struct blob_attr *payloadtb[CERT_PL_ATTR_MAX];
char tmpdir[] = "/tmp/ucert-XXXXXX";
char chainedpubkey[256] = {0};
+ char chainedfp[17] = {0};
char extsigfile[256] = {0};
int ret = 1;
int checkmsg = 0;
blobmsg_data(payloadtb[CERT_PL_ATTR_PUBKEY]),
blobmsg_data_len(payloadtb[CERT_PL_ATTR_PUBKEY]),
false);
+
+ if (usign_f_pubkey(chainedfp, chainedpubkey)) {
+ if (!quiet)
+ fprintf(stderr, "cannot get fingerprint for chained key\n");
+ ret = 2;
+ goto clean_and_return;
+ }
+ if (pubkeydir && _usign_key_is_revoked(chainedfp, pubkeydir)) {
+ if (!quiet)
+ fprintf(stderr, "key %s has been revoked!\n", chainedfp);
+ ret = 4;
+ goto clean_and_return;
+ }
} else {
/* blob doesn't have payload, verify message using signature */
if (msgfile) {
if (!payloadtb[CERT_PL_ATTR_CERTTYPE] ||
!payloadtb[CERT_PL_ATTR_VALIDFROMTIME] ||
!payloadtb[CERT_PL_ATTR_KEY_FINGERPRINT]) {
- fprintf(stderr, "missing mandatory ucert attributes\n");
- return 2;
- }
+ fprintf(stderr, "missing mandatory ucert attributes\n");
+ return 2;
+ }
certtype = blobmsg_get_u32(payloadtb[CERT_PL_ATTR_CERTTYPE]);
validfrom = blobmsg_get_u64(payloadtb[CERT_PL_ATTR_VALIDFROMTIME]);
snprintf(rfname, sizeof(rfname)-1, "%s/%s", pubkeydir, fingerprint);
/* check if entry in pubkeydir exists */
if (stat(rfname, &st) == 0) {
- char tml[64] = {0};
- /* if it's an existing revoker deadlink we are happy */
- if (readlink(rfname, tml, sizeof(tml)) > 0 &&
- !strcmp(tml, ".revoked.")) {
+ if (_usign_key_is_revoked(fingerprint, pubkeydir)) {
if (!quiet)
fprintf(stdout, "existing revoker deadlink for key %s\n", fingerprint);
continue;
#include <stdbool.h>
+#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include "usign.h"
-int usign_v(const char *msgfile, const char *pubkeyfile,
- const char *pubkeydir, const char *sigfile, bool quiet) {
- pid_t pid;
- int status;
- const char *usign_argv[16] = {0};
- unsigned int usign_argc = 0;
-
- usign_argv[usign_argc++] = "/usr/bin/usign";
- usign_argv[usign_argc++] = "-V";
- usign_argv[usign_argc++] = "-m";
- usign_argv[usign_argc++] = msgfile;
-
- if (quiet)
- usign_argv[usign_argc++] = "-q";
-
- if (pubkeyfile) {
- usign_argv[usign_argc++] = "-p";
- usign_argv[usign_argc++] = pubkeyfile;
- }
-
- if (pubkeydir) {
- usign_argv[usign_argc++] = "-P";
- usign_argv[usign_argc++] = pubkeydir;
- }
-
- if (sigfile) {
- usign_argv[usign_argc++] = "-x";
- usign_argv[usign_argc++] = sigfile;
- }
-
- pid = fork();
- switch (pid) {
- case -1:
- return -1;
-
- case 0:
- if (execv(usign_argv[0], usign_argv))
- return -1;
-
- break;
-
- default:
- waitpid(pid, &status, 0);
- return WEXITSTATUS(status);
- }
-
- return -1;
-}
-
int usign_s(const char *msgfile, const char *seckeyfile, const char *sigfile, bool quiet) {
pid_t pid;
int status;
int usign_f_sig(char *fingerprint, const char *sigfile) {
return usign_f(fingerprint, NULL, NULL, sigfile);
}
+
+int _usign_key_is_revoked(const char *fingerprint, const char *pubkeydir) {
+ char tml[64] = {0};
+ char rfname[256] = {0};
+
+ snprintf(rfname, sizeof(rfname)-1, "%s/%s", pubkeydir, fingerprint);
+ if (readlink(rfname, tml, sizeof(tml)) > 0 &&
+ !strcmp(tml, ".revoked.")) {
+ return true;
+ };
+
+ return false;
+}
+
+int usign_v(const char *msgfile, const char *pubkeyfile,
+ const char *pubkeydir, const char *sigfile, bool quiet) {
+ pid_t pid;
+ int status;
+ const char *usign_argv[16] = {0};
+ unsigned int usign_argc = 0;
+ char fingerprint[17];
+
+ if (usign_f_sig(fingerprint, sigfile))
+ return 1;
+
+ if (pubkeydir && _usign_key_is_revoked(fingerprint, pubkeydir))
+ return 1;
+
+ usign_argv[usign_argc++] = "/usr/bin/usign";
+ usign_argv[usign_argc++] = "-V";
+ usign_argv[usign_argc++] = "-m";
+ usign_argv[usign_argc++] = msgfile;
+
+ if (quiet)
+ usign_argv[usign_argc++] = "-q";
+
+ if (pubkeyfile) {
+ usign_argv[usign_argc++] = "-p";
+ usign_argv[usign_argc++] = pubkeyfile;
+ }
+
+ if (pubkeydir) {
+ usign_argv[usign_argc++] = "-P";
+ usign_argv[usign_argc++] = pubkeydir;
+ }
+
+ if (sigfile) {
+ usign_argv[usign_argc++] = "-x";
+ usign_argv[usign_argc++] = sigfile;
+ }
+
+ pid = fork();
+ switch (pid) {
+ case -1:
+ return -1;
+
+ case 0:
+ if (execv(usign_argv[0], usign_argv))
+ return -1;
+
+ break;
+
+ default:
+ waitpid(pid, &status, 0);
+ return WEXITSTATUS(status);
+ }
+
+ return -1;
+}
projects / project / ucert.git / commitdiff