Compare commits

...

No commits in common. "c8s" and "a10s" have entirely different histories.
c8s ... a10s

40 changed files with 305 additions and 2474 deletions

9
.gitignore vendored
View File

@ -1,4 +1,7 @@
SOURCES/certs.tar.xz
SOURCES/pesign-0.112.tar.bz2
/pesign-*.tar.bz2
clog
/rh-test-certs.tar.bz2
*.rpm
/certs.tar.xz
/pesign-0.112.tar.bz2
.build*.log
/pesign-*/

View File

@ -1,72 +0,0 @@
From 33bcca8303cad962606df3bfc6a031a9b0626375 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 21 Apr 2016 10:47:34 -0400
Subject: [PATCH 01/29] cms: kill generate_integer(), it doesn't build on i686
and it's unused.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/cms_common.c | 34 ----------------------------------
src/cms_common.h | 1 -
2 files changed, 35 deletions(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index b19bc62..6a4e6a7 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -641,40 +641,6 @@ generate_string(cms_context *cms, SECItem *der, char *str)
return 0;
}
-static SEC_ASN1Template IntegerTemplate[] = {
- {.kind = SEC_ASN1_INTEGER,
- .offset = 0,
- .sub = NULL,
- .size = sizeof(long),
- },
- { 0 },
-};
-
-int
-generate_integer(cms_context *cms, SECItem *der, unsigned long integer)
-{
- void *ret;
-
- uint32_t u32;
-
- SECItem input = {
- .data = (void *)&integer,
- .len = sizeof(integer),
- .type = siUnsignedInteger,
- };
-
- if (integer < 0x100000000) {
- u32 = integer & 0xffffffffUL;
- input.data = (void *)&u32;
- input.len = sizeof(u32);
- }
-
- ret = SEC_ASN1EncodeItem(cms->arena, der, &input, IntegerTemplate);
- if (ret == NULL)
- cmsreterr(-1, cms, "could not encode data");
- return 0;
-}
-
int
generate_time(cms_context *cms, SECItem *encoded, time_t when)
{
diff --git a/src/cms_common.h b/src/cms_common.h
index 7d77faf..c7d7268 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -117,7 +117,6 @@ extern int generate_object_id(cms_context *ctx, SECItem *encoded,
SECOidTag tag);
extern int generate_empty_sequence(cms_context *ctx, SECItem *encoded);
extern int generate_time(cms_context *ctx, SECItem *encoded, time_t when);
-extern int generate_integer(cms_context *cms, SECItem *der, unsigned long integer);
extern int generate_string(cms_context *cms, SECItem *der, char *str);
extern int wrap_in_set(cms_context *cms, SECItem *der, SECItem **items);
extern int wrap_in_seq(cms_context *cms, SECItem *der,
--
2.13.4

View File

@ -0,0 +1,27 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nicolas Frayer <nfrayer@redhat.com>
Date: Mon, 20 Feb 2023 15:26:20 +0100
Subject: [PATCH] cms_common: Fixed Segmentation fault
When running efikeygen, the binary crashes with a segfault due
to dereferencing a **ptr instead of a *ptr.
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
(cherry picked from commit 227435af461f38fc4abeafe02884675ad4b1feb4)
---
src/cms_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index 24576f2..89d946a 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -956,7 +956,7 @@ find_certificate_by_issuer_and_sn(cms_context *cms,
if (!ias)
cnreterr(-1, cms, "invalid issuer and serial number");
- return find_certificate_by_callback(cms, match_issuer_and_serial, &ias, cert);
+ return find_certificate_by_callback(cms, match_issuer_and_serial, ias, cert);
}
int

View File

@ -1,73 +0,0 @@
From 5be0515dee24308fd7e270bf2e0fb5e5a7a78f32 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Thu, 9 Jun 2016 14:30:37 +0200
Subject: [PATCH 02/29] Fix command line parsing
The gettext translation domain should be passed as .arg, not .descrip,
otherwise popt won't process any of the command line options (it stops
looping over the struct poptOption array when an entry has unset
longName, shortName and arg).
Signed-off-by: Julien Cristau <jcristau@debian.org>
---
src/client.c | 2 +-
src/efikeygen.c | 2 +-
src/efisiglist.c | 2 +-
src/pesigcheck.c | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/client.c b/src/client.c
index 028419f..575c873 100644
--- a/src/client.c
+++ b/src/client.c
@@ -555,7 +555,7 @@ main(int argc, char *argv[])
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
{.longName = "token",
.shortName = 't',
.argInfo = POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
diff --git a/src/efikeygen.c b/src/efikeygen.c
index 6278849..8a515a5 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -486,7 +486,7 @@ int main(int argc, char *argv[])
poptContext optCon;
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
/* global nss-ish things */
{.longName = "dbdir",
.shortName = 'd',
diff --git a/src/efisiglist.c b/src/efisiglist.c
index cd3f1ae..40d6a93 100644
--- a/src/efisiglist.c
+++ b/src/efisiglist.c
@@ -126,7 +126,7 @@ main(int argc, char *argv[])
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
{.longName = "infile",
.shortName = 'i',
.argInfo = POPT_ARG_STRING,
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 1328fe9..0d49c1a 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -214,7 +214,7 @@ main(int argc, char *argv[])
poptContext optCon;
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
{.longName = "dbfile",
.shortName = 'D',
.argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
--
2.13.4

View File

@ -0,0 +1,41 @@
From 1f9e2fa0b4d872fdd01ca3ba81b04dfb1211a187 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Fri, 2 Feb 2024 09:32:48 -0500
Subject: [PATCH] Fix reversed calloc() arguments
The prototype is "void *calloc(size_t nelem, size_t elsize);"
These two instances had them reversed, almost certainly leading to
buffer overflow issues. This was detected by
-Werror=calloc-transposed-args on gcc.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/pesigcheck.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 6dc67f76a81..8119cf10a7b 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -240,7 +240,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
cert_iter iter;
- reasonps = calloc(sizeof(struct reason), 512);
+ reasonps = calloc(512, sizeof(struct reason));
if (!reasonps)
err(1, "check_signature");
@@ -281,7 +281,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
num_reasons += 16;
- new_reasons = calloc(sizeof(struct reason), num_reasons);
+ new_reasons = calloc(num_reasons, sizeof(struct reason));
if (!new_reasons)
err(1, "check_signature");
reasonps = new_reasons;
--
2.41.0

View File

@ -0,0 +1,25 @@
From e41a36c966e56fd82a9782551765b1fe8f198272 Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko <alukoshko@almalinux.org>
Date: Thu, 8 Aug 2024 21:15:58 +0000
Subject: [PATCH] Add versioned x86_64 arches support
---
src/pesign-rpmbuild-helper.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
index 9dee56e..51234db 100644
--- a/src/pesign-rpmbuild-helper.in
+++ b/src/pesign-rpmbuild-helper.in
@@ -144,7 +144,7 @@ main() {
fi
target_cpu="${target_cpu/i?86/ia32}"
- target_cpu="${target_cpu/x86_64/x64}"
+ target_cpu="${target_cpu/x86_64*/x64}"
target_cpu="${target_cpu/aarch64/aa64}"
target_cpu="${target_cpu/arm*/arm/}"
--
2.43.5

View File

@ -1,26 +0,0 @@
From 6de291458cbab99bcc317e282c16e1523d6de9b8 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 10 Aug 2016 17:12:39 -0400
Subject: [PATCH 03/29] gcc: don't error on stuff in includes.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Make.defaults | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Make.defaults b/Make.defaults
index c97b452..3511080 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -19,7 +19,7 @@ PKG_CONFIG = $(CROSS_COMPILE)pkg-config
CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
CCLD := $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \
- -Wall -Werror -Wextra
+ -Wall -Werror -Wextra -Wno-error=cpp
AS := $(CROSS_COMPILE)as
AR := $(CROSS_COMPILE)gcc-ar
RANLIB := $(CROSS_COMPILE)gcc-ranlib
--
2.13.4

View File

@ -1,39 +0,0 @@
From b20fc54c08e8afe1365e56cacade3ec39984da8d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 18 Apr 2017 19:00:34 -0400
Subject: [PATCH 04/29] Fix "certficate" argument name.
This fixes our typoed argument name by making the incorrectly spelled
version be a popt alias, and fixing the real implementation to be
spelled right in pesign.c .
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.c | 2 +-
src/pesign.popt | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/pesign.c b/src/pesign.c
index af374b6..279a17a 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -438,7 +438,7 @@ main(int argc, char *argv[])
.arg = &ctxp->outfile,
.descrip = "specify output file",
.argDescrip = "<outfile>" },
- {.longName = "certficate",
+ {.longName = "certificate",
.shortName = 'c',
.argInfo = POPT_ARG_STRING,
.arg = &certname,
diff --git a/src/pesign.popt b/src/pesign.popt
index 7b3385d..5a97748 100644
--- a/src/pesign.popt
+++ b/src/pesign.popt
@@ -1,2 +1,3 @@
pesign alias --cert --certificate
+pesign alias --certficate --certificate
pesign alias --daemon --daemonize
--
2.13.4

View File

@ -1,26 +0,0 @@
From 7bc8e8b04c74be5c4e0ebf211affc37cf9f5db37 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Mon, 27 Jun 2016 15:38:38 +0200
Subject: [PATCH 05/29] Fix description of --ascii-armor option in manpage
The --ascii option does not exist.
---
src/pesign.1 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pesign.1 b/src/pesign.1
index 47d1aec..29ae060 100644
--- a/src/pesign.1
+++ b/src/pesign.1
@@ -81,7 +81,7 @@ Export the public key specified by \-\-certificate to \fIoutkey\fR
Export the certificate specified by \-\-certificate to \fIoutcert\fR
.TP
-\fB-\-ascii\fR
+\fB-\-ascii\-armor\fR
Use ascii armoring on exported certificates.
.TP
--
2.13.4

View File

@ -1,22 +0,0 @@
From 9f411f4e797e983d2e8cb51dc5b9ab8db250c2e3 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 18 Apr 2017 19:05:40 -0400
Subject: [PATCH 06/29] Make --ascii work, since we documented it.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.popt | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/pesign.popt b/src/pesign.popt
index 5a97748..5ae0c5c 100644
--- a/src/pesign.popt
+++ b/src/pesign.popt
@@ -1,3 +1,4 @@
pesign alias --cert --certificate
pesign alias --certficate --certificate
pesign alias --daemon --daemonize
+pesign alias --ascii --ascii-armor
--
2.13.4

View File

@ -1,32 +0,0 @@
From d618de733865eab359890b4e677c368a133dad99 Mon Sep 17 00:00:00 2001
From: Pat Riehecky <riehecky@fnal.gov>
Date: Mon, 7 Nov 2016 11:37:08 -0600
Subject: [PATCH 07/29] Switch pesign client to also accept token/cert macros
rather than use hard coded values
---
src/macros.pesign | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 18e5b5e..69280e9 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -41,11 +41,11 @@
--certdir ${nss} -c signer %{-o} \
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
elif [ -S /var/run/pesign/socket ]; then \
- %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
- -c "/CN=Fedora Secure Boot Signer" \\\
+ %{_pesign_client} -t %{__pesign_token} \\\
+ -c %{__pesign_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
else \
- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
+ %{_pesign} -t %{__pesign_token} -c %{__pesign_cert} \\\
--certdir ${_pesign_nssdir} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
fi \
--
2.13.4

View File

@ -1,25 +0,0 @@
From 2cd211bcc612ad8cb99c778461ca02a9f3e5e44b Mon Sep 17 00:00:00 2001
From: David Michael <david.michael@coreos.com>
Date: Thu, 16 Feb 2017 15:08:30 -0800
Subject: [PATCH 08/29] pesigcheck: Verify with the cert as an object signer
---
src/certdb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/certdb.c b/src/certdb.c
index 2a08042..b7c99bb 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -339,7 +339,7 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
}
/* Verify the signature */
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
- certUsageSSLServer,
+ certUsageObjectSigner,
digest, HASH_AlgSHA256,
PR_FALSE, atTime);
if (!result) {
--
2.13.4

View File

@ -1,47 +0,0 @@
From e0238e2363f9668aee07b2e44a8f358e694551c0 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 24 Apr 2017 15:18:10 -0400
Subject: [PATCH 09/29] pesigcheck: make --certfile actually work
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesigcheck.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 0d49c1a..d7be542 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -130,7 +130,7 @@ check_signature(pesigcheck_context *ctx)
cert_iter iter;
generate_digest(ctx->cms_ctx, ctx->inpe, 1);
-
+
if (check_db_hash(DBX, ctx) == FOUND)
return -1;
@@ -225,6 +225,11 @@ main(int argc, char *argv[])
.argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
.arg = (void *)callback,
.descrip = (void *)ctxp },
+ {.longName = "certfile",
+ .shortName = 'c',
+ .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
+ .arg = (void *)callback,
+ .descrip = (void *)ctxp },
{.longName = "in",
.shortName = 'i',
.argInfo = POPT_ARG_STRING,
@@ -258,7 +263,7 @@ main(int argc, char *argv[])
.shortName = 'c',
.argInfo = POPT_ARG_STRING,
.arg = &certfile,
- .descrip = "the certificate (in DER form) for verification ",
+ .descrip = "import certfile (in DER encoding) for allowed certificate",
.argDescrip = "<certfile>" },
POPT_AUTOALIAS
POPT_AUTOHELP
--
2.13.4

View File

@ -1,27 +0,0 @@
From 799808b265ac6f82fa1268fd696d70357acce69c Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:15:07 -0400
Subject: [PATCH 10/29] signerInfos: make sure err is always initialized
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/signed_data.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/signed_data.c b/src/signed_data.c
index 721db90..9e0af23 100644
--- a/src/signed_data.c
+++ b/src/signed_data.c
@@ -132,7 +132,8 @@ int
generate_signerInfo_list(cms_context *cms, SpcSignerInfo ***signerInfo_list_p, SignerInfoType type)
{
SpcSignerInfo **signerInfo_list;
- int err, rc;
+ int err = 0;
+ int rc;
if (!signerInfo_list_p)
return -1;
--
2.13.4

View File

@ -1,26 +0,0 @@
From 868b42b338d919917ea31cfbf0f96e9586947eaf Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:23:36 -0400
Subject: [PATCH 11/29] pesign: make "pesign -h" tell you the file name.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pesign.c b/src/pesign.c
index 279a17a..5879cfc 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -387,7 +387,7 @@ print_digest(pesign_context *pctx)
if (!ctx)
return;
- printf("hash: ");
+ printf("%s ", pctx->infile);
int j = ctx->selected_digest;
for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
printf("%02x",
--
2.13.4

View File

@ -1,104 +0,0 @@
From 95327e6d9bd4f70980acd8fd6c9524265990dc4d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 10 May 2017 10:49:57 -0400
Subject: [PATCH 12/29] Add coverity build scripts
Signed-off-by: Peter Jones <pjones@redhat.com>
---
.gitignore | 1 +
Make.coverity | 37 +++++++++++++++++++++++++++++++++++++
Make.defaults | 2 ++
Make.rules | 4 ++++
Makefile | 1 +
5 files changed, 45 insertions(+)
create mode 100644 Make.coverity
diff --git a/.gitignore b/.gitignore
index 1635ba2..847e172 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@
*.tar.*
*.rpm
core.*
+cov-int
diff --git a/Make.coverity b/Make.coverity
new file mode 100644
index 0000000..b80b091
--- /dev/null
+++ b/Make.coverity
@@ -0,0 +1,37 @@
+include $(TOPDIR)/Make.version
+include $(TOPDIR)/Make.rules
+include $(TOPDIR)/Make.defaults
+
+COV_EMAIL=$(call get-config,coverity.email)
+COV_TOKEN=$(call get-config,coverity.token)
+COV_URL=$(call get-config,coverity.url)
+COV_FILE=$(NAME)-coverity-$(VERSION)-$(COMMIT_ID).tar.bz2
+
+cov-int : clean
+ cov-build --dir cov-int make all
+
+cov-clean :
+ @rm -vf $(NAME)-coverity-*.tar.*
+ @if [[ -d cov-int ]]; then rm -rf cov-int && echo "removed 'cov-int'"; fi
+
+cov-file : | $(COV_FILE)
+
+$(COV_FILE) : cov-int
+ tar caf $@ cov-int
+
+cov-upload :
+ @if [[ -n "$(COV_URL)" ]] && \
+ [[ -n "$(COV_TOKEN)" ]] && \
+ [[ -n "$(COV_EMAIL)" ]] ; \
+ then \
+ echo curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \
+ curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \
+ else \
+ echo Coverity output is in $(COV_FILE) ; \
+ fi
+
+coverity : cov-file cov-upload
+
+clean : | cov-clean
+
+.PHONY : coverity cov-upload cov-clean cov-file
diff --git a/Make.defaults b/Make.defaults
index 3511080..39b78f0 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -1,3 +1,5 @@
+NAME = pesign
+COMMIT_ID ?= $(shell git log -1 --pretty=%H 2>/dev/null || echo master)
prefix ?= /usr/
prefix := $(abspath $(prefix))/
libdir ?= $(prefix)lib64/
diff --git a/Make.rules b/Make.rules
index af5ecfe..5e3c83d 100644
--- a/Make.rules
+++ b/Make.rules
@@ -79,3 +79,7 @@ endef
$(TOPDIR)/libdpe/%.a $(TOPDIR)/libdpe/% :
$(MAKE) -C $(TOPDIR)/libdpe $(notdir $@)
+
+define get-config =
+$(shell git config --local --get "$(NAME).$(1)")
+endef
diff --git a/Makefile b/Makefile
index db8eb7e..ca1a359 100644
--- a/Makefile
+++ b/Makefile
@@ -4,6 +4,7 @@ TOPDIR = $(realpath .)
include $(TOPDIR)/Make.version
include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.defaults
+include $(TOPDIR)/Make.coverity
SUBDIRS := include libdpe src
--
2.13.4

View File

@ -1,25 +0,0 @@
From 4b9e7cf3e869de36daf2ea705b9efef55ae87ef8 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Sat, 8 Jul 2017 16:31:18 -0400
Subject: [PATCH 13/29] Document implicit fallthrough.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/authvar.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/authvar.c b/src/authvar.c
index ad659ca..03e0c47 100644
--- a/src/authvar.c
+++ b/src/authvar.c
@@ -511,6 +511,7 @@ main(int argc, char *argv[])
case IMPORT|SET:
case IMPORT|SIGN|SET:
fprintf(stderr, "authvar: not implemented\n");
+ /* fallthrough. */
case IMPORT|SIGN|EXPORT:
default:
fprintf(stderr, "authvar: invalid flags: ");
--
2.13.4

View File

@ -1,50 +0,0 @@
From a95e28e5cb10d417c81c8720e8521eb63793da37 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 16 May 2016 15:25:53 -0400
Subject: [PATCH 14/29] Actually setfacl /each/ directory of our key storage.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize-groups | 6 +++---
src/pesign-authorize-users | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index a4f895e..cf51fb6 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -18,10 +18,10 @@ if [ -r /etc/pesign/groups ]; then
setfacl -m g:${group}:rw /var/run/pesign/socket
fi
fi
- for x in /etc/pki/pesign* ; do
+ for x in /etc/pki/pesign*/ ; do
if [ -d ${x} ]; then
- setfacl -m g:${group}:rx /etc/pki/pesign
- for y in ${x}/{cert8,key3,secmod}.db ; do
+ setfacl -m g:${group}:rx ${x}
+ for y in ${x}{cert8,key3,secmod}.db ; do
setfacl -m g:${group}:rw ${y}
done
fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index 8b9a885..940138e 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -18,10 +18,10 @@ if [ -r /etc/pesign/users ]; then
setfacl -m g:${username}:rw /var/run/pesign/socket
fi
fi
- for x in /etc/pki/pesign* ; do
+ for x in /etc/pki/pesign*/ ; do
if [ -d ${x} ]; then
- setfacl -m g:${username}:rx /etc/pki/pesign
- for y in ${x}/{cert8,key3,secmod}.db ; do
+ setfacl -m g:${username}:rx ${x}
+ for y in ${x}{cert8,key3,secmod}.db ; do
setfacl -m g:${username}:rw ${y}
done
fi
--
2.13.4

View File

@ -1,59 +0,0 @@
From a3cc2ad5d49ed61187527281da351e80d8f76a89 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 22 Aug 2016 13:31:38 -0400
Subject: [PATCH 15/29] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array
indices.
That was all kinds of wrong.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/oid.c | 10 +++++++---
src/oid.h | 1 +
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/oid.c b/src/oid.c
index 9d8154f..7037e1e 100644
--- a/src/oid.c
+++ b/src/oid.c
@@ -33,6 +33,7 @@ static uint8_t oiddata[] = {
0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0f,
0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x15,
0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01,
+ 0x2b, 0x06, 0x01, 0x04, 0x01, 0x92, 0x08, 0x10, 0x01, 0x02,
};
#define OID(num, desc_s, oidtype, length, value) \
@@ -53,11 +54,14 @@ static struct {
OID(SPC_STATEMENT_TYPE_OBJID, "Statement Type", siDEROID, 10,
&oiddata[10]),
OID(SPC_PE_IMAGE_DATA_OBJID, "PE Image Data", siDEROID, 10,
- &oiddata[30]),
+ &oiddata[20]),
OID(SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, "Individual Key", siDEROID,
- 10, &oiddata[40]),
+ 10, &oiddata[30]),
OID(szOID_CERTSRV_CA_VERSION, "Certification server CA version",
- siAsciiString, 9, &oiddata[50]),
+ siAsciiString, 9, &oiddata[40]),
+ OID(SHIM_EKU_MODULE_SIGNING_ONLY,
+ "Certificate is used for kernel modules only", siDEROID, 10,
+ &oiddata[49]),
{ .oid = END_OID_LIST }
};
diff --git a/src/oid.h b/src/oid.h
index 599f49d..0e00781 100644
--- a/src/oid.h
+++ b/src/oid.h
@@ -25,6 +25,7 @@ typedef enum {
SPC_PE_IMAGE_DATA_OBJID, /* 1.3.6.1.4.1.311.2.1.15 */
SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, /* 1.3.6.1.4.1.311.2.1.21 */
szOID_CERTSRV_CA_VERSION, /* 1.3.6.1.4.1.311.21.1 */
+ SHIM_EKU_MODULE_SIGNING_ONLY, /* 1.3.6.1.4.1.2312.16.1.2 */
END_OID_LIST
} ms_oid_t;
--
2.13.4

View File

@ -1,197 +0,0 @@
From 9b4b12928c0450ac69d83293e179eec439465c03 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 22 Aug 2016 13:43:56 -0400
Subject: [PATCH 16/29] efikeygen: add --modsign
---
src/cms_common.c | 29 ++++++++++++++++++++++++++++
src/cms_common.h | 1 +
src/efikeygen.c | 59 ++++++++++++++++++++++++++++++++++++++++++++------------
3 files changed, 77 insertions(+), 12 deletions(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index 6a4e6a7..2df2cfe 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -715,6 +715,35 @@ make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
return 0;
}
+static SEC_ASN1Template EKUOidSequence[] = {
+ {
+ .kind = SEC_ASN1_OBJECT_ID,
+ .offset = 0,
+ .sub = &SEC_AnyTemplate,
+ .size = sizeof (SECItem),
+ },
+ { 0 }
+};
+
+int
+make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag)
+{
+ void *rv;
+ SECOidData *oid_data;
+
+ oid_data = SECOID_FindOIDByTag(oid_tag);
+ if (!oid_data)
+ cmsreterr(-1, cms, "could not encode eku oid data");
+
+ rv = SEC_ASN1EncodeItem(cms->arena, encoded, &oid_data->oid,
+ EKUOidSequence);
+ if (rv == NULL)
+ cmsreterr(-1, cms, "could not encode eku oid data");
+
+ encoded->type = siBuffer;
+ return 0;
+}
+
int
generate_octet_string(cms_context *cms, SECItem *encoded, SECItem *original)
{
diff --git a/src/cms_common.h b/src/cms_common.h
index c7d7268..7a31273 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -123,6 +123,7 @@ extern int wrap_in_seq(cms_context *cms, SECItem *der,
SECItem *items, int num_items);
extern int make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
SECItem *original);
+extern int make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag);
extern int generate_validity(cms_context *cms, SECItem *der, time_t start,
time_t end);
extern int generate_common_name(cms_context *cms, SECItem *der, char *cn);
diff --git a/src/efikeygen.c b/src/efikeygen.c
index 8a515a5..9390578 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -49,6 +49,7 @@
#include <libdpe/libdpe.h>
#include "cms_common.h"
+#include "oid.h"
#include "util.h"
typedef struct {
@@ -249,20 +250,34 @@ add_basic_constraints(cms_context *cms, void *extHandle)
}
static int
-add_extended_key_usage(cms_context *cms, void *extHandle)
+add_extended_key_usage(cms_context *cms, int modsign_only, void *extHandle)
{
- SECItem value = {
- .data = (unsigned char *)"\x30\x0a\x06\x08\x2b\x06\x01"
- "\x05\x05\x07\x03\x03",
- .len = 12,
- .type = siBuffer
- };
+ SECItem values[2];
+ SECItem wrapped = { 0 };
+ SECStatus status;
+ SECOidTag tag;
+ int rc;
+
+ if (modsign_only < 1 || modsign_only > 2)
+ cmsreterr(-1, cms, "could not encode extended key usage");
+ rc = make_eku_oid(cms, &values[0], SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
+ if (rc < 0)
+ cmsreterr(-1, cms, "could not encode extended key usage");
+
+ tag = find_ms_oid_tag(SHIM_EKU_MODULE_SIGNING_ONLY);
+ printf("tag: %d\n", tag);
+ rc = make_eku_oid(cms, &values[1], tag);
+ if (rc < 0)
+ cmsreterr(-1, cms, "could not encode extended key usage");
+
+ rc = wrap_in_seq(cms, &wrapped, values, modsign_only);
+ if (rc < 0)
+ cmsreterr(-1, cms, "could not encode extended key usage");
- SECStatus status;
status = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE,
- &value, PR_FALSE, PR_TRUE);
+ &wrapped, PR_FALSE, PR_TRUE);
if (status != SECSuccess)
cmsreterr(-1, cms, "could not encode extended key usage");
@@ -294,7 +309,7 @@ static int
add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
int is_ca, int is_self_signed, SECKEYPublicKey *pubkey,
SECKEYPublicKey *spubkey,
- char *url)
+ char *url, int modsign_only)
{
void *mark = PORT_ArenaMark(cms->arena);
@@ -319,7 +334,7 @@ add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
if (rc < 0)
cmsreterr(-1, cms, "could not generate certificate extensions");
- rc = add_extended_key_usage(cms, extHandle);
+ rc = add_extended_key_usage(cms, modsign_only, extHandle);
if (rc < 0)
cmsreterr(-1, cms, "could not generate certificate extensions");
@@ -469,6 +484,7 @@ int main(int argc, char *argv[])
{
int is_ca = 0;
int is_self_signed = -1;
+ int modsign_only = 0;
char *tokenname = "NSS Certificate DB";
char *signer = NULL;
char *nickname = NULL;
@@ -522,6 +538,18 @@ int main(int argc, char *argv[])
.descrip = "Generate a self-signed certificate" },
/* stuff about the generated key */
+ {.longName = "kernel",
+ .shortName = 'k',
+ .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
+ .arg = &modsign_only,
+ .val = 1,
+ .descrip = "Generate a kernel-signing certificate" },
+ {.longName = "module",
+ .shortName = 'm',
+ .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
+ .arg = &modsign_only,
+ .val = 2,
+ .descrip = "Generate a module-signing certificate" },
{.longName = "nickname",
.shortName = 'n',
.argInfo = POPT_ARG_STRING,
@@ -628,6 +656,9 @@ int main(int argc, char *argv[])
liberr(1, "could not allocate cms context");
}
+ if (modsign_only < 1 || modsign_only > 2)
+ errx(1, "either --kernel or --module must be used");
+
SECStatus status = NSS_InitReadWrite(dbdir);
if (status != SECSuccess)
nsserr(1, "could not initialize NSS");
@@ -639,6 +670,10 @@ int main(int argc, char *argv[])
SECKEYPublicKey *pubkey = NULL;
SECKEYPrivateKey *privkey = NULL;
+ status = register_oids(cms);
+ if (status != SECSuccess)
+ nsserr(1, "Could not register OIDs");
+
PK11SlotInfo *slot = NULL;
if (pubfile) {
rc = get_pubkey_from_file(pubfile, &pubkey);
@@ -713,7 +748,7 @@ int main(int argc, char *argv[])
crq = CERT_CreateCertificateRequest(name, spki, &attributes);
rc = add_extensions_to_crq(cms, crq, is_ca, is_self_signed, pubkey,
- spubkey, url);
+ spubkey, url, modsign_only);
if (rc < 0)
exit(1);
--
2.13.4

View File

@ -1,121 +0,0 @@
From 0456758e0c0873d1251bdf77d27f0f6175cbf289 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:25:02 -0400
Subject: [PATCH 17/29] check_cert_db(): try even harder to pick a reasonable
validation time.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 66 insertions(+), 9 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index b7c99bb..1a4baf1 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -250,12 +250,53 @@ check_db_hash(db_specifier which, pesigcheck_context *ctx)
return check_db(which, ctx, check_hash, NULL, 0);
}
-static PRTime
-determine_reasonable_time(CERTCertificate *cert)
+static void
+find_cert_times(SEC_PKCS7ContentInfo *cinfo,
+ PRTime *notBefore, PRTime *notAfter)
{
- PRTime notBefore, notAfter;
- CERT_GetCertTimes(cert, &notBefore, &notAfter);
- return notBefore;
+ CERTCertDBHandle *defaultdb, *certdb;
+ SEC_PKCS7SignedData *sdp;
+ CERTCertificate **certs = NULL;
+ SECItem **rawcerts;
+ int i, certcount;
+ SECStatus rv;
+
+ if (cinfo->contentTypeTag->offset != SEC_OID_PKCS7_SIGNED_DATA) {
+err:
+ *notBefore = 0;
+ *notAfter = 0x7fffffffffffffff;
+ return;
+ }
+
+ sdp = cinfo->content.signedData;
+ rawcerts = sdp->rawCerts;
+
+ defaultdb = CERT_GetDefaultCertDB();
+
+ certdb = defaultdb;
+ if (certdb == NULL)
+ goto err;
+
+ certcount = 0;
+ if (rawcerts != NULL) {
+ for (; rawcerts[certcount] != NULL; certcount++)
+ ;
+ }
+ rv = CERT_ImportCerts(certdb, certUsageObjectSigner, certcount,
+ rawcerts, &certs, PR_FALSE, PR_FALSE, NULL);
+ if (rv != SECSuccess)
+ goto err;
+
+ for (i = 0; i < certcount; i++) {
+ PRTime nb = 0, na = 0x7fffffffffff;
+ CERT_GetCertTimes(certs[i], &nb, &na);
+ if (*notBefore < nb)
+ *notBefore = nb;
+ if (*notAfter > na)
+ *notAfter = na;
+ }
+
+ CERT_DestroyCertArray(certs, certcount);
}
static db_status
@@ -271,6 +312,8 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
PRBool result;
SECStatus rv;
db_status status = NOT_FOUND;
+ PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
+ PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
efi_guid_t efi_x509 = efi_guid_x509_cert;
@@ -327,16 +370,30 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
}
cert->timeOK = PR_TRUE;
+ find_cert_times(cinfo, &notBefore, &notAfter);
+ if (earlyNow < notBefore)
+ earlyNow = notBefore;
+ if (lateNow > notAfter)
+ lateNow = notAfter;
+
SECItem *eTime;
PRTime atTime;
// atTime = determine_reasonable_time(cert);
eTime = SEC_PKCS7GetSigningTime(cinfo);
if (eTime != NULL) {
- if (DER_DecodeTimeChoice (&atTime, eTime) != SECSuccess)
- atTime = determine_reasonable_time(cert);
- } else {
- atTime = determine_reasonable_time(cert);
+ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
+ if (earlyNow < atTime)
+ earlyNow = atTime;
+ if (lateNow > atTime)
+ lateNow = atTime;
+ }
}
+
+ if (lateNow < earlyNow)
+ printf("Impossible time constraints: %ld <= %ld\n",
+ earlyNow / 1000000, lateNow / 1000000);
+ atTime = earlyNow / 2 + lateNow / 2;
+
/* Verify the signature */
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
certUsageObjectSigner,
--
2.13.4

View File

@ -1,137 +0,0 @@
From 01b89fb7a191f4639a93c5a7c47a80752118ba95 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:58:50 -0400
Subject: [PATCH 18/29] show which db we're checking
---
src/certdb.c | 35 ++++++++++++++++++++++++++++++++++-
src/pesigcheck_context.c | 2 ++
src/pesigcheck_context.h | 1 +
3 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/src/certdb.c b/src/certdb.c
index 1a4baf1..673e074 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -18,6 +18,7 @@
*/
#include <fcntl.h>
+#include <libgen.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
@@ -42,17 +43,33 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile,
return -1;
db->type = type;
-
db->fd = open(dbfile, O_RDONLY);
if (db->fd < 0) {
save_errno(free(db));
return -1;
}
+ char *path = strdup(dbfile);
+ if (!path) {
+ save_errno(close(db->fd);
+ free(db));
+ return -1;
+ }
+
+ db->path = basename(path);
+ db->path = strdup(db->path);
+ free(path);
+ if (!db->path) {
+ save_errno(close(db->fd);
+ free(db));
+ return -1;
+ }
+
struct stat sb;
int rc = fstat(db->fd, &sb);
if (rc < 0) {
save_errno(close(db->fd);
+ free(db->path);
free(db));
return -1;
}
@@ -65,6 +82,7 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile,
rc = read_file(db->fd, (char **)&db->map, &sz);
if (rc < 0) {
save_errno(close(db->fd);
+ free(db->path);
free(db));
return -1;
}
@@ -133,6 +151,7 @@ add_cert_file(pesigcheck_context *ctx, const char *filename)
#define DB_PATH "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
#define MOK_PATH "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23"
#define DBX_PATH "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
+#define MOKX_PATH "/sys/firmware/efi/efivars/MokListXRT-605dab50-e046-4300-abb6-3dd810dd8b23"
void
init_cert_db(pesigcheck_context *ctx, int use_system_dbs)
@@ -167,6 +186,18 @@ init_cert_db(pesigcheck_context *ctx, int use_system_dbs)
"database \"%s\": %m\n", DBX_PATH);
exit(1);
}
+
+ rc = add_db_file(ctx, DBX, MOKX_PATH, DB_EFIVAR);
+ if (rc < 0 && errno != ENOENT) {
+ fprintf(stderr, "pesigcheck: Could not add key database "
+ "\"%s\": %m\n", MOKX_PATH);
+ exit(1);
+ }
+
+ if (ctx->dbx == NULL) {
+ fprintf(stderr, "pesigcheck: warning: "
+ "No key recovation database available\n");
+ }
}
typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,
@@ -187,6 +218,8 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
sig.type = siBuffer;
while (dbl) {
+ printf("Searching %s %s\n", which == DB ? "db" : "dbx",
+ dbl->path);
EFI_SIGNATURE_LIST *certlist;
EFI_SIGNATURE_DATA *cert;
size_t dbsize = dbl->datalen;
diff --git a/src/pesigcheck_context.c b/src/pesigcheck_context.c
index b934cbe..5a355b1 100644
--- a/src/pesigcheck_context.c
+++ b/src/pesigcheck_context.c
@@ -87,6 +87,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx)
munmap(db->map, db->size);
close(db->fd);
ctx->db = db->next;
+ free(db->path);
free(db);
}
while (ctx->dbx) {
@@ -95,6 +96,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx)
if (db->type == DB_CERT)
free(db->data);
munmap(db->map, db->size);
+ free(db->path);
close(db->fd);
ctx->dbx = db->next;
free(db);
diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
index 1b916e3..7b5cc89 100644
--- a/src/pesigcheck_context.h
+++ b/src/pesigcheck_context.h
@@ -34,6 +34,7 @@ typedef enum {
struct dblist {
db_f_type type;
+ char *path;
int fd;
struct dblist *next;
size_t size;
--
2.13.4

View File

@ -1,97 +0,0 @@
From 713e61448a6ffa3e6029a7c89fad61b8cb08c9ff Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 17:00:46 -0400
Subject: [PATCH 19/29] more about the time
---
src/certdb.c | 59 +++++++++++++++++++++++++++++++++--------------------------
1 file changed, 33 insertions(+), 26 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index 673e074..1078a8a 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -345,8 +345,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
PRBool result;
SECStatus rv;
db_status status = NOT_FOUND;
+ PRTime atTime = PR_Now();
+ SECItem *eTime;
PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
- PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
+ PRTime notBefore, notAfter;
efi_guid_t efi_x509 = efi_guid_x509_cert;
@@ -358,6 +360,36 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
if (!cinfo)
goto out;
+ notBefore = earlyNow;
+ notAfter = lateNow;
+ find_cert_times(cinfo, &notBefore, &notAfter);
+ if (earlyNow < notBefore)
+ earlyNow = notBefore;
+ if (lateNow > notAfter)
+ lateNow = notAfter;
+
+ // atTime = determine_reasonable_time(cert);
+ eTime = SEC_PKCS7GetSigningTime(cinfo);
+ if (eTime != NULL) {
+ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
+ if (earlyNow < atTime)
+ earlyNow = atTime;
+ if (lateNow > atTime)
+ lateNow = atTime;
+ }
+ }
+
+ if (lateNow < earlyNow)
+ printf("Signature has impossible time constraint: %ld <= %ld\n",
+ earlyNow / 1000000, lateNow / 1000000);
+ atTime = earlyNow / 2 + lateNow / 2;
+
+
+ cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL);
+ if (!cinfo)
+ goto out;
+
/* Generate the digest of contentInfo */
/* XXX support only sha256 for now */
digest = SECITEM_AllocItem(NULL, NULL, 32);
@@ -401,31 +433,6 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
PORT_ErrorToString(PORT_GetError()));
goto out;
}
- cert->timeOK = PR_TRUE;
-
- find_cert_times(cinfo, &notBefore, &notAfter);
- if (earlyNow < notBefore)
- earlyNow = notBefore;
- if (lateNow > notAfter)
- lateNow = notAfter;
-
- SECItem *eTime;
- PRTime atTime;
- // atTime = determine_reasonable_time(cert);
- eTime = SEC_PKCS7GetSigningTime(cinfo);
- if (eTime != NULL) {
- if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
- if (earlyNow < atTime)
- earlyNow = atTime;
- if (lateNow > atTime)
- lateNow = atTime;
- }
- }
-
- if (lateNow < earlyNow)
- printf("Impossible time constraints: %ld <= %ld\n",
- earlyNow / 1000000, lateNow / 1000000);
- atTime = earlyNow / 2 + lateNow / 2;
/* Verify the signature */
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
--
2.13.4

View File

@ -1,419 +0,0 @@
From 81583146602bba96728fa7544c8e856b32c22ee4 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 17:01:13 -0400
Subject: [PATCH 20/29] try to say why something fails
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 15 ++-
src/certdb.h | 2 +-
src/pesigcheck.c | 244 ++++++++++++++++++++++++++++++++++++++++++-----
src/pesigcheck_context.h | 1 +
4 files changed, 233 insertions(+), 29 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index 1078a8a..fae80af 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -205,7 +205,7 @@ typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,
static db_status
check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
- void *data, ssize_t datalen)
+ void *data, ssize_t datalen, SECItem *match)
{
SECItem pkcs7sig, sig;
dblist *dbl = which == DB ? ctx->db : ctx->dbx;
@@ -241,8 +241,12 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
found = check(ctx, &sig,
&certlist->SignatureType,
&pkcs7sig);
- if (found == FOUND)
+ if (found == FOUND) {
+ if (match)
+ memcpy(match, &sig,
+ sizeof(sig));
return FOUND;
+ }
cert = (EFI_SIGNATURE_DATA *)((uint8_t *)cert +
certlist->SignatureSize);
}
@@ -280,7 +284,7 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
db_status
check_db_hash(db_specifier which, pesigcheck_context *ctx)
{
- return check_db(which, ctx, check_hash, NULL, 0);
+ return check_db(which, ctx, check_hash, NULL, 0, NULL);
}
static void
@@ -459,7 +463,8 @@ out:
}
db_status
-check_db_cert(db_specifier which, pesigcheck_context *ctx, void *data, ssize_t datalen)
+check_db_cert(db_specifier which, pesigcheck_context *ctx,
+ void *data, ssize_t datalen, SECItem *match)
{
- return check_db(which, ctx, check_cert, data, datalen);
+ return check_db(which, ctx, check_cert, data, datalen, match);
}
diff --git a/src/certdb.h b/src/certdb.h
index ccf3c87..8402299 100644
--- a/src/certdb.h
+++ b/src/certdb.h
@@ -43,7 +43,7 @@ typedef struct {
extern db_status check_db_hash(db_specifier which, pesigcheck_context *ctx);
extern db_status check_db_cert(db_specifier which, pesigcheck_context *ctx,
- void *data, ssize_t datalen);
+ void *data, ssize_t datalen, SECItem *match);
extern void init_cert_db(pesigcheck_context *ctx, int use_system_dbs);
extern int add_cert_db(pesigcheck_context *ctx, const char *filename);
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index d7be542..c8e1086 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -17,7 +17,9 @@
* Author(s): Peter Jones <pjones@redhat.com>
*/
+#include <err.h>
#include <fcntl.h>
+#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -88,7 +90,8 @@ check_inputs(pesigcheck_context *ctx)
}
static int
-cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
+cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen,
+ SECItem *digest_out)
{
SECItem sig, *pe_digest, *content;
uint8_t *digest;
@@ -109,6 +112,12 @@ cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
pe_digest = ctx->cms_ctx->digests[0].pe_digest;
content = cinfo->content.signedData->contentInfo.content.data;
digest = content->data + content->len - pe_digest->len;
+ if (digest_out) {
+ digest_out->data = malloc(pe_digest->len);
+ digest_out->len = pe_digest->len;
+ digest_out->type = pe_digest->type;
+ memcpy(digest_out->data, digest, pe_digest->len);
+ }
if (memcmp(pe_digest->data, digest, pe_digest->len) != 0)
goto out;
@@ -120,22 +129,149 @@ out:
return ret;
}
+struct reason {
+ enum {
+ WHITELISTED = 0,
+ INVALID = 1,
+ BLACKLISTED = 2,
+ NO_WHITELIST = 3,
+ } reason;
+ enum {
+ NONE = 0,
+ DIGEST = 1,
+ SIGNATURE = 2,
+ } type;
+ union {
+ struct {
+ SECItem digest;
+ };
+ struct {
+ SECItem sig;
+ SECItem db_cert;
+ };
+ };
+};
+
+static void
+print_digest(SECItem *digest)
+{
+ char buf[digest->len * 2 + 2];
+
+ for (unsigned int i = 0; i < digest->len; i++)
+ snprintf(buf + i * 2, digest->len * 2, "%02x",
+ digest->data[i]);
+ buf[digest->len * 2] = '\0';
+ printf("%s\n", buf);
+}
+
+static void
+print_certificate(SECItem *cert)
+{
+ printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
+ printf("cert: %p\n", cert);
+}
+
+static void
+print_signatures(SECItem *database_cert, SECItem *signature)
+{
+ printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
+ print_certificate(database_cert);
+ print_certificate(signature);
+}
+
+static void
+print_reason(struct reason *reason)
+{
+ switch (reason->reason) {
+ case WHITELISTED:
+ printf("Whitelist entry: ");
+ if (reason->type == DIGEST)
+ print_digest(&reason->digest);
+ else if (reason->type == SIGNATURE)
+ print_signatures(&reason->sig, &reason->db_cert);
+ else
+ errx(1, "Unknown data type %d\n", reason->type);
+ break;
+ case INVALID:
+ if (reason->type == DIGEST) {
+ printf("Invalid digest: ");
+ print_digest(&reason->digest);
+ } else if (reason->type == SIGNATURE) {
+ printf("Invalid signature: ");
+ print_signatures(&reason->sig, &reason->db_cert);
+ } else {
+ errx(1, "Unknown data type %d\n", reason->type);
+ }
+ break;
+ case BLACKLISTED:
+ if (reason->type == DIGEST) {
+ printf("Invalid digest: ");
+ print_digest(&reason->digest);
+ } else if (reason->type == SIGNATURE) {
+ printf("Invalid signature: ");
+ print_signatures(&reason->sig, &reason->db_cert);
+ } else {
+ errx(1, "Unknown data type %d\n", reason->type);
+ }
+ break;
+ case NO_WHITELIST:
+ if (reason->type == NONE)
+ printf("No matching whitelist entry.\n");
+ else
+ errx(1, "Invalid data type %d\n", reason->type);
+ break;
+ default:
+ errx(1, "Unknown reason type %d\n", reason->reason);
+ break;
+ }
+}
+
+static void
+get_digest(pesigcheck_context *ctx, SECItem *digest)
+{
+ struct cms_context *cms = ctx->cms_ctx;
+ struct digest *cms_digest = &cms->digests[cms->selected_digest];
+
+ memcpy(digest, cms_digest->pe_digest, sizeof (*digest));
+}
+
static int
-check_signature(pesigcheck_context *ctx)
+check_signature(pesigcheck_context *ctx, int *nreasons,
+ struct reason **reasons)
{
- int has_valid_cert = 0;
- int has_invalid_cert = 0;
+ bool has_valid_cert = false;
+ bool is_invalid = false;
+ struct reason *reasonps = NULL, *reason;
+ int num_reasons = 16;
+ int nreason = 0;
int rc = 0;
+ int ret = -1;
cert_iter iter;
+ reasonps = calloc(sizeof(struct reason), 512);
+ if (!reasonps)
+ err(1, "check_signature");
+
generate_digest(ctx->cms_ctx, ctx->inpe, 1);
- if (check_db_hash(DBX, ctx) == FOUND)
- return -1;
+ if (check_db_hash(DBX, ctx) == FOUND) {
+ reason = &reasonps[nreason];
+ reason->reason = BLACKLISTED;
+ reason->type = DIGEST;
+ get_digest(ctx, &reason->digest);
+ reason += 1;
+ is_invalid = true;
+ }
- if (check_db_hash(DB, ctx) == FOUND)
- has_valid_cert = 1;
+ if (check_db_hash(DB, ctx) == FOUND) {
+ reason = &reasonps[nreason];
+ reason->reason = WHITELISTED;
+ reason->type = DIGEST;
+ get_digest(ctx, &reason->digest);
+ nreason += 1;
+ has_valid_cert = true;
+ }
rc = cert_iter_init(&iter, ctx->inpe);
if (rc < 0)
@@ -145,32 +281,81 @@ check_signature(pesigcheck_context *ctx)
ssize_t datalen;
while (1) {
+ /*
+ * Make sure we always have enough for this iteration of the
+ * loop, plus one "NO_WHITELIST" entry at the end.
+ */
+ if (nreason >= num_reasons - 4) {
+ struct reason *new_reasons;
+
+ num_reasons += 16;
+
+ new_reasons = calloc(sizeof(struct reason), num_reasons);
+ if (!new_reasons)
+ err(1, "check_signature");
+ reasonps = new_reasons;
+ }
+
rc = next_cert(&iter, &data, &datalen);
if (rc <= 0)
break;
- if (cert_matches_digest(ctx, data, datalen) < 0) {
- has_invalid_cert = 1;
- break;
+ reason = &reasonps[nreason];
+ if (cert_matches_digest(ctx, data, datalen,
+ &reason->digest) < 0) {
+ reason->reason = INVALID;
+ reason->type = DIGEST;
+ nreason += 1;
+ is_invalid = true;
}
- if (check_db_cert(DBX, ctx, data, datalen) == FOUND) {
- has_invalid_cert = 1;
- break;
+ reason = &reasonps[nreason];
+ if (check_db_cert(DBX, ctx, data, datalen,
+ &reason->db_cert) == FOUND) {
+ reason->reason = INVALID;
+ reason->type = SIGNATURE;
+ reason->sig.data = data;
+ reason->sig.len = datalen;
+ reason->type = siBuffer;
+ nreason += 1;
+ is_invalid = true;
}
- if (check_db_cert(DB, ctx, data, datalen) == FOUND)
- has_valid_cert = 1;
+ reason = &reasonps[nreason];
+ if (check_db_cert(DB, ctx, data, datalen,
+ &reason->db_cert) == FOUND) {
+ reason->reason = WHITELISTED;
+ reason->type = SIGNATURE;
+ reason->sig.data = data;
+ reason->sig.len = datalen;
+ reason->type = siBuffer;
+ nreason += 1;
+ has_valid_cert = true;
+ }
}
err:
- if (has_invalid_cert)
- return -1;
+ if (has_valid_cert != true) {
+ if (is_invalid != true) {
+ reason = &reasonps[nreason];
+ reason->reason = NO_WHITELIST;
+ reason->type = NONE;
+ nreason += 1;
+ }
+ is_invalid = true;
+ }
- if (has_valid_cert)
- return 0;
+ if (is_invalid == false)
+ ret = 0;
- return -1;
+ if (nreasons && reasons) {
+ *nreasons = nreason;
+ *reasons = reasonps;
+ } else {
+ free(reasonps);
+ }
+
+ return ret;
}
void
@@ -204,6 +389,9 @@ main(int argc, char *argv[])
pesigcheck_context ctx, *ctxp = &ctx;
+ struct reason *reasons = NULL;
+ int nreasons = 0;
+
char *dbfile = NULL;
char *dbxfile = NULL;
char *certfile = NULL;
@@ -242,6 +430,12 @@ main(int argc, char *argv[])
.arg = &ctx.quiet,
.val = 1,
.descrip = "return only; no text output." },
+ {.longName = "verbose",
+ .shortName = 'v',
+ .argInfo = POPT_BIT_SET,
+ .arg = &ctx.verbose,
+ .val = 1,
+ .descrip = "print reasons for success and failure." },
{.longName = "no-system-db",
.shortName = 'n',
.argInfo = POPT_ARG_INT,
@@ -308,12 +502,16 @@ main(int argc, char *argv[])
exit(1);
}
- rc = check_signature(ctxp);
+ rc = check_signature(ctxp, &nreasons, &reasons);
- close_input(ctxp);
+ if (!ctx.quiet && ctx.verbose) {
+ for (int i = 0; i < nreasons; i++)
+ print_reason(&reasons[i]);
+ }
if (!ctx.quiet)
printf("pesigcheck: \"%s\" is %s.\n", ctx.infile,
rc >= 0 ? "valid" : "invalid");
+ close_input(ctxp);
pesigcheck_context_fini(&ctx);
NSS_Shutdown();
diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
index 7b5cc89..aec415e 100644
--- a/src/pesigcheck_context.h
+++ b/src/pesigcheck_context.h
@@ -61,6 +61,7 @@ typedef struct pesigcheck_context {
Pe *inpe;
int quiet;
+ int verbose;
hashlist *hashes;
--
2.13.4

View File

@ -1,34 +0,0 @@
From a40c584691ae071e93e8adf4e5c05bcd90c68159 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Sat, 6 May 2017 22:45:34 +0200
Subject: [PATCH 21/29] Fix race condition in SEC_GetPassword
A side effect of echoOff is to discard unread input, so if we print the
prompt before echoOff, the user (or process) at the other end might
react to it by writing the password in between those steps, which is
then discarded. This bit me when trying to drive pesign with an expect
script.
Signed-off-by: Julien Cristau <jcristau@debian.org>
---
src/password.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/password.c b/src/password.c
index cd1c07e..d4eae0d 100644
--- a/src/password.c
+++ b/src/password.c
@@ -71,9 +71,9 @@ static char *SEC_GetPassword(FILE *input, FILE *output, char *prompt,
for (;;) {
/* Prompt for password */
if (isTTY) {
+ echoOff(infd);
fprintf(output, "%s", prompt);
fflush (output);
- echoOff(infd);
}
fgets ( phrase, sizeof(phrase), input);
--
2.13.4

View File

@ -1,27 +0,0 @@
From 27afa5a4ea8de1679603f5871935096280d0b12e Mon Sep 17 00:00:00 2001
From: David Michael <david.michael@coreos.com>
Date: Tue, 13 Jun 2017 13:20:16 -0700
Subject: [PATCH 22/29] sysvinit: Create the socket directory at runtime
This better supports non-systemd configurations with tmpfs on /run.
---
src/pesign.sysvinit.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index d8fffca..dc508d8 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -20,6 +20,9 @@ RETVAL=0
start(){
echo -n "Starting pesign: "
+ mkdir /var/run/pesign 2>/dev/null &&
+ chown pesign:pesign /var/run/pesign &&
+ chmod 0770 /var/run/pesign
daemon /usr/bin/pesign --daemonize
RETVAL=$?
echo
--
2.13.4

View File

@ -1,217 +0,0 @@
From 31560e2784722b986b8a73cc28e3510870180b07 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 8 Aug 2017 15:44:44 -0400
Subject: [PATCH 23/29] Better authorization scripts. Again.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/Makefile | 12 ++++++----
src/pesign-authorize | 56 +++++++++++++++++++++++++++++++++++++++++++++
src/pesign-authorize-groups | 30 ------------------------
src/pesign-authorize-users | 30 ------------------------
src/pesign.service.in | 3 +--
src/pesign.sysvinit.in | 3 +--
6 files changed, 65 insertions(+), 69 deletions(-)
create mode 100755 src/pesign-authorize
delete mode 100644 src/pesign-authorize-groups
delete mode 100644 src/pesign-authorize-users
diff --git a/src/Makefile b/src/Makefile
index 654b792..84ad130 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
SVCTARGETS=pesign.sysvinit pesign.service
-TARGETS=$(BINTARGETS) $(SVCTARGETS)
+TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
all : deps $(TARGETS)
@@ -65,6 +65,9 @@ install_sysvinit: pesign.sysvinit
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
+pesign-users pesign-groups :
+ echo pesign > $@
+
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
@@ -88,10 +91,9 @@ install :
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
- $(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/
- $(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/
+ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users
- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups
+ $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
+ $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
.PHONY: all deps clean install
diff --git a/src/pesign-authorize b/src/pesign-authorize
new file mode 100755
index 0000000..a496f60
--- /dev/null
+++ b/src/pesign-authorize
@@ -0,0 +1,56 @@
+#!/bin/bash
+set -e
+set -u
+
+#
+# With /run/pesign/socket on tmpfs, a simple way of restoring the
+# acls for specific users is useful
+#
+# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
+#
+
+# License: GPLv2
+declare -a fileusers=()
+declare -a dirusers=()
+for user in $(cat /etc/pesign/users); do
+ dirusers[${#dirusers[@]}]=-m
+ dirusers[${#dirusers[@]}]="u:$user:rwx"
+ fileusers[${#fileusers[@]}]=-m
+ fileusers[${#fileusers[@]}]="u:$user:rw"
+done
+
+declare -a filegroups=()
+declare -a dirgroups=()
+for group in $(cat /etc/pesign/groups); do
+ dirgroups[${#dirgroups[@]}]=-m
+ dirgroups[${#dirgroups[@]}]="g:$group:rwx"
+ filegroups[${#filegroups[@]}]=-m
+ filegroups[${#filegroups[@]}]="g:$group:rw"
+done
+
+update_subdir() {
+ subdir=$1 && shift
+
+ setfacl -bk "${subdir}"
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
+ for x in "${subdir}"* ; do
+ if [ -d "${x}" ]; then
+ setfacl -bk ${x}
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
+ update_subdir "${x}/"
+ elif [ -e "${x}" ]; then
+ setfacl -bk ${x}
+ setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
+ else
+ :;
+ fi
+ done
+}
+
+for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+ if [ -d "${x}" ]; then
+ update_subdir "${x}"
+ else
+ :;
+ fi
+done
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
deleted file mode 100644
index cf51fb6..0000000
--- a/src/pesign-authorize-groups
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-set -e
-
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific groups is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
-# License: GPLv2
-
-if [ -r /etc/pesign/groups ]; then
- for group in $(cat /etc/pesign/groups); do
- if [ -d /var/run/pesign ]; then
- setfacl -m g:${group}:rx /var/run/pesign
- if [ -e /var/run/pesign/socket ]; then
- setfacl -m g:${group}:rw /var/run/pesign/socket
- fi
- fi
- for x in /etc/pki/pesign*/ ; do
- if [ -d ${x} ]; then
- setfacl -m g:${group}:rx ${x}
- for y in ${x}{cert8,key3,secmod}.db ; do
- setfacl -m g:${group}:rw ${y}
- done
- fi
- done
- done
-fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
deleted file mode 100644
index 940138e..0000000
--- a/src/pesign-authorize-users
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-set -e
-
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific users is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
-# License: GPLv2
-
-if [ -r /etc/pesign/users ]; then
- for username in $(cat /etc/pesign/users); do
- if [ -d /var/run/pesign ]; then
- setfacl -m g:${username}:rx /var/run/pesign
- if [ -e /var/run/pesign/socket ]; then
- setfacl -m g:${username}:rw /var/run/pesign/socket
- fi
- fi
- for x in /etc/pki/pesign*/ ; do
- if [ -d ${x} ]; then
- setfacl -m g:${username}:rx ${x}
- for y in ${x}{cert8,key3,secmod}.db ; do
- setfacl -m g:${username}:rw ${y}
- done
- fi
- done
- done
-fi
diff --git a/src/pesign.service.in b/src/pesign.service.in
index aaa408e..c75a000 100644
--- a/src/pesign.service.in
+++ b/src/pesign.service.in
@@ -6,5 +6,4 @@ PrivateTmp=true
Type=forking
PIDFile=/var/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups
+ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index dc508d8..b0e0f84 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -27,8 +27,7 @@ start(){
RETVAL=$?
echo
touch /var/lock/subsys/pesign
- @@LIBEXECDIR@@/pesign/pesign-authorize-users
- @@LIBEXECDIR@@/pesign/pesign-authorize-groups
+ @@LIBEXECDIR@@/pesign/pesign-authorize
}
stop(){
--
2.13.4

View File

@ -1,95 +0,0 @@
From a7b0f7e1ce2de1acea9a8c286a0ff3dd9bc245cb Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 8 Aug 2017 17:28:19 -0400
Subject: [PATCH 24/29] Make the daemon also try to give better errors on
-EPERM etc.
Basically 6796e5f but also for the daemon. This also tries to fix them
up to save errno better, for more accurate reporting.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.c | 27 +++++++++++++++++++++++++--
src/pesign.c | 8 ++++++--
2 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/src/daemon.c b/src/daemon.c
index 7f694b2..942d576 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -19,6 +19,7 @@
#include <errno.h>
#include <fcntl.h>
+#include <glob.h>
#include <poll.h>
#include <pwd.h>
#include <signal.h>
@@ -1104,10 +1105,32 @@ daemonize(cms_context *cms_ctx, char *certdir, int do_fork)
"pesignd starting (pid %d)", ctx.pid);
SECStatus status = NSS_Init(certdir);
+ int error = errno;
if (status != SECSuccess) {
+ char *globpattern = NULL;
+ rc = asprintf(&globpattern, "%s/cert*.db",
+ certdir);
+ if (rc > 0) {
+ glob_t globbuf;
+ memset(&globbuf, 0, sizeof(globbuf));
+ rc = glob(globpattern, GLOB_ERR, NULL,
+ &globbuf);
+ if (rc != 0) {
+ errno = error;
+ ctx.backup_cms->log(ctx.backup_cms,
+ ctx.priority|LOG_NOTICE,
+ "Could not open NSS database (\"%s\"): %m",
+ PORT_ErrorToString(PORT_GetError()));
+ exit(1);
+ }
+ }
+ }
+ if (status != SECSuccess) {
+ errno = error;
ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_NOTICE,
- "Could not initialize nss: %s\n",
- PORT_ErrorToString(PORT_GetError()));
+ "Could not initialize nss.\n"
+ "NSS says \"%s\" errno says \"%m\"\n",
+ PORT_ErrorToString(PORT_GetError()));
exit(1);
}
diff --git a/src/pesign.c b/src/pesign.c
index 5879cfc..6ceda34 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -660,10 +660,12 @@ main(int argc, char *argv[])
if (!daemon) {
SECStatus status;
+ int error;
if (need_db) {
status = NSS_Init(certdir);
if (status != SECSuccess) {
char *globpattern = NULL;
+ error = errno;
rc = asprintf(&globpattern, "%s/cert*.db",
certdir);
if (rc > 0) {
@@ -680,8 +682,10 @@ main(int argc, char *argv[])
} else
status = NSS_NoDB_Init(NULL);
if (status != SECSuccess) {
- errx(1, "Could not initialize nss. NSS says \"%s\" errno says \"%m\"\n",
- PORT_ErrorToString(PORT_GetError()));
+ errno = error;
+ errx(1, "Could not initialize nss.\n"
+ "NSS says \"%s\" errno says \"%m\"\n",
+ PORT_ErrorToString(PORT_GetError()));
}
status = register_oids(ctxp->cms_ctx);
--
2.13.4

View File

@ -1,31 +0,0 @@
From bc1043bf2b428971e29a61a341da9a57595bada5 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 9 Aug 2017 17:40:33 -0400
Subject: [PATCH 25/29] certdb: fix PRTime printfs for i686
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index fae80af..29c9502 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -384,11 +384,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
}
if (lateNow < earlyNow)
- printf("Signature has impossible time constraint: %ld <= %ld\n",
- earlyNow / 1000000, lateNow / 1000000);
+ printf("Signature has impossible time constraint: %lld <= %lld\n",
+ earlyNow / 1000000LL, lateNow / 1000000LL);
atTime = earlyNow / 2 + lateNow / 2;
-
cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
NULL, NULL);
if (!cinfo)
--
2.13.4

View File

@ -1,41 +0,0 @@
From a44115c9b4f43a1a7219f897bd33555e653d2e20 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 10 Aug 2017 10:02:38 -0400
Subject: [PATCH 26/29] Clean up gcc command lines a little
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Make.defaults | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/Make.defaults b/Make.defaults
index 39b78f0..b6c0381 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -20,8 +20,7 @@ CROSS_COMPILE ?= $(bindir)
PKG_CONFIG = $(CROSS_COMPILE)pkg-config
CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
CCLD := $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
-CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \
- -Wall -Werror -Wextra -Wno-error=cpp
+CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments -Wno-error=cpp
AS := $(CROSS_COMPILE)as
AR := $(CROSS_COMPILE)gcc-ar
RANLIB := $(CROSS_COMPILE)gcc-ranlib
@@ -36,10 +35,10 @@ ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,)
SOFLAGS = -shared
clang_cflags =
-gcc_cflags = -Wmaybe-uninitialized
+gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches
cflags = $(CFLAGS) $(ARCH3264) \
- -Wall -Werror -Wno-cpp -Wsign-compare -Wno-unused-result \
- -Wno-unused-function\
+ -Wall -Werror -Wextra -Wsign-compare -Wno-unused-result \
+ -Wno-unused-function -Wsign-compare \
-std=gnu11 -fshort-wchar -fPIC -flto -fno-strict-aliasing \
-fno-merge-constants -fkeep-inline-functions \
-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
--
2.13.4

View File

@ -1,54 +0,0 @@
From a133d051c3f8acf3e058e92711eb528c3c0f41f9 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 10 Aug 2017 10:03:37 -0400
Subject: [PATCH 27/29] Make pesign-{users,groups} static in the repo.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/Makefile | 5 +----
src/pesign-groups | 1 +
src/pesign-users | 1 +
3 files changed, 3 insertions(+), 4 deletions(-)
create mode 100644 src/pesign-groups
create mode 100644 src/pesign-users
diff --git a/src/Makefile b/src/Makefile
index 84ad130..7d68fa1 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
SVCTARGETS=pesign.sysvinit pesign.service
-TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
+TARGETS=$(BINTARGETS) $(SVCTARGETS)
all : deps $(TARGETS)
@@ -65,9 +65,6 @@ install_sysvinit: pesign.sysvinit
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
-pesign-users pesign-groups :
- echo pesign > $@
-
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
diff --git a/src/pesign-groups b/src/pesign-groups
new file mode 100644
index 0000000..7f57cc5
--- /dev/null
+++ b/src/pesign-groups
@@ -0,0 +1 @@
+pesign
diff --git a/src/pesign-users b/src/pesign-users
new file mode 100644
index 0000000..7f57cc5
--- /dev/null
+++ b/src/pesign-users
@@ -0,0 +1 @@
+pesign
--
2.13.4

View File

@ -1,43 +0,0 @@
From 025eb8aea94761fdc45507b6192aafdef80d4842 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 9 Aug 2017 17:31:31 -0400
Subject: [PATCH 28/29] rpm: Make the client signer use the fedora values
unless overridden
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 69280e9..22a3ee6 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -9,6 +9,9 @@
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
+%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}}
+%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}}
+
%_pesign /usr/bin/pesign
%_pesign_client /usr/bin/pesign-client
@@ -41,11 +44,11 @@
--certdir ${nss} -c signer %{-o} \
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
elif [ -S /var/run/pesign/socket ]; then \
- %{_pesign_client} -t %{__pesign_token} \\\
- -c %{__pesign_cert} \\\
+ %{_pesign_client} -t %{__pesign_client_token} \\\
+ -c %{__pesign_client_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
else \
- %{_pesign} -t %{__pesign_token} -c %{__pesign_cert} \\\
+ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
--certdir ${_pesign_nssdir} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
fi \
--
2.13.4

View File

@ -1,39 +0,0 @@
From 86a6b02e4b95ab3629446e71895cc5e57ad4482f Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 14 Aug 2017 11:37:43 -0400
Subject: [PATCH 29/29] Make macros.pesign error in kojibuilder if we don't
have perms on the socket
---
src/macros.pesign | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/macros.pesign b/src/macros.pesign
index 22a3ee6..1665b4c 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -43,6 +43,21 @@
%{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
--certdir ${nss} -c signer %{-o} \
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
+ elif [ "%{vendor}" == "Fedora Project" -a \\\
+ "$(id -un)" == "mockbuild" -a \\\
+ "$(uname -m)" == "x86_64" ] && \\\
+ grep -q ID=fedora /etc/os-release && \\\
+ [[ "%{_buildhost}" =~ ^bkernel.* ]] && \\\
+ ! [ -S /var/run/pesign/socket ]; then \
+ echo "No socket even though this is %{_buildhost}" \
+ ls -ld /var/run/pesign || : \
+ getfacl /var/run/pesign || : \
+ ls -l /var/run/pesign/socket || : \
+ getfacl /var/run/pesign/socket || : \
+ echo =========== env ============== \
+ set \
+ echo =========== env ============== \
+ exit 1 \
elif [ -S /var/run/pesign/socket ]; then \
%{_pesign_client} -t %{__pesign_client_token} \\\
-c %{__pesign_client_cert} \\\
--
2.13.4

View File

@ -1,151 +0,0 @@
From cd26e9e9a7816efe2c1ce9c36d9cb14988c70dc9 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 8 Nov 2021 17:58:09 -0500
Subject: [PATCH] Replace /var/run with /run
This change is in violation of the FHS and is forced by systemd being
obnoxious and logging warnings about it as if it's some kind of problem.
This commit is a subset of the work in
02d473fbfd782863a0dcef7e44822d1e7e56a4b3,
f97d3b04a2eafb42272ede24e1353dd0a7f4347c,
5f9058677e7241cc88b4e8620654bbaa08a4bce4, and
cffa10d9b5eec9a9def3533b181a32b64fc29913 (all by pjones) because they
don't backport well.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/Makefile | 2 +-
src/daemon.h | 4 ++--
src/macros.pesign | 12 ++++++------
src/pesign-authorize | 2 +-
src/pesign.service.in | 2 +-
src/pesign.sysvinit.in | 10 +++++-----
src/tmpfiles.conf | 2 +-
7 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/src/Makefile b/src/Makefile
index 7d68fa1..a11e2b4 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -68,7 +68,7 @@ install_sysvinit: pesign.sysvinit
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
diff --git a/src/daemon.h b/src/daemon.h
index d97eab9..db42c16 100644
--- a/src/daemon.h
+++ b/src/daemon.h
@@ -49,7 +49,7 @@ typedef enum {
} pesignd_cmd;
#define PESIGND_VERSION 0x2a9edaf0
-#define SOCKPATH "/var/run/pesign/socket"
-#define PIDFILE "/var/run/pesign.pid"
+#define SOCKPATH "/run/pesign/socket"
+#define PIDFILE "/run/pesign.pid"
#endif /* DAEMON_H */
diff --git a/src/macros.pesign b/src/macros.pesign
index dfdac02..f135c29 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -48,17 +48,17 @@
"$(uname -m)" == "x86_64" ] && \\\
grep -q ID=fedora /etc/os-release && \\\
[[ "%{_buildhost}" =~ ^bkernel.* ]] && \\\
- ! [ -S /var/run/pesign/socket ]; then \
+ ! [ -S /run/pesign/socket ]; then \
echo "No socket even though this is %{_buildhost}" \
- ls -ld /var/run/pesign || : \
- getfacl /var/run/pesign || : \
- ls -l /var/run/pesign/socket || : \
- getfacl /var/run/pesign/socket || : \
+ ls -ld /run/pesign || : \
+ getfacl /run/pesign || : \
+ ls -l /run/pesign/socket || : \
+ getfacl /run/pesign/socket || : \
echo =========== env ============== \
set \
echo =========== env ============== \
exit 1 \
- elif [ -S /var/run/pesign/socket ]; then \
+ elif [ -S /run/pesign/socket ]; then \
%{_pesign_client} -t %{__pesign_client_token} \\\
-c %{__pesign_client_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
diff --git a/src/pesign-authorize b/src/pesign-authorize
index a496f60..83a30cd 100755
--- a/src/pesign-authorize
+++ b/src/pesign-authorize
@@ -47,7 +47,7 @@ update_subdir() {
done
}
-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+for x in /run/pesign/ /etc/pki/pesign*/ ; do
if [ -d "${x}" ]; then
update_subdir "${x}"
else
diff --git a/src/pesign.service.in b/src/pesign.service.in
index c75a000..4ac2199 100644
--- a/src/pesign.service.in
+++ b/src/pesign.service.in
@@ -4,6 +4,6 @@ Description=Pesign signing daemon
[Service]
PrivateTmp=true
Type=forking
-PIDFile=/var/run/pesign.pid
+PIDFile=/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index b0e0f84..bf8edec 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -4,7 +4,7 @@
#
# chkconfig: - 50 50
# processname: /usr/bin/pesign
-# pidfile: /var/run/pesign.pid
+# pidfile: /run/pesign.pid
### BEGIN INIT INFO
# Provides: pesign
# Default-Start:
@@ -20,9 +20,9 @@ RETVAL=0
start(){
echo -n "Starting pesign: "
- mkdir /var/run/pesign 2>/dev/null &&
- chown pesign:pesign /var/run/pesign &&
- chmod 0770 /var/run/pesign
+ mkdir /run/pesign 2>/dev/null &&
+ chown pesign:pesign /run/pesign &&
+ chmod 0770 /run/pesign
daemon /usr/bin/pesign --daemonize
RETVAL=$?
echo
@@ -32,7 +32,7 @@ start(){
stop(){
echo -n "Stopping pesign: "
- killproc -p /var/run/pesign.pid pesignd
+ killproc -p /run/pesign.pid pesignd
RETVAL=$?
echo
rm -f /var/lock/subsys/pesign
diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf
index c1cf355..3375ad5 100644
--- a/src/tmpfiles.conf
+++ b/src/tmpfiles.conf
@@ -1 +1 @@
-D /var/run/pesign 0770 pesign pesign -
+D /run/pesign 0770 pesign pesign -
--
2.33.0

View File

@ -1,46 +0,0 @@
From d1a7496d18dc1e230115b30fa09e4481c485a27d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 May 2019 11:28:38 -0400
Subject: [PATCH] efikeygen: Fix the build with nss 3.44
NSS 3.44 adds some certificate types, which changes a type and makes
some encoding stuff weird. As a result, we get:
gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
In file included from /usr/local/include/nss/nss/cert.h:22,
from efikeygen.c:39:
efikeygen.c: In function 'add_cert_type':
/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
(NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
^
efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
unsigned char type = NS_CERT_TYPE_APP;
^~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
This is fixed by just making it an int.
Fixes github issue #48.
Signed-off-by: Peter Jones <pjones@redhat.com>
(cherry picked from commit b535d1ac5cbcdf18a97d97a92581e38080d9e521)
---
src/efikeygen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/efikeygen.c b/src/efikeygen.c
index 9390578..089e6a7 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -206,7 +206,7 @@ static int
add_cert_type(cms_context *cms, void *extHandle, int is_ca)
{
SECItem bitStringValue;
- unsigned char type = NS_CERT_TYPE_APP;
+ int type = NS_CERT_TYPE_APP;
if (is_ca)
type |= NS_CERT_TYPE_SSL_CA |
--
2.33.0

View File

@ -1,6 +1,6 @@
--- !Policy
product_versions:
- rhel-8
- rhel-10
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.hardware-pesign.tier0.functional}
- !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.khw-gating-pesign-el10.tier1.functional}

0
noautobuild Normal file
View File

3
pesign.patches Normal file
View File

@ -0,0 +1,3 @@
Patch0001: 0001-cms_common-Fixed-Segmentation-fault.patch
Patch0002: 0002-Fix-reversed-calloc-arguments.patch
Patch0003: 0003-Add-versioned-x86_64-arches-support.patch

View File

@ -1,66 +1,55 @@
%global macrosdir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_sysconfdir}/rpm; echo $d)
# No. I have enough trouble already.
%undefine _auto_set_build_flags
Name: pesign
Summary: Signing utility for UEFI binaries
Version: 0.112
Release: 26%{?dist}
License: GPLv2
URL: https://github.com/vathpela/pesign
Version: 116
Release: 5%{?dist}.alma.1
License: GPL-2.0-only
URL: https://github.com/rhboot/pesign
Obsoletes: pesign-rh-test-certs <= 0.111-7
BuildRequires: git nspr nss nss-util popt-devel
BuildRequires: nss-tools
BuildRequires: nspr-devel >= 4.9.2-1
BuildRequires: nss-devel >= 3.13.6-1
BuildRequires: efivar-devel >= 31-1
BuildRequires: efivar-devel >= 38-1
BuildRequires: gcc
BuildRequires: git
BuildRequires: libuuid-devel
BuildRequires: tar xz
BuildRequires: python3-rpm-macros python3
BuildRequires: make
BuildRequires: mandoc
BuildRequires: nspr
BuildRequires: nspr-devel >= 4.9.2-1
BuildRequires: nss
BuildRequires: nss-devel >= 3.13.6-1
BuildRequires: nss-tools
BuildRequires: nss-util
BuildRequires: popt-devel
BuildRequires: python3
BuildRequires: python3-rpm-macros
BuildRequires: tar
BuildRequires: xz
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
BuildRequires: systemd
BuildRequires: systemd-rpm-macros
%endif
Requires: nspr nss nss-util nss-tools popt rpm
Requires: nspr
Requires: nss
Requires: nss-tools >= 3.53
Requires: nss-util
Requires: popt
Requires: rpm
Requires(pre): shadow-utils
ExclusiveArch: %{ix86} x86_64 ia64 aarch64 %{arm}
ExclusiveArch: %{ix86} x86_64 ia64 aarch64 %{arm} riscv64
%if 0%{?rhel} == 7
BuildRequires: rh-signing-tools >= 1.20-2
%endif
Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
Source0: https://github.com/rhboot/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
Source1: certs.tar.xz
Source2: pesign.py
Source3: pesign.patches
Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
Patch0002: 0002-Fix-command-line-parsing.patch
Patch0003: 0003-gcc-don-t-error-on-stuff-in-includes.patch
Patch0004: 0004-Fix-certficate-argument-name.patch
Patch0005: 0005-Fix-description-of-ascii-armor-option-in-manpage.patch
Patch0006: 0006-Make-ascii-work-since-we-documented-it.patch
Patch0007: 0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch
Patch0008: 0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch
Patch0009: 0009-pesigcheck-make-certfile-actually-work.patch
Patch0010: 0010-signerInfos-make-sure-err-is-always-initialized.patch
Patch0011: 0011-pesign-make-pesign-h-tell-you-the-file-name.patch
Patch0012: 0012-Add-coverity-build-scripts.patch
Patch0013: 0013-Document-implicit-fallthrough.patch
Patch0014: 0014-Actually-setfacl-each-directory-of-our-key-storage.patch
Patch0015: 0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch
Patch0016: 0016-efikeygen-add-modsign.patch
Patch0017: 0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch
Patch0018: 0018-show-which-db-we-re-checking.patch
Patch0019: 0019-more-about-the-time.patch
Patch0020: 0020-try-to-say-why-something-fails.patch
Patch0021: 0021-Fix-race-condition-in-SEC_GetPassword.patch
Patch0022: 0022-sysvinit-Create-the-socket-directory-at-runtime.patch
Patch0023: 0023-Better-authorization-scripts.-Again.patch
Patch0024: 0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch
Patch0025: 0025-certdb-fix-PRTime-printfs-for-i686.patch
Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch
Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch
Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
Patch0030: 0030-Replace-var-run-with-run.patch
Patch0031: 0031-efikeygen-Fix-the-build-with-nss-3.44.patch
# generate with tool
%include %{SOURCE3}
%description
This package contains the pesign utility for signing UEFI binaries as
@ -110,7 +99,7 @@ rm -vf %{buildroot}/usr/share/doc/pesign-%{version}/COPYING
cp -av libdpe/*.[ch] src/
install -d -m 0755 %{buildroot}%{python3_sitelib}/mockbuild/plugins/
install -m 0755 -p %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
install -m 0755 %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
%pre
getent group pesign >/dev/null || groupadd -r pesign
@ -123,38 +112,46 @@ exit 0
%post
%systemd_post pesign.service
#%%posttrans
#%%{_libexecdir}/pesign/pesign-authorize
%preun
%systemd_preun pesign.service
%postun
%systemd_postun_with_restart pesign.service
%posttrans
certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
# this is disabled currently because it breaks the fedora kernel build root
# generation - because we don't currently have a good way of populating
# /etc/pesign/{users,groups} before the buildroot is installed, or
# populating them and re-running pesign-authorize afterwards but before the
# package build of e.g. kernel
#%%{_libexecdir}/pesign/pesign-authorize
%endif
%files
%{!?_licensedir:%global license %%doc}
%license COPYING
%doc README TODO
%doc README.md TODO
%{_bindir}/authvar
%{_bindir}/efikeygen
%{_bindir}/efisiglist
%{_bindir}/pesigcheck
%{_bindir}/pesign
%{_bindir}/pesign-client
%{_bindir}/pesum
%dir %{_libexecdir}/pesign/
%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign/
%config(noreplace) %attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/
%config(noreplace) %attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/*
%{_libexecdir}/pesign/pesign-authorize
%{_libexecdir}/pesign/pesign-rpmbuild-helper
%config(noreplace)/%{_sysconfdir}/pesign/users
%config(noreplace)/%{_sysconfdir}/pesign/groups
%{_sysconfdir}/popt.d/pesign.popt
%{macrosdir}/macros.pesign
%{_mandir}/man*/*
%dir %attr(0770, pesign, pesign) /%{_rundir}/%{name}
%dir %attr(0770, pesign, pesign) %{_rundir}/%{name}
%ghost %attr(0660, -, -) %{_rundir}/%{name}/socket
%ghost %attr(0660, -, -) %{_rundir}/%{name}/pesign.pid
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
@ -165,21 +162,158 @@ exit 0
%{python3_sitelib}/mockbuild/plugins/pesign.*
%changelog
* Mon Nov 08 2021 Robbie Harwood <rharwood@redhat.com> - 0.112-26
- Perform the /var/run to /run "migration" stupidity
- Resolves: rhbz#1801976
* Thu Aug 08 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 116-5.alma.1
- Add versioned x86_64 arches support
* Mon Oct 01 2018 Peter Jones <pjones@redhat.com> - 0.112-25
- Preserve .py timestamp during install so .pyc/.pyo files have the same
timestamp on all arches, preventing rpmdiff from complaining.
Related: rhbz#1625388
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com>
- Bump release for June 2024 mass rebuild
* Fri Sep 28 2018 Peter Jones <pjones@redhat.com> - 0.112-24
- Require nss-tools at runtime so the rpm signing macros will have it
Resolves: rhbz#1625388
* Tue Mar 05 2024 Liu Yang <Yang.Liu.sn@gmail.com> - 116-4
- Add riscv64.
* Wed Aug 01 2018 Charalampos Stratakis <cstratak@redhat.com> - 0.112-23
- Rebuild for platform-python
* Fri Feb 02 2024 Peter Jones <pjones@redhat.com> - 116-3
- Fix incorrect calloc() invocations caught by -Wcalloc-transposed-args
* Mon Feb 20 2023 Nicolas Frayer <nfrayer@redhat.com> - 116-2
- cms_common: Fixed Segmentation fault
* Tue Jan 31 2023 Robbie Harwood <rharwood@redhat.com> - 116-1
- New upstream release (116)
- Resolves: CVE-2022-3560
* Wed Aug 31 2022 Robbie Harwood <rharwood@redhat.com> - 115-9
- Roll up to pjones's smartcard/cms fixes
* Tue Aug 02 2022 Robbie Harwood <rharwood@redhat.com> - 115-8
- Rebuild for python bytecode change
- See-also: #2107826
* Thu Jul 07 2022 Robbie Harwood <rharwood@redhat.com> - 115-6
- Fix formatting of man pages
- Resolves: #2104778
* Mon Apr 04 2022 Robbie Harwood <rharwood@redhat.com> - 115-5
- Detect presence of rpm-sign when checking for rhel-ness
* Fri Apr 01 2022 Robbie Harwood <rharwood@redhat.com> - 115-4
- Correctly handle rhel and centos macros
* Fri Mar 25 2022 Robbie Harwood <rharwood@redhat.com> - 115-3
- Add -D_GLIBCXX_ASSERTIONS to CPPFLAGS
* Thu Mar 24 2022 Robbie Harwood <rharwood@redhat.com> - 115-2
- Add support for non-koji signing in macros
- Resolves: #1880858
* Tue Mar 08 2022 Robbie Harwood <rharwood@redhat.com> - 115-1
- New upstream version (115)
* Mon Feb 14 2022 Robbie Harwood <rharwood@redhat.com> - 114-4
- Disable -fanalyzer since it's broken and pragmas don't work
- See-also: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104370
* Mon Feb 14 2022 Robbie Harwood <rharwood@redhat.com> - 114-3
- Fix explicit NULL deref when daemonizing
* Wed Feb 02 2022 Robbie Harwood <rharwood@redhat.com> - 114-2
- Attempt to fix signing parsing by dropping pesign_args
* Tue Feb 01 2022 Robbie Harwood <rharwood@redhat.com> - 114-1
- New upstream version (114)
* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 113-18
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 113-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 113-16
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 113-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Nov 16 2020 Jeff Law <law@redhat.com> - 113-14
- Turn off -Wfree-nonheap-object
* Mon Aug 03 2020 Peter Jones <pjones@redhat.com> - 113-13
- Add the rundir related stuff that was staged on my f32 checkout.
* Mon Aug 03 2020 Peter Jones <pjones@redhat.com> - 113-12
- Try to make kernel and fwupd both work at the same time.
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 113-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu Jul 16 2020 Peter Jones <pjones@redhat.com> - 113-10
- I really cannot figure out why bkernel01 thinks the certificate nickname
starts with /CN=, but it does, so I'm gonna stop fighting with the sand.
* Thu Jul 16 2020 Peter Jones <pjones@redhat.com> - 113-9
- Even more kernel build debugging...
* Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-8
- More kernel build debugging...
* Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-6
- Disable the pesign-authorize call in posttrans, until we can figure out a
better way to deal with that in the fedora kernel builder chroot setup
* Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-5
- Make pesign require nss-tools for the posttrans scriptlet
- Move most of macros.pesign to /usr/libexec/pesign/pesign-rpmbuild-helper
* Mon Jul 06 2020 Peter Jones <pjones@redhat.com> - 113-4
- Attempt to fix kernel signing failures caused by -3...
* Fri Jun 12 2020 Peter Jones <pjones@redhat.com> - 113-3
- Fix the signer name for fedora and some other minor nits
Related: rhbz#1708773
Related: rhbz#1678146
* Thu Jun 11 2020 Peter Jones <pjones@redhat.com> - 113-2
- Fix a signing protocol bug we introduced in 113 that makes the fedora
kernel builders fail.
Related: rhbz#1708773
* Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 113-1
- Update to 113 release
Resolves: rhbz#1708773
* Mon Jun 08 2020 Javier Martinez Canillas <javierm@redhat.com> - 0.112-31
- Switch default NSS database to SQLite format (pjones)
Resolves: rhbz#1827902
* Mon Feb 24 2020 Peter Jones <pjones@redhat.com> - 0.112-30
- Make sure the patch for -29 is actually in the build in f32, and
synchronize with master.
* Tue Feb 18 2020 Peter Jones <pjones@redhat.com> - 0.112-29
- Rebuild to match OpenSC's token name mangling change.
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-28
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Nov 12 2019 Peter Jones <pjones@redhat.com> - 0.112-27
- Rebuild to fix an NSS API issue.
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-26
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Mar 6 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.112-25
- Fix build (#1675653)
- Add missing closing quote in macro (#1651020)
- Update obsolete /var/run/ path (#1678146)
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-25
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-24
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-23
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Mon Jan 22 2018 Peter Robinson <pbrobinson@fedoraproject.org> 0.112-22
- Minor spec cleanups, fix arm conditional

View File

@ -1,2 +1,2 @@
SHA512 (certs.tar.xz) = 5df34f507a365ef87320776c99cbfad76365693901c71eaf64fec008afb9acfd7b615da5906b92a070c864e74f44934395c3f474ce5b33844cfa3df49a8ad188
SHA512 (pesign-0.112.tar.bz2) = 96bff27ce5059f1ea299c21ac88998a0c17851b8b06ba2f3e286de5cd4d73651b670ac00ca035481faf9c963338527c89120c63ec891a95ce9ecb9130fbc5e5c
SHA512 (certs.tar.xz) = ddac535c786d1a23074534323c4ce89f907d4f82b19c5d3a9c814b145fbac1599cd2386cf20c28d22aee7d5c4db441f052bab9ee655de756117a0a0bc99b525f
SHA512 (pesign-116.tar.bz2) = be3e1083f5e9f889cb8f7c50a8ebe723542fb2f6d1de8de9b04a9f21526ebaa8ab1efc7d4be11bcb0bc9862fa4bc6f78ee35e4d3496dd3b8927170b97795d25c