pkgsrc-Changes-HG archive
[pkgsrc/pkg_install-renovation]: pkgsrc/pkgtools/pkg_install/files/lib pkg_in...
details: https://anonhg.NetBSD.org/pkgsrc/rev/17fba4beee7c
branches: pkg_install-renovation
changeset: 541561:17fba4beee7c
user: joerg <joerg%pkgsrc.org@localhost>
date: Sat Jul 05 17:26:39 2008 +0000
description:
pkg_install-20080705:
Based on a discussion with tls@, make the key validation stricter.
Don't allow CA keys for packages or pkg-vulnerabilities.
Require CODE SIGN as key usage attribute for packages.
Require that no key usage attribute is set for pkg-vulnerabilities.
The latter is not finalised and might change again.
diffstat:
pkgtools/pkg_install/files/lib/lib.h | 4 +-
pkgtools/pkg_install/files/lib/pkcs7.c | 33 +++++++++++++++++-
pkgtools/pkg_install/files/lib/pkg_signature.c | 6 +-
pkgtools/pkg_install/files/lib/version.h | 4 +-
pkgtools/pkg_install/files/lib/vulnerabilities-file.c | 4 +-
5 files changed, 39 insertions(+), 12 deletions(-)
diffs (151 lines):
diff -r d2cbbacd0d8a -r 17fba4beee7c pkgtools/pkg_install/files/lib/lib.h
--- a/pkgtools/pkg_install/files/lib/lib.h Fri Jun 27 15:25:52 2008 +0000
+++ b/pkgtools/pkg_install/files/lib/lib.h Sat Jul 05 17:26:39 2008 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: lib.h,v 1.42.2.6 2008/05/20 15:00:44 joerg Exp $ */
+/* $NetBSD: lib.h,v 1.42.2.7 2008/07/05 17:26:39 joerg Exp $ */
/* from FreeBSD Id: lib.h,v 1.25 1997/10/08 07:48:03 charnier Exp */
@@ -387,7 +387,7 @@
#ifdef HAVE_SSL
/* PKCS7 signing/verification */
int easy_pkcs7_verify(const char *, size_t, const char *, size_t,
- const char *);
+ const char *, int);
int easy_pkcs7_sign(const char *, size_t, char **, size_t *, const char *,
const char *);
#endif
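Review bot: The new trailing `int` on `easy_pkcs7_verify` is undocumented, and the two call sites changed in this commit pass a bare `1` (pkg_signature.c) and `0` (vulnerabilities-file.c), so the policy each caller selects cannot be read at either end. Because this flag decides which extended-key-usage rule a signer certificate must satisfy, I would add a comment above the prototype such as `/* last argument: non-zero = package signature (signer must be code-signing only), zero = pkg-vulnerabilities (signer must carry no extended key usage) */`. A pair of named constants for the two modes would also make a swapped argument easier to spot in review.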
diff -r d2cbbacd0d8a -r 17fba4beee7c pkgtools/pkg_install/files/lib/pkcs7.c
--- a/pkgtools/pkg_install/files/lib/pkcs7.c Fri Jun 27 15:25:52 2008 +0000
+++ b/pkgtools/pkg_install/files/lib/pkcs7.c Sat Jul 05 17:26:39 2008 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: pkcs7.c,v 1.1.2.2 2008/05/21 13:08:47 joerg Exp $ */
+/* $NetBSD: pkcs7.c,v 1.1.2.3 2008/07/05 17:26:40 joerg Exp $ */
#if HAVE_CONFIG_H
#include "config.h"
#endif
@@ -7,7 +7,7 @@
#include <sys/cdefs.h>
#endif
-__RCSID("$NetBSD: pkcs7.c,v 1.1.2.2 2008/05/21 13:08:47 joerg Exp $");
+__RCSID("$NetBSD: pkcs7.c,v 1.1.2.3 2008/07/05 17:26:40 joerg Exp $");
/*-
* Copyright (c) 2004, 2008 The NetBSD Foundation, Inc.
@@ -101,7 +101,7 @@
int
easy_pkcs7_verify(const char *content, size_t len,
const char *signature, size_t signature_len,
- const char *anchor)
+ const char *anchor, int is_pkg)
{
STACK_OF(X509) *cert_chain, *signers;
X509_STORE *store;
@@ -156,6 +156,24 @@
goto cleanup;
}
+ for (i = 0; i < sk_X509_num(signers); i++) {
+ if (sk_X509_value(signers, i)->ex_flags & EXFLAG_CA) {
+ warnx("CA keys are not valid for signatures");
+ goto cleanup;
+ }
+ if (is_pkg) {
+ if (sk_X509_value(signers, i)->ex_xkusage != XKU_CODE_SIGN) {
+ warnx("Certificate must have CODE SIGNING property");
+ goto cleanup;
+ }
+ } else {
+ if (sk_X509_value(signers, i)->ex_xkusage != 0) {
+ warnx("Certificate must not have any property");
+ goto cleanup;
+ }
+ }
+ }
+
printf("Sigature ok, signed by:\n");
for (i = 0; i < sk_X509_num(signers); i++) {
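Review bot: The loop added before the "signed by" output reads `ex_flags` and `ex_xkusage` straight from the X509 structure, but these are cached values that OpenSSL fills in only after its extension-parsing code has run on that certificate (for instance via `X509_check_purpose`). Whether that has happened for every entry in `signers` depends on the verification code above this hunk, which is not visible here; if it has not, the CA test passes trivially and the key-usage comparison is made against zero. Calling `X509_check_purpose(sk_X509_value(signers, i), -1, 0);` at the top of the loop body forces the cache, and `X509_check_ca()` is a broader CA test than the `EXFLAG_CA` bit alone, since it also classifies some certificates without basicConstraints as CAs. The same applies to the `certificate->ex_flags` / `certificate->ex_xkusage` checks in the @@ -220 hunk of this file, where the certificate presumably comes straight from a file and the cache is even less likely to be populated.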
@@ -220,6 +238,15 @@
}
certificate = sk_X509_value(c, 0);
+ if (certificate->ex_flags & EXFLAG_CA) {
+ warnx("CA keys are not valid for signatures");
+ goto cleanup;
+ }
+ if (certificate->ex_xkusage != XKU_CODE_SIGN) {
+ warnx("Certificate must have CODE SIGNING property");
+ goto cleanup;
+ }
+
if (cert_chain_file)
cert_chain = file_to_certs(cert_chain_file);
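Review bot: The signing-side check added after `sk_X509_value(c, 0)` always demands `XKU_CODE_SIGN`, while the verification hunk above requires an empty extended key usage when `is_pkg` is zero. If this code is in `easy_pkcs7_sign` (the function header is outside the hunk), anything signed through it can never verify as pkg-vulnerabilities. If that is intended, it deserves a comment at the check, e.g. `/* signing here is for packages only; see easy_pkcs7_verify for the pkg-vulnerabilities rule */`. The policy is also now written out twice in this file; a small static helper shared by both paths, say `static int check_signer_cert(X509 *cert, int is_pkg)`, would keep the sign and verify rules from drifting apart.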
diff -r d2cbbacd0d8a -r 17fba4beee7c pkgtools/pkg_install/files/lib/pkg_signature.c
--- a/pkgtools/pkg_install/files/lib/pkg_signature.c Fri Jun 27 15:25:52 2008 +0000
+++ b/pkgtools/pkg_install/files/lib/pkg_signature.c Sat Jul 05 17:26:39 2008 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: pkg_signature.c,v 1.1.2.2 2008/05/19 10:42:41 joerg Exp $ */
+/* $NetBSD: pkg_signature.c,v 1.1.2.3 2008/07/05 17:26:40 joerg Exp $ */
#if HAVE_CONFIG_H
#include "config.h"
@@ -7,7 +7,7 @@
#if HAVE_SYS_CDEFS_H
#include <sys/cdefs.h>
#endif
-__RCSID("$NetBSD: pkg_signature.c,v 1.1.2.2 2008/05/19 10:42:41 joerg Exp $");
+__RCSID("$NetBSD: pkg_signature.c,v 1.1.2.3 2008/07/05 17:26:40 joerg Exp $");
/*-
* Copyright (c) 2008 Joerg Sonnenberger <joerg%NetBSD.org@localhost>.
@@ -356,7 +356,7 @@
goto no_valid_signature;
if (easy_pkcs7_verify(hash_file, hash_len, signature_file,
- signature_len, certs_packages)) {
+ signature_len, certs_packages, 1)) {
free(signature_file);
free_signature_int(state);
goto no_valid_signature;
diff -r d2cbbacd0d8a -r 17fba4beee7c pkgtools/pkg_install/files/lib/version.h
--- a/pkgtools/pkg_install/files/lib/version.h Fri Jun 27 15:25:52 2008 +0000
+++ b/pkgtools/pkg_install/files/lib/version.h Sat Jul 05 17:26:39 2008 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: version.h,v 1.102.2.7 2008/06/27 15:25:52 joerg Exp $ */
+/* $NetBSD: version.h,v 1.102.2.8 2008/07/05 17:26:40 joerg Exp $ */
/*
* Copyright (c) 2001 Thomas Klausner. All rights reserved.
@@ -27,6 +27,6 @@
#ifndef _INST_LIB_VERSION_H_
#define _INST_LIB_VERSION_H_
-#define PKGTOOLS_VERSION "20080627"
+#define PKGTOOLS_VERSION "20080705"
#endif /* _INST_LIB_VERSION_H_ */
diff -r d2cbbacd0d8a -r 17fba4beee7c pkgtools/pkg_install/files/lib/vulnerabilities-file.c
--- a/pkgtools/pkg_install/files/lib/vulnerabilities-file.c Fri Jun 27 15:25:52 2008 +0000
+++ b/pkgtools/pkg_install/files/lib/vulnerabilities-file.c Sat Jul 05 17:26:39 2008 +0000
@@ -36,7 +36,7 @@
#if HAVE_SYS_CDEFS_H
#include <sys/cdefs.h>
#endif
-__RCSID("$NetBSD: vulnerabilities-file.c,v 1.3.4.4 2008/05/12 12:46:06 joerg Exp $");
+__RCSID("$NetBSD: vulnerabilities-file.c,v 1.3.4.5 2008/07/05 17:26:40 joerg Exp $");
#if HAVE_SYS_STAT_H
#include <sys/stat.h>
@@ -126,7 +126,7 @@
end_sig += strlen(pkcs7_end);
if (easy_pkcs7_verify(begin_pkgvul, end_pkgvul - begin_pkgvul,
- begin_sig, end_sig - begin_sig, certs_pkg_vulnerabilities))
+ begin_sig, end_sig - begin_sig, certs_pkg_vulnerabilities, 0))
errx(EXIT_FAILURE, "Unable to verify PKCS7 signature");
#else
errx(EXIT_FAILURE, "OpenSSL support is not compiled in");