sign regulatory database file
authorJohannes Berg <johannes@sipsolutions.net>
Thu, 22 May 2008 15:07:20 +0000 (17:07 +0200)
committerJohannes Berg <johannes@sipsolutions.net>
Thu, 22 May 2008 15:07:20 +0000 (17:07 +0200)
Makefile
daemon/regdb.h
dbgen.py
test-key.priv.pem [new file with mode: 0644]
test-key.pub.pem [new file with mode: 0644]
verify.sh [new file with mode: 0755]

index 766bb7e..0d82adb 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-all:   regulatory.bin
+all:   regulatory.bin verify
 
 
 regulatory.bin:        regulatory.sqlite dbgen.py
@@ -13,3 +13,6 @@ regulatory.sqlite: db/*.sql
                if [ $$i = "db/00-database.sql" ] ; then continue ; fi ;\
                sed 's/AUTO_INCREMENT/AUTOINCREMENT/; s/use regulatory;//' < $$i | sqlite3 regulatory.sqlite ;\
        done
+
+verify:        regulatory.sqlite verify.sh
+       @./verify.sh
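Review bot: The `verify` target lists `regulatory.sqlite` and `verify.sh` as prerequisites, but verify.sh reads `regulatory.bin`, so `make verify` on its own or a parallel `make -j all` can run the check before the signed file exists or after it has gone stale; it should depend on the artifact it checks, `verify:        regulatory.bin verify.sh`. Since the rule never produces a file called `verify`, declare it `.PHONY: verify` so a stray file of that name cannot silently skip the check.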
index 3398bd1..18fcd52 100644 (file)
  */
 #define REGDB_VERSION  19
 
+/*
+ * We currently only support sha1-hashed files, update the
+ * version number for other hashes/multiple-hash schemes.
+ *
+ * The signature is appended to the file to allow it to be
+ * checked easily, it extends over the whole rest of the file.
+ */
+#define REGDB_SIGNATURE_SIZE   128
+
 struct regdb_file_header {
        /* must be REGDB_MAGIC */
        __be32  magic;
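Review bot: The new `REGDB_SIGNATURE_SIZE 128` fixes more than the hash: 128 bytes is the modulus size of a 1024-bit RSA key, so moving to a longer key changes the trailer size exactly as a new hash would, yet the comment only mentions hashes. Suggest extending it: ` * The signature is a raw 128-byte (1024-bit RSA) signature over the sha1 hash of everything before it; a different key length or hash needs a new REGDB_VERSION.` The phrase "extends over the whole rest of the file" reads as if the signature covers what follows it; since it is appended last, say that it covers everything in the file before it. It would also help a parser author to state that the trailer must be subtracted from the file length before any pointer in the header is interpreted.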
index d6741a4..b08b9a6 100755 (executable)
--- a/dbgen.py
+++ b/dbgen.py
@@ -3,6 +3,8 @@
 from pysqlite2 import dbapi2 as db
 from cStringIO import StringIO
 import struct
+from M2Crypto import RSA
+import sha
 
 MAGIC = 0x52474442
 VERSION = 19
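Review bot: `import sha` pulls in the module that hashlib replaced in Python 2.5 (it raises a DeprecationWarning from 2.6); `import hashlib` and `hashlib.sha1()` in place of `sha.new()` produce the same digest without the warning. M2Crypto is a new build dependency that the rest of the tree does not yet require; a one-line comment such as `# M2Crypto: RSA signing of the generated database` on the import tells anyone building from a clean machine why it is there.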
@@ -37,7 +39,6 @@ output = StringIO()
 be32(output, MAGIC)
 be32(output, VERSION)
 reg_country_ptr = PTR(output)
-
 # add number of countries
 cursor.execute('SELECT COUNT(*) FROM reg_country;')
 be32(output, cursor.fetchone()[0])
@@ -110,5 +111,12 @@ for country in cursor:
     # struct regdb_file_reg_country
     output.write(struct.pack('>ccxxI', str(alpha2[0]), str(alpha2[1]), reg_rules_collections[reg_collection_id]))
 
+key = RSA.load_key('test-key.priv.pem')
+hash = sha.new()
+hash.update(output.getvalue())
+sig = key.sign(hash.digest())
+assert len(sig) == 128
+output.write(sig)
+
 outfile = open('regulatory.bin', 'w')
 outfile.write(output.getvalue())
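Review bot: `assert len(sig) == 128` is the only guard that the trailer matches REGDB_SIGNATURE_SIZE, and `assert` is stripped under `python -O`, so an unexpected key size would produce a file with a wrong-sized trailer that still looks complete; replace it with `if len(sig) != 128: raise ValueError('unexpected signature length %d' % len(sig))`, ideally against a named `SIGNATURE_SIZE = 128` next to `VERSION`. The private key path is hard-coded to `test-key.priv.pem`, which this commit also checks into the tree, so every database this script builds is signed with a key anyone can read; take the path from an argument or environment variable so release builds can use a key kept outside the repository, and keep the committed key strictly for the `verify` target. Also `hash = sha.new()` shadows the `hash` builtin; `digest = sha.new()` (or `hashlib.sha1()`) reads more clearly.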
diff --git a/test-key.priv.pem b/test-key.priv.pem
new file mode 100644 (file)
index 0000000..171629d
--- /dev/null
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/test-key.pub.pem b/test-key.pub.pem
new file mode 100644 (file)
index 0000000..95bd948
--- /dev/null
@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDU49VKuQ8OeW+3Ti6v2tiKgKmN
+5wtgWaWxaYTXdYeNaK7uTdILRD29JCLICIT/5L8XTgoZ2KkGRyrTfgencGZ0H2Ai
+UeqUHkR+xkzPUs+Pj+ZrqE2wnX5D60zi5NR8Rjwq5SO9mSU7AOUQn3ee177QCuui
+t4NqhUUtBegW46G1zQIDAQAB
+-----END PUBLIC KEY-----
diff --git a/verify.sh b/verify.sh
new file mode 100755 (executable)
index 0000000..cdfc492
--- /dev/null
+++ b/verify.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+DBFILE=regulatory.bin
+
+flen=$(stat -c '%s' regulatory.bin)
+tmp=$(mktemp)
+tmpdata=$(mktemp)
+dd if="$DBFILE" of="$tmp" bs=1 count=128 skip=$((flen - 128)) 2>/dev/null
+dd if="$DBFILE" of="$tmpdata" bs=1 count=$((flen - 128)) 2>/dev/null
+openssl dgst -sha1 -verify test-key.pub.pem -signature "$tmp" "$tmpdata"
+rm -f "$tmp"
+rm -f "$tmpdata"
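Review bot: Under `set -e` a failed `openssl dgst -verify` (or a failed `dd`) aborts the script before the two `rm -f` lines run, leaving both temp files behind; register the cleanup once with `trap 'rm -f "$tmp" "$tmpdata"' EXIT` right after the `mktemp` calls and drop the trailing `rm` lines. `flen=$(stat -c '%s' regulatory.bin)` bypasses the `DBFILE` variable defined just above it; use `"$DBFILE"` there too. The script also assumes the file is at least 128 bytes long; a `[ "$flen" -gt 128 ] || { echo "$DBFILE too short" >&2; exit 1; }` check gives a clear error instead of a negative `skip` count passed to dd.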