svn commit: r287811 - stable/9/usr.sbin/pkg

Tue Sep 15 06:21:35 UTC 2015

Author: bapt
Date: Tue Sep 15 06:21:33 2015
New Revision: 287811
URL: https://svnweb.freebsd.org/changeset/base/287811

Log:
  MFC: r287579, r287810 (adapted to old openssl APIs)
  
  Implement pubkey support for the bootstrap
  
  Note that to not interfer with finger print it expects a signature on pkg itself
  which is named pkg.txz.pubkeysign
  
  To generate it:
  echo -n "$(sha256 -q pkg.txz)" | openssl dgst -sha256 -sign /thekey \
      -binary -out ./pkg.txz.pubkeysig
  
  Note the "echo -n" which prevent signing the '\n' one would get otherwise
  
  PR:		202622

Modified:
  stable/9/usr.sbin/pkg/config.c
  stable/9/usr.sbin/pkg/config.h
  stable/9/usr.sbin/pkg/pkg.c
Directory Properties:
  stable/9/usr.sbin/pkg/   (props changed)

Modified: stable/9/usr.sbin/pkg/config.c
==============================================================================

--- stable/9/usr.sbin/pkg/config.c	Tue Sep 15 05:56:16 2015	(r287810)
+++ stable/9/usr.sbin/pkg/config.c	Tue Sep 15 06:21:33 2015	(r287811)
@@ -131,6 +131,15 @@ static struct config_entry c[] = {
 		false,
 		true,
 	},
+	[PUBKEY] = {
+		PKG_CONFIG_STRING,
+		"PUBKEY",
+		NULL,
+		NULL,
+		NULL,
+		false,
+		false
+	}
 };
 
 static const char *
@@ -347,6 +356,8 @@ config_parse(const ucl_object_t *obj, pk
 				sbuf_cpy(buf, "SIGNATURE_TYPE");
 			else if (strcasecmp(key, "fingerprints") == 0)
 				sbuf_cpy(buf, "FINGERPRINTS");
+			else if (strcasecmp(key, "pubkey") == 0)
+				sbuf_cpy(buf, "PUBKEY");
 			else if (strcasecmp(key, "enabled") == 0) {
 				if ((cur->type != UCL_BOOLEAN) ||
 				    !ucl_object_toboolean(cur))

Modified: stable/9/usr.sbin/pkg/config.h
==============================================================================
--- stable/9/usr.sbin/pkg/config.h	Tue Sep 15 05:56:16 2015	(r287810)
+++ stable/9/usr.sbin/pkg/config.h	Tue Sep 15 06:21:33 2015	(r287811)
@@ -40,6 +40,7 @@ typedef enum {
 	SIGNATURE_TYPE,
 	FINGERPRINTS,
 	REPOS_DIR,
+	PUBKEY,
 	CONFIG_SIZE
 } pkg_config_key;
 

Modified: stable/9/usr.sbin/pkg/pkg.c
==============================================================================
--- stable/9/usr.sbin/pkg/pkg.c	Tue Sep 15 05:56:16 2015	(r287810)
+++ stable/9/usr.sbin/pkg/pkg.c	Tue Sep 15 06:21:33 2015	(r287811)
@@ -66,6 +66,11 @@ struct sig_cert {
 	bool trusted;
 };
 
+struct pubkey {
+	unsigned char *sig;
+	int siglen;
+};
+
 typedef enum {
        HASH_UNKNOWN,
        HASH_SHA256,
@@ -481,7 +486,30 @@ cleanup:
 }
 
 static RSA *
-load_rsa_public_key_buf(unsigned char *cert, int certlen)
+load_rsa_public_key_file(const char *file)
+{
+	RSA *rsa = NULL;
+	BIO *bp;
+	char errbuf[1024];
+
+	bp = BIO_new_file(file, "r");
+	if (!bp)
+		errx(EXIT_FAILURE, "Unable to read %s", file);
+
+	if (!PEM_read_bio_RSA_PUBKEY(bp, &rsa, NULL, NULL)) {
+		warn("error reading public key: %s",
+		    ERR_error_string(ERR_get_error(), errbuf));
+		BIO_free(bp);
+		return (NULL);
+	}
+
+	BIO_free(bp);
+
+	return (rsa);
+}
+
+static RSA *
+load_rsa_public_key_buf(const unsigned char *cert, int certlen)
 {
 	RSA *rsa = NULL;
 	BIO *bp;
@@ -500,8 +528,8 @@ load_rsa_public_key_buf(unsigned char *c
 
 
 static bool
-rsa_verify_cert(int fd, unsigned char *key, int keylen,
-    unsigned char *sig, int siglen)
+rsa_verify_cert(int fd, const char *sigfile, const unsigned char *key,
+    int keylen, unsigned char *sig, int siglen)
 {
 	char sha256[SHA256_DIGEST_LENGTH *2 +1];
 	char hash[SHA256_DIGEST_LENGTH];
@@ -518,7 +546,11 @@ rsa_verify_cert(int fd, unsigned char *k
 
 	sha256_buf_bin(sha256, strlen(sha256), hash);
 
-	rsa = load_rsa_public_key_buf(key, keylen);
+	if (sigfile != NULL) {
+		rsa = load_rsa_public_key_file(sigfile);
+	} else {
+		rsa = load_rsa_public_key_buf(key, keylen);
+	}
 	if (rsa == NULL)
 		return (false);
 	ret = RSA_verify(NID_sha256, hash, sizeof(hash), sig, siglen, rsa);
@@ -533,6 +565,35 @@ rsa_verify_cert(int fd, unsigned char *k
 	return (true);
 }
 
+static struct pubkey *
+read_pubkey(int fd)
+{
+	struct pubkey *pk;
+	struct sbuf *sig;
+	char buf[4096];
+	int r;
+
+	if (lseek(fd, 0, 0) == -1) {
+		warn("lseek");
+		return (NULL);
+	}
+
+	sig = sbuf_new_auto();
+
+	while ((r = read(fd, buf, sizeof(buf))) >0) {
+		sbuf_bcat(sig, buf, r);
+	}
+
+	sbuf_finish(sig);
+	pk = calloc(1, sizeof(struct pubkey));
+	pk->siglen = sbuf_len(sig);
+	pk->sig = calloc(1, pk->siglen);
+	memcpy(pk->sig, sbuf_data(sig), pk->siglen);
+	sbuf_delete(sig);
+
+	return (pk);
+}
+
 static struct sig_cert *
 parse_cert(int fd) {
 	int my_fd;
@@ -606,6 +667,45 @@ parse_cert(int fd) {
 }
 
 static bool
+verify_pubsignature(int fd_pkg, int fd_sig)
+{
+	struct pubkey *pk;
+	const char *pubkey;
+	bool ret;
+
+	pk = NULL;
+	pubkey = NULL;
+	ret = false;
+	if (config_string(PUBKEY, &pubkey) != 0) {
+		warnx("No CONFIG_PUBKEY defined");
+		goto cleanup;
+	}
+
+	if ((pk = read_pubkey(fd_sig)) == NULL) {
+		warnx("Error reading signature");
+		goto cleanup;
+	}
+
+	/* Verify the signature. */
+	printf("Verifying signature with public key %s... ", pubkey);
+	if (rsa_verify_cert(fd_pkg, pubkey, NULL, 0, pk->sig,
+	    pk->siglen) == false) {
+		fprintf(stderr, "Signature is not valid\n");
+		goto cleanup;
+	}
+
+	ret = true;
+
+cleanup:
+	if (pk) {
+		free(pk->sig);
+		free(pk);
+	}
+
+	return (ret);
+}
+
+static bool
 verify_signature(int fd_pkg, int fd_sig)
 {
 	struct fingerprint_list *trusted, *revoked;
@@ -683,7 +783,7 @@ verify_signature(int fd_pkg, int fd_sig)
 
 	/* Verify the signature. */
 	printf("Verifying signature with trusted certificate %s... ", sc->name);
-	if (rsa_verify_cert(fd_pkg, sc->cert, sc->certlen, sc->sig,
+	if (rsa_verify_cert(fd_pkg, NULL, sc->cert, sc->certlen, sc->sig,
 	    sc->siglen) == false) {
 		printf("failed\n");
 		fprintf(stderr, "Signature is not valid\n");
@@ -751,24 +851,42 @@ bootstrap_pkg(bool force)
 
 	if (signature_type != NULL &&
 	    strcasecmp(signature_type, "NONE") != 0) {
-		if (strcasecmp(signature_type, "FINGERPRINTS") != 0) {
-			warnx("Signature type %s is not supported for "
-			    "bootstrapping.", signature_type);
-			goto cleanup;
-		}
+		if (strcasecmp(signature_type, "FINGERPRINTS") == 0) {
+
+			snprintf(tmpsig, MAXPATHLEN, "%s/pkg.txz.sig.XXXXXX",
+			    getenv("TMPDIR") ? getenv("TMPDIR") : _PATH_TMP);
+			snprintf(url, MAXPATHLEN, "%s/Latest/pkg.txz.sig",
+			    packagesite);
+
+			if ((fd_sig = fetch_to_fd(url, tmpsig)) == -1) {
+				fprintf(stderr, "Signature for pkg not "
+				    "available.\n");
+				goto fetchfail;
+			}
 
-		snprintf(tmpsig, MAXPATHLEN, "%s/pkg.txz.sig.XXXXXX",
-		    getenv("TMPDIR") ? getenv("TMPDIR") : _PATH_TMP);
-		snprintf(url, MAXPATHLEN, "%s/Latest/pkg.txz.sig",
-		    packagesite);
+			if (verify_signature(fd_pkg, fd_sig) == false)
+				goto cleanup;
+		} else if (strcasecmp(signature_type, "PUBKEY") == 0) {
 
-		if ((fd_sig = fetch_to_fd(url, tmpsig)) == -1) {
-			fprintf(stderr, "Signature for pkg not available.\n");
-			goto fetchfail;
-		}
+			snprintf(tmpsig, MAXPATHLEN,
+			    "%s/pkg.txz.pubkeysig.XXXXXX",
+			    getenv("TMPDIR") ? getenv("TMPDIR") : _PATH_TMP);
+			snprintf(url, MAXPATHLEN, "%s/Latest/pkg.txz.pubkeysig",
+			    packagesite);
+
+			if ((fd_sig = fetch_to_fd(url, tmpsig)) == -1) {
+				fprintf(stderr, "Signature for pkg not "
+				    "available.\n");
+				goto fetchfail;
+			}
 
-		if (verify_signature(fd_pkg, fd_sig) == false)
+			if (verify_pubsignature(fd_pkg, fd_sig) == false)
+				goto cleanup;
+		} else {
+			warnx("Signature type %s is not supported for "
+			    "bootstrapping.", signature_type);
 			goto cleanup;
+		}
 	}
 
 	if ((ret = extract_pkg_static(fd_pkg, pkgstatic, MAXPATHLEN)) == 0)
@@ -842,21 +960,37 @@ bootstrap_pkg_local(const char *pkgpath,
 	}
 	if (signature_type != NULL &&
 	    strcasecmp(signature_type, "NONE") != 0) {
-		if (strcasecmp(signature_type, "FINGERPRINTS") != 0) {
-			warnx("Signature type %s is not supported for "
-			    "bootstrapping.", signature_type);
-			goto cleanup;
-		}
+		if (strcasecmp(signature_type, "FINGERPRINTS") == 0) {
 
-		snprintf(path, sizeof(path), "%s.sig", pkgpath);
+			snprintf(path, sizeof(path), "%s.sig", pkgpath);
 
-		if ((fd_sig = open(path, O_RDONLY)) == -1) {
-			fprintf(stderr, "Signature for pkg not available.\n");
-			goto cleanup;
-		}
+			if ((fd_sig = open(path, O_RDONLY)) == -1) {
+				fprintf(stderr, "Signature for pkg not "
+				    "available.\n");
+				goto cleanup;
+			}
 
-		if (verify_signature(fd_pkg, fd_sig) == false)
+			if (verify_signature(fd_pkg, fd_sig) == false)
+				goto cleanup;
+
+		} else if (strcasecmp(signature_type, "PUBKEY") == 0) {
+
+			snprintf(path, sizeof(path), "%s.pubkeysig", pkgpath);
+
+			if ((fd_sig = open(path, O_RDONLY)) == -1) {
+				fprintf(stderr, "Signature for pkg not "
+				    "available.\n");
+				goto cleanup;
+			}
+
+			if (verify_pubsignature(fd_pkg, fd_sig) == false)
+				goto cleanup;
+
+		} else {
+			warnx("Signature type %s is not supported for "
+			    "bootstrapping.", signature_type);
 			goto cleanup;
+		}
 	}
 
 	if ((ret = extract_pkg_static(fd_pkg, pkgstatic, MAXPATHLEN)) == 0)
