Try a completely different thing for the test certs...

Signed-off-by: Peter Jones <pjones@redhat.com>
This commit is contained in:
Peter Jones 2015-12-01 15:21:31 -05:00
parent d9833768d9
commit 6765b54235
10 changed files with 179 additions and 246 deletions

View File

@ -1,50 +0,0 @@
From 2ced112a031c65791f04d46ce73f6d64a17ad069 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 20 Nov 2015 19:19:49 -0500
Subject: [PATCH 1/2] Don't setfacl when the socket or dir aren't there.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize-groups | 8 ++++++--
src/pesign-authorize-users | 8 ++++++--
2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index e3864ce..2222809 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -11,7 +11,11 @@
if [[ -r /etc/pesign/groups ]]; then
for group in $(cat /etc/pesign/groups); do
- setfacl -m g:${group}:rx /var/run/pesign
- setfacl -m g:${group}:rw /var/run/pesign/socket
+ if [ -d /var/run/pesign ]; then
+ setfacl -m g:${group}:rx /var/run/pesign
+ if [ -e /var/run/pesign/socket ]; then
+ setfacl -m g:${group}:rw /var/run/pesign/socket
+ fi
+ fi
done
fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index e500204..22bddec 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -11,7 +11,11 @@
if [[ -r /etc/pesign/users ]]; then
for username in $(cat /etc/pesign/users); do
- setfacl -m u:${username}:rx /var/run/pesign
- setfacl -m u:${username}:rw /var/run/pesign/socket
+ if [ -d /var/run/pesign ]; then
+ setfacl -m g:${username}:rx /var/run/pesign
+ if [ -e /var/run/pesign/socket ]; then
+ setfacl -m g:${username}:rw /var/run/pesign/socket
+ fi
+ fi
done
fi
--
2.5.0

View File

@ -0,0 +1,63 @@
From 6796e5f7b0ab1eb08f92887ae0427cf5a4120e0b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Sun, 8 Nov 2015 14:42:29 -0500
Subject: [PATCH 1/5] pesign: when nss fails to tell us -EPERM or -ENOENT,
figure it out.
This should make -EPERM problems much easier for the user to diagnose.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/src/pesign.c b/src/pesign.c
index 1d72657..09b6a2b 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -17,7 +17,9 @@
* Author(s): Peter Jones <pjones@redhat.com>
*/
+#include <err.h>
#include <fcntl.h>
+#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -576,14 +578,28 @@ main(int argc, char *argv[])
if (!daemon) {
SECStatus status;
- if (need_db)
+ if (need_db) {
status = NSS_Init(certdir);
- else
+ if (status != SECSuccess) {
+ char *globpattern = NULL;
+ rc = asprintf(&globpattern, "%s/cert*.db",
+ certdir);
+ if (rc > 0) {
+ glob_t globbuf;
+ memset(&globbuf, 0, sizeof(globbuf));
+ rc = glob(globpattern, GLOB_ERR, NULL,
+ &globbuf);
+ if (rc != 0) {
+ err(1, "Could not open NSS database (\"%s\")",
+ PORT_ErrorToString(PORT_GetError()));
+ }
+ }
+ }
+ } else
status = NSS_NoDB_Init(NULL);
if (status != SECSuccess) {
- fprintf(stderr, "Could not initialize nss: %s\n",
+ errx(1, "Could not initialize nss. NSS says \"%s\" errno says \"%m\"\n",
PORT_ErrorToString(PORT_GetError()));
- exit(1);
}
status = register_oids(ctxp->cms_ctx);
--
2.5.0

View File

@ -1,41 +0,0 @@
From 4abf6bc506a31ae3e21ae736a44cea992c6ba6c1 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 20 Nov 2015 19:21:39 -0500
Subject: [PATCH 2/2] setfacl the db as well
---
src/pesign-authorize-groups | 4 ++++
src/pesign-authorize-users | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index 2222809..e0f679d 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/groups ]]; then
setfacl -m g:${group}:rw /var/run/pesign/socket
fi
fi
+ if [ -d /etc/pki/pesign ]; then
+ setfacl -m g:${group}:rx /etc/pki/pesign
+ setfacl -m u:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ fi
done
fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index 22bddec..997c8a3 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/users ]]; then
setfacl -m g:${username}:rw /var/run/pesign/socket
fi
fi
+ if [ -d /etc/pki/pesign ]; then
+ setfacl -m g:${username}:rx /etc/pki/pesign
+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ fi
done
fi
--
2.5.0

View File

@ -0,0 +1,39 @@
From 1a9a8eefe8f9a9b21996151a5afd956df22921ea Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 19 Nov 2015 11:36:59 -0500
Subject: [PATCH 2/5] setfacl the nss DBs to our authorized users, not just the
socket.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize-groups | 2 ++
src/pesign-authorize-users | 2 ++
2 files changed, 4 insertions(+)
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index e3864ce..2236bea 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/groups ]]; then
for group in $(cat /etc/pesign/groups); do
setfacl -m g:${group}:rx /var/run/pesign
setfacl -m g:${group}:rw /var/run/pesign/socket
+ setfacl -m g:${username}:rx /etc/pki/pesign
+ setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
done
fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index e500204..9c38a25 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/users ]]; then
for username in $(cat /etc/pesign/users); do
setfacl -m u:${username}:rx /var/run/pesign
setfacl -m u:${username}:rw /var/run/pesign/socket
+ setfacl -m u:${username}:rx /etc/pki/pesign
+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
done
fi
--
2.5.0

View File

@ -1,7 +1,7 @@
From 4c70ae807156099bf027b57a94b7eae0a810b947 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 20 Nov 2015 19:19:49 -0500
Subject: [PATCH 2/3] Don't setfacl when the socket or dir aren't there.
Subject: [PATCH 3/5] Don't setfacl when the socket or dir aren't there.
Signed-off-by: Peter Jones <pjones@redhat.com>
---

View File

@ -1,112 +0,0 @@
From 54dd12c2653dc3aecdd73b9ffb2a85d92e39d858 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 30 Nov 2015 15:34:35 -0500
Subject: [PATCH 4/4] Gripe about pesign-rh-test-certs not being installed
---
src/Makefile | 7 +++++--
src/macros.pesign | 10 ++++++++--
src/missing-stuff.txt | 11 +++++++++++
src/pesign-authorize.service.in | 8 ++++++++
4 files changed, 32 insertions(+), 4 deletions(-)
create mode 100644 src/missing-stuff.txt
create mode 100644 src/pesign-authorize.service.in
diff --git a/src/Makefile b/src/Makefile
index af3fd07..9e27ee6 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.defaults
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
-SVCTARGETS=pesign.sysvinit pesign.service
+SVCTARGETS=pesign.sysvinit pesign.service pesign-authorize.service
TARGETS=$(BINTARGETS) $(SVCTARGETS)
all : deps $(TARGETS)
@@ -53,11 +53,12 @@ clean :
@rm -rfv *.o *.a *.so $(TARGETS)
@rm -rfv .*.d
-install_systemd: pesign.service
+install_systemd: pesign.service pesign-authorize.service
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libdatadir)tmpfiles.d/
$(INSTALL) -m 644 tmpfiles.conf $(INSTALLROOT)$(libdatadir)tmpfiles.d/pesign.conf
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libdatadir)systemd/system/
$(INSTALL) -m 644 pesign.service $(INSTALLROOT)$(libdatadir)systemd/system/
+ $(INSTALL) -m 644 pesign-authorize.service $(INSTALLROOT)$(libdatadir)systemd/system/
install_sysvinit: pesign.sysvinit
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
@@ -84,6 +85,8 @@ install :
$(INSTALL) -m 644 efisiglist.1 $(INSTALLROOT)$(mandir)man1/
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
+ $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/share/doc/pesign/
+ $(INSTALL) -m 644 missing-stuff.txt $(INSTALLROOT)/usr/share/doc/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/
diff --git a/src/macros.pesign b/src/macros.pesign
index 39374ce..3197ed7 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -7,7 +7,7 @@
# And magically get the right thing.
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
-%__pesign_cert %{!?pe_signing_cert:-c "Red Hat Test Certificate"}%{?pe_signing_cert:-c "%{pe_signing_cert}"}
+%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%_pesign /usr/bin/pesign
%_pesign_client /usr/bin/pesign-client
@@ -41,7 +41,13 @@
-c "/CN=Fedora Secure Boot Signer" \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
else \
- %{_pesign} %{__pesign_token} %{__pesign_cert} \\\
+ if ! certutil -d /etc/pki/pesign -L -n %{__pesign_cert} >/dev/null 2>&1 ; then \ \
+ if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
+ cat /usr/share/doc/pesign/missing-stuff.txt 1>&2 \
+ exit 1 \
+ fi \
+ fi \
+ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
fi \
else \
diff --git a/src/missing-stuff.txt b/src/missing-stuff.txt
new file mode 100644
index 0000000..55b68e3
--- /dev/null
+++ b/src/missing-stuff.txt
@@ -0,0 +1,11 @@
+
+
+You are attempting to sign the with the "Red Hat Test Certificate",
+which is not installed or cannot be accessed. If you mean to be signing
+with this key, ensure that the "pesign-rh-test-certs" package is
+installed and that your user name is listed in "/etc/pesign/users", and
+then run:
+
+ systemctl restart pesign-authorize.service
+
+
diff --git a/src/pesign-authorize.service.in b/src/pesign-authorize.service.in
new file mode 100644
index 0000000..ccb1d4f
--- /dev/null
+++ b/src/pesign-authorize.service.in
@@ -0,0 +1,8 @@
+[Unit]
+Description=Pesign database authentication management service
+
+[Service]
+PrivateTmp=true
+Type=oneshot
+ExecStart=@@LIBEXECDIR@@/pesign/pesign-authorize-users
+ExecStart=@@LIBEXECDIR@@/pesign/pesign-authorize-groups
--
2.5.0

View File

@ -1,7 +1,7 @@
From f7a16f89f3ed327d3e2f4ce897917c2966fb427d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 20 Nov 2015 19:21:39 -0500
Subject: [PATCH 3/3] setfacl the db as well
Subject: [PATCH 4/5] setfacl the db as well
And also get all our "-m [ug]:${name}:$perm" arguments right.

View File

@ -0,0 +1,62 @@
From bfa02b50f9bbb60c3b04f159864aa4a87b0020e2 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 30 Nov 2015 15:34:35 -0500
Subject: [PATCH 5/5] Do a better job of isolating pesign-rh-test-crap
---
src/Makefile | 1 +
src/macros.pesign | 10 ++++++++--
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/Makefile b/src/Makefile
index af3fd07..1822d3f 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -65,6 +65,7 @@ install_sysvinit: pesign.sysvinit
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
+ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
$(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
diff --git a/src/macros.pesign b/src/macros.pesign
index 39374ce..9644940 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -7,7 +7,7 @@
# And magically get the right thing.
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
-%__pesign_cert %{!?pe_signing_cert:-c "Red Hat Test Certificate"}%{?pe_signing_cert:-c "%{pe_signing_cert}"}
+%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%_pesign /usr/bin/pesign
%_pesign_client /usr/bin/pesign-client
@@ -21,6 +21,10 @@
# -a <input ca cert filename> # rhel only
# -s # perform signing
%pesign(i:o:C:e:c:n:a:s) \
+ _pesign_nssdir=/etc/pki/pesign \
+ if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
+ _pesign_nssdir=/etc/pki/pesign-rh-test \
+ fi \
if [ -x %{_pesign} ] && \\\
[ "%{_target_cpu}" == "x86_64" -o \\\
"%{_target_cpu}" == "aarch64" ]; then \
@@ -39,9 +43,11 @@
elif [ -S /var/run/pesign/socket ]; then \
%{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
-c "/CN=Fedora Secure Boot Signer" \\\
+ --certdir ${_pesign_nssdir} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
else \
- %{_pesign} %{__pesign_token} %{__pesign_cert} \\\
+ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
+ --certdir ${_pesign_nssdir} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
fi \
else \
--
2.5.0

View File

@ -6,8 +6,8 @@ Version: 0.111
Release: 5%{?dist}
Group: Development/System
License: GPLv2
Recommends: pesign-rh-test-certs
URL: https://github.com/vathpela/pesign
Obsoletes: rh-test-certs <= 0.111-5
BuildRequires: git nspr nss nss-util popt-devel
BuildRequires: coolkey opensc nss-tools
BuildRequires: nspr-devel >= 4.9.2-1
@ -25,24 +25,16 @@ BuildRequires: rh-signing-tools >= 1.20-2
Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
Source1: certs.tar.xz
Patch0001: 0001-Fix-one-more-Wsign-compare-problem-I-missed.patch
Patch10001: 0001-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
Patch10002: 0002-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
Patch10003: 0003-setfacl-the-db-as-well.patch
Patch10004: 0004-Gripe-about-pesign-rh-test-certs-not-being-installed.patch
Patch10001: 0001-pesign-when-nss-fails-to-tell-us-EPERM-or-ENOENT-fig.patch
Patch10002: 0002-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
Patch10003: 0003-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
Patch10004: 0004-setfacl-the-db-as-well.patch
Patch10005: 0005-Do-a-better-job-of-isolating-pesign-rh-test-crap.patch
%description
This package contains the pesign utility for signing UEFI binaries as
well as other associated tools.
%package rh-test-certs
Summary: Test keys for pesign
Group: Development/System
License: GPLv2
Requires: pesign = %{version}-%{release}
%description rh-test-certs
This package contains test keys for use with pesign
%prep
%setup -q -a 0
%setup -a 1 -D -c -n pesign-%{version}/
@ -72,7 +64,9 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} \
rm -rf %{buildroot}/boot %{buildroot}/usr/include
rm -rf %{buildroot}%{_libdir}/libdpe*
mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign/
mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
cp -a etc/pki/pesign/* %{buildroot}%{_sysconfdir}/pki/pesign/
cp -a etc/pki/pesign-rh-test/* %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
if [ %{macrosdir} != %{_sysconfdir}/rpm ]; then
mkdir -p %{buildroot}%{macrosdir}
@ -89,24 +83,6 @@ getent passwd pesign >/dev/null || \
-c "Group for the pesign signing daemon" pesign
exit 0
%post rh-test-certs
certutil --merge -d %{_sysconfdir}/pki/pesign/ --source-dir %{_sysconfdir}/pki/pesign/rh-test-certs/
if getent passwd mockbuild >/dev/null ; then
if ! grep -q mockbuild %{_sysconfdir}/pesign/users ; then
echo mockbuild >> %{_sysconfdir}/pesign/users
%{_libexecdir}/pesign/pesign-authorize-users
fi
fi
%preun rh-test-certs
if [ "$1" -eq 0 ]; then
if certutil -d %{_sysconfdir}/pki/pesign -L -n "Red Hat Test Certificate" >/dev/null 2>&1 ; then
certutil -d %{_sysconfdir}/pki/pesign -F -n "Red Hat Test Certificate" >/dev/null 2>&1 || :
certutil -d %{_sysconfdir}/pki/pesign -D -n "Red Hat Test Certificate" >/dev/null 2>&1 || :
certutil -d %{_sysconfdir}/pki/pesign -D -n "Red Hat Test CA" >/dev/null 2>&1 || :
fi
fi
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
%post
%systemd_post pesign.service
@ -114,7 +90,6 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
-libfile %{_libdir}/pkcs11/opensc-pkcs11.so >/dev/null
#modutil -force -dbdir %{_sysconfdir}/pki/pesign -add coolkey \
# -libfile %%{_libdir}/pkcs11/libcoolkeypk11.so
%preun
%systemd_preun pesign.service
@ -138,14 +113,16 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
%{_bindir}/pesign
%{_bindir}/pesign-client
%dir %{_libexecdir}/pesign/
%exclude %{_sysconfdir}/pki/pesign/rh-test-certs/
%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign/
%attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/
%attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/*
%{_libexecdir}/pesign/pesign-authorize-users
%{_libexecdir}/pesign/pesign-authorize-groups
%config(noreplace)/%{_sysconfdir}/pesign/users
%config(noreplace)/%{_sysconfdir}/pesign/groups
%{_sysconfdir}/popt.d/pesign.popt
%{macrosdir}/macros.pesign
%{_docdir}/pesign/missing-stuff.txt
%{_mandir}/man*/*
%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign
%attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
@ -155,13 +132,8 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
%{_tmpfilesdir}/pesign.conf
%{_unitdir}/pesign.service
%{_unitdir}/pesign-authorize.service
%endif
%files rh-test-certs
%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign/rh-test-certs/
%attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/rh-test-certs/*
%changelog
* Mon Nov 30 2015 Peter Jones <pjones@redhat.com> - 0.111-5
- setfacl even harder.

View File

@ -1,2 +1,2 @@
37bb2a79934feda0327e0fb4d9e5b08e certs.tar.xz
b2c6b74c2475a1442634d1386d888c24 pesign-0.111.tar.bz2
e377e0bc924287ee09356a239c5f51a8 certs.tar.xz