void ERR_load_crypto_strings(void)
{
#ifndef OPENSSL_NO_ERR
ERR_load_ERR_strings(); /* include error strings for SYSerr */
ERR_load_BN_strings();
# ifndef OPENSSL_NO_RSA
ERR_load_RSA_strings();
# endif
# ifndef OPENSSL_NO_DH
ERR_load_DH_strings();
# endif
ERR_load_EVP_strings();
ERR_load_BUF_strings();
ERR_load_OBJ_strings();
ERR_load_PEM_strings();
# ifndef OPENSSL_NO_DSA
ERR_load_DSA_strings();
# endif
ERR_load_X509_strings();
ERR_load_ASN1_strings();
ERR_load_CONF_strings();
ERR_load_CRYPTO_strings();
# ifndef OPENSSL_NO_COMP
ERR_load_COMP_strings();
# endif
# ifndef OPENSSL_NO_EC
ERR_load_EC_strings();
# endif
# ifndef OPENSSL_NO_ECDSA
ERR_load_ECDSA_strings();
# endif
# ifndef OPENSSL_NO_ECDH
ERR_load_ECDH_strings();
# endif
/* skip ERR_load_SSL_strings() because it is not in this library */
ERR_load_BIO_strings();
ERR_load_PKCS7_strings();
ERR_load_X509V3_strings();
ERR_load_PKCS12_strings();
ERR_load_RAND_strings();
ERR_load_DSO_strings();
// ERR_load_TS_strings();
# ifndef OPENSSL_NO_ENGINE
ERR_load_ENGINE_strings();
# endif
ERR_load_OCSP_strings();
ERR_load_UI_strings();
# ifdef OPENSSL_FIPS
ERR_load_FIPS_strings();
# endif
/*
# ifndef OPENSSL_NO_CMS
ERR_load_CMS_strings();
# endif
*/
# ifndef OPENSSL_NO_JPAKE
ERR_load_JPAKE_strings();
# endif
#endif
}
void err_load_crypto_strings_intern(void)
{
#ifdef OPENSSL_FIPS
FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
#endif
#ifndef OPENSSL_NO_ERR
ERR_load_ERR_strings(); /* include error strings for SYSerr */
ERR_load_BN_strings();
# ifndef OPENSSL_NO_RSA
ERR_load_RSA_strings();
# endif
# ifndef OPENSSL_NO_DH
ERR_load_DH_strings();
# endif
ERR_load_EVP_strings();
ERR_load_BUF_strings();
ERR_load_OBJ_strings();
ERR_load_PEM_strings();
# ifndef OPENSSL_NO_DSA
ERR_load_DSA_strings();
# endif
ERR_load_X509_strings();
ERR_load_ASN1_strings();
ERR_load_CONF_strings();
ERR_load_CRYPTO_strings();
# ifndef OPENSSL_NO_COMP
ERR_load_COMP_strings();
# endif
# ifndef OPENSSL_NO_EC
ERR_load_EC_strings();
# endif
/* skip ERR_load_SSL_strings() because it is not in this library */
ERR_load_BIO_strings();
ERR_load_PKCS7_strings();
ERR_load_X509V3_strings();
ERR_load_PKCS12_strings();
ERR_load_RAND_strings();
ERR_load_DSO_strings();
# ifndef OPENSSL_NO_TS
ERR_load_TS_strings();
# endif
# ifndef OPENSSL_NO_ENGINE
ERR_load_ENGINE_strings();
# endif
ERR_load_OCSP_strings();
ERR_load_UI_strings();
# ifdef OPENSSL_FIPS
ERR_load_FIPS_strings();
# endif
# ifndef OPENSSL_NO_CMS
ERR_load_CMS_strings();
# endif
# ifndef OPENSSL_NO_CT
ERR_load_CT_strings();
# endif
ERR_load_ASYNC_strings();
#endif
ERR_load_KDF_strings();
}
void ERR_load_crypto_strings(void)
{
static int done=0;
if (done) return;
done=1;
#ifndef OPENSSL_NO_ERR
ERR_load_ERR_strings(); /* include error strings for SYSerr */
ERR_load_BN_strings();
#ifndef OPENSSL_NO_RSA
ERR_load_RSA_strings();
#endif
#ifndef OPENSSL_NO_DH
ERR_load_DH_strings();
#endif
ERR_load_EVP_strings();
ERR_load_BUF_strings();
ERR_load_OBJ_strings();
ERR_load_PEM_strings();
#ifndef OPENSSL_NO_DSA
ERR_load_DSA_strings();
#endif
ERR_load_X509_strings();
ERR_load_ASN1_strings();
ERR_load_CONF_strings();
ERR_load_CRYPTO_strings();
#ifndef OPENSSL_NO_EC
ERR_load_EC_strings();
#endif
#ifndef OPENSSL_NO_ECDSA
ERR_load_ECDSA_strings();
#endif
#ifndef OPENSSL_NO_ECDH
ERR_load_ECDH_strings();
#endif
/* skip ERR_load_SSL_strings() because it is not in this library */
ERR_load_BIO_strings();
ERR_load_PKCS7_strings();
ERR_load_X509V3_strings();
ERR_load_PKCS12_strings();
ERR_load_RAND_strings();
ERR_load_DSO_strings();
#ifndef OPENSSL_NO_ENGINE
ERR_load_ENGINE_strings();
#endif
ERR_load_OCSP_strings();
ERR_load_UI_strings();
#endif
}
/* This function must be called before trying to sign any file.
* It loads string for errors, and ciphers are auto-loaded by OpenSSL now.
* If this function fails it may be because the certificate cannot
* be validated.
*
* returns: true if can initialize and validate certificates, otherwise false */
bool initialize_signature(void)
{
int ret = -1;
time_t mod_sec = 0;
struct tm *alttime;
struct stat statt;
string_or_die(&CERTNAME, "%s/%s", cert_path, SWUPDCERT);
ERR_load_crypto_strings();
ERR_load_PKCS7_strings();
EVP_add_digest(EVP_sha256());
if (!get_pubkey()) {
goto fail;
}
ret = validate_certificate();
if (ret) {
printf("Failed to verify certificate: %s\n", X509_verify_cert_error_string(ret));
if (ret == X509_V_ERR_CERT_NOT_YET_VALID) {
/* If we can retrieve an approx. good system time, report out to user */
if (stat("/usr/lib/os-release", &statt) != -1) {
mod_sec = statt.st_mtim.tv_sec;
char timebuf[30];
alttime = localtime(&mod_sec);
strftime(timebuf, sizeof(timebuf), "%F", alttime);
printf("System clock should be at least %s\n", timebuf);
}
}
goto fail;
}
/* Push our trust cert(s) to the stack, which is a set of certificates
* in which to search for the signer's cert. */
x509_stack = sk_X509_new_null();
if (!x509_stack) {
goto fail;
}
sk_X509_push(x509_stack, cert);
return true;
fail:
return false;
}
/* This function must be called before trying to sign any file.
* It loads string for errors, and ciphers are auto-loaded by OpenSSL now.
* If this function fails it may be because the certificate cannot
* be validated.
*
* returns: true if can initialize and validate certificates, otherwise false */
bool signature_init(const char *certificate_path, const char *crl)
{
int ret = -1;
X509 *cert;
if (!certificate_path) {
error("Invalid swupd certificate - Empty");
return false;
}
ERR_load_crypto_strings();
ERR_load_PKCS7_strings();
EVP_add_digest(EVP_sha256());
cert = get_cert_from_path(certificate_path);
if (!cert) {
goto fail;
}
ret = validate_certificate(cert, certificate_path, crl);
if (ret) {
if (ret == X509_V_ERR_CERT_NOT_YET_VALID) {
BIO *b;
time_t currtime = 0;
struct tm *timeinfo;
char time_str[50];
/* The system time wasn't sane, print out what it is and the cert validity range */
time(&currtime);
timeinfo = localtime(&currtime);
strftime(time_str, sizeof(time_str), "%a %b %d %H:%M:%S %Y", timeinfo);
warn("Current time is %s\n", time_str);
info("Certificate validity is:\n");
b = BIO_new_fp(stdout, BIO_NOCLOSE);
if (b == NULL) {
error("Failed to create BIO wrapping stream\n");
goto fail;
}
/* The ASN1_TIME_print function does not include a newline... */
if (!ASN1_TIME_print(b, X509_get_notBefore(cert))) {
info("\n");
error("Failed to get certificate begin date\n");
goto fail;
}
info("\n");
if (!ASN1_TIME_print(b, X509_get_notAfter(cert))) {
info("\n");
error("Failed to get certificate expiration date\n");
goto fail;
}
info("\n");
BIO_free(b);
}
goto fail;
}
/* Push our trust cert(s) to the stack, which is a set of certificates
* in which to search for the signer's cert. */
x509_stack = sk_X509_new_null();
if (!x509_stack) {
goto fail;
}
sk_X509_push(x509_stack, cert);
return true;
fail:
error("Failed to verify certificate: %s\n", X509_verify_cert_error_string(ret));
return false;
}
int err_load_crypto_strings_int(void)
{
if (
#ifndef OPENSSL_NO_ERR
ERR_load_ERR_strings() == 0 || /* include error strings for SYSerr */
ERR_load_BN_strings() == 0 ||
# ifndef OPENSSL_NO_RSA
ERR_load_RSA_strings() == 0 ||
# endif
# ifndef OPENSSL_NO_DH
ERR_load_DH_strings() == 0 ||
# endif
ERR_load_EVP_strings() == 0 ||
ERR_load_BUF_strings() == 0 ||
ERR_load_OBJ_strings() == 0 ||
ERR_load_PEM_strings() == 0 ||
# ifndef OPENSSL_NO_DSA
ERR_load_DSA_strings() == 0 ||
# endif
ERR_load_X509_strings() == 0 ||
ERR_load_ASN1_strings() == 0 ||
ERR_load_CONF_strings() == 0 ||
ERR_load_CRYPTO_strings() == 0 ||
# ifndef OPENSSL_NO_COMP
ERR_load_COMP_strings() == 0 ||
# endif
# ifndef OPENSSL_NO_EC
ERR_load_EC_strings() == 0 ||
# endif
/* skip ERR_load_SSL_strings() because it is not in this library */
ERR_load_BIO_strings() == 0 ||
ERR_load_PKCS7_strings() == 0 ||
ERR_load_X509V3_strings() == 0 ||
ERR_load_PKCS12_strings() == 0 ||
ERR_load_RAND_strings() == 0 ||
ERR_load_DSO_strings() == 0 ||
# ifndef OPENSSL_NO_TS
ERR_load_TS_strings() == 0 ||
# endif
# ifndef OPENSSL_NO_ENGINE
ERR_load_ENGINE_strings() == 0 ||
# endif
# ifndef OPENSSL_NO_OCSP
ERR_load_OCSP_strings() == 0 ||
# endif
#ifndef OPENSSL_NO_UI
ERR_load_UI_strings() == 0 ||
#endif
# ifndef OPENSSL_NO_CMS
ERR_load_CMS_strings() == 0 ||
# endif
# ifndef OPENSSL_NO_CT
ERR_load_CT_strings() == 0 ||
# endif
ERR_load_ASYNC_strings() == 0 ||
#endif
ERR_load_KDF_strings() == 0 ||
ERR_load_OSSL_STORE_strings() == 0)
return 0;
return 1;
}
int
main(int argc, char *argv[])
{
if (argc < 3) {
fprintf(stderr, "usage: verify foo.efi cert0 [... certN]\n");
exit(1);
}
OpenSSL_add_all_algorithms();
ERR_load_PKCS7_strings();
ERR_load_crypto_strings();
int binfd = open(argv[1], O_RDONLY);
if (binfd < 0)
err(1, "verify: %s", argv[1]);
struct stat sb;
fstat(binfd, &sb);
void *bin = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, binfd, 0);
size_t bin_size = sb.st_size;
PE_COFF_LOADER_IMAGE_CONTEXT context;
int rc = read_header(bin, sb.st_size, &context);
if (rc < 0) {
fprintf(stderr, "read_header(): %m\n");
exit(1);
}
UINT8 sha256hash[32];
rc = generate_hash(bin, sb.st_size, &context, sha256hash);
if (rc < 0) {
fprintf(stderr, "you can't handle a hash\n");
exit(1);
}
WIN_CERTIFICATE_EFI_PKCS *efi_pkcs = NULL;
if (context.SecDir->Size != 0) {
efi_pkcs = ImageAddress(bin, bin_size,
context.SecDir->VirtualAddress);
if (!efi_pkcs) {
fprintf(stderr, "signature is at invalid "
"offset\n");
exit(1);
}
}
int found = 0;
for (int i = 2; argv[i] != NULL; i++) {
int fd = open(argv[i], O_RDONLY);
if (fd < 0)
err(1, "verify: %s", argv[i]);
printf("adding cert from \"%s\"\n", argv[i]);
uint8_t *cert;
struct stat sb;
fstat(fd, &sb);
cert = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
size_t cert_size = sb.st_size;
rc = AuthenticodeVerify((UINT8 *)&efi_pkcs->CertData,
efi_pkcs->Hdr.dwLength - sizeof(efi_pkcs->Hdr),
cert, cert_size,
sha256hash, 32);
if (rc == 1) {
found = 1;
break;
}
char errbuf[120];
unsigned long err = ERR_get_error();
ERR_error_string(err, errbuf);
printf("%s\n", errbuf);
munmap(cert, sb.st_size);
close(fd);
}
if (!found) {
fprintf(stderr, "verify failed!\n");
exit(1);
}
printf("Image verifies correctly\n");
return 0;
}