modsign: Make sign-file determine the format of the X.509 cert

Make sign-file determine the format of the X.509 certificate by reading the first two bytes and seeing if the first byte is 0x30 and the second 0x81-0x84. If this is the case, assume it's DER encoded, otherwise assume it to be PEM encoded. Without this, it gets awkward to deal with the error messages from d2i_X509_bio() when we want to call BIO_reset() and then PEM_read_bio() in case the certificate was PEM encoded rather than X.509 encoded. Reported-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Ben Hutchings <ben@decadent.org.uk> cc: David Woodhouse <dwmw2@infradead.org> cc: Juerg Haefliger <juerg.haefliger@hpe.com> cc: Ben Hutchings <ben@decadent.org.uk>
author: David Howells <dhowells@redhat.com> 2016-06-14 08:18:33 -0400
committer: David Howells <dhowells@redhat.com> 2016-06-14 08:18:33 -0400
commit: 9552c7aebb8c36912612fddad5b55267c671a303 (patch)
tree: 69b853c2003b114914a0db05137bd8cbeeeac7f1 /scripts/sign-file.c
parent: 965475acca2cbcc1d748a8b6a05f8c7cf57d075a (diff)
1 files changed, 26 insertions, 8 deletions
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index d912d5a56a5e..53af6dc3e6c1 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -1,6 +1,6 @@
 /* Sign a module file using the given key.
 *
- * Copyright © 2014-2015 Red Hat, Inc. All Rights Reserved.
+ * Copyright © 2014-2016 Red Hat, Inc. All Rights Reserved.
 * Copyright © 2015      Intel Corporation.
 * Copyright © 2016      Hewlett Packard Enterprise Development LP
 *
@@ -167,19 +167,37 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
 static X509 *read_x509(const char *x509_name)
 {
+        unsigned char buf[2];
        X509 *x509;
        BIO *b;
+        int n;
        b = BIO_new_file(x509_name, "rb");
        ERR(!b, "%s", x509_name);
-        x509 = d2i_X509_bio(b, NULL); /* Binary encoded X.509 */
-        if (!x509) {
+        /* Look at the first two bytes of the file to determine the encoding */
-                ERR(BIO_reset(b) != 1, "%s", x509_name);
+        n = BIO_read(b, buf, 2);
-                x509 = PEM_read_bio_X509(b, NULL, NULL,
+        if (n != 2) {
-                                         NULL); /* PEM encoded X.509 */
+                if (BIO_should_retry(b)) {
-                if (x509)
+                        fprintf(stderr, "%s: Read wanted retry\n", x509_name);
-                        drain_openssl_errors();
+                        exit(1);
+                }
+                if (n >= 0) {
+                        fprintf(stderr, "%s: Short read\n", x509_name);
+                        exit(1);
+                }
+                ERR(1, "%s", x509_name);
        }
+        ERR(BIO_reset(b) != 0, "%s", x509_name);
+        if (buf[0] == 0x30 && buf[1] >= 0x81 && buf[1] <= 0x84)
+                /* Assume raw DER encoded X.509 */
+                x509 = d2i_X509_bio(b, NULL);
+        else
+                /* Assume PEM encoded X.509 */
+                x509 = PEM_read_bio_X509(b, NULL, NULL, NULL);
        BIO_free(b);
        ERR(!x509, "%s", x509_name);
author	David Howells <dhowells@redhat.com>	2016-06-14 08:18:33 -0400
committer	David Howells <dhowells@redhat.com>	2016-06-14 08:18:33 -0400
commit	9552c7aebb8c36912612fddad5b55267c671a303 (patch)
tree	69b853c2003b114914a0db05137bd8cbeeeac7f1 /scripts/sign-file.c
parent	965475acca2cbcc1d748a8b6a05f8c7cf57d075a (diff)

diff --git a/scripts/sign-file.c b/scripts/sign-file.c index d912d5a56a5e..53af6dc3e6c1 100755 --- a/scripts/sign-file.c +++ b/scripts/sign-file.c
@@ -1,6 +1,6 @@
1	/* Sign a module file using the given key.	1	/* Sign a module file using the given key.
2	*	2	*
3	* Copyright © 2014-2015 Red Hat, Inc. All Rights Reserved.	3	* Copyright © 2014-2016 Red Hat, Inc. All Rights Reserved.
4	* Copyright © 2015 Intel Corporation.	4	* Copyright © 2015 Intel Corporation.
5	* Copyright © 2016 Hewlett Packard Enterprise Development LP	5	* Copyright © 2016 Hewlett Packard Enterprise Development LP
6	*	6	*
@@ -167,19 +167,37 @@ static EVP_PKEY read_private_key(const char private_key_name)
167		167
168	static X509 read_x509(const char x509_name)	168	static X509 read_x509(const char x509_name)
169	{	169	{
		170	unsigned char buf[2];
170	X509 *x509;	171	X509 *x509;
171	BIO *b;	172	BIO *b;
		173	int n;
172		174
173	b = BIO_new_file(x509_name, "rb");	175	b = BIO_new_file(x509_name, "rb");
174	ERR(!b, "%s", x509_name);	176	ERR(!b, "%s", x509_name);
175	x509 = d2i_X509_bio(b, NULL); /* Binary encoded X.509 */	177
176	if (!x509) {	178	/* Look at the first two bytes of the file to determine the encoding */
177	ERR(BIO_reset(b) != 1, "%s", x509_name);	179	n = BIO_read(b, buf, 2);
178	x509 = PEM_read_bio_X509(b, NULL, NULL,	180	if (n != 2) {
179	NULL); /* PEM encoded X.509 */	181	if (BIO_should_retry(b)) {
180	if (x509)	182	fprintf(stderr, "%s: Read wanted retry\n", x509_name);
181	drain_openssl_errors();	183	exit(1);
		184	}
		185	if (n >= 0) {
		186	fprintf(stderr, "%s: Short read\n", x509_name);
		187	exit(1);
		188	}
		189	ERR(1, "%s", x509_name);
182	}	190	}
		191
		192	ERR(BIO_reset(b) != 0, "%s", x509_name);
		193
		194	if (buf[0] == 0x30 && buf[1] >= 0x81 && buf[1] <= 0x84)
		195	/* Assume raw DER encoded X.509 */
		196	x509 = d2i_X509_bio(b, NULL);
		197	else
		198	/* Assume PEM encoded X.509 */
		199	x509 = PEM_read_bio_X509(b, NULL, NULL, NULL);
		200
183	BIO_free(b);	201	BIO_free(b);
184	ERR(!x509, "%s", x509_name);	202	ERR(!x509, "%s", x509_name);
185		203