Compare commits
16 commits
Author | SHA1 | Date | |
---|---|---|---|
|
9cfca9fe7a | ||
|
75d8405eca | ||
|
d6e4bff8f1 | ||
|
25af2eb5e3 | ||
|
4b8fc11877 | ||
|
f12484869c | ||
|
d52f7bbb73 | ||
|
e17dc20591 | ||
|
ff96a59046 | ||
|
e3f7d27541 | ||
|
5aeb513916 | ||
|
6b7d5ccb28 | ||
|
311d6c2b9c | ||
|
6c2b07fa1c | ||
|
df27a417b9 | ||
|
7d6210e4b1 |
17 changed files with 189 additions and 38 deletions
13
configure.ac
13
configure.ac
|
@ -1,4 +1,4 @@
|
|||
AC_INIT([sbsigntool], [0.9.3], [James.Bottomley@HansenPartnership.com])
|
||||
AC_INIT([sbsigntool], [0.9.5], [James.Bottomley@HansenPartnership.com])
|
||||
|
||||
AM_INIT_AUTOMAKE()
|
||||
|
||||
|
@ -55,9 +55,12 @@ AC_DEFINE_UNQUOTED(HAVE_LITTLE_ENDIAN, $little_endian, [Little-endian system])
|
|||
AC_DEFINE_UNQUOTED(HAVE_BIG_ENDIAN, $big_endian, [Big-endian system])
|
||||
|
||||
PKG_PROG_PKG_CONFIG()
|
||||
PKG_CHECK_MODULES(libcrypto, libcrypto,
|
||||
[],
|
||||
AC_MSG_ERROR([libcrypto (from the OpenSSL package) is required]))
|
||||
PKG_CHECK_MODULES(libcrypto, [libcrypto >= 3.0.0],
|
||||
[ac_have_openssl3=1],
|
||||
[PKG_CHECK_MODULES(libcrypto, libcrypto,
|
||||
[],
|
||||
AC_MSG_ERROR([libcrypto (from the OpenSSL package) is required]))])
|
||||
AM_CONDITIONAL(HAVE_OPENSSL3, test "$ac_have_openssl3" = "1")
|
||||
|
||||
PKG_CHECK_MODULES(uuid, uuid,
|
||||
[],
|
||||
|
@ -65,7 +68,7 @@ PKG_CHECK_MODULES(uuid, uuid,
|
|||
|
||||
dnl gnu-efi headers require extra include dirs
|
||||
EFI_ARCH=$(uname -m | sed 's/i.86/ia32/;s/arm.*/arm/')
|
||||
AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aarch64" ])
|
||||
AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aarch64" -o "$EFI_ARCH" = riscv64 ])
|
||||
|
||||
##
|
||||
# no consistent view of where gnu-efi should dump the efi stuff, so find it
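Review bot: `ac_have_openssl3` is assigned only in the success branch of the `libcrypto >= 3.0.0` probe, so when that probe fails `AM_CONDITIONAL(HAVE_OPENSSL3, ...)` tests whatever value the variable had on entry, including one inherited from the environment. Setting `ac_have_openssl3=0` on the line before the first `PKG_CHECK_MODULES` makes the conditional depend on the probe alone. In the riscv64 hunk the new operand is written `= riscv64` while its neighbours are quoted (`= "aarch64"`); quoting it keeps the test uniform.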
|
||||
|
|
|
@ -1,8 +1,9 @@
|
|||
|
||||
man1_MANS = sbsign.1 sbverify.1 sbattach.1 sbvarsign.1 sbsiglist.1
|
||||
man1_MANS = sbsign.1 sbverify.1 sbattach.1 sbvarsign.1 sbsiglist.1 \
|
||||
sbkeysync.1
|
||||
|
||||
EXTRA_DIST = sbsign.1.in sbverify.1.in sbattach.1.in \
|
||||
sbvarsign.1.in sbsiglist.1.in
|
||||
sbvarsign.1.in sbsiglist.1.in sbkeysync.1.in
|
||||
CLEANFILES = $(man1_MANS)
|
||||
|
||||
$(builddir)/%.1: $(srcdir)/%.1.in $(top_builddir)/src/%
|
||||
|
|
2
docs/sbkeysync.1.in
Normal file
2
docs/sbkeysync.1.in
Normal file
|
@ -0,0 +1,2 @@
|
|||
[name]
|
||||
sbkeysync - UEFI secure boot key synchronization tool
|
|
@ -4,10 +4,14 @@ bin_PROGRAMS = sbsign sbverify sbattach sbvarsign sbsiglist sbkeysync
|
|||
coff_headers = coff/external.h coff/pe.h
|
||||
AM_CFLAGS = -Wall -Wextra --std=gnu99
|
||||
|
||||
if HAVE_OPENSSL3
|
||||
AM_CFLAGS += -DOPENSSL_API_COMPAT=0x10100000L
|
||||
endif
|
||||
|
||||
common_SOURCES = idc.c idc.h image.c image.h fileio.c fileio.h \
|
||||
efivars.h $(coff_headers)
|
||||
common_LDADD = ../lib/ccan/libccan.a $(libcrypto_LIBS)
|
||||
common_CFLAGS = -I$(top_srcdir)/lib/ccan/
|
||||
common_CFLAGS = -I$(top_srcdir)/lib/ccan/ -Werror
|
||||
|
||||
sbsign_SOURCES = sbsign.c $(common_SOURCES)
|
||||
sbsign_LDADD = $(common_LDADD)
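Review bot: Adding `-Werror` to `common_CFLAGS` turns every warning from a newer compiler or a newer OpenSSL into a build failure for anyone building from source. This hunk also adds `-DOPENSSL_API_COMPAT=0x10100000L`, presumably to keep OpenSSL 3 deprecation warnings quiet. I would leave the default at `common_CFLAGS = -I$(top_srcdir)/lib/ccan/` and switch `-Werror` on from a configure option or the CI environment. If it stays, a comment beside the `HAVE_OPENSSL3` block should say that the compat define is what keeps the 1.1-era calls warning-free under `-Werror`.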
|
||||
|
|
|
@ -152,6 +152,7 @@
|
|||
#define IMAGE_FILE_MACHINE_TRICORE 0x0520
|
||||
#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169
|
||||
#define IMAGE_FILE_MACHINE_AARCH64 0xaa64
|
||||
#define IMAGE_FILE_MACHINE_RISCV64 0x5064
|
||||
|
||||
#define IMAGE_SUBSYSTEM_UNKNOWN 0
|
||||
#define IMAGE_SUBSYSTEM_NATIVE 1
|
||||
|
|
10
src/idc.c
10
src/idc.c
|
@ -189,7 +189,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image)
|
|||
|
||||
idc->data->type = OBJ_nid2obj(peid_nid);
|
||||
idc->data->value = ASN1_TYPE_new();
|
||||
type_set_sequence(image, idc->data->value, peid, &IDC_PEID_it);
|
||||
type_set_sequence(image, idc->data->value, peid, ASN1_ITEM_rptr(IDC_PEID));
|
||||
|
||||
idc->digest->alg->parameter = ASN1_TYPE_new();
|
||||
idc->digest->alg->algorithm = OBJ_nid2obj(NID_sha256);
|
||||
|
@ -238,7 +238,11 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio)
|
|||
|
||||
/* extract the idc from the signed PKCS7 'other' data */
|
||||
str = p7->d.sign->contents->d.other->value.asn1_string;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
idcbuf = buf = ASN1_STRING_data(str);
|
||||
#else
|
||||
idcbuf = buf = ASN1_STRING_get0_data(str);
|
||||
#endif
|
||||
idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
|
||||
|
||||
/* If we were passed a BIO, write the idc data, minus type and length,
|
||||
|
@ -289,7 +293,11 @@ int IDC_check_hash(struct idc *idc, struct image *image)
|
|||
}
|
||||
|
||||
/* check hash against the one we calculated from the image */
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
buf = ASN1_STRING_data(str);
|
||||
#else
|
||||
buf = ASN1_STRING_get0_data(str);
|
||||
#endif
|
||||
if (memcmp(buf, sha, sizeof(sha))) {
|
||||
fprintf(stderr, "Hash doesn't match image\n");
|
||||
fprintf(stderr, " got: %s\n", sha256_str(buf));
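Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x10100000L` switch between `ASN1_STRING_data()` and `ASN1_STRING_get0_data()` is written out at every call site: twice here (IDC_get and IDC_check_hash) and once more in the x509_key_parse hunk further down the page. One compatibility definition in a shared header, `#if OPENSSL_VERSION_NUMBER < 0x10100000L` / `#define ASN1_STRING_get0_data ASN1_STRING_data` / `#endif`, would let all three sites call `ASN1_STRING_get0_data()` unconditionally. That function returns a pointer to const, so `buf` and `idcbuf`, which are declared outside these hunks, should be `const unsigned char *` if they are not already. Both function bodies start and end outside the hunks.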
|
||||
|
|
|
@ -239,6 +239,7 @@ static int image_pecoff_parse(struct image *image)
|
|||
switch (magic) {
|
||||
case IMAGE_FILE_MACHINE_AMD64:
|
||||
case IMAGE_FILE_MACHINE_AARCH64:
|
||||
case IMAGE_FILE_MACHINE_RISCV64:
|
||||
rc = image_pecoff_parse_64(image);
|
||||
break;
|
||||
case IMAGE_FILE_MACHINE_I386:
|
||||
|
|
|
@ -233,7 +233,11 @@ int main(int argc, char **argv)
|
|||
|
||||
ERR_load_crypto_strings();
|
||||
OpenSSL_add_all_digests();
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
OPENSSL_config(NULL);
|
||||
#else
|
||||
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
||||
#endif
|
||||
/* here we may get highly unlikely failures or we'll get a
|
||||
* complaint about FIPS signatures (usually becuase the FIPS
|
||||
* module isn't present). In either case ignore the errors
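Review bot: The five-line `#if OPENSSL_VERSION_NUMBER < 0x10100000L` block choosing between `OPENSSL_config(NULL)` and `OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)` is pasted into this `main` and into four more `main` functions later on the page, the one in src/sbsign.c among them. A single helper in a shared file, called from each `main`, would keep library initialisation in one place the next time the OpenSSL API moves. The return value of `OPENSSL_init_crypto()` is dropped; the comment that follows says errors here are ignored on purpose, so a `(void)` cast on the new call would make that explicit. `main` starts and ends outside the hunk.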
|
||||
|
|
|
@ -54,9 +54,11 @@
|
|||
#include "fileio.h"
|
||||
#include "efivars.h"
|
||||
|
||||
static struct statfs statfstype;
|
||||
|
||||
#define EFIVARS_MOUNTPOINT "/sys/firmware/efi/efivars"
|
||||
#define PSTORE_FSTYPE 0x6165676C
|
||||
#define EFIVARS_FSTYPE 0xde5e81e4
|
||||
#define PSTORE_FSTYPE ((typeof(statfstype.f_type))0x6165676C)
|
||||
#define EFIVARS_FSTYPE ((typeof(statfstype.f_type))0xde5e81e4)
|
||||
|
||||
#define EFI_IMAGE_SECURITY_DATABASE_GUID \
|
||||
{ 0xd719b2cb, 0x3d3a, 0x4596, \
|
||||
|
@ -208,7 +210,11 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
|
|||
goto out;
|
||||
|
||||
key->id_len = ASN1_STRING_length(serial);
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
|
||||
#else
|
||||
key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
|
||||
#endif
|
||||
|
||||
key->description = talloc_array(key, char, description_len);
|
||||
X509_NAME_oneline(X509_get_subject_name(x509),
|
||||
|
@ -883,10 +889,12 @@ int main(int argc, char **argv)
|
|||
{
|
||||
bool use_default_keystore_dirs;
|
||||
struct sync_context *ctx;
|
||||
int rc;
|
||||
|
||||
use_default_keystore_dirs = true;
|
||||
ctx = talloc_zero(NULL, struct sync_context);
|
||||
list_head_init(&ctx->new_keys);
|
||||
rc = EXIT_SUCCESS;
|
||||
|
||||
for (;;) {
|
||||
int idx, c;
|
||||
|
@ -930,7 +938,11 @@ int main(int argc, char **argv)
|
|||
ERR_load_crypto_strings();
|
||||
OpenSSL_add_all_digests();
|
||||
OpenSSL_add_all_ciphers();
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
OPENSSL_config(NULL);
|
||||
#else
|
||||
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
||||
#endif
|
||||
/* here we may get highly unlikely failures or we'll get a
|
||||
* complaint about FIPS signatures (usually becuase the FIPS
|
||||
* module isn't present). In either case ignore the errors
|
||||
|
@ -975,10 +987,10 @@ int main(int argc, char **argv)
|
|||
if (ctx->verbose)
|
||||
print_new_keys(ctx);
|
||||
|
||||
if (!ctx->dry_run)
|
||||
insert_new_keys(ctx);
|
||||
if (!ctx->dry_run && insert_new_keys(ctx))
|
||||
rc = EXIT_FAILURE;
|
||||
|
||||
talloc_free(ctx);
|
||||
|
||||
return EXIT_SUCCESS;
|
||||
return rc;
|
||||
}
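Review bot: The file-scope object `static struct statfs statfstype;` exists only so that `typeof(statfstype.f_type)` can name a type inside `PSTORE_FSTYPE` and `EFIVARS_FSTYPE`, and nothing in the hunk says why the cast is needed. A comment such as `/* f_type's width and signedness differ between platforms; cast the magic numbers to it so the comparison does not mix signs */` would help, if that is indeed the reason. The placeholder object can be avoided with `#define EFIVARS_FSTYPE ((__typeof__(((struct statfs *)0)->f_type))0xde5e81e4)`, whose operand is never evaluated, and likewise for `PSTORE_FSTYPE`.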
|
||||
|
|
54
src/sbsign.c
54
src/sbsign.c
|
@ -49,6 +49,8 @@
|
|||
#include <openssl/evp.h>
|
||||
#include <openssl/asn1.h>
|
||||
#include <openssl/asn1t.h>
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/x509.h>
|
||||
|
||||
#include <ccan/talloc/talloc.h>
|
||||
|
||||
|
@ -75,6 +77,7 @@ static struct option options[] = {
|
|||
{ "help", no_argument, NULL, 'h' },
|
||||
{ "version", no_argument, NULL, 'V' },
|
||||
{ "engine", required_argument, NULL, 'e'},
|
||||
{ "addcert", required_argument, NULL, 'a'},
|
||||
{ NULL, 0, NULL, 0 },
|
||||
};
|
||||
|
||||
|
@ -88,6 +91,7 @@ static void usage(void)
|
|||
"\t--key <keyfile> signing key (PEM-encoded RSA "
|
||||
"private key)\n"
|
||||
"\t--cert <certfile> certificate (x509 certificate)\n"
|
||||
"\t--addcert <addcertfile> additional intermediate certificates in a file\n"
|
||||
"\t--detached write a detached signature, instead of\n"
|
||||
"\t a signed binary\n"
|
||||
"\t--output <file> write signed data to <file>\n"
|
||||
|
@ -112,9 +116,43 @@ static void set_default_outfilename(struct sign_context *ctx)
|
|||
ctx->infilename, extension);
|
||||
}
|
||||
|
||||
static int add_intermediate_certs(PKCS7 *p7, const char *filename)
|
||||
{
|
||||
STACK_OF(X509_INFO) *certs;
|
||||
X509_INFO *cert;
|
||||
BIO *bio = NULL;
|
||||
int i;
|
||||
|
||||
bio = BIO_new(BIO_s_file());
|
||||
if (!bio || BIO_read_filename(bio, filename) <=0) {
|
||||
fprintf(stderr,
|
||||
"error in reading intermediate certificates file\n");
|
||||
ERR_print_errors_fp(stderr);
|
||||
return -1;
|
||||
}
|
||||
|
||||
certs = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
|
||||
if (!certs) {
|
||||
fprintf(stderr,
|
||||
"error in parsing intermediate certificates file\n");
|
||||
ERR_print_errors_fp(stderr);
|
||||
return -1;
|
||||
}
|
||||
|
||||
for (i = 0; i < sk_X509_INFO_num(certs); i++) {
|
||||
cert = sk_X509_INFO_value(certs, i);
|
||||
PKCS7_add_certificate(p7, cert->x509);
|
||||
}
|
||||
|
||||
sk_X509_INFO_pop_free(certs, X509_INFO_free);
|
||||
BIO_free_all(bio);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
const char *keyfilename, *certfilename, *engine;
|
||||
const char *keyfilename, *certfilename, *addcertfilename, *engine;
|
||||
struct sign_context *ctx;
|
||||
uint8_t *buf, *tmp;
|
||||
int rc, c, sigsize;
|
||||
|
@ -124,11 +162,12 @@ int main(int argc, char **argv)
|
|||
|
||||
keyfilename = NULL;
|
||||
certfilename = NULL;
|
||||
addcertfilename = NULL;
|
||||
engine = NULL;
|
||||
|
||||
for (;;) {
|
||||
int idx;
|
||||
c = getopt_long(argc, argv, "o:c:k:dvVhe:", options, &idx);
|
||||
c = getopt_long(argc, argv, "o:c:k:dvVhe:a:", options, &idx);
|
||||
if (c == -1)
|
||||
break;
|
||||
|
||||
|
@ -157,6 +196,9 @@ int main(int argc, char **argv)
|
|||
case 'e':
|
||||
engine = optarg;
|
||||
break;
|
||||
case 'a':
|
||||
addcertfilename = optarg;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -189,9 +231,14 @@ int main(int argc, char **argv)
|
|||
talloc_steal(ctx, ctx->image);
|
||||
|
||||
ERR_load_crypto_strings();
|
||||
ERR_load_BIO_strings();
|
||||
OpenSSL_add_all_digests();
|
||||
OpenSSL_add_all_ciphers();
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
OPENSSL_config(NULL);
|
||||
#else
|
||||
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
||||
#endif
|
||||
/* here we may get highly unlikely failures or we'll get a
|
||||
* complaint about FIPS signatures (usually becuase the FIPS
|
||||
* module isn't present). In either case ignore the errors
|
||||
|
@ -228,6 +275,9 @@ int main(int argc, char **argv)
|
|||
if (rc)
|
||||
return EXIT_FAILURE;
|
||||
|
||||
if (addcertfilename && add_intermediate_certs(p7, addcertfilename))
|
||||
return EXIT_FAILURE;
|
||||
|
||||
sigsize = i2d_PKCS7(p7, NULL);
|
||||
tmp = buf = talloc_array(ctx->image, uint8_t, sigsize);
|
||||
i2d_PKCS7(p7, &tmp);
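Review bot: add_intermediate_certs() ignores the result of `PKCS7_add_certificate()` and passes `cert->x509` without checking it. A failed add therefore goes unreported and the tool can emit a signature that lacks the intermediates the caller asked for. A file entry that holds no certificate (PEM_X509_INFO_read_bio also yields CRL-only and key-only entries) hands NULL to the call. Both early `return -1` paths also skip `BIO_free_all(bio)`. I would check every add, skip entries whose `x509` is NULL, and route all exits through one cleanup label, as sketched below.

```c
static int add_intermediate_certs(PKCS7 *p7, const char *filename)
{
	STACK_OF(X509_INFO) *certs = NULL;
	int rc = -1;
	/* … unchanged: other declarations, BIO setup, PEM_X509_INFO_read_bio;
	 *   the two early "return -1;" become "goto out;" … */

	for (i = 0; i < sk_X509_INFO_num(certs); i++) {
		cert = sk_X509_INFO_value(certs, i);
		/* entries that carry only a CRL or a key have no x509 */
		if (!cert->x509)
			continue;
		if (!PKCS7_add_certificate(p7, cert->x509)) {
			fprintf(stderr,
				"error in adding intermediate certificate\n");
			ERR_print_errors_fp(stderr);
			goto out;
		}
	}
	rc = 0;
out:
	sk_X509_INFO_pop_free(certs, X509_INFO_free);
	BIO_free_all(bio);
	return rc;
```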
|
||||
|
|
|
@ -105,7 +105,6 @@ static uint32_t default_attrs = EFI_VARIABLE_NON_VOLATILE |
|
|||
static uint32_t attr_invalid = 0xffffffffu;
|
||||
static const char *attr_prefix = "EFI_VARIABLE_";
|
||||
|
||||
static const EFI_GUID default_guid = EFI_GLOBAL_VARIABLE;
|
||||
static const EFI_GUID cert_pkcs7_guid = EFI_CERT_TYPE_PKCS7_GUID;
|
||||
|
||||
static void set_default_outfilename(struct varsign_context *ctx)
|
||||
|
@ -252,7 +251,7 @@ static int add_auth_descriptor(struct varsign_context *ctx)
|
|||
md = EVP_get_digestbyname("SHA256");
|
||||
|
||||
p7 = PKCS7_new();
|
||||
flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP;;
|
||||
flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP | PKCS7_NOATTR;;
|
||||
PKCS7_set_type(p7, NID_pkcs7_signed);
|
||||
|
||||
PKCS7_content_new(p7, NID_pkcs7_data);
|
||||
|
@ -333,7 +332,7 @@ int write_signed(struct varsign_context *ctx, int include_attrs)
|
|||
printf("Wrote signed data:\n");
|
||||
if (include_attrs) {
|
||||
i = sizeof(ctx->var_attrs);
|
||||
printf(" [%04zx:%04zx] attrs\n", 0l, i);
|
||||
printf(" [%04lx:%04zx] attrs\n", 0l, i);
|
||||
}
|
||||
|
||||
printf(" [%04zx:%04x] authentication descriptor\n",
|
||||
|
@ -513,7 +512,11 @@ int main(int argc, char **argv)
|
|||
OpenSSL_add_all_digests();
|
||||
OpenSSL_add_all_ciphers();
|
||||
ERR_load_crypto_strings();
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
OPENSSL_config(NULL);
|
||||
#else
|
||||
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
||||
#endif
|
||||
/* here we may get highly unlikely failures or we'll get a
|
||||
* complaint about FIPS signatures (usually becuase the FIPS
|
||||
* module isn't present). In either case ignore the errors
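Review bot: `PKCS7_NOATTR` in add_auth_descriptor changes what gets signed: without authenticated attributes the signature covers the content digest alone, and signing time and content type are no longer part of the structure. Nothing in the hunk says why the variable-update signature has to be built this way. A comment on the `flags` line naming the requirement (presumably what the firmware-side verifier accepts) would keep a later cleanup from dropping the flag. The rewritten line still ends in `;;`; `flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP | PKCS7_NOATTR;` is enough. The function continues outside the hunk.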
|
||||
|
|
|
@ -210,8 +210,7 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
|
|||
== XKU_CODE_SIGN)
|
||||
status = 1;
|
||||
|
||||
else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
|
||||
err == X509_V_ERR_CERT_UNTRUSTED ||
|
||||
else if (err == X509_V_ERR_CERT_UNTRUSTED ||
|
||||
err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ||
|
||||
err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) {
|
||||
/* all certs given with the --cert argument are trusted */
|
||||
|
@ -221,6 +220,7 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
|
|||
} else if (err == X509_V_ERR_CERT_HAS_EXPIRED ||
|
||||
err == X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD ||
|
||||
err == X509_V_ERR_CERT_NOT_YET_VALID ||
|
||||
err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
|
||||
err == X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD)
|
||||
/* UEFI explicitly allows expired certificates */
|
||||
status = 1;
|
||||
|
@ -239,7 +239,7 @@ int main(int argc, char **argv)
|
|||
uint8_t *sig_buf;
|
||||
size_t sig_size;
|
||||
struct idc *idc;
|
||||
bool verbose;
|
||||
int verbose;
|
||||
BIO *idcbio;
|
||||
PKCS7 *p7;
|
||||
int sig_count = 0;
|
||||
|
@ -247,12 +247,16 @@ int main(int argc, char **argv)
|
|||
status = VERIFY_FAIL;
|
||||
certs = X509_STORE_new();
|
||||
list = 0;
|
||||
verbose = false;
|
||||
verbose = 0;
|
||||
detached_sig_filename = NULL;
|
||||
|
||||
OpenSSL_add_all_digests();
|
||||
ERR_load_crypto_strings();
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
OPENSSL_config(NULL);
|
||||
#else
|
||||
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
||||
#endif
|
||||
/* here we may get highly unlikely failures or we'll get a
|
||||
* complaint about FIPS signatures (usually becuase the FIPS
|
||||
* module isn't present). In either case ignore the errors
|
||||
|
@ -278,7 +282,7 @@ int main(int argc, char **argv)
|
|||
list = 1;
|
||||
break;
|
||||
case 'v':
|
||||
verbose = true;
|
||||
verbose++;
|
||||
break;
|
||||
case 'V':
|
||||
version();
|
||||
|
@ -333,7 +337,8 @@ int main(int argc, char **argv)
|
|||
|
||||
if (verbose || list) {
|
||||
print_signature_info(p7);
|
||||
//print_certificate_store_certs(certs);
|
||||
if (verbose > 1)
|
||||
print_certificate_store_certs(certs);
|
||||
}
|
||||
|
||||
if (list)
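Review bot: In x509_verify_cb, `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY` now sits in the branch that sets `status = 1` unconditionally, under the comment `/* UEFI explicitly allows expired certificates */`, where before it went through the `--cert` trust branch. That error reports a missing issuer, not a validity-date problem, so the comment no longer describes the branch and a reader cannot tell why accepting it is safe. I would add a comment naming the later check that still rejects a chain which does not reach a `--cert` certificate. I would also add a test that a signature carrying its intermediate fails against an unrelated certificate, since the tests in this change assert failure only for the no-intermediate case. The callback's body starts and ends outside these hunks.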
|
||||
|
|
|
@ -3,6 +3,10 @@ AUTOMAKE_OPTIONS = parallel-tests
|
|||
|
||||
test_key = private-key.rsa
|
||||
test_cert = public-cert.pem
|
||||
ca_key = ca-key.ec
|
||||
ca_cert = ca-cert.pem
|
||||
int_key = int-key.ec
|
||||
int_cert = int-cert.pem
|
||||
test_arches = $(EFI_ARCH)
|
||||
|
||||
check_PROGRAMS = test.pecoff
|
||||
|
@ -31,11 +35,25 @@ check_SCRIPTS = test-wrapper.sh
|
|||
|
||||
AM_CFLAGS=-fpic -I/usr/include/efi -I/usr/include/efi/$(EFI_ARCH)
|
||||
|
||||
$(test_key): Makefile
|
||||
%.rsa: Makefile
|
||||
openssl genrsa -out $@ 2048
|
||||
|
||||
$(test_cert): $(test_key) Makefile
|
||||
openssl req -x509 -sha256 -subj '/' -new -key $< -out $@
|
||||
%.ec: Makefile
|
||||
openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -out $@
|
||||
|
||||
$(ca_cert): $(ca_key) Makefile
|
||||
openssl req -x509 -days 1 -sha256 -subj '/CN=CA Key/' -new -key $< -out $@
|
||||
|
||||
$(int_cert): $(int_key) $(ca_cert) Makefile
|
||||
openssl req -new -subj '/CN=Intermediate Certificate/' -key $< -out tmp.req
|
||||
echo -e "[ca]\nbasicConstraints = critical, CA:true\n" > ca.cnf
|
||||
openssl x509 -req -sha256 -CA $(ca_cert) -CAkey $(ca_key) -in tmp.req -set_serial 1 -days 1 -extfile ca.cnf -extensions ca -out $@
|
||||
-rm -f tmp.req ca.cnf
|
||||
|
||||
$(test_cert): $(test_key) $(int_cert) Makefile
|
||||
openssl req -new -subj '/CN=Signer Certificate/' -key $< -out tmp.req
|
||||
openssl x509 -req -sha256 -CA $(int_cert) -CAkey $(int_key) -in tmp.req -set_serial 1 -days 1 -out $@
|
||||
-rm -f tmp.req
|
||||
|
||||
TESTS = sign-verify.sh \
|
||||
sign-verify-detached.sh \
|
||||
|
@ -65,4 +83,5 @@ AM_TESTS_ENVIRONMENT = TEST_ARCHES='$(test_arches)'; export TEST_ARCHES;
|
|||
SH_LOG_COMPILER = $(srcdir)/test-wrapper.sh
|
||||
|
||||
EXTRA_DIST = test.S $(TESTS) $(check_SCRIPTS)
|
||||
CLEANFILES = $(test_key) $(test_cert)
|
||||
CLEANFILES = $(test_key) $(test_cert) $(int_key) $(int_cert) $(ca_key) \
|
||||
$(ca_cert)
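Review bot: The `$(int_cert)` recipe writes `ca.cnf` with `echo -e`, which depends on the shell make runs recipes with. Where `/bin/sh` has an `echo` without `-e` support, the literal `-e` lands at the start of the file in front of `[ca]`, and the section that `-extensions ca` looks for is not there. `printf '[ca]\nbasicConstraints = critical, CA:true\n' > ca.cnf` behaves the same under any POSIX shell. This recipe and the `$(test_cert)` one both use the fixed scratch name `tmp.req` in the build directory; deriving it from the target, e.g. `$@.req`, keeps them from sharing a file.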
|
||||
|
|
|
@ -3,7 +3,19 @@
|
|||
sig="test.sig"
|
||||
signed="test.signed"
|
||||
|
||||
"$sbsign" --cert "$cert" --key "$key" --detached --output "$sig" "$image"
|
||||
cp "$image" "$signed"
|
||||
"$sbattach" --attach "$sig" "$signed"
|
||||
"$sbverify" --cert "$cert" "$signed"
|
||||
"$sbsign" --cert "$cert" --key "$key" --detached --output "$sig" "$image" || exit 1
|
||||
cp "$image" "$signed" || exit 1
|
||||
"$sbattach" --attach "$sig" "$signed" || exit 1
|
||||
"$sbverify" --cert "$cert" "$signed" || exit 1
|
||||
"$sbverify" --cert "$intcert" "$signed" || exit 1
|
||||
# there's no intermediate cert in the image so it can't chain to the ca which
|
||||
# is why this should fail
|
||||
"$sbverify" --cert "$cacert" "$signed" && exit 1
|
||||
|
||||
# now add intermediates
|
||||
"$sbsign" --cert "$cert" --key "$key" --addcert "$intcert" --detached --output "$sig" "$image" || exit 1
|
||||
cp "$image" "$signed" || exit 1
|
||||
"$sbattach" --attach "$sig" "$signed" || exit 1
|
||||
"$sbverify" --cert "$cert" "$signed" || exit 1
|
||||
"$sbverify" --cert "$intcert" "$signed" || exit 1
|
||||
"$sbverify" --cert "$cacert" "$signed" || exit 1
|
||||
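Review bot: The negative check `"$sbverify" --cert "$cacert" "$signed" && exit 1` treats any non-zero exit as the expected rejection, so a crash or a usage error in sbverify would also let the test pass. Capturing `$?` and comparing it with the status sbverify returns for a failed verification would pin the test to the intended outcome. The same pattern appears in the two sign-verify scripts further down the page. In the detached script `$sig` is still expanded unquoted while the other paths are quoted.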
|
|
|
@ -2,5 +2,16 @@
|
|||
|
||||
sig="test.sig"
|
||||
|
||||
"$sbsign" --cert "$cert" --key "$key" --detached --output $sig "$image"
|
||||
"$sbverify" --cert "$cert" --detached $sig "$image"
|
||||
"$sbsign" --cert "$cert" --key "$key" --detached --output $sig "$image" || exit 1
|
||||
"$sbverify" --cert "$cert" --detached $sig "$image" || exit 1
|
||||
"$sbverify" --cert "$intcert" --detached $sig "$image" || exit 1
|
||||
# should fail because no intermediate
|
||||
"$sbverify" --cert "$cacert" --detached $sig "$image" && exit 1
|
||||
|
||||
# now make sure everything succeeds with the intermediate added
|
||||
"$sbsign" --cert "$cert" --key "$key" --addcert "$intcert" --detached --output $sig "$image" || exit 1
|
||||
"$sbverify" --cert "$cert" --detached $sig "$image" || exit 1
|
||||
"$sbverify" --cert "$intcert" --detached $sig "$image" || exit 1
|
||||
"$sbverify" --cert "$cacert" --detached $sig "$image" || exit 1
|
||||
|
||||
exit 0
|
||||
|
|
|
@ -2,5 +2,16 @@
|
|||
|
||||
signed="test.signed"
|
||||
|
||||
"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image"
|
||||
"$sbverify" --cert "$cert" "$signed"
|
||||
"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image" || exit 1
|
||||
"$sbverify" --cert "$cert" "$signed" || exit 1
|
||||
"$sbverify" --cert "$intcert" "$signed" || exit 1
|
||||
# there's no intermediate cert in the image so it can't chain to the ca which
|
||||
# is why this should fail
|
||||
"$sbverify" --cert "$cacert" "$signed" && exit 1
|
||||
|
||||
# now add the intermediates and each level should succeed
|
||||
"$sbsign" --cert "$cert" --addcert "$intcert" --key "$key" --output "$signed" "$image" || exit 1
|
||||
"$sbverify" --cert "$cert" "$signed" || exit 1
|
||||
"$sbverify" --cert "$intcert" "$signed" || exit 1
|
||||
"$sbverify" --cert "$cacert" "$signed" || exit 1
|
||||
|
||||
|
|
|
@ -11,8 +11,12 @@ sbattach=$bindir/sbattach
|
|||
|
||||
key="$datadir/private-key.rsa"
|
||||
cert="$datadir/public-cert.pem"
|
||||
intkey="$datadir/int-key.ec"
|
||||
intcert="$datadir/int-cert.pem"
|
||||
cakey="$datadir/ca-key.ec"
|
||||
cacert="$datadir/ca-cert.pem"
|
||||
|
||||
export basedir datadir bindir sbsign sbverify sbattach key cert
|
||||
export basedir datadir bindir sbsign sbverify sbattach key cert intkey intcert cakey cacert
|
||||
|
||||
# 'test' needs to be an absolute path, as we will cd to a temporary
|
||||
# directory before running the test
|
||||
|
|