Opkg support for smime (pkcs7) packages list signing

Thanks to Camille Moncelier <moncelier@devlife.org>
http://groups.google.com/group/opkg-devel/browse_thread/thread/6071ce290d5ceb77?utoken=qjR-TC0AAADKDldt5ZXsDDLs9sWCpWZI1zgeariQUwksg5ob1tmaFTCAL7MTcQRO6S85GfHgQ_k

As promised :) here is a patch allowing opkg to authenticate
a package list using smime and openssl instead of gpgme

Example:

 Sign a package list:
openssl smime -sign -in /path/to/repo/Packages \
       -signer /root/server.pem -binary \
       -outform PEM -out /path/to/repo/Packages.sig

 Configuration in /etc/opkg/opkg.conf
option check_signature 1
option signature_ca_file /etc/serverCA.pem
 option signature_ca_path /path/to/certs/dir

 opkg update
Downloading http://repo:8000/Packages
Updated list of available packages in /usr/lib/opkg/lists/angstrom
Downloading http://repo:8000/Packages.sig
Signature check passed

 Package list corruption or MIM:
Downloading http://repo:8000/Packages
Updated list of available packages in /usr/lib/opkg/lists/angstrom
Downloading http://repo:8000/Packages.sig
Signature check failed
Collected errors:
 * Verification failure

Camille Moncelier
http://devlife.org/

git-svn-id: http://opkg.googlecode.com/svn/trunk@221 e8e0d7a0-c8d9-11dd-a880-a1081c7ac358

diff --git a/configure.ac b/configure.ac
index 9c108f3f8dd27d5f1c7e4313d9df70a2bd324c90..579a10549fd6296cd3e28f7cf8a2b9e9bc057f43 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -48,6 +48,17 @@ if test "x$want_sha256" = "xyes"; then
 fi
 AM_CONDITIONAL(HAVE_SHA256, test "x$want_sha256" = "xyes")
 
+# check for openssl
+AC_ARG_ENABLE(openssl,
+              AC_HELP_STRING([--enable-openssl], [Enable signature checking with OpenSSL
+      [[default=no]] ]),
+    [want_openssl="$enableval"], [want_openssl="no"])
+
+if test "x$want_openssl" = "xyes"; then
+  PKG_CHECK_MODULES(OPENSSL, openssl)
+  AC_DEFINE(HAVE_OPENSSL, 1, [Define if you want OpenSSL support])
+fi
+
 
 dnl **********
 dnl GPGME
@@ -171,6 +182,18 @@ if test x$opkgetcdir = x; then
 fi
 
 
+dnl Some special cases for the wow64 build
+if test "x$want_gpgme" = "xyes"
+then
+       if test "x$want_openssl" = "xyes"
+       then
+       AC_MSG_ERROR([--enable-gpg and --enable-openssl are mutually exclusive.
+Use --disable-gpg if you want OpenSSL smime signatures])
+       fi
+fi
+
+
+
 AC_SUBST(opkglibdir)
 AC_SUBST(opkgetcdir)
 

diff --git a/libopkg/args.c b/libopkg/args.c
index ef2b4960e227e389b69b34dbbb3c1a51bf1c74ed..bbe2e4d4ca3e02d3c8a48466d067ae47d1642808 100644 (file)
--- a/libopkg/args.c
+++ b/libopkg/args.c
@@ -62,7 +62,7 @@ int args_init(args_t *args)
      if (conf_file_dir == NULL || conf_file_dir[0] == '\0') {
          conf_file_dir = ARGS_DEFAULT_CONF_FILE_DIR;
      }
-     sprintf_alloc(&args->conf_file, "%s/%s", conf_file_dir,
+     sprintf_alloc(&args->conf_file, "%s/%s", OPKGETCDIR,
                   ARGS_DEFAULT_CONF_FILE_NAME);
 
      args->force_defaults = ARGS_DEFAULT_FORCE_DEFAULTS;

diff --git a/libopkg/opkg.c b/libopkg/opkg.c
index a20023e34341fae40ac9ef706b0fb1f2d5fd6ad2..c6a86eae225c0759c37c2376e58b4ff8a148739c 100644 (file)
--- a/libopkg/opkg.c
+++ b/libopkg/opkg.c
@@ -852,7 +852,7 @@ opkg_update_package_lists (opkg_t *opkg, opkg_progress_callback_t progress_callb
     }
     free (url);
 
-#ifdef HAVE_GPGME
+#if defined(HAVE_GPGME) || defined(HAVE_OPENSSL)
     if ( opkg->conf->check_signature ) {
         char *sig_file_name;
         /* download detached signitures to verify the package lists */

diff --git a/libopkg/opkg_cmd.c b/libopkg/opkg_cmd.c
index 6ac847a775b0d04862807418eaa45b16a7d84777..4a0410ce32774e5de927421aa14ed54f05dd5978 100644 (file)
--- a/libopkg/opkg_cmd.c
+++ b/libopkg/opkg_cmd.c
@@ -259,8 +259,7 @@ static int opkg_update_cmd(opkg_conf_t *conf, int argc, char **argv)
                            list_file_name);
          }
          free(url);
-
-#ifdef HAVE_GPGME
+#if defined(HAVE_GPGME) || defined(HAVE_OPENSSL)
           if (conf->check_signature) {
               /* download detached signitures to verify the package lists */
               /* get the url for the sig file */
@@ -273,7 +272,8 @@ static int opkg_update_cmd(opkg_conf_t *conf, int argc, char **argv)
               /* create temporary file for it */
               char *tmp_file_name;
 
-              sprintf_alloc (&tmp_file_name, "%s/%s", tmp, "Packages.sig");
+              /* Put the signature in the right place */
+              sprintf_alloc (&tmp_file_name, "%s/%s.sig", lists_dir, src->name);
 
               err = opkg_download(conf, url, tmp_file_name, NULL, NULL);
               if (err) {
@@ -287,7 +287,8 @@ static int opkg_update_cmd(opkg_conf_t *conf, int argc, char **argv)
                   else
                       opkg_message (conf, OPKG_NOTICE, "Signature check failed\n");
               }
-              unlink (tmp_file_name);
+              /* We shouldn't unlink the signature ! */
+              // unlink (tmp_file_name);
               free (tmp_file_name);
               free (url);
           }

diff --git a/libopkg/opkg_conf.c b/libopkg/opkg_conf.c
index 4d1306e8d49cefc1e7b7b640a4963e607ad73c24..472b3191438223daab415a60acdf28b1f5be846f 100644 (file)
--- a/libopkg/opkg_conf.c
+++ b/libopkg/opkg_conf.c
@@ -75,6 +75,8 @@ int opkg_init_options_array(const opkg_conf_t *conf, opkg_option_t **options)
          { "proxy_user", OPKG_OPT_TYPE_STRING, &conf->proxy_user },
          { "query-all", OPKG_OPT_TYPE_BOOL, &conf->query_all },
          { "verbosity", OPKG_OPT_TYPE_BOOL, &conf->verbosity },
+         { "signature_ca_file", OPKG_OPT_TYPE_STRING, &conf->signature_ca_file },
+         { "signature_ca_path", OPKG_OPT_TYPE_STRING, &conf->signature_ca_path },
          { NULL }
      };
 

diff --git a/libopkg/opkg_conf.h b/libopkg/opkg_conf.h
index ca2661b9ea76c36c3e692b9fbf5f2a5a0f7a7196..4bd50e59d38c3fc6fcecf82d410ce69866729d23 100644 (file)
--- a/libopkg/opkg_conf.h
+++ b/libopkg/opkg_conf.h
@@ -82,6 +82,9 @@ struct opkg_conf
      char *proxy_user;
      char *proxy_passwd;
 
+     char *signature_ca_file;
+     char *signature_ca_path;
+
      hash_table_t pkg_hash;
      hash_table_t file_hash;
      hash_table_t obs_file_hash;

diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
index f185f22af84fd0c8873b519b87c47df77c231704..e31c49c478354dd804faf56c2697befa8163b36d 100644 (file)
--- a/libopkg/opkg_download.c
+++ b/libopkg/opkg_download.c
@@ -20,8 +20,17 @@
 #ifdef HAVE_CURL
 #include <curl/curl.h>
 #endif
-#ifdef HAVE_GPGME
+#if defined(HAVE_GPGME)
 #include <gpgme.h>
+#elif defined(HAVE_OPENSSL)
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/hmac.h>
+
 #endif
 
 #include "includes.h"
@@ -35,6 +44,12 @@
 #include "str_util.h"
 #include "opkg_defines.h"
 
+
+#ifdef HAVE_OPENSSL
+static X509_STORE *setup_verify(opkg_conf_t *conf, char *CAfile, char *CApath);
+static void init_openssl(void);
+#endif
+
 int opkg_download(opkg_conf_t *conf, const char *src,
   const char *dest_file_name, curl_progress_func cb, void *data)
 {
@@ -307,7 +322,7 @@ int opkg_prepare_url_for_install(opkg_conf_t *conf, const char *url, char **name
 int
 opkg_verify_file (opkg_conf_t *conf, char *text_file, char *sig_file)
 {
-#ifdef HAVE_GPGME
+#if defined HAVE_GPGME
     if (conf->check_signature == 0 )
         return 0;
     int status = -1;
@@ -374,8 +389,131 @@ opkg_verify_file (opkg_conf_t *conf, char *text_file, char *sig_file)
     gpgme_data_release (text);
     gpgme_release (ctx);
 
+    return status;
+#elif defined HAVE_OPENSSL
+    X509_STORE *store = NULL;
+    PKCS7 *p7 = NULL;
+    BIO *in = NULL, *indata = NULL;
+
+    // Sig check failed by default !
+    int status = -1;
+
+    init_openssl();
+
+    // Set-up the key store
+    if(!(store = setup_verify(conf, conf->signature_ca_file, conf->signature_ca_path))){
+        opkg_message(conf, OPKG_ERROR,
+                "Can't open CA certificates\n");
+        goto verify_file_end;
+    }
+
+    // Open a BIO to read the sig file
+    if (!(in = BIO_new_file(sig_file, "rb"))){
+        opkg_message(conf, OPKG_ERROR,
+                "Can't open signature file %s\n", sig_file);
+        goto verify_file_end;
+    }
+
+    // Read the PKCS7 block contained in the sig file
+    p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
+    if(!p7){
+        opkg_message(conf, OPKG_ERROR,
+                "Can't read signature file (Corrupted ?)\n");
+        goto verify_file_end;
+    }
+
+    // Open the Package file to authenticate
+    if (!(indata = BIO_new_file(text_file, "rb"))){
+        opkg_message(conf, OPKG_ERROR,
+                "Can't open file %s\n", text_file);
+        goto verify_file_end;
+    }
+
+    // Let's verify the autenticity !
+    if (PKCS7_verify(p7, NULL, store, indata, NULL, PKCS7_BINARY) != 1){
+        // Get Off My Lawn!
+        opkg_message(conf, OPKG_ERROR,
+                "Verification failure\n");
+    }else{
+        // Victory !
+        status = 0;
+    }
+
+verify_file_end:
+    BIO_free(in);
+    BIO_free(indata);
+    PKCS7_free(p7);
+    X509_STORE_free(store);
+
     return status;
 #else
     return 0;
 #endif
 }
+
+
+#if defined HAVE_OPENSSL
+static X509_STORE *setup_verify(opkg_conf_t *conf, char *CAfile, char *CApath){
+    X509_STORE *store = NULL;
+    X509_LOOKUP *lookup = NULL;
+
+    if(!(store = X509_STORE_new())){
+        // Something bad is happening...
+        goto end;
+    }
+
+    // adds the X509 file lookup method
+    lookup = X509_STORE_add_lookup(store,X509_LOOKUP_file());
+    if (lookup == NULL){
+        goto end;
+    }
+
+    // Autenticating against one CA file
+    if (CAfile) {
+        if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
+            // Invalid CA => Bye bye
+            opkg_message(conf, OPKG_ERROR,
+                    "Error loading file %s\n", CAfile);
+            goto end;
+        }
+    } else {
+        X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
+    }
+
+    // Now look into CApath directory if supplied
+    lookup = X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
+    if (lookup == NULL){
+        goto end;
+    }
+
+    if (CApath) {
+        if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
+            opkg_message(conf, OPKG_ERROR,
+                    "Error loading directory %s\n", CApath);
+            goto end;
+        }
+    } else {
+        X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
+    }
+
+    // All right !
+    ERR_clear_error();
+    return store;
+
+end:
+
+    X509_STORE_free(store);
+    return NULL;
+
+}
+
+static void init_openssl(void){
+    static int init = 0;
+
+    if(!init){      
+        OpenSSL_add_all_algorithms();       
+        ERR_load_crypto_strings();
+        init = 1;
+    }
+}
+#endif

diff --git a/libopkg/opkg_install.c b/libopkg/opkg_install.c
index 750ea652cf6229c55dd9903053091f70da3f2388..1bcaf2545126b129fc4231dc569c9a6254398c2b 100644 (file)
--- a/libopkg/opkg_install.c
+++ b/libopkg/opkg_install.c
@@ -837,7 +837,7 @@ int opkg_install_pkg(opkg_conf_t *conf, pkg_t *pkg, int from_upgrade)
      }
 
      /* check that the repository is valid */
-     #if HAVE_GPGME
+     #if defined(HAVE_GPGME) || defined(HAVE_OPENSSL)
      char *list_file_name, *sig_file_name, *lists_dir;
 
      /* check to ensure the package has come from a repository */
@@ -854,6 +854,8 @@ int opkg_install_pkg(opkg_conf_t *conf, pkg_t *pkg, int from_upgrade)
        {
          if (opkg_verify_file (conf, list_file_name, sig_file_name))
            return OPKG_INSTALL_ERR_SIGNATURE;
+       }else{
+         return OPKG_INSTALL_ERR_SIGNATURE;
        }
 
        free (lists_dir);