mirror of
https://github.com/jiazhang0/meta-secure-core.git
synced 2026-07-17 05:06:59 +00:00
sbsigntool: update to support openssl-1.1.0
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
This commit is contained in:
@@ -19,6 +19,8 @@ SRC_URI = "\
|
|||||||
file://Fix-for-multi-sign.patch \
|
file://Fix-for-multi-sign.patch \
|
||||||
file://sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch \
|
file://sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch \
|
||||||
file://image-fix-the-segment-fault-caused-by-the-uninitiali.patch \
|
file://image-fix-the-segment-fault-caused-by-the-uninitiali.patch \
|
||||||
|
file://Fix-the-deprecated-ASN1_STRING_data.patch \
|
||||||
|
file://Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch \
|
||||||
"
|
"
|
||||||
SRCREV="951ee95a301674c046f55330cd7460e1314deff2"
|
SRCREV="951ee95a301674c046f55330cd7460e1314deff2"
|
||||||
|
|
||||||
|
|||||||
+49
@@ -0,0 +1,49 @@
|
|||||||
|
From c5d321ded2020441b0d064e03b7b07358d3f71da Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lans Zhang <jia.zhang@windriver.com>
|
||||||
|
Date: Tue, 15 Aug 2017 10:55:40 +0800
|
||||||
|
Subject: [PATCH] Fix the deprecated ASN1_STRING_data()
|
||||||
|
|
||||||
|
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
||||||
|
---
|
||||||
|
src/idc.c | 4 ++--
|
||||||
|
src/sbkeysync.c | 2 +-
|
||||||
|
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/idc.c b/src/idc.c
|
||||||
|
index 236cefd..8feaa11 100644
|
||||||
|
--- a/src/idc.c
|
||||||
|
+++ b/src/idc.c
|
||||||
|
@@ -238,7 +238,7 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio)
|
||||||
|
|
||||||
|
/* extract the idc from the signed PKCS7 'other' data */
|
||||||
|
str = p7->d.sign->contents->d.other->value.asn1_string;
|
||||||
|
- idcbuf = buf = ASN1_STRING_data(str);
|
||||||
|
+ idcbuf = buf = (const unsigned char *)ASN1_STRING_get0_data(str);
|
||||||
|
idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
|
||||||
|
|
||||||
|
/* If we were passed a BIO, write the idc data, minus type and length,
|
||||||
|
@@ -289,7 +289,7 @@ int IDC_check_hash(struct idc *idc, struct image *image)
|
||||||
|
}
|
||||||
|
|
||||||
|
/* check hash against the one we calculated from the image */
|
||||||
|
- buf = ASN1_STRING_data(str);
|
||||||
|
+ buf = (const unsigned char *)ASN1_STRING_get0_data(str);
|
||||||
|
if (memcmp(buf, sha, sizeof(sha))) {
|
||||||
|
fprintf(stderr, "Hash doesn't match image\n");
|
||||||
|
fprintf(stderr, " got: %s\n", sha256_str(buf));
|
||||||
|
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
|
||||||
|
index a63d3b8..ef028ef 100644
|
||||||
|
--- a/src/sbkeysync.c
|
||||||
|
+++ b/src/sbkeysync.c
|
||||||
|
@@ -210,7 +210,7 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
|
||||||
|
serial = x509->cert_info->serialNumber;
|
||||||
|
|
||||||
|
key->id_len = ASN1_STRING_length(serial);
|
||||||
|
- key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
|
||||||
|
+ key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
|
||||||
|
|
||||||
|
key->description = talloc_array(key, char, description_len);
|
||||||
|
X509_NAME_oneline(x509->cert_info->subject,
|
||||||
|
--
|
||||||
|
2.7.5
|
||||||
|
|
||||||
+158
@@ -0,0 +1,158 @@
|
|||||||
|
From ddf7f08d27d6a44eb62928b33c66204ffa3d7edb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lans Zhang <jia.zhang@windriver.com>
|
||||||
|
Date: Tue, 15 Aug 2017 13:05:14 +0800
|
||||||
|
Subject: [PATCH] Update OpenSSL API usage to support OpenSSL 1.1
|
||||||
|
|
||||||
|
Most structure definitions in OpenSSL are now opaque and we must call
|
||||||
|
the appropriate accessor functions to get information from them.
|
||||||
|
Not all the accessors are available in older versions, so define the
|
||||||
|
missing accessors as macros.
|
||||||
|
|
||||||
|
The X509_retrieve_match() function is no longer usable, as we cannot
|
||||||
|
initialise an X509_OBJECT ourselves. Instead, iterate over the
|
||||||
|
certificate store and use X509_OBJECT_get_type and X509_cmp to
|
||||||
|
compare certificates.
|
||||||
|
|
||||||
|
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||||
|
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
||||||
|
---
|
||||||
|
src/sbkeysync.c | 7 +++----
|
||||||
|
src/sbverify.c | 52 ++++++++++++++++++++++++++++++++++++++--------------
|
||||||
|
2 files changed, 41 insertions(+), 18 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
|
||||||
|
index ef028ef..19e3064 100644
|
||||||
|
--- a/src/sbkeysync.c
|
||||||
|
+++ b/src/sbkeysync.c
|
||||||
|
@@ -204,16 +204,15 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
/* we use the X509 serial number as the key ID */
|
||||||
|
- if (!x509->cert_info || !x509->cert_info->serialNumber)
|
||||||
|
+ serial = X509_get_serialNumber(x509);
|
||||||
|
+ if (!serial)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
- serial = x509->cert_info->serialNumber;
|
||||||
|
-
|
||||||
|
key->id_len = ASN1_STRING_length(serial);
|
||||||
|
key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
|
||||||
|
|
||||||
|
key->description = talloc_array(key, char, description_len);
|
||||||
|
- X509_NAME_oneline(x509->cert_info->subject,
|
||||||
|
+ X509_NAME_oneline(X509_get_subject_name(x509),
|
||||||
|
key->description, description_len);
|
||||||
|
|
||||||
|
rc = 0;
|
||||||
|
diff --git a/src/sbverify.c b/src/sbverify.c
|
||||||
|
index fb03d21..0aed71a 100644
|
||||||
|
--- a/src/sbverify.c
|
||||||
|
+++ b/src/sbverify.c
|
||||||
|
@@ -55,6 +55,14 @@
|
||||||
|
#include <openssl/pem.h>
|
||||||
|
#include <openssl/x509v3.h>
|
||||||
|
|
||||||
|
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
|
+#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
|
||||||
|
+#define X509_OBJECT_get_type(obj) ((obj)->type)
|
||||||
|
+#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
|
||||||
|
+#define X509_STORE_get0_objects(certs) ((certs)->objs)
|
||||||
|
+#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
static const char *toolname = "sbverify";
|
||||||
|
static const int cert_name_len = 160;
|
||||||
|
|
||||||
|
@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *p7)
|
||||||
|
|
||||||
|
for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
|
||||||
|
cert = sk_X509_value(p7->d.sign->cert, i);
|
||||||
|
- X509_NAME_oneline(cert->cert_info->subject,
|
||||||
|
+ X509_NAME_oneline(X509_get_subject_name(cert),
|
||||||
|
subject_name, cert_name_len);
|
||||||
|
- X509_NAME_oneline(cert->cert_info->issuer,
|
||||||
|
+ X509_NAME_oneline(X509_get_issuer_name(cert),
|
||||||
|
issuer_name, cert_name_len);
|
||||||
|
|
||||||
|
printf(" - subject: %s\n", subject_name);
|
||||||
|
@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *p7)
|
||||||
|
static void print_certificate_store_certs(X509_STORE *certs)
|
||||||
|
{
|
||||||
|
char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
|
||||||
|
+ STACK_OF(X509_OBJECT) *objs;
|
||||||
|
X509_OBJECT *obj;
|
||||||
|
+ X509 *cert;
|
||||||
|
int i;
|
||||||
|
|
||||||
|
printf("certificate store:\n");
|
||||||
|
|
||||||
|
- for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
|
||||||
|
- obj = sk_X509_OBJECT_value(certs->objs, i);
|
||||||
|
+ objs = X509_STORE_get0_objects(certs);
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
|
||||||
|
+ obj = sk_X509_OBJECT_value(objs, i);
|
||||||
|
|
||||||
|
- if (obj->type != X509_LU_X509)
|
||||||
|
+ if (X509_OBJECT_get_type(obj) != X509_LU_X509)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
- X509_NAME_oneline(obj->data.x509->cert_info->subject,
|
||||||
|
+ cert = X509_OBJECT_get0_X509(obj);
|
||||||
|
+
|
||||||
|
+ X509_NAME_oneline(X509_get_subject_name(cert),
|
||||||
|
subject_name, cert_name_len);
|
||||||
|
- X509_NAME_oneline(obj->data.x509->cert_info->issuer,
|
||||||
|
+ X509_NAME_oneline(X509_get_issuer_name(cert),
|
||||||
|
issuer_name, cert_name_len);
|
||||||
|
|
||||||
|
printf(" - subject: %s\n", subject_name);
|
||||||
|
@@ -182,12 +196,21 @@ static int load_detached_signature_data(struct image *image,
|
||||||
|
|
||||||
|
static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
|
||||||
|
{
|
||||||
|
- X509_OBJECT obj;
|
||||||
|
+ STACK_OF(X509_OBJECT) *objs;
|
||||||
|
+ X509_OBJECT *obj;
|
||||||
|
+ int i;
|
||||||
|
+
|
||||||
|
+ objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
|
||||||
|
|
||||||
|
- obj.type = X509_LU_X509;
|
||||||
|
- obj.data.x509 = cert;
|
||||||
|
+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
|
||||||
|
+ obj = sk_X509_OBJECT_value(objs, i);
|
||||||
|
|
||||||
|
- return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
|
||||||
|
+ if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
|
||||||
|
+ !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
|
||||||
|
@@ -195,15 +218,16 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
|
||||||
|
int err = X509_STORE_CTX_get_error(ctx);
|
||||||
|
|
||||||
|
/* also accept code-signing keys */
|
||||||
|
- if (err == X509_V_ERR_INVALID_PURPOSE
|
||||||
|
- && ctx->cert->ex_xkusage == XKU_CODE_SIGN)
|
||||||
|
+ if (err == X509_V_ERR_INVALID_PURPOSE &&
|
||||||
|
+ X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
|
||||||
|
+ == XKU_CODE_SIGN)
|
||||||
|
status = 1;
|
||||||
|
|
||||||
|
/* all certs given with the --cert argument are trusted */
|
||||||
|
else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
|
||||||
|
err == X509_V_ERR_CERT_UNTRUSTED) {
|
||||||
|
|
||||||
|
- if (cert_in_store(ctx->current_cert, ctx))
|
||||||
|
+ if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))
|
||||||
|
status = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.7.5
|
||||||
|
|
||||||
Reference in New Issue
Block a user