From a6e2786a03a31abac0131636d4e74bb4c6d3554a Mon Sep 17 00:00:00 2001 From: Oliver Kurth Date: Fri, 10 Mar 2023 12:59:57 -0800 Subject: [PATCH 1/2] update rpm keyring API calls 1/2 (AddKeyFileToKeyring()) --- client/gpgcheck.c | 93 +++++++++------------------------------------ client/prototypes.h | 7 ---- 2 files changed, 19 insertions(+), 81 deletions(-) diff --git a/client/gpgcheck.c b/client/gpgcheck.c index 094379b9..b8b3968d 100644 --- a/client/gpgcheck.c +++ b/client/gpgcheck.c @@ -103,12 +103,10 @@ AddKeyFileToKeyring( ) { uint32_t dwError = 0; - uint8_t* pPkt = NULL; - size_t nPktLen = 0; - char* pszKeyData = NULL; - int nKeyDataSize; - int nKeys = 0; - int nOffset = 0; + + int subkeysCount, i; + rpmPubkey *subkeys = NULL; + rpmPubkey key = NULL; if(IsNullOrEmptyString(pszFile) || !pKeyring) { @@ -116,84 +114,31 @@ AddKeyFileToKeyring( BAIL_ON_TDNF_ERROR(dwError); } - dwError = ReadGPGKeyFile(pszFile, &pszKeyData, &nKeyDataSize); - BAIL_ON_TDNF_ERROR(dwError); - - while (nOffset < nKeyDataSize) - { - pgpArmor nArmor = pgpParsePkts(pszKeyData + nOffset, &pPkt, &nPktLen); - if(nArmor == PGPARMOR_PUBKEY) - { - dwError = AddKeyPktToKeyring(pKeyring, pPkt, nPktLen); - BAIL_ON_TDNF_ERROR(dwError); - nKeys++; - } - nOffset += nPktLen; - } - if (nKeys == 0) { + key = rpmPubkeyRead(pszFile); + if (key == NULL) { + pr_err("reading %s failed: %s (%d)", pszFile, strerror(errno), errno); dwError = ERROR_TDNF_INVALID_PUBKEY_FILE; BAIL_ON_TDNF_ERROR(dwError); } - -cleanup: - TDNF_SAFE_FREE_MEMORY(pszKeyData); - return dwError; -error: - goto cleanup; -} - -uint32_t -AddKeyPktToKeyring( - rpmKeyring pKeyring, - uint8_t* pPkt, - size_t nPktLen - ) -{ - uint32_t dwError = 0; - pgpDig pDig = NULL; - rpmPubkey pPubkey = NULL; - - if(!pKeyring || !pPkt || nPktLen == 0) - { - dwError = ERROR_TDNF_INVALID_PARAMETER; - BAIL_ON_TDNF_ERROR(dwError); - } - - pPubkey = rpmPubkeyNew (pPkt, nPktLen); - if(!pPubkey) - { - dwError = ERROR_TDNF_CREATE_PUBKEY_FAILED; - BAIL_ON_TDNF_ERROR(dwError); + if (rpmKeyringAddKey(pKeyring, key) == 0) { + pr_info("added key %s to keyring"); } + subkeys = rpmGetSubkeys(key, &subkeysCount); + rpmPubkeyFree(key); + for (i = 0; i < subkeysCount; i++) { + rpmPubkey subkey = subkeys[i]; - pDig = rpmPubkeyDig(pPubkey); - if(!pDig) - { - dwError = ERROR_TDNF_CREATE_PUBKEY_FAILED; - BAIL_ON_TDNF_ERROR(dwError); - } - - dwError = rpmKeyringLookup(pKeyring, pDig); - if(dwError == RPMRC_OK) - { - dwError = 0;//key exists - } - else - { - dwError = rpmKeyringAddKey(pKeyring, pPubkey); - if(dwError == 1) - { - dwError = 0;//Already added. ignore + if (rpmKeyringAddKey(pKeyring, subkey) == 0) { + pr_info("added subkey %d of main key %s to keyring\n", i, pszFile); } - BAIL_ON_TDNF_ERROR(dwError); + rpmPubkeyFree(subkey); } + cleanup: + if (subkeys) + free(subkeys); return dwError; error: - if(pPubkey) - { - rpmPubkeyFree(pPubkey); - } goto cleanup; } diff --git a/client/prototypes.h b/client/prototypes.h index 2c6a2b20..42244993 100644 --- a/client/prototypes.h +++ b/client/prototypes.h @@ -49,13 +49,6 @@ AddKeyFileToKeyring( rpmKeyring pKeyring ); -uint32_t -AddKeyPktToKeyring( - rpmKeyring pKeyring, - uint8_t* pPkt, - size_t nPktLen - ); - uint32_t VerifyRpmSig( rpmKeyring pKeyring, From 65d2850f005bd75b2d752701a6f6555eed5ef33e Mon Sep 17 00:00:00 2001 From: Oliver Kurth Date: Fri, 10 Mar 2023 14:12:32 -0800 Subject: [PATCH 2/2] update rpm keyring API calls 2/2 (VerifyRpmSig) --- client/gpgcheck.c | 138 ++++++++++---------------------------------- client/includes.h | 1 + client/prototypes.h | 13 ----- 3 files changed, 30 insertions(+), 122 deletions(-) diff --git a/client/gpgcheck.c b/client/gpgcheck.c index b8b3968d..4957c881 100644 --- a/client/gpgcheck.c +++ b/client/gpgcheck.c @@ -22,28 +22,50 @@ uint32_t TDNFGPGCheck( - rpmKeyring pKeyring, + rpmts pTS, const char* pszKeyFile, const char* pszPkgFile ) { uint32_t dwError = 0; - char* pszKeyData = NULL; + rpmKeyring pKeyring = NULL; + FD_t fp = NULL; - if(!pKeyring || IsNullOrEmptyString(pszKeyFile) || !pszPkgFile) + if(!pTS || IsNullOrEmptyString(pszKeyFile) || !pszPkgFile) { dwError = ERROR_TDNF_INVALID_PARAMETER; BAIL_ON_TDNF_ERROR(dwError); } + fp = Fopen(pszPkgFile, "r.ufdio"); + if (fp == NULL) { + dwError = errno; + BAIL_ON_TDNF_SYSTEM_ERROR(dwError); + } + + pKeyring = rpmtsGetKeyring(pTS, 0); + if (pKeyring == NULL) { + pr_err("failed to get RPM keyring"); + dwError = ERROR_TDNF_INVALID_PARAMETER; + BAIL_ON_TDNF_ERROR(dwError); + } + dwError = AddKeyFileToKeyring(pszKeyFile, pKeyring); BAIL_ON_TDNF_ERROR(dwError); - dwError = VerifyRpmSig(pKeyring, pszPkgFile); - BAIL_ON_TDNF_ERROR(dwError); + if (rpmVerifySignatures( + /* unused but must be != NULL, see lib/rpmchecksig.c in rpm */ (QVA_t)1, + pTS, fp, pszPkgFile) != 0) + { + dwError = ERROR_TDNF_RPM_GPG_NO_MATCH; + BAIL_ON_TDNF_ERROR(dwError); + } cleanup: - TDNF_SAFE_FREE_MEMORY(pszKeyData); + if(fp) + { + Fclose(fp); + } return dwError; error: @@ -142,106 +164,6 @@ AddKeyFileToKeyring( goto cleanup; } -uint32_t -VerifyRpmSig( - rpmKeyring pKeyring, - const char* pszPkgFile - ) -{ - uint32_t dwError = 0; - FD_t pFD_t = NULL; - rpmts pTS = NULL; - rpmtd pTD = NULL; - Header pPkgHeader = NULL; - pgpDig pDigest = NULL; - - if(!pKeyring || IsNullOrEmptyString(pszPkgFile)) - { - dwError = ERROR_TDNF_INVALID_PARAMETER; - BAIL_ON_TDNF_ERROR(dwError); - } - - pFD_t = Fopen(pszPkgFile, "r.fdio"); - if(!pFD_t) - { - dwError = errno; - BAIL_ON_TDNF_SYSTEM_ERROR(dwError); - } - - pTS = rpmtsCreate(); - if(!pTS) - { - dwError = ERROR_TDNF_RPMTS_CREATE_FAILED; - BAIL_ON_TDNF_RPM_ERROR(dwError); - } - rpmtsSetVSFlags (pTS, _RPMVSF_NOSIGNATURES); - - pTD = rpmtdNew(); - if(!pTD) - { - dwError = ERROR_TDNF_RPMTD_CREATE_FAILED; - BAIL_ON_TDNF_RPM_ERROR(dwError); - } - - dwError = rpmReadPackageFile(pTS, pFD_t, pszPkgFile, &pPkgHeader); - BAIL_ON_TDNF_RPM_ERROR(dwError); - - if(!headerConvert(pPkgHeader, HEADERCONV_RETROFIT_V3)) - { - dwError = ERROR_TDNF_RPM_HEADER_CONVERT_FAILED; - BAIL_ON_TDNF_RPM_ERROR(dwError); - } - - if(!headerGet(pPkgHeader, RPMTAG_RSAHEADER, pTD, HEADERGET_MINMEM)) - { - dwError = ERROR_TDNF_RPM_GET_RSAHEADER_FAILED; - BAIL_ON_TDNF_ERROR(dwError); - } - - pDigest = pgpNewDig(); - if(pgpPrtPkts(pTD->data, pTD->count, pDigest, 0)) - { - dwError = ERROR_TDNF_RPM_GPG_PARSE_FAILED; - BAIL_ON_TDNF_ERROR(dwError); - } - - if(rpmKeyringLookup(pKeyring, pDigest) != RPMRC_OK) - { - dwError = ERROR_TDNF_RPM_GPG_NO_MATCH; - BAIL_ON_TDNF_ERROR(dwError); - } - -cleanup: - if(pFD_t) - { - Fclose(pFD_t); - } - if(pDigest) - { - pgpFreeDig(pDigest); - } - if(pPkgHeader) - { - headerFree(pPkgHeader); - } - if(pTD) - { - rpmtdFree(pTD); - } - if(pTS) - { - rpmtsFree(pTS); - } - return dwError; - -error: - if (pszPkgFile) - { - pr_err("Error verifying signature of: %s\n", pszPkgFile); - } - goto cleanup; -} - uint32_t TDNFImportGPGKeyFile( rpmts pTS, @@ -300,7 +222,6 @@ TDNFGPGCheckPackage( { uint32_t dwError = 0; Header rpmHeader = NULL; - rpmKeyring pKeyring = NULL; int nGPGSigCheck = 0; FD_t fp = NULL; char** ppszUrlGPGKeys = NULL; @@ -373,8 +294,7 @@ TDNFGPGCheckPackage( dwError = TDNFImportGPGKeyFile(pTS->pTS, pszLocalGPGKey); BAIL_ON_TDNF_ERROR(dwError); - pKeyring = rpmtsGetKeyring(pTS->pTS, 0); - dwError = TDNFGPGCheck(pKeyring, pszLocalGPGKey, pszFilePath); + dwError = TDNFGPGCheck(pTS->pTS, pszLocalGPGKey, pszFilePath); if (dwError == 0) { nMatched++; diff --git a/client/includes.h b/client/includes.h index 470f3ba9..8f975e87 100644 --- a/client/includes.h +++ b/client/includes.h @@ -43,6 +43,7 @@ #include #include #include +#include //libcurl #include diff --git a/client/prototypes.h b/client/prototypes.h index 42244993..abb5e349 100644 --- a/client/prototypes.h +++ b/client/prototypes.h @@ -49,19 +49,6 @@ AddKeyFileToKeyring( rpmKeyring pKeyring ); -uint32_t -VerifyRpmSig( - rpmKeyring pKeyring, - const char* pszPkgFile - ); - -uint32_t -TDNFGPGCheck( - rpmKeyring pKeyring, - const char* pszUrlKeyFile, - const char* pszPackage - ); - uint32_t TDNFImportGPGKeyFile( rpmts pTS,