@@ -57,7 +57,9 @@ static const char *pubkeyfile;
static const char *pubkeydir;
static const char *sigfile;
static const char *seckeyfile;
+#ifndef VERIFYONLY
static const char *comment;
+#endif
static bool quiet;
static enum {
CMD_NONE,
@@ -139,21 +141,6 @@ get_base64_file(const char *file, void *dest, int size, void *buf, int buflen)
return b64_decode(buf, dest, size) == size;
}
-static void write_file(const char *name, const uint8_t *fingerprint,
- const char *prefix, char *buf)
-{
- FILE *f;
-
- f = open_file(name, false);
- fputs("untrusted comment: ", f);
- if (comment)
- fputs(comment, f);
- else
- fprintf(f, "%s %016"PRIx64, prefix,
- fingerprint_u64(fingerprint));
- fprintf(f, "\n%s\n", buf);
- fclose(f);
-}
static int verify(const char *msgfile)
{
@@ -208,6 +195,47 @@ static int verify(const char *msgfile)
return 0;
}
+static int fingerprint(void)
+{
+ struct seckey skey;
+ struct pubkey pkey;
+ struct sig sig;
+ char buf[512];
+ uint8_t *fp;
+
+ if (seckeyfile &&
+ get_base64_file(seckeyfile, &skey, sizeof(skey), buf, sizeof(buf)))
+ fp = skey.fingerprint;
+ else if (pubkeyfile &&
+ get_base64_file(pubkeyfile, &pkey, sizeof(pkey), buf, sizeof(buf)))
+ fp = pkey.fingerprint;
+ else if (sigfile &&
+ get_base64_file(sigfile, &sig, sizeof(sig), buf, sizeof(buf)))
+ fp = sig.fingerprint;
+ else
+ return 1;
+
+ fprintf(stdout, "%016"PRIx64"\n", fingerprint_u64(fp));
+ return 0;
+}
+
+#ifndef VERIFYONLY
+static void write_file(const char *name, const uint8_t *fingerprint,
+ const char *prefix, char *buf)
+{
+ FILE *f;
+
+ f = open_file(name, false);
+ fputs("untrusted comment: ", f);
+ if (comment)
+ fputs(comment, f);
+ else
+ fprintf(f, "%s %016"PRIx64, prefix,
+ fingerprint_u64(fingerprint));
+ fprintf(f, "\n%s\n", buf);
+ fclose(f);
+}
+
static int sign(const char *msgfile)
{
struct seckey skey;
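Review bot: write_file, now placed under `#ifndef VERIFYONLY`, still ignores the return value of `fclose(f)`, so a short write of the key or signature file (disk full, quota) is not reported and the command returns 0 with a truncated file on disk; change the last statement to `if (fclose(f) != 0)` and take the same failure path open_file uses (open_file's body is outside this hunk). The `comment` string is also emitted verbatim on the header line; if the reader in get_base64_file skips only the first line before calling b64_decode, a comment containing a newline would presumably shift what it parses, so either reject such comments where `-c` is parsed or state in a comment above write_file that the caller guarantees a single-line comment. fingerprint() is moved here unchanged, and sign() begins at the end of this hunk and continues past it.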
@@ -256,29 +284,6 @@ static int sign(const char *msgfile)
return 0;
}
-static int fingerprint(void)
-{
- struct seckey skey;
- struct pubkey pkey;
- struct sig sig;
- char buf[512];
- uint8_t *fp;
-
- if (seckeyfile &&
- get_base64_file(seckeyfile, &skey, sizeof(skey), buf, sizeof(buf)))
- fp = skey.fingerprint;
- else if (pubkeyfile &&
- get_base64_file(pubkeyfile, &pkey, sizeof(pkey), buf, sizeof(buf)))
- fp = pkey.fingerprint;
- else if (sigfile &&
- get_base64_file(sigfile, &sig, sizeof(sig), buf, sizeof(buf)))
- fp = sig.fingerprint;
- else
- return 1;
-
- fprintf(stdout, "%016"PRIx64"\n", fingerprint_u64(fp));
- return 0;
-}
static int generate(void)
{
@@ -332,6 +337,7 @@ static int generate(void)
return 0;
}
+#endif
static int usage(const char *cmd)
{
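Review bot: The `#endif` added on the line before `static int usage` closes the `#ifndef VERIFYONLY` opened above write_file three functions earlier, and the `#endif` that closes the CMD_SIGN/CMD_GENERATE cases in main (after `return generate();`) is similarly distant from its opener; a bare `#endif` gives a reader no way to tell which conditional it terminates. Write both as `#endif /* VERIFYONLY */`. generate() ends just above this line and usage() starts below it; both bodies lie outside the hunk.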
@@ -339,17 +345,21 @@ static int usage(const char *cmd)
"Usage: %s <command> <options>\n"
"Commands:\n"
" -V: verify (needs at least -m and -p|-P)\n"
- " -S: sign (needs at least -m and -s)\n"
" -F: print key fingerprint of public/secret key or signature\n"
+#ifndef VERIFYONLY
+ " -S: sign (needs at least -m and -s)\n"
" -G: generate a new keypair (needs at least -p and -s)\n"
+#endif
"Options:\n"
+#ifndef VERIFYONLY
" -c <comment>: add comment to keys\n"
- " -m <file>: message file\n"
+ " -s <file>: secret key file (sign/fingerprint only)\n"
+#endif
+ " -x <file>: signature file (defaults to <message file>.sig)\n"
" -p <file>: public key file (verify/fingerprint only)\n"
" -P <path>: public key directory (verify only)\n"
+ " -m <file>: message file\n"
" -q: quiet (do not print verification result, use return code only)\n"
- " -s <file>: secret key file (sign/fingerprint only)\n"
- " -x <file>: signature file (defaults to <message file>.sig)\n"
"\n",
cmd);
return 1;
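Review bot: The `-s` help line is moved inside `#ifndef VERIFYONLY`, but `-s` is still parsed unconditionally in main and is one of the inputs `-F` accepts, so a verify-only build documents `-F` as taking a secret key while hiding the option that supplies it. Move `" -s <file>: secret key file (sign/fingerprint only)\n"` out of the conditional block, next to the `-p` and `-x` lines, and consider wording it `(fingerprint only)` under VERIFYONLY if the build is meant to advertise only what it supports. The usage() signature and its return are outside this hunk.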
@@ -373,18 +383,23 @@ int main(int argc, char **argv)
case 'V':
set_cmd(argv[0], CMD_VERIFY);
break;
- case 'S':
- set_cmd(argv[0], CMD_SIGN);
- break;
case 'F':
set_cmd(argv[0], CMD_FINGERPRINT);
break;
+#ifndef VERIFYONLY
+ case 'S':
+ set_cmd(argv[0], CMD_SIGN);
+ break;
case 'G':
set_cmd(argv[0], CMD_GENERATE);
break;
case 'c':
comment = optarg;
break;
+#endif
+ case 's':
+ seckeyfile = optarg;
+ break;
case 'm':
msgfile = optarg;
break;
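Review bot: The `'S'`, `'G'` and `'c'` cases are compiled out, but the optstring handed to getopt that admits those letters is outside this hunk and is not shown changing; if it still lists them, a verify-only build accepts `-S` and `-c <comment>` as syntactically valid options, consumes `-c`'s argument, and lands in the switch's default branch instead of rejecting them as unknown. Guard the corresponding letters of the optstring with the same `#ifndef VERIFYONLY` (two adjacent string literals, one conditional, keep it readable) so the accepted option set matches the remaining cases. main() and its option loop begin and end outside this hunk.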
@@ -394,9 +409,6 @@ int main(int argc, char **argv)
case 'p':
pubkeyfile = optarg;
break;
- case 's':
- seckeyfile = optarg;
- break;
case 'x':
sigfile = optarg;
break;
@@ -425,20 +437,22 @@ int main(int argc, char **argv)
if ((!pubkeyfile && !pubkeydir) || !msgfile)
return usage(argv[0]);
return verify(msgfile);
- case CMD_SIGN:
- if (!seckeyfile || !msgfile || !sigfile)
- return usage(argv[0]);
- return sign(msgfile);
case CMD_FINGERPRINT:
if (!!seckeyfile + !!pubkeyfile + !!sigfile != 1) {
fprintf(stderr, "Need one secret/public key or signature\n");
return usage(argv[0]);
}
return fingerprint();
+#ifndef VERIFYONLY
+ case CMD_SIGN:
+ if (!seckeyfile || !msgfile || !sigfile)
+ return usage(argv[0]);
+ return sign(msgfile);
case CMD_GENERATE:
if (!seckeyfile || !pubkeyfile)
return usage(argv[0]);
return generate();
+#endif
default:
return usage(argv[0]);
}
The reimplementation of signify called usign is used for both opkg package list and sysupgrade verification. Currently usign supports all features by default, including key generation and signing of messages. Inspired by Petr's work on the signify port[0] I tried to add similar ifndef conditions to reduce the code size. If VERIFYONLY is set, the usign binary size is reduced by 4kB. Only the functions `-V` for verification and `-F` for fingerprint printing are enabled. [0]: https://github.com/openwrt/openwrt/pull/2911 Signed-off-by: Paul Spooren <mail@aparcar.org> --- main.c | 118 ++++++++++++++++++++++++++++++++------------------------- 1 file changed, 66 insertions(+), 52 deletions(-)