#include "img-verifier.h"
+static struct signed_file signed_file;
+static X509 *signed_file_cert;
+static X509_STORE *ca_store;
+static X509_STORE_CTX *ca_store_ctx;
+static EVP_MD_CTX *evp_md_ctx;
+
static int check_argument(int argc, char *argv[])
{
_D("The number of argument : %d", argc);
return SUCCEED;
}
-static struct signed_file signed_file;
-
static bool check_signed_file(const char *path)
{
const int metadata_size = sizeof(signed_file.delta_size) + sizeof(signed_file.signature_size) + sizeof(signed_file.certificate_size) + MAGIC_NUMBER_SIZE;
return -EIO;
}
-static X509_STORE *x509_store;
-
static int read_root_ca(void)
{
int ret;
dirp = opendir(IMG_VERIFIER_ROOT_CA_DIR);
ASSERT_RETV(dirp, -errno, "Failed to open %s : %m", IMG_VERIFIER_ROOT_CA_DIR);
- x509_store = X509_STORE_new();
- ASSERT_RETV(x509_store, -ENOMEM, "X509_STORE_new failed");
+ ca_store = X509_STORE_new();
+ ASSERT_RETV(ca_store, -ENOMEM, "X509_STORE_new failed");
_D("Root CA directory : %s", IMG_VERIFIER_ROOT_CA_DIR);
while ((dirent = readdir(dirp))) {
snprintf(root_ca_path, sizeof(root_ca_path), "%s/%s",
IMG_VERIFIER_ROOT_CA_DIR, dirent->d_name);
_D("Find root CA : %s", dirent->d_name);
- ret = X509_STORE_load_locations(x509_store, root_ca_path, NULL);
+ ret = X509_STORE_load_locations(ca_store, root_ca_path, NULL);
ASSERT_RETV(ret == 1, print_openssl_error(),
"X509_STORE_load_locations for %s failed", root_ca_path);
++num_root_ca;
return SUCCEED;
}
-static X509 *x509;
-static X509_STORE_CTX *x509_store_ctx;
-
static int verify_certificate(void)
{
int ret = -1;
pcert = signed_file.certificate;
ASSERT_RETV(pcert, EINVAL, "Invalid certificate");
- x509 = d2i_X509(NULL, (const unsigned char **)&pcert, signed_file.certificate_size);
- ASSERT_RETV(x509, print_openssl_error(), "d2i_X509 failed");
+ signed_file_cert = d2i_X509(NULL, (const unsigned char **)&pcert, signed_file.certificate_size);
+ ASSERT_RETV(signed_file_cert, print_openssl_error(), "d2i_X509 failed");
// Reject the certificate same with CA
- ca_object_list = X509_STORE_get0_objects(x509_store);
+ ca_object_list = X509_STORE_get0_objects(ca_store);
_D("The number of CA : %d", sk_X509_num(ca_object_list));
for (int idx = 0; idx < sk_X509_num(ca_object_list); idx++) {
ca_object = sk_X509_OBJECT_value(ca_object_list, idx);
ca = X509_OBJECT_get0_X509(ca_object);
- ASSERT_RETV(X509_cmp(x509, ca) != 0, EPERM, "Signing with CA is prohibited");
+ ASSERT_RETV(X509_cmp(signed_file_cert, ca) != 0, EPERM, "Signing with CA is prohibited");
}
// Check whether image has CA's child certificate
- x509_store_ctx = X509_STORE_CTX_new();
- ASSERT_RETV(x509_store_ctx, ENOMEM, "X509_STORE_CTX_new failed");
+ ca_store_ctx = X509_STORE_CTX_new();
+ ASSERT_RETV(ca_store_ctx, ENOMEM, "X509_STORE_CTX_new failed");
- ret = X509_STORE_CTX_init(x509_store_ctx, x509_store, x509, NULL);
+ ret = X509_STORE_CTX_init(ca_store_ctx, ca_store, signed_file_cert, NULL);
ASSERT_RETV(ret == 1, print_openssl_error(), "X509_STORE_CTX_init failed");
- X509_VERIFY_PARAM *x509_verify_param = X509_STORE_CTX_get0_param(x509_store_ctx);
+ X509_VERIFY_PARAM *x509_verify_param = X509_STORE_CTX_get0_param(ca_store_ctx);
ASSERT_RETV(x509_verify_param, print_openssl_error(), "X509_STORE_CTX_get0_param failed");
/**
ret = X509_VERIFY_PARAM_set_flags(x509_verify_param, X509_V_FLAG_NO_CHECK_TIME);
ASSERT_RETV(ret == 1, print_openssl_error(), "X509_VERIFY_PARAM_set_flags failed");
- ret = X509_verify_cert(x509_store_ctx);
+ ret = X509_verify_cert(ca_store_ctx);
if (ret != 1) {
- _E("X509_verify_cert failed : %s", X509_verify_cert_error_string((long)X509_STORE_CTX_get_error(x509_store_ctx)));
+ _E("X509_verify_cert failed : %s", X509_verify_cert_error_string((long)X509_STORE_CTX_get_error(ca_store_ctx)));
return EPERM;
}
return SUCCEED;
}
-static EVP_PKEY *public_key;
-static EVP_MD_CTX *evp_md_ctx;
-
static int verify_delta(void)
{
int ret = -1;
+ static EVP_PKEY *signed_file_public_key = NULL;
_I("Verify delta...");
- ASSERT_RETV(x509, EINVAL, "Invalid X509 certificate");
+ ASSERT_RETV(signed_file_cert, EINVAL, "Invalid X509 certificate");
- public_key = X509_get0_pubkey(x509);
- ASSERT_RETV(public_key, print_openssl_error(), "X509_get_pubkey_failed");
+ signed_file_public_key = X509_get0_pubkey(signed_file_cert);
+ ASSERT_RETV(signed_file_public_key, print_openssl_error(), "X509_get_pubkey_failed");
evp_md_ctx = EVP_MD_CTX_new();
ASSERT_RETV(evp_md_ctx, ENOMEM, "EVP_MD_CTX_new failed");
- ret = EVP_DigestVerifyInit(evp_md_ctx, NULL, EVP_sha256(), NULL, public_key);
+ ret = EVP_DigestVerifyInit(evp_md_ctx, NULL, EVP_sha256(), NULL, signed_file_public_key);
ASSERT_RETV(ret == 1, print_openssl_error(), "EVP_DigestVerifyInit failed");
// Hash delta
if (signed_file.certificate)
free(signed_file.certificate);
- if (x509)
- X509_free(x509);
+ if (signed_file_cert)
+ X509_free(signed_file_cert);
- if (x509_store)
- X509_STORE_free(x509_store);
+ if (ca_store)
+ X509_STORE_free(ca_store);
- if (x509_store_ctx)
- X509_STORE_CTX_free(x509_store_ctx);
+ if (ca_store_ctx)
+ X509_STORE_CTX_free(ca_store_ctx);
if (evp_md_ctx)
EVP_MD_CTX_free(evp_md_ctx);
projects / platform / core / system / tota-ua.git / commitdiff