projects / project / ucert.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
output error message in case of revoked key
[project/ucert.git] / usign-exec.c
1 /*
2 * wrapper functions around the usign executable
3 * Copyright (C) 2018 Daniel Golle <daniel@makrotopia.org>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 3
7 * as published by the Free Software Foundation
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 */
14
15 #include <stdbool.h>
16 #include <stdio.h>
17 #include <string.h>
18 #include <unistd.h>
19 #include <sys/wait.h>
20
21 #include "usign.h"
22
23 /*
24 * check for revoker deadlink in pubkeydir
25 * return true if a revoker exists, false otherwise
26 */
27 int _usign_key_is_revoked(const char *fingerprint, const char *pubkeydir) {
28 char tml[64] = {0};
29 char rfname[256] = {0};
30
31 snprintf(rfname, sizeof(rfname)-1, "%s/%s", pubkeydir, fingerprint);
32 if (readlink(rfname, tml, sizeof(tml)) > 0 &&
33 !strcmp(tml, ".revoked.")) {
34 return true;
35 };
36
37 return false;
38 }
39
40 /*
41 * call usign -S ...
42 * return WEXITSTATUS or -1 if fork or execv fails
43 */
44 int usign_s(const char *msgfile, const char *seckeyfile, const char *sigfile, bool quiet) {
45 pid_t pid;
46 int status;
47 const char *usign_argv[16] = {0};
48 unsigned int usign_argc = 0;
49
50 usign_argv[usign_argc++] = "/usr/bin/usign";
51 usign_argv[usign_argc++] = "-S";
52 usign_argv[usign_argc++] = "-m";
53 usign_argv[usign_argc++] = msgfile;
54 usign_argv[usign_argc++] = "-s";
55 usign_argv[usign_argc++] = seckeyfile;
56 usign_argv[usign_argc++] = "-x";
57 usign_argv[usign_argc++] = sigfile;
58
59 if (quiet)
60 usign_argv[usign_argc++] = "-q";
61
62 pid = fork();
63 switch (pid) {
64 case -1:
65 return -1;
66
67 case 0:
68 if (execv(usign_argv[0], usign_argv))
69 return -1;
70
71 break;
72
73 default:
74 waitpid(pid, &status, 0);
75 return WEXITSTATUS(status);
76 }
77
78 return -1;
79 }
80
81 /*
82 * call usign -F ... and set fingerprint returned
83 * return WEXITSTATUS or -1 if fork or execv fails
84 */
85 static int usign_f(char *fingerprint, const char *pubkeyfile, const char *seckeyfile, const char *sigfile) {
86 int fds[2];
87 pid_t pid;
88 int status;
89 const char *usign_argv[16] = {0};
90 unsigned int usign_argc = 0;
91
92 if (pipe(fds))
93 return -1;
94
95 usign_argv[usign_argc++] = "/usr/bin/usign";
96 usign_argv[usign_argc++] = "-F";
97
98 if (pubkeyfile) {
99 usign_argv[usign_argc++] = "-p";
100 usign_argv[usign_argc++] = pubkeyfile;
101 }
102
103 if (seckeyfile) {
104 usign_argv[usign_argc++] = "-s";
105 usign_argv[usign_argc++] = seckeyfile;
106 }
107
108 if (sigfile) {
109 usign_argv[usign_argc++] = "-x";
110 usign_argv[usign_argc++] = sigfile;
111 }
112
113 pid = fork();
114 switch (pid) {
115 case -1:
116 return -1;
117
118 case 0:
119 dup2(fds[1], 1);
120
121 close(0);
122 close(2);
123 close(fds[0]);
124 close(fds[1]);
125
126 if (execv(usign_argv[0], usign_argv))
127 return -1;
128
129 break;
130
131 default:
132 waitpid(pid, &status, 0);
133 if (fingerprint && !WEXITSTATUS(status)) {
134 memset(fingerprint, 0, 16);
135 read(fds[0], fingerprint, 16);
136 fingerprint[16] = '\0';
137 }
138 close(fds[0]);
139 close(fds[1]);
140 return WEXITSTATUS(status);
141 }
142
143 return -1;
144 }
145
146 /*
147 * call usign -F -p ...
148 */
149 int usign_f_pubkey(char *fingerprint, const char *pubkeyfile) {
150 return usign_f(fingerprint, pubkeyfile, NULL, NULL);
151 }
152
153 /*
154 * call usign -F -s ...
155 */
156 int usign_f_seckey(char *fingerprint, const char *seckeyfile) {
157 return usign_f(fingerprint, NULL, seckeyfile, NULL);
158 }
159
160 /*
161 * call usign -F -x ...
162 */
163 int usign_f_sig(char *fingerprint, const char *sigfile) {
164 return usign_f(fingerprint, NULL, NULL, sigfile);
165 }
166
167
168 /*
169 * call usign -V ...
170 * return WEXITSTATUS or -1 if fork or execv fails
171 */
172 int usign_v(const char *msgfile, const char *pubkeyfile,
173 const char *pubkeydir, const char *sigfile, bool quiet) {
174 pid_t pid;
175 int status;
176 const char *usign_argv[16] = {0};
177 unsigned int usign_argc = 0;
178 char fingerprint[17];
179
180 if (usign_f_sig(fingerprint, sigfile)) {
181 if (!quiet)
182 fprintf(stdout, "cannot get signing key fingerprint\n");
183 return 1;
184 }
185
186 if (pubkeydir && _usign_key_is_revoked(fingerprint, pubkeydir)) {
187 if (!quiet)
188 fprintf(stdout, "key %s has been revoked!\n", fingerprint);
189 return 1;
190 }
191 usign_argv[usign_argc++] = "/usr/bin/usign";
192 usign_argv[usign_argc++] = "-V";
193 usign_argv[usign_argc++] = "-m";
194 usign_argv[usign_argc++] = msgfile;
195
196 if (quiet)
197 usign_argv[usign_argc++] = "-q";
198
199 if (pubkeyfile) {
200 usign_argv[usign_argc++] = "-p";
201 usign_argv[usign_argc++] = pubkeyfile;
202 }
203
204 if (pubkeydir) {
205 usign_argv[usign_argc++] = "-P";
206 usign_argv[usign_argc++] = pubkeydir;
207 }
208
209 if (sigfile) {
210 usign_argv[usign_argc++] = "-x";
211 usign_argv[usign_argc++] = sigfile;
212 }
213
214 pid = fork();
215 switch (pid) {
216 case -1:
217 return -1;
218
219 case 0:
220 if (execv(usign_argv[0], usign_argv))
221 return -1;
222
223 break;
224
225 default:
226 waitpid(pid, &status, 0);
227 return WEXITSTATUS(status);
228 }
229
230 return -1;
231 }
OpenWrt usign certificate wrapper