keys: Move from sbsigntools to go-uefi

Signed-off-by: Morten Linderud <morten@linderud.pw>
Morten Linderud 2021-06-02 21:38:23 +02:00
parent 2031e3a210
commit 7192e52fa1
GPG Key ID: E742683BA08CB2FF
3 changed files with 50 additions and 8 deletions

go.mod

@ -5,7 +5,7 @@ go 1.15
require (
github.com/anatol/vmtest v0.0.0-20210225191124-26540db15d49
github.com/fatih/color v1.11.0
github.com/foxboron/go-uefi v0.0.0-20210529141219-efd3747ccc2a
github.com/foxboron/go-uefi v0.0.0-20210602193603-8589bbab9380
github.com/google/uuid v1.1.1
github.com/spf13/cobra v1.0.0
golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a

go.sum

@ -24,6 +24,10 @@ github.com/fatih/color v1.11.0 h1:l4iX0RqNnx/pU7rY2DB/I+znuYY0K3x6Ywac6EIr0PA=
github.com/fatih/color v1.11.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
github.com/foxboron/go-uefi v0.0.0-20210529141219-efd3747ccc2a h1:zgWbnr42UqgbdTAwLAabeqKe6ngZObnOFfTSdG0IeH8=
github.com/foxboron/go-uefi v0.0.0-20210529141219-efd3747ccc2a/go.mod h1:XNONgjPFFVVcYAMAXvW06XCHZqdaXeCGqeS7o19LbN0=
github.com/foxboron/go-uefi v0.0.0-20210529162927-64271cb1bb37 h1:H1mJPtjJleczgRuWvOREaF764tQCTVB5bOHAcqdKYj4=
github.com/foxboron/go-uefi v0.0.0-20210529162927-64271cb1bb37/go.mod h1:XNONgjPFFVVcYAMAXvW06XCHZqdaXeCGqeS7o19LbN0=
github.com/foxboron/go-uefi v0.0.0-20210602193603-8589bbab9380 h1:D8hRHRCC/jFjOg0alhvQo2unG/HU/qZFbhLvRJPo21I=
github.com/foxboron/go-uefi v0.0.0-20210602193603-8589bbab9380/go.mod h1:bLcrn48nYQOkijhTK2iQw1MjXbBqJTG0k8RP6ww+CGQ=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
@ -141,6 +145,7 @@ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

keys.go

@ -11,11 +11,12 @@ import (
"fmt"
"math/big"
"os"
"os/exec"
"path/filepath"
"time"
"github.com/foxboron/go-uefi/efi"
"github.com/foxboron/go-uefi/efi/pecoff"
"github.com/foxboron/go-uefi/efi/pkcs7"
"github.com/foxboron/go-uefi/efi/signature"
"github.com/foxboron/go-uefi/efi/util"
"golang.org/x/sys/unix"
@ -125,13 +126,30 @@ func VerifyFile(cert, file string) (bool, error) {
return false, fmt.Errorf("couldn't access %s: %w", cert, err)
}
cmd := exec.Command("sbverify", "--cert", cert, file)
if err := cmd.Run(); err != nil {
if exitError, ok := err.(*exec.ExitError); ok {
return exitError.ExitCode() == 0, nil
peFile, err := os.ReadFile(file)
if err != nil {
return false, err
}
x509Cert := util.ReadCertFromFile(cert)
sigs, err := pecoff.GetSignatures(peFile)
if err != nil {
return false, err
}
if len(sigs) == 0 {
return false, nil
}
for _, signature := range sigs {
ok, err := pkcs7.VerifySignature(x509Cert, signature.Certificate)
if err != nil {
return false, err
}
if ok {
return true, nil
}
}
return true, nil
// If we come this far we haven't found a signature that matches the cert
return false, nil
}
var ErrAlreadySigned = errors.New("already signed file")
@ -161,10 +179,29 @@ func SignFile(key, cert, file, output, checksum string) error {
return fmt.Errorf("couldn't access %s: %w", key, err)
}
_, err = exec.Command("sbsign", "--key", key, "--cert", cert, "--output", output, file).Output()
// We want to write the file back with correct permissions
si, err := os.Stat(file)
if err != nil {
return fmt.Errorf("failed signing file: %w", err)
}
peFile, err := os.ReadFile(file)
if err != nil {
return err
}
Cert := util.ReadCertFromFile(cert)
Key := util.ReadKeyFromFile(key)
ctx := pecoff.PECOFFChecksum(peFile)
sig := pecoff.CreateSignature(ctx, Cert, Key)
b := pecoff.AppendToBinary(ctx, sig)
if err = os.WriteFile(file, b, si.Mode()); err != nil {
return err
}
return nil
}
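Review bot: The rewritten SignFile body writes the signed image back over the input with `os.WriteFile(file, b, si.Mode())` and never reads the `output` parameter, whereas the removed sbsign call passed `"--output", output`; a caller that signs into a separate path now gets its input overwritten and nothing at the destination. Unless in-place signing is the intent, the write should target `output` — `if err = os.WriteFile(output, b, si.Mode()); err != nil {` — and if in-place is intended the comment above `os.Stat` should say so, since the `output` parameter then becomes dead. The wrap on the `os.Stat` error reads `failed signing file` although nothing has been signed yet at that point; `fmt.Errorf("couldn't stat %s: %w", file, err)` would match the `couldn't access` messages in the same function. `util.ReadCertFromFile` and `util.ReadKeyFromFile` are used here without any error result, so a missing or unparsable PEM presumably yields a nil certificate or key that reaches `pecoff.CreateSignature` (and, in VerifyFile, `pkcs7.VerifySignature`) — worth confirming the go-uefi return contract and failing early on nil, as the old sbsign/sbverify exit-code handling did. Both SignFile and VerifyFile begin outside their hunks.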