diff options
author | Jeremy Kerr <jeremy.kerr@canonical.com> | 2012-05-12 23:11:46 -0700 |
---|---|---|
committer | Jeremy Kerr <jeremy.kerr@canonical.com> | 2012-05-12 23:12:18 -0700 |
commit | e404a4d412227c4fc980dd97b15579f44c900757 (patch) | |
tree | e11112780a3d56686cd08b230ff247dc3820909e | |
parent | d5f1a61b99746afe93a9966b077713022638281b (diff) | |
download | sbsigntools-e404a4d412227c4fc980dd97b15579f44c900757.tar.gz |
verify: move idc-related parsing to idc.c
Extract the IDC-parsing code from IDC_check_hash, and use it to
initialise a BIO. This BIO can then be used to perform the PKCS7
verification.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
-rw-r--r-- | idc.c | 40 | ||||
-rw-r--r-- | idc.h | 5 | ||||
-rw-r--r-- | sbverify.c | 28 |
3 files changed, 46 insertions, 27 deletions
@@ -217,20 +217,48 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image) return 0; } -int IDC_check_hash(struct image *image, PKCS7 *p7) +struct idc *IDC_get(PKCS7 *p7, BIO *bio) { - unsigned char sha[SHA256_DIGEST_LENGTH]; - const unsigned char *buf; + const unsigned char *buf, *idcbuf; ASN1_STRING *str; IDC *idc; - image_hash_sha256(image, sha); - /* extract the idc from the signed PKCS7 'other' data */ str = p7->d.sign->contents->d.other->value.asn1_string; - buf = ASN1_STRING_data(str); + idcbuf = buf = ASN1_STRING_data(str); idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str)); + /* If we were passed a BIO, write the idc data, minus type and length, + * to the BIO. This can be used to PKCS7_verify the idc */ + if (bio) { + uint32_t idclen; + uint8_t tmp; + + tmp = idcbuf[1]; + + if (!(tmp & 0x80)) { + idclen = tmp & 0x7f; + idcbuf += 2; + } else if ((tmp & 0x82) == 0x82) { + idclen = (idcbuf[2] << 8) + + idcbuf[3]; + idcbuf += 4; + } + + BIO_write(bio, idcbuf, idclen); + } + + return idc; +} + +int IDC_check_hash(struct idc *idc, struct image *image) +{ + unsigned char sha[SHA256_DIGEST_LENGTH]; + const unsigned char *buf; + ASN1_STRING *str; + + image_hash_sha256(image, sha); + /* check hash algorithm sanity */ if (OBJ_cmp(idc->digest->alg->algorithm, OBJ_nid2obj(NID_sha256))) { fprintf(stderr, "Invalid algorithm type\n"); @@ -23,8 +23,11 @@ #include <openssl/pkcs7.h> +struct idc; + int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image); -int IDC_check_hash(struct image *image, PKCS7 *p7); +struct idc *IDC_get(PKCS7 *p7, BIO *bio); +int IDC_check_hash(struct idc *idc, struct image *image); #endif /* IDC_H */ @@ -40,9 +40,9 @@ int main(int argc, char **argv) struct cert_table_header *header; enum verify_status status; struct image *image; - uint8_t *idcbuf, tmp; const uint8_t *buf; - int idclen, rc; + struct idc *idc; + int rc; BIO *idcbio; PKCS7 *p7; @@ -70,29 +70,17 @@ int main(int argc, char **argv) buf = (void *)(header + 1); p7 = d2i_PKCS7(NULL, &buf, header->size); - rc = IDC_check_hash(image, p7); - if (rc) + idcbio = BIO_new(BIO_s_mem()); + idc = IDC_get(p7, idcbio); + if (!idc) goto out; - idcbuf = p7->d.sign->contents->d.other->value.asn1_string->data; - - /* we don't include the type and length data in the hash */ - tmp = idcbuf[1]; - if (!(tmp & 0x80)) { - idclen = tmp & 0x7f; - idcbuf += 2; - } else if ((tmp & 0x82) == 0x82) { - idclen = (idcbuf[2] << 8) + - idcbuf[3]; - idcbuf += 4; - } - - idcbio = BIO_new(BIO_s_mem()); - BIO_write(idcbio, idcbuf, idclen); + rc = IDC_check_hash(idc, image); + if (rc) + goto out; rc = PKCS7_verify(p7, NULL, NULL, idcbio, NULL, PKCS7_BINARY | PKCS7_NOVERIFY); - if (!rc) { printf("PKCS7 verification failed\n"); ERR_print_errors_fp(stderr); |