From 81583146602bba96728fa7544c8e856b32c22ee4 Mon Sep 17 00:00:00 2001

From: Peter Jones <pjones@redhat.com>

Date: Tue, 25 Apr 2017 17:01:13 -0400

Subject: [PATCH 20/29] try to say why something fails

Signed-off-by: Peter Jones <pjones@redhat.com>

---

 src/certdb.c             |  15 ++-

 src/certdb.h             |   2 +-

 src/pesigcheck.c         | 244 ++++++++++++++++++++++++++++++++++++++++++-----

 src/pesigcheck_context.h |   1 +

 4 files changed, 233 insertions(+), 29 deletions(-)

diff --git a/src/certdb.c b/src/certdb.c

index 1078a8a..fae80af 100644

--- a/src/certdb.c

+++ b/src/certdb.c

@@ -205,7 +205,7 @@ typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,

 static db_status

 check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,

-	 void *data, ssize_t datalen)

+	 void *data, ssize_t datalen, SECItem *match)

 {

 	SECItem pkcs7sig, sig;

 	dblist *dbl = which == DB ? ctx->db : ctx->dbx;

@@ -241,8 +241,12 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,

 				found = check(ctx, &sig,

 					      &certlist->SignatureType,

 					      &pkcs7sig);

-				if (found == FOUND)

+				if (found == FOUND) {

+					if (match)

+						memcpy(match, &sig,

+						       sizeof(sig));

 					return FOUND;

+				}

 				cert = (EFI_SIGNATURE_DATA *)((uint8_t *)cert +

 				        certlist->SignatureSize);

 			}

@@ -280,7 +284,7 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,

 db_status

 check_db_hash(db_specifier which, pesigcheck_context *ctx)

 {

-	return check_db(which, ctx, check_hash, NULL, 0);

+	return check_db(which, ctx, check_hash, NULL, 0, NULL);

 }

 static void

@@ -459,7 +463,8 @@ out:

 }

 db_status

-check_db_cert(db_specifier which, pesigcheck_context *ctx, void *data, ssize_t datalen)

+check_db_cert(db_specifier which, pesigcheck_context *ctx,

+	      void *data, ssize_t datalen, SECItem *match)

 {

-	return check_db(which, ctx, check_cert, data, datalen);

+	return check_db(which, ctx, check_cert, data, datalen, match);

 }

diff --git a/src/certdb.h b/src/certdb.h

index ccf3c87..8402299 100644

--- a/src/certdb.h

+++ b/src/certdb.h

@@ -43,7 +43,7 @@ typedef struct {

 extern db_status check_db_hash(db_specifier which, pesigcheck_context *ctx);

 extern db_status check_db_cert(db_specifier which, pesigcheck_context *ctx,

-				void *data, ssize_t datalen);

+				void *data, ssize_t datalen, SECItem *match);

 extern void init_cert_db(pesigcheck_context *ctx, int use_system_dbs);

 extern int add_cert_db(pesigcheck_context *ctx, const char *filename);

diff --git a/src/pesigcheck.c b/src/pesigcheck.c

index d7be542..c8e1086 100644

--- a/src/pesigcheck.c

+++ b/src/pesigcheck.c

@@ -17,7 +17,9 @@

  * Author(s): Peter Jones <pjones@redhat.com>

  */

+#include <err.h>

 #include <fcntl.h>

+#include <stdbool.h>

 #include <stdio.h>

 #include <stdlib.h>

 #include <string.h>

@@ -88,7 +90,8 @@ check_inputs(pesigcheck_context *ctx)

 }

 static int

-cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)

+cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen,

+		    SECItem *digest_out)

 {

 	SECItem sig, *pe_digest, *content;

 	uint8_t *digest;

@@ -109,6 +112,12 @@ cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)

 	pe_digest = ctx->cms_ctx->digests[0].pe_digest;

 	content = cinfo->content.signedData->contentInfo.content.data;

 	digest = content->data + content->len - pe_digest->len;

+	if (digest_out) {

+		digest_out->data = malloc(pe_digest->len);

+		digest_out->len = pe_digest->len;

+		digest_out->type = pe_digest->type;

+		memcpy(digest_out->data, digest, pe_digest->len);

+	}

 	if (memcmp(pe_digest->data, digest, pe_digest->len) != 0)

 		goto out;

@@ -120,22 +129,149 @@ out:

 	return ret;

 }

+struct reason {

+	enum {

+		WHITELISTED = 0,

+		INVALID = 1,

+		BLACKLISTED = 2,

+		NO_WHITELIST = 3,

+	} reason;

+	enum {

+		NONE = 0,

+		DIGEST = 1,

+		SIGNATURE = 2,

+	} type;

+	union {

+		struct {

+			SECItem digest;

+		};

+		struct {

+			SECItem sig;

+			SECItem db_cert;

+		};

+	};

+};

+

+static void

+print_digest(SECItem *digest)

+{

+	char buf[digest->len * 2 + 2];

+

+	for (unsigned int i = 0; i < digest->len; i++)

+		snprintf(buf + i * 2, digest->len * 2, "%02x",

+			 digest->data[i]);

+	buf[digest->len * 2] = '\0';

+	printf("%s\n", buf);

+}

+

+static void

+print_certificate(SECItem *cert)

+{

+	printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);

+	printf("cert: %p\n", cert);

+}

+

+static void

+print_signatures(SECItem *database_cert, SECItem *signature)

+{

+	printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);

+	print_certificate(database_cert);

+	print_certificate(signature);

+}

+

+static void

+print_reason(struct reason *reason)

+{

+	switch (reason->reason) {

+	case WHITELISTED:

+		printf("Whitelist entry: ");

+		if (reason->type == DIGEST)

+			print_digest(&reason->digest);

+		else if (reason->type == SIGNATURE)

+			print_signatures(&reason->sig, &reason->db_cert);

+		else

+			errx(1, "Unknown data type %d\n", reason->type);

+		break;

+	case INVALID:

+		if (reason->type == DIGEST) {

+			printf("Invalid digest: ");

+			print_digest(&reason->digest);

+		} else if (reason->type == SIGNATURE) {

+			printf("Invalid signature: ");

+			print_signatures(&reason->sig, &reason->db_cert);

+		} else {

+			errx(1, "Unknown data type %d\n", reason->type);

+		}

+		break;

+	case BLACKLISTED:

+		if (reason->type == DIGEST) {

+			printf("Invalid digest: ");

+			print_digest(&reason->digest);

+		} else if (reason->type == SIGNATURE) {

+			printf("Invalid signature: ");

+			print_signatures(&reason->sig, &reason->db_cert);

+		} else {

+			errx(1, "Unknown data type %d\n", reason->type);

+		}

+		break;

+	case NO_WHITELIST:

+		if (reason->type == NONE)

+			printf("No matching whitelist entry.\n");

+		else

+			errx(1, "Invalid data type %d\n", reason->type);

+		break;

+	default:

+		errx(1, "Unknown reason type %d\n", reason->reason);

+		break;

+	}

+}

+

+static void

+get_digest(pesigcheck_context *ctx, SECItem *digest)

+{

+	struct cms_context *cms = ctx->cms_ctx;

+	struct digest *cms_digest = &cms->digests[cms->selected_digest];

+

+	memcpy(digest, cms_digest->pe_digest, sizeof (*digest));

+}

+

 static int

-check_signature(pesigcheck_context *ctx)

+check_signature(pesigcheck_context *ctx, int *nreasons,

+		struct reason **reasons)

 {

-	int has_valid_cert = 0;

-	int has_invalid_cert = 0;

+	bool has_valid_cert = false;

+	bool is_invalid = false;

+	struct reason *reasonps = NULL, *reason;

+	int num_reasons = 16;

+	int nreason = 0;

 	int rc = 0;

+	int ret = -1;

 	cert_iter iter;

+	reasonps = calloc(sizeof(struct reason), 512);

+	if (!reasonps)

+		err(1, "check_signature");

+

 	generate_digest(ctx->cms_ctx, ctx->inpe, 1);

-	if (check_db_hash(DBX, ctx) == FOUND)

-		return -1;

+	if (check_db_hash(DBX, ctx) == FOUND) {

+		reason = &reasonps[nreason];

+		reason->reason = BLACKLISTED;

+		reason->type = DIGEST;

+		get_digest(ctx, &reason->digest);

+		reason += 1;

+		is_invalid = true;

+	}

-	if (check_db_hash(DB, ctx) == FOUND)

-		has_valid_cert = 1;

+	if (check_db_hash(DB, ctx) == FOUND) {

+		reason = &reasonps[nreason];

+		reason->reason = WHITELISTED;

+		reason->type = DIGEST;

+		get_digest(ctx, &reason->digest);

+		nreason += 1;

+		has_valid_cert = true;

+	}

 	rc = cert_iter_init(&iter, ctx->inpe);

 	if (rc < 0)

@@ -145,32 +281,81 @@ check_signature(pesigcheck_context *ctx)

 	ssize_t datalen;

 	while (1) {

+		/*

+		 * Make sure we always have enough for this iteration of the

+		 * loop, plus one "NO_WHITELIST" entry at the end.

+		 */

+		if (nreason >= num_reasons - 4) {

+			struct reason *new_reasons;

+

+			num_reasons += 16;

+

+			new_reasons = calloc(sizeof(struct reason), num_reasons);

+			if (!new_reasons)

+				err(1, "check_signature");

+			reasonps = new_reasons;

+		}

+

 		rc = next_cert(&iter, &data, &datalen);

 		if (rc <= 0)

 			break;

-		if (cert_matches_digest(ctx, data, datalen) < 0) {

-			has_invalid_cert = 1;

-			break;

+		reason = &reasonps[nreason];

+		if (cert_matches_digest(ctx, data, datalen,

+					&reason->digest) < 0) {

+			reason->reason = INVALID;

+			reason->type = DIGEST;

+			nreason += 1;

+			is_invalid = true;

 		}

-		if (check_db_cert(DBX, ctx, data, datalen) == FOUND) {

-			has_invalid_cert = 1;

-			break;

+		reason = &reasonps[nreason];

+		if (check_db_cert(DBX, ctx, data, datalen,

+				  &reason->db_cert) == FOUND) {

+			reason->reason = INVALID;

+			reason->type = SIGNATURE;

+			reason->sig.data = data;

+			reason->sig.len = datalen;

+			reason->type = siBuffer;

+			nreason += 1;

+			is_invalid = true;

 		}

-		if (check_db_cert(DB, ctx, data, datalen) == FOUND)

-			has_valid_cert = 1;

+		reason = &reasonps[nreason];

+		if (check_db_cert(DB, ctx, data, datalen,

+				  &reason->db_cert) == FOUND) {

+			reason->reason = WHITELISTED;

+			reason->type = SIGNATURE;

+			reason->sig.data = data;

+			reason->sig.len = datalen;

+			reason->type = siBuffer;

+			nreason += 1;

+			has_valid_cert = true;

+		}

 	}

 err:

-	if (has_invalid_cert)

-		return -1;

+	if (has_valid_cert != true) {

+		if (is_invalid != true) {

+			reason = &reasonps[nreason];

+			reason->reason = NO_WHITELIST;

+			reason->type = NONE;

+			nreason += 1;

+		}

+		is_invalid = true;

+	}

-	if (has_valid_cert)

-		return 0;

+	if (is_invalid == false)

+		ret = 0;

-	return -1;

+	if (nreasons && reasons) {

+		*nreasons = nreason;

+		*reasons = reasonps;

+	} else {

+		free(reasonps);

+	}

+

+	return ret;

 }

 void

@@ -204,6 +389,9 @@ main(int argc, char *argv[])

 	pesigcheck_context ctx, *ctxp = &ctx;

+	struct reason *reasons = NULL;

+	int nreasons = 0;

+

 	char *dbfile = NULL;

 	char *dbxfile = NULL;

 	char *certfile = NULL;

@@ -242,6 +430,12 @@ main(int argc, char *argv[])

 		 .arg = &ctx.quiet,

 		 .val = 1,

 		 .descrip = "return only; no text output." },

+		{.longName = "verbose",

+		 .shortName = 'v',

+		 .argInfo = POPT_BIT_SET,

+		 .arg = &ctx.verbose,

+		 .val = 1,

+		 .descrip = "print reasons for success and failure." },

 		{.longName = "no-system-db",

 		 .shortName = 'n',

 		 .argInfo = POPT_ARG_INT,

@@ -308,12 +502,16 @@ main(int argc, char *argv[])

 		exit(1);

 	}

-	rc = check_signature(ctxp);

+	rc = check_signature(ctxp, &nreasons, &reasons);

-	close_input(ctxp);

+	if (!ctx.quiet && ctx.verbose) {

+		for (int i = 0; i < nreasons; i++)

+			print_reason(&reasons[i]);

+	}

 	if (!ctx.quiet)

 		printf("pesigcheck: \"%s\" is %s.\n", ctx.infile,

 			rc >= 0 ? "valid" : "invalid");

+	close_input(ctxp);

 	pesigcheck_context_fini(&ctx;;

 	NSS_Shutdown();

diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h

index 7b5cc89..aec415e 100644

--- a/src/pesigcheck_context.h

+++ b/src/pesigcheck_context.h

@@ -61,6 +61,7 @@ typedef struct pesigcheck_context {

 	Pe *inpe;

 	int quiet;

+	int verbose;

 	hashlist *hashes;

-- 

2.13.4