read more than one cert from file

author Daniel Golle <daniel@makrotopia.org>

Thu, 7 Jun 2018 09:38:42 +0000 (11:38 +0200)

committer Daniel Golle <daniel@makrotopia.org>

Thu, 14 Jun 2018 16:51:22 +0000 (18:51 +0200)
author Daniel Golle <daniel@makrotopia.org>
Thu, 7 Jun 2018 09:38:42 +0000 (11:38 +0200)
committer Daniel Golle <daniel@makrotopia.org>
Thu, 14 Jun 2018 16:51:22 +0000 (18:51 +0200)
diff --git a/ucert.c b/ucert.c

index 51b421ed89ddddbd7be8ddbf83e2b6ebcf4d2042..a319529d1fb208fdf1c3dbfb139e7de12fcbeb83 100644 (file)
--- a/ucert.c
+++ b/ucert.c
@@ -95,7 +95,7 @@ static const struct blobmsg_policy cert_payload_policy[CERT_PL_ATTR_MAX] = {
  
  struct cert_object {
         struct list_head list;
  
  struct cert_object {
         struct list_head list;
-       struct blob_attr **cert;
+       struct blob_attr *cert[CERT_ATTR_MAX];
  };
  
  static int write_file(const char *filename, void *buf, size_t len, bool append) {
  };
  
  static int write_file(const char *filename, void *buf, size_t len, bool append) {
@@ -114,10 +114,11 @@ static int write_file(const char *filename, void *buf, size_t len, bool append)
  static int cert_load(const char *certfile, struct list_head *chain) {
         FILE *f;
         struct blob_attr *certtb[CERT_ATTR_MAX];
  static int cert_load(const char *certfile, struct list_head *chain) {
         FILE *f;
         struct blob_attr *certtb[CERT_ATTR_MAX];
+       struct blob_attr *bufpt;
         struct cert_object *cobj;
         char filebuf[CERT_BUF_LEN];
         struct cert_object *cobj;
         char filebuf[CERT_BUF_LEN];
-       int ret = 0;
-       int len;
+       int ret = 0, pret = 0;
+       int len, pos = 0;
  
         f = fopen(certfile, "r");
         if (!f)
  
         f = fopen(certfile, "r");
         if (!f)
@@ -132,18 +133,58 @@ static int cert_load(const char *certfile, struct list_head *chain) {
         if (ret)
                 return 1;
  
         if (ret)
                 return 1;
  
-       /* TODO: read more than one blob from file */
-       ret = blob_parse(filebuf, certtb, cert_policy, CERT_ATTR_MAX);
-       cobj = calloc(1, sizeof(*cobj));
-       cobj->cert = &certtb;
-       list_add_tail(&cobj->list, chain);
+       bufpt = (struct blob_attr *)filebuf;
+       do {
+               pret = blob_parse(bufpt, certtb, cert_policy, CERT_ATTR_MAX);
+               if (pret <= 0)
+                       /* no attributes found */
+                       break;
+
+               if (pos + blob_pad_len(bufpt) > len)
+                       /* blob exceeds filebuffer */
+                       break;
+               else
+                       pos += blob_pad_len(bufpt);
+
+               cobj = calloc(1, sizeof(*cobj));
+               memcpy(cobj->cert, &certtb, sizeof(certtb));
+               list_add_tail(&cobj->list, chain);
+               ret += pret;
+               bufpt = blob_next(bufpt);
+       /* repeat parsing while there is still enough remaining data in buffer */
+       } while(len > pos + sizeof(struct blob_attr));
  
         return (ret <= 0);
  }
  
  
         return (ret <= 0);
  }
  
-static int cert_append(const char *certfile, const char *pubkeyfile, const char *sigfile) {
-       fprintf(stderr, "not implemented\n");
-       return 1;
+static int cert_append(const char *certfile, const char *sigfile) {
+       FILE *fs;
+       char filebuf[CERT_BUF_LEN];
+       struct blob_buf sigbuf;
+       struct stat st;
+       int len;
+       int ret;
+
+       if (stat(certfile, &st) != 0) {
+               fprintf(stderr, "certfile %s doesn't exist, can't append.\n", certfile);
+               return -1;
+       }
+
+       fs = fopen(sigfile, "r");
+       if (!fs)
+               return 1;
+
+       len = fread(&filebuf, 1, CERT_BUF_LEN - 1, fs);
+       ret = ferror(fs) || !feof(fs) || (len < 64);
+       fclose(fs);
+       if (ret)
+               return 1;
+
+       blob_buf_init(&sigbuf, 0);
+       blob_put(&sigbuf, CERT_ATTR_SIGNATURE, filebuf, len);
+       ret = write_file(certfile, sigbuf.head, blob_raw_len(sigbuf.head), true);
+       blob_buf_free(&sigbuf);
+       return ret;
  }
  
  static int cert_verify_blob(struct blob_attr *cert[CERT_ATTR_MAX],
  }
  
  static int cert_verify_blob(struct blob_attr *cert[CERT_ATTR_MAX],
@@ -202,16 +243,17 @@ static int chain_verify(const char *msgfile, const char *pubkeyfile,
                 checkmsg = -1;
  
         list_for_each_entry(cobj, chain, list) {
                 checkmsg = -1;
  
         list_for_each_entry(cobj, chain, list) {
-               ret = cert_verify_blob(cobj->cert, chainedpubkey[0]?chainedpubkey:pubkeyfile, pubkeydir);
-               if (ret)
-                       goto clean_and_return;
-
+               /* blob has payload, verify that using signature */
                 if (cobj->cert[CERT_ATTR_PAYLOAD]) {
                         struct timeval tv;
                         uint64_t validfrom;
                         uint64_t expiresat;
                         uint32_t certtype;
  
                 if (cobj->cert[CERT_ATTR_PAYLOAD]) {
                         struct timeval tv;
                         uint64_t validfrom;
                         uint64_t expiresat;
                         uint32_t certtype;
  
+                       ret = cert_verify_blob(cobj->cert, chainedpubkey[0]?chainedpubkey:pubkeyfile, pubkeydir);
+                       if (ret)
+                               goto clean_and_return;
+
                         blobmsg_parse(cert_cont_policy,
                                       ARRAY_SIZE(cert_cont_policy),
                                       containertb,
                         blobmsg_parse(cert_cont_policy,
                                       ARRAY_SIZE(cert_cont_policy),
                                       containertb,
@@ -260,6 +302,7 @@ static int chain_verify(const char *msgfile, const char *pubkeyfile,
                                    blobmsg_data_len(payloadtb[CERT_PL_ATTR_PUBKEY]),
                                    false);
                 } else {
                                    blobmsg_data_len(payloadtb[CERT_PL_ATTR_PUBKEY]),
                                    false);
                 } else {
+               /* blob doesn't have payload, verify message using signature */
                         if (msgfile) {
                                 snprintf(extsigfile, sizeof(extsigfile) - 1, "%s/%s", tmpdir, "ext-sig");
                                 write_file(extsigfile,
                         if (msgfile) {
                                 snprintf(extsigfile, sizeof(extsigfile) - 1, "%s/%s", tmpdir, "ext-sig");
                                 write_file(extsigfile,
@@ -402,6 +445,9 @@ static int cert_issue(const char *certfile, const char *pubkeyfile, const char *
                 blob_put(&certbuf, CERT_ATTR_PAYLOAD, blob_data(payloadbuf.head), blob_len(payloadbuf.head));
                 snprintf(fname, sizeof(fname) - 1, "%s%s", certfile, revoker?".revoke":"");
                 write_file(fname, certbuf.head, blob_raw_len(certbuf.head), false);
                 blob_put(&certbuf, CERT_ATTR_PAYLOAD, blob_data(payloadbuf.head), blob_len(payloadbuf.head));
                 snprintf(fname, sizeof(fname) - 1, "%s%s", certfile, revoker?".revoke":"");
                 write_file(fname, certbuf.head, blob_raw_len(certbuf.head), false);
+               blob_buf_free(&certbuf);
+               blob_buf_free(&payloadbuf);
+
                 revoker--;
         }
  
                 revoker--;
         }
  
@@ -431,7 +477,7 @@ static int usage(const char *cmd)
         fprintf(stderr,
                 "Usage: %s <command> <options>\n"
                 "Commands:\n"
         fprintf(stderr,
                 "Usage: %s <command> <options>\n"
                 "Commands:\n"
-               "  -A:                  append (needs -c and -p and/or -x)\n"
+               "  -A:                  append (needs -c and -x)\n"
                 "  -D:                  dump\n"
                 "  -I:                  issue cert and revoker (needs -c and -p and -s)\n"
                 "  -R:                  process revoker certificate (needs -c)\n"
                 "  -D:                  dump\n"
                 "  -I:                  issue cert and revoker (needs -c and -p and -s)\n"
                 "  -R:                  process revoker certificate (needs -c)\n"
@@ -488,12 +534,12 @@ int main(int argc, char *argv[]) {
                 case 'P':
                         pubkeydir = optarg;
                         break;
                 case 'P':
                         pubkeydir = optarg;
                         break;
-               case 's':
-                       seckeyfile = optarg;
-                       break;
                 case 'q':
                         quiet = true;
                         break;
                 case 'q':
                         quiet = true;
                         break;
+               case 's':
+                       seckeyfile = optarg;
+                       break;
                 case 'x':
                         sigfile = optarg;
                         break;
                 case 'x':
                         sigfile = optarg;
                         break;
@@ -504,8 +550,8 @@ int main(int argc, char *argv[]) {
  
         switch (cmd) {
         case CMD_APPEND:
  
         switch (cmd) {
         case CMD_APPEND:
-               if (certfile && (pubkeyfile || sigfile))
-                       return cert_append(certfile, pubkeyfile, sigfile);
+               if (certfile && sigfile)
+                       return cert_append(certfile, sigfile);
                 else
                         return usage(argv[0]);
         case CMD_DUMP:
                 else
                         return usage(argv[0]);
         case CMD_DUMP:
author	Daniel Golle <daniel@makrotopia.org>
	Thu, 7 Jun 2018 09:38:42 +0000 (11:38 +0200)
committer	Daniel Golle <daniel@makrotopia.org>
	Thu, 14 Jun 2018 16:51:22 +0000 (18:51 +0200)