigntool is free software. See the file COPYING for copying conditions. diff --git a/configure.ac b/configure.ac index 8a5340a..1459e91 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT([sbsigntool], [0.9.5], [James.Bottomley@HansenPartnership.com]) +AC_INIT([sbsigntool], [0.9.2], [James.Bottomley@HansenPartnership.com]) AM_INIT_AUTOMAKE() @@ -55,12 +55,9 @@ AC_DEFINE_UNQUOTED(HAVE_LITTLE_ENDIAN, $little_endian, [Little-endian system]) AC_DEFINE_UNQUOTED(HAVE_BIG_ENDIAN, $big_endian, [Big-endian system]) PKG_PROG_PKG_CONFIG() -PKG_CHECK_MODULES(libcrypto, [libcrypto >= 3.0.0], - [ac_have_openssl3=1], - [PKG_CHECK_MODULES(libcrypto, libcrypto, - [], - AC_MSG_ERROR([libcrypto (from the OpenSSL package) is required]))]) -AM_CONDITIONAL(HAVE_OPENSSL3, test "$ac_have_openssl3" = "1") +PKG_CHECK_MODULES(libcrypto, libcrypto, + [], + AC_MSG_ERROR([libcrypto (from the OpenSSL package) is required])) PKG_CHECK_MODULES(uuid, uuid, [], @@ -68,7 +65,7 @@ PKG_CHECK_MODULES(uuid, uuid, dnl gnu-efi headers require extra include dirs EFI_ARCH=$(uname -m | sed 's/i.86/ia32/;s/arm.*/arm/') -AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aarch64" -o "$EFI_ARCH" = riscv64 ]) +AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aarch64" ]) ## # no consistent view of where gnu-efi should dump the efi stuff, so find it diff --git a/docs/Makefile.am b/docs/Makefile.am index 89ed110..1b5a588 100644 --- a/docs/Makefile.am +++ b/docs/Makefile.am @@ -1,9 +1,8 @@ -man1_MANS = sbsign.1 sbverify.1 sbattach.1 sbvarsign.1 sbsiglist.1 \ - sbkeysync.1 +man1_MANS = sbsign.1 sbverify.1 sbattach.1 sbvarsign.1 sbsiglist.1 EXTRA_DIST = sbsign.1.in sbverify.1.in sbattach.1.in \ - sbvarsign.1.in sbsiglist.1.in sbkeysync.1.in + sbvarsign.1.in sbsiglist.1.in CLEANFILES = $(man1_MANS) $(builddir)/%.1: $(srcdir)/%.1.in $(top_builddir)/src/% diff --git a/docs/sbkeysync.1.in b/docs/sbkeysync.1.in deleted file mode 100644 index 00aa509..0000000 --- a/docs/sbkeysync.1.in +++ /dev/null @@ -1,2 +0,0 @@ -[name] -sbkeysync - UEFI secure boot key synchronization tool diff --git a/src/Makefile.am b/src/Makefile.am index 38f93ff..19a7766 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -4,14 +4,10 @@ bin_PROGRAMS = sbsign sbverify sbattach sbvarsign sbsiglist sbkeysync coff_headers = coff/external.h coff/pe.h AM_CFLAGS = -Wall -Wextra --std=gnu99 -if HAVE_OPENSSL3 -AM_CFLAGS += -DOPENSSL_API_COMPAT=0x10100000L -endif - common_SOURCES = idc.c idc.h image.c image.h fileio.c fileio.h \ efivars.h $(coff_headers) common_LDADD = ../lib/ccan/libccan.a $(libcrypto_LIBS) -common_CFLAGS = -I$(top_srcdir)/lib/ccan/ -Werror +common_CFLAGS = -I$(top_srcdir)/lib/ccan/ sbsign_SOURCES = sbsign.c $(common_SOURCES) sbsign_LDADD = $(common_LDADD) diff --git a/src/coff/pe.h b/src/coff/pe.h index 198f23d..0d1036e 100644 --- a/src/coff/pe.h +++ b/src/coff/pe.h @@ -152,7 +152,6 @@ #define IMAGE_FILE_MACHINE_TRICORE 0x0520 #define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169 #define IMAGE_FILE_MACHINE_AARCH64 0xaa64 -#define IMAGE_FILE_MACHINE_RISCV64 0x5064 #define IMAGE_SUBSYSTEM_UNKNOWN 0 #define IMAGE_SUBSYSTEM_NATIVE 1 diff --git a/src/idc.c b/src/idc.c index 0a82218..236cefd 100644 --- a/src/idc.c +++ b/src/idc.c @@ -189,7 +189,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image) idc->data->type = OBJ_nid2obj(peid_nid); idc->data->value = ASN1_TYPE_new(); - type_set_sequence(image, idc->data->value, peid, ASN1_ITEM_rptr(IDC_PEID)); + type_set_sequence(image, idc->data->value, peid, &IDC_PEID_it); idc->digest->alg->parameter = ASN1_TYPE_new(); idc->digest->alg->algorithm = OBJ_nid2obj(NID_sha256); @@ -238,11 +238,7 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio) /* extract the idc from the signed PKCS7 'other' data */ str = p7->d.sign->contents->d.other->value.asn1_string; -#if OPENSSL_VERSION_NUMBER < 0x10100000L idcbuf = buf = ASN1_STRING_data(str); -#else - idcbuf = buf = ASN1_STRING_get0_data(str); -#endif idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str)); /* If we were passed a BIO, write the idc data, minus type and length, @@ -293,11 +289,7 @@ int IDC_check_hash(struct idc *idc, struct image *image) } /* check hash against the one we calculated from the image */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L buf = ASN1_STRING_data(str); -#else - buf = ASN1_STRING_get0_data(str); -#endif if (memcmp(buf, sha, sizeof(sha))) { fprintf(stderr, "Hash doesn't match image\n"); fprintf(stderr, " got: %s\n", sha256_str(buf)); diff --git a/src/image.c b/src/image.c index a828b5a..745191f 100644 --- a/src/image.c +++ b/src/image.c @@ -162,6 +162,7 @@ static void image_pecoff_update_checksum(struct image *image) { bool is_signed = image->sigsize && image->sigbuf; uint32_t checksum; + struct cert_table_header *cert_table = image->cert_table; /* We carefully only include the signature data in the checksum (and * in the file length) if we're outputting the signature. Otherwise, @@ -179,13 +180,16 @@ static void image_pecoff_update_checksum(struct image *image) (void *)(image->checksum + 1)); if (is_signed) { + checksum = csum_bytes(checksum, + cert_table, sizeof(*cert_table)); + checksum = csum_bytes(checksum, image->sigbuf, image->sigsize); } checksum += image->data_size; if (is_signed) - checksum += image->sigsize; + checksum += sizeof(*cert_table) + image->sigsize; *(image->checksum) = cpu_to_le32(checksum); } @@ -239,7 +243,6 @@ static int image_pecoff_parse(struct image *image) switch (magic) { case IMAGE_FILE_MACHINE_AMD64: case IMAGE_FILE_MACHINE_AARCH64: - case IMAGE_FILE_MACHINE_RISCV64: rc = image_pecoff_parse_64(image); break; case IMAGE_FILE_MACHINE_I386: diff --git a/src/sbattach.c b/src/sbattach.c index 809e24c..a0c01b8 100644 --- a/src/sbattach.c +++ b/src/sbattach.c @@ -233,11 +233,7 @@ int main(int argc, char **argv) ERR_load_crypto_strings(); OpenSSL_add_all_digests(); -#if OPENSSL_VERSION_NUMBER < 0x10100000L OPENSSL_config(NULL); -#else - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); -#endif /* here we may get highly unlikely failures or we'll get a * complaint about FIPS signatures (usually becuase the FIPS * module isn't present). In either case ignore the errors diff --git a/src/sbkeysync.c b/src/sbkeysync.c index 7748990..7b17f40 100644 --- a/src/sbkeysync.c +++ b/src/sbkeysync.c @@ -54,11 +54,9 @@ #include "fileio.h" #include "efivars.h" -static struct statfs statfstype; - #define EFIVARS_MOUNTPOINT "/sys/firmware/efi/efivars" -#define PSTORE_FSTYPE ((typeof(statfstype.f_type))0x6165676C) -#define EFIVARS_FSTYPE ((typeof(statfstype.f_type))0xde5e81e4) +#define PSTORE_FSTYPE 0x6165676C +#define EFIVARS_FSTYPE 0xde5e81e4 #define EFI_IMAGE_SECURITY_DATABASE_GUID \ { 0xd719b2cb, 0x3d3a, 0x4596, \ @@ -210,11 +208,7 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len) goto out; key->id_len = ASN1_STRING_length(serial); -#if OPENSSL_VERSION_NUMBER < 0x10100000L key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len); -#else - key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len); -#endif key->description = talloc_array(key, char, description_len); X509_NAME_oneline(X509_get_subject_name(x509), @@ -889,12 +883,10 @@ int main(int argc, char **argv) { bool use_default_keystore_dirs; struct sync_context *ctx; - int rc; use_default_keystore_dirs = true; ctx = talloc_zero(NULL, struct sync_context); list_head_init(&ctx->new_keys); - rc = EXIT_SUCCESS; for (;;) { int idx, c; @@ -938,11 +930,7 @@ int main(int argc, char **argv) ERR_load_crypto_strings(); OpenSSL_add_all_digests(); OpenSSL_add_all_ciphers(); -#if OPENSSL_VERSION_NUMBER < 0x10100000L OPENSSL_config(NULL); -#else - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); -#endif /* here we may get highly unlikely failures or we'll get a * complaint about FIPS signatures (usually becuase the FIPS * module isn't present). In either case ignore the errors @@ -987,10 +975,10 @@ int main(int argc, char **argv) if (ctx->verbose) print_new_keys(ctx); - if (!ctx->dry_run && insert_new_keys(ctx)) - rc = EXIT_FAILURE; + if (!ctx->dry_run) + insert_new_keys(ctx); talloc_free(ctx); - return rc; + return EXIT_SUCCESS; } diff --git a/src/sbsign.c b/src/sbsign.c index 898fe66..ff1fdfd 100644 --- a/src/sbsign.c +++ b/src/sbsign.c @@ -49,8 +49,6 @@ #include #include #include -#include -#include #include @@ -77,7 +75,6 @@ static struct option options[] = { { "help", no_argument, NULL, 'h' }, { "version", no_argument, NULL, 'V' }, { "engine", required_argument, NULL, 'e'}, - { "addcert", required_argument, NULL, 'a'}, { NULL, 0, NULL, 0 }, }; @@ -91,7 +88,6 @@ static void usage(void) "\t--key signing key (PEM-encoded RSA " "private key)\n" "\t--cert certificate (x509 certificate)\n" - "\t--addcert additional intermediate certificates in a file\n" "\t--detached write a detached signature, instead of\n" "\t a signed binary\n" "\t--output write signed data to \n" @@ -116,43 +112,9 @@ static void set_default_outfilename(struct sign_context *ctx) ctx->infilename, extension); } -static int add_intermediate_certs(PKCS7 *p7, const char *filename) -{ - STACK_OF(X509_INFO) *certs; - X509_INFO *cert; - BIO *bio = NULL; - int i; - - bio = BIO_new(BIO_s_file()); - if (!bio || BIO_read_filename(bio, filename) <=0) { - fprintf(stderr, - "error in reading intermediate certificates file\n"); - ERR_print_errors_fp(stderr); - return -1; - } - - certs = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL); - if (!certs) { - fprintf(stderr, - "error in parsing intermediate certificates file\n"); - ERR_print_errors_fp(stderr); - return -1; - } - - for (i = 0; i < sk_X509_INFO_num(certs); i++) { - cert = sk_X509_INFO_value(certs, i); - PKCS7_add_certificate(p7, cert->x509); - } - - sk_X509_INFO_pop_free(certs, X509_INFO_free); - BIO_free_all(bio); - - return 0; -} - int main(int argc, char **argv) { - const char *keyfilename, *certfilename, *addcertfilename, *engine; + const char *keyfilename, *certfilename, *engine; struct sign_context *ctx; uint8_t *buf, *tmp; int rc, c, sigsize; @@ -162,12 +124,11 @@ int main(int argc, char **argv) keyfilename = NULL; certfilename = NULL; - addcertfilename = NULL; engine = NULL; for (;;) { int idx; - c = getopt_long(argc, argv, "o:c:k:dvVhe:a:", options, &idx); + c = getopt_long(argc, argv, "o:c:k:dvVhe:", options, &idx); if (c == -1) break; @@ -196,9 +157,6 @@ int main(int argc, char **argv) case 'e': engine = optarg; break; - case 'a': - addcertfilename = optarg; - break; } } @@ -231,14 +189,9 @@ int main(int argc, char **argv) talloc_steal(ctx, ctx->image); ERR_load_crypto_strings(); - ERR_load_BIO_strings(); OpenSSL_add_all_digests(); OpenSSL_add_all_ciphers(); -#if OPENSSL_VERSION_NUMBER < 0x10100000L OPENSSL_config(NULL); -#else - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); -#endif /* here we may get highly unlikely failures or we'll get a * complaint about FIPS signatures (usually becuase the FIPS * module isn't present). In either case ignore the errors @@ -275,9 +228,6 @@ int main(int argc, char **argv) if (rc) return EXIT_FAILURE; - if (addcertfilename && add_intermediate_certs(p7, addcertfilename)) - return EXIT_FAILURE; - sigsize = i2d_PKCS7(p7, NULL); tmp = buf = talloc_array(ctx->image, uint8_t, sigsize); i2d_PKCS7(p7, &tmp); diff --git a/src/sbvarsign.c b/src/sbvarsign.c index 58031ec..ebf625c 100644 --- a/src/sbvarsign.c +++ b/src/sbvarsign.c @@ -105,6 +105,7 @@ static uint32_t default_attrs = EFI_VARIABLE_NON_VOLATILE | static uint32_t attr_invalid = 0xffffffffu; static const char *attr_prefix = "EFI_VARIABLE_"; +static const EFI_GUID default_guid = EFI_GLOBAL_VARIABLE; static const EFI_GUID cert_pkcs7_guid = EFI_CERT_TYPE_PKCS7_GUID; static void set_default_outfilename(struct varsign_context *ctx) @@ -211,7 +212,7 @@ static int set_timestamp(EFI_TIME *timestamp) /* copy to our EFI-specific time structure. Other fields (Nanosecond, * TimeZone, Daylight and Pad) are defined to be zero */ memset(timestamp, 0, sizeof(*timestamp)); - timestamp->Year = 1900 + tm->tm_year; + timestamp->Year = tm->tm_year; timestamp->Month = tm->tm_mon; timestamp->Day = tm->tm_mday; timestamp->Hour = tm->tm_hour; @@ -251,7 +252,7 @@ static int add_auth_descriptor(struct varsign_context *ctx) md = EVP_get_digestbyname("SHA256"); p7 = PKCS7_new(); - flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP | PKCS7_NOATTR;; + flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP;; PKCS7_set_type(p7, NID_pkcs7_signed); PKCS7_content_new(p7, NID_pkcs7_data); @@ -332,7 +333,7 @@ int write_signed(struct varsign_context *ctx, int include_attrs) printf("Wrote signed data:\n"); if (include_attrs) { i = sizeof(ctx->var_attrs); - printf(" [%04lx:%04zx] attrs\n", 0l, i); + printf(" [%04zx:%04zx] attrs\n", 0l, i); } printf(" [%04zx:%04x] authentication descriptor\n", @@ -512,11 +513,7 @@ int main(int argc, char **argv) OpenSSL_add_all_digests(); OpenSSL_add_all_ciphers(); ERR_load_crypto_strings(); -#if OPENSSL_VERSION_NUMBER < 0x10100000L OPENSSL_config(NULL); -#else - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); -#endif /* here we may get highly unlikely failures or we'll get a * complaint about FIPS signatures (usually becuase the FIPS * module isn't present). In either case ignore the errors diff --git a/src/sbverify.c b/src/sbverify.c index 8f14f35..3920d91 100644 --- a/src/sbverify.c +++ b/src/sbverify.c @@ -210,7 +210,8 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx) == XKU_CODE_SIGN) status = 1; - else if (err == X509_V_ERR_CERT_UNTRUSTED || + else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || + err == X509_V_ERR_CERT_UNTRUSTED || err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT || err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) { /* all certs given with the --cert argument are trusted */ @@ -220,7 +221,6 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx) } else if (err == X509_V_ERR_CERT_HAS_EXPIRED || err == X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD || err == X509_V_ERR_CERT_NOT_YET_VALID || - err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || err == X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD) /* UEFI explicitly allows expired certificates */ status = 1; @@ -239,7 +239,7 @@ int main(int argc, char **argv) uint8_t *sig_buf; size_t sig_size; struct idc *idc; - int verbose; + bool verbose; BIO *idcbio; PKCS7 *p7; int sig_count = 0; @@ -247,16 +247,12 @@ int main(int argc, char **argv) status = VERIFY_FAIL; certs = X509_STORE_new(); list = 0; - verbose = 0; + verbose = false; detached_sig_filename = NULL; OpenSSL_add_all_digests(); ERR_load_crypto_strings(); -#if OPENSSL_VERSION_NUMBER < 0x10100000L OPENSSL_config(NULL); -#else - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); -#endif /* here we may get highly unlikely failures or we'll get a * complaint about FIPS signatures (usually becuase the FIPS * module isn't present). In either case ignore the errors @@ -282,7 +278,7 @@ int main(int argc, char **argv) list = 1; break; case 'v': - verbose++; + verbose = true; break; case 'V': version(); @@ -337,8 +333,7 @@ int main(int argc, char **argv) if (verbose || list) { print_signature_info(p7); - if (verbose > 1) - print_certificate_store_certs(certs); + //print_certificate_store_certs(certs); } if (list) diff --git a/tests/Makefile.am b/tests/Makefile.am index 93f46e2..a6606f0 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -3,10 +3,6 @@ AUTOMAKE_OPTIONS = parallel-tests test_key = private-key.rsa test_cert = public-cert.pem -ca_key = ca-key.ec -ca_cert = ca-cert.pem -int_key = int-key.ec -int_cert = int-cert.pem test_arches = $(EFI_ARCH) check_PROGRAMS = test.pecoff @@ -35,25 +31,11 @@ check_SCRIPTS = test-wrapper.sh AM_CFLAGS=-fpic -I/usr/include/efi -I/usr/include/efi/$(EFI_ARCH) -%.rsa: Makefile +$(test_key): Makefile openssl genrsa -out $@ 2048 -%.ec: Makefile - openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -out $@ - -$(ca_cert): $(ca_key) Makefile - openssl req -x509 -days 1 -sha256 -subj '/CN=CA Key/' -new -key $< -out $@ - -$(int_cert): $(int_key) $(ca_cert) Makefile - openssl req -new -subj '/CN=Intermediate Certificate/' -key $< -out tmp.req - echo -e "[ca]\nbasicConstraints = critical, CA:true\n" > ca.cnf - openssl x509 -req -sha256 -CA $(ca_cert) -CAkey $(ca_key) -in tmp.req -set_serial 1 -days 1 -extfile ca.cnf -extensions ca -out $@ - -rm -f tmp.req ca.cnf - -$(test_cert): $(test_key) $(int_cert) Makefile - openssl req -new -subj '/CN=Signer Certificate/' -key $< -out tmp.req - openssl x509 -req -sha256 -CA $(int_cert) -CAkey $(int_key) -in tmp.req -set_serial 1 -days 1 -out $@ - -rm -f tmp.req +$(test_cert): $(test_key) Makefile + openssl req -x509 -sha256 -subj '/' -new -key $< -out $@ TESTS = sign-verify.sh \ sign-verify-detached.sh \ @@ -83,5 +65,4 @@ AM_TESTS_ENVIRONMENT = TEST_ARCHES='$(test_arches)'; export TEST_ARCHES; SH_LOG_COMPILER = $(srcdir)/test-wrapper.sh EXTRA_DIST = test.S $(TESTS) $(check_SCRIPTS) -CLEANFILES = $(test_key) $(test_cert) $(int_key) $(int_cert) $(ca_key) \ - $(ca_cert) +CLEANFILES = $(test_key) $(test_cert) diff --git a/tests/sign-attach-verify.sh b/tests/sign-attach-verify.sh index 21ed6db..2ae6e70 100755 --- a/tests/sign-attach-verify.sh +++ b/tests/sign-attach-verify.sh @@ -3,19 +3,7 @@ sig="test.sig" signed="test.signed" -"$sbsign" --cert "$cert" --key "$key" --detached --output "$sig" "$image" || exit 1 -cp "$image" "$signed" || exit 1 -"$sbattach" --attach "$sig" "$signed" || exit 1 -"$sbverify" --cert "$cert" "$signed" || exit 1 -"$sbverify" --cert "$intcert" "$signed" || exit 1 -# there's no intermediate cert in the image so it can't chain to the ca which -# is why this should fail -"$sbverify" --cert "$cacert" "$signed" && exit 1 - -# now add intermediates -"$sbsign" --cert "$cert" --key "$key" --addcert "$intcert" --detached --output "$sig" "$image" || exit 1 -cp "$image" "$signed" || exit 1 -"$sbattach" --attach "$sig" "$signed" || exit 1 -"$sbverify" --cert "$cert" "$signed" || exit 1 -"$sbverify" --cert "$intcert" "$signed" || exit 1 -"$sbverify" --cert "$cacert" "$signed" || exit 1 +"$sbsign" --cert "$cert" --key "$key" --detached --output "$sig" "$image" +cp "$image" "$signed" +"$sbattach" --attach "$sig" "$signed" +"$sbverify" --cert "$cert" "$signed" diff --git a/tests/sign-verify-detached.sh b/tests/sign-verify-detached.sh index d2959be..7b045e4 100755 --- a/tests/sign-verify-detached.sh +++ b/tests/sign-verify-detached.sh @@ -2,16 +2,5 @@ sig="test.sig" -"$sbsign" --cert "$cert" --key "$key" --detached --output $sig "$image" || exit 1 -"$sbverify" --cert "$cert" --detached $sig "$image" || exit 1 -"$sbverify" --cert "$intcert" --detached $sig "$image" || exit 1 -# should fail because no intermediate -"$sbverify" --cert "$cacert" --detached $sig "$image" && exit 1 - -# now make sure everything succeeds with the intermediate added -"$sbsign" --cert "$cert" --key "$key" --addcert "$intcert" --detached --output $sig "$image" || exit 1 -"$sbverify" --cert "$cert" --detached $sig "$image" || exit 1 -"$sbverify" --cert "$intcert" --detached $sig "$image" || exit 1 -"$sbverify" --cert "$cacert" --detached $sig "$image" || exit 1 - -exit 0 +"$sbsign" --cert "$cert" --key "$key" --detached --output $sig "$image" +"$sbverify" --cert "$cert" --detached $sig "$image" diff --git a/tests/sign-verify.sh b/tests/sign-verify.sh index a61aff8..cf493f3 100755 --- a/tests/sign-verify.sh +++ b/tests/sign-verify.sh @@ -2,16 +2,5 @@ signed="test.signed" -"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image" || exit 1 -"$sbverify" --cert "$cert" "$signed" || exit 1 -"$sbverify" --cert "$intcert" "$signed" || exit 1 -# there's no intermediate cert in the image so it can't chain to the ca which -# is why this should fail -"$sbverify" --cert "$cacert" "$signed" && exit 1 - -# now add the intermediates and each level should succeed -"$sbsign" --cert "$cert" --addcert "$intcert" --key "$key" --output "$signed" "$image" || exit 1 -"$sbverify" --cert "$cert" "$signed" || exit 1 -"$sbverify" --cert "$intcert" "$signed" || exit 1 -"$sbverify" --cert "$cacert" "$signed" || exit 1 - +"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image" +"$sbverify" --cert "$cert" "$signed" diff --git a/tests/test-wrapper.sh b/tests/test-wrapper.sh index 4ef6710..b9c6cf1 100755 --- a/tests/test-wrapper.sh +++ b/tests/test-wrapper.sh @@ -11,12 +11,8 @@ sbattach=$bindir/sbattach key="$datadir/private-key.rsa" cert="$datadir/public-cert.pem" -intkey="$datadir/int-key.ec" -intcert="$datadir/int-cert.pem" -cakey="$datadir/ca-key.ec" -cacert="$datadir/ca-cert.pem" -export basedir datadir bindir sbsign sbverify sbattach key cert intkey intcert cakey cacert +export basedir datadir bindir sbsign sbverify sbattach key cert # 'test' needs to be an absolute path, as we will cd to a temporary # directory before running the test