allow issue to append existing cert and be strictly quiet
authorDaniel Golle <daniel@makrotopia.org>
Fri, 8 Jun 2018 00:49:18 +0000 (02:49 +0200)
committerDaniel Golle <daniel@makrotopia.org>
Thu, 14 Jun 2018 16:51:22 +0000 (18:51 +0200)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This work was sponsored by WIO (wiowireless.com)

ucert.c

diff --git a/ucert.c b/ucert.c
index 32fa523ff46910c204c2e8eea5292a239b57a5ea..d5652e8510e862af845ba01b57f0179f6e506a5a 100644 (file)
--- a/ucert.c
+++ b/ucert.c
@@ -276,7 +276,8 @@ static int chain_verify(const char *msgfile, const char *pubkeyfile,
                                      blob_len(cobj->cert[CERT_ATTR_PAYLOAD]));
                        if (!containertb[CERT_CT_ATTR_PAYLOAD]) {
                                ret = 1;
-                               fprintf(stderr, "no ucert in signed payload\n");
+                               if (!quiet)
+                                       fprintf(stderr, "no ucert in signed payload\n");
                                goto clean_and_return;
                        }
                        blobmsg_parse(cert_payload_policy,
@@ -290,7 +291,8 @@ static int chain_verify(const char *msgfile, const char *pubkeyfile,
                            !payloadtb[CERT_PL_ATTR_EXPIRETIME] ||
                            !payloadtb[CERT_PL_ATTR_PUBKEY]) {
                                ret = 1;
-                               fprintf(stderr, "missing mandatory ucert attributes\n");
+                               if (!quiet)
+                                       fprintf(stderr, "missing mandatory ucert attributes\n");
                                goto clean_and_return;
                        }
                        certtype = blobmsg_get_u32(payloadtb[CERT_PL_ATTR_CERTTYPE]);
@@ -299,7 +301,8 @@ static int chain_verify(const char *msgfile, const char *pubkeyfile,
 
                        if (certtype != CERTTYPE_AUTH) {
                                ret = 2;
-                               fprintf(stderr, "wrong certificate type\n");
+                               if (!quiet)
+                                       fprintf(stderr, "wrong certificate type\n");
                                goto clean_and_return;
                        }
 
@@ -307,7 +310,8 @@ static int chain_verify(const char *msgfile, const char *pubkeyfile,
                        if (tv.tv_sec < validfrom ||
                            tv.tv_sec >= expiresat) {
                                ret = 3;
-                               fprintf(stderr, "certificate expired\n");
+                               if (!quiet)
+                                       fprintf(stderr, "certificate expired\n");
                                goto clean_and_return;
                        }
 
@@ -342,13 +346,14 @@ static int chain_verify(const char *msgfile, const char *pubkeyfile,
                                              pubkeydir, extsigfile, quiet);
                                unlink(extsigfile);
                        } else {
-                               fprintf(stderr, "stray trailing signature without anything to verify!\n");
+                               if (!quiet)
+                                       fprintf(stderr, "stray trailing signature without anything to verify!\n");
                                ret = 1;
                        };
                }
        }
 
-       if (checkmsg == -1)
+       if (checkmsg == -1 && !quiet)
                fprintf(stderr, "missing signature to verify message!\n");
 
 clean_and_return:
@@ -386,14 +391,14 @@ static int cert_dump(const char *certfile) {
        unsigned int count = 0;
 
        if (cert_load(certfile, &certchain)) {
-               fprintf(stderr, "cannot parse cert\n");
+               if (!quiet)
+                       fprintf(stderr, "cannot parse cert\n");
                return 1;
        }
 
        list_for_each_entry(cobj, &certchain, list) {
-               fprintf(stderr, "=== CHAIN ELEMENT %02u ===\n", ++count);
+               fprintf(stdout, "=== CHAIN ELEMENT %02u ===\n", ++count);
                cert_dump_blob(cobj->cert);
-               fprintf(stderr, "========================\n");
        }
 
        return 0;
@@ -415,11 +420,6 @@ static int cert_issue(const char *certfile, const char *pubkeyfile, const char *
        char pkfp[17];
        char tmpdir[] = "/tmp/ucert-XXXXXX";
 
-       if (stat(certfile, &st) == 0) {
-               fprintf(stderr, "certfile %s exists, won't overwrite.\n", certfile);
-               return -1;
-       }
-
        pkf = fopen(pubkeyfile, "r");
        if (!pkf)
                return -1;
@@ -479,7 +479,7 @@ static int cert_issue(const char *certfile, const char *pubkeyfile, const char *
                blob_put(&certbuf, CERT_ATTR_SIGNATURE, sigb, siglen);
                blob_put(&certbuf, CERT_ATTR_PAYLOAD, blob_data(payloadbuf.head), blob_len(payloadbuf.head));
                snprintf(fname, sizeof(fname) - 1, "%s%s", certfile, revoker?".revoke":"");
-               write_file(fname, certbuf.head, blob_raw_len(certbuf.head), false);
+               write_file(fname, certbuf.head, blob_raw_len(certbuf.head), true);
                blob_buf_free(&certbuf);
                blob_buf_free(&payloadbuf);
 
@@ -507,14 +507,16 @@ static int cert_process_revoker(const char *certfile, const char *pubkeydir) {
        int ret;
 
        if (cert_load(certfile, &certchain)) {
-               fprintf(stderr, "cannot parse cert\n");
+               if (!quiet)
+                       fprintf(stderr, "cannot parse cert\n");
                return 1;
        }
 
        list_for_each_entry(cobj, &certchain, list) {
-               /* blob has payload, verify that using signature */
                if (!cobj->cert[CERT_ATTR_PAYLOAD])
                        return 2;
+
+               /* blob has payload, verify that using signature */
                ret = cert_verify_blob(cobj->cert, NULL, pubkeydir);
                if (ret)
                        return ret;
@@ -525,7 +527,8 @@ static int cert_process_revoker(const char *certfile, const char *pubkeydir) {
                              blob_data(cobj->cert[CERT_ATTR_PAYLOAD]),
                              blob_len(cobj->cert[CERT_ATTR_PAYLOAD]));
                if (!containertb[CERT_CT_ATTR_PAYLOAD]) {
-                       fprintf(stderr, "no ucert in signed payload\n");
+                       if (!quiet)
+                               fprintf(stderr, "no ucert in signed payload\n");
                        return 2;
                }
 
@@ -538,7 +541,8 @@ static int cert_process_revoker(const char *certfile, const char *pubkeydir) {
                if (!payloadtb[CERT_PL_ATTR_CERTTYPE] ||
                    !payloadtb[CERT_PL_ATTR_VALIDFROMTIME] ||
                    !payloadtb[CERT_PL_ATTR_KEY_FINGERPRINT]) {
-                       fprintf(stderr, "missing mandatory ucert attributes\n");
+                       if (!quiet)
+                               fprintf(stderr, "missing mandatory ucert attributes\n");
                        return 2;
                }
 
@@ -547,7 +551,8 @@ static int cert_process_revoker(const char *certfile, const char *pubkeydir) {
                fingerprint = blobmsg_get_string(payloadtb[CERT_PL_ATTR_KEY_FINGERPRINT]);
 
                if (certtype != CERTTYPE_REVOKE) {
-                       fprintf(stderr, "wrong certificate type\n");
+                       if (!quiet)
+                               fprintf(stderr, "wrong certificate type\n");
                        return 2;
                }
 
@@ -586,7 +591,8 @@ static int cert_verify(const char *certfile, const char *pubkeyfile, const char
        static LIST_HEAD(certchain);
 
        if (cert_load(certfile, &certchain)) {
-               fprintf(stderr, "cannot parse cert\n");
+               if (!quiet)
+                       fprintf(stderr, "cannot parse cert\n");
                return 1;
        }