diff options
author | José Bollo <jose.bollo@iot.bzh> | 2020-02-27 17:12:55 +0100 |
---|---|---|
committer | José Bollo <jose.bollo@iot.bzh> | 2020-02-28 12:39:07 +0100 |
commit | 956e7c57d15bde67d7392aab01a9c0fc6906bbd4 (patch) | |
tree | 57ab4679060160c510fc45f92e20f0e5df8fdc9c | |
parent | c5d922d7085c980edad3764687e2488a1b0907d0 (diff) |
Add feature of autosigning widgets
This adds the ability to automatically sign the
widgets that are packaged.
This is done by defining in the environment of
the packaging process the variables
WGTPKG_AUTOSIGN_X=key-filepath[:cert-filepath]...
Where X is a number.
If such variable exist, signatures are generated
in the directory of the packaged or signed widget,
one for each variable, replacing any existing one.
Obviously, nothing is done if no such variable exist.
The generated signature file depends on X.
- 0 is for file author-signature.xml
- X is for file signature-X.xml
The program wgtpkg-pack automatically include that
behaviour by default. An option allows to remove it.
Bug-AGL: SPEC-2840
Change-Id: I00bc4a4d094f71b307e467f984f20d3d4cc3c7bd
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-rw-r--r-- | src/main-wgtpkg-pack.c | 18 | ||||
-rw-r--r-- | src/wgtpkg-digsig.c | 88 | ||||
-rw-r--r-- | src/wgtpkg-digsig.h | 3 |
3 files changed, 107 insertions, 2 deletions
diff --git a/src/main-wgtpkg-pack.c b/src/main-wgtpkg-pack.c index e448497..5e9a18f 100644 --- a/src/main-wgtpkg-pack.c +++ b/src/main-wgtpkg-pack.c @@ -31,6 +31,7 @@ #include "wgtpkg-files.h" #include "wgtpkg-workdir.h" #include "wgtpkg-zip.h" +#include "wgtpkg-digsig.h" const char appname[] = "wgtpkg-pack"; @@ -55,7 +56,9 @@ static void usage() "\n" " -o wgtfile the output widget file\n" " -f force overwriting\n" + " -N no auto-sign" " -q quiet\n" + " -S auto-sign" " -v verbose\n" " -V version\n" "\n", @@ -67,7 +70,9 @@ static struct option options[] = { { "output", required_argument, NULL, 'o' }, { "force", no_argument, NULL, 'f' }, { "help", no_argument, NULL, 'h' }, + { "no-auto-sign",no_argument, NULL, 'N' }, { "quiet", no_argument, NULL, 'q' }, + { "auto-sign", no_argument, NULL, 'S' }, { "verbose", no_argument, NULL, 'v' }, { "version", no_argument, NULL, 'V' }, { NULL, 0, NULL, 0 } @@ -76,12 +81,13 @@ static struct option options[] = { /* install the widgets of the list */ int main(int ac, char **av) { - int i, force; + int i, force, autosign; char *wgtfile, *directory, *x; struct stat s; LOGUSER(appname); + autosign = 1; force = 0; wgtfile = directory = NULL; for (;;) { @@ -105,9 +111,15 @@ int main(int ac, char **av) case 'h': usage(); return 0; + case 'N': + autosign = 0; + break; case 'V': version(); return 0; + case 'S': + autosign = 1; + break; case ':': ERROR("missing argument"); return 1; @@ -174,10 +186,12 @@ int main(int ac, char **av) if (set_workdir(".", 0)) return 1; - if (fill_files()) return 1; + if (autosign && create_auto_digsig() < 0) + return 1; + return !!zwrite(wgtfile); } diff --git a/src/wgtpkg-digsig.c b/src/wgtpkg-digsig.c index d190d23..94f1d28 100644 --- a/src/wgtpkg-digsig.c +++ b/src/wgtpkg-digsig.c @@ -419,4 +419,92 @@ error: return rc; } +/* create a digital signature(s) from environment data */ +int create_auto_digsig() +{ + static const char envvar_prefix[] = "WGTPKG_AUTOSIGN_"; + extern char **environ; + + char **enviter; + char *var; + char *iter; + char *equal; + unsigned int num; + char *keyfile; + const char *certfiles[10]; + int ncert; + int rc; + int i; + + rc = 0; + /* enumerate environment variables */ + enviter = environ; + while (rc == 0 && (var = *enviter++) != NULL) { + /* check the prefix */ + if (0 != strncmp(var, envvar_prefix, sizeof(envvar_prefix) - 1)) + continue; /* not an auto sign variable */ + DEBUG("autosign found %s", var); + + /* check the num */ + iter = &var[sizeof(envvar_prefix) - 1]; + if (*iter < '0' || *iter > '9') { + ERROR("bad autosign key found: %s", var); + rc = -1; + continue; + } + + /* compute the number */ + num = (unsigned int)(*iter++ - '0'); + while (*iter >= '0' && *iter <= '9') + num = 10 * num + (unsigned int)(*iter++ - '0'); + + /* next char must be = */ + if (*iter != '=' || !iter[1]) { + /* it is not an error to have an empty autosign */ + WARNING("ignoring autosign key %.*s", (int)(iter - var), var); + continue; + } + + /* auto signing with num */ + INFO("autosign key %u found", num); + + /* compute key and certificates */ + equal = iter++; + keyfile = iter; + *equal = 0; + ncert = 0; + while (ncert < (int)((sizeof certfiles / sizeof *certfiles) - 1) + && (iter = strchr(iter, ':')) != NULL) { + *iter++ = 0; + certfiles[ncert++] = iter; + } + certfiles[ncert] = NULL; + + /* check the parameters */ + if (access(keyfile, R_OK) != 0) { + ERROR("autosign %u can't access private key %s", num, keyfile); + rc = -1; + } + for(i = 0 ; i < ncert ; i++) { + if (access(certfiles[i], R_OK) != 0) { + ERROR("autosign %u can't access certificate %s", num, certfiles[i]); + rc = -1; + } + } + + /* sign now */ + if (rc == 0) { + rc = xmlsec_init(); + if (rc == 0) { + rc = create_digsig(num, keyfile, certfiles); + } + } + + /* restore stolen chars */ + while(ncert) + *(char*)(certfiles[--ncert] - 1) = ':'; + *equal = '='; + } + return rc; +} diff --git a/src/wgtpkg-digsig.h b/src/wgtpkg-digsig.h index defcfa1..a1cc32d 100644 --- a/src/wgtpkg-digsig.h +++ b/src/wgtpkg-digsig.h @@ -26,3 +26,6 @@ extern int create_digsig(unsigned int index, const char *key, const char **certs /* check the signatures of the current directory */ extern int check_all_signatures(int allow_none); +/* create a digital signature(s) from environment data */ +extern int create_auto_digsig(); + |