import pesign-0.112-27.el8_7

c8 imports/c8/pesign-0.112-27.el8_7
CentOS Sources 2 years ago committed by MSVSphere Packaging Team
commit 206ac56ac1

.gitignore vendored

@ -0,0 +1,2 @@
SOURCES/certs.tar.xz
SOURCES/pesign-0.112.tar.bz2

@ -0,0 +1,2 @@
53d9b43ef6eadb4512ce9738b5a6efbb40477983 SOURCES/certs.tar.xz
7cba5cfddabc425d0a927edfdd6865cc92f00c7b SOURCES/pesign-0.112.tar.bz2

@ -0,0 +1,69 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 21 Apr 2016 10:47:34 -0400
Subject: [PATCH] cms: kill generate_integer(), it doesn't build on i686 and
it's unused.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/cms_common.c | 34 ----------------------------------
src/cms_common.h | 1 -
2 files changed, 35 deletions(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index b19bc62..6a4e6a7 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -641,40 +641,6 @@ generate_string(cms_context *cms, SECItem *der, char *str)
return 0;
}
-static SEC_ASN1Template IntegerTemplate[] = {
- {.kind = SEC_ASN1_INTEGER,
- .offset = 0,
- .sub = NULL,
- .size = sizeof(long),
- },
- { 0 },
-};
-
-int
-generate_integer(cms_context *cms, SECItem *der, unsigned long integer)
-{
- void *ret;
-
- uint32_t u32;
-
- SECItem input = {
- .data = (void *)&integer,
- .len = sizeof(integer),
- .type = siUnsignedInteger,
- };
-
- if (integer < 0x100000000) {
- u32 = integer & 0xffffffffUL;
- input.data = (void *)&u32;
- input.len = sizeof(u32);
- }
-
- ret = SEC_ASN1EncodeItem(cms->arena, der, &input, IntegerTemplate);
- if (ret == NULL)
- cmsreterr(-1, cms, "could not encode data");
- return 0;
-}
-
int
generate_time(cms_context *cms, SECItem *encoded, time_t when)
{
diff --git a/src/cms_common.h b/src/cms_common.h
index 7d77faf..c7d7268 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -117,7 +117,6 @@ extern int generate_object_id(cms_context *ctx, SECItem *encoded,
SECOidTag tag);
extern int generate_empty_sequence(cms_context *ctx, SECItem *encoded);
extern int generate_time(cms_context *ctx, SECItem *encoded, time_t when);
-extern int generate_integer(cms_context *cms, SECItem *der, unsigned long integer);
extern int generate_string(cms_context *cms, SECItem *der, char *str);
extern int wrap_in_set(cms_context *cms, SECItem *der, SECItem **items);
extern int wrap_in_seq(cms_context *cms, SECItem *der,

@ -0,0 +1,70 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Thu, 9 Jun 2016 14:30:37 +0200
Subject: [PATCH] Fix command line parsing
The gettext translation domain should be passed as .arg, not .descrip,
otherwise popt won't process any of the command line options (it stops
looping over the struct poptOption array when an entry has unset
longName, shortName and arg).
Signed-off-by: Julien Cristau <jcristau@debian.org>
---
src/client.c | 2 +-
src/efikeygen.c | 2 +-
src/efisiglist.c | 2 +-
src/pesigcheck.c | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/client.c b/src/client.c
index 028419f..575c873 100644
--- a/src/client.c
+++ b/src/client.c
@@ -555,7 +555,7 @@ main(int argc, char *argv[])
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
{.longName = "token",
.shortName = 't',
.argInfo = POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
diff --git a/src/efikeygen.c b/src/efikeygen.c
index 6278849..8a515a5 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -486,7 +486,7 @@ int main(int argc, char *argv[])
poptContext optCon;
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
/* global nss-ish things */
{.longName = "dbdir",
.shortName = 'd',
diff --git a/src/efisiglist.c b/src/efisiglist.c
index cd3f1ae..40d6a93 100644
--- a/src/efisiglist.c
+++ b/src/efisiglist.c
@@ -126,7 +126,7 @@ main(int argc, char *argv[])
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
{.longName = "infile",
.shortName = 'i',
.argInfo = POPT_ARG_STRING,
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 1328fe9..0d49c1a 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -214,7 +214,7 @@ main(int argc, char *argv[])
poptContext optCon;
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
{.longName = "dbfile",
.shortName = 'D',
.argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,

@ -0,0 +1,23 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 10 Aug 2016 17:12:39 -0400
Subject: [PATCH] gcc: don't error on stuff in includes.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Make.defaults | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Make.defaults b/Make.defaults
index c97b452..3511080 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -19,7 +19,7 @@ PKG_CONFIG = $(CROSS_COMPILE)pkg-config
CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
CCLD := $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \
- -Wall -Werror -Wextra
+ -Wall -Werror -Wextra -Wno-error=cpp
AS := $(CROSS_COMPILE)as
AR := $(CROSS_COMPILE)gcc-ar
RANLIB := $(CROSS_COMPILE)gcc-ranlib
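Review bot: `-Wno-error=cpp` on the new CFLAGS line turns every `#warning` in the build back into a non-fatal diagnostic, which also silences warnings that deserve to fail the build, such as glibc's `_FORTIFY_SOURCE requires compiling with optimization` that fires when the default `-O0` here is combined with fortification flags. If that is the warning being masked, building with `-O2` (or letting the packaging CFLAGS win, which `?=` already allows) fixes the cause rather than the symptom. If it is a different `#warning`, naming it next to the flag, e.g. `# -Wno-error=cpp: <header> emits #warning under -O0`, keeps the exception from silently widening over time.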

@ -0,0 +1,36 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 18 Apr 2017 19:00:34 -0400
Subject: [PATCH] Fix "certficate" argument name.
This fixes our typoed argument name by making the incorrectly spelled
version be a popt alias, and fixing the real implementation to be
spelled right in pesign.c .
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.c | 2 +-
src/pesign.popt | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/pesign.c b/src/pesign.c
index af374b6..279a17a 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -438,7 +438,7 @@ main(int argc, char *argv[])
.arg = &ctxp->outfile,
.descrip = "specify output file",
.argDescrip = "<outfile>" },
- {.longName = "certficate",
+ {.longName = "certificate",
.shortName = 'c',
.argInfo = POPT_ARG_STRING,
.arg = &certname,
diff --git a/src/pesign.popt b/src/pesign.popt
index 7b3385d..5a97748 100644
--- a/src/pesign.popt
+++ b/src/pesign.popt
@@ -1,2 +1,3 @@
pesign alias --cert --certificate
+pesign alias --certficate --certificate
pesign alias --daemon --daemonize

@ -0,0 +1,23 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Mon, 27 Jun 2016 15:38:38 +0200
Subject: [PATCH] Fix description of --ascii-armor option in manpage
The --ascii option does not exist.
---
src/pesign.1 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pesign.1 b/src/pesign.1
index 47d1aec..29ae060 100644
--- a/src/pesign.1
+++ b/src/pesign.1
@@ -81,7 +81,7 @@ Export the public key specified by \-\-certificate to \fIoutkey\fR
Export the certificate specified by \-\-certificate to \fIoutcert\fR
.TP
-\fB-\-ascii\fR
+\fB-\-ascii\-armor\fR
Use ascii armoring on exported certificates.
.TP

@ -0,0 +1,19 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 18 Apr 2017 19:05:40 -0400
Subject: [PATCH] Make --ascii work, since we documented it.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.popt | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/pesign.popt b/src/pesign.popt
index 5a97748..5ae0c5c 100644
--- a/src/pesign.popt
+++ b/src/pesign.popt
@@ -1,3 +1,4 @@
pesign alias --cert --certificate
pesign alias --certficate --certificate
pesign alias --daemon --daemonize
+pesign alias --ascii --ascii-armor

@ -0,0 +1,29 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Pat Riehecky <riehecky@fnal.gov>
Date: Mon, 7 Nov 2016 11:37:08 -0600
Subject: [PATCH] Switch pesign client to also accept token/cert macros rather
than use hard coded values
---
src/macros.pesign | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 18e5b5e..69280e9 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -41,11 +41,11 @@
--certdir ${nss} -c signer %{-o} \
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
elif [ -S /var/run/pesign/socket ]; then \
- %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
- -c "/CN=Fedora Secure Boot Signer" \\\
+ %{_pesign_client} -t %{__pesign_token} \\\
+ -c %{__pesign_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
else \
- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
+ %{_pesign} -t %{__pesign_token} -c %{__pesign_cert} \\\
--certdir ${_pesign_nssdir} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
fi \
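Review bot: The new `-t %{__pesign_token}` and `-c %{__pesign_cert}` arguments on the `%{_pesign_client}` and `%{_pesign}` lines are expanded unquoted, whereas the literal values they replace (`"OpenSC Card (Fedora Signer)"`, `"/CN=Fedora Secure Boot Signer"`) contain spaces and were quoted. Unless the macros are defined with embedded quotes (their definitions are not in this hunk), the shell splits the token name into several words and the wrong token or certificate nickname is selected, or the invocation fails on an unexpected argument. The removed `%{_pesign} %{__pesign_token}` form suggests the macro once carried its own `-t`, so its definition presumably changed alongside this patch; quoting at the use site, `-t "%{__pesign_token}" -c "%{__pesign_cert}"`, is robust either way.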

@ -0,0 +1,22 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: David Michael <david.michael@coreos.com>
Date: Thu, 16 Feb 2017 15:08:30 -0800
Subject: [PATCH] pesigcheck: Verify with the cert as an object signer
---
src/certdb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/certdb.c b/src/certdb.c
index 2a08042..b7c99bb 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -339,7 +339,7 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
}
/* Verify the signature */
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
- certUsageSSLServer,
+ certUsageObjectSigner,
digest, HASH_AlgSHA256,
PR_FALSE, atTime);
if (!result) {
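Review bot: The digest type on the line below the changed one stays hard-coded to `HASH_AlgSHA256`, so the switch to `certUsageObjectSigner` still verifies the detached signature only against a SHA-256 PE digest regardless of the digest algorithm the signature's SignerInfo declares. If `generate_digest()` can select other algorithms, the selected digest's `HASH_HashType` should be passed here instead, otherwise an image signed with another digest is reported as a bad signature rather than verified. The usage change itself is the right one, since Authenticode signers are object-signing certificates and `certUsageSSLServer` would have demanded a TLS server EKU and trust; `check_cert` starts and ends outside this hunk.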

@ -0,0 +1,44 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 24 Apr 2017 15:18:10 -0400
Subject: [PATCH] pesigcheck: make --certfile actually work
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesigcheck.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 0d49c1a..d7be542 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -130,7 +130,7 @@ check_signature(pesigcheck_context *ctx)
cert_iter iter;
generate_digest(ctx->cms_ctx, ctx->inpe, 1);
-
+
if (check_db_hash(DBX, ctx) == FOUND)
return -1;
@@ -225,6 +225,11 @@ main(int argc, char *argv[])
.argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
.arg = (void *)callback,
.descrip = (void *)ctxp },
+ {.longName = "certfile",
+ .shortName = 'c',
+ .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
+ .arg = (void *)callback,
+ .descrip = (void *)ctxp },
{.longName = "in",
.shortName = 'i',
.argInfo = POPT_ARG_STRING,
@@ -258,7 +263,7 @@ main(int argc, char *argv[])
.shortName = 'c',
.argInfo = POPT_ARG_STRING,
.arg = &certfile,
- .descrip = "the certificate (in DER form) for verification ",
+ .descrip = "import certfile (in DER encoding) for allowed certificate",
.argDescrip = "<certfile>" },
POPT_AUTOALIAS
POPT_AUTOHELP
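Review bot: The added `certfile`/`-c` entry and the existing `certfile`/`-c` entry at the bottom of the table now read as a duplicated option, and nothing in the code says why both are needed. popt treats a `POPT_ARG_CALLBACK` entry as a callback registration for the options that follow it rather than as a matchable option (its longName and shortName are not consulted), which is presumably why this makes `--certfile` reach `callback` at all; a comment on the new entry, `/* POPT_ARG_CALLBACK: name is ignored; registers callback for the --certfile entry below */`, would stop the next reader from deleting it as a duplicate. The whitespace-only change at the top of the patch could be dropped. `main` starts and ends outside the hunk.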

@ -0,0 +1,24 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:15:07 -0400
Subject: [PATCH] signerInfos: make sure err is always initialized
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/signed_data.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/signed_data.c b/src/signed_data.c
index 721db90..9e0af23 100644
--- a/src/signed_data.c
+++ b/src/signed_data.c
@@ -132,7 +132,8 @@ int
generate_signerInfo_list(cms_context *cms, SpcSignerInfo ***signerInfo_list_p, SignerInfoType type)
{
SpcSignerInfo **signerInfo_list;
- int err, rc;
+ int err = 0;
+ int rc;
if (!signerInfo_list_p)
return -1;

@ -0,0 +1,23 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:23:36 -0400
Subject: [PATCH] pesign: make "pesign -h" tell you the file name.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pesign.c b/src/pesign.c
index 279a17a..5879cfc 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -387,7 +387,7 @@ print_digest(pesign_context *pctx)
if (!ctx)
return;
- printf("hash: ");
+ printf("%s ", pctx->infile);
int j = ctx->selected_digest;
for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
printf("%02x",

@ -0,0 +1,101 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 10 May 2017 10:49:57 -0400
Subject: [PATCH] Add coverity build scripts
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Make.coverity | 37 +++++++++++++++++++++++++++++++++++++
Make.defaults | 2 ++
Make.rules | 4 ++++
Makefile | 1 +
.gitignore | 1 +
5 files changed, 45 insertions(+)
create mode 100644 Make.coverity
diff --git a/Make.coverity b/Make.coverity
new file mode 100644
index 0000000..b80b091
--- /dev/null
+++ b/Make.coverity
@@ -0,0 +1,37 @@
+include $(TOPDIR)/Make.version
+include $(TOPDIR)/Make.rules
+include $(TOPDIR)/Make.defaults
+
+COV_EMAIL=$(call get-config,coverity.email)
+COV_TOKEN=$(call get-config,coverity.token)
+COV_URL=$(call get-config,coverity.url)
+COV_FILE=$(NAME)-coverity-$(VERSION)-$(COMMIT_ID).tar.bz2
+
+cov-int : clean
+ cov-build --dir cov-int make all
+
+cov-clean :
+ @rm -vf $(NAME)-coverity-*.tar.*
+ @if [[ -d cov-int ]]; then rm -rf cov-int && echo "removed 'cov-int'"; fi
+
+cov-file : | $(COV_FILE)
+
+$(COV_FILE) : cov-int
+ tar caf $@ cov-int
+
+cov-upload :
+ @if [[ -n "$(COV_URL)" ]] && \
+ [[ -n "$(COV_TOKEN)" ]] && \
+ [[ -n "$(COV_EMAIL)" ]] ; \
+ then \
+ echo curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \
+ curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \
+ else \
+ echo Coverity output is in $(COV_FILE) ; \
+ fi
+
+coverity : cov-file cov-upload
+
+clean : | cov-clean
+
+.PHONY : coverity cov-upload cov-clean cov-file
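Review bot: The `echo curl ...` line in `cov-upload` prints `$(COV_TOKEN)` — the Coverity submission credential read from git config — to stdout, so it ends up in every build or CI log that captures the make output. Drop the echo, or mask the secret: `echo curl --form token=REDACTED --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)"`. The token is also passed unquoted in the real `curl` invocation; `token="$(COV_TOKEN)"` avoids word-splitting if it ever contains shell metacharacters. The `[[ ... ]]` tests assume bash, while make runs recipes with `/bin/sh` by default; either set `SHELL := /bin/bash` at the top of the file or use POSIX `[ -n ... ]`.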
diff --git a/Make.defaults b/Make.defaults
index 3511080..39b78f0 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -1,3 +1,5 @@
+NAME = pesign
+COMMIT_ID ?= $(shell git log -1 --pretty=%H 2>/dev/null || echo master)
prefix ?= /usr/
prefix := $(abspath $(prefix))/
libdir ?= $(prefix)lib64/
diff --git a/Make.rules b/Make.rules
index af5ecfe..5e3c83d 100644
--- a/Make.rules
+++ b/Make.rules
@@ -79,3 +79,7 @@ endef
$(TOPDIR)/libdpe/%.a $(TOPDIR)/libdpe/% :
$(MAKE) -C $(TOPDIR)/libdpe $(notdir $@)
+
+define get-config =
+$(shell git config --local --get "$(NAME).$(1)")
+endef
diff --git a/Makefile b/Makefile
index db8eb7e..ca1a359 100644
--- a/Makefile
+++ b/Makefile
@@ -4,6 +4,7 @@ TOPDIR = $(realpath .)
include $(TOPDIR)/Make.version
include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.defaults
+include $(TOPDIR)/Make.coverity
SUBDIRS := include libdpe src
diff --git a/.gitignore b/.gitignore
index 1635ba2..847e172 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@
*.tar.*
*.rpm
core.*
+cov-int

@ -0,0 +1,22 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Sat, 8 Jul 2017 16:31:18 -0400
Subject: [PATCH] Document implicit fallthrough.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/authvar.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/authvar.c b/src/authvar.c
index ad659ca..03e0c47 100644
--- a/src/authvar.c
+++ b/src/authvar.c
@@ -511,6 +511,7 @@ main(int argc, char *argv[])
case IMPORT|SET:
case IMPORT|SIGN|SET:
fprintf(stderr, "authvar: not implemented\n");
+ /* fallthrough. */
case IMPORT|SIGN|EXPORT:
default:
fprintf(stderr, "authvar: invalid flags: ");

@ -0,0 +1,47 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 16 May 2016 15:25:53 -0400
Subject: [PATCH] Actually setfacl /each/ directory of our key storage.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize-groups | 6 +++---
src/pesign-authorize-users | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index a4f895e..cf51fb6 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -18,10 +18,10 @@ if [ -r /etc/pesign/groups ]; then
setfacl -m g:${group}:rw /var/run/pesign/socket
fi
fi
- for x in /etc/pki/pesign* ; do
+ for x in /etc/pki/pesign*/ ; do
if [ -d ${x} ]; then
- setfacl -m g:${group}:rx /etc/pki/pesign
- for y in ${x}/{cert8,key3,secmod}.db ; do
+ setfacl -m g:${group}:rx ${x}
+ for y in ${x}{cert8,key3,secmod}.db ; do
setfacl -m g:${group}:rw ${y}
done
fi
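Review bot: The database files ACLed on the `for y in ${x}{cert8,key3,secmod}.db` line are only the legacy DBM-format names; an NSS directory in the sql format (`cert9.db`, `key4.db`, `pkcs11.txt`) gets the directory `rx` but no file ACLs, so group members can enter the directory and then fail to open the key database. Covering both layouts and skipping absent files, `for y in ${x}{cert8,key3,secmod}.db ${x}{cert9,key4}.db ${x}pkcs11.txt; do [ -e "${y}" ] && setfacl -m g:${group}:rw "${y}"; done`, avoids a silent mismatch with however the directory was created. `${x}` and `${group}` are unquoted throughout; names under `/etc/pki/pesign*` are unlikely to contain whitespace, but quoting costs nothing. The enclosing loop over groups starts outside the hunk.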
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index 8b9a885..940138e 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -18,10 +18,10 @@ if [ -r /etc/pesign/users ]; then
setfacl -m g:${username}:rw /var/run/pesign/socket
fi
fi
- for x in /etc/pki/pesign* ; do
+ for x in /etc/pki/pesign*/ ; do
if [ -d ${x} ]; then
- setfacl -m g:${username}:rx /etc/pki/pesign
- for y in ${x}/{cert8,key3,secmod}.db ; do
+ setfacl -m g:${username}:rx ${x}
+ for y in ${x}{cert8,key3,secmod}.db ; do
setfacl -m g:${username}:rw ${y}
done
fi
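Review bot: The new `setfacl -m g:${username}:rx ${x}` line, like the surrounding `g:${username}:rw` calls this script already makes, grants a *group* ACL keyed by a user name rather than a user ACL. On systems with user-private groups this happens to work because a same-named group exists, but it then authorizes every member of that group instead of the user listed in `/etc/pesign/users`, and it fails outright where no such group exists; the users script should use `u:${username}` in all three setfacl calls. The enclosing `if`/loop over users starts outside the hunk.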

@ -0,0 +1,56 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 22 Aug 2016 13:31:38 -0400
Subject: [PATCH] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array
indices.
That was all kinds of wrong.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/oid.c | 10 +++++++---
src/oid.h | 1 +
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/oid.c b/src/oid.c
index 9d8154f..7037e1e 100644
--- a/src/oid.c
+++ b/src/oid.c
@@ -33,6 +33,7 @@ static uint8_t oiddata[] = {
0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0f,
0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x15,
0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01,
+ 0x2b, 0x06, 0x01, 0x04, 0x01, 0x92, 0x08, 0x10, 0x01, 0x02,
};
#define OID(num, desc_s, oidtype, length, value) \
@@ -53,11 +54,14 @@ static struct {
OID(SPC_STATEMENT_TYPE_OBJID, "Statement Type", siDEROID, 10,
&oiddata[10]),
OID(SPC_PE_IMAGE_DATA_OBJID, "PE Image Data", siDEROID, 10,
- &oiddata[30]),
+ &oiddata[20]),
OID(SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, "Individual Key", siDEROID,
- 10, &oiddata[40]),
+ 10, &oiddata[30]),
OID(szOID_CERTSRV_CA_VERSION, "Certification server CA version",
- siAsciiString, 9, &oiddata[50]),
+ siAsciiString, 9, &oiddata[40]),
+ OID(SHIM_EKU_MODULE_SIGNING_ONLY,
+ "Certificate is used for kernel modules only", siDEROID, 10,
+ &oiddata[49]),
{ .oid = END_OID_LIST }
};
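Review bot: The table still addresses `oiddata` by hand-maintained byte offsets (`&oiddata[20]`, `[30]`, `[40]`, `[49]`), which is exactly what went wrong before this fix and will go wrong again the next time an OID is appended — the new entry already needs the irregular `49` because the preceding OID is 9 bytes long. Keeping one array per OID and letting the table take `sizeof` makes the compiler compute both length and address. The offsets and the new `2b 06 01 04 01 92 08 10 01 02` encoding of 1.3.6.1.4.1.2312.16.1.2 are consistent with the visible byte rows, so this is a robustness point rather than a defect in the patched values.
```c
static uint8_t oid_shim_modsign[] = {
	0x2b, 0x06, 0x01, 0x04, 0x01, 0x92, 0x08, 0x10, 0x01, 0x02,
};
/* … one array per OID, replacing the single oiddata[] … */
	OID(SHIM_EKU_MODULE_SIGNING_ONLY,
	    "Certificate is used for kernel modules only", siDEROID,
	    sizeof(oid_shim_modsign), oid_shim_modsign),
```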
diff --git a/src/oid.h b/src/oid.h
index 599f49d..0e00781 100644
--- a/src/oid.h
+++ b/src/oid.h
@@ -25,6 +25,7 @@ typedef enum {
SPC_PE_IMAGE_DATA_OBJID, /* 1.3.6.1.4.1.311.2.1.15 */
SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, /* 1.3.6.1.4.1.311.2.1.21 */
szOID_CERTSRV_CA_VERSION, /* 1.3.6.1.4.1.311.21.1 */
+ SHIM_EKU_MODULE_SIGNING_ONLY, /* 1.3.6.1.4.1.2312.16.1.2 */
END_OID_LIST
} ms_oid_t;

@ -0,0 +1,195 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 22 Aug 2016 13:43:56 -0400
Subject: [PATCH] efikeygen: add --modsign
---
src/cms_common.c | 29 +++++++++++++++++++++++++++
src/efikeygen.c | 61 ++++++++++++++++++++++++++++++++++++++++++++------------
src/cms_common.h | 1 +
3 files changed, 78 insertions(+), 13 deletions(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index 6a4e6a7..2df2cfe 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -715,6 +715,35 @@ make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
return 0;
}
+static SEC_ASN1Template EKUOidSequence[] = {
+ {
+ .kind = SEC_ASN1_OBJECT_ID,
+ .offset = 0,
+ .sub = &SEC_AnyTemplate,
+ .size = sizeof (SECItem),
+ },
+ { 0 }
+};
+
+int
+make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag)
+{
+ void *rv;
+ SECOidData *oid_data;
+
+ oid_data = SECOID_FindOIDByTag(oid_tag);
+ if (!oid_data)
+ cmsreterr(-1, cms, "could not encode eku oid data");
+
+ rv = SEC_ASN1EncodeItem(cms->arena, encoded, &oid_data->oid,
+ EKUOidSequence);
+ if (rv == NULL)
+ cmsreterr(-1, cms, "could not encode eku oid data");
+
+ encoded->type = siBuffer;
+ return 0;
+}
+
int
generate_octet_string(cms_context *cms, SECItem *encoded, SECItem *original)
{
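Review bot: Both failure paths in `make_eku_oid` report the same string, `could not encode eku oid data`, so a caller cannot tell an unknown `oid_tag` (the `SECOID_FindOIDByTag` lookup returning NULL) from an encoder failure; `cmsreterr(-1, cms, "could not find eku oid");` on the first path makes the efikeygen error actionable. The `.sub = &SEC_AnyTemplate` in `EKUOidSequence` also looks out of place for a plain `SEC_ASN1_OBJECT_ID` kind, where the encoder does not descend into a sub-template — worth confirming and dropping if unused, since it suggests an ANY wrapper that is not there. A one-line comment that the function DER-encodes a single OID for inclusion in an EKU SEQUENCE would document the contract callers rely on.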
diff --git a/src/efikeygen.c b/src/efikeygen.c
index 8a515a5..9390578 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -49,6 +49,7 @@
#include <libdpe/libdpe.h>
#include "cms_common.h"
+#include "oid.h"
#include "util.h"
typedef struct {
@@ -249,20 +250,34 @@ add_basic_constraints(cms_context *cms, void *extHandle)
}
static int
-add_extended_key_usage(cms_context *cms, void *extHandle)
+add_extended_key_usage(cms_context *cms, int modsign_only, void *extHandle)
{
- SECItem value = {
- .data = (unsigned char *)"\x30\x0a\x06\x08\x2b\x06\x01"
- "\x05\x05\x07\x03\x03",
- .len = 12,
- .type = siBuffer
- };
-
-
+ SECItem values[2];
+ SECItem wrapped = { 0 };
SECStatus status;
+ SECOidTag tag;
+ int rc;
+
+ if (modsign_only < 1 || modsign_only > 2)
+ cmsreterr(-1, cms, "could not encode extended key usage");
+
+ rc = make_eku_oid(cms, &values[0], SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
+ if (rc < 0)
+ cmsreterr(-1, cms, "could not encode extended key usage");
+
+ tag = find_ms_oid_tag(SHIM_EKU_MODULE_SIGNING_ONLY);
+ printf("tag: %d\n", tag);
+ rc = make_eku_oid(cms, &values[1], tag);
+ if (rc < 0)
+ cmsreterr(-1, cms, "could not encode extended key usage");
+
+ rc = wrap_in_seq(cms, &wrapped, values, modsign_only);
+ if (rc < 0)
+ cmsreterr(-1, cms, "could not encode extended key usage");
+
status = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE,
- &value, PR_FALSE, PR_TRUE);
+ &wrapped, PR_FALSE, PR_TRUE);
if (status != SECSuccess)
cmsreterr(-1, cms, "could not encode extended key usage");
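Review bot: `printf("tag: %d\n", tag);` in `add_extended_key_usage` is a leftover debug statement that writes to stdout on every certificate request and should be removed. The tag from `find_ms_oid_tag` is also used without checking for a not-found value, so an unregistered module-signing OID would surface only as the generic encode error from `make_eku_oid`; `if (tag == SEC_OID_UNKNOWN) cmsreterr(-1, cms, "module-signing EKU OID not registered");` names the real cause. `values[2]` is intentionally only partly used when `modsign_only == 1` (codeSigning alone), and a comment saying so, plus that `2` adds the shim module-only EKU, would help the next reader.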
@@ -294,7 +309,7 @@ static int
add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
int is_ca, int is_self_signed, SECKEYPublicKey *pubkey,
SECKEYPublicKey *spubkey,
- char *url)
+ char *url, int modsign_only)
{
void *mark = PORT_ArenaMark(cms->arena);
@@ -319,7 +334,7 @@ add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
if (rc < 0)
cmsreterr(-1, cms, "could not generate certificate extensions");
- rc = add_extended_key_usage(cms, extHandle);
+ rc = add_extended_key_usage(cms, modsign_only, extHandle);
if (rc < 0)
cmsreterr(-1, cms, "could not generate certificate extensions");
@@ -469,6 +484,7 @@ int main(int argc, char *argv[])
{
int is_ca = 0;
int is_self_signed = -1;
+ int modsign_only = 0;
char *tokenname = "NSS Certificate DB";
char *signer = NULL;
char *nickname = NULL;
@@ -522,6 +538,18 @@ int main(int argc, char *argv[])
.descrip = "Generate a self-signed certificate" },
/* stuff about the generated key */
+ {.longName = "kernel",
+ .shortName = 'k',
+ .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
+ .arg = &modsign_only,
+ .val = 1,
+ .descrip = "Generate a kernel-signing certificate" },
+ {.longName = "module",
+ .shortName = 'm',
+ .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
+ .arg = &modsign_only,
+ .val = 2,
+ .descrip = "Generate a module-signing certificate" },
{.longName = "nickname",
.shortName = 'n',
.argInfo = POPT_ARG_STRING,
@@ -628,6 +656,9 @@ int main(int argc, char *argv[])
liberr(1, "could not allocate cms context");
}
+ if (modsign_only < 1 || modsign_only > 2)
+ errx(1, "either --kernel or --module must be used");
+
SECStatus status = NSS_InitReadWrite(dbdir);
if (status != SECSuccess)
nsserr(1, "could not initialize NSS");
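Review bot: Because `--kernel` and `--module` are `POPT_ARGFLAG_OR` values 1 and 2, giving both yields `modsign_only == 3`, which this check rejects with `either --kernel or --module must be used` — a message that tells the user to do what they already did. `errx(1, "exactly one of --kernel or --module must be given");` covers both the missing and the conflicting case. `main` starts and ends outside the hunk.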
@@ -639,6 +670,10 @@ int main(int argc, char *argv[])
SECKEYPublicKey *pubkey = NULL;
SECKEYPrivateKey *privkey = NULL;
+ status = register_oids(cms);
+ if (status != SECSuccess)
+ nsserr(1, "Could not register OIDs");
+
PK11SlotInfo *slot = NULL;
if (pubfile) {
rc = get_pubkey_from_file(pubfile, &pubkey);
@@ -713,7 +748,7 @@ int main(int argc, char *argv[])
crq = CERT_CreateCertificateRequest(name, spki, &attributes);
rc = add_extensions_to_crq(cms, crq, is_ca, is_self_signed, pubkey,
- spubkey, url);
+ spubkey, url, modsign_only);
if (rc < 0)
exit(1);
diff --git a/src/cms_common.h b/src/cms_common.h
index c7d7268..7a31273 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -123,6 +123,7 @@ extern int wrap_in_seq(cms_context *cms, SECItem *der,
SECItem *items, int num_items);
extern int make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
SECItem *original);
+extern int make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag);
extern int generate_validity(cms_context *cms, SECItem *der, time_t start,
time_t end);
extern int generate_common_name(cms_context *cms, SECItem *der, char *cn);

@ -0,0 +1,118 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:25:02 -0400
Subject: [PATCH] check_cert_db(): try even harder to pick a reasonable
validation time.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 66 insertions(+), 9 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index b7c99bb..1a4baf1 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -250,12 +250,53 @@ check_db_hash(db_specifier which, pesigcheck_context *ctx)
return check_db(which, ctx, check_hash, NULL, 0);
}
-static PRTime
-determine_reasonable_time(CERTCertificate *cert)
+static void
+find_cert_times(SEC_PKCS7ContentInfo *cinfo,
+ PRTime *notBefore, PRTime *notAfter)
{
- PRTime notBefore, notAfter;
- CERT_GetCertTimes(cert, &notBefore, &notAfter);
- return notBefore;
+ CERTCertDBHandle *defaultdb, *certdb;
+ SEC_PKCS7SignedData *sdp;
+ CERTCertificate **certs = NULL;
+ SECItem **rawcerts;
+ int i, certcount;
+ SECStatus rv;
+
+ if (cinfo->contentTypeTag->offset != SEC_OID_PKCS7_SIGNED_DATA) {
+err:
+ *notBefore = 0;
+ *notAfter = 0x7fffffffffffffff;
+ return;
+ }
+
+ sdp = cinfo->content.signedData;
+ rawcerts = sdp->rawCerts;
+
+ defaultdb = CERT_GetDefaultCertDB();
+
+ certdb = defaultdb;
+ if (certdb == NULL)
+ goto err;
+
+ certcount = 0;
+ if (rawcerts != NULL) {
+ for (; rawcerts[certcount] != NULL; certcount++)
+ ;
+ }
+ rv = CERT_ImportCerts(certdb, certUsageObjectSigner, certcount,
+ rawcerts, &certs, PR_FALSE, PR_FALSE, NULL);
+ if (rv != SECSuccess)
+ goto err;
+
+ for (i = 0; i < certcount; i++) {
+ PRTime nb = 0, na = 0x7fffffffffff;
+ CERT_GetCertTimes(certs[i], &nb, &na);
+ if (*notBefore < nb)
+ *notBefore = nb;
+ if (*notAfter > na)
+ *notAfter = na;
+ }
+
+ CERT_DestroyCertArray(certs, certcount);
}
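Review bot: The return value of `CERT_GetCertTimes` on the `CERT_GetCertTimes(certs[i], &nb, &na);` line is ignored, and the fallbacks it would leave behind are inconsistent: `na` is initialised to `0x7fffffffffff` (48 bits, mid-1974 in microseconds) while every other sentinel in the patch is `0x7fffffffffffffff`, so a certificate whose validity fails to decode silently clamps `*notAfter` to 1974 and the midpoint chosen later falls outside every real certificate's validity. Skip certificates whose times cannot be read, `if (CERT_GetCertTimes(certs[i], &nb, &na) != SECSuccess) continue;`, and use the 64-bit sentinel. A comment at the top of the function stating that the verification time is deliberately derived from the certificates rather than the wall clock (firmware does not enforce expiry on Secure Boot images) would also stop a reader taking the absent `PR_Now()` for a bug; note too that `goto err` jumps backwards into the `if` body, which is legal but easy to misread.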
static db_status
@@ -271,6 +312,8 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
PRBool result;
SECStatus rv;
db_status status = NOT_FOUND;
+ PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
+ PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
efi_guid_t efi_x509 = efi_guid_x509_cert;
@@ -327,16 +370,30 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
}
cert->timeOK = PR_TRUE;
+ find_cert_times(cinfo, &notBefore, &notAfter);
+ if (earlyNow < notBefore)
+ earlyNow = notBefore;
+ if (lateNow > notAfter)
+ lateNow = notAfter;
+
SECItem *eTime;
PRTime atTime;
// atTime = determine_reasonable_time(cert);
eTime = SEC_PKCS7GetSigningTime(cinfo);
if (eTime != NULL) {
- if (DER_DecodeTimeChoice (&atTime, eTime) != SECSuccess)
- atTime = determine_reasonable_time(cert);
- } else {
- atTime = determine_reasonable_time(cert);
+ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
+ if (earlyNow < atTime)
+ earlyNow = atTime;
+ if (lateNow > atTime)
+ lateNow = atTime;
+ }
}
+
+ if (lateNow < earlyNow)
+ printf("Impossible time constraints: %ld <= %ld\n",
+ earlyNow / 1000000, lateNow / 1000000);
+ atTime = earlyNow / 2 + lateNow / 2;
+
/* Verify the signature */
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
certUsageObjectSigner,
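Review bot: When `lateNow < earlyNow` the code prints `Impossible time constraints` and then continues to verify at a midpoint that lies inside no certificate's validity, so the real cause is reported only as a secondary expiry failure from NSS. Since the window came from the signature's own certificates and signing time, this condition means the signature is internally inconsistent and `check_cert` should fail it explicitly (`goto out;` after the message, with the failure status set) rather than fall through. The `%ld` conversions also assume `PRTime` is `long`, which holds on LP64 but not on ILP32 builds; casting to `long long` with `%lld`, or using `PRId64`, is portable. `check_cert` starts and ends outside this hunk.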

@ -0,0 +1,134 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:58:50 -0400
Subject: [PATCH] show which db we're checking
---
src/certdb.c | 35 ++++++++++++++++++++++++++++++++++-
src/pesigcheck_context.c | 2 ++
src/pesigcheck_context.h | 1 +
3 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/src/certdb.c b/src/certdb.c
index 1a4baf1..673e074 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -18,6 +18,7 @@
*/
#include <fcntl.h>
+#include <libgen.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
@@ -42,17 +43,33 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile,
return -1;
db->type = type;
-
db->fd = open(dbfile, O_RDONLY);
if (db->fd < 0) {
save_errno(free(db));
return -1;
}
+ char *path = strdup(dbfile);
+ if (!path) {
+ save_errno(close(db->fd);
+ free(db));
+ return -1;
+ }
+
+ db->path = basename(path);
+ db->path = strdup(db->path);
+ free(path);
+ if (!db->path) {
+ save_errno(close(db->fd);
+ free(db));
+ return -1;
+ }
+
struct stat sb;
int rc = fstat(db->fd, &sb);
if (rc < 0) {
save_errno(close(db->fd);
+ free(db->path);
free(db));
return -1;
}
@@ -65,6 +82,7 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile,
rc = read_file(db->fd, (char **)&db->map, &sz);
if (rc < 0) {
save_errno(close(db->fd);
+ free(db->path);
free(db));
return -1;
}
@@ -133,6 +151,7 @@ add_cert_file(pesigcheck_context *ctx, const char *filename)
#define DB_PATH "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
#define MOK_PATH "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23"
#define DBX_PATH "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
+#define MOKX_PATH "/sys/firmware/efi/efivars/MokListXRT-605dab50-e046-4300-abb6-3dd810dd8b23"
void
init_cert_db(pesigcheck_context *ctx, int use_system_dbs)
@@ -167,6 +186,18 @@ init_cert_db(pesigcheck_context *ctx, int use_system_dbs)
"database \"%s\": %m\n", DBX_PATH);
exit(1);
}
+
+ rc = add_db_file(ctx, DBX, MOKX_PATH, DB_EFIVAR);
+ if (rc < 0 && errno != ENOENT) {
+ fprintf(stderr, "pesigcheck: Could not add key database "
+ "\"%s\": %m\n", MOKX_PATH);
+ exit(1);
+ }
+
+ if (ctx->dbx == NULL) {
+ fprintf(stderr, "pesigcheck: warning: "
+ "No key recovation database available\n");
+ }
}
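Review bot: The warning on the new `No key recovation database available` line misspells *revocation*, and it is user-facing output. The surrounding logic is asymmetric on purpose — a missing `MokListXRT` is accepted (`errno == ENOENT`) while an existing but unreadable one is fatal — and that is the right call for a revocation list, since "cannot read dbx" must not degrade into "nothing is revoked"; a one-line comment above the `add_db_file` call saying so would keep it from being "fixed" later. `init_cert_db` starts outside the hunk.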
typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,
@@ -187,6 +218,8 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
sig.type = siBuffer;
while (dbl) {
+ printf("Searching %s %s\n", which == DB ? "db" : "dbx",
+ dbl->path);
EFI_SIGNATURE_LIST *certlist;
EFI_SIGNATURE_DATA *cert;
size_t dbsize = dbl->datalen;
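Review bot: The new `printf("Searching %s %s\n", ...)` in `check_db` writes a line to stdout for every database consulted, unconditionally, which changes pesigcheck's output for anyone scripting it and interleaves with the result lines. Gate it on a verbose option if the context has one, or at least send it to stderr: `fprintf(stderr, "Searching %s %s\n", which == DB ? "db" : "dbx", dbl->path);`. `check_db` starts and ends outside the hunk.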
diff --git a/src/pesigcheck_context.c b/src/pesigcheck_context.c
index b934cbe..5a355b1 100644
--- a/src/pesigcheck_context.c
+++ b/src/pesigcheck_context.c
@@ -87,6 +87,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx)
munmap(db->map, db->size);
close(db->fd);
ctx->db = db->next;
+ free(db->path);
free(db);
}
while (ctx->dbx) {
@@ -95,6 +96,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx)
if (db->type == DB_CERT)
free(db->data);
munmap(db->map, db->size);
+ free(db->path);
close(db->fd);
ctx->dbx = db->next;
free(db);
diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
index 1b916e3..7b5cc89 100644
--- a/src/pesigcheck_context.h
+++ b/src/pesigcheck_context.h
@@ -34,6 +34,7 @@ typedef enum {
struct dblist {
db_f_type type;
+ char *path;
int fd;
struct dblist *next;
size_t size;

@ -0,0 +1,93 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 17:00:46 -0400
Subject: [PATCH] more about the time
---
src/certdb.c | 59 +++++++++++++++++++++++++++++++++--------------------------
1 file changed, 33 insertions(+), 26 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index 673e074..1078a8a 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -345,14 +345,46 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
PRBool result;
SECStatus rv;
db_status status = NOT_FOUND;
+ PRTime atTime = PR_Now();
+ SECItem *eTime;
PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
- PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
+ PRTime notBefore, notAfter;
efi_guid_t efi_x509 = efi_guid_x509_cert;
if (memcmp(sigtype, &efi_x509, sizeof(efi_guid_t)) != 0)
return NOT_FOUND;
+ cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL);
+ if (!cinfo)
+ goto out;
+
+ notBefore = earlyNow;
+ notAfter = lateNow;
+ find_cert_times(cinfo, &notBefore, &notAfter);
+ if (earlyNow < notBefore)
+ earlyNow = notBefore;
+ if (lateNow > notAfter)
+ lateNow = notAfter;
+
+ // atTime = determine_reasonable_time(cert);
+ eTime = SEC_PKCS7GetSigningTime(cinfo);
+ if (eTime != NULL) {
+ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
+ if (earlyNow < atTime)
+ earlyNow = atTime;
+ if (lateNow > atTime)
+ lateNow = atTime;
+ }
+ }
+
+ if (lateNow < earlyNow)
+ printf("Signature has impossible time constraint: %ld <= %ld\n",
+ earlyNow / 1000000, lateNow / 1000000);
+ atTime = earlyNow / 2 + lateNow / 2;
+
+
cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
NULL, NULL);
if (!cinfo)
@@ -401,31 +433,6 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
PORT_ErrorToString(PORT_GetError()));
goto out;
}
- cert->timeOK = PR_TRUE;
-
- find_cert_times(cinfo, &notBefore, &notAfter);
- if (earlyNow < notBefore)
- earlyNow = notBefore;
- if (lateNow > notAfter)
- lateNow = notAfter;
-
- SECItem *eTime;
- PRTime atTime;
- // atTime = determine_reasonable_time(cert);
- eTime = SEC_PKCS7GetSigningTime(cinfo);
- if (eTime != NULL) {
- if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
- if (earlyNow < atTime)
- earlyNow = atTime;
- if (lateNow > atTime)
- lateNow = atTime;
- }
- }
-
- if (lateNow < earlyNow)
- printf("Impossible time constraints: %ld <= %ld\n",
- earlyNow / 1000000, lateNow / 1000000);
- atTime = earlyNow / 2 + lateNow / 2;
/* Verify the signature */
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
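Review bot: `cinfo` is decoded twice in check_cert: the new `SEC_PKCS7DecodeItem()` call near the top of the hunk is followed by the pre-existing call that survives as context after the time computation, so the first SEC_PKCS7ContentInfo is overwritten and never destroyed. Dropping the second call (the first already did the work) removes both the leak and the redundant parse. The `lateNow < earlyNow` branch only prints and then still verifies at the synthesized midpoint `earlyNow / 2 + lateNow / 2`; if an impossible validity window is meant to be a failure, returning a non-FOUND status there would make that explicit instead of relying on NSS to reject the midpoint time. The `out:` label and the remainder of check_cert lie outside the hunk.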

@ -0,0 +1,416 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 17:01:13 -0400
Subject: [PATCH] try to say why something fails
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 15 ++-
src/pesigcheck.c | 244 ++++++++++++++++++++++++++++++++++++++++++-----
src/certdb.h | 2 +-
src/pesigcheck_context.h | 1 +
4 files changed, 233 insertions(+), 29 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index 1078a8a..fae80af 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -205,7 +205,7 @@ typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,
static db_status
check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
- void *data, ssize_t datalen)
+ void *data, ssize_t datalen, SECItem *match)
{
SECItem pkcs7sig, sig;
dblist *dbl = which == DB ? ctx->db : ctx->dbx;
@@ -241,8 +241,12 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
found = check(ctx, &sig,
&certlist->SignatureType,
&pkcs7sig);
- if (found == FOUND)
+ if (found == FOUND) {
+ if (match)
+ memcpy(match, &sig,
+ sizeof(sig));
return FOUND;
+ }
cert = (EFI_SIGNATURE_DATA *)((uint8_t *)cert +
certlist->SignatureSize);
}
@@ -280,7 +284,7 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
db_status
check_db_hash(db_specifier which, pesigcheck_context *ctx)
{
- return check_db(which, ctx, check_hash, NULL, 0);
+ return check_db(which, ctx, check_hash, NULL, 0, NULL);
}
static void
@@ -459,7 +463,8 @@ out:
}
db_status
-check_db_cert(db_specifier which, pesigcheck_context *ctx, void *data, ssize_t datalen)
+check_db_cert(db_specifier which, pesigcheck_context *ctx,
+ void *data, ssize_t datalen, SECItem *match)
{
- return check_db(which, ctx, check_cert, data, datalen);
+ return check_db(which, ctx, check_cert, data, datalen, match);
}
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index d7be542..c8e1086 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -17,7 +17,9 @@
* Author(s): Peter Jones <pjones@redhat.com>
*/
+#include <err.h>
#include <fcntl.h>
+#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -88,7 +90,8 @@ check_inputs(pesigcheck_context *ctx)
}
static int
-cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
+cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen,
+ SECItem *digest_out)
{
SECItem sig, *pe_digest, *content;
uint8_t *digest;
@@ -109,6 +112,12 @@ cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
pe_digest = ctx->cms_ctx->digests[0].pe_digest;
content = cinfo->content.signedData->contentInfo.content.data;
digest = content->data + content->len - pe_digest->len;
+ if (digest_out) {
+ digest_out->data = malloc(pe_digest->len);
+ digest_out->len = pe_digest->len;
+ digest_out->type = pe_digest->type;
+ memcpy(digest_out->data, digest, pe_digest->len);
+ }
if (memcmp(pe_digest->data, digest, pe_digest->len) != 0)
goto out;
@@ -120,22 +129,149 @@ out:
return ret;
}
+struct reason {
+ enum {
+ WHITELISTED = 0,
+ INVALID = 1,
+ BLACKLISTED = 2,
+ NO_WHITELIST = 3,
+ } reason;
+ enum {
+ NONE = 0,
+ DIGEST = 1,
+ SIGNATURE = 2,
+ } type;
+ union {
+ struct {
+ SECItem digest;
+ };
+ struct {
+ SECItem sig;
+ SECItem db_cert;
+ };
+ };
+};
+
+static void
+print_digest(SECItem *digest)
+{
+ char buf[digest->len * 2 + 2];
+
+ for (unsigned int i = 0; i < digest->len; i++)
+ snprintf(buf + i * 2, digest->len * 2, "%02x",
+ digest->data[i]);
+ buf[digest->len * 2] = '\0';
+ printf("%s\n", buf);
+}
+
+static void
+print_certificate(SECItem *cert)
+{
+ printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
+ printf("cert: %p\n", cert);
+}
+
+static void
+print_signatures(SECItem *database_cert, SECItem *signature)
+{
+ printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
+ print_certificate(database_cert);
+ print_certificate(signature);
+}
+
+static void
+print_reason(struct reason *reason)
+{
+ switch (reason->reason) {
+ case WHITELISTED:
+ printf("Whitelist entry: ");
+ if (reason->type == DIGEST)
+ print_digest(&reason->digest);
+ else if (reason->type == SIGNATURE)
+ print_signatures(&reason->sig, &reason->db_cert);
+ else
+ errx(1, "Unknown data type %d\n", reason->type);
+ break;
+ case INVALID:
+ if (reason->type == DIGEST) {
+ printf("Invalid digest: ");
+ print_digest(&reason->digest);
+ } else if (reason->type == SIGNATURE) {
+ printf("Invalid signature: ");
+ print_signatures(&reason->sig, &reason->db_cert);
+ } else {
+ errx(1, "Unknown data type %d\n", reason->type);
+ }
+ break;
+ case BLACKLISTED:
+ if (reason->type == DIGEST) {
+ printf("Invalid digest: ");
+ print_digest(&reason->digest);
+ } else if (reason->type == SIGNATURE) {
+ printf("Invalid signature: ");
+ print_signatures(&reason->sig, &reason->db_cert);
+ } else {
+ errx(1, "Unknown data type %d\n", reason->type);
+ }
+ break;
+ case NO_WHITELIST:
+ if (reason->type == NONE)
+ printf("No matching whitelist entry.\n");
+ else
+ errx(1, "Invalid data type %d\n", reason->type);
+ break;
+ default:
+ errx(1, "Unknown reason type %d\n", reason->reason);
+ break;
+ }
+}
+
+static void
+get_digest(pesigcheck_context *ctx, SECItem *digest)
+{
+ struct cms_context *cms = ctx->cms_ctx;
+ struct digest *cms_digest = &cms->digests[cms->selected_digest];
+
+ memcpy(digest, cms_digest->pe_digest, sizeof (*digest));
+}
+
static int
-check_signature(pesigcheck_context *ctx)
+check_signature(pesigcheck_context *ctx, int *nreasons,
+ struct reason **reasons)
{
- int has_valid_cert = 0;
- int has_invalid_cert = 0;
+ bool has_valid_cert = false;
+ bool is_invalid = false;
+ struct reason *reasonps = NULL, *reason;
+ int num_reasons = 16;
+ int nreason = 0;
int rc = 0;
+ int ret = -1;
cert_iter iter;
+ reasonps = calloc(sizeof(struct reason), 512);
+ if (!reasonps)
+ err(1, "check_signature");
+
generate_digest(ctx->cms_ctx, ctx->inpe, 1);
- if (check_db_hash(DBX, ctx) == FOUND)
- return -1;
+ if (check_db_hash(DBX, ctx) == FOUND) {
+ reason = &reasonps[nreason];
+ reason->reason = BLACKLISTED;
+ reason->type = DIGEST;
+ get_digest(ctx, &reason->digest);
+ reason += 1;
+ is_invalid = true;
+ }
- if (check_db_hash(DB, ctx) == FOUND)
- has_valid_cert = 1;
+ if (check_db_hash(DB, ctx) == FOUND) {
+ reason = &reasonps[nreason];
+ reason->reason = WHITELISTED;
+ reason->type = DIGEST;
+ get_digest(ctx, &reason->digest);
+ nreason += 1;
+ has_valid_cert = true;
+ }
rc = cert_iter_init(&iter, ctx->inpe);
if (rc < 0)
@@ -145,32 +281,81 @@ check_signature(pesigcheck_context *ctx)
ssize_t datalen;
while (1) {
+ /*
+ * Make sure we always have enough for this iteration of the
+ * loop, plus one "NO_WHITELIST" entry at the end.
+ */
+ if (nreason >= num_reasons - 4) {
+ struct reason *new_reasons;
+
+ num_reasons += 16;
+
+ new_reasons = calloc(sizeof(struct reason), num_reasons);
+ if (!new_reasons)
+ err(1, "check_signature");
+ reasonps = new_reasons;
+ }
+
rc = next_cert(&iter, &data, &datalen);
if (rc <= 0)
break;
- if (cert_matches_digest(ctx, data, datalen) < 0) {
- has_invalid_cert = 1;
- break;
+ reason = &reasonps[nreason];
+ if (cert_matches_digest(ctx, data, datalen,
+ &reason->digest) < 0) {
+ reason->reason = INVALID;
+ reason->type = DIGEST;
+ nreason += 1;
+ is_invalid = true;
}
- if (check_db_cert(DBX, ctx, data, datalen) == FOUND) {
- has_invalid_cert = 1;
- break;
+ reason = &reasonps[nreason];
+ if (check_db_cert(DBX, ctx, data, datalen,
+ &reason->db_cert) == FOUND) {
+ reason->reason = INVALID;
+ reason->type = SIGNATURE;
+ reason->sig.data = data;
+ reason->sig.len = datalen;
+ reason->type = siBuffer;
+ nreason += 1;
+ is_invalid = true;
}
- if (check_db_cert(DB, ctx, data, datalen) == FOUND)
- has_valid_cert = 1;
+ reason = &reasonps[nreason];
+ if (check_db_cert(DB, ctx, data, datalen,
+ &reason->db_cert) == FOUND) {
+ reason->reason = WHITELISTED;
+ reason->type = SIGNATURE;
+ reason->sig.data = data;
+ reason->sig.len = datalen;
+ reason->type = siBuffer;
+ nreason += 1;
+ has_valid_cert = true;
+ }
}
err:
- if (has_invalid_cert)
- return -1;
+ if (has_valid_cert != true) {
+ if (is_invalid != true) {
+ reason = &reasonps[nreason];
+ reason->reason = NO_WHITELIST;
+ reason->type = NONE;
+ nreason += 1;
+ }
+ is_invalid = true;
+ }
- if (has_valid_cert)
- return 0;
+ if (is_invalid == false)
+ ret = 0;
- return -1;
+ if (nreasons && reasons) {
+ *nreasons = nreason;
+ *reasons = reasonps;
+ } else {
+ free(reasonps);
+ }
+
+ return ret;
}
void
@@ -204,6 +389,9 @@ main(int argc, char *argv[])
pesigcheck_context ctx, *ctxp = &ctx;
+ struct reason *reasons = NULL;
+ int nreasons = 0;
+
char *dbfile = NULL;
char *dbxfile = NULL;
char *certfile = NULL;
@@ -242,6 +430,12 @@ main(int argc, char *argv[])
.arg = &ctx.quiet,
.val = 1,
.descrip = "return only; no text output." },
+ {.longName = "verbose",
+ .shortName = 'v',
+ .argInfo = POPT_BIT_SET,
+ .arg = &ctx.verbose,
+ .val = 1,
+ .descrip = "print reasons for success and failure." },
{.longName = "no-system-db",
.shortName = 'n',
.argInfo = POPT_ARG_INT,
@@ -308,12 +502,16 @@ main(int argc, char *argv[])
exit(1);
}
- rc = check_signature(ctxp);
+ rc = check_signature(ctxp, &nreasons, &reasons);
- close_input(ctxp);
+ if (!ctx.quiet && ctx.verbose) {
+ for (int i = 0; i < nreasons; i++)
+ print_reason(&reasons[i]);
+ }
if (!ctx.quiet)
printf("pesigcheck: \"%s\" is %s.\n", ctx.infile,
rc >= 0 ? "valid" : "invalid");
+ close_input(ctxp);
pesigcheck_context_fini(&ctx);
NSS_Shutdown();
diff --git a/src/certdb.h b/src/certdb.h
index ccf3c87..8402299 100644
--- a/src/certdb.h
+++ b/src/certdb.h
@@ -43,7 +43,7 @@ typedef struct {
extern db_status check_db_hash(db_specifier which, pesigcheck_context *ctx);
extern db_status check_db_cert(db_specifier which, pesigcheck_context *ctx,
- void *data, ssize_t datalen);
+ void *data, ssize_t datalen, SECItem *match);
extern void init_cert_db(pesigcheck_context *ctx, int use_system_dbs);
extern int add_cert_db(pesigcheck_context *ctx, const char *filename);
diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
index 7b5cc89..aec415e 100644
--- a/src/pesigcheck_context.h
+++ b/src/pesigcheck_context.h
@@ -61,6 +61,7 @@ typedef struct pesigcheck_context {
Pe *inpe;
int quiet;
+ int verbose;
hashlist *hashes;
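Review bot: Three slips in check_signature's new reason bookkeeping break the report without changing the verdict: the DBX digest-hit block advances `reason += 1` where `nreason += 1` is meant, so the BLACKLISTED entry is overwritten by the next one; both signature blocks assign `reason->type = siBuffer;` where `reason->sig.type = siBuffer;` is intended, clobbering the `type` discriminator so print_reason later fails with "Unknown data type"; and the growth block inside the cert loop calloc's a fresh array and points `reasonps` at it without copying or freeing the old one, so every reason collected so far is dropped. The initial `calloc(sizeof(struct reason), 512)` also disagrees with `num_reasons = 16`; `reasonps = calloc(num_reasons, sizeof(*reasonps));` keeps them in step. Growing with realloc and zeroing only the new tail preserves the existing entries (below). The `digest_out` buffers malloc'd in cert_matches_digest are never freed on the `err:` path or by main's loop over `reasons`, which is a leak rather than a correctness issue.
```c
	while (1) {
		/*
		 * Make sure we always have enough for this iteration of the
		 * loop, plus one "NO_WHITELIST" entry at the end.
		 */
		if (nreason >= num_reasons - 4) {
			struct reason *new_reasons;
			int new_num = num_reasons + 16;

			new_reasons = realloc(reasonps, new_num * sizeof(*reasonps));
			if (!new_reasons)
				err(1, "check_signature");
			/* realloc does not zero the tail the way calloc did */
			memset(new_reasons + num_reasons, 0,
			       (new_num - num_reasons) * sizeof(*reasonps));
			reasonps = new_reasons;
			num_reasons = new_num;
		}
		/* … unchanged: next_cert() and the three db checks … */
```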

@ -0,0 +1,31 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Sat, 6 May 2017 22:45:34 +0200
Subject: [PATCH] Fix race condition in SEC_GetPassword
A side effect of echoOff is to discard unread input, so if we print the
prompt before echoOff, the user (or process) at the other end might
react to it by writing the password in between those steps, which is
then discarded. This bit me when trying to drive pesign with an expect
script.
Signed-off-by: Julien Cristau <jcristau@debian.org>
---
src/password.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/password.c b/src/password.c
index cd1c07e..d4eae0d 100644
--- a/src/password.c
+++ b/src/password.c
@@ -71,9 +71,9 @@ static char *SEC_GetPassword(FILE *input, FILE *output, char *prompt,
for (;;) {
/* Prompt for password */
if (isTTY) {
+ echoOff(infd);
fprintf(output, "%s", prompt);
fflush (output);
- echoOff(infd);
}
fgets ( phrase, sizeof(phrase), input);

@ -0,0 +1,24 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: David Michael <david.michael@coreos.com>
Date: Tue, 13 Jun 2017 13:20:16 -0700
Subject: [PATCH] sysvinit: Create the socket directory at runtime
This better supports non-systemd configurations with tmpfs on /run.
---
src/pesign.sysvinit.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index d8fffca..dc508d8 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -20,6 +20,9 @@ RETVAL=0
start(){
echo -n "Starting pesign: "
+ mkdir /var/run/pesign 2>/dev/null &&
+ chown pesign:pesign /var/run/pesign &&
+ chmod 0770 /var/run/pesign
daemon /usr/bin/pesign --daemonize
RETVAL=$?
echo
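Review bot: The new `mkdir /var/run/pesign 2>/dev/null && chown ... && chmod 0770 ...` chain creates the directory with the umask-default mode first and only tightens it in the third command, and when the directory already exists mkdir fails so neither chown nor chmod run, leaving any wrong ownership or mode uncorrected. Creating it with the final mode in one step, `mkdir -m 0770 /var/run/pesign 2>/dev/null`, closes that window, and running the chown/chmod unconditionally (or `install -d -m 0770 -o pesign -g pesign /var/run/pesign`) re-asserts the state on every start. A later patch in this import moves the path to /run but keeps the same chain.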

@ -0,0 +1,214 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 8 Aug 2017 15:44:44 -0400
Subject: [PATCH] Better authorization scripts. Again.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/Makefile | 12 ++++++----
src/pesign-authorize | 56 +++++++++++++++++++++++++++++++++++++++++++++
src/pesign-authorize-groups | 30 ------------------------
src/pesign-authorize-users | 30 ------------------------
src/pesign.service.in | 3 +--
src/pesign.sysvinit.in | 3 +--
6 files changed, 65 insertions(+), 69 deletions(-)
create mode 100755 src/pesign-authorize
delete mode 100644 src/pesign-authorize-groups
delete mode 100644 src/pesign-authorize-users
diff --git a/src/Makefile b/src/Makefile
index 654b792..84ad130 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
SVCTARGETS=pesign.sysvinit pesign.service
-TARGETS=$(BINTARGETS) $(SVCTARGETS)
+TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
all : deps $(TARGETS)
@@ -65,6 +65,9 @@ install_sysvinit: pesign.sysvinit
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
+pesign-users pesign-groups :
+ echo pesign > $@
+
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
@@ -88,10 +91,9 @@ install :
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
- $(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/
- $(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/
+ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users
- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups
+ $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
+ $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
.PHONY: all deps clean install
diff --git a/src/pesign-authorize b/src/pesign-authorize
new file mode 100755
index 0000000..a496f60
--- /dev/null
+++ b/src/pesign-authorize
@@ -0,0 +1,56 @@
+#!/bin/bash
+set -e
+set -u
+
+#
+# With /run/pesign/socket on tmpfs, a simple way of restoring the
+# acls for specific users is useful
+#
+# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
+#
+
+# License: GPLv2
+declare -a fileusers=()
+declare -a dirusers=()
+for user in $(cat /etc/pesign/users); do
+ dirusers[${#dirusers[@]}]=-m
+ dirusers[${#dirusers[@]}]="u:$user:rwx"
+ fileusers[${#fileusers[@]}]=-m
+ fileusers[${#fileusers[@]}]="u:$user:rw"
+done
+
+declare -a filegroups=()
+declare -a dirgroups=()
+for group in $(cat /etc/pesign/groups); do
+ dirgroups[${#dirgroups[@]}]=-m
+ dirgroups[${#dirgroups[@]}]="g:$group:rwx"
+ filegroups[${#filegroups[@]}]=-m
+ filegroups[${#filegroups[@]}]="g:$group:rw"
+done
+
+update_subdir() {
+ subdir=$1 && shift
+
+ setfacl -bk "${subdir}"
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
+ for x in "${subdir}"* ; do
+ if [ -d "${x}" ]; then
+ setfacl -bk ${x}
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
+ update_subdir "${x}/"
+ elif [ -e "${x}" ]; then
+ setfacl -bk ${x}
+ setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
+ else
+ :;
+ fi
+ done
+}
+
+for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+ if [ -d "${x}" ]; then
+ update_subdir "${x}"
+ else
+ :;
+ fi
+done
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
deleted file mode 100644
index cf51fb6..0000000
--- a/src/pesign-authorize-groups
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-set -e
-
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific groups is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
-# License: GPLv2
-
-if [ -r /etc/pesign/groups ]; then
- for group in $(cat /etc/pesign/groups); do
- if [ -d /var/run/pesign ]; then
- setfacl -m g:${group}:rx /var/run/pesign
- if [ -e /var/run/pesign/socket ]; then
- setfacl -m g:${group}:rw /var/run/pesign/socket
- fi
- fi
- for x in /etc/pki/pesign*/ ; do
- if [ -d ${x} ]; then
- setfacl -m g:${group}:rx ${x}
- for y in ${x}{cert8,key3,secmod}.db ; do
- setfacl -m g:${group}:rw ${y}
- done
- fi
- done
- done
-fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
deleted file mode 100644
index 940138e..0000000
--- a/src/pesign-authorize-users
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-set -e
-
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific users is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
-# License: GPLv2
-
-if [ -r /etc/pesign/users ]; then
- for username in $(cat /etc/pesign/users); do
- if [ -d /var/run/pesign ]; then
- setfacl -m g:${username}:rx /var/run/pesign
- if [ -e /var/run/pesign/socket ]; then
- setfacl -m g:${username}:rw /var/run/pesign/socket
- fi
- fi
- for x in /etc/pki/pesign*/ ; do
- if [ -d ${x} ]; then
- setfacl -m g:${username}:rx ${x}
- for y in ${x}{cert8,key3,secmod}.db ; do
- setfacl -m g:${username}:rw ${y}
- done
- fi
- done
- done
-fi
diff --git a/src/pesign.service.in b/src/pesign.service.in
index aaa408e..c75a000 100644
--- a/src/pesign.service.in
+++ b/src/pesign.service.in
@@ -6,5 +6,4 @@ PrivateTmp=true
Type=forking
PIDFile=/var/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups
+ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index dc508d8..b0e0f84 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -27,8 +27,7 @@ start(){
RETVAL=$?
echo
touch /var/lock/subsys/pesign
- @@LIBEXECDIR@@/pesign/pesign-authorize-users
- @@LIBEXECDIR@@/pesign/pesign-authorize-groups
+ @@LIBEXECDIR@@/pesign/pesign-authorize
}
stop(){
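Review bot: `setfacl -bk ${x}` and the three setfacl lines that follow it in update_subdir expand `${x}` unquoted while every other use in the script is quoted, so a path containing whitespace or glob characters would be split; use `"${x}"` on all four lines. The grant is also broader than the two scripts this replaces: those gave listed users `rx` on the directories and `rw` only on `{cert8,key3,secmod}.db`, whereas this one strips existing ACLs and grants `rwx` on every directory and `rw` on every file under /var/run/pesign/ and /etc/pki/pesign*/, including anything dropped there later. If that widening is intended the header comment should say so; otherwise limiting the file branch to the NSS database files keeps the earlier least-privilege scope. Note also that on bash releases before 4.4 expanding an empty array under `set -u` is an unbound-variable error, so an empty users or groups file would abort the script there.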

@ -0,0 +1,91 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 8 Aug 2017 17:28:19 -0400
Subject: [PATCH] Make the daemon also try to give better errors on -EPERM etc.
Basically 6796e5f but also for the daemon. This also tries to fix them
up to save errno better, for more accurate reporting.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.c | 27 +++++++++++++++++++++++++--
src/pesign.c | 8 ++++++--
2 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/src/daemon.c b/src/daemon.c
index 7f694b2..942d576 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -19,6 +19,7 @@
#include <errno.h>
#include <fcntl.h>
+#include <glob.h>
#include <poll.h>
#include <pwd.h>
#include <signal.h>
@@ -1104,10 +1105,32 @@ daemonize(cms_context *cms_ctx, char *certdir, int do_fork)
"pesignd starting (pid %d)", ctx.pid);
SECStatus status = NSS_Init(certdir);
+ int error = errno;
if (status != SECSuccess) {
+ char *globpattern = NULL;
+ rc = asprintf(&globpattern, "%s/cert*.db",
+ certdir);
+ if (rc > 0) {
+ glob_t globbuf;
+ memset(&globbuf, 0, sizeof(globbuf));
+ rc = glob(globpattern, GLOB_ERR, NULL,
+ &globbuf);
+ if (rc != 0) {
+ errno = error;
+ ctx.backup_cms->log(ctx.backup_cms,
+ ctx.priority|LOG_NOTICE,
+ "Could not open NSS database (\"%s\"): %m",
+ PORT_ErrorToString(PORT_GetError()));
+ exit(1);
+ }
+ }
+ }
+ if (status != SECSuccess) {
+ errno = error;
ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_NOTICE,
- "Could not initialize nss: %s\n",
- PORT_ErrorToString(PORT_GetError()));
+ "Could not initialize nss.\n"
+ "NSS says \"%s\" errno says \"%m\"\n",
+ PORT_ErrorToString(PORT_GetError()));
exit(1);
}
diff --git a/src/pesign.c b/src/pesign.c
index 5879cfc..6ceda34 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -660,10 +660,12 @@ main(int argc, char *argv[])
if (!daemon) {
SECStatus status;
+ int error;
if (need_db) {
status = NSS_Init(certdir);
if (status != SECSuccess) {
char *globpattern = NULL;
+ error = errno;
rc = asprintf(&globpattern, "%s/cert*.db",
certdir);
if (rc > 0) {
@@ -680,8 +682,10 @@ main(int argc, char *argv[])
} else
status = NSS_NoDB_Init(NULL);
if (status != SECSuccess) {
- errx(1, "Could not initialize nss. NSS says \"%s\" errno says \"%m\"\n",
- PORT_ErrorToString(PORT_GetError()));
+ errno = error;
+ errx(1, "Could not initialize nss.\n"
+ "NSS says \"%s\" errno says \"%m\"\n",
+ PORT_ErrorToString(PORT_GetError()));
}
status = register_oids(ctxp->cms_ctx);
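Review bot: In the pesign.c hunk `error` is declared but only assigned on the `need_db` branch, so when `NSS_NoDB_Init()` fails the new `errno = error;` before errx reads an uninitialized int and `%m` reports a meaningless errno. Initialize it at the declaration, `int error = 0;`, and capture `error = errno;` right after `status = NSS_NoDB_Init(NULL);` so that path reports accurately as well. The daemon.c hunk reads errno unconditionally after NSS_Init, so it does not share the problem, though errno is only meaningful there if NSS actually failed a system call and a stale value may still be printed.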

@ -0,0 +1,28 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 9 Aug 2017 17:40:33 -0400
Subject: [PATCH] certdb: fix PRTime printfs for i686
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index fae80af..29c9502 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -384,11 +384,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
}
if (lateNow < earlyNow)
- printf("Signature has impossible time constraint: %ld <= %ld\n",
- earlyNow / 1000000, lateNow / 1000000);
+ printf("Signature has impossible time constraint: %lld <= %lld\n",
+ earlyNow / 1000000LL, lateNow / 1000000LL);
atTime = earlyNow / 2 + lateNow / 2;
-
cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
NULL, NULL);
if (!cinfo)

@ -0,0 +1,38 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 10 Aug 2017 10:02:38 -0400
Subject: [PATCH] Clean up gcc command lines a little
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Make.defaults | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/Make.defaults b/Make.defaults
index 39b78f0..b6c0381 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -20,8 +20,7 @@ CROSS_COMPILE ?= $(bindir)
PKG_CONFIG = $(CROSS_COMPILE)pkg-config
CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
CCLD := $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
-CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \
- -Wall -Werror -Wextra -Wno-error=cpp
+CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments -Wno-error=cpp
AS := $(CROSS_COMPILE)as
AR := $(CROSS_COMPILE)gcc-ar
RANLIB := $(CROSS_COMPILE)gcc-ranlib
@@ -36,10 +35,10 @@ ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,)
SOFLAGS = -shared
clang_cflags =
-gcc_cflags = -Wmaybe-uninitialized
+gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches
cflags = $(CFLAGS) $(ARCH3264) \
- -Wall -Werror -Wno-cpp -Wsign-compare -Wno-unused-result \
- -Wno-unused-function\
+ -Wall -Werror -Wextra -Wsign-compare -Wno-unused-result \
+ -Wno-unused-function -Wsign-compare \
-std=gnu11 -fshort-wchar -fPIC -flto -fno-strict-aliasing \
-fno-merge-constants -fkeep-inline-functions \
-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
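Review bot: `-Wsign-compare` now appears twice in `cflags`, once on each of the two rewritten lines; the second copy is redundant and should be dropped. With `-Wextra` added to the non-overridable `cflags` next to `-Werror`, any new -Wextra diagnostic now fails the build rather than warning, which looks intended given the same flags were removed from the overridable `CFLAGS`, but is worth stating in the commit message.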

@ -0,0 +1,51 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 10 Aug 2017 10:03:37 -0400
Subject: [PATCH] Make pesign-{users,groups} static in the repo.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/Makefile | 5 +----
src/pesign-groups | 1 +
src/pesign-users | 1 +
3 files changed, 3 insertions(+), 4 deletions(-)
create mode 100644 src/pesign-groups
create mode 100644 src/pesign-users
diff --git a/src/Makefile b/src/Makefile
index 84ad130..7d68fa1 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
SVCTARGETS=pesign.sysvinit pesign.service
-TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
+TARGETS=$(BINTARGETS) $(SVCTARGETS)
all : deps $(TARGETS)
@@ -65,9 +65,6 @@ install_sysvinit: pesign.sysvinit
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
-pesign-users pesign-groups :
- echo pesign > $@
-
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
diff --git a/src/pesign-groups b/src/pesign-groups
new file mode 100644
index 0000000..7f57cc5
--- /dev/null
+++ b/src/pesign-groups
@@ -0,0 +1 @@
+pesign
diff --git a/src/pesign-users b/src/pesign-users
new file mode 100644
index 0000000..7f57cc5
--- /dev/null
+++ b/src/pesign-users
@@ -0,0 +1 @@
+pesign

@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 9 Aug 2017 17:31:31 -0400
Subject: [PATCH] rpm: Make the client signer use the fedora values unless
overridden
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 69280e9..22a3ee6 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -9,6 +9,9 @@
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
+%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}}
+%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}}
+
%_pesign /usr/bin/pesign
%_pesign_client /usr/bin/pesign-client
@@ -41,11 +44,11 @@
--certdir ${nss} -c signer %{-o} \
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
elif [ -S /var/run/pesign/socket ]; then \
- %{_pesign_client} -t %{__pesign_token} \\\
- -c %{__pesign_cert} \\\
+ %{_pesign_client} -t %{__pesign_client_token} \\\
+ -c %{__pesign_client_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
else \
- %{_pesign} -t %{__pesign_token} -c %{__pesign_cert} \\\
+ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
--certdir ${_pesign_nssdir} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
fi \
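Review bot: Both new macro definitions have an unbalanced double quote: `%{?pe_signing_token:"%{pe_signing_token}}` opens a quote before the value and then closes the conditional without closing it, and `__pesign_client_cert` has the same defect, while the `__pesign_cert` line just above shows the intended form `%{?pe_signing_cert:"%{pe_signing_cert}"}`. When `pe_signing_token` or `pe_signing_cert` is overridden the expanded pesign-client command line therefore carries an unterminated string. Fix: `%{?pe_signing_token:"%{pe_signing_token}"}` and `%{?pe_signing_cert:"%{pe_signing_cert}"}`.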

@ -0,0 +1,36 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 14 Aug 2017 11:37:43 -0400
Subject: [PATCH] Make macros.pesign error in kojibuilder if we don't have
perms on the socket
---
src/macros.pesign | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/macros.pesign b/src/macros.pesign
index 22a3ee6..dfdac02 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -43,6 +43,21 @@
%{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
--certdir ${nss} -c signer %{-o} \
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
+ elif [ "%{vendor}" == "Fedora Project" -a \\\
+ "$(id -un)" == "mockbuild" -a \\\
+ "$(uname -m)" == "x86_64" ] && \\\
+ grep -q ID=fedora /etc/os-release && \\\
+ [[ "%{_buildhost}" =~ ^bkernel.* ]] && \\\
+ ! [ -S /var/run/pesign/socket ]; then \
+ echo "No socket even though this is %{_buildhost}" \
+ ls -ld /var/run/pesign || : \
+ getfacl /var/run/pesign || : \
+ ls -l /var/run/pesign/socket || : \
+ getfacl /var/run/pesign/socket || : \
+ echo =========== env ============== \
+ set \
+ echo =========== env ============== \
+ exit 1 \
elif [ -S /var/run/pesign/socket ]; then \
%{_pesign_client} -t %{__pesign_client_token} \\\
-c %{__pesign_client_cert} \\\
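Review bot: The diagnostic branch runs a bare `set`, which dumps every shell variable and exported environment value of the build into the koji log; if the build environment ever carries credentials or tokens, that is a disclosure into a widely readable log. Printing only the values the check depends on (`%{_buildhost}`, `id -un`, `uname -m`, and the two `ls`/`getfacl` results already shown) gives the same diagnostic with far less exposure. The `-a` inside `[ ... ]` is also obsolescent in POSIX; `&&` between separate tests, as the rest of the condition already uses, is the portable form.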

@ -0,0 +1,148 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 8 Nov 2021 17:58:09 -0500
Subject: [PATCH] Replace /var/run with /run
This change is in violation of the FHS and is forced by systemd being
obnoxious and logging warnings about it as if it's some kind of problem.
This commit is a subset of the work in
02d473fbfd782863a0dcef7e44822d1e7e56a4b3,
f97d3b04a2eafb42272ede24e1353dd0a7f4347c,
5f9058677e7241cc88b4e8620654bbaa08a4bce4, and
cffa10d9b5eec9a9def3533b181a32b64fc29913 (all by pjones) because they
don't backport well.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/daemon.h | 4 ++--
src/Makefile | 2 +-
src/macros.pesign | 12 ++++++------
src/pesign-authorize | 2 +-
src/pesign.service.in | 2 +-
src/pesign.sysvinit.in | 10 +++++-----
src/tmpfiles.conf | 2 +-
7 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/src/daemon.h b/src/daemon.h
index d97eab9..db42c16 100644
--- a/src/daemon.h
+++ b/src/daemon.h
@@ -49,7 +49,7 @@ typedef enum {
} pesignd_cmd;
#define PESIGND_VERSION 0x2a9edaf0
-#define SOCKPATH "/var/run/pesign/socket"
-#define PIDFILE "/var/run/pesign.pid"
+#define SOCKPATH "/run/pesign/socket"
+#define PIDFILE "/run/pesign.pid"
#endif /* DAEMON_H */
diff --git a/src/Makefile b/src/Makefile
index 7d68fa1..a11e2b4 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -68,7 +68,7 @@ install_sysvinit: pesign.sysvinit
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
diff --git a/src/macros.pesign b/src/macros.pesign
index dfdac02..f135c29 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -48,17 +48,17 @@
"$(uname -m)" == "x86_64" ] && \\\
grep -q ID=fedora /etc/os-release && \\\
[[ "%{_buildhost}" =~ ^bkernel.* ]] && \\\
- ! [ -S /var/run/pesign/socket ]; then \
+ ! [ -S /run/pesign/socket ]; then \
echo "No socket even though this is %{_buildhost}" \
- ls -ld /var/run/pesign || : \
- getfacl /var/run/pesign || : \
- ls -l /var/run/pesign/socket || : \
- getfacl /var/run/pesign/socket || : \
+ ls -ld /run/pesign || : \
+ getfacl /run/pesign || : \
+ ls -l /run/pesign/socket || : \
+ getfacl /run/pesign/socket || : \
echo =========== env ============== \
set \
echo =========== env ============== \
exit 1 \
- elif [ -S /var/run/pesign/socket ]; then \
+ elif [ -S /run/pesign/socket ]; then \
%{_pesign_client} -t %{__pesign_client_token} \\\
-c %{__pesign_client_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
diff --git a/src/pesign-authorize b/src/pesign-authorize
index a496f60..83a30cd 100755
--- a/src/pesign-authorize
+++ b/src/pesign-authorize
@@ -47,7 +47,7 @@ update_subdir() {
done
}
-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+for x in /run/pesign/ /etc/pki/pesign*/ ; do
if [ -d "${x}" ]; then
update_subdir "${x}"
else
diff --git a/src/pesign.service.in b/src/pesign.service.in
index c75a000..4ac2199 100644
--- a/src/pesign.service.in
+++ b/src/pesign.service.in
@@ -4,6 +4,6 @@ Description=Pesign signing daemon
[Service]
PrivateTmp=true
Type=forking
-PIDFile=/var/run/pesign.pid
+PIDFile=/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index b0e0f84..bf8edec 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -4,7 +4,7 @@
#
# chkconfig: - 50 50
# processname: /usr/bin/pesign
-# pidfile: /var/run/pesign.pid
+# pidfile: /run/pesign.pid
### BEGIN INIT INFO
# Provides: pesign
# Default-Start:
@@ -20,9 +20,9 @@ RETVAL=0
start(){
echo -n "Starting pesign: "
- mkdir /var/run/pesign 2>/dev/null &&
- chown pesign:pesign /var/run/pesign &&
- chmod 0770 /var/run/pesign
+ mkdir /run/pesign 2>/dev/null &&
+ chown pesign:pesign /run/pesign &&
+ chmod 0770 /run/pesign
daemon /usr/bin/pesign --daemonize
RETVAL=$?
echo
@@ -32,7 +32,7 @@ start(){
stop(){
echo -n "Stopping pesign: "
- killproc -p /var/run/pesign.pid pesignd
+ killproc -p /run/pesign.pid pesignd
RETVAL=$?
echo
rm -f /var/lock/subsys/pesign
diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf
index c1cf355..3375ad5 100644
--- a/src/tmpfiles.conf
+++ b/src/tmpfiles.conf
@@ -1 +1 @@
-D /var/run/pesign 0770 pesign pesign -
+D /run/pesign 0770 pesign pesign -
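Review bot: In the pesign.sysvinit.in start() hunk, the rewritten `mkdir /run/pesign 2>/dev/null && chown pesign:pesign /run/pesign && chmod 0770 /run/pesign` chain only applies ownership and mode when mkdir succeeds, so a /run/pesign that already exists (a restart, or a directory left behind with a wider mode) is never corrected, and between mkdir and chmod the directory briefly carries the umask-derived mode. A single `install -d -m 0770 -o pesign -g pesign /run/pesign` creates it with the intended mode and owner in one step and is the usual idiom for a runtime directory. The path rewrite itself is mechanical; on systemd hosts the tmpfiles line `D /run/pesign 0770 pesign pesign -` in the same patch already enforces the mode, so this only matters for the sysvinit path.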

@ -0,0 +1,43 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 May 2019 11:28:38 -0400
Subject: [PATCH] efikeygen: Fix the build with nss 3.44
NSS 3.44 adds some certificate types, which changes a type and makes
some encoding stuff weird. As a result, we get:
gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
In file included from /usr/local/include/nss/nss/cert.h:22,
from efikeygen.c:39:
efikeygen.c: In function 'add_cert_type':
/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
(NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
^
efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
unsigned char type = NS_CERT_TYPE_APP;
^~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
This is fixed by just making it an int.
Fixes github issue #48.
Signed-off-by: Peter Jones <pjones@redhat.com>
(cherry picked from commit b535d1ac5cbcdf18a97d97a92581e38080d9e521)
---
src/efikeygen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/efikeygen.c b/src/efikeygen.c
index 9390578..089e6a7 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -206,7 +206,7 @@ static int
add_cert_type(cms_context *cms, void *extHandle, int is_ca)
{
SECItem bitStringValue;
- unsigned char type = NS_CERT_TYPE_APP;
+ int type = NS_CERT_TYPE_APP;
if (is_ca)
type |= NS_CERT_TYPE_SSL_CA |
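Review bot: Widening `type` to `int` removes the truncation, but the rest of add_cert_type is outside the hunk, and the compiler message quoted in the description shows NS_CERT_TYPE_APP is 496 (0x1f0), i.e. the cert-type flags no longer fit in one byte. If the remainder of the function hands `&type` to `bitStringValue.data` with a fixed one-byte length (the `SECItem bitStringValue` declared above suggests it is encoded that way), the encoded netscape-cert-type bit string would now be taken from the first byte of an `int`, which is endianness-dependent and drops the high bits; whoever ported this should confirm the length and byte order used when filling `bitStringValue`. A comment on the declaration would save the next reader the same question, e.g. `/* NS_CERT_TYPE_* flags exceed 8 bits since NSS 3.44; must stay wider than a byte */`.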

@ -0,0 +1,82 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 18 Jan 2023 14:00:22 -0500
Subject: [PATCH] Use normal file permissions instead of ACLs
Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
pesign-authorize is now deprecated and will be removed in a future
release.
Resolves: CVE-2022-3560
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 21d0c7afe0c0c23eee72a5e144995f0acb73b763)
---
src/pesign-authorize | 53 +++++-----------------------------------------------
1 file changed, 5 insertions(+), 48 deletions(-)
diff --git a/src/pesign-authorize b/src/pesign-authorize
index 83a30cd..b4e89e0 100755
--- a/src/pesign-authorize
+++ b/src/pesign-authorize
@@ -2,55 +2,12 @@
set -e
set -u
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific users is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
# License: GPLv2
-declare -a fileusers=()
-declare -a dirusers=()
-for user in $(cat /etc/pesign/users); do
- dirusers[${#dirusers[@]}]=-m
- dirusers[${#dirusers[@]}]="u:$user:rwx"
- fileusers[${#fileusers[@]}]=-m
- fileusers[${#fileusers[@]}]="u:$user:rw"
-done
-
-declare -a filegroups=()
-declare -a dirgroups=()
-for group in $(cat /etc/pesign/groups); do
- dirgroups[${#dirgroups[@]}]=-m
- dirgroups[${#dirgroups[@]}]="g:$group:rwx"
- filegroups[${#filegroups[@]}]=-m
- filegroups[${#filegroups[@]}]="g:$group:rw"
-done
-
-update_subdir() {
- subdir=$1 && shift
- setfacl -bk "${subdir}"
- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
- for x in "${subdir}"* ; do
- if [ -d "${x}" ]; then
- setfacl -bk ${x}
- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
- update_subdir "${x}/"
- elif [ -e "${x}" ]; then
- setfacl -bk ${x}
- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
- else
- :;
- fi
- done
-}
+# This script is deprecated and will be removed in a future release.
-for x in /run/pesign/ /etc/pki/pesign*/ ; do
- if [ -d "${x}" ]; then
- update_subdir "${x}"
- else
- :;
- fi
+sleep 3
+for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
+ chown -R pesign:pesign "${x}" || true
+ chmod -R ug+rwX "${x}" || true
done
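Review bot: The new loop iterates over `@@RUNDIR@@pesign/`, a build-time template token, but this file is installed as plain `src/pesign-authorize` rather than a `.in` file that the build rewrites (pesign.service.in in the earlier patch uses `@@LIBEXECDIR@@` and carries the `.in` suffix), so unless the Makefile substitutes it — nothing visible in this series does — the script will chown/chmod a literal `@@RUNDIR@@pesign/` path that does not exist, and `|| true` silently hides that failure despite `set -e`. Either spell the path as `/run/pesign/` to match patch 0030, or add the substitution to the install step, and consider logging instead of discarding the error so a failed ownership fix on the signing database is visible. The bare `sleep 3` also deserves a comment saying what it waits for (presumably the daemon creating its socket — confirm), e.g. `# wait for pesignd to create its runtime files before fixing ownership`.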

@ -0,0 +1,32 @@
Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
Patch0002: 0002-Fix-command-line-parsing.patch
Patch0003: 0003-gcc-don-t-error-on-stuff-in-includes.patch
Patch0004: 0004-Fix-certficate-argument-name.patch
Patch0005: 0005-Fix-description-of-ascii-armor-option-in-manpage.patch
Patch0006: 0006-Make-ascii-work-since-we-documented-it.patch
Patch0007: 0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch
Patch0008: 0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch
Patch0009: 0009-pesigcheck-make-certfile-actually-work.patch
Patch0010: 0010-signerInfos-make-sure-err-is-always-initialized.patch
Patch0011: 0011-pesign-make-pesign-h-tell-you-the-file-name.patch
Patch0012: 0012-Add-coverity-build-scripts.patch
Patch0013: 0013-Document-implicit-fallthrough.patch
Patch0014: 0014-Actually-setfacl-each-directory-of-our-key-storage.patch
Patch0015: 0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch
Patch0016: 0016-efikeygen-add-modsign.patch
Patch0017: 0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch
Patch0018: 0018-show-which-db-we-re-checking.patch
Patch0019: 0019-more-about-the-time.patch
Patch0020: 0020-try-to-say-why-something-fails.patch
Patch0021: 0021-Fix-race-condition-in-SEC_GetPassword.patch
Patch0022: 0022-sysvinit-Create-the-socket-directory-at-runtime.patch
Patch0023: 0023-Better-authorization-scripts.-Again.patch
Patch0024: 0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch
Patch0025: 0025-certdb-fix-PRTime-printfs-for-i686.patch
Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch
Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch
Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
Patch0030: 0030-Replace-var-run-with-run.patch
Patch0031: 0031-efikeygen-Fix-the-build-with-nss-3.44.patch
Patch0032: 0032-Use-normal-file-permissions-instead-of-ACLs.patch

@ -0,0 +1,91 @@
#!/usr/bin/python3
#
# Copyright 2017 Peter Jones <Peter Jones@random>
#
# Distributed under terms of the GPLv3 license.
"""
mock plugin to make sure pesign and mockbuild users have the right uid and
gid.
"""
from mockbuild.trace_decorator import getLog, traceLog
import mockbuild.util
requires_api_version = "1.1"
@traceLog()
def init(plugins, conf, buildroot):
""" hello """
Pesign(plugins, conf, buildroot)
def getuid(name):
""" get a uid for a user name """
output = mockbuild.util.do(["getent", "passwd", "%s" % (name,)],
returnOutput=1, printOutput=True)
output = output.split(':')
return output[2], output[3]
def getgid(name):
""" get a gid for a group name """
output = mockbuild.util.do(["getent", "group", "%s" % (name,)],
returnOutput=1, printOutput=True)
return output.split(':')[2]
def newgroup(name, gid, rootdir):
""" create a group with a gid """
getLog().info("creating group %s with gid %s" % (name, gid))
mockbuild.util.do(["groupadd",
"-g", "%s" % (gid,),
"-R", "%s" % (rootdir,),
"%s" % (name,),
])
def newuser(name, uid, gid, rootdir):
""" create a user with a uid """
getLog().info("creating user %s with uid %s" % (name, uid))
mockbuild.util.do(["useradd",
"-u", "%s" % (uid,),
"-g", "%s" % (gid,),
"-R", "%s" % (rootdir,),
"%s" % (name,)])
class Pesign(object):
""" Creates some stuff in our mock root """
# pylint: disable=too-few-public-methods
@traceLog()
def __init__(self, plugins, conf, buildroot):
""" Effectively we're doing:
getent group pesign >/dev/null || groupadd -r pesign
getent passwd pesign >/dev/null || \
useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin \
-c "Group for the pesign signing daemon" pesign
"""
self.buildroot = buildroot
self.pesign_opts = conf
self.config = buildroot.config
self.state = buildroot.state
self.users = {}
self.groups = {}
plugins.add_hook("postinit", self._pesignPostInitHook)
@traceLog()
def _pesignPostInitHook(self):
""" find our uid and gid lists """
for user in self.pesign_opts['users']:
uid, gid = getuid(user)
self.users[user] = [user, uid, gid]
for group in self.pesign_opts['groups']:
gid = getgid(group)
self.groups[group] = [group, gid]
# create our users
rootdir = self.buildroot.make_chroot_path()
for name, gid in self.groups.values():
newgroup(name, gid, rootdir)
for name, uid, gid in self.users.values():
newuser(name, uid, gid, rootdir)
# -*- coding: utf-8 -*-
# vim:fenc=utf-8:tw=75
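Review bot: `getuid` returns a `(uid, gid)` pair taken from the `getent passwd` fields, but its name and docstring ("get a uid for a user name") promise only a uid, and the caller in `_pesignPostInitHook` unpacks two values; at minimum the docstring should read `""" return (uid, gid) for a user name, parsed from getent passwd """`. `init`'s docstring is the placeholder `""" hello """`; `""" mock plugin entry point: register the Pesign post-init hook """` would describe what it does. The class docstring's example still uses `-d /var/run/pesign` while the spec's `%pre` creates the account with `-d /run/pesign`; align the example with the spec. The `"%s" % (name,)` wrappers around values that are already strings add nothing and can be passed directly.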

@ -0,0 +1,408 @@
%global macrosdir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_sysconfdir}/rpm; echo $d)
Name: pesign
Summary: Signing utility for UEFI binaries
Version: 0.112
Release: 27%{?dist}
License: GPLv2
URL: https://github.com/vathpela/pesign
Obsoletes: pesign-rh-test-certs <= 0.111-7
BuildRequires: git nspr nss nss-util popt-devel
BuildRequires: nss-tools
BuildRequires: nspr-devel >= 4.9.2-1
BuildRequires: nss-devel >= 3.13.6-1
BuildRequires: efivar-devel >= 31-1
BuildRequires: libuuid-devel
BuildRequires: tar xz
BuildRequires: python3-rpm-macros python3
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
BuildRequires: systemd
%endif
Requires: nspr nss nss-util nss-tools popt rpm
Requires(pre): shadow-utils
ExclusiveArch: %{ix86} x86_64 ia64 aarch64 %{arm}
%if 0%{?rhel} == 7
BuildRequires: rh-signing-tools >= 1.20-2
%endif
Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
Source1: certs.tar.xz
Source2: pesign.py
Source3: pesign.patches
%include %{SOURCE3}
%description
This package contains the pesign utility for signing UEFI binaries as
well as other associated tools.
%prep
%setup -q -T -b 0
%setup -q -T -D -c -n pesign-%{version}/ -a 1
git init
git config user.email "pesign-owner@fedoraproject.org"
git config user.name "Fedora Ninjas"
git add .
git commit -a -q -m "%{version} baseline."
git am %{patches} </dev/null
git config --unset user.email
git config --unset user.name
%build
make PREFIX=%{_prefix} LIBDIR=%{_libdir}
%install
mkdir -p %{buildroot}/%{_libdir}
make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} \
install
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} \
install_systemd
%endif
# there's some stuff that's not really meant to be shipped yet
rm -rf %{buildroot}/boot %{buildroot}/usr/include
rm -rf %{buildroot}%{_libdir}/libdpe*
mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign/
mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
cp -a etc/pki/pesign/* %{buildroot}%{_sysconfdir}/pki/pesign/
cp -a etc/pki/pesign-rh-test/* %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
if [ %{macrosdir} != %{_sysconfdir}/rpm ]; then
mkdir -p %{buildroot}%{macrosdir}
mv %{buildroot}%{_sysconfdir}/rpm/macros.pesign \
%{buildroot}%{macrosdir}
rmdir %{buildroot}%{_sysconfdir}/rpm
fi
rm -vf %{buildroot}/usr/share/doc/pesign-%{version}/COPYING
# and find-debuginfo.sh has some pretty awful deficencies too...
cp -av libdpe/*.[ch] src/
install -d -m 0755 %{buildroot}%{python3_sitelib}/mockbuild/plugins/
install -m 0755 -p %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
%pre
getent group pesign >/dev/null || groupadd -r pesign
getent passwd pesign >/dev/null || \
useradd -r -g pesign -d /run/pesign -s /sbin/nologin \
-c "Group for the pesign signing daemon" pesign
exit 0
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
%post
%systemd_post pesign.service
#%%posttrans
#%%{_libexecdir}/pesign/pesign-authorize
%preun
%systemd_preun pesign.service
%postun
%systemd_postun_with_restart pesign.service
%endif
%files
%{!?_licensedir:%global license %%doc}
%license COPYING
%doc README TODO
%{_bindir}/authvar
%{_bindir}/efikeygen
%{_bindir}/efisiglist
%{_bindir}/pesigcheck
%{_bindir}/pesign
%{_bindir}/pesign-client
%dir %{_libexecdir}/pesign/
%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign/
%config(noreplace) %attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/
%config(noreplace) %attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/*
%{_libexecdir}/pesign/pesign-authorize
%config(noreplace)/%{_sysconfdir}/pesign/users
%config(noreplace)/%{_sysconfdir}/pesign/groups
%{_sysconfdir}/popt.d/pesign.popt
%{macrosdir}/macros.pesign
%{_mandir}/man*/*
%dir %attr(0770, pesign, pesign) /%{_rundir}/%{name}
%ghost %attr(0660, -, -) %{_rundir}/%{name}/socket
%ghost %attr(0660, -, -) %{_rundir}/%{name}/pesign.pid
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
%{_tmpfilesdir}/pesign.conf
%{_unitdir}/pesign.service
%endif
%{python3_sitelib}/mockbuild/plugins/*/pesign.*
%{python3_sitelib}/mockbuild/plugins/pesign.*
%changelog
* Wed Jan 18 2023 Robbie Harwood <rharwood@redhat.com> - 0.112-27
- Deprecate pesign-authorize and drop ACL
- Resolves: CVE-2022-3560
* Mon Nov 08 2021 Robbie Harwood <rharwood@redhat.com> - 0.112-26
- Perform the /var/run to /run "migration" stupidity
- Resolves: rhbz#1801976
* Mon Oct 01 2018 Peter Jones <pjones@redhat.com> - 0.112-25
- Preserve .py timestamp during install so .pyc/.pyo files have the same
timestamp on all arches, preventing rpmdiff from complaining.
Related: rhbz#1625388
* Fri Sep 28 2018 Peter Jones <pjones@redhat.com> - 0.112-24
- Require nss-tools at runtime so the rpm signing macros will have it
Resolves: rhbz#1625388
* Wed Aug 01 2018 Charalampos Stratakis <cstratak@redhat.com> - 0.112-23
- Rebuild for platform-python
* Mon Jan 22 2018 Peter Robinson <pbrobinson@fedoraproject.org> 0.112-22
- Minor spec cleanups, fix arm conditional
* Fri Oct 06 2017 Troy Dawson <tdawson@redhat.com> - 0.112-21
- Cleanup spec file conditionals
* Tue Aug 15 2017 Peter Jones <pjones@redhat.com> - 0.112-20
- Maybe fewer typoes would be better.
* Tue Aug 15 2017 Peter Jones <pjones@redhat.com> - 0.112-19
- Update to match f26's build so new kernel builds will work.
* Thu Aug 10 2017 Peter Jones <pjones@redhat.com> - 0.112-10
- Try to fix the db problem nirik is seeing trying to upgrade the builders.
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sat Jul 08 2017 Peter Jones <pjones@redhat.com> - 0.112-7
- Rebuild for efivar-31-1.fc26
Related: rhbz#1468841
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Jan 06 2017 Peter Jones <pjones@redhat.com> - 0.112-5
- Don't Req: or BuildReq: coolkey or opensc; those belong in system deploy
scripts.
Related: rhbz#1349073
* Wed Aug 17 2016 Peter Jones <pjones@redhat.com> - 0.112-4
- Build as -4 to make bodhi happy.
* Fri Aug 12 2016 Adam Williamson <awilliam@redhat.com> - 0.112-3
- backport fix for command line parsing from upstream master
* Wed Aug 10 2016 Peter Jones <pjones@redhat.com> - 0.112-2
- Build with newer efivar.
* Wed Apr 20 2016 Peter Jones <pjones@redhat.com> - 0.112-1
- Update to 0.112
- Also fix up some spec file woes:
- dumb things in %%setup
- find-debuginfo.sh not working right for some source files...
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.111-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Thu Dec 10 2015 Peter Jones <pjones@redhat.com> - 0.111-7
- Obsolete pesign-rh-test-certs, it was in -1's update.
Resolves: rhbz#1283475
* Wed Dec 02 2015 Peter Jones <pjones@redhat.com> - 0.111-6
- *Don't* use --certdir if we're using the socket.
Related: rhbz#1283475
Related: rhbz#1284063
Related: rhbz#1284561
* Tue Dec 01 2015 Peter Jones <pjones@redhat.com> - 0.111-5
- Actually do a better job of choosing which cert to use when, so people will
stop seeing any of this problem. (Thanks for the thought, jforbes.)
Resolves: rhbz#1283475
Resolves: rhbz#1284063
Resolves: rhbz#1284561
* Mon Nov 30 2015 Peter Jones <pjones@redhat.com> - 0.111-5
- setfacl even harder.
Related: rhbz#1283475
Related: rhbz#1284063
Related: rhbz#1284561
* Fri Nov 20 2015 Peter Jones <pjones@redhat.com> - 0.111-3
- Better ACL setting code.
Related: rhbz#1283475
* Thu Nov 19 2015 Peter Jones <pjones@redhat.com> - 0.111-2
- Allow the mockbuild user to read the nss database if the account exists.
* Wed Oct 28 2015 Peter Jones <pjones@redhat.com> - 0.111-1
- Rebase to 0.111
- Split test certs out into a "Recommends" subpackage.
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.110-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Wed Mar 4 2015 Ville Skyttä <ville.skytta@iki.fi> - 0.110-2
- Install macros in %%{_rpmconfigdir}/macros.d where available (#1074281)
* Fri Oct 24 2014 Peter Jones <pjones@redhat.com> - 0.110-1
- Update to pesign-0.110
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.108-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.108-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Thu May 29 2014 Peter Jones <pjones@redhat.com> - 0.108-2
- Fix a networking problem nirik observed when reinstalling builders.
* Sat Aug 10 2013 Peter Jones <pjones@redhat.com> - 0.108-1
- Remove errant result files and raise an error from %%pesign
* Tue Aug 06 2013 Peter Jones <pjones@redhat.com> - 0.106-3
- Add code for signing in RHEL 7
* Mon Aug 05 2013 Peter Jones <pjones@redhat.com> - 0.106-2
- Fix for new %%doc rules.
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.106-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Tue May 21 2013 Peter Jones <pjones@redhat.com> - 0.106-1
- Update to 0.106
- Hopefully fix the segfault dgilmore was seeing.
* Mon May 20 2013 Peter Jones <pjones@redhat.com> - 0.105-1
- Various bug fixes.
* Wed May 15 2013 Peter Jones <pjones@redhat.com> - 0.104-1
- Make sure alignment is correct on signature list entries
Resolves: rhbz#963361
- Make sure section alignment is correct if we have to extend the file
* Wed Feb 06 2013 Peter Jones <pjones@redhat.com> - 0.103-2
- Conditionalize systemd bits so they don't show up in RHEL 6 builds
* Tue Feb 05 2013 Peter Jones <pjones@redhat.com> - 0.103-1
- One more compiler problem. Let's expect a few more, shall we?
* Tue Feb 05 2013 Peter Jones <pjones@redhat.com> - 0.102-1
- Don't use --std=gnu11 because we have to work on RHEL 6 builders.
* Mon Feb 04 2013 Peter Jones <pjones@redhat.com> - 0.101-1
- Update to 0.101 to fix more "pesign -E" issues.
* Fri Nov 30 2012 Peter Jones <pjones@redhat.com> - 0.100-1
- Fix insertion of signatures from a file.
* Mon Nov 26 2012 Matthew Garrett <mjg59@srcf.ucam.org> - 0.99-9
- Add a patch needed for new shim builds
* Fri Oct 19 2012 Peter Jones <pjones@redhat.com> - 0.99-8
- Get the Fedora signing token name right.
* Fri Oct 19 2012 Peter Jones <pjones@redhat.com>
- Add coolkey and opensc modules to pki database during %%install.
* Fri Oct 19 2012 Peter Jones <pjones@redhat.com> - 0.99-7
- setfacl u:kojibuilder:rw /var/run/pesign/socket
- Fix command line checking in client
- Add client stdin pin reading.
* Thu Oct 18 2012 Peter Jones <pjones@redhat.com> - 0.99-6
- Automatically select daemon as signer when using rpm macros.
* Thu Oct 18 2012 Peter Jones <pjones@redhat.com> - 0.99-5
- Make it work on the -el6 branch as well.
* Wed Oct 17 2012 Peter Jones <pjones@redhat.com> - 0.99-4
- Fix some more bugs found by valgrind and coverity.
- Don't build utils/ ; we're not using them and they're not ready anyway.
* Wed Oct 17 2012 Peter Jones <pjones@redhat.com> - 0.99-3
- Fix daemon startup bug from 0.99-2
* Wed Oct 17 2012 Peter Jones <pjones@redhat.com> - 0.99-2
- Fix various bugs from 0.99-1
- Don't make the database unreadable just yet.
* Mon Oct 15 2012 Peter Jones <pjones@redhat.com> - 0.99-1
- Update to 0.99
- Add documentation for client/server mode.
- Add --pinfd and --pinfile to server mode.
* Fri Oct 12 2012 Peter Jones <pjones@redhat.com> - 0.98-1
- Update to 0.98
- Add client/server mode.
* Mon Oct 01 2012 Peter Jones <pjones@redhat.com> - 0.10-5
- Fix missing section address fixup.
* Wed Aug 15 2012 Peter Jones <pjones@redhat.com> - 0.10-4
- Make macros.pesign even better (and make it work right for i686 packages)
* Tue Aug 14 2012 Peter Jones <pjones@redhat.com> - 0.10-3
- Only sign things on x86_64; all else ignore gracefully.
* Tue Aug 14 2012 Peter Jones <pjones@redhat.com> - 0.10-2
- Make macros.pesign more reliable
* Mon Aug 13 2012 Peter Jones <pjones@redhat.com> - 0.10-1
- Update to 0.10
- Include rpm macros to support easy custom signing of signed packages.
* Fri Aug 10 2012 Peter Jones <pjones@redhat.com> - 0.9-1
- Update to 0.9
- Bug fix from Gary Ching-Pang Lin
- Support NSS Token selection for use with smart cards.
* Wed Aug 08 2012 Peter Jones <pjones@redhat.com> - 0.8-1
- Update to 0.8
- Don't open the db read-write
- Fix permissions on keystore (everybody can sign with test keys)
* Wed Aug 08 2012 Peter Jones <pjones@redhat.com> - 0.7-2
- Include test keys.
* Mon Jul 30 2012 Peter Jones <pjones@redhat.com> - 0.7-1
- Update to 0.7
- Better fix for MS compatibility.
* Mon Jul 30 2012 Peter Jones <pjones@redhat.com> - 0.6-1
- Update to 0.6
- Bug-for-bug compatibility with signtool.exe .
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Wed Jul 11 2012 Peter Jones <pjones@redhat.com> - 0.5-1
- Rebase to 0.5
- Do more rigorous bounds checking when hashing a new binary.
* Tue Jul 10 2012 Peter Jones <pjones@redhat.com> - 0.3-2
- Rebase to 0.4
* Fri Jun 22 2012 Peter Jones <pjones@redhat.com> - 0.3-2
- Move man page to a more reasonable place.
* Fri Jun 22 2012 Peter Jones <pjones@redhat.com> - 0.3-1
- Update to upstream's 0.3 .
* Thu Jun 21 2012 Peter Jones <pjones@redhat.com> - 0.2-4
- Do not build with smp flags.
* Thu Jun 21 2012 Peter Jones <pjones@redhat.com> - 0.2-3
- Make it build on i686, though it's unclear it'll ever be necessary.
* Thu Jun 21 2012 Peter Jones <pjones@redhat.com> - 0.2-2
- Fix compile problem with f18's compiler.
* Thu Jun 21 2012 Peter Jones <pjones@redhat.com> - 0.2-1
- Fix some rpmlint complaints nirik pointed out
- Add popt-devel build dep
* Fri Jun 15 2012 Peter Jones <pjones@redhat.com> - 0.1-1
- First version of SRPM.
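Review bot: In `%files`, `%dir %attr(0770, pesign, pesign) /%{_rundir}/%{name}` carries an extra leading slash (`%{_rundir}` is already absolute), yielding `//run/pesign`, while the two `%ghost` entries below use `%{_rundir}/%{name}/...` without it; drop the slash so all three resolve under the same prefix. Likewise `%config(noreplace)/%{_sysconfdir}/pesign/users` and the matching `groups` line lack the space between the attribute and the path; write `%config(noreplace) %{_sysconfdir}/pesign/users`. rpm may normalise both today, but the inconsistency is worth fixing before a stricter rpmbuild trips on it. Separately, `install -m 0755 -p %{SOURCE2}` installs a Python plugin module as executable; `0644` is the usual mode for a module that is only imported.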