remove unused stat variable and gettimeofday only once while verifying

[oweals/ucert.git] / ucert.c

diff --git a/ucert.c b/ucert.c
index 7e419d4d8b04700df3b6f06803706f5be3ba6185..6762ed8ae07fcb5e959e081ff93e6aedde307b4a 100644 (file)
--- a/ucert.c
+++ b/ucert.c
@@ -156,8 +156,15 @@ static int cert_load(const char *certfile, struct list_head *chain) {
                else
                        pos += blob_pad_len(bufpt);
 
+               if (!certtb[CERT_ATTR_SIGNATURE])
+                       /* no signature -> drop */
+                       break;
+
                cobj = calloc(1, sizeof(*cobj));
-               memcpy(cobj->cert, &certtb, sizeof(certtb));
+               cobj->cert[CERT_ATTR_SIGNATURE] = blob_memdup(certtb[CERT_ATTR_SIGNATURE]);
+               if (certtb[CERT_ATTR_PAYLOAD])
+                       cobj->cert[CERT_ATTR_PAYLOAD] = blob_memdup(certtb[CERT_ATTR_PAYLOAD]);
+
                list_add_tail(&cobj->list, chain);
                ret += pret;
                bufpt = blob_next(bufpt);
@@ -243,6 +250,7 @@ static int chain_verify(const char *msgfile, const char *pubkeyfile,
        char extsigfile[256] = {0};
        int ret = 1;
        int checkmsg = 0;
+       struct timeval tv;
 
        if (mkdtemp(tmpdir) == NULL)
                return errno;
@@ -250,10 +258,11 @@ static int chain_verify(const char *msgfile, const char *pubkeyfile,
        if (msgfile)
                checkmsg = -1;
 
+       gettimeofday(&tv, NULL);
+
        list_for_each_entry(cobj, chain, list) {
                /* blob has payload, verify that using signature */
                if (cobj->cert[CERT_ATTR_PAYLOAD]) {
-                       struct timeval tv;
                        uint64_t validfrom;
                        uint64_t expiresat;
                        uint32_t certtype;
@@ -269,7 +278,8 @@ static int chain_verify(const char *msgfile, const char *pubkeyfile,
                                      blob_len(cobj->cert[CERT_ATTR_PAYLOAD]));
                        if (!containertb[CERT_CT_ATTR_PAYLOAD]) {
                                ret = 1;
-                               fprintf(stderr, "no ucert in signed payload\n");
+                               if (!quiet)
+                                       fprintf(stderr, "no ucert in signed payload\n");
                                goto clean_and_return;
                        }
                        blobmsg_parse(cert_payload_policy,
@@ -283,7 +293,8 @@ static int chain_verify(const char *msgfile, const char *pubkeyfile,
                            !payloadtb[CERT_PL_ATTR_EXPIRETIME] ||
                            !payloadtb[CERT_PL_ATTR_PUBKEY]) {
                                ret = 1;
-                               fprintf(stderr, "missing mandatory ucert attributes\n");
+                               if (!quiet)
+                                       fprintf(stderr, "missing mandatory ucert attributes\n");
                                goto clean_and_return;
                        }
                        certtype = blobmsg_get_u32(payloadtb[CERT_PL_ATTR_CERTTYPE]);
@@ -292,15 +303,16 @@ static int chain_verify(const char *msgfile, const char *pubkeyfile,
 
                        if (certtype != CERTTYPE_AUTH) {
                                ret = 2;
-                               fprintf(stderr, "wrong certificate type\n");
+                               if (!quiet)
+                                       fprintf(stderr, "wrong certificate type\n");
                                goto clean_and_return;
                        }
 
-                       gettimeofday(&tv, NULL);
                        if (tv.tv_sec < validfrom ||
                            tv.tv_sec >= expiresat) {
                                ret = 3;
-                               fprintf(stderr, "certificate expired\n");
+                               if (!quiet)
+                                       fprintf(stderr, "certificate expired\n");
                                goto clean_and_return;
                        }
 
@@ -335,13 +347,14 @@ static int chain_verify(const char *msgfile, const char *pubkeyfile,
                                              pubkeydir, extsigfile, quiet);
                                unlink(extsigfile);
                        } else {
-                               fprintf(stderr, "stray trailing signature without anything to verify!\n");
+                               if (!quiet)
+                                       fprintf(stderr, "stray trailing signature without anything to verify!\n");
                                ret = 1;
                        };
                }
        }
 
-       if (checkmsg == -1)
+       if (checkmsg == -1 && !quiet)
                fprintf(stderr, "missing signature to verify message!\n");
 
 clean_and_return:
@@ -379,14 +392,14 @@ static int cert_dump(const char *certfile) {
        unsigned int count = 0;
 
        if (cert_load(certfile, &certchain)) {
-               fprintf(stderr, "cannot parse cert\n");
+               if (!quiet)
+                       fprintf(stderr, "cannot parse cert\n");
                return 1;
        }
 
        list_for_each_entry(cobj, &certchain, list) {
-               fprintf(stderr, "=== CHAIN ELEMENT %02u ===\n", ++count);
+               fprintf(stdout, "=== CHAIN ELEMENT %02u ===\n", ++count);
                cert_dump_blob(cobj->cert);
-               fprintf(stderr, "========================\n");
        }
 
        return 0;
@@ -397,7 +410,6 @@ static int cert_issue(const char *certfile, const char *pubkeyfile, const char *
        struct blob_buf certbuf;
        struct blob_buf payloadbuf;
        struct timeval tv;
-       struct stat st;
        int pklen, siglen;
        int revoker = 1;
        void *c;
@@ -408,11 +420,6 @@ static int cert_issue(const char *certfile, const char *pubkeyfile, const char *
        char pkfp[17];
        char tmpdir[] = "/tmp/ucert-XXXXXX";
 
-       if (stat(certfile, &st) == 0) {
-               fprintf(stderr, "certfile %s exists, won't overwrite.\n", certfile);
-               return -1;
-       }
-
        pkf = fopen(pubkeyfile, "r");
        if (!pkf)
                return -1;
@@ -472,7 +479,7 @@ static int cert_issue(const char *certfile, const char *pubkeyfile, const char *
                blob_put(&certbuf, CERT_ATTR_SIGNATURE, sigb, siglen);
                blob_put(&certbuf, CERT_ATTR_PAYLOAD, blob_data(payloadbuf.head), blob_len(payloadbuf.head));
                snprintf(fname, sizeof(fname) - 1, "%s%s", certfile, revoker?".revoke":"");
-               write_file(fname, certbuf.head, blob_raw_len(certbuf.head), false);
+               write_file(fname, certbuf.head, blob_raw_len(certbuf.head), true);
                blob_buf_free(&certbuf);
                blob_buf_free(&payloadbuf);
 
@@ -500,14 +507,18 @@ static int cert_process_revoker(const char *certfile, const char *pubkeydir) {
        int ret;
 
        if (cert_load(certfile, &certchain)) {
-               fprintf(stderr, "cannot parse cert\n");
+               if (!quiet)
+                       fprintf(stderr, "cannot parse cert\n");
                return 1;
        }
 
+       gettimeofday(&tv, NULL);
+
        list_for_each_entry(cobj, &certchain, list) {
-               /* blob has payload, verify that using signature */
                if (!cobj->cert[CERT_ATTR_PAYLOAD])
                        return 2;
+
+               /* blob has payload, verify that using signature */
                ret = cert_verify_blob(cobj->cert, NULL, pubkeydir);
                if (ret)
                        return ret;
@@ -518,7 +529,8 @@ static int cert_process_revoker(const char *certfile, const char *pubkeydir) {
                              blob_data(cobj->cert[CERT_ATTR_PAYLOAD]),
                              blob_len(cobj->cert[CERT_ATTR_PAYLOAD]));
                if (!containertb[CERT_CT_ATTR_PAYLOAD]) {
-                       fprintf(stderr, "no ucert in signed payload\n");
+                       if (!quiet)
+                               fprintf(stderr, "no ucert in signed payload\n");
                        return 2;
                }
 
@@ -531,7 +543,8 @@ static int cert_process_revoker(const char *certfile, const char *pubkeydir) {
                if (!payloadtb[CERT_PL_ATTR_CERTTYPE] ||
                    !payloadtb[CERT_PL_ATTR_VALIDFROMTIME] ||
                    !payloadtb[CERT_PL_ATTR_KEY_FINGERPRINT]) {
-                       fprintf(stderr, "missing mandatory ucert attributes\n");
+                       if (!quiet)
+                               fprintf(stderr, "missing mandatory ucert attributes\n");
                        return 2;
                }
 
@@ -540,11 +553,11 @@ static int cert_process_revoker(const char *certfile, const char *pubkeydir) {
                fingerprint = blobmsg_get_string(payloadtb[CERT_PL_ATTR_KEY_FINGERPRINT]);
 
                if (certtype != CERTTYPE_REVOKE) {
-                       fprintf(stderr, "wrong certificate type\n");
+                       if (!quiet)
+                               fprintf(stderr, "wrong certificate type\n");
                        return 2;
                }
 
-               gettimeofday(&tv, NULL);
                if (tv.tv_sec < validfrom) {
                        return 3;
                }
@@ -579,7 +592,8 @@ static int cert_verify(const char *certfile, const char *pubkeyfile, const char
        static LIST_HEAD(certchain);
 
        if (cert_load(certfile, &certchain)) {
-               fprintf(stderr, "cannot parse cert\n");
+               if (!quiet)
+                       fprintf(stderr, "cannot parse cert\n");
                return 1;
        }
 
@@ -669,7 +683,7 @@ int main(int argc, char *argv[]) {
                        pubkeydir = optarg;
                        break;
                case 'q':
-                       if (quiet || cmd == CMD_NONE)
+                       if (quiet)
                                return usage(argv[0]);
                        quiet = true;
                        break;