pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/security/netpgpverify Update netpgpverify (and libnetp...
details: https://anonhg.NetBSD.org/pkgsrc/rev/568735a2958d
branches: trunk
changeset: 646160:568735a2958d
user: agc <agc%pkgsrc.org@localhost>
date: Thu Feb 05 00:21:57 2015 +0000
description:
Update netpgpverify (and libnetpgpverify) to version 20150205
+ recognise signatures made by subkeys as well as by primary keys
+ print out the relevant key which signed the file, even if it's
a subkey and not the primary key itself.
+ keep the same API as before
with many thanks to Jonathan Perkin
diffstat:
security/netpgpverify/Makefile | 4 +-
security/netpgpverify/files/Makefile.bsd | 4 +-
security/netpgpverify/files/chk.sh | 4 +-
security/netpgpverify/files/digest-20121220.tgz | Bin
security/netpgpverify/files/joyent-pubring.gpg | Bin
security/netpgpverify/files/libverify.c | 69 ++++++++++++++++-------
security/netpgpverify/files/verify.h | 6 +-
7 files changed, 58 insertions(+), 29 deletions(-)
diffs (245 lines):
diff -r 724d3ae5ea8b -r 568735a2958d security/netpgpverify/Makefile
--- a/security/netpgpverify/Makefile Thu Feb 05 00:17:50 2015 +0000
+++ b/security/netpgpverify/Makefile Thu Feb 05 00:21:57 2015 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.12 2015/02/03 21:34:57 agc Exp $
+# $NetBSD: Makefile,v 1.13 2015/02/05 00:21:57 agc Exp $
-DISTNAME= netpgpverify-20150204
+DISTNAME= netpgpverify-20150205
CATEGORIES= security
MASTER_SITES= # empty
DISTFILES= # empty
diff -r 724d3ae5ea8b -r 568735a2958d security/netpgpverify/files/Makefile.bsd
--- a/security/netpgpverify/files/Makefile.bsd Thu Feb 05 00:17:50 2015 +0000
+++ b/security/netpgpverify/files/Makefile.bsd Thu Feb 05 00:21:57 2015 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.bsd,v 1.7 2015/02/04 17:53:39 agc Exp $
+# $NetBSD: Makefile.bsd,v 1.8 2015/02/05 00:21:57 agc Exp $
PROG=netpgpverify
@@ -41,3 +41,5 @@
uudecode 1keytest.gpg.uu
./${PROG} -k 1keypubring.gpg 1keytest.gpg
rm -f 1keytest.gpg
+ @echo "testing signing with a subkey"
+ ./chk.sh -k joyent-pubring.gpg digest-20121220.tgz
diff -r 724d3ae5ea8b -r 568735a2958d security/netpgpverify/files/chk.sh
--- a/security/netpgpverify/files/chk.sh Thu Feb 05 00:17:50 2015 +0000
+++ b/security/netpgpverify/files/chk.sh Thu Feb 05 00:21:57 2015 +0000
@@ -1,6 +1,6 @@
#! /bin/sh
-# $NetBSD: chk.sh,v 1.3 2015/01/31 22:00:55 agc Exp $
+# $NetBSD: chk.sh,v 1.4 2015/02/05 00:21:57 agc Exp $
# Copyright (c) 2013,2014,2015 Alistair Crooks <agc%NetBSD.org@localhost>
# All rights reserved.
@@ -103,7 +103,7 @@
echo "Hash: ${digest}" >> ${dir}/${name}.sig
echo "" >> ${dir}/${name}.sig
cat ${dir}/+PKG_HASH ${dir}/+PKG_GPG_SIGNATURE >> ${dir}/${name}.sig
- (cd ${dir} && netpgpverify -k pubring.gpg ${name}.sig) || die "Bad signature"
+ (cd ${dir} && ${here}/netpgpverify -k pubring.gpg ${name}.sig) || die "Bad signature"
else
echo "=== Using gpg to verify the package signature ==="
gpg --recv --keyserver pgp.mit.edu 0x6F3AF5E2
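Review bot: `${here}` is expanded after `cd ${dir}` and is not defined in this hunk, so the new call only reaches the freshly built binary if `here` holds an absolute path; a relative value such as `.` would resolve inside `${dir}` instead. It is also unquoted, so a build directory containing whitespace would split the command. I would write `(cd "${dir}" && "${here}/netpgpverify" -k pubring.gpg "${name}.sig") || die "Bad signature"` and confirm that `here` is set from an absolute path earlier in the script. The enclosing `if` branch starts outside the hunk.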
diff -r 724d3ae5ea8b -r 568735a2958d security/netpgpverify/files/digest-20121220.tgz
Binary file security/netpgpverify/files/digest-20121220.tgz has changed
diff -r 724d3ae5ea8b -r 568735a2958d security/netpgpverify/files/joyent-pubring.gpg
Binary file security/netpgpverify/files/joyent-pubring.gpg has changed
diff -r 724d3ae5ea8b -r 568735a2958d security/netpgpverify/files/libverify.c
--- a/security/netpgpverify/files/libverify.c Thu Feb 05 00:17:50 2015 +0000
+++ b/security/netpgpverify/files/libverify.c Thu Feb 05 00:21:57 2015 +0000
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2012 Alistair Crooks <agc%NetBSD.org@localhost>
+ * Copyright (c) 2012,2013,2014,2015 Alistair Crooks <agc%NetBSD.org@localhost>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -1473,14 +1473,16 @@
/* print a primary key, per RFC 4880 */
static size_t
-fmt_primary(char *s, size_t size, pgpv_primarykey_t *primary, const char *modifiers)
+fmt_primary(char *s, size_t size, pgpv_primarykey_t *primary, unsigned subkey, const char *modifiers)
{
pgpv_signed_userid_t *userid;
+ pgpv_pubkey_t *pubkey;
unsigned i;
unsigned j;
size_t cc;
- cc = fmt_pubkey(s, size, &primary->primary, "signature ");
+ pubkey = (subkey == 0) ? &primary->primary : &ARRAY_ELEMENT(primary->signed_subkeys, subkey - 1).subkey;
+ cc = fmt_pubkey(s, size, pubkey, "signature ");
cc += fmt_userid(&s[cc], size - cc, primary, primary->primary_userid);
for (i = 0 ; i < ARRAY_COUNT(primary->signed_userids) ; i++) {
if (i != primary->primary_userid) {
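Review bot: The new `subkey` argument is used as an array index with no bounds check: `&ARRAY_ELEMENT(primary->signed_subkeys, subkey - 1).subkey` reads past the array whenever `subkey` exceeds `ARRAY_COUNT(primary->signed_subkeys)`. The value arrives from `pgpv_get_entry` (hunk at -2520), which validates `prim` but passes `ent & 0xff` through unchecked, and `ent` is caller-supplied on a non-static function. I would reject it at that entry point, after the existing `prim` check: `if (subkey > ARRAY_COUNT(ARRAY_ELEMENT(pgp->primaries, prim).signed_subkeys)) return 0;`. fmt_primary's body continues past the end of this hunk.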
@@ -2438,7 +2440,7 @@
return 1;
}
-/* match the calculated signature against the oen in the signature packet */
+/* match the calculated signature against the one in the signature packet */
static int
match_sig(pgpv_cursor_t *cursor, pgpv_signature_t *signature, pgpv_pubkey_t *pubkey, uint8_t *data, size_t size)
{
@@ -2520,25 +2522,29 @@
/* return the formatted entry for the primary key desired */
size_t
-pgpv_get_entry(pgpv_t *pgp, unsigned ent, char **ret, const char *modifiers)
+pgpv_get_entry(pgpv_t *pgp, unsigned ent, char **s, const char *modifiers)
{
- size_t cc;
+ unsigned subkey;
+ unsigned prim;
+ size_t cc;
- if (ret == NULL || pgp == NULL || ent >= ARRAY_COUNT(pgp->primaries)) {
+ prim = ((ent >> 8) & 0xffffff);
+ subkey = (ent & 0xff);
+ if (s == NULL || pgp == NULL || prim >= ARRAY_COUNT(pgp->primaries)) {
return 0;
}
- *ret = NULL;
- cc = ARRAY_ELEMENT(pgp->primaries, ent).fmtsize;
+ *s = NULL;
+ cc = ARRAY_ELEMENT(pgp->primaries, prim).fmtsize;
if (modifiers == NULL || (strcasecmp(modifiers, "trust") != 0 && strcasecmp(modifiers, "subkeys") != 0)) {
modifiers = "no-subkeys";
}
if (strcasecmp(modifiers, "trust") == 0) {
cc *= 2048;
}
- if ((*ret = calloc(1, cc)) == NULL) {
+ if ((*s = calloc(1, cc)) == NULL) {
return 0;
}
- return fmt_primary(*ret, cc, &ARRAY_ELEMENT(pgp->primaries, ent), modifiers);
+ return fmt_primary(*s, cc, &ARRAY_ELEMENT(pgp->primaries, prim), subkey, modifiers);
}
/* fixup key id, with birth, keyalg and hashalg value from signature */
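Review bot: The meaning of `ent` changes here without the comment or the signature saying so: it is now decoded as `(primary index << 8) | subkey`, so a caller that still passes the plain primary index `1` gets primary 0 with subkey 1. The values appended to `cursor->found` in the -2697 hunk use the new encoding, but the function is not static, so any caller that builds its own index should be checked against the commit's "keep the same API" goal. At minimum the header comment should state the encoding, e.g. `/* return the formatted entry for key 'ent': (primary index << 8) | (subkey index + 1), low byte 0 meaning the primary key itself */`.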
@@ -2558,12 +2564,15 @@
/* find key id */
static int
-find_keyid(pgpv_t *pgp, const char *strkeyid, uint8_t *keyid)
+find_keyid(pgpv_t *pgp, const char *strkeyid, uint8_t *keyid, unsigned *sub)
{
- unsigned i;
- uint8_t binkeyid[PGPV_KEYID_LEN];
- size_t off;
- size_t cmp;
+ pgpv_signed_subkey_t *subkey;
+ pgpv_primarykey_t *prim;
+ unsigned i;
+ unsigned j;
+ uint8_t binkeyid[PGPV_KEYID_LEN];
+ size_t off;
+ size_t cmp;
if (strkeyid == NULL && keyid == NULL) {
return 0;
@@ -2575,27 +2584,43 @@
memcpy(binkeyid, keyid, sizeof(binkeyid));
cmp = PGPV_KEYID_LEN;
}
+ *sub = 0;
off = PGPV_KEYID_LEN - cmp;
for (i = 0 ; i < ARRAY_COUNT(pgp->primaries) ; i++) {
- if (memcmp(&ARRAY_ELEMENT(pgp->primaries, i).primary.keyid[off], &binkeyid[off], cmp) == 0) {
+ prim = &ARRAY_ELEMENT(pgp->primaries, i);
+ if (memcmp(&prim->primary.keyid[off], &binkeyid[off], cmp) == 0) {
return i;
}
+ for (j = 0 ; j < ARRAY_COUNT(prim->signed_subkeys) ; j++) {
+ subkey = &ARRAY_ELEMENT(prim->signed_subkeys, j);
+ if (memcmp(&subkey->subkey.keyid[off], &binkeyid[off], cmp) == 0) {
+ *sub = j + 1;
+ return i;
+ }
+ }
+
}
return -1;
}
/* match the signature with the id indexed by 'primary' */
static int
-match_sig_id(pgpv_cursor_t *cursor, pgpv_signature_t *signature, pgpv_litdata_t *litdata, unsigned primary)
+match_sig_id(pgpv_cursor_t *cursor, pgpv_signature_t *signature, pgpv_litdata_t *litdata, unsigned primary, unsigned sub)
{
+ pgpv_primarykey_t *prim;
pgpv_pubkey_t *pubkey;
uint8_t *data;
size_t insize;
- pubkey = &ARRAY_ELEMENT(cursor->pgp->primaries, primary).primary;
cursor->sigtime = signature->birth;
/* calc hash on data packet */
data = get_literal_data(cursor, litdata, &insize);
+ if (sub == 0) {
+ pubkey = &ARRAY_ELEMENT(cursor->pgp->primaries, primary).primary;
+ return match_sig(cursor, signature, pubkey, data, insize);
+ }
+ prim = &ARRAY_ELEMENT(cursor->pgp->primaries, primary);
+ pubkey = &ARRAY_ELEMENT(prim->signed_subkeys, sub - 1).subkey;
return match_sig(cursor, signature, pubkey, data, insize);
}
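Review bot: The subkey loop in find_keyid accepts any entry of `prim->signed_subkeys` whose key id matches, and match_sig_id then verifies against that subkey's public key; nothing in this hunk checks that the subkey is permitted to sign. If the subkey's binding signature, signing-capability key flag, revocation and expiry are not already enforced when the keyring is parsed (that code is outside this diff), an encryption-only or revoked subkey would be accepted as a valid signer. A comment at the loop saying where that check lives, such as `/* subkey binding and usage flags are validated in <keyring-parsing function> */`, or an explicit test before `*sub = j + 1;`, would make the trust decision auditable. find_keyid begins outside this hunk.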
@@ -2646,6 +2671,7 @@
pgpv_signature_t *signature;
pgpv_onepass_t *onepass;
pgpv_litdata_t *litdata;
+ unsigned sub;
size_t pkt;
char strkeyid[PGPV_STR_KEYID_LEN];
int j;
@@ -2697,15 +2723,16 @@
if (cursor->pgp->ssh) {
fixup_ssh_keyid(cursor->pgp, signature, "sha1");
}
- if ((j = find_keyid(cursor->pgp, NULL, onepass->keyid)) < 0) {
+ if ((j = find_keyid(cursor->pgp, NULL, onepass->keyid, &sub)) < 0) {
fmt_binary(strkeyid, sizeof(strkeyid), onepass->keyid, (unsigned)sizeof(onepass->keyid));
snprintf(cursor->why, sizeof(cursor->why), "Signature key id %s not found ", strkeyid);
return 0;
}
- if (!match_sig_id(cursor, signature, litdata, (unsigned)j)) {
+ if (!match_sig_id(cursor, signature, litdata, (unsigned)j, sub)) {
return 0;
}
ARRAY_APPEND(cursor->datacookies, pkt);
+ j = ((j & 0xffffff) << 8) | (sub & 0xff);
ARRAY_APPEND(cursor->found, j);
return pkt + 1;
}
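Review bot: The packing `j = ((j & 0xffffff) << 8) | (sub & 0xff);` truncates silently: find_keyid sets `*sub = j + 1` with no upper bound, so a primary key carrying 256 or more signed subkeys can produce a `sub` whose low byte is 0. pgpv_get_entry would then print the primary key as the signer although a subkey's key verified the data. A guard before the append, `if (sub > 0xff || j > 0xffffff) return 0;` with a reason written to `cursor->why`, keeps the reported signer and the verifying key in agreement. The enclosing function starts outside this hunk.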
diff -r 724d3ae5ea8b -r 568735a2958d security/netpgpverify/files/verify.h
--- a/security/netpgpverify/files/verify.h Thu Feb 05 00:17:50 2015 +0000
+++ b/security/netpgpverify/files/verify.h Thu Feb 05 00:21:57 2015 +0000
@@ -23,9 +23,9 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef NETPGP_VERIFY_H_
-#define NETPGP_VERIFY_H_ 20150204
+#define NETPGP_VERIFY_H_ 20150205
-#define NETPGPVERIFY_VERSION "netpgpverify portable 20150204"
+#define NETPGPVERIFY_VERSION "netpgpverify portable 20150205"
#include <sys/types.h>
@@ -263,7 +263,7 @@
char *op; /* operation we're doing */
char *value; /* value we're searching for */
void *ptr; /* for regexps etc */
- PGPV_ARRAY(uint32_t, found); /* array of matched subscripts */
+ PGPV_ARRAY(uint32_t, found); /* array of matched pimary key subscripts */
PGPV_ARRAY(size_t, datacookies); /* cookies to retrieve matched data */
int64_t sigtime; /* time of signature */
char why[PGPV_REASON_LEN]; /* reason for bad signature */
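Review bot: The updated comment on `found` has a typo (`pimary`) and no longer describes the contents: after this commit each element is a packed value rather than a plain subscript. Suggested wording: `/* array of matched keys: (primary subscript << 8) | (subkey subscript + 1, or 0 for the primary key) */`. The struct definition starts and ends outside the hunk.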