proxmox-mirrors/fwupd
1
0
Fork 0
mirror of https://git.proxmox.com/git/fwupd synced 2025-07-27 14:39:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

trivial: Split up the keyring setup and public key adding

Browse Source
This commit is contained in:
Richard Hughes 2017-08-18 10:58:47 +01:00
parent 6d0fc42685
commit 14047d7d24
7 changed files with 101 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
data/pki/LVFS-CA.pem Normal file
View File

@ -0,0 +1,27 @@
-----BEGIN CERTIFICATE-----
MIIEpzCCAw+gAwIBAgIBATANBgkqhkiG9w0BAQsFADA6MRAwDgYDVQQDEwdMVkZT
IENBMSYwJAYDVQQKEx1MaW51eCBWZW5kb3IgRmlybXdhcmUgUHJvamVjdDAeFw0x
NzA4MTgwOTA4NDNaFw0xODA4MTgwOTA4NDNaMDoxEDAOBgNVBAMTB0xWRlMgQ0Ex
JjAkBgNVBAoTHUxpbnV4IFZlbmRvciBGaXJtd2FyZSBQcm9qZWN0MIIBojANBgkq
hkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA1Pgc6P9S15B3nFNWKcZm6DHGlve2q7M9
+78Q/E0X6JwkFShC4RHxrc73TL8f9tV+F0CyZwsgb7BvurR7jAIBwby/T1feYZqo
McNmB7CkUeBlVC7pMV46h/1gkZDteGRzkwA4YRoSbDTcKzZQSqVEyFSnGCa7RsqH
MshEfYWZl7gxy6I2KhYAfOl9fUDfxeuvjvGDy55ilGEkabfHXy9q5TAT7rp/Rrvb
H/mq4iUbU9mvj9Khl96thvTewc7HA3hfYw+CUJPRUSvGMehgxwkCbbVWkA7B2E5z
mCblTqv0duy4+2664Jnm7CVJXQlJX2yPQOm/PF247iL9n7mjU8MlgYEcDEeGoRwQ
3FYgfU3gTRUKLBtzTWjQ1RXnLnCS51gXE95a0lPma5QaSQE7GReaHUEGKzglnrc/
6dD7Wh/gE7WsGe6d3j2xwjYqR10+DB6z0DT7bm3miSkibQrGSeKRcKWD1liGlXIP
P4d9KFpN9dIDCWKvlcY5NakMtM/6/4yNAgMBAAGjgbcwgbQwDwYDVR0TAQH/BAUw
AwEB/zAwBgNVHREEKTAnhhVodHRwOi8vd3d3LmZ3dXBkLm9yZy+BDnNpZ25AZnd1
cGQub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA8GA1UdDwEB/wQFAwMHBgAwHQYD
VR0OBBYEFDZoHeKph3x3vO5MXdOyLbbdInxWMCoGA1UdHwQjMCEwH6AdoBuGGWh0
dHA6Ly93d3cuZnd1cGQub3JnL3BraS8wDQYJKoZIhvcNAQELBQADggGBAJaRJy8D
ayuBwSE/TVcyEv4h6s+1ou54ruZjkEWDLDqbBrwNbTzm52pKQ03HDR0OLrK+ndZH
xwC2ar7MyNe2CFgUFr/RaYD10DEYW/qWUjZLvAbE37AaoG0CevJSSd0KnSJzJU7t
T+ztHvSn9q8AJ20xVsP7OcAqBN3qx2yrj6qs70mtn2UjsqIOz6VOs81J24wk7nnl
LAOln7elsLGdOI2mg4jbJZGf1YnKYn+oCye7OCAX8LqQnMGkHj+ZyBGLgl4lJ+Oi
oaaf/xAf2BRT6iKqx5tTNkYUZSZcEJMgk2HWI2XoZCjPfQfwn+Mbt40JcBwqQ28b
l1fAe6lqC+8t1KmjgywvpyzsssaRJXFjnlgoSjnnQYfmmKoURxpX87NcVtwfV60Q
HC4ZyT+zlhgQASBDMrkwGQ8/F0h5WG+OxdM7tg62Y9gcpb/q3x5fttxut9MmQOCC
vgzuugW+pyW75+cg7UpLOM8eAudAmFtEteUb7H9FW+KyBEMfUboCOCVF5w==
-----END CERTIFICATE-----

8
src/fu-engine.c
View File

@ -364,7 +364,9 @@ fu_engine_get_release_trust_flags (AsRelease *release,
kr = fu_engine_get_keyring_for_kind (keyring_kind, error); kr = fu_engine_get_keyring_for_kind (keyring_kind, error);
if (kr == NULL) if (kr == NULL)
return FALSE; return FALSE;
if (!fu_keyring_setup (kr, pki_dir, error)) if (!fu_keyring_setup (kr, error))
return FALSE;
if (!fu_keyring_add_public_keys (kr, pki_dir, error))
return FALSE; return FALSE;
kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature, &error_local); kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature, &error_local);
if (kr_result == NULL) { if (kr_result == NULL) {
@ -1524,7 +1526,9 @@ fu_engine_update_metadata (FuEngine *self, const gchar *remote_id,
kr = fu_engine_get_keyring_for_kind (keyring_kind, error); kr = fu_engine_get_keyring_for_kind (keyring_kind, error);
if (kr == NULL) if (kr == NULL)
return FALSE; return FALSE;
if (!fu_keyring_setup (kr, "/etc/pki/fwupd-metadata", error)) if (!fu_keyring_setup (kr, error))
return FALSE;
if (!fu_keyring_add_public_keys (kr, "/etc/pki/fwupd-metadata", error))
return FALSE; return FALSE;
kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig, error); kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig, error);
if (kr_result == NULL) if (kr_result == NULL)

21
src/fu-keyring-gpg.c
View File

@ -92,13 +92,11 @@ fu_keyring_gpg_add_public_key (FuKeyringGpg *self,
} }
static gboolean static gboolean
fu_keyring_gpg_setup (FuKeyring *keyring, const gchar *public_key_dir, GError **error) fu_keyring_gpg_setup (FuKeyring *keyring, GError **error)
{ {
FuKeyringGpg *self = FU_KEYRING_GPG (keyring); FuKeyringGpg *self = FU_KEYRING_GPG (keyring);
const gchar *fn_tmp;
gpgme_error_t rc; gpgme_error_t rc;
g_autofree gchar *gpg_home = NULL; g_autofree gchar *gpg_home = NULL;
g_autoptr(GDir) dir = NULL;
if (self->ctx != NULL) if (self->ctx != NULL)
return TRUE; return TRUE;
@ -166,20 +164,30 @@ fu_keyring_gpg_setup (FuKeyring *keyring, const gchar *public_key_dir, GError **
/* enable armor mode */ /* enable armor mode */
gpgme_set_armor (self->ctx, TRUE); gpgme_set_armor (self->ctx, TRUE);
return TRUE;
}
static gboolean
fu_keyring_gpg_add_public_keys (FuKeyring *keyring,
const gchar *path,
GError **error)
{
FuKeyringGpg *self = FU_KEYRING_GPG (keyring);
const gchar *fn_tmp;
g_autoptr(GDir) dir = NULL;
/* search all the public key files */ /* search all the public key files */
dir = g_dir_open (public_key_dir, 0, error); dir = g_dir_open (path, 0, error);
if (dir == NULL) if (dir == NULL)
return FALSE; return FALSE;
while ((fn_tmp = g_dir_read_name (dir)) != NULL) { while ((fn_tmp = g_dir_read_name (dir)) != NULL) {
g_autofree gchar *path_tmp = NULL; g_autofree gchar *path_tmp = NULL;
if (!g_str_has_prefix (fn_tmp, "GPG-KEY-")) if (!g_str_has_prefix (fn_tmp, "GPG-KEY-"))
continue; continue;
path_tmp = g_build_filename (public_key_dir, fn_tmp, NULL); path_tmp = g_build_filename (path, fn_tmp, NULL);
if (!fu_keyring_gpg_add_public_key (self, path_tmp, error)) if (!fu_keyring_gpg_add_public_key (self, path_tmp, error))
return FALSE; return FALSE;
} }
return TRUE; return TRUE;
} }
@ -327,6 +335,7 @@ fu_keyring_gpg_class_init (FuKeyringGpgClass *klass)
GObjectClass *object_class = G_OBJECT_CLASS (klass); GObjectClass *object_class = G_OBJECT_CLASS (klass);
FuKeyringClass *klass_app = FU_KEYRING_CLASS (klass); FuKeyringClass *klass_app = FU_KEYRING_CLASS (klass);
klass_app->setup = fu_keyring_gpg_setup; klass_app->setup = fu_keyring_gpg_setup;
klass_app->add_public_keys = fu_keyring_gpg_add_public_keys;
klass_app->verify_data = fu_keyring_gpg_verify_data; klass_app->verify_data = fu_keyring_gpg_verify_data;
object_class->finalize = fu_keyring_gpg_finalize; object_class->finalize = fu_keyring_gpg_finalize;
} }

45
src/fu-keyring-pkcs7.c
View File

@ -74,34 +74,21 @@ fu_keyring_pkcs7_add_public_key (FuKeyringPkcs7 *self,
} }
static gboolean static gboolean
fu_keyring_pkcs7_setup (FuKeyring *keyring, const gchar *public_key_dir, GError **error) fu_keyring_pkcs7_add_public_keys (FuKeyring *keyring,
const gchar *path,
GError **error)
{ {
FuKeyringPkcs7 *self = FU_KEYRING_PKCS7 (keyring); FuKeyringPkcs7 *self = FU_KEYRING_PKCS7 (keyring);
const gchar *fn_tmp; const gchar *fn_tmp;
int rc;
g_autoptr(GDir) dir = NULL; g_autoptr(GDir) dir = NULL;
if (self->tl != NULL)
return TRUE;
/* create trust list, a bit like a keyring */
rc = gnutls_x509_trust_list_init (&self->tl, 0);
if (rc != GNUTLS_E_SUCCESS) {
g_set_error (error,
FWUPD_ERROR,
FWUPD_ERROR_SIGNATURE_INVALID,
"failed to create trust list: %s [%i]",
gnutls_strerror (rc), rc);
return FALSE;
}
/* search all the public key files */ /* search all the public key files */
dir = g_dir_open (public_key_dir, 0, error); dir = g_dir_open (path, 0, error);
if (dir == NULL) if (dir == NULL)
return FALSE; return FALSE;
while ((fn_tmp = g_dir_read_name (dir)) != NULL) { while ((fn_tmp = g_dir_read_name (dir)) != NULL) {
g_autofree gchar *path_tmp = NULL; g_autofree gchar *path_tmp = NULL;
path_tmp = g_build_filename (public_key_dir, fn_tmp, NULL); path_tmp = g_build_filename (path, fn_tmp, NULL);
if (g_str_has_suffix (fn_tmp, ".pem")) { if (g_str_has_suffix (fn_tmp, ".pem")) {
if (!fu_keyring_pkcs7_add_public_key (self, path_tmp, if (!fu_keyring_pkcs7_add_public_key (self, path_tmp,
GNUTLS_X509_FMT_PEM, GNUTLS_X509_FMT_PEM,
@ -117,7 +104,28 @@ fu_keyring_pkcs7_setup (FuKeyring *keyring, const gchar *public_key_dir, GError
return FALSE; return FALSE;
} }
} }
return TRUE;
}
static gboolean
fu_keyring_pkcs7_setup (FuKeyring *keyring, GError **error)
{
FuKeyringPkcs7 *self = FU_KEYRING_PKCS7 (keyring);
int rc;
if (self->tl != NULL)
return TRUE;
/* create trust list, a bit like a keyring */
rc = gnutls_x509_trust_list_init (&self->tl, 0);
if (rc != GNUTLS_E_SUCCESS) {
g_set_error (error,
FWUPD_ERROR,
FWUPD_ERROR_SIGNATURE_INVALID,
"failed to create trust list: %s [%i]",
gnutls_strerror (rc), rc);
return FALSE;
}
return TRUE; return TRUE;
} }
@ -260,6 +268,7 @@ fu_keyring_pkcs7_class_init (FuKeyringPkcs7Class *klass)
GObjectClass *object_class = G_OBJECT_CLASS (klass); GObjectClass *object_class = G_OBJECT_CLASS (klass);
FuKeyringClass *klass_app = FU_KEYRING_CLASS (klass); FuKeyringClass *klass_app = FU_KEYRING_CLASS (klass);
klass_app->setup = fu_keyring_pkcs7_setup; klass_app->setup = fu_keyring_pkcs7_setup;
klass_app->add_public_keys = fu_keyring_pkcs7_add_public_keys;
klass_app->verify_data = fu_keyring_pkcs7_verify_data; klass_app->verify_data = fu_keyring_pkcs7_verify_data;
object_class->finalize = fu_keyring_pkcs7_finalize; object_class->finalize = fu_keyring_pkcs7_finalize;
} }

14
src/fu-keyring.c
View File

@ -33,12 +33,20 @@ G_DEFINE_TYPE_WITH_PRIVATE (FuKeyring, fu_keyring, G_TYPE_OBJECT)
#define GET_PRIVATE(o) (fu_keyring_get_instance_private (o)) #define GET_PRIVATE(o) (fu_keyring_get_instance_private (o))
gboolean gboolean
fu_keyring_setup (FuKeyring *keyring, const gchar *public_key_dir, GError **error) fu_keyring_setup (FuKeyring *keyring, GError **error)
{ {
FuKeyringClass *klass = FU_KEYRING_GET_CLASS (keyring); FuKeyringClass *klass = FU_KEYRING_GET_CLASS (keyring);
g_return_val_if_fail (FU_IS_KEYRING (keyring), FALSE); g_return_val_if_fail (FU_IS_KEYRING (keyring), FALSE);
g_return_val_if_fail (public_key_dir != NULL, FALSE); return klass->setup (keyring, error);
return klass->setup (keyring, public_key_dir, error); }
gboolean
fu_keyring_add_public_keys (FuKeyring *keyring, const gchar *path, GError **error)
{
FuKeyringClass *klass = FU_KEYRING_GET_CLASS (keyring);
g_return_val_if_fail (FU_IS_KEYRING (keyring), FALSE);
g_return_val_if_fail (path != NULL, FALSE);
return klass->add_public_keys (keyring, path, error);
} }
FuKeyringResult * FuKeyringResult *

8
src/fu-keyring.h
View File

@ -36,7 +36,9 @@ struct _FuKeyringClass
{ {
GObjectClass parent_class; GObjectClass parent_class;
gboolean (*setup) (FuKeyring *keyring, gboolean (*setup) (FuKeyring *keyring,
const gchar *public_key_dir, GError **error);
gboolean (*add_public_keys) (FuKeyring *keyring,
const gchar *path,
GError **error); GError **error);
FuKeyringResult *(*verify_data) (FuKeyring *keyring, FuKeyringResult *(*verify_data) (FuKeyring *keyring,
GBytes *payload, GBytes *payload,
@ -45,7 +47,9 @@ struct _FuKeyringClass
}; };
gboolean fu_keyring_setup (FuKeyring *keyring, gboolean fu_keyring_setup (FuKeyring *keyring,
const gchar *public_key_dir, GError **error);
gboolean fu_keyring_add_public_keys (FuKeyring *keyring,
const gchar *path,
GError **error); GError **error);
FuKeyringResult *fu_keyring_verify_data (FuKeyring *keyring, FuKeyringResult *fu_keyring_verify_data (FuKeyring *keyring,
GBytes *blob, GBytes *blob,

11
src/fu-self-test.c
View File

@ -405,8 +405,12 @@ fu_keyring_gpg_func (void)
/* add keys to keyring */ /* add keys to keyring */
keyring = fu_keyring_gpg_new (); keyring = fu_keyring_gpg_new ();
ret = fu_keyring_setup (keyring, &error);
g_assert_no_error (error);
g_assert_true (ret);
pki_dir = fu_test_get_filename (TESTDATADIR, "pki"); pki_dir = fu_test_get_filename (TESTDATADIR, "pki");
ret = fu_keyring_setup (keyring, pki_dir, &error); g_assert_nonnull (pki_dir);
ret = fu_keyring_add_public_keys (keyring, pki_dir, &error);
g_assert_no_error (error); g_assert_no_error (error);
g_assert_true (ret); g_assert_true (ret);
@ -458,9 +462,12 @@ fu_keyring_pkcs7_func (void)
/* add keys to keyring */ /* add keys to keyring */
keyring = fu_keyring_pkcs7_new (); keyring = fu_keyring_pkcs7_new ();
ret = fu_keyring_setup (keyring, &error);
g_assert_no_error (error);
g_assert_true (ret);
pki_dir = fu_test_get_filename (TESTDATADIR_DST, "pki"); pki_dir = fu_test_get_filename (TESTDATADIR_DST, "pki");
g_assert_nonnull (pki_dir); g_assert_nonnull (pki_dir);
ret = fu_keyring_setup (keyring, pki_dir, &error); ret = fu_keyring_add_public_keys (keyring, pki_dir, &error);
g_assert_no_error (error); g_assert_no_error (error);
g_assert_true (ret); g_assert_true (ret);