diff options
| author | Marc Espie <espie@cvs.openbsd.org> | 2009-04-14 17:53:59 +0000 |
|---|---|---|
| committer | Marc Espie <espie@cvs.openbsd.org> | 2009-04-14 17:53:59 +0000 |
| commit | 0eeedccf76bc2c7471d658552dead38ad5afbea9 (patch) | |
| tree | bbf9b52d2bae817a80f29da0813928d1638a8e8f /usr.sbin/pkg_add/OpenBSD/x509.pm | |
| parent | ed3a64d9765d596b326e1d8ef28e5c975a742929 (diff) | |
initial implementation of package signatures, based on x509 certificates and
smime detached signatures.
Diffstat (limited to 'usr.sbin/pkg_add/OpenBSD/x509.pm')
| -rw-r--r-- | usr.sbin/pkg_add/OpenBSD/x509.pm | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/usr.sbin/pkg_add/OpenBSD/x509.pm b/usr.sbin/pkg_add/OpenBSD/x509.pm new file mode 100644 index 00000000000..07d73a68627 --- /dev/null +++ b/usr.sbin/pkg_add/OpenBSD/x509.pm @@ -0,0 +1,108 @@ +# ex:ts=8 sw=4: +# $OpenBSD: x509.pm,v 1.1 2009/04/14 17:53:58 espie Exp $ +# +# Copyright (c) 2003-2007 Marc Espie <espie@openbsd.org> +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +use strict; +use warnings; + +package OpenBSD::x509; + +use OpenBSD::PackageInfo; +use OpenBSD::Paths; +use MIME::Base64; +use File::Temp qw/mkstemp/; + + +sub compute_signature +{ + my ($plist, $cert, $key) = @_; + + open my $fh, ">", $plist->infodir.CONTENTS; + $plist->write_no_sig($fh); + close $fh; + open(my $sighandle, "-|", OpenBSD::Paths->openssl, "smime", "-sign", + "-binary", "-signer", $cert ,"-in", $plist->infodir.CONTENTS, + "-inkey", $key, "-outform", "DEM") or die; + my $sig; + sysread($sighandle, $sig, 16384); + close($sighandle) or die "problem generating signature $!"; + + return encode_base64($sig, ''); +} + +sub dump_certificate_info +{ + my $fname2 = shift; + + open my $fh, "-|", OpenBSD::Paths->openssl, "asn1parse", + "-inform", "DEM", "-in", $fname2; + my %want = map {($_, 1)} + qw(countryName localityName organizationName + organizationalUnitName commonName emailAddress); + while (<$fh>) { + if (m/\sprim\:\s+OBJECT\s*\:(.*)\s*$/) { + my $objectname = $1; + $_ = <$fh>; + if (m/\sprim\:\s+[A-Z0-9]+\s*\:(.*)\s*$/) { + if ($want{$objectname}) { + print "$objectname=$1\n"; + } + } + } + } + close($fh); +} + +sub print_certificate_info +{ + my $plist = shift; + + my ($fh, $fname) = mkstemp("/tmp/pkgsig.XXXXXXXXX"); + print $fh decode_base64($plist->{'digital-signature'}->{b64sig}); + close $fh; + dump_certificate_info($fname); + unlink $fname; +} + +sub check_signature +{ + my ($plist, $state) = @_; + my $sig = $plist->get('digital-signature'); + if ($sig->{key} ne 'x509') { + $state->warn("Error: unknown signature style"); + return 0; + } + my ($fh, $fname) = mkstemp("/tmp/pkgcontent.XXXXXXXXX"); + my ($fh2, $fname2) = mkstemp("/tmp/pkgsig.XXXXXXXXX"); + $plist->write_no_sig($fh); + print $fh2 decode_base64($sig->{b64sig}); + close $fh; + close $fh2; + if (system (OpenBSD::Paths->openssl, "smime", "-verify", "-binary", + "-inform", "DEM", "-in", $fname2, "-content", $fname, + "-CAfile", OpenBSD::Paths->pkgca, "-out", "/dev/null") != 0) { + $state->warn("Bad signature"); + return 0; + } + if ($state->{verbose}) { + dump_certificate_info($fname2); + } + unlink $fname; + unlink $fname2; + return 1; +} + +1; |