* [PATCH] Opkg support for smime (pkcs7) packages list signing
[not found] <baaef4710910150931l7c4c7afl6f2b7d7b10c2f0b1@mail.gmail.com>
@ 2009-10-15 16:34 ` Camille Moncelier
2009-10-26 15:06 ` Florian Boor
0 siblings, 1 reply; 3+ messages in thread
From: Camille Moncelier @ 2009-10-15 16:34 UTC (permalink / raw)
To: opkg-devel; +Cc: openembedded-devel
[-- Attachment #1: Type: text/plain, Size: 956 bytes --]
As promised :) here is a patch allowing opkg to authenticate
a package list using smime and openssl instead of gpgme
Example:
# Sign a package list:
openssl smime -sign -in /path/to/repo/Packages \
-signer /root/server.pem -binary \
-outform PEM -out /path/to/repo/Packages.sig
# Configuration in /etc/opkg/opkg.conf
option check_signature 1
option signature_ca_file /etc/serverCA.pem
# option signature_ca_path /path/to/certs/dir
# opkg update
Downloading http://repo:8000/Packages
Updated list of available packages in /usr/lib/opkg/lists/angstrom
Downloading http://repo:8000/Packages.sig
Signature check passed
# Package list corruption or MIM:
Downloading http://repo:8000/Packages
Updated list of available packages in /usr/lib/opkg/lists/angstrom
Downloading http://repo:8000/Packages.sig
Signature check failed
Collected errors:
* Verification failure
Camille Moncelier
http://devlife.org/
[-- Attachment #2: opkg-read-only-x509-smime-package-list-signature-support.patch --]
[-- Type: application/octet-stream, Size: 9345 bytes --]
Index: libopkg/opkg_cmd.c
===================================================================
--- libopkg/opkg_cmd.c (revision 219)
+++ libopkg/opkg_cmd.c (working copy)
@@ -259,8 +259,7 @@
list_file_name);
}
free(url);
-
-#ifdef HAVE_GPGME
+#if defined(HAVE_GPGME) || defined(HAVE_OPENSSL)
if (conf->check_signature) {
/* download detached signitures to verify the package lists */
/* get the url for the sig file */
@@ -273,7 +272,8 @@
/* create temporary file for it */
char *tmp_file_name;
- sprintf_alloc (&tmp_file_name, "%s/%s", tmp, "Packages.sig");
+ /* Put the signature in the right place */
+ sprintf_alloc (&tmp_file_name, "%s/%s.sig", lists_dir, src->name);
err = opkg_download(conf, url, tmp_file_name, NULL, NULL);
if (err) {
@@ -287,7 +287,8 @@
else
opkg_message (conf, OPKG_NOTICE, "Signature check failed\n");
}
- unlink (tmp_file_name);
+ /* We shouldn't unlink the signature ! */
+ // unlink (tmp_file_name);
free (tmp_file_name);
free (url);
}
Index: libopkg/opkg.c
===================================================================
--- libopkg/opkg.c (revision 219)
+++ libopkg/opkg.c (working copy)
@@ -850,7 +850,7 @@
}
free (url);
-#ifdef HAVE_GPGME
+#if defined(HAVE_GPGME) || defined(HAVE_OPENSSL)
if ( opkg->conf->check_signature ) {
char *sig_file_name;
/* download detached signitures to verify the package lists */
Index: libopkg/opkg_conf.c
===================================================================
--- libopkg/opkg_conf.c (revision 219)
+++ libopkg/opkg_conf.c (working copy)
@@ -75,6 +75,8 @@
{ "proxy_user", OPKG_OPT_TYPE_STRING, &conf->proxy_user },
{ "query-all", OPKG_OPT_TYPE_BOOL, &conf->query_all },
{ "verbosity", OPKG_OPT_TYPE_BOOL, &conf->verbosity },
+ { "signature_ca_file", OPKG_OPT_TYPE_STRING, &conf->signature_ca_file },
+ { "signature_ca_path", OPKG_OPT_TYPE_STRING, &conf->signature_ca_path },
{ NULL }
};
Index: libopkg/opkg_conf.h
===================================================================
--- libopkg/opkg_conf.h (revision 219)
+++ libopkg/opkg_conf.h (working copy)
@@ -82,6 +82,9 @@
char *proxy_user;
char *proxy_passwd;
+ char *signature_ca_file;
+ char *signature_ca_path;
+
hash_table_t pkg_hash;
hash_table_t file_hash;
hash_table_t obs_file_hash;
Index: libopkg/opkg_download.c
===================================================================
--- libopkg/opkg_download.c (revision 219)
+++ libopkg/opkg_download.c (working copy)
@@ -20,8 +20,17 @@
#ifdef HAVE_CURL
#include <curl/curl.h>
#endif
-#ifdef HAVE_GPGME
+#if defined(HAVE_GPGME)
#include <gpgme.h>
+#elif defined(HAVE_OPENSSL)
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/hmac.h>
+
#endif
#include "includes.h"
@@ -35,6 +44,12 @@
#include "str_util.h"
#include "opkg_defines.h"
+
+#ifdef HAVE_OPENSSL
+static X509_STORE *setup_verify(opkg_conf_t *conf, char *CAfile, char *CApath);
+static void init_openssl(void);
+#endif
+
int opkg_download(opkg_conf_t *conf, const char *src,
const char *dest_file_name, curl_progress_func cb, void *data)
{
@@ -307,7 +322,7 @@
int
opkg_verify_file (opkg_conf_t *conf, char *text_file, char *sig_file)
{
-#ifdef HAVE_GPGME
+#if defined HAVE_GPGME
if (conf->check_signature == 0 )
return 0;
int status = -1;
@@ -375,7 +390,130 @@
gpgme_release (ctx);
return status;
+#elif defined HAVE_OPENSSL
+ X509_STORE *store = NULL;
+ PKCS7 *p7 = NULL;
+ BIO *in = NULL, *indata = NULL;
+
+ // Sig check failed by default !
+ int status = -1;
+
+ init_openssl();
+
+ // Set-up the key store
+ if(!(store = setup_verify(conf, conf->signature_ca_file, conf->signature_ca_path))){
+ opkg_message(conf, OPKG_ERROR,
+ "Can't open CA certificates\n");
+ goto verify_file_end;
+ }
+
+ // Open a BIO to read the sig file
+ if (!(in = BIO_new_file(sig_file, "rb"))){
+ opkg_message(conf, OPKG_ERROR,
+ "Can't open signature file %s\n", sig_file);
+ goto verify_file_end;
+ }
+
+ // Read the PKCS7 block contained in the sig file
+ p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
+ if(!p7){
+ opkg_message(conf, OPKG_ERROR,
+ "Can't read signature file (Corrupted ?)\n");
+ goto verify_file_end;
+ }
+
+ // Open the Package file to authenticate
+ if (!(indata = BIO_new_file(text_file, "rb"))){
+ opkg_message(conf, OPKG_ERROR,
+ "Can't open file %s\n", text_file);
+ goto verify_file_end;
+ }
+
+ // Let's verify the autenticity !
+ if (PKCS7_verify(p7, NULL, store, indata, NULL, PKCS7_BINARY) != 1){
+ // Get Off My Lawn!
+ opkg_message(conf, OPKG_ERROR,
+ "Verification failure\n");
+ }else{
+ // Victory !
+ status = 0;
+ }
+
+verify_file_end:
+ BIO_free(in);
+ BIO_free(indata);
+ PKCS7_free(p7);
+ X509_STORE_free(store);
+
+ return status;
#else
return 0;
#endif
}
+
+
+#if defined HAVE_OPENSSL
+static X509_STORE *setup_verify(opkg_conf_t *conf, char *CAfile, char *CApath){
+ X509_STORE *store = NULL;
+ X509_LOOKUP *lookup = NULL;
+
+ if(!(store = X509_STORE_new())){
+ // Something bad is happening...
+ goto end;
+ }
+
+ // adds the X509 file lookup method
+ lookup = X509_STORE_add_lookup(store,X509_LOOKUP_file());
+ if (lookup == NULL){
+ goto end;
+ }
+
+ // Autenticating against one CA file
+ if (CAfile) {
+ if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
+ // Invalid CA => Bye bye
+ opkg_message(conf, OPKG_ERROR,
+ "Error loading file %s\n", CAfile);
+ goto end;
+ }
+ } else {
+ X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
+ }
+
+ // Now look into CApath directory if supplied
+ lookup = X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
+ if (lookup == NULL){
+ goto end;
+ }
+
+ if (CApath) {
+ if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
+ opkg_message(conf, OPKG_ERROR,
+ "Error loading directory %s\n", CApath);
+ goto end;
+ }
+ } else {
+ X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
+ }
+
+ // All right !
+ ERR_clear_error();
+ return store;
+
+end:
+
+ X509_STORE_free(store);
+ return NULL;
+
+}
+
+static void init_openssl(void){
+ static int init = 0;
+
+ if(!init){
+ OpenSSL_add_all_algorithms();
+ ERR_load_crypto_strings();
+ init = 1;
+ }
+}
+#endif
Index: libopkg/opkg_install.c
===================================================================
--- libopkg/opkg_install.c (revision 219)
+++ libopkg/opkg_install.c (working copy)
@@ -834,7 +834,7 @@
}
/* check that the repository is valid */
- #if HAVE_GPGME
+ #if defined(HAVE_GPGME) || defined(HAVE_OPENSSL)
char *list_file_name, *sig_file_name, *lists_dir;
/* check to ensure the package has come from a repository */
@@ -851,6 +851,8 @@
{
if (opkg_verify_file (conf, list_file_name, sig_file_name))
return OPKG_INSTALL_ERR_SIGNATURE;
+ }else{
+ return OPKG_INSTALL_ERR_SIGNATURE;
}
free (lists_dir);
Index: libopkg/args.c
===================================================================
--- libopkg/args.c (revision 219)
+++ libopkg/args.c (working copy)
@@ -62,7 +62,7 @@
if (conf_file_dir == NULL || conf_file_dir[0] == '\0') {
conf_file_dir = ARGS_DEFAULT_CONF_FILE_DIR;
}
- sprintf_alloc(&args->conf_file, "%s/%s", conf_file_dir,
+ sprintf_alloc(&args->conf_file, "%s/%s", OPKGETCDIR,
ARGS_DEFAULT_CONF_FILE_NAME);
args->force_defaults = ARGS_DEFAULT_FORCE_DEFAULTS;
Index: configure.ac
===================================================================
--- configure.ac (revision 219)
+++ configure.ac (working copy)
@@ -37,7 +37,18 @@
AC_DEFINE(HAVE_CURL, 1, [Define if you want CURL support])
fi
+# check for openssl
+AC_ARG_ENABLE(openssl,
+ AC_HELP_STRING([--enable-openssl], [Enable signature checking with OpenSSL
+ [[default=no]] ]),
+ [want_openssl="$enableval"], [want_openssl="no"])
+if test "x$want_openssl" = "xyes"; then
+ PKG_CHECK_MODULES(OPENSSL, openssl)
+ AC_DEFINE(HAVE_OPENSSL, 1, [Define if you want OpenSSL support])
+fi
+
+
dnl **********
dnl GPGME
dnl **********
@@ -160,6 +171,18 @@
fi
+dnl Some special cases for the wow64 build
+if test "x$want_gpgme" = "xyes"
+then
+ if test "x$want_openssl" = "xyes"
+ then
+ AC_MSG_ERROR([--enable-gpg and --enable-openssl are mutually exclusive.
+Use --disable-gpg if you want OpenSSL smime signatures])
+ fi
+fi
+
+
+
AC_SUBST(opkglibdir)
AC_SUBST(opkgetcdir)
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] Opkg support for smime (pkcs7) packages list signing
2009-10-15 16:34 ` [PATCH] Opkg support for smime (pkcs7) packages list signing Camille Moncelier
@ 2009-10-26 15:06 ` Florian Boor
2009-10-26 20:16 ` [opkg-devel] " Camille Moncelier
0 siblings, 1 reply; 3+ messages in thread
From: Florian Boor @ 2009-10-26 15:06 UTC (permalink / raw)
To: openembedded-devel; +Cc: opkg-devel
Hi,
Camille Moncelier schrieb:
> As promised :) here is a patch allowing opkg to authenticate
> a package list using smime and openssl instead of gpgme
nice, this might be an interesting feature in future. Any reaction from the opkg
maintainers so far?
Greetings
Florian
--
The dream of yesterday Florian Boor
is the hope of today Tel: +49 271-771091-15
and the reality of tomorrow. Fax: +49 271-771091-19
[Robert Hutchings Goddard, 1904] florian.boor@kernelconcepts.de
http://www.kernelconcepts.de/en
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [opkg-devel] Re: [PATCH] Opkg support for smime (pkcs7) packages list signing
2009-10-26 15:06 ` Florian Boor
@ 2009-10-26 20:16 ` Camille Moncelier
0 siblings, 0 replies; 3+ messages in thread
From: Camille Moncelier @ 2009-10-26 20:16 UTC (permalink / raw)
To: opkg-devel; +Cc: openembedded-devel
Nope, no reactions, it seems opkg mainteners are quite busy sometimes.
On Mon, Oct 26, 2009 at 4:06 PM, Florian Boor
<florian.boor@kernelconcepts.de> wrote:
>
> Hi,
>
> Camille Moncelier schrieb:
>> As promised :) here is a patch allowing opkg to authenticate
>> a package list using smime and openssl instead of gpgme
>
> nice, this might be an interesting feature in future. Any reaction from the opkg
> maintainers so far?
>
> Greetings
>
> Florian
>
> --
> The dream of yesterday Florian Boor
> is the hope of today Tel: +49 271-771091-15
> and the reality of tomorrow. Fax: +49 271-771091-19
> [Robert Hutchings Goddard, 1904] florian.boor@kernelconcepts.de
> http://www.kernelconcepts.de/en
>
> --~--~---------~--~----~------------~-------~--~----~
> You received this message because you are subscribed to the Google Groups "opkg-devel" group.
> To post to this group, send email to opkg-devel@googlegroups.com
> To unsubscribe from this group, send email to opkg-devel+unsubscribe@googlegroups.com
> For more options, visit this group at http://groups.google.com/group/opkg-devel?hl=en
> -~----------~----~----~----~------~----~------~--~---
>
>
--
Camille Moncelier
http://devlife.org/
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2009-10-26 20:18 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <baaef4710910150931l7c4c7afl6f2b7d7b10c2f0b1@mail.gmail.com>
2009-10-15 16:34 ` [PATCH] Opkg support for smime (pkcs7) packages list signing Camille Moncelier
2009-10-26 15:06 ` Florian Boor
2009-10-26 20:16 ` [opkg-devel] " Camille Moncelier
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.