From patchwork Mon Aug 27 13:06:40 2018
X-Patchwork-Submitter: Denis Osterland-Heim
X-Patchwork-Id: 962512
From: Denis OSTERLAND
To: "swupdate@googlegroups.com"
CC: Denis OSTERLAND
Subject: [swupdate] [PATCH 1/2] signature: allow to verify signers common name
Date: Mon, 27 Aug 2018 13:06:40 +0000
Message-ID: <20180827130255.815-2-Denis.Osterland@diehl.com>
References: <20180827130255.815-1-Denis.Osterland@diehl.com>
In-Reply-To: <20180827130255.815-1-Denis.Osterland@diehl.com>

Add a string config "forced-signer-name" to specify the expected common name of the signer's certificate.

Signed-off-by: Denis Osterland
---
 core/parser.c              |  2 +-
 core/swupdate.c            |  2 ++
 corelib/verify_signature.c | 74 ++++++++++++++++++++++++++++++++++++--
 include/sslapi.h           |  2 +-
 include/swupdate.h         |  1 +
 5 files changed, 77 insertions(+), 4 deletions(-)

diff --git a/core/parser.c b/core/parser.c
index c10d712..a5f93e2 100644
--- a/core/parser.c
+++ b/core/parser.c
@@ -227,7 +227,7 @@ int parse(struct swupdate_cfg *sw, const char *descfile) strcpy(sigfile, descfile); strcat(sigfile, ".sig"); - ret = swupdate_verify_file(sw->dgst, sigfile, descfile); + ret = swupdate_verify_file(sw, sigfile, descfile); free(sigfile); if (ret) diff --git a/core/swupdate.c b/core/swupdate.c index b1e115d..bba8718 100644 --- a/core/swupdate.c +++ b/core/swupdate.c @@ -478,6 +478,8 @@ static int read_globals_settings(void *elem, void *data) get_field(LIBCFG_PARSER, elem, "syslog", &sw->globals.syslog_enabled); GET_FIELD_STRING(LIBCFG_PARSER, elem, "no-downgrading", sw->globals.current_version); + GET_FIELD_STRING(LIBCFG_PARSER, elem, "forced-signer-name", + sw->globals.forced_signer_name); if (strlen(sw->globals.current_version)) sw->globals.no_downgrading = 1; diff --git a/corelib/verify_signature.c b/corelib/verify_signature.c index 5c9324e..4df24ba 100644 --- a/corelib/verify_signature.c +++ b/corelib/verify_signature.c @@ -108,9 +108,10 @@ static int verify_final(struct swupdate_digest *dgst, unsigned char *sig, unsign return rc; } -int swupdate_verify_file(struct swupdate_digest *dgst, const char *sigfile, +int swupdate_verify_file(struct swupdate_cfg *sw, const char *sigfile, const char *file) { + struct swupdate_digest *dgst = sw->dgst; FILE *fp = NULL; BIO *sigbio; int siglen = 0; 
@@ -288,9 +289,72 @@ static X509_STORE *load_cert_chain(const char *file) return castore; } -int swupdate_verify_file(struct swupdate_digest *dgst, const char *sigfile, +static int check_common_name(X509_NAME *subject, + const char name[SWUPDATE_GENERAL_STRING_SIZE]) +{ + int i, ret = 1; + + for (i = X509_NAME_get_index_by_NID(subject, NID_commonName, -1); + (ret < 2) && (i > -1); + i = X509_NAME_get_index_by_NID(subject, NID_commonName, i)) { + X509_NAME_ENTRY *e = X509_NAME_get_entry(subject, i); + ASN1_STRING *d = X509_NAME_ENTRY_get_data(e); + unsigned char* cn; + int len = ASN1_STRING_to_UTF8(&cn, d); + bool matches = (len == (int)strlen(name)) + && (memcmp(name, cn, len) == 0); + + OPENSSL_free(cn); + if (!matches) { + ERROR("common name '%s' does not match expected '%s'", + (const char*)cn, name); + ret = 2; + } else { + ret = 0; + } + } + + if (ret == 0) { + char *subj = X509_NAME_oneline(subject, NULL, 0); + + TRACE("verified signer cert: %s", subj); + OPENSSL_free(subj); + } + + return ret; +} + +static int check_signer_name(CMS_ContentInfo *cms, + const char name[SWUPDATE_GENERAL_STRING_SIZE]) +{ + STACK_OF(CMS_SignerInfo) *infos = CMS_get0_SignerInfos(cms); + STACK_OF(X509) *crts = CMS_get1_certs(cms); + int i, ret = 1; + + if (name[0] == '\0') + return 0; + + for (i = 0; i < sk_CMS_SignerInfo_num(infos); ++i) { + CMS_SignerInfo *si = sk_CMS_SignerInfo_value(infos, i); + int j; + + for (j = 0; j < sk_X509_num(crts); ++j) { + X509 *crt = sk_X509_value(crts, j); + + if (CMS_SignerInfo_cert_cmp(si, crt) == 0) { + ret = check_common_name( + X509_get_subject_name(crt), name); + } + } + } + + return ret; +} + +int swupdate_verify_file(struct swupdate_cfg *sw, const char *sigfile, const char *file) { + struct swupdate_digest *dgst = sw->dgst; int status = -EFAULT; CMS_ContentInfo *cms = NULL; BIO *content_bio = NULL; 
@@ -311,6 +375,12 @@ int swupdate_verify_file(struct swupdate_digest *dgst, const char *sigfile, goto out; } + if (check_signer_name(cms, sw->globals.forced_signer_name)) { + ERROR("failed to verify signer name"); + status = -EFAULT; + goto out; + } + /* Open the content file (data which was signed) */ content_bio = BIO_new_file(file, "rb"); if (!content_bio) { diff --git a/include/sslapi.h b/include/sslapi.h index 1d24dfb..862e470 100644 --- a/include/sslapi.h +++ b/include/sslapi.h @@ -83,7 +83,7 @@ int swupdate_HASH_update(struct swupdate_digest *dgst, unsigned char *buf, int swupdate_HASH_final(struct swupdate_digest *dgst, unsigned char *md_value, unsigned int *md_len); void swupdate_HASH_cleanup(struct swupdate_digest *dgst); -int swupdate_verify_file(struct swupdate_digest *dgst, const char *sigfile, +int swupdate_verify_file(struct swupdate_cfg *sw, const char *sigfile, const char *file); int swupdate_HASH_compare(unsigned char *hash1, unsigned char *hash2); diff --git a/include/swupdate.h b/include/swupdate.h index 741d24c..a8778a4 100644 --- a/include/swupdate.h +++ b/include/swupdate.h 
@@ -112,6 +112,7 @@ struct swupdate_global_cfg { char aeskeyfname[SWUPDATE_GENERAL_STRING_SIZE]; char postupdatecmd[SWUPDATE_GENERAL_STRING_SIZE]; char current_version[SWUPDATE_GENERAL_STRING_SIZE]; + char forced_signer_name[SWUPDATE_GENERAL_STRING_SIZE]; }; struct swupdate_cfg {
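Review bot: use-after-free in check_common_name() (corelib/verify_signature.c hunk): `OPENSSL_free(cn);` runs before the `ERROR("common name '%s' does not match expected '%s'", (const char*)cn, name);` that prints `cn`, so the mismatch path logs freed memory. Move the `OPENSSL_free(cn);` below the if/else. In the same loop, `ASN1_STRING_to_UTF8()` returns a negative value on failure and does not set `cn`, so `len` needs a `if (len < 0) { ret = 2; break; }` guard before the comparison and the free; `bool` also needs `<stdbool.h>` if the file does not already pull it in. Note too that `cn` comes from a certificate embedded in the update file and is printed with `%s` before any verification has happened, so control characters in a crafted CN land verbatim in the log; escaping or length-limiting it in the message would be prudent.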
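Review bot: memory leak and weak failure semantics in check_signer_name() (corelib/verify_signature.c hunk): `CMS_get1_certs(cms)` returns a newly allocated stack of up-referenced certificates that is never released, and the `if (name[0] == '\0') return 0;` early return sits after that allocation, so every call leaks even when the check is disabled. Test `name` first and free with `sk_X509_pop_free(crts, X509_free);` on every exit. Also, the loops never stop on a mismatch: with several SignerInfos a later matching signer overwrites the `ret = 2` set for an earlier one, so a single bad signer can be masked; break out as soon as check_common_name() returns non-zero so that one mismatch fails the whole verification.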
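Review bot: ordering deserves a comment in the swupdate_verify_file() hunk: the new `check_signer_name(cms, sw->globals.forced_signer_name)` call runs before `content_bio` is opened and the CMS signature is verified, so it compares the CN of certificates taken from the still-untrusted CMS structure. That is acceptable as a fail-closed pre-filter, but the identity binding only exists once the later verification against the CA store succeeds; a one-line comment saying so would stop a future reader from treating the CN match as a verification result on its own.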
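Review bot: missing documentation for the new `forced-signer-name` key added in the core/swupdate.c hunk: the diffstat touches no documentation or example configuration, so users have no description of what the value is compared against (the CN of the signing certificate embedded in the CMS signature) or that the empty default disables the check. Please add both points alongside the other `globals` keys such as `no-downgrading`.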
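Review bot: the include/sslapi.h hunk changes the prototype to take `struct swupdate_cfg *sw`, a type this header previously did not need; unless it already includes swupdate.h, add a forward declaration `struct swupdate_cfg;` above the prototype so that every translation unit including sslapi.h keeps compiling without warnings. The core/parser.c and include/swupdate.h hunks are consistent with that signature change.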
From patchwork Mon Aug 27 13:06:40 2018
X-Patchwork-Submitter: Denis Osterland-Heim
X-Patchwork-Id: 962511
From: Denis OSTERLAND
To: "swupdate@googlegroups.com"
CC: Denis OSTERLAND
Subject: [swupdate] [PATCH 2/2] acceptance-tests: add tests for signer common name check
Date: Mon, 27 Aug 2018 13:06:40 +0000
Message-ID: <20180827130255.815-3-Denis.Osterland@diehl.com>
References: <20180827130255.815-1-Denis.Osterland@diehl.com>
In-Reply-To: <20180827130255.815-1-Denis.Osterland@diehl.com>

Add tests to verify the signer's common name check implementation.

Signed-off-by: Denis Osterland
---
 scripts/acceptance-tests/CheckImage.mk | 35 +++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/scripts/acceptance-tests/CheckImage.mk b/scripts/acceptance-tests/CheckImage.mk
index 6e0fecd..bff7c24 100644
--- a/scripts/acceptance-tests/CheckImage.mk
+++ b/scripts/acceptance-tests/CheckImage.mk
@@ -18,7 +18,7 @@ # # test commands for --check command-line option # -SWU_CHECK_BASE = ./swupdate -l 5 -c $(if $(CONFIG_SIGNED_IMAGES),-k $(obj)/cacert.pem) +SWU_CHECK_BASE = ./swupdate -l 5 -c $(if $(CONFIG_SIGNED_IMAGES),-k $(obj)/cacert.pem) $(if $(strip $(filter %.cfg, $^)), -f $(filter %.cfg, $^)) SWU_CHECK = $(SWU_CHECK_BASE) $(if $(CONFIG_HW_COMPATIBILITY),-H test:1) $(if $(strip $(filter-out FORCE,$<)),-i $<) $(if $(strip $(KBUILD_VERBOSE:0=)),,>/dev/null 2>&1) quiet_cmd_swu_check_assert_false = RUN $@ @@ -53,6 +53,8 @@ tests-$(CONFIG_LIBCONFIG) += ValidImageTest tests-y += InvOptsNoImg tests-$(CONFIG_MONGOOSE) += InvOptsCheckWithWeb tests-$(CONFIG_SURICATTA) += InvOptsCheckWithSur +tests-$(CONFIG_SIGNED_IMAGES) += InvSigNameCheck +tests-$(CONFIG_SIGNED_IMAGES) += ValidSigNameCheck # # file not found test @@ -180,3 +182,34 @@ $(obj)/signer.pem $(obj)/cacert.pem: %/sw-description.sig :: %/sw-description $(obj)/signer.pem $(call cmd,sign_desc) + +# +# invalid signer name +# +PHONY += InvSigNameCheck +InvSigNameCheck: $(obj)/ValidImage.swu $(obj)/InvSigNameCheck.cfg FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem) + $(call cmd,swu_check_assert_false) + +clean-files += InvSigNameCheck.cfg +$(obj)/InvSigNameCheck.cfg: + $(Q)printf "\ +globals: {\n\ + forced-signer-name = \"shall be different\";\n\ +};\n\ +" > $@ + +# +# valid signer name +# +PHONY += ValidSigNameCheck +ValidSigNameCheck: $(obj)/ValidImage.swu $(obj)/ValidSigNameCheck.cfg FORCE $(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem) + $(call cmd,swu_check_assert_true) + +clean-files += ValidSigNameCheck.cfg +$(obj)/ValidSigNameCheck.cfg: + $(Q)printf "\ +globals: {\n\ + forced-signer-name = \"OpenSSL test S/MIME signer 1\";\n\ +};\n\ +" > $@ +
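Review bot: the positive test in the ValidSigNameCheck hunk hard-codes `forced-signer-name = \"OpenSSL test S/MIME signer 1\"`, which silently couples it to the subject used by the `$(obj)/signer.pem $(obj)/cacert.pem:` generation rule; if that subject ever changes, the test fails with a message that points at the verifier rather than at the fixture. Factor the CN into one make variable used by both the cert-generation rule and this cfg, or derive it from the generated certificate. The `$(if $(CONFIG_SIGNED_IMAGES), $(obj)/cacert.pem)` prerequisite on both new targets is redundant, since both are only registered through `tests-$(CONFIG_SIGNED_IMAGES) +=`.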
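Review bot: the SWU_CHECK_BASE hunk now appends `-f $(filter %.cfg, $^)` for every test that lists a `.cfg` prerequisite, which is a global behaviour change rather than one scoped to the two new tests; please say so in the commit message, and note that the generated cfg rules have no prerequisites, so a stale `InvSigNameCheck.cfg` or `ValidSigNameCheck.cfg` in `$(obj)` is reused until `clean` runs. A third case, an explicitly empty `forced-signer-name` accepting the valid image, would pin down the documented default behaviour rather than relying on ValidImageTest running without any cfg.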