summaryrefslogtreecommitdiffstats
path: root/security/nss/cmd/signtool/verify.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/cmd/signtool/verify.c')
-rw-r--r--security/nss/cmd/signtool/verify.c337
1 files changed, 337 insertions, 0 deletions
diff --git a/security/nss/cmd/signtool/verify.c b/security/nss/cmd/signtool/verify.c
new file mode 100644
index 000000000..41656a10f
--- /dev/null
+++ b/security/nss/cmd/signtool/verify.c
@@ -0,0 +1,337 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "signtool.h"
+
+static int jar_cb(int status, JAR *jar, const char *metafile,
+ char *pathname, char *errortext);
+static int verify_global(JAR *jar);
+
+/*************************************************************************
+ *
+ * V e r i f y J a r
+ */
+int
+VerifyJar(char *filename)
+{
+ FILE *fp;
+
+ int ret;
+ int status;
+ int failed = 0;
+ char *err;
+
+ JAR *jar;
+ JAR_Context *ctx;
+
+ JAR_Item *it;
+
+ jar = JAR_new();
+
+ if ((fp = fopen(filename, "r")) == NULL) {
+ perror(filename);
+ exit(ERRX);
+ } else
+ fclose(fp);
+
+ JAR_set_callback(JAR_CB_SIGNAL, jar, jar_cb);
+
+ status = JAR_pass_archive(jar, jarArchGuess, filename, "some-url");
+
+ if (status < 0 || jar->valid < 0) {
+ failed = 1;
+ PR_fprintf(outputFD,
+ "\nNOTE -- \"%s\" archive DID NOT PASS crypto verification.\n",
+ filename);
+ if (status < 0) {
+ const char *errtext;
+
+ if (status >= JAR_BASE && status <= JAR_BASE_END) {
+ errtext = JAR_get_error(status);
+ } else {
+ errtext = SECU_Strerror(PORT_GetError());
+ }
+
+ PR_fprintf(outputFD, " (reported reason: %s)\n\n",
+ errtext);
+
+ /* corrupt files should not have their contents listed */
+
+ if (status == JAR_ERR_CORRUPT)
+ return -1;
+ }
+ PR_fprintf(outputFD,
+ "entries shown below will have their digests checked only.\n");
+ jar->valid = 0;
+ } else
+ PR_fprintf(outputFD,
+ "archive \"%s\" has passed crypto verification.\n", filename);
+
+ if (verify_global(jar))
+ failed = 1;
+
+ PR_fprintf(outputFD, "\n");
+ PR_fprintf(outputFD, "%16s %s\n", "status", "path");
+ PR_fprintf(outputFD, "%16s %s\n", "------------", "-------------------");
+
+ ctx = JAR_find(jar, NULL, jarTypeMF);
+
+ while (JAR_find_next(ctx, &it) >= 0) {
+ if (it && it->pathname) {
+ rm_dash_r(TMP_OUTPUT);
+ ret = JAR_verified_extract(jar, it->pathname, TMP_OUTPUT);
+ /* if (ret < 0) printf ("error %d on %s\n", ret, it->pathname); */
+ if (ret < 0)
+ failed = 1;
+
+ if (ret == JAR_ERR_PNF)
+ err = "NOT PRESENT";
+ else if (ret == JAR_ERR_HASH)
+ err = "HASH FAILED";
+ else
+ err = "NOT VERIFIED";
+
+ PR_fprintf(outputFD, "%16s %s\n",
+ ret >= 0 ? "verified" : err, it->pathname);
+
+ if (ret != 0 && ret != JAR_ERR_PNF && ret != JAR_ERR_HASH)
+ PR_fprintf(outputFD, " (reason: %s)\n",
+ JAR_get_error(ret));
+ }
+ }
+
+ JAR_find_end(ctx);
+
+ if (status < 0 || jar->valid < 0) {
+ failed = 1;
+ PR_fprintf(outputFD,
+ "\nNOTE -- \"%s\" archive DID NOT PASS crypto verification.\n",
+ filename);
+ give_help(status);
+ }
+
+ JAR_destroy(jar);
+
+ if (failed)
+ return -1;
+ return 0;
+}
+
+/***************************************************************************
+ *
+ * v e r i f y _ g l o b a l
+ */
+static int
+verify_global(JAR *jar)
+{
+ FILE *fp;
+ JAR_Context *ctx;
+ JAR_Item *it;
+ JAR_Digest *globaldig;
+ char *ext;
+ unsigned char *md5_digest, *sha1_digest;
+ unsigned int sha1_length, md5_length;
+ int retval = 0;
+ char buf[BUFSIZ];
+
+ ctx = JAR_find(jar, "*", jarTypePhy);
+
+ while (JAR_find_next(ctx, &it) >= 0) {
+ if (!PORT_Strncmp(it->pathname, "META-INF", 8)) {
+ for (ext = it->pathname; *ext; ext++)
+ ;
+ while (ext > it->pathname && *ext != '.')
+ ext--;
+
+ if (verbosity >= 0) {
+ if (!PORT_Strcasecmp(ext, ".rsa")) {
+ PR_fprintf(outputFD, "found a RSA signature file: %s\n",
+ it->pathname);
+ }
+
+ if (!PORT_Strcasecmp(ext, ".dsa")) {
+ PR_fprintf(outputFD, "found a DSA signature file: %s\n",
+ it->pathname);
+ }
+
+ if (!PORT_Strcasecmp(ext, ".mf")) {
+ PR_fprintf(outputFD,
+ "found a MF master manifest file: %s\n",
+ it->pathname);
+ }
+ }
+
+ if (!PORT_Strcasecmp(ext, ".sf")) {
+ if (verbosity >= 0) {
+ PR_fprintf(outputFD,
+ "found a SF signature manifest file: %s\n",
+ it->pathname);
+ }
+
+ rm_dash_r(TMP_OUTPUT);
+ if (JAR_extract(jar, it->pathname, TMP_OUTPUT) < 0) {
+ PR_fprintf(errorFD, "%s: error extracting %s\n",
+ PROGRAM_NAME, it->pathname);
+ errorCount++;
+ retval = -1;
+ continue;
+ }
+
+ md5_digest = NULL;
+ sha1_digest = NULL;
+
+ if ((fp = fopen(TMP_OUTPUT, "rb")) != NULL) {
+ while (fgets(buf, BUFSIZ, fp)) {
+ char *s;
+
+ if (*buf == 0 || *buf == '\n' || *buf == '\r')
+ break;
+
+ for (s = buf; *s && *s != '\n' && *s != '\r'; s++)
+ ;
+ *s = 0;
+
+ if (!PORT_Strncmp(buf, "MD5-Digest: ", 12)) {
+ md5_digest =
+ ATOB_AsciiToData(buf + 12, &md5_length);
+ }
+ if (!PORT_Strncmp(buf, "SHA1-Digest: ", 13)) {
+ sha1_digest =
+ ATOB_AsciiToData(buf + 13, &sha1_length);
+ }
+ if (!PORT_Strncmp(buf, "SHA-Digest: ", 12)) {
+ sha1_digest =
+ ATOB_AsciiToData(buf + 12, &sha1_length);
+ }
+ }
+
+ globaldig = jar->globalmeta;
+
+ if (globaldig && md5_digest && verbosity >= 0) {
+ PR_fprintf(outputFD,
+ " md5 digest on global metainfo: %s\n",
+ PORT_Memcmp(md5_digest, globaldig->md5, MD5_LENGTH)
+ ? "no match"
+ : "match");
+ }
+
+ if (globaldig && sha1_digest && verbosity >= 0) {
+ PR_fprintf(outputFD,
+ " sha digest on global metainfo: %s\n",
+ PORT_Memcmp(sha1_digest, globaldig->sha1, SHA1_LENGTH)
+ ? "no match"
+ : "match");
+ }
+
+ if (globaldig == NULL && verbosity >= 0) {
+ PR_fprintf(outputFD,
+ "global metadigest is not available, strange.\n");
+ }
+
+ PORT_Free(md5_digest);
+ PORT_Free(sha1_digest);
+ fclose(fp);
+ }
+ }
+ }
+ }
+
+ JAR_find_end(ctx);
+
+ return retval;
+}
+
+/************************************************************************
+ *
+ * J a r W h o
+ */
+int
+JarWho(char *filename)
+{
+ FILE *fp;
+
+ JAR *jar;
+ JAR_Context *ctx;
+
+ int status;
+ int retval = 0;
+
+ JAR_Item *it;
+ JAR_Cert *fing;
+
+ CERTCertificate *cert, *prev = NULL;
+
+ jar = JAR_new();
+
+ if ((fp = fopen(filename, "r")) == NULL) {
+ perror(filename);
+ exit(ERRX);
+ }
+ fclose(fp);
+
+ status = JAR_pass_archive(jar, jarArchGuess, filename, "some-url");
+
+ if (status < 0 || jar->valid < 0) {
+ PR_fprintf(outputFD,
+ "NOTE -- \"%s\" archive DID NOT PASS crypto verification.\n",
+ filename);
+ retval = -1;
+ if (jar->valid < 0 || status != -1) {
+ const char *errtext;
+
+ if (status >= JAR_BASE && status <= JAR_BASE_END) {
+ errtext = JAR_get_error(status);
+ } else {
+ errtext = SECU_Strerror(PORT_GetError());
+ }
+
+ PR_fprintf(outputFD, " (reported reason: %s)\n\n", errtext);
+ }
+ }
+
+ PR_fprintf(outputFD, "\nSigner information:\n\n");
+
+ ctx = JAR_find(jar, NULL, jarTypeSign);
+
+ while (JAR_find_next(ctx, &it) >= 0) {
+ fing = (JAR_Cert *)it->data;
+ cert = fing->cert;
+
+ if (cert) {
+ if (prev == cert)
+ break;
+
+ if (cert->nickname)
+ PR_fprintf(outputFD, "nickname: %s\n", cert->nickname);
+ if (cert->subjectName)
+ PR_fprintf(outputFD, "subject name: %s\n",
+ cert->subjectName);
+ if (cert->issuerName)
+ PR_fprintf(outputFD, "issuer name: %s\n", cert->issuerName);
+ } else {
+ PR_fprintf(outputFD, "no certificate could be found\n");
+ retval = -1;
+ }
+
+ prev = cert;
+ }
+
+ JAR_find_end(ctx);
+
+ JAR_destroy(jar);
+ return retval;
+}
+
+/************************************************************************
+ * j a r _ c b
+ */
+static int
+jar_cb(int status, JAR *jar, const char *metafile,
+ char *pathname, char *errortext)
+{
+ PR_fprintf(errorFD, "error %d: %s IN FILE %s\n", status, errortext,
+ pathname);
+ errorCount++;
+ return 0;
+}