____________________________________________________________________________
Server: rpm5.org Name: Jeff Johnson
Root: /v/rpm/cvs Email: jbj@rpm5.org
Module: rpm Date: 29-Dec-2007 03:49:32
Branch: HEAD Handle: 2007122902493200
Modified files:
rpm/lib genpgp.sh rpmts.c tpgp.c
Log:
- jbj: hmmm, RSA V4 pubkey keyid's differ from gpg --list-public-keys.
- jbj: functional DSA rpmtsFindPubkey implicit retrieve w pubfn == NULL
- jbj: use ts->pkpkt just like rpmtsFindPubkey() does.
- jbj: check for pubkey_algo and (DSA only) keyid match.
- jbj: generate armored RSA.pub and DSA.pub correctly.
Summary:
Revision Changes Path
2.4 +2 -2 rpm/lib/genpgp.sh
2.133 +1 -2 rpm/lib/rpmts.c
2.8 +28 -8 rpm/lib/tpgp.c
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: rpm/lib/genpgp.sh
============================================================================
$ cvs diff -u -r2.3 -r2.4 genpgp.sh
--- rpm/lib/genpgp.sh 28 Dec 2007 19:54:51 -0000 2.3
+++ rpm/lib/genpgp.sh 29 Dec 2007 02:49:32 -0000 2.4
@@ -27,7 +27,7 @@
$gpg --detach-sign -a -u DSApub --output - plaintext > DSA.sig
$gpg --clearsign -u DSApub --output - plaintext > DSA.pem
-$gpg --export -a -u DSApub > DSA.pub
+$gpg --export -a DSApub > DSA.pub
echo "static const char * DSAsig = \"DSA.sig\";"
echo "static const char * DSApem = \"DSA.pem\";"
@@ -35,7 +35,7 @@
$gpg --detach-sign -a -u RSApub --output - plaintext > RSA.sig
$gpg --clearsign -u RSApub --output - plaintext > RSA.pem
-$gpg --export -a -u RSApub > RSA.pub
+$gpg --export -a RSApub > RSA.pub
echo "static const char * RSAsig = \"RSA.sig\";"
echo "static const char * RSApem = \"RSA.pem\";"
@@ .
patch -p0 <<'@@ .'
Index: rpm/lib/rpmts.c
============================================================================
$ cvs diff -u -r2.132 -r2.133 rpmts.c
--- rpm/lib/rpmts.c 16 Dec 2007 23:24:00 -0000 2.132
+++ rpm/lib/rpmts.c 29 Dec 2007 02:49:32 -0000 2.133
@@ -666,8 +666,7 @@
/*@=type =voidabstract @*/
ts->orderAlloced = 0;
- if (ts->pkpkt != NULL)
- ts->pkpkt = _free(ts->pkpkt);
+ ts->pkpkt = _free(ts->pkpkt);
ts->pkpktlen = 0;
memset(ts->pksignid, 0, sizeof(ts->pksignid));
@@ .
patch -p0 <<'@@ .'
Index: rpm/lib/tpgp.c
============================================================================
$ cvs diff -u -r2.7 -r2.8 tpgp.c
--- rpm/lib/tpgp.c 28 Dec 2007 23:27:35 -0000 2.7
+++ rpm/lib/tpgp.c 29 Dec 2007 02:49:32 -0000 2.8
@@ -23,6 +23,7 @@
#include "genpgp.h"
+#define _RPMTS_INTERNAL /* XXX ts->pkpkt */
#include <rpmcli.h>
#include <rpmcb.h>
@@ -38,10 +39,9 @@
{
pgpDig dig = rpmtsDig(ts);
pgpDigParams sigp;
+ pgpDigParams pubp;
const unsigned char * sigpkt = NULL;
size_t sigpktlen = 0;
- const unsigned char * pubpkt = NULL;
- size_t pubpktlen = 0;
DIGEST_CTX ctx = NULL;
int printing = 0;
int rc = 0;
@@ -61,6 +61,7 @@
}
_sigfn = _free(_sigfn);
} else {
+ /* XXX FIXME: read clearsign'd file with appended signature.
}
xx = pgpPrtPkts((uint8_t *)sigpkt, sigpktlen, dig, printing);
if (xx) {
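Review bot: The comment added as `/* XXX FIXME: read clearsign'd file with appended signature.` is never closed, so unless the mail wrapped the line, the `}` that follows and the pgpPrtPkts call are swallowed until the next `*/` and the else block no longer balances. Close it on the same line: `/* XXX FIXME: read clearsign'd file with appended signature. */`. The enclosing function starts and ends outside this hunk.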
@@ -78,26 +79,44 @@
/* Load the pubkey. Use pubfn if specified, otherwise rpmdb keyring. */
if (pubfn != NULL) {
const char * _pubfn = rpmExpand(pubfn, NULL);
- xx = pgpReadPkts(_pubfn, &pubpkt, &pubpktlen);
+ xx = pgpReadPkts(_pubfn, &ts->pkpkt, &ts->pkpktlen);
if (xx != PGPARMOR_PUBKEY) {
-fprintf(stderr, "==> pgpReadPkts(%s) PUB %p[%u] ret %d\n", _pubfn, pubpkt, pubpktlen, xx);
+fprintf(stderr, "==> pgpReadPkts(%s) PUB %p[%u] ret %d\n", _pubfn, ts->pkpkt, ts->pkpktlen, xx);
_pubfn = _free(_pubfn);
goto exit;
}
_pubfn = _free(_pubfn);
- xx = pgpPrtPkts((uint8_t *)pubpkt, pubpktlen, dig, printing);
+ xx = pgpPrtPkts((uint8_t *)ts->pkpkt, ts->pkpktlen, dig, printing);
if (xx) {
-fprintf(stderr, "==> pgpPrtPkts PUB %p[%u] ret %d\n", pubpkt, pubpktlen, xx);
+fprintf(stderr, "==> pgpPrtPkts PUB %p[%u] ret %d\n", ts->pkpkt, ts->pkpktlen, xx);
goto exit;
}
} else {
- rpmRC res = rpmtsFindPubkey(ts, dig);
+ rpmRC res = pgpFindPubkey(dig);
if (res != RPMRC_OK) {
fprintf(stderr, "==> rpmtsFindPubkey ret %d\n", res);
goto exit;
}
}
+ pubp = pgpGetPubkey(dig);
+
+ /* Do the parameters match the signature? */
+ if (!(sigp->pubkey_algo == pubp->pubkey_algo
+#ifdef NOTYET
+ && sigp->hash_algo == pubp->hash_algo
+#endif
+ /* XXX V4 RSA key id's seem to be broken. */
+ && (pubp->pubkey_algo == PGPPUBKEYALGO_RSA || !memcmp(sigp->signid, pubp->signid, sizeof(sigp->signid))) ) )
+ {
+fprintf(stderr, "==> mismatch between signature and pubkey\n");
+fprintf(stderr, "\tpubkey_algo: %u %u\n", sigp->pubkey_algo, pubp->pubkey_algo);
+fprintf(stderr, "\tsignid: %08X %08X %08X %08X\n",
+pgpGrab(sigp->signid, 4), pgpGrab(sigp->signid+4, 4),
+pgpGrab(pubp->signid, 4), pgpGrab(pubp->signid+4, 4));
+ goto exit;
+ }
+
/* Compute the message digest. */
ctx = rpmDigestInit(sigp->hash_algo, RPMDIGEST_NONE);
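Review bot: The failure message in the else branch still names the old callee, `fprintf(stderr, "==> rpmtsFindPubkey ret %d\n", res);`, while the call on the line above was changed to `pgpFindPubkey(dig)`; change it to `fprintf(stderr, "==> pgpFindPubkey ret %d\n", res);` so a failed keyring lookup is attributed to the right function. The parameter check that follows deliberately skips the signid comparison for RSA keys, so for that algorithm it only confirms that the key algorithms agree and any key mismatch is left for the signature verification itself to catch; the `XXX V4 RSA key id's seem to be broken` comment should say so, e.g. `/* XXX V4 RSA keyids are computed differently from gpg's, so the signid check is skipped for RSA and only the algorithm is matched until that is fixed. */`. `pubp` from `pgpGetPubkey(dig)` is dereferenced without a NULL check; if that accessor can return NULL for a dig with no pubkey loaded (not visible here), the comparison needs a guard before it. The enclosing function starts and ends outside this hunk.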
@@ -160,8 +179,9 @@
}
exit:
- pubpkt = _free(pubpkt);
sigpkt = _free(sigpkt);
+ ts->pkpkt = _free(ts->pkpkt);
+ ts->pkpktlen = 0;
rpmtsCleanDig(ts);
if (_debug)
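Review bot: The exit path now frees `ts->pkpkt` and zeroes `ts->pkpktlen` but leaves `ts->pksignid` untouched, whereas the rpmts.c hunk in this same commit resets all three together (`ts->pkpkt = _free(ts->pkpkt); ts->pkpktlen = 0; memset(ts->pksignid, 0, sizeof(ts->pksignid));`). If the rpmts code uses pksignid to decide that the cached packet is already loaded — as the rpmts.c side suggests but this hunk does not show — a later lookup for the same key would find a stale id next to a NULL packet. Mirroring the reset here, `memset(ts->pksignid, 0, sizeof(ts->pksignid));`, keeps the two invariants in step. The enclosing function starts outside this hunk.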
@@ .