int flash_validate_certificate(int signed_fd, int *data_fd) {
int ret = 0;
const char *cert_path;
X509_STORE *store = NULL;
CMS_ContentInfo *content_info;
BIO *content;
cert_path = fastboot_getvar("certificate-path");
if (!strcmp(cert_path, "")) {
D(ERR, "could not find cert-key value in config file");
goto finish;
}
store = cert_store_from_path(cert_path);
if (store == NULL) {
D(ERR, "unable to create certification store");
goto finish;
}
if (cert_read(signed_fd, &content_info, &content)) {
D(ERR, "reading data failed");
goto finish;
}
ret = cert_verify(content, content_info, store, data_fd);
cert_release(content, content_info);
return ret;
finish:
if (store != NULL)
cert_release_store(store);
return ret;
}
int
main (int argc, char **argv)
{
int arg_idx = 0;
char *privcert_file = NULL;
char *pubcert_file = NULL;
char *priv_file = NULL;
char *pub_file = NULL;
char *priv_id = NULL;
char *pub_id = NULL;
char *label = DEFAULT_LABEL;
dckey *priv = NULL;
dckey *pub = NULL;
cert *priv_cert = NULL;
cert *pub_cert = NULL;
printf("argc count is: %d\n", argc);
if((argc < 7) || (argc > 8))
{
printf("Invalid number of arguments!!!\n");
usage (argv[0], argc);
}
printf("argc value is: %d\n", argc);
ri ();
priv_file = argv[++arg_idx];
privcert_file = argv[++arg_idx];
priv_id = argv[++arg_idx];
pub_file = argv[++arg_idx];
pubcert_file = argv[++arg_idx];
pub_id = argv[++arg_idx];
if (argc - 2 == arg_idx) {
/* there was a label */
label = argv[++arg_idx];
}
pub_cert = pki_check(pubcert_file, pub_file, pub_id);
/* check above won't return if something was wrong */
pub = pub_cert->public_key;
if (!cert_verify (priv_cert = cert_read (privcert_file))) {
printf ("%s: trouble reading certificate from %s, "
"or certificate expired\n", getprogname (), privcert_file);
perror (getprogname ());
exit (-1);
} else if (!dcareequiv(pub_cert->issuer,priv_cert->issuer)) {
printf ("%s: certificates issued by different CAs.\n",
getprogname ());
printf ("\tOwn (%s's) certificate in %s\n", priv_id, privcert_file);
printf ("\tOther (%s's) certificate in %s\n", pub_id, pubcert_file);
} else {
priv = priv_from_file (priv_file);
nidh (priv, pub, priv_id, pub_id, label);
}
return 0;
}
/* Verifies the validity of a certificate */
void
pki_check(char *cert_file, char *pk_file, char *id)
{
cert *c = cert_read (cert_file);
dckey *pk = pk_from_file (pk_file);
if (!c) {
printf ("Error reading the certificate from %s\n", cert_file);
exit (1);
}
if (!pk) {
printf ("Error reading the public key from %s\n", pk_file);
exit (1);
}
if (!cert_verify (c)) {
printf ("Certificate invalid or expired\n");
exit (1);
}
if (!dcareequiv (c->public_key, pk)) {
printf ("The certificate in %s does not refer to the public key in %s\n",
cert_file, pk_file);
exit (1);
}
if (strcmp (c->identity, id) != 0) {
printf ("The certificate in %s does not refer to identity %s\n",
cert_file, id);
exit (1);
}
/* everything checked out */
printf ("Valid certificate\n");
exit (0);
}
int
main (int argc, char **argv)
{
int fdca, fdpk;
dckey *ca = NULL, *pk = NULL;
char *id = NULL;
char *cert_file = NULL, *pk_file = NULL;
int duration = -1;
ri ();
if (argc < 2)
usage (argv[0]);
else if (argc == 2) {
if (strcmp (argv[1], "init") != 0)
usage (argv[0]);
else {
setprogname (argv[0]);
pki_init ();
}
}
else if (argc == 5) {
if (strcmp (argv[1], "check") != 0)
usage (argv[0]);
else {
setprogname (argv[0]);
pki_check (argv[2], argv[3], argv[4]);
}
}
else if (strcmp (argv[1], "cert") != 0) {
usage (argv[0]);
}
else {
/* cert commnad */
setprogname (argv[0]);
/* first, let's take care of the options, if any */
parse_options (&pk, &cert_file, &duration, argc, argv);
/* the last two args are ID and PK-FILE */
pk_file = argv[argc - 2];
id = argv[argc - 1];
/* set up default values for parameters not affected by the options */
if (!cert_file) {
/* default cert_file is ID.cert */
if (cat_str (&cert_file, id)
|| cat_str (&cert_file, ".cert")) {
xfree (cert_file);
exit (1);
}
}
if (duration == -1)
/* default duration is 30 days */
duration = 30;
/* take care of the public key that we are certifying */
/* if the -g option was used, we have to write the pk to pk_file */
if (pk)
write_pkfile (pk_file, pk);
/* otherwise, import pk from pk_file */
else {
if ((fdpk = open (pk_file, O_RDONLY)) == -1) {
if (errno == ENOENT) {
usage (argv[0]);
}
else {
perror (argv[0]);
exit (1);
}
}
else if (!(pk = import_pub_from_file (fdpk))) {
fprintf (stderr, "%s: no public key found in %s\n", argv[0], pk_file);
close (fdpk);
exit (1);
}
close (fdpk);
fdpk = -1;
}
/* now read the ca private key from ./.pki/ca.priv */
if ((fdca = open ("./.pki/ca.priv", O_RDONLY)) == -1) {
if (errno == ENOENT) {
usage (argv[0]);
}
else {
perror (argv[0]);
exit (1);
}
}
else {
if (!(ca = import_priv_from_file (fdca))) {
fprintf (stderr, "%s: no private key found in %s\n",
argv[0], "./.pki/ca.priv");
close (fdca);
exit (1);
}
close (fdca);
fdca = -1;
/* prepare a cert, sign it and write it to cert_file */
switch (cert_sign_n_write (ca, id, pk, duration, cert_file)) {
case 0:
/* no error */
/* the ca signing key is not needed anymore: wipe it out */
dcfree (ca);
ca = NULL;
break;
case -1:
/* trouble with the write system call */
check_n_free (&cert_file);
dcfree (ca);
exit (1);
case -2:
/* trouble preparing/signinig the certificate */
check_n_free (&cert_file);
dcfree (ca);
exit (1);
default:
check_n_free (&cert_file);
dcfree (ca);
exit (1);
}
assert (cert_verify (cert_read (cert_file)));
dcfree (pk);
pk = NULL;
}
}
check_n_free (&cert_file);
return 0;
}
int
main (int argc, char **argv)
{
const char *ke_msg1 = NULL;
char *ke_msg2 = NULL;
char *ca_file = NULL;
char *sk_file = NULL;
char *cert_file = NULL;
char *resp_id = NULL;
int out_fd;
flow1 *to_b = NULL;
flow2 *from_b = NULL;
cert *own_cert = NULL;
dckey *sk = NULL;
dckey *ca_pk = NULL;
u_char seskey[sha1_hashsize], secret[aes_blocklen];
char *pretty_secret = NULL;
if ((argc == 5) && argv[1][0] != '-') {
/* no -p option */
ca_file = "./.pki/ca.pub";
}
else if ((argc == 6)
&& (argv[1][0] != '-')
&& (argv[1] + 1) && (argv[1][1] != 'p')
&& (argv[1] + 2)) {
/* -p option present, followed by CERT-FILE without separating blank */
ca_file = argv[1] + 2;
}
else if ((argc == 7) && !strcmp (argv[1], "-p")) {
/* -p option present, followed by blank and CERT-FILE */
ca_file = argv[2];
}
else {
usage (argv[0]);
/* does not return */
}
setprogname (argv[0]);
ri ();
sk_file = argv[argc - 4];
cert_file = argv[argc - 3];
resp_id = argv[argc - 2];
out_fd = atoi (argv[argc - 1]);
if (!cert_verify (own_cert = cert_read (cert_file))) {
fprintf (stderr, "%s: trouble reading certificate from %s, or certificate expired\n",
getprogname (), cert_file);
perror (getprogname ());
exit (1);
}
else {
to_b = prepare_ke_msg (own_cert, xstrdup (resp_id));
sk = sk_from_file (sk_file);
ke_msg1 = export_ke_msg (to_b, sk);
dcfree (sk);
sk = NULL;
write_chunk (1, ke_msg1, strlen (ke_msg1));
check_n_free ((char **) &ke_msg1);
ca_pk = pk_from_file (ca_file);
if (!(ke_msg2 = read_line (0))
|| !(from_b = process_ke_reply (to_b, ke_msg2, ca_pk))) {
fprintf (stderr, "error reading/parsing bob's message:\n%s", ke_msg2);
dcfree (ca_pk);
ca_pk = NULL;
check_n_free(&ke_msg2);
exit (1);
}
dcfree (ca_pk);
ca_pk = NULL;
check_n_free(&ke_msg2);
/* derive_key looks at seskey to know if it the caller is alice or bob */
seskey[0] = 'a';
if (derive_key (seskey, to_b, from_b) == -1) {
fprintf (stderr, "error deriving session key for alice.\n");
flow1_clr (to_b);
flow2_clr (from_b);
exit (1);
}
else {
/* choose a random number to send */
prng_getbytes (secret, aes_blocklen);
cat_buf (&pretty_secret, secret, aes_blocklen);
/* send it to bob, encrypted under the newly established session key */
send_secret (1, secret, seskey);
/* dump the chosen secret to standard error */
if ((write_chunk (out_fd, pretty_secret, strlen (pretty_secret)) == -1)
|| (write_chunk (out_fd, "\n", 1) == -1)) {
fprintf (stderr, "error writing to the launcher.\n");
bzero (seskey, sha1_hashsize);
bzero (secret, sizeof (secret));
bzero (pretty_secret, strlen (pretty_secret));
xfree (pretty_secret);
pretty_secret = NULL;
flow1_clr (to_b);
flow2_clr (from_b);
exit (1);
}
/* wipe out sensitive data */
bzero (seskey, sha1_hashsize);
bzero (secret, sizeof (secret));
bzero (pretty_secret, strlen (pretty_secret));
xfree (pretty_secret);
pretty_secret = NULL;
flow1_clr (to_b);
flow2_clr (from_b);
}
}
/* fprintf (stderr, "alice:done.\n"); */
return 0;
}
