You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
417 lines
11 KiB
417 lines
11 KiB
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Peter Jones <pjones@redhat.com>
|
|
Date: Tue, 25 Apr 2017 17:01:13 -0400
|
|
Subject: [PATCH] try to say why something fails
|
|
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
---
|
|
src/certdb.c | 15 ++-
|
|
src/pesigcheck.c | 244 ++++++++++++++++++++++++++++++++++++++++++-----
|
|
src/certdb.h | 2 +-
|
|
src/pesigcheck_context.h | 1 +
|
|
4 files changed, 233 insertions(+), 29 deletions(-)
|
|
|
|
diff --git a/src/certdb.c b/src/certdb.c
|
|
index 1078a8a..fae80af 100644
|
|
--- a/src/certdb.c
|
|
+++ b/src/certdb.c
|
|
@@ -205,7 +205,7 @@ typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,
|
|
|
|
static db_status
|
|
check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
|
|
- void *data, ssize_t datalen)
|
|
+ void *data, ssize_t datalen, SECItem *match)
|
|
{
|
|
SECItem pkcs7sig, sig;
|
|
dblist *dbl = which == DB ? ctx->db : ctx->dbx;
|
|
@@ -241,8 +241,12 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
|
|
found = check(ctx, &sig,
|
|
&certlist->SignatureType,
|
|
&pkcs7sig);
|
|
- if (found == FOUND)
|
|
+ if (found == FOUND) {
|
|
+ if (match)
|
|
+ memcpy(match, &sig,
|
|
+ sizeof(sig));
|
|
return FOUND;
|
|
+ }
|
|
cert = (EFI_SIGNATURE_DATA *)((uint8_t *)cert +
|
|
certlist->SignatureSize);
|
|
}
|
|
@@ -280,7 +284,7 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
|
|
db_status
|
|
check_db_hash(db_specifier which, pesigcheck_context *ctx)
|
|
{
|
|
- return check_db(which, ctx, check_hash, NULL, 0);
|
|
+ return check_db(which, ctx, check_hash, NULL, 0, NULL);
|
|
}
|
|
|
|
static void
|
|
@@ -459,7 +463,8 @@ out:
|
|
}
|
|
|
|
db_status
|
|
-check_db_cert(db_specifier which, pesigcheck_context *ctx, void *data, ssize_t datalen)
|
|
+check_db_cert(db_specifier which, pesigcheck_context *ctx,
|
|
+ void *data, ssize_t datalen, SECItem *match)
|
|
{
|
|
- return check_db(which, ctx, check_cert, data, datalen);
|
|
+ return check_db(which, ctx, check_cert, data, datalen, match);
|
|
}
|
|
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
|
|
index d7be542..c8e1086 100644
|
|
--- a/src/pesigcheck.c
|
|
+++ b/src/pesigcheck.c
|
|
@@ -17,7 +17,9 @@
|
|
* Author(s): Peter Jones <pjones@redhat.com>
|
|
*/
|
|
|
|
+#include <err.h>
|
|
#include <fcntl.h>
|
|
+#include <stdbool.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
@@ -88,7 +90,8 @@ check_inputs(pesigcheck_context *ctx)
|
|
}
|
|
|
|
static int
|
|
-cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
|
|
+cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen,
|
|
+ SECItem *digest_out)
|
|
{
|
|
SECItem sig, *pe_digest, *content;
|
|
uint8_t *digest;
|
|
@@ -109,6 +112,12 @@ cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
|
|
pe_digest = ctx->cms_ctx->digests[0].pe_digest;
|
|
content = cinfo->content.signedData->contentInfo.content.data;
|
|
digest = content->data + content->len - pe_digest->len;
|
|
+ if (digest_out) {
|
|
+ digest_out->data = malloc(pe_digest->len);
|
|
+ digest_out->len = pe_digest->len;
|
|
+ digest_out->type = pe_digest->type;
|
|
+ memcpy(digest_out->data, digest, pe_digest->len);
|
|
+ }
|
|
if (memcmp(pe_digest->data, digest, pe_digest->len) != 0)
|
|
goto out;
|
|
|
|
@@ -120,22 +129,149 @@ out:
|
|
return ret;
|
|
}
|
|
|
|
+struct reason {
|
|
+ enum {
|
|
+ WHITELISTED = 0,
|
|
+ INVALID = 1,
|
|
+ BLACKLISTED = 2,
|
|
+ NO_WHITELIST = 3,
|
|
+ } reason;
|
|
+ enum {
|
|
+ NONE = 0,
|
|
+ DIGEST = 1,
|
|
+ SIGNATURE = 2,
|
|
+ } type;
|
|
+ union {
|
|
+ struct {
|
|
+ SECItem digest;
|
|
+ };
|
|
+ struct {
|
|
+ SECItem sig;
|
|
+ SECItem db_cert;
|
|
+ };
|
|
+ };
|
|
+};
|
|
+
|
|
+static void
|
|
+print_digest(SECItem *digest)
|
|
+{
|
|
+ char buf[digest->len * 2 + 2];
|
|
+
|
|
+ for (unsigned int i = 0; i < digest->len; i++)
|
|
+ snprintf(buf + i * 2, digest->len * 2, "%02x",
|
|
+ digest->data[i]);
|
|
+ buf[digest->len * 2] = '\0';
|
|
+ printf("%s\n", buf);
|
|
+}
|
|
+
|
|
+static void
|
|
+print_certificate(SECItem *cert)
|
|
+{
|
|
+ printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
|
|
+ printf("cert: %p\n", cert);
|
|
+}
|
|
+
|
|
+static void
|
|
+print_signatures(SECItem *database_cert, SECItem *signature)
|
|
+{
|
|
+ printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
|
|
+ print_certificate(database_cert);
|
|
+ print_certificate(signature);
|
|
+}
|
|
+
|
|
+static void
|
|
+print_reason(struct reason *reason)
|
|
+{
|
|
+ switch (reason->reason) {
|
|
+ case WHITELISTED:
|
|
+ printf("Whitelist entry: ");
|
|
+ if (reason->type == DIGEST)
|
|
+ print_digest(&reason->digest);
|
|
+ else if (reason->type == SIGNATURE)
|
|
+ print_signatures(&reason->sig, &reason->db_cert);
|
|
+ else
|
|
+ errx(1, "Unknown data type %d\n", reason->type);
|
|
+ break;
|
|
+ case INVALID:
|
|
+ if (reason->type == DIGEST) {
|
|
+ printf("Invalid digest: ");
|
|
+ print_digest(&reason->digest);
|
|
+ } else if (reason->type == SIGNATURE) {
|
|
+ printf("Invalid signature: ");
|
|
+ print_signatures(&reason->sig, &reason->db_cert);
|
|
+ } else {
|
|
+ errx(1, "Unknown data type %d\n", reason->type);
|
|
+ }
|
|
+ break;
|
|
+ case BLACKLISTED:
|
|
+ if (reason->type == DIGEST) {
|
|
+ printf("Invalid digest: ");
|
|
+ print_digest(&reason->digest);
|
|
+ } else if (reason->type == SIGNATURE) {
|
|
+ printf("Invalid signature: ");
|
|
+ print_signatures(&reason->sig, &reason->db_cert);
|
|
+ } else {
|
|
+ errx(1, "Unknown data type %d\n", reason->type);
|
|
+ }
|
|
+ break;
|
|
+ case NO_WHITELIST:
|
|
+ if (reason->type == NONE)
|
|
+ printf("No matching whitelist entry.\n");
|
|
+ else
|
|
+ errx(1, "Invalid data type %d\n", reason->type);
|
|
+ break;
|
|
+ default:
|
|
+ errx(1, "Unknown reason type %d\n", reason->reason);
|
|
+ break;
|
|
+ }
|
|
+}
|
|
+
|
|
+static void
|
|
+get_digest(pesigcheck_context *ctx, SECItem *digest)
|
|
+{
|
|
+ struct cms_context *cms = ctx->cms_ctx;
|
|
+ struct digest *cms_digest = &cms->digests[cms->selected_digest];
|
|
+
|
|
+ memcpy(digest, cms_digest->pe_digest, sizeof (*digest));
|
|
+}
|
|
+
|
|
static int
|
|
-check_signature(pesigcheck_context *ctx)
|
|
+check_signature(pesigcheck_context *ctx, int *nreasons,
|
|
+ struct reason **reasons)
|
|
{
|
|
- int has_valid_cert = 0;
|
|
- int has_invalid_cert = 0;
|
|
+ bool has_valid_cert = false;
|
|
+ bool is_invalid = false;
|
|
+ struct reason *reasonps = NULL, *reason;
|
|
+ int num_reasons = 16;
|
|
+ int nreason = 0;
|
|
int rc = 0;
|
|
+ int ret = -1;
|
|
|
|
cert_iter iter;
|
|
|
|
+ reasonps = calloc(sizeof(struct reason), 512);
|
|
+ if (!reasonps)
|
|
+ err(1, "check_signature");
|
|
+
|
|
generate_digest(ctx->cms_ctx, ctx->inpe, 1);
|
|
|
|
- if (check_db_hash(DBX, ctx) == FOUND)
|
|
- return -1;
|
|
+ if (check_db_hash(DBX, ctx) == FOUND) {
|
|
+ reason = &reasonps[nreason];
|
|
+ reason->reason = BLACKLISTED;
|
|
+ reason->type = DIGEST;
|
|
+ get_digest(ctx, &reason->digest);
|
|
+ reason += 1;
|
|
+ is_invalid = true;
|
|
+ }
|
|
|
|
- if (check_db_hash(DB, ctx) == FOUND)
|
|
- has_valid_cert = 1;
|
|
+ if (check_db_hash(DB, ctx) == FOUND) {
|
|
+ reason = &reasonps[nreason];
|
|
+ reason->reason = WHITELISTED;
|
|
+ reason->type = DIGEST;
|
|
+ get_digest(ctx, &reason->digest);
|
|
+ nreason += 1;
|
|
+ has_valid_cert = true;
|
|
+ }
|
|
|
|
rc = cert_iter_init(&iter, ctx->inpe);
|
|
if (rc < 0)
|
|
@@ -145,32 +281,81 @@ check_signature(pesigcheck_context *ctx)
|
|
ssize_t datalen;
|
|
|
|
while (1) {
|
|
+ /*
|
|
+ * Make sure we always have enough for this iteration of the
|
|
+ * loop, plus one "NO_WHITELIST" entry at the end.
|
|
+ */
|
|
+ if (nreason >= num_reasons - 4) {
|
|
+ struct reason *new_reasons;
|
|
+
|
|
+ num_reasons += 16;
|
|
+
|
|
+ new_reasons = calloc(sizeof(struct reason), num_reasons);
|
|
+ if (!new_reasons)
|
|
+ err(1, "check_signature");
|
|
+ reasonps = new_reasons;
|
|
+ }
|
|
+
|
|
rc = next_cert(&iter, &data, &datalen);
|
|
if (rc <= 0)
|
|
break;
|
|
|
|
- if (cert_matches_digest(ctx, data, datalen) < 0) {
|
|
- has_invalid_cert = 1;
|
|
- break;
|
|
+ reason = &reasonps[nreason];
|
|
+ if (cert_matches_digest(ctx, data, datalen,
|
|
+ &reason->digest) < 0) {
|
|
+ reason->reason = INVALID;
|
|
+ reason->type = DIGEST;
|
|
+ nreason += 1;
|
|
+ is_invalid = true;
|
|
}
|
|
|
|
- if (check_db_cert(DBX, ctx, data, datalen) == FOUND) {
|
|
- has_invalid_cert = 1;
|
|
- break;
|
|
+ reason = &reasonps[nreason];
|
|
+ if (check_db_cert(DBX, ctx, data, datalen,
|
|
+ &reason->db_cert) == FOUND) {
|
|
+ reason->reason = INVALID;
|
|
+ reason->type = SIGNATURE;
|
|
+ reason->sig.data = data;
|
|
+ reason->sig.len = datalen;
|
|
+ reason->type = siBuffer;
|
|
+ nreason += 1;
|
|
+ is_invalid = true;
|
|
}
|
|
|
|
- if (check_db_cert(DB, ctx, data, datalen) == FOUND)
|
|
- has_valid_cert = 1;
|
|
+ reason = &reasonps[nreason];
|
|
+ if (check_db_cert(DB, ctx, data, datalen,
|
|
+ &reason->db_cert) == FOUND) {
|
|
+ reason->reason = WHITELISTED;
|
|
+ reason->type = SIGNATURE;
|
|
+ reason->sig.data = data;
|
|
+ reason->sig.len = datalen;
|
|
+ reason->type = siBuffer;
|
|
+ nreason += 1;
|
|
+ has_valid_cert = true;
|
|
+ }
|
|
}
|
|
|
|
err:
|
|
- if (has_invalid_cert)
|
|
- return -1;
|
|
+ if (has_valid_cert != true) {
|
|
+ if (is_invalid != true) {
|
|
+ reason = &reasonps[nreason];
|
|
+ reason->reason = NO_WHITELIST;
|
|
+ reason->type = NONE;
|
|
+ nreason += 1;
|
|
+ }
|
|
+ is_invalid = true;
|
|
+ }
|
|
|
|
- if (has_valid_cert)
|
|
- return 0;
|
|
+ if (is_invalid == false)
|
|
+ ret = 0;
|
|
|
|
- return -1;
|
|
+ if (nreasons && reasons) {
|
|
+ *nreasons = nreason;
|
|
+ *reasons = reasonps;
|
|
+ } else {
|
|
+ free(reasonps);
|
|
+ }
|
|
+
|
|
+ return ret;
|
|
}
|
|
|
|
void
|
|
@@ -204,6 +389,9 @@ main(int argc, char *argv[])
|
|
|
|
pesigcheck_context ctx, *ctxp = &ctx;
|
|
|
|
+ struct reason *reasons = NULL;
|
|
+ int nreasons = 0;
|
|
+
|
|
char *dbfile = NULL;
|
|
char *dbxfile = NULL;
|
|
char *certfile = NULL;
|
|
@@ -242,6 +430,12 @@ main(int argc, char *argv[])
|
|
.arg = &ctx.quiet,
|
|
.val = 1,
|
|
.descrip = "return only; no text output." },
|
|
+ {.longName = "verbose",
|
|
+ .shortName = 'v',
|
|
+ .argInfo = POPT_BIT_SET,
|
|
+ .arg = &ctx.verbose,
|
|
+ .val = 1,
|
|
+ .descrip = "print reasons for success and failure." },
|
|
{.longName = "no-system-db",
|
|
.shortName = 'n',
|
|
.argInfo = POPT_ARG_INT,
|
|
@@ -308,12 +502,16 @@ main(int argc, char *argv[])
|
|
exit(1);
|
|
}
|
|
|
|
- rc = check_signature(ctxp);
|
|
+ rc = check_signature(ctxp, &nreasons, &reasons);
|
|
|
|
- close_input(ctxp);
|
|
+ if (!ctx.quiet && ctx.verbose) {
|
|
+ for (int i = 0; i < nreasons; i++)
|
|
+ print_reason(&reasons[i]);
|
|
+ }
|
|
if (!ctx.quiet)
|
|
printf("pesigcheck: \"%s\" is %s.\n", ctx.infile,
|
|
rc >= 0 ? "valid" : "invalid");
|
|
+ close_input(ctxp);
|
|
pesigcheck_context_fini(&ctx);
|
|
|
|
NSS_Shutdown();
|
|
diff --git a/src/certdb.h b/src/certdb.h
|
|
index ccf3c87..8402299 100644
|
|
--- a/src/certdb.h
|
|
+++ b/src/certdb.h
|
|
@@ -43,7 +43,7 @@ typedef struct {
|
|
|
|
extern db_status check_db_hash(db_specifier which, pesigcheck_context *ctx);
|
|
extern db_status check_db_cert(db_specifier which, pesigcheck_context *ctx,
|
|
- void *data, ssize_t datalen);
|
|
+ void *data, ssize_t datalen, SECItem *match);
|
|
|
|
extern void init_cert_db(pesigcheck_context *ctx, int use_system_dbs);
|
|
extern int add_cert_db(pesigcheck_context *ctx, const char *filename);
|
|
diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
|
|
index 7b5cc89..aec415e 100644
|
|
--- a/src/pesigcheck_context.h
|
|
+++ b/src/pesigcheck_context.h
|
|
@@ -61,6 +61,7 @@ typedef struct pesigcheck_context {
|
|
Pe *inpe;
|
|
|
|
int quiet;
|
|
+ int verbose;
|
|
|
|
hashlist *hashes;
|
|
|