From 096337a241d13ff37f696bf8445420422d9dbde8 Mon Sep 17 00:00:00 2001 From: David Anderson Date: Thu, 4 Sep 2008 12:50:54 +0000 Subject: [PATCH] - Add support for code-signing using x509 certificates (from Attila Marosi) svn path=/trunk/boinc/; revision=15958 --- checkin_notes | 13 +++++++++ client/client_types.C | 4 +-- client/client_types.h | 4 +-- client/cs_files.C | 12 ++++----- lib/Makefile.am | 2 +- lib/{certificate.C => cert_sig.C} | 45 +++++++++++++------------------ lib/{certificate.h => cert_sig.h} | 8 +++--- lib/crypt.C | 18 ++++++++++++- lib/crypt.h | 21 +++------------ 9 files changed, 65 insertions(+), 62 deletions(-) rename lib/{certificate.C => cert_sig.C} (85%) rename lib/{certificate.h => cert_sig.h} (94%) diff --git a/checkin_notes b/checkin_notes index 809489082b..428319bca7 100644 --- a/checkin_notes +++ b/checkin_notes @@ -7170,3 +7170,16 @@ David 4 Sep 2008 sched/ handle_request.C sched_config.C,h + +David 4 Sep 2008 + - Add support for code-signing using x509 certificates + (from Attila Marosi) + + client/ + client_types.C,h + cs_files.C + log_flags.C,h + lib/ + Makefile.am + cert_sig.C,h (new) + crypt.C,h diff --git a/client/client_types.C b/client/client_types.C index ee47076b4f..e1d913fc28 100644 --- a/client/client_types.C +++ b/client/client_types.C @@ -636,7 +636,7 @@ FILE_INFO::FILE_INFO() { strcpy(signed_xml, ""); strcpy(xml_signature, ""); strcpy(file_signature, ""); - certificates = 0; + cert_sigs = 0; } FILE_INFO::~FILE_INFO() { @@ -747,7 +747,7 @@ int FILE_INFO::parse(MIOFILE& in, bool from_server) { continue; } if (match_tag(buf, "")) { - if (!certificates->parse_miofile_embed(in)) { + if (!cert_sigs->parse_miofile_embed(in)) { msg_printf(0, MSG_INTERNAL_ERROR, "FILE_INFO::parse(): cannot parse \n"); return ERR_XML_PARSE; diff --git a/client/client_types.h b/client/client_types.h index 74dbc2a18b..c5eb52cd74 100644 --- a/client/client_types.h +++ b/client/client_types.h @@ -31,7 +31,7 @@ #endif #include "md5_file.h" -#include "certificate.h" +#include "cert_sig.h" #include "hostinfo.h" #include "coproc.h" #include "miofile.h" @@ -95,7 +95,7 @@ public: // this is the signature std::string error_msg; // if permanent error occurs during file xfer, // it's recorded here - CERTIFICATES* certificates; + CERT_SIGS* cert_sigs; FILE_INFO(); ~FILE_INFO(); diff --git a/client/cs_files.C b/client/cs_files.C index e4083d5518..9ad7f1f3e9 100644 --- a/client/cs_files.C +++ b/client/cs_files.C @@ -36,7 +36,7 @@ #include "crypt.h" #include "str_util.h" #include "filesys.h" -#include "certificate.h" +#include "cert_sig.h" #include "error_numbers.h" #include "file_names.h" @@ -92,15 +92,15 @@ int CLIENT_STATE::make_project_dirs() { // Is app signed by one of the Application Certifiers? // bool FILE_INFO::verify_file_certs() { - string file; + char file[256]; bool retval = false; if (!is_dir(CERTIFICATE_DIRECTORY)) return false; DIRREF dir = dir_open(CERTIFICATE_DIRECTORY); - while (dir_scan(file, dir)) { - if (cert_verify_file(certificates, file.c_str(), CERTIFICATE_DIRECTORY)) { + while (dir_scan(file, dir, sizeof(dir))) { + if (cert_verify_file(cert_sigs, file, CERTIFICATE_DIRECTORY)) { msg_printf(project, MSG_INFO, - "Signature verified using certificate %s", file.c_str() + "Signature verified using certificate %s", file ); retval = true; break; @@ -159,7 +159,7 @@ int FILE_INFO::verify_file(bool strict, bool show_errors) { if (!strict) return 0; if (signature_required) { - if (!strlen(file_signature) && !certificates) { + if (!strlen(file_signature) && !cert_sigs) { msg_printf(project, MSG_INTERNAL_ERROR, "Application file %s missing signature", name ); diff --git a/lib/Makefile.am b/lib/Makefile.am index 3b8b2ac5d7..8ed411d9bd 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -56,7 +56,7 @@ endif libboinc_a_SOURCES = \ app_ipc.C \ base64.C \ - certificate.C \ + cert_sig.C \ coproc.C \ crypt.C \ diagnostics.C \ diff --git a/lib/certificate.C b/lib/cert_sig.C similarity index 85% rename from lib/certificate.C rename to lib/cert_sig.C index d58f18dc81..ea9d2bcae5 100644 --- a/lib/certificate.C +++ b/lib/cert_sig.C @@ -21,40 +21,40 @@ #include #include "miofile.h" #include "error_numbers.h" -#include "certificate.h" +#include "cert_sig.h" -CERTIFICATE::CERTIFICATE() { +CERT_SIG::CERT_SIG() { this->clear(); } -CERTIFICATE::~CERTIFICATE() { +CERT_SIG::~CERT_SIG() { // TODO } -void CERTIFICATE::clear() { +void CERT_SIG::clear() { this->type = MD5_HASH; // md5 hash by default memset(this->subject, 0, sizeof(this->subject)); memset(this->signature, 0, sizeof(this->signature)); } -CERTIFICATES::CERTIFICATES() { +CERT_SIGS::CERT_SIGS() { // TODO } -CERTIFICATES::~CERTIFICATES() { +CERT_SIGS::~CERT_SIGS() { // TODO } -void CERTIFICATES::clear() { +void CERT_SIGS::clear() { this->signatures.clear(); } -int CERTIFICATES::count() { +int CERT_SIGS::count() { return this->signatures.size(); } -int CERTIFICATES::parse(XML_PARSER &xp) { - CERTIFICATE sig; +int CERT_SIGS::parse(XML_PARSER &xp) { + CERT_SIG sig; int is_tag = false; int in_entry = false; int in_sig = false; @@ -62,12 +62,12 @@ int CERTIFICATES::parse(XML_PARSER &xp) { char tag[4096]; char buf[256]; - //printf("CERTIFICATES::parse() starts.\n"); + //printf("CERT_SIGS::parse() starts.\n"); //fflush(stdout); while (!xp.get(tag, sizeof(tag), (bool&)is_tag)) { if (!strcmp(tag, "/signatures")) { - //printf("CERTIFICATES::parse() ends.\n"); + //printf("CERT_SIGS::parse() ends.\n"); //fflush(stdout); return !in_entry && !in_sig && parsed_one; } @@ -77,7 +77,7 @@ int CERTIFICATES::parse(XML_PARSER &xp) { continue; } if (!is_tag) { - printf("(CERTIFICATES): unexpected text: %s\n", tag); + printf("(CERT_SIGS): unexpected text: %s\n", tag); continue; } if (in_entry) { @@ -128,12 +128,12 @@ int CERTIFICATES::parse(XML_PARSER &xp) { return false; } -int CERTIFICATES::parse_miofile_embed(MIOFILE &mf) { +int CERT_SIGS::parse_miofile_embed(MIOFILE &mf) { XML_PARSER xp(&mf); return this->parse(xp); } -int CERTIFICATES::parse_file(const char* filename) { +int CERT_SIGS::parse_file(const char* filename) { FILE* f; int retval; @@ -151,7 +151,7 @@ int CERTIFICATES::parse_file(const char* filename) { return retval; } -int CERTIFICATES::parse_buffer(char* buf) { +int CERT_SIGS::parse_buffer(char* buf) { MIOFILE mf; int retval; @@ -161,7 +161,7 @@ int CERTIFICATES::parse_buffer(char* buf) { return retval; } -int CERTIFICATES::parse_buffer_embed(char* buf) { +int CERT_SIGS::parse_buffer_embed(char* buf) { MIOFILE mf; char tag[4096]; int is_tag; @@ -181,16 +181,7 @@ int CERTIFICATES::parse_buffer_embed(char* buf) { return false; } -void CERTIFICATES::dump() { - MIOFILE m; - char buf[4096]; - - m.init_buf_write((char *)buf, 4096); - this->write(m, 4096); - printf("%s", buf); -} - -int CERTIFICATES::write(MIOFILE &f) { +int CERT_SIGS::write(MIOFILE &f) { if (this->signatures.size()==0) return true; f.printf("\n"); diff --git a/lib/certificate.h b/lib/cert_sig.h similarity index 94% rename from lib/certificate.h rename to lib/cert_sig.h index 1d3738b09f..90ac508aee 100644 --- a/lib/certificate.h +++ b/lib/cert_sig.h @@ -41,9 +41,9 @@ struct CERT_SIG { class CERT_SIGS { public: - std::vector cert_sigs; - CERT_SIG(); - ~CERT_SIG(); + std::vector signatures; + CERT_SIGS(); + ~CERT_SIGS(); // // Parses an .xml signature file with the following structure: // @@ -64,12 +64,10 @@ public: int parse_file(const char* filename); int parse_buffer(char* buf); int write(MIOFILE &f); - int write(MIOFILE &f, int max); // Parses from an already opened MIOFILE, the pointer should have // passed the opening tag (no check is done for that). int parse_miofile_embed(MIOFILE &mf); int parse_buffer_embed(char* buf); - void dump(); void clear(); int count(); // return the total number of signatures. private: diff --git a/lib/crypt.C b/lib/crypt.C index 14306d6abe..8ddae49c50 100644 --- a/lib/crypt.C +++ b/lib/crypt.C @@ -25,9 +25,23 @@ #include #include #include +#include +#include +#include #endif +#include +#include +#include +#include +#include +#include +#include +#include + + #include "md5_file.h" +#include "cert_sig.h" #include "error_numbers.h" #include "crypt.h" @@ -491,7 +505,9 @@ int check_validity_of_cert(const char *cFile, const unsigned char *md5_md, unsig return retval; } -int cert_verify_file(SIGNATURES* signatures, const char* origFile, char* trustLocation) { +int cert_verify_file( + CERT_SIGS* signatures, const char* origFile, char* trustLocation +) { MD5_CTX md5CTX; int of, rbytes; struct stat ostat; diff --git a/lib/crypt.h b/lib/crypt.h index b0abc618dc..90a4bcb65c 100644 --- a/lib/crypt.h +++ b/lib/crypt.h @@ -22,24 +22,9 @@ // We use our own data structures (R_RSA_PUBLIC_KEY and R_RSA_PRIVATE_KEY) // to store keys in either case. -// Only define these here if they haven't been defined elsewhere -#if !(defined(USE_OPENSSL) || defined(USE_RSAEURO)) -#define USE_OPENSSL 1 -//#define USE_RSAEURO 1 -#endif - #include #include -#ifdef USE_RSAEURO -#include "rsaeuro.h" -extern "C" { -#include "rsa.h" -} - -#endif - -#ifdef USE_OPENSSL #include #define MAX_RSA_MODULUS_BITS 1024 @@ -72,8 +57,6 @@ extern void openssl_to_keys( extern void private_to_openssl(R_RSA_PRIVATE_KEY& priv, RSA* rp); extern void public_to_openssl(R_RSA_PUBLIC_KEY& pub, RSA* rp); -#endif - struct KEY { unsigned short int bits; unsigned char data[1]; @@ -138,7 +121,9 @@ extern int check_validity_of_cert( unsigned char *sfileMsg, const int sfsize, char* caPath ); +class CERT_SIGS; + int cert_verify_file( - SIGNATURES* signatures, const char* origFile, char* trustLocation + CERT_SIGS* signatures, const char* origFile, char* trustLocation ); #endif