sbsigntool: update to support openssl-1.1.0

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
This commit is contained in:
Lans Zhang
2017-08-15 13:11:45 +08:00
parent 2c265a6fc3
commit c912483e87
3 changed files with 209 additions and 0 deletions
@@ -19,6 +19,8 @@ SRC_URI = "\
file://Fix-for-multi-sign.patch \
file://sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch \
file://image-fix-the-segment-fault-caused-by-the-uninitiali.patch \
file://Fix-the-deprecated-ASN1_STRING_data.patch \
file://Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch \
"
SRCREV="951ee95a301674c046f55330cd7460e1314deff2"
@@ -0,0 +1,49 @@
From c5d321ded2020441b0d064e03b7b07358d3f71da Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Tue, 15 Aug 2017 10:55:40 +0800
Subject: [PATCH] Fix the deprecated ASN1_STRING_data()
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
src/idc.c | 4 ++--
src/sbkeysync.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/idc.c b/src/idc.c
index 236cefd..8feaa11 100644
--- a/src/idc.c
+++ b/src/idc.c
@@ -238,7 +238,7 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio)
/* extract the idc from the signed PKCS7 'other' data */
str = p7->d.sign->contents->d.other->value.asn1_string;
- idcbuf = buf = ASN1_STRING_data(str);
+ idcbuf = buf = (const unsigned char *)ASN1_STRING_get0_data(str);
idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
/* If we were passed a BIO, write the idc data, minus type and length,
@@ -289,7 +289,7 @@ int IDC_check_hash(struct idc *idc, struct image *image)
}
/* check hash against the one we calculated from the image */
- buf = ASN1_STRING_data(str);
+ buf = (const unsigned char *)ASN1_STRING_get0_data(str);
if (memcmp(buf, sha, sizeof(sha))) {
fprintf(stderr, "Hash doesn't match image\n");
fprintf(stderr, " got: %s\n", sha256_str(buf));
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
index a63d3b8..ef028ef 100644
--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
@@ -210,7 +210,7 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
serial = x509->cert_info->serialNumber;
key->id_len = ASN1_STRING_length(serial);
- key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
+ key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
key->description = talloc_array(key, char, description_len);
X509_NAME_oneline(x509->cert_info->subject,
--
2.7.5
@@ -0,0 +1,158 @@
From ddf7f08d27d6a44eb62928b33c66204ffa3d7edb Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Tue, 15 Aug 2017 13:05:14 +0800
Subject: [PATCH] Update OpenSSL API usage to support OpenSSL 1.1
Most structure definitions in OpenSSL are now opaque and we must call
the appropriate accessor functions to get information from them.
Not all the accessors are available in older versions, so define the
missing accessors as macros.
The X509_retrieve_match() function is no longer usable, as we cannot
initialise an X509_OBJECT ourselves. Instead, iterate over the
certificate store and use X509_OBJECT_get_type and X509_cmp to
compare certificates.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
src/sbkeysync.c | 7 +++----
src/sbverify.c | 52 ++++++++++++++++++++++++++++++++++++++--------------
2 files changed, 41 insertions(+), 18 deletions(-)
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
index ef028ef..19e3064 100644
--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
@@ -204,16 +204,15 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
return -1;
/* we use the X509 serial number as the key ID */
- if (!x509->cert_info || !x509->cert_info->serialNumber)
+ serial = X509_get_serialNumber(x509);
+ if (!serial)
goto out;
- serial = x509->cert_info->serialNumber;
-
key->id_len = ASN1_STRING_length(serial);
key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
key->description = talloc_array(key, char, description_len);
- X509_NAME_oneline(x509->cert_info->subject,
+ X509_NAME_oneline(X509_get_subject_name(x509),
key->description, description_len);
rc = 0;
diff --git a/src/sbverify.c b/src/sbverify.c
index fb03d21..0aed71a 100644
--- a/src/sbverify.c
+++ b/src/sbverify.c
@@ -55,6 +55,14 @@
#include <openssl/pem.h>
#include <openssl/x509v3.h>
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
+#define X509_OBJECT_get_type(obj) ((obj)->type)
+#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
+#define X509_STORE_get0_objects(certs) ((certs)->objs)
+#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
+#endif
+
static const char *toolname = "sbverify";
static const int cert_name_len = 160;
@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *p7)
for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
cert = sk_X509_value(p7->d.sign->cert, i);
- X509_NAME_oneline(cert->cert_info->subject,
+ X509_NAME_oneline(X509_get_subject_name(cert),
subject_name, cert_name_len);
- X509_NAME_oneline(cert->cert_info->issuer,
+ X509_NAME_oneline(X509_get_issuer_name(cert),
issuer_name, cert_name_len);
printf(" - subject: %s\n", subject_name);
@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *p7)
static void print_certificate_store_certs(X509_STORE *certs)
{
char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
+ STACK_OF(X509_OBJECT) *objs;
X509_OBJECT *obj;
+ X509 *cert;
int i;
printf("certificate store:\n");
- for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
- obj = sk_X509_OBJECT_value(certs->objs, i);
+ objs = X509_STORE_get0_objects(certs);
+
+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+ obj = sk_X509_OBJECT_value(objs, i);
- if (obj->type != X509_LU_X509)
+ if (X509_OBJECT_get_type(obj) != X509_LU_X509)
continue;
- X509_NAME_oneline(obj->data.x509->cert_info->subject,
+ cert = X509_OBJECT_get0_X509(obj);
+
+ X509_NAME_oneline(X509_get_subject_name(cert),
subject_name, cert_name_len);
- X509_NAME_oneline(obj->data.x509->cert_info->issuer,
+ X509_NAME_oneline(X509_get_issuer_name(cert),
issuer_name, cert_name_len);
printf(" - subject: %s\n", subject_name);
@@ -182,12 +196,21 @@ static int load_detached_signature_data(struct image *image,
static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
{
- X509_OBJECT obj;
+ STACK_OF(X509_OBJECT) *objs;
+ X509_OBJECT *obj;
+ int i;
+
+ objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
- obj.type = X509_LU_X509;
- obj.data.x509 = cert;
+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+ obj = sk_X509_OBJECT_value(objs, i);
- return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
+ if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
+ !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
+ return 1;
+ }
+
+ return 0;
}
static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
@@ -195,15 +218,16 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
int err = X509_STORE_CTX_get_error(ctx);
/* also accept code-signing keys */
- if (err == X509_V_ERR_INVALID_PURPOSE
- && ctx->cert->ex_xkusage == XKU_CODE_SIGN)
+ if (err == X509_V_ERR_INVALID_PURPOSE &&
+ X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
+ == XKU_CODE_SIGN)
status = 1;
/* all certs given with the --cert argument are trusted */
else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
err == X509_V_ERR_CERT_UNTRUSTED) {
- if (cert_in_store(ctx->current_cert, ctx))
+ if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))
status = 1;
}
--
2.7.5