keys: Move from sbsigntools to go-uefi
Signed-off-by: Morten Linderud <morten@linderud.pw>
parent
2031e3a210
commit
7192e52fa1
2
go.mod
2
go.mod
|
@ -5,7 +5,7 @@ go 1.15
|
|||
require (
|
||||
github.com/anatol/vmtest v0.0.0-20210225191124-26540db15d49
|
||||
github.com/fatih/color v1.11.0
|
||||
github.com/foxboron/go-uefi v0.0.0-20210529141219-efd3747ccc2a
|
||||
github.com/foxboron/go-uefi v0.0.0-20210602193603-8589bbab9380
|
||||
github.com/google/uuid v1.1.1
|
||||
github.com/spf13/cobra v1.0.0
|
||||
golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
|
||||
|
|
5
go.sum
5
go.sum
|
@ -24,6 +24,10 @@ github.com/fatih/color v1.11.0 h1:l4iX0RqNnx/pU7rY2DB/I+znuYY0K3x6Ywac6EIr0PA=
|
|||
github.com/fatih/color v1.11.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
|
||||
github.com/foxboron/go-uefi v0.0.0-20210529141219-efd3747ccc2a h1:zgWbnr42UqgbdTAwLAabeqKe6ngZObnOFfTSdG0IeH8=
|
||||
github.com/foxboron/go-uefi v0.0.0-20210529141219-efd3747ccc2a/go.mod h1:XNONgjPFFVVcYAMAXvW06XCHZqdaXeCGqeS7o19LbN0=
|
||||
github.com/foxboron/go-uefi v0.0.0-20210529162927-64271cb1bb37 h1:H1mJPtjJleczgRuWvOREaF764tQCTVB5bOHAcqdKYj4=
|
||||
github.com/foxboron/go-uefi v0.0.0-20210529162927-64271cb1bb37/go.mod h1:XNONgjPFFVVcYAMAXvW06XCHZqdaXeCGqeS7o19LbN0=
|
||||
github.com/foxboron/go-uefi v0.0.0-20210602193603-8589bbab9380 h1:D8hRHRCC/jFjOg0alhvQo2unG/HU/qZFbhLvRJPo21I=
|
||||
github.com/foxboron/go-uefi v0.0.0-20210602193603-8589bbab9380/go.mod h1:bLcrn48nYQOkijhTK2iQw1MjXbBqJTG0k8RP6ww+CGQ=
|
||||
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
|
||||
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
|
||||
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
|
||||
|
@ -141,6 +145,7 @@ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4
|
|||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
|
||||
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
|
||||
|
|
51
keys.go
51
keys.go
|
@ -11,11 +11,12 @@ import (
|
|||
"fmt"
|
||||
"math/big"
|
||||
"os"
|
||||
"os/exec"
|
||||
"path/filepath"
|
||||
"time"
|
||||
|
||||
"github.com/foxboron/go-uefi/efi"
|
||||
"github.com/foxboron/go-uefi/efi/pecoff"
|
||||
"github.com/foxboron/go-uefi/efi/pkcs7"
|
||||
"github.com/foxboron/go-uefi/efi/signature"
|
||||
"github.com/foxboron/go-uefi/efi/util"
|
||||
"golang.org/x/sys/unix"
|
||||
|
@ -125,13 +126,30 @@ func VerifyFile(cert, file string) (bool, error) {
|
|||
return false, fmt.Errorf("couldn't access %s: %w", cert, err)
|
||||
}
|
||||
|
||||
cmd := exec.Command("sbverify", "--cert", cert, file)
|
||||
if err := cmd.Run(); err != nil {
|
||||
if exitError, ok := err.(*exec.ExitError); ok {
|
||||
return exitError.ExitCode() == 0, nil
|
||||
peFile, err := os.ReadFile(file)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
x509Cert := util.ReadCertFromFile(cert)
|
||||
sigs, err := pecoff.GetSignatures(peFile)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
if len(sigs) == 0 {
|
||||
return false, nil
|
||||
}
|
||||
for _, signature := range sigs {
|
||||
ok, err := pkcs7.VerifySignature(x509Cert, signature.Certificate)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
if ok {
|
||||
return true, nil
|
||||
}
|
||||
}
|
||||
return true, nil
|
||||
// If we come this far we haven't found a signature that matches the cert
|
||||
return false, nil
|
||||
}
|
||||
|
||||
var ErrAlreadySigned = errors.New("already signed file")
|
||||
|
@ -161,10 +179,29 @@ func SignFile(key, cert, file, output, checksum string) error {
|
|||
return fmt.Errorf("couldn't access %s: %w", key, err)
|
||||
}
|
||||
|
||||
_, err = exec.Command("sbsign", "--key", key, "--cert", cert, "--output", output, file).Output()
|
||||
// We want to write the file back with correct permissions
|
||||
si, err := os.Stat(file)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed signing file: %w", err)
|
||||
}
|
||||
|
||||
peFile, err := os.ReadFile(file)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
Cert := util.ReadCertFromFile(cert)
|
||||
Key := util.ReadKeyFromFile(key)
|
||||
|
||||
ctx := pecoff.PECOFFChecksum(peFile)
|
||||
|
||||
sig := pecoff.CreateSignature(ctx, Cert, Key)
|
||||
|
||||
b := pecoff.AppendToBinary(ctx, sig)
|
||||
if err = os.WriteFile(file, b, si.Mode()); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
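Review bot: In SignFile the signed image is now written back over the input, `os.WriteFile(file, b, si.Mode())`, while the `output` parameter that the removed sbsign call honoured (`--output output`) is no longer used anywhere in the hunk, so a caller passing a distinct output path silently gets its source binary overwritten; `if err = os.WriteFile(output, b, si.Mode()); err != nil {` restores the contract, and writing to a temporary file in the target directory followed by a rename would keep a partially written boot binary from replacing a good one. The `os.Stat` failure just above is reported as `failed signing file`, which misdescribes what this layer was doing; `couldn't stat %s: %w` matches the wrapping style the function already uses for key and cert. `util.ReadCertFromFile` and `util.ReadKeyFromFile` return no error here, so an unreadable or malformed key or certificate file cannot be surfaced by SignFile — worth confirming what those helpers do on failure — and the capitalised locals `Cert`/`Key` should be lowercase per Go convention. Both this hunk and VerifyFile rely on `os.ReadFile`/`os.WriteFile`, which are Go 1.16 APIs, while go.mod in this same commit still declares `go 1.15`. SignFile's body begins outside the hunk, so any use of `output` before the stat is not visible here.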
|