diff --git a/Makefile-libostree.am b/Makefile-libostree.am
index 701653ed1c..411fafccb2 100644
--- a/Makefile-libostree.am
+++ b/Makefile-libostree.am
@@ -261,6 +261,8 @@ libostree_1_la_SOURCES += \
src/libostree/ostree-sign-dummy.h \
src/libostree/ostree-sign-ed25519.c \
src/libostree/ostree-sign-ed25519.h \
+ src/libostree/ostree-sign-x509.c \
+ src/libostree/ostree-sign-x509.h \
src/libostree/ostree-sign-private.h \
src/libostree/ostree-blob-reader.c \
src/libostree/ostree-blob-reader.h \
diff --git a/Makefile-otcore.am b/Makefile-otcore.am
index 8252ead00e..dbb25e8d93 100644
--- a/Makefile-otcore.am
+++ b/Makefile-otcore.am
@@ -19,6 +19,7 @@ libotcore_la_SOURCES = \
src/libotcore/otcore.h \
src/libotcore/otcore-ed25519-verify.c \
src/libotcore/otcore-prepare-root.c \
+ src/libotcore/otcore-x509-verify.c \
$(NULL)
libotcore_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/libglnx -I$(srcdir)/src/libotutil -DLOCALEDIR=\"$(datadir)/locale\" $(OT_INTERNAL_GIO_UNIX_CFLAGS) $(OT_INTERNAL_GPGME_CFLAGS) $(OT_DEP_CRYPTO_LIBS) $(LIBSYSTEMD_CFLAGS)
diff --git a/Makefile-tests.am b/Makefile-tests.am
index 415637a5d1..51505f1982 100644
--- a/Makefile-tests.am
+++ b/Makefile-tests.am
@@ -156,12 +156,24 @@ _installed_or_uninstalled_test_scripts = \
tests/test-summary-collections.sh \
tests/test-pull-collections.sh \
tests/test-config.sh \
- tests/test-signed-commit.sh \
+ tests/test-signed-commit-dummy.sh \
tests/test-signed-pull.sh \
tests/test-pre-signed-pull.sh \
tests/test-signed-pull-summary.sh \
$(NULL)
+if HAVE_ED25519
+_installed_or_uninstalled_test_scripts += \
+ tests/test-signed-commit-ed25519.sh \
+ $(NULL)
+endif
+
+if HAVE_X509
+_installed_or_uninstalled_test_scripts += \
+ tests/test-signed-commit-x509.sh \
+ $(NULL)
+endif
+
if USE_GPGME
_installed_or_uninstalled_test_scripts += \
tests/test-remote-gpg-import.sh \
diff --git a/configure.ac b/configure.ac
index 538ff3456e..d29cfd059a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -452,10 +452,19 @@ if test x$with_openssl != xno; then OSTREE_FEATURES="$OSTREE_FEATURES openssl";
AM_CONDITIONAL(USE_OPENSSL, test $with_openssl != no)
dnl end openssl
-if test x$with_openssl != xno || test x$with_ed25519_libsodium != xno; then
+AM_CONDITIONAL([HAVE_ED25519], [test x$with_openssl != xno || test x$with_ed25519_libsodium != xno])
+
+AM_COND_IF([HAVE_ED25519], [
AC_DEFINE([HAVE_ED25519], 1, [Define if ed25519 is supported ])
OSTREE_FEATURES="$OSTREE_FEATURES sign-ed25519"
-fi
+])
+
+AM_CONDITIONAL([HAVE_X509], [test x$with_openssl != xno])
+
+AM_COND_IF([HAVE_X509], [
+ AC_DEFINE([HAVE_X509], 1, [Define if x509 is supported ])
+ OSTREE_FEATURES="$OSTREE_FEATURES sign-x509"
+])
dnl begin gnutls; in contrast to openssl this one only
dnl supports --with-crypto=gnutls
@@ -697,7 +706,7 @@ echo "
systemd: $with_libsystemd
libmount: $with_libmount
libsodium (ed25519 signatures): $with_ed25519_libsodium
- openssl (ed25519 signatures): $with_openssl
+ openssl (ed25519 and x509 signatures): $with_openssl
libarchive (parse tar files directly): $with_libarchive
static deltas: yes (always enabled now)
O_TMPFILE: $enable_otmpfile
diff --git a/man/ostree-commit.xml b/man/ostree-commit.xml
index 12f4fd10fa..b842c53f6d 100644
--- a/man/ostree-commit.xml
+++ b/man/ostree-commit.xml
@@ -312,7 +312,7 @@ License along with this library. If not, see .
Use particular signature engine. Currently
- available ed25519 and dummy
+ available ed25519, x509, and dummy
signature types.
The default is ed25519.
@@ -323,7 +323,8 @@ License along with this library. If not, see .
="PATH"
- This will read a key (corresponding to the provided --sign-type from the provided path. The key should be base64 encoded.
+ This will read a key (corresponding to the provided --sign-type from the provided path. The encoding of the key depends on
+ signature engine. For ed25519 the key should be base64 encoded, for x509 it should be in PEM format, and for dummy it should be an ASCII-string.
@@ -337,7 +338,7 @@ License along with this library. If not, see .
The KEY-ID is:
-
+
base64-encoded secret key for commit signing.
diff --git a/man/ostree-sign.xml b/man/ostree-sign.xml
index 508a6ca22b..c5542e0339 100644
--- a/man/ostree-sign.xml
+++ b/man/ostree-sign.xml
@@ -64,26 +64,28 @@ License along with this library. If not, see .
- There are several "well-known" system places for `ed25519` trusted and revoked public keys -- expected single base64-encoded key per line.
+ For `ed25519` and `x509`, there are several "well-known" system places for trusted and revoked public keys as listed below.
Files:
- /etc/ostree/trusted.ed25519
- /etc/ostree/revoked.ed25519
- /usr/share/ostree/trusted.ed25519
- /usr/share/ostree/revoked.ed25519
+ /etc/ostree/trusted.SIGN-TYPE
+ /etc/ostree/revoked.SIGN-TYPE
+ /usr/share/ostree/trusted.SIGN-TYPE
+ /usr/share/ostree/revoked.SIGN-TYPE
Directories containing files with keys:
- /etc/ostree/trusted.ed25519.d
- /etc/ostree/revoked.ed25519.d
- /usr/share/ostree/trusted.ed25519.d
- /usr/share/ostree/revoked.ed25519.d
+ /etc/ostree/trusted.SIGN-TYPE.d
+ /etc/ostree/revoked.SIGN-TYPE.d
+ /usr/share/ostree/trusted.SIGN-TYPE.d
+ /usr/share/ostree/revoked.SIGN-TYPE.d
+
+ The format of those files depends on the signature mechanism; for `ed25519`, keys are stored in the base64 encoding per line, while for `x509` they are stored in the PEM "PUBLIC KEY" encoding.
@@ -95,7 +97,7 @@ License along with this library. If not, see .
-
+
base64-encoded secret (for signing) or public key (for verifying).
@@ -120,7 +122,7 @@ License along with this library. If not, see .
Use particular signature mechanism. Currently
- available ed25519 and dummy
+ available ed25519, x509, and dummy
signature types.
The default is ed25519.
@@ -133,8 +135,8 @@ License along with this library. If not, see .
- Valid for ed25519 signature type.
- For ed25519 this file must contain base64-encoded
+ Valid for ed25519 and x509 signature types.
+ This file must contain base64-encoded
secret key(s) (for signing) or public key(s) (for verifying) per line.
diff --git a/rust-bindings/sys/tests/constant.c b/rust-bindings/sys/tests/constant.c
index 7b3a9d7c57..ba1d600d32 100644
--- a/rust-bindings/sys/tests/constant.c
+++ b/rust-bindings/sys/tests/constant.c
@@ -157,6 +157,7 @@ main ()
PRINT_CONSTANT (OSTREE_SHA256_DIGEST_LEN);
PRINT_CONSTANT (OSTREE_SHA256_STRING_LEN);
PRINT_CONSTANT (OSTREE_SIGN_NAME_ED25519);
+ PRINT_CONSTANT (OSTREE_SIGN_NAME_X509);
PRINT_CONSTANT ((gint)OSTREE_STATIC_DELTA_GENERATE_OPT_LOWLATENCY);
PRINT_CONSTANT ((gint)OSTREE_STATIC_DELTA_GENERATE_OPT_MAJOR);
PRINT_CONSTANT ((gint)OSTREE_STATIC_DELTA_INDEX_FLAGS_NONE);
diff --git a/src/libostree/ostree-sign-x509.c b/src/libostree/ostree-sign-x509.c
new file mode 100644
index 0000000000..336c3daa40
--- /dev/null
+++ b/src/libostree/ostree-sign-x509.c
@@ -0,0 +1,650 @@
+/* vim:set et sw=2 cin cino=t0,f0,(0,{s,>2s,n-s,^-s,e2s: */
+/*
+ * Copyright © 2019 Collabora Ltd.
+ *
+ * SPDX-License-Identifier: LGPL-2.0+
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see .
+ *
+ * Authors:
+ * - Denis Pynkin (d4s)
+ */
+
+#include "config.h"
+
+#include "ostree-sign-x509.h"
+#include "otcore.h"
+#include
+#include
+#include
+
+#undef G_LOG_DOMAIN
+#define G_LOG_DOMAIN "OSTreeSign"
+
+#define OSTREE_SIGN_X509_NAME "x509"
+
+typedef enum
+{
+ X509_OK,
+ X509_NOT_SUPPORTED,
+ X509_FAILED_INITIALIZATION
+} x509_state;
+
+struct _OstreeSignX509
+{
+ GObject parent;
+ x509_state state;
+ GBytes *secret_key;
+ GList *public_keys; /* GBytes */
+ GList *revoked_keys; /* GBytes */
+};
+
+static void ostree_sign_x509_iface_init (OstreeSignInterface *self);
+
+G_DEFINE_TYPE_WITH_CODE (OstreeSignX509, _ostree_sign_x509, G_TYPE_OBJECT,
+ G_IMPLEMENT_INTERFACE (OSTREE_TYPE_SIGN, ostree_sign_x509_iface_init));
+
+static void
+ostree_sign_x509_iface_init (OstreeSignInterface *self)
+{
+
+ self->data = ostree_sign_x509_data;
+ self->data_verify = ostree_sign_x509_data_verify;
+ self->get_name = ostree_sign_x509_get_name;
+ self->metadata_key = ostree_sign_x509_metadata_key;
+ self->metadata_format = ostree_sign_x509_metadata_format;
+ self->clear_keys = ostree_sign_x509_clear_keys;
+ self->set_sk = ostree_sign_x509_set_sk;
+ self->set_pk = ostree_sign_x509_set_pk;
+ self->add_pk = ostree_sign_x509_add_pk;
+ self->load_pk = ostree_sign_x509_load_pk;
+}
+
+static void
+_ostree_sign_x509_class_init (OstreeSignX509Class *self)
+{
+}
+
+static void
+_ostree_sign_x509_init (OstreeSignX509 *self)
+{
+
+ self->state = X509_OK;
+ self->secret_key = NULL;
+ self->public_keys = NULL;
+ self->revoked_keys = NULL;
+
+#if !defined(USE_OPENSSL)
+ self->state = X509_NOT_SUPPORTED;
+#else
+ if (!otcore_x509_init ())
+ self->state = X509_FAILED_INITIALIZATION;
+#endif
+}
+
+static gboolean
+_ostree_sign_x509_is_initialized (OstreeSignX509 *self, GError **error)
+{
+ switch (self->state)
+ {
+ case X509_OK:
+ break;
+ case X509_NOT_SUPPORTED:
+ return glnx_throw (error, "x509: engine is not supported");
+ case X509_FAILED_INITIALIZATION:
+ return glnx_throw (error, "x509: crypto library isn't initialized properly");
+ }
+
+ return TRUE;
+}
+
+gboolean
+ostree_sign_x509_data (OstreeSign *self, GBytes *data, GBytes **signature,
+ GCancellable *cancellable, GError **error)
+{
+
+ g_assert (OSTREE_IS_SIGN (self));
+ OstreeSignX509 *sign = _ostree_sign_x509_get_instance_private (OSTREE_SIGN_X509 (self));
+
+ if (!_ostree_sign_x509_is_initialized (sign, error))
+ return FALSE;
+
+ if (sign->secret_key == NULL)
+ return glnx_throw (error, "Not able to sign: secret key is not set");
+
+#if defined(USE_OPENSSL)
+ gsize secret_key_size;
+ const guint8 *secret_key_buf = g_bytes_get_data (sign->secret_key, &secret_key_size);
+#endif
+
+ unsigned long long sig_size = 0;
+ g_autofree guchar *sig = NULL;
+
+#if defined(USE_OPENSSL)
+ EVP_MD_CTX *ctx = EVP_MD_CTX_new ();
+ if (!ctx)
+ return glnx_throw (error, "openssl: failed to allocate context");
+
+ const unsigned char *p = secret_key_buf;
+ EVP_PKEY *pkey = d2i_AutoPrivateKey (NULL, &p, secret_key_size);
+ if (!pkey)
+ {
+ EVP_MD_CTX_free (ctx);
+ return glnx_throw (error, "openssl: Failed to initialize x509 key");
+ }
+
+ size_t len;
+ if (EVP_DigestSignInit (ctx, NULL, NULL, NULL, pkey)
+ && EVP_DigestSign (ctx, NULL, &len, g_bytes_get_data (data, NULL), g_bytes_get_size (data)))
+ {
+ sig = g_malloc0 (len);
+ if (EVP_DigestSign (ctx, sig, &len, g_bytes_get_data (data, NULL), g_bytes_get_size (data)))
+ sig_size = len;
+ }
+
+ EVP_PKEY_free (pkey);
+ EVP_MD_CTX_free (ctx);
+
+#endif
+
+ if (sig_size == 0)
+ return glnx_throw (error, "Failed to sign");
+
+ *signature = g_bytes_new_take (g_steal_pointer (&sig), sig_size);
+ return TRUE;
+}
+
+gboolean
+ostree_sign_x509_data_verify (OstreeSign *self, GBytes *data, GVariant *signatures,
+ char **out_success_message, GError **error)
+{
+ g_assert (OSTREE_IS_SIGN (self));
+
+ if (data == NULL)
+ return glnx_throw (error, "x509: unable to verify NULL data");
+
+ OstreeSignX509 *sign = _ostree_sign_x509_get_instance_private (OSTREE_SIGN_X509 (self));
+
+ if (!_ostree_sign_x509_is_initialized (sign, error))
+ return FALSE;
+
+ if (signatures == NULL)
+ return glnx_throw (error, "x509: commit have no signatures of my type");
+
+ if (!g_variant_is_of_type (signatures, (GVariantType *)OSTREE_SIGN_METADATA_X509_TYPE))
+ return glnx_throw (error, "x509: wrong type passed for verification");
+
+ /* If no keys pre-loaded then,
+ * try to load public keys from storage(s) */
+ if (sign->public_keys == NULL)
+ {
+ g_autoptr (GVariantBuilder) builder = NULL;
+ g_autoptr (GVariant) options = NULL;
+
+ builder = g_variant_builder_new (G_VARIANT_TYPE ("a{sv}"));
+ options = g_variant_builder_end (builder);
+
+ if (!ostree_sign_x509_load_pk (self, options, error))
+ return FALSE;
+ }
+
+ g_debug ("verify: data hash = 0x%x", g_bytes_hash (data));
+
+ g_autoptr (GString) invalid_signatures = NULL;
+ guint n_invalid_signatures = 0;
+
+ for (gsize i = 0; i < g_variant_n_children (signatures); i++)
+ {
+ g_autoptr (GVariant) child = g_variant_get_child_value (signatures, i);
+ g_autoptr (GBytes) signature = g_variant_get_data_as_bytes (child);
+
+ g_debug ("Read signature %d: %s", (gint)i, g_variant_print (child, TRUE));
+
+ for (GList *l = sign->public_keys; l != NULL; l = l->next)
+ {
+ GBytes *public_key = l->data;
+ /* TODO: use non-list for tons of revoked keys? */
+ if (g_list_find_custom (sign->revoked_keys, public_key, g_bytes_compare) != NULL)
+ {
+ g_autofree char *hex = g_malloc0 (g_bytes_get_size (public_key) * 2 + 1);
+ ot_bin2hex (hex, g_bytes_get_data (public_key, NULL), g_bytes_get_size (public_key));
+ g_debug ("Skip revoked key '%s'", hex);
+ continue;
+ }
+
+ bool valid = false;
+ if (!otcore_validate_x509_signature (data, public_key, signature, &valid, error))
+ return FALSE;
+ if (!valid)
+ {
+ /* Incorrect signature! */
+ if (invalid_signatures == NULL)
+ invalid_signatures = g_string_new ("");
+ else
+ g_string_append (invalid_signatures, "; ");
+ n_invalid_signatures++;
+ g_autofree char *hex = g_malloc0 (g_bytes_get_size (public_key) * 2 + 1);
+ ot_bin2hex (hex, g_bytes_get_data (public_key, NULL), g_bytes_get_size (public_key));
+ g_string_append_printf (invalid_signatures, "key '%s'", hex);
+ }
+ else
+ {
+ if (out_success_message)
+ {
+ g_autofree char *hex = g_malloc0 (g_bytes_get_size (public_key) * 2 + 1);
+ ot_bin2hex (hex, g_bytes_get_data (public_key, NULL),
+ g_bytes_get_size (public_key));
+ *out_success_message = g_strdup_printf (
+ "x509: Signature verified successfully with key '%s'", hex);
+ }
+ return TRUE;
+ }
+ }
+ }
+
+ if (invalid_signatures)
+ {
+ g_assert_cmpuint (n_invalid_signatures, >, 0);
+ /* The test suite has a key ring with 100 keys. This seems insane, let's
+ * cap a reasonable error message at 3.
+ */
+ if (n_invalid_signatures > 3)
+ return glnx_throw (error, "x509: Signature couldn't be verified; tried %u keys",
+ n_invalid_signatures);
+ return glnx_throw (error, "x509: Signature couldn't be verified with: %s",
+ invalid_signatures->str);
+ }
+ return glnx_throw (error, "x509: no signatures found");
+}
+
+const gchar *
+ostree_sign_x509_get_name (OstreeSign *self)
+{
+ g_assert (OSTREE_IS_SIGN (self));
+
+ return OSTREE_SIGN_X509_NAME;
+}
+
+const gchar *
+ostree_sign_x509_metadata_key (OstreeSign *self)
+{
+
+ return OSTREE_SIGN_METADATA_X509_KEY;
+}
+
+const gchar *
+ostree_sign_x509_metadata_format (OstreeSign *self)
+{
+
+ return OSTREE_SIGN_METADATA_X509_TYPE;
+}
+
+gboolean
+ostree_sign_x509_clear_keys (OstreeSign *self, GError **error)
+{
+ g_assert (OSTREE_IS_SIGN (self));
+
+ OstreeSignX509 *sign = _ostree_sign_x509_get_instance_private (OSTREE_SIGN_X509 (self));
+
+ if (!_ostree_sign_x509_is_initialized (sign, error))
+ return FALSE;
+
+ /* Clear secret key */
+ if (sign->secret_key != NULL)
+ {
+ gsize size;
+ gpointer data = g_bytes_unref_to_data (sign->secret_key, &size);
+ explicit_bzero (data, size);
+ sign->secret_key = NULL;
+ }
+
+ /* Clear already loaded trusted keys */
+ if (sign->public_keys != NULL)
+ {
+ g_list_free_full (sign->public_keys, (GDestroyNotify)g_bytes_unref);
+ sign->public_keys = NULL;
+ }
+
+ /* Clear already loaded revoked keys */
+ if (sign->revoked_keys != NULL)
+ {
+ g_list_free_full (sign->revoked_keys, (GDestroyNotify)g_bytes_unref);
+ sign->revoked_keys = NULL;
+ }
+
+ return TRUE;
+}
+
+/* Support 2 representations:
+ * base64 ascii -- secret key is passed as string
+ * raw key -- key is passed as bytes array
+ * */
+gboolean
+ostree_sign_x509_set_sk (OstreeSign *self, GVariant *secret_key, GError **error)
+{
+ g_assert (OSTREE_IS_SIGN (self));
+
+ if (!ostree_sign_x509_clear_keys (self, error))
+ return FALSE;
+
+ OstreeSignX509 *sign = _ostree_sign_x509_get_instance_private (OSTREE_SIGN_X509 (self));
+
+ gsize n_elements = 0;
+
+ g_autofree guchar *secret_key_buf = NULL;
+ if (g_variant_is_of_type (secret_key, G_VARIANT_TYPE_STRING))
+ {
+ const gchar *sk_ascii = g_variant_get_string (secret_key, NULL);
+ secret_key_buf = g_base64_decode (sk_ascii, &n_elements);
+ }
+ else if (g_variant_is_of_type (secret_key, G_VARIANT_TYPE_BYTESTRING))
+ {
+ secret_key_buf
+ = (guchar *)g_variant_get_fixed_array (secret_key, &n_elements, sizeof (guchar));
+ }
+ else
+ {
+ return glnx_throw (error, "Unknown x509 secret key type");
+ }
+
+ sign->secret_key = g_bytes_new_take (g_steal_pointer (&secret_key_buf), n_elements);
+
+ return TRUE;
+}
+
+/* Support 2 representations:
+ * base64 ascii -- public key is passed as string
+ * raw key -- key is passed as bytes array
+ * */
+gboolean
+ostree_sign_x509_set_pk (OstreeSign *self, GVariant *public_key, GError **error)
+{
+ g_assert (OSTREE_IS_SIGN (self));
+
+ if (!ostree_sign_x509_clear_keys (self, error))
+ return FALSE;
+
+ return ostree_sign_x509_add_pk (self, public_key, error);
+}
+
+/* Support 2 representations:
+ * base64 ascii -- public key is passed as string
+ * raw key -- key is passed as bytes array
+ * */
+gboolean
+ostree_sign_x509_add_pk (OstreeSign *self, GVariant *public_key, GError **error)
+{
+ g_assert (OSTREE_IS_SIGN (self));
+
+ OstreeSignX509 *sign = _ostree_sign_x509_get_instance_private (OSTREE_SIGN_X509 (self));
+
+ if (!_ostree_sign_x509_is_initialized (sign, error))
+ return FALSE;
+
+ g_autofree guint8 *key_owned = NULL;
+ const guint8 *key = NULL;
+ gsize n_elements = 0;
+
+ if (g_variant_is_of_type (public_key, G_VARIANT_TYPE_STRING))
+ {
+ const gchar *pk_ascii = g_variant_get_string (public_key, NULL);
+ key = key_owned = g_base64_decode (pk_ascii, &n_elements);
+ }
+ else if (g_variant_is_of_type (public_key, G_VARIANT_TYPE_BYTESTRING))
+ {
+ key = g_variant_get_fixed_array (public_key, &n_elements, sizeof (guchar));
+ }
+ else
+ {
+ return glnx_throw (error, "Unknown x509 public key type");
+ }
+
+ g_autofree char *hex = g_malloc0 (n_elements * 2 + 1);
+ ot_bin2hex (hex, key, n_elements);
+ g_debug ("Read x509 public key = %s", hex);
+
+ g_autoptr (GBytes) key_bytes = g_bytes_new_static (key, n_elements);
+ if (g_list_find_custom (sign->public_keys, key_bytes, g_bytes_compare) == NULL)
+ {
+ GBytes *new_key_bytes = g_bytes_new (key, n_elements);
+ sign->public_keys = g_list_prepend (sign->public_keys, new_key_bytes);
+ }
+
+ return TRUE;
+}
+
+/* Add revoked public key */
+static gboolean
+_x509_add_revoked (OstreeSign *self, GVariant *revoked_key, GError **error)
+{
+ g_assert (OSTREE_IS_SIGN (self));
+
+ OstreeSignX509 *sign = _ostree_sign_x509_get_instance_private (OSTREE_SIGN_X509 (self));
+
+ g_autofree guint8 *key_owned = NULL;
+ const guint8 *key = NULL;
+ gsize n_elements = 0;
+
+ if (g_variant_is_of_type (revoked_key, G_VARIANT_TYPE_STRING))
+ {
+ const gchar *rk_ascii = g_variant_get_string (revoked_key, NULL);
+ key = key_owned = g_base64_decode (rk_ascii, &n_elements);
+ }
+ else if (g_variant_is_of_type (revoked_key, G_VARIANT_TYPE_BYTESTRING))
+ {
+ key = g_variant_get_fixed_array (revoked_key, &n_elements, sizeof (guchar));
+ }
+ else
+ {
+ return glnx_throw (error, "Unknown x509 revoked key type");
+ }
+
+ g_autofree char *hex = g_malloc0 (n_elements * 2 + 1);
+ ot_bin2hex (hex, key, n_elements);
+ g_debug ("Read x509 revoked key = %s", hex);
+
+ g_autoptr (GBytes) key_bytes = g_bytes_new_static (key, n_elements);
+ if (g_list_find_custom (sign->revoked_keys, key, g_bytes_compare) == NULL)
+ {
+ GBytes *new_key_bytes = g_bytes_new (key, n_elements);
+ sign->revoked_keys = g_list_prepend (sign->revoked_keys, new_key_bytes);
+ }
+
+ return TRUE;
+}
+
+static gboolean
+_load_pk_from_stream (OstreeSign *self, GInputStream *key_stream_in, gboolean trusted,
+ GError **error)
+{
+ if (key_stream_in == NULL)
+ return glnx_throw (error, "x509: unable to read from NULL key-data input stream");
+
+ gboolean ret = FALSE;
+
+ g_autoptr (OstreeBlobReader) blob_reader = ostree_sign_read_pk (self, key_stream_in);
+ g_assert (blob_reader);
+
+ /* Use simple file format with just a list of base64 public keys per line */
+ while (TRUE)
+ {
+ g_autoptr (GVariant) pk = NULL;
+ gboolean added = FALSE;
+ g_autoptr (GError) local_error = NULL;
+ g_autoptr (GBytes) blob = ostree_blob_reader_read_blob (blob_reader, NULL, &local_error);
+
+ if (local_error != NULL)
+ {
+ g_propagate_error (error, g_steal_pointer (&local_error));
+ return FALSE;
+ }
+
+ if (blob == NULL)
+ return ret;
+
+ /* Read the key itself */
+ pk = g_variant_new_from_bytes (G_VARIANT_TYPE_BYTESTRING, blob, FALSE);
+
+ if (trusted)
+ added = ostree_sign_x509_add_pk (self, pk, error);
+ else
+ added = _x509_add_revoked (self, pk, error);
+
+ g_autofree gchar *pk_printable = g_variant_print (pk, FALSE);
+ g_debug ("%s %s key: %s", added ? "Added" : "Invalid", trusted ? "public" : "revoked",
+ pk_printable);
+
+ /* Mark what we load at least one key */
+ if (added)
+ ret = TRUE;
+ }
+
+ return ret;
+}
+
+static gboolean
+_load_pk_from_file (OstreeSign *self, const gchar *filename, gboolean trusted, GError **error)
+{
+ g_debug ("Processing file '%s'", filename);
+
+ g_autoptr (GFile) keyfile = NULL;
+ g_autoptr (GFileInputStream) key_stream_in = NULL;
+
+ if (!g_file_test (filename, G_FILE_TEST_IS_REGULAR))
+ {
+ g_debug ("Can't open file '%s' with public keys", filename);
+ return glnx_throw (error, "File object '%s' is not a regular file", filename);
+ }
+
+ keyfile = g_file_new_for_path (filename);
+ key_stream_in = g_file_read (keyfile, NULL, error);
+ if (key_stream_in == NULL)
+ return FALSE;
+
+ if (!_load_pk_from_stream (self, G_INPUT_STREAM (key_stream_in), trusted, error))
+ {
+ if (error == NULL || *error == NULL)
+ return glnx_throw (error, "signature: x509: no valid keys in file '%s'", filename);
+ else
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+static gboolean
+_x509_load_pk (OstreeSign *self, GVariant *options, gboolean trusted, GError **error)
+{
+
+ gboolean ret = FALSE;
+ const gchar *custom_dir = NULL;
+
+ g_autoptr (GPtrArray) base_dirs = g_ptr_array_new_with_free_func (g_free);
+ g_autoptr (GPtrArray) x509_files = g_ptr_array_new_with_free_func (g_free);
+
+ if (g_variant_lookup (options, "basedir", "&s", &custom_dir))
+ {
+ /* Add custom directory */
+ g_ptr_array_add (base_dirs, g_strdup (custom_dir));
+ }
+ else
+ {
+ /* Default paths where to find files with public keys */
+ g_ptr_array_add (base_dirs, g_strdup ("/etc/ostree"));
+ g_ptr_array_add (base_dirs, g_strdup (DATADIR "/ostree"));
+ }
+
+ /* Scan all well-known directories and construct the list with file names to scan keys */
+ for (gint i = 0; i < base_dirs->len; i++)
+ {
+ gchar *base_name = NULL;
+ g_autofree gchar *base_dir = NULL;
+ g_autoptr (GDir) dir = NULL;
+
+ base_name = g_build_filename ((gchar *)g_ptr_array_index (base_dirs, i),
+ trusted ? "trusted.x509" : "revoked.x509", NULL);
+
+ g_debug ("Check x509 keys from file: %s", base_name);
+ g_ptr_array_add (x509_files, base_name);
+
+ base_dir = g_strconcat (base_name, ".d", NULL);
+ dir = g_dir_open (base_dir, 0, error);
+ if (dir == NULL)
+ {
+ g_clear_error (error);
+ continue;
+ }
+ const gchar *entry = NULL;
+ while ((entry = g_dir_read_name (dir)) != NULL)
+ {
+ gchar *filename = g_build_filename (base_dir, entry, NULL);
+ g_debug ("Check x509 keys from file: %s", filename);
+ g_ptr_array_add (x509_files, filename);
+ }
+ }
+
+ /* Scan all well-known files */
+ for (gint i = 0; i < x509_files->len; i++)
+ {
+ if (!_load_pk_from_file (self, (gchar *)g_ptr_array_index (x509_files, i), trusted, error))
+ {
+ g_debug ("Problem with loading x509 %s keys from `%s`", trusted ? "public" : "revoked",
+ (gchar *)g_ptr_array_index (x509_files, i));
+ g_clear_error (error);
+ }
+ else
+ ret = TRUE;
+ }
+
+ if (!ret && (error == NULL || *error == NULL))
+ return glnx_throw (error, "signature: x509: no keys loaded");
+
+ return ret;
+}
+
+/*
+ * options argument should be a{sv}:
+ * - filename -- single file to use to load keys from;
+ * - basedir -- directory containing subdirectories
+ * 'trusted.x509.d' and 'revoked.x509.d' with appropriate
+ * public keys. Used for testing and re-definition of system-wide
+ * directories if defaults are not suitable for any reason.
+ */
+gboolean
+ostree_sign_x509_load_pk (OstreeSign *self, GVariant *options, GError **error)
+{
+
+ const gchar *filename = NULL;
+
+ OstreeSignX509 *sign = _ostree_sign_x509_get_instance_private (OSTREE_SIGN_X509 (self));
+ if (!_ostree_sign_x509_is_initialized (sign, error))
+ return FALSE;
+
+ /* Read keys only from single file provided */
+ if (g_variant_lookup (options, "filename", "&s", &filename))
+ return _load_pk_from_file (self, filename, TRUE, error);
+
+ /* Load public keys from well-known directories and files */
+ if (!_x509_load_pk (self, options, TRUE, error))
+ return FALSE;
+
+ /* Load untrusted keys from well-known directories and files
+ * Ignore the failure from this function -- it is expected to have
+ * empty list of revoked keys.
+ * */
+ if (!_x509_load_pk (self, options, FALSE, error))
+ g_clear_error (error);
+
+ return TRUE;
+}
diff --git a/src/libostree/ostree-sign-x509.h b/src/libostree/ostree-sign-x509.h
new file mode 100644
index 0000000000..556e7f6219
--- /dev/null
+++ b/src/libostree/ostree-sign-x509.h
@@ -0,0 +1,56 @@
+/* vim:set et sw=2 cin cino=t0,f0,(0,{s,>2s,n-s,^-s,e2s: */
+
+/*
+ * Copyright © 2019 Collabora Ltd.
+ *
+ * SPDX-License-Identifier: LGPL-2.0+
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see .
+ *
+ * Authors:
+ * - Denis Pynkin (d4s)
+ */
+
+#pragma once
+
+#include "ostree-sign.h"
+
+G_BEGIN_DECLS
+
+#define OSTREE_TYPE_SIGN_X509 (_ostree_sign_x509_get_type ())
+
+_OSTREE_PUBLIC
+G_DECLARE_FINAL_TYPE (OstreeSignX509, _ostree_sign_x509, OSTREE, SIGN_X509, GObject)
+
+gboolean ostree_sign_x509_data (OstreeSign *self, GBytes *data, GBytes **signature,
+ GCancellable *cancellable, GError **error);
+
+gboolean ostree_sign_x509_data_verify (OstreeSign *self, GBytes *data, GVariant *signatures,
+ char **out_success_message, GError **error);
+
+const gchar *ostree_sign_x509_get_name (OstreeSign *self);
+const gchar *ostree_sign_x509_metadata_key (OstreeSign *self);
+const gchar *ostree_sign_x509_metadata_format (OstreeSign *self);
+
+gboolean ostree_sign_x509_clear_keys (OstreeSign *self, GError **error);
+
+gboolean ostree_sign_x509_set_sk (OstreeSign *self, GVariant *secret_key, GError **error);
+
+gboolean ostree_sign_x509_set_pk (OstreeSign *self, GVariant *public_key, GError **error);
+
+gboolean ostree_sign_x509_add_pk (OstreeSign *self, GVariant *public_key, GError **error);
+
+gboolean ostree_sign_x509_load_pk (OstreeSign *self, GVariant *options, GError **error);
+
+G_END_DECLS
diff --git a/src/libostree/ostree-sign.c b/src/libostree/ostree-sign.c
index ad2358de68..c5d625aaa8 100644
--- a/src/libostree/ostree-sign.c
+++ b/src/libostree/ostree-sign.c
@@ -39,11 +39,13 @@
#include "ostree-autocleanups.h"
#include "ostree-blob-reader-base64.h"
+#include "ostree-blob-reader-pem.h"
#include "ostree-blob-reader-raw.h"
#include "ostree-core.h"
#include "ostree-sign-dummy.h"
#include "ostree-sign-ed25519.h"
#include "ostree-sign-private.h"
+#include "ostree-sign-x509.h"
#include "ostree-sign.h"
#include "ostree-autocleanups.h"
@@ -61,6 +63,9 @@ typedef struct
_sign_type sign_types[] = {
#if defined(HAVE_ED25519)
{ OSTREE_SIGN_NAME_ED25519, 0 },
+#endif
+#if defined(HAVE_X509)
+ { OSTREE_SIGN_NAME_X509, 0 },
#endif
{ "dummy", 0 }
};
@@ -69,6 +74,9 @@ enum
{
#if defined(HAVE_ED25519)
SIGN_ED25519,
+#endif
+#if defined(HAVE_X509)
+ SIGN_X509,
#endif
SIGN_DUMMY
};
@@ -538,6 +546,10 @@ ostree_sign_get_by_name (const gchar *name, GError **error)
#if defined(HAVE_ED25519)
if (sign_types[SIGN_ED25519].type == 0)
sign_types[SIGN_ED25519].type = OSTREE_TYPE_SIGN_ED25519;
+#endif
+#if defined(HAVE_X509)
+ if (sign_types[SIGN_X509].type == 0)
+ sign_types[SIGN_X509].type = OSTREE_TYPE_SIGN_X509;
#endif
if (sign_types[SIGN_DUMMY].type == 0)
sign_types[SIGN_DUMMY].type = OSTREE_TYPE_SIGN_DUMMY;
@@ -661,6 +673,10 @@ ostree_sign_read_pk (OstreeSign *self, GInputStream *stream)
#if defined(HAVE_ED25519)
if (OSTREE_IS_SIGN_ED25519 (self))
return OSTREE_BLOB_READER (_ostree_blob_reader_base64_new (stream));
+#endif
+#if defined(HAVE_X509)
+ if (OSTREE_IS_SIGN_X509 (self))
+ return OSTREE_BLOB_READER (_ostree_blob_reader_pem_new (stream, "PUBLIC KEY"));
#endif
if (OSTREE_IS_SIGN_DUMMY (self))
return OSTREE_BLOB_READER (_ostree_blob_reader_raw_new (stream));
@@ -684,6 +700,10 @@ ostree_sign_read_sk (OstreeSign *self, GInputStream *stream)
#if defined(HAVE_ED25519)
if (OSTREE_IS_SIGN_ED25519 (self))
return OSTREE_BLOB_READER (_ostree_blob_reader_base64_new (stream));
+#endif
+#if defined(HAVE_X509)
+ if (OSTREE_IS_SIGN_X509 (self))
+ return OSTREE_BLOB_READER (_ostree_blob_reader_pem_new (stream, "PRIVATE KEY"));
#endif
if (OSTREE_IS_SIGN_DUMMY (self))
return OSTREE_BLOB_READER (_ostree_blob_reader_raw_new (stream));
diff --git a/src/libostree/ostree-sign.h b/src/libostree/ostree-sign.h
index 81495c3900..b5b7397c6f 100644
--- a/src/libostree/ostree-sign.h
+++ b/src/libostree/ostree-sign.h
@@ -44,6 +44,14 @@ G_BEGIN_DECLS
*/
#define OSTREE_SIGN_NAME_ED25519 "ed25519"
+/**
+ * OSTREE_SIGN_NAME_X509:
+ * The name of the x509 signing type.
+ *
+ * Since: 2024.7
+ */
+#define OSTREE_SIGN_NAME_X509 "x509"
+
_OSTREE_PUBLIC
G_DECLARE_INTERFACE (OstreeSign, ostree_sign, OSTREE, SIGN, GObject)
diff --git a/src/libotcore/otcore-x509-verify.c b/src/libotcore/otcore-x509-verify.c
new file mode 100644
index 0000000000..c8fe7611f1
--- /dev/null
+++ b/src/libotcore/otcore-x509-verify.c
@@ -0,0 +1,89 @@
+/*
+ * SPDX-License-Identifier: LGPL-2.0+
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see .
+ */
+
+#include "config.h"
+
+#include "otcore.h"
+
+/* Initialize global state; may be called multiple times and is idempotent. */
+bool
+otcore_x509_init (void)
+{
+ return true;
+}
+
+/* Validate a single x509 signature. If there is an unexpected state, such
+ * as an ill-forumed public key or signature, a hard error will be returned.
+ *
+ * If the signature is not correct, this function will return successfully, but
+ * `out_valid` will be set to `false`.
+ *
+ * If the signature is correct, `out_valid` will be `true`.
+ */
+gboolean
+otcore_validate_x509_signature (GBytes *data, GBytes *public_key, GBytes *signature,
+ bool *out_valid, GError **error)
+{
+ // Since this is signature verification code, let's verify preconditions.
+ g_assert (data);
+ g_assert (public_key);
+ g_assert (signature);
+ g_assert (out_valid);
+ // It is OK for error to be NULL, though according to GError rules.
+
+#if defined(HAVE_OPENSSL)
+ gsize public_key_size;
+ const guint8 *public_key_buf = g_bytes_get_data (public_key, &public_key_size);
+
+ gsize signature_size;
+ const guint8 *signature_buf = g_bytes_get_data (signature, &signature_size);
+
+ if (public_key_size > OSTREE_SIGN_MAX_METADATA_SIZE)
+ return glnx_throw (
+ error, "Invalid public key of %" G_GSIZE_FORMAT " bytes, expected <= %" G_GSIZE_FORMAT,
+ public_key_size, (gsize)OSTREE_SIGN_MAX_METADATA_SIZE);
+
+ if (signature_size > OSTREE_SIGN_MAX_METADATA_SIZE)
+ return glnx_throw (
+ error, "Invalid signature of %" G_GSIZE_FORMAT " bytes, expected <= %" G_GSIZE_FORMAT,
+ signature_size, (gsize)OSTREE_SIGN_MAX_METADATA_SIZE);
+
+ EVP_MD_CTX *ctx = EVP_MD_CTX_new ();
+ if (!ctx)
+ return glnx_throw (error, "openssl: failed to allocate context");
+
+ const unsigned char *p = public_key_buf;
+ EVP_PKEY *pkey = d2i_PUBKEY (NULL, &p, public_key_size);
+ if (!pkey)
+ {
+ EVP_MD_CTX_free (ctx);
+ return glnx_throw (error, "openssl: Failed to initialize x509 key");
+ }
+ if (EVP_DigestVerifyInit (ctx, NULL, NULL, NULL, pkey) != 0
+ && EVP_DigestVerify (ctx, signature_buf, signature_size, g_bytes_get_data (data, NULL),
+ g_bytes_get_size (data))
+ != 0)
+ {
+ *out_valid = true;
+ }
+ EVP_PKEY_free (pkey);
+ EVP_MD_CTX_free (ctx);
+ return TRUE;
+#else
+ return glnx_throw (error, "x509 signature validation requested, but support not compiled in");
+#endif
+}
diff --git a/src/libotcore/otcore.h b/src/libotcore/otcore.h
index 6e1d510329..7296aee391 100644
--- a/src/libotcore/otcore.h
+++ b/src/libotcore/otcore.h
@@ -27,6 +27,7 @@
#define USE_LIBSODIUM
#elif defined(HAVE_OPENSSL)
#include
+#include
#define USE_OPENSSL
#endif
@@ -39,10 +40,22 @@
// The variant type
#define OSTREE_SIGN_METADATA_ED25519_TYPE "aay"
+// This key is stored inside commit metadata.
+#define OSTREE_SIGN_METADATA_X509_KEY "ostree.sign.x509"
+// The variant type
+#define OSTREE_SIGN_METADATA_X509_TYPE "aay"
+
+// Maximum size of metadata in bytes, in sync with OSTREE_MAX_METADATA_SIZE
+#define OSTREE_SIGN_MAX_METADATA_SIZE (128 * 1024 * 1024)
+
bool otcore_ed25519_init (void);
gboolean otcore_validate_ed25519_signature (GBytes *data, GBytes *pubkey, GBytes *signature,
bool *out_valid, GError **error);
+bool otcore_x509_init (void);
+gboolean otcore_validate_x509_signature (GBytes *data, GBytes *public_key, GBytes *signature,
+ bool *out_valid, GError **error);
+
char *otcore_find_proc_cmdline_key (const char *cmdline, const char *key);
gboolean otcore_get_ostree_target (const char *cmdline, gboolean *is_aboot, char **out_target,
GError **error);
diff --git a/tests/libtest.sh b/tests/libtest.sh
index 2c2a33f0d9..da556ea912 100755
--- a/tests/libtest.sh
+++ b/tests/libtest.sh
@@ -780,6 +780,40 @@ gen_ed25519_random_public()
openssl genpkey -algorithm ED25519 | openssl pkey -outform DER | tail -c 32 | base64
}
+# Keys for x509 signing tests
+X509PUBLICPEM=
+X509SECRETPEM=
+
+X509PUBLIC=
+X509SECRET=
+
+gen_x509_keys ()
+{
+ # Generate private key in PEM format
+ X509SECRETPEM="$(mktemp -p ${test_tmpdir} ed448_sk_XXXXXX.pem)"
+ openssl genpkey -algorithm ed448 -outform PEM -out "${X509SECRETPEM}"
+ X509PUBLICPEM="$(mktemp -p ${test_tmpdir} ed448_pk_XXXXXX.pem)"
+ openssl pkey -outform PEM -pubout -in "${X509SECRETPEM}" -out "${X509PUBLICPEM}"
+
+ X509PUBLIC="$(openssl pkey -inform PEM -outform DER -pubin -pubout -in ${X509PUBLICPEM} | base64 -w 0)"
+ X509SECRET="$(openssl pkey -inform PEM -outform DER -in ${X509SECRETPEM} | base64 -w 0)"
+
+ echo "Generated ed448 keys:"
+ echo "public: ${X509PUBLIC}"
+ echo "secret: ${X509SECRET}"
+}
+
+gen_x509_random_public()
+{
+ openssl genpkey -algorithm ed448 | openssl pkey -pubout -outform DER | base64 -w 0
+ echo
+}
+
+gen_x509_random_public_pem()
+{
+ openssl genpkey -algorithm ed448 | openssl pkey -pubout -outform PEM
+}
+
is_bare_user_only_repo () {
grep -q 'mode=bare-user-only' $1/config
}
diff --git a/tests/test-signed-commit-dummy.sh b/tests/test-signed-commit-dummy.sh
new file mode 100755
index 0000000000..6c6158e46b
--- /dev/null
+++ b/tests/test-signed-commit-dummy.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+#
+# Copyright (C) 2019 Collabora Ltd.
+#
+# SPDX-License-Identifier: LGPL-2.0+
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see .
+
+set -euo pipefail
+
+. $(dirname $0)/libtest.sh
+
+echo "1..4"
+
+# This is explicitly opt in for testing
+export OSTREE_DUMMY_SIGN_ENABLED=1
+
+mkdir ${test_tmpdir}/repo
+ostree_repo_init repo --mode="archive"
+
+echo "Unsigned commit" > file.txt
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo commit -b main -s 'Unsigned commit'
+COMMIT="$(ostree --repo=${test_tmpdir}/repo rev-parse main)"
+
+# Test `ostree sign` with dummy module first
+DUMMYSIGN="dummysign"
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --sign-type=dummy ${COMMIT} ${DUMMYSIGN}
+
+# Ensure that detached metadata really contain expected string
+EXPECTEDSIGN="$(echo $DUMMYSIGN | hexdump -n 9 -e '8/1 "0x%.2x, " 1/1 " 0x%.2x"')"
+${CMD_PREFIX} ostree --repo=repo show ${COMMIT} --print-detached-metadata-key=ostree.sign.dummy | grep -q -e "${EXPECTEDSIGN}"
+echo "ok Detached dummy signature added"
+
+# Verify vith sign mechanism
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --sign-type=dummy --verify ${COMMIT} ${DUMMYSIGN}
+echo "ok dummy signature verified"
+
+echo "Signed commit with dummy key: ${DUMMYSIGN}" >> file.txt
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo commit -b main -s 'Signed with dummy module' --sign=${DUMMYSIGN} --sign-type=dummy
+COMMIT="$(ostree --repo=${test_tmpdir}/repo rev-parse main)"
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --sign-type=dummy --verify ${COMMIT} ${DUMMYSIGN}
+echo "ok commit with dummy signing"
+
+if ${CMD_PREFIX} env -u OSTREE_DUMMY_SIGN_ENABLED ostree --repo=${test_tmpdir}/repo sign --sign-type=dummy --verify ${COMMIT} ${DUMMYSIGN} 2>err.txt; then
+ fatal "verified dummy signature without env"
+fi
+# FIXME the error message here is broken
+#assert_file_has_content_literal err.txt 'dummy signature type is only for ostree testing'
+assert_file_has_content_literal err.txt ' No valid signatures found'
+echo "ok dummy sig requires env"
diff --git a/tests/test-signed-commit.sh b/tests/test-signed-commit-ed25519.sh
similarity index 76%
rename from tests/test-signed-commit.sh
rename to tests/test-signed-commit-ed25519.sh
index 73218528ce..dfc8e3fd1e 100755
--- a/tests/test-signed-commit.sh
+++ b/tests/test-signed-commit-ed25519.sh
@@ -21,7 +21,7 @@ set -euo pipefail
. $(dirname $0)/libtest.sh
-echo "1..11"
+echo "1..7"
# This is explicitly opt in for testing
export OSTREE_DUMMY_SIGN_ENABLED=1
@@ -29,48 +29,8 @@ export OSTREE_DUMMY_SIGN_ENABLED=1
mkdir ${test_tmpdir}/repo
ostree_repo_init repo --mode="archive"
-echo "Unsigned commit" > file.txt
-${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo commit -b main -s 'Unsigned commit'
-COMMIT="$(ostree --repo=${test_tmpdir}/repo rev-parse main)"
-
-# Test `ostree sign` with dummy module first
+# For multi-sign test
DUMMYSIGN="dummysign"
-${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --sign-type=dummy ${COMMIT} ${DUMMYSIGN}
-
-# Ensure that detached metadata really contain expected string
-EXPECTEDSIGN="$(echo $DUMMYSIGN | hexdump -n 9 -e '8/1 "0x%.2x, " 1/1 " 0x%.2x"')"
-${CMD_PREFIX} ostree --repo=repo show ${COMMIT} --print-detached-metadata-key=ostree.sign.dummy | grep -q -e "${EXPECTEDSIGN}"
-echo "ok Detached dummy signature added"
-
-# Verify vith sign mechanism
-${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --sign-type=dummy --verify ${COMMIT} ${DUMMYSIGN}
-echo "ok dummy signature verified"
-
-echo "Signed commit with dummy key: ${DUMMYSIGN}" >> file.txt
-${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo commit -b main -s 'Signed with dummy module' --sign=${DUMMYSIGN} --sign-type=dummy
-COMMIT="$(ostree --repo=${test_tmpdir}/repo rev-parse main)"
-${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --sign-type=dummy --verify ${COMMIT} ${DUMMYSIGN}
-echo "ok commit with dummy signing"
-
-if ${CMD_PREFIX} env -u OSTREE_DUMMY_SIGN_ENABLED ostree --repo=${test_tmpdir}/repo sign --sign-type=dummy --verify ${COMMIT} ${DUMMYSIGN} 2>err.txt; then
- fatal "verified dummy signature without env"
-fi
-# FIXME the error message here is broken
-#assert_file_has_content_literal err.txt 'dummy signature type is only for ostree testing'
-assert_file_has_content_literal err.txt ' No valid signatures found'
-echo "ok dummy sig requires env"
-
-# tests below require libsodium support
-if ! has_ostree_feature sign-ed25519; then
- echo "ok Detached ed25519 signature # SKIP due libsodium unavailability"
- echo "ok ed25519 signature verified # SKIP due libsodium unavailability"
- echo "ok multiple signing # SKIP due libsodium unavailability"
- echo "ok verify ed25519 keys file # SKIP due libsodium unavailability"
- echo "ok sign with ed25519 keys file # SKIP due libsodium unavailability"
- echo "ok verify ed25519 system-wide configuration # SKIP due libsodium unavailability"
- echo "ok verify ed25519 revoking keys mechanism # SKIP due libsodium unavailability"
- exit 0
-fi
# Test ostree sign with 'ed25519' module
gen_ed25519_keys
diff --git a/tests/test-signed-commit-x509.sh b/tests/test-signed-commit-x509.sh
new file mode 100755
index 0000000000..8a96e3ad9d
--- /dev/null
+++ b/tests/test-signed-commit-x509.sh
@@ -0,0 +1,164 @@
+#!/bin/bash
+#
+# Copyright (C) 2019 Collabora Ltd.
+#
+# SPDX-License-Identifier: LGPL-2.0+
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see .
+
+set -euo pipefail
+
+. $(dirname $0)/libtest.sh
+
+echo "1..7"
+
+# This is explicitly opt in for testing
+export OSTREE_DUMMY_SIGN_ENABLED=1
+
+mkdir ${test_tmpdir}/repo
+ostree_repo_init repo --mode="archive"
+
+# For multi-sign test
+DUMMYSIGN="dummysign"
+
+# Test ostree sign with 'x509' module
+gen_x509_keys
+PUBLIC=${X509PUBLIC}
+SECRET=${X509SECRET}
+
+WRONG_PUBLIC="$(gen_x509_random_public)"
+
+echo "PUBLIC = $PUBLIC"
+
+echo "Signed commit with x509: ${SECRET}" >> file.txt
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo commit -b main -s "Signed with x509 module" --sign="${SECRET}" --sign-type=x509
+COMMIT="$(ostree --repo=${test_tmpdir}/repo rev-parse main)"
+
+# Ensure that detached metadata contain signature
+${CMD_PREFIX} ostree --repo=repo show ${COMMIT} --print-detached-metadata-key=ostree.sign.x509 &>/dev/null
+echo "ok Detached x509 signature added"
+
+# Verify vith sign mechanism
+if ${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --verify --sign-type=x509 ${COMMIT} ${WRONG_PUBLIC}; then
+ exit 1
+fi
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --verify --sign-type=x509 ${COMMIT} ${PUBLIC}
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --verify --sign-type=x509 ${COMMIT} ${PUBLIC} ${PUBLIC}
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --verify --sign-type=x509 ${COMMIT} $(gen_x509_random_public) ${PUBLIC}
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --verify --sign-type=x509 ${COMMIT} $(gen_x509_random_public) $(gen_x509_random_public) ${PUBLIC}
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --verify --sign-type=x509 ${COMMIT} ${PUBLIC} $(gen_x509_random_public) $(gen_x509_random_public)
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --verify --sign-type=x509 ${COMMIT} $(gen_x509_random_public) $(gen_x509_random_public) ${PUBLIC} $(gen_x509_random_public) $(gen_x509_random_public)
+echo "ok x509 signature verified"
+
+# Check if we are able to use all available modules to sign the same commit
+echo "Unsigned commit for multi-sign" >> file.txt
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo commit -b main -s 'Unsigned commit'
+COMMIT="$(ostree --repo=${test_tmpdir}/repo rev-parse main)"
+# Check if we have no signatures
+for mod in "dummy" "x509"; do
+ if ostree --repo=repo show ${COMMIT} --print-detached-metadata-key=ostree.sign.${mod}; then
+ echo "Unexpected signature for ${mod} found"
+ exit 1
+ fi
+done
+
+# Sign with all available modules
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --sign-type=dummy ${COMMIT} ${DUMMYSIGN}
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --sign-type=x509 ${COMMIT} ${SECRET}
+# and verify
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --verify --sign-type=x509 ${COMMIT} ${PUBLIC} >out.txt
+assert_file_has_content out.txt "x509: Signature verified successfully with key"
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --sign-type=dummy --verify ${COMMIT} ${DUMMYSIGN} >out.txt
+assert_file_has_content out.txt "dummy: Signature verified"
+echo "ok multiple signing "
+
+# Prepare files with public x509 signatures
+PUBKEYS="$(mktemp -p ${test_tmpdir} x509_XXXXXX.x509)"
+
+# Test if file contain no keys
+if ${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --verify --sign-type=x509 --keys-file=${PUBKEYS} ${COMMIT}; then
+ exit 1
+fi
+
+# Test if have a problem with file object
+if ${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --verify --sign-type=x509 --keys-file=${test_tmpdir} ${COMMIT}; then
+ exit 1
+fi
+
+# Test with single key in list
+cat ${X509PUBLICPEM} > ${PUBKEYS}
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --verify --sign-type=x509 --keys-file=${PUBKEYS} ${COMMIT} >out.txt
+assert_file_has_content out.txt 'x509: Signature verified successfully'
+
+# Test the file with multiple keys without a valid public key
+for((i=0;i<100;i++)); do
+ # Generate a list with some public signatures
+ gen_x509_random_public_pem
+done > ${PUBKEYS}
+# Check if file contain no valid signatures
+if ${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --verify --sign-type=x509 --keys-file=${PUBKEYS} ${COMMIT} 2>err.txt; then
+ fatal "validated with no signatures"
+fi
+assert_file_has_content err.txt 'error:.* x509: Signature couldn.t be verified; tried 100 keys'
+# Check if no valid signatures provided via args&file
+if ${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --verify --sign-type=x509 --keys-file=${PUBKEYS} ${COMMIT} ${WRONG_PUBLIC}; then
+ exit 1
+fi
+
+#Test keys file and public key
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --verify --sign-type=x509 --keys-file=${PUBKEYS} ${COMMIT} ${PUBLIC}
+
+# Add correct key into the list
+cat "${X509PUBLICPEM}" >> ${PUBKEYS}
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --verify --sign-type=x509 --keys-file=${PUBKEYS} ${COMMIT}
+
+echo "ok verify x509 keys file"
+
+# Check x509 signing with secret file
+echo "Unsigned commit for secret file usage" >> file.txt
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo commit -b main -s 'Unsigned commit'
+COMMIT="$(ostree --repo=${test_tmpdir}/repo rev-parse main)"
+
+KEYFILE="$(mktemp -p ${test_tmpdir} secret_XXXXXX.x509)"
+cat "${X509SECRETPEM}" > ${KEYFILE}
+# Sign
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --sign-type=x509 --keys-file=${KEYFILE} ${COMMIT}
+# Verify
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --verify --sign-type=x509 --keys-file=${PUBKEYS} ${COMMIT}
+echo "ok sign with x509 keys file"
+
+# Check the well-known places mechanism
+mkdir -p ${test_tmpdir}/{trusted,revoked}.x509.d
+for((i=0;i<100;i++)); do
+ # Generate some key files with random public signatures
+ gen_x509_random_public_pem > ${test_tmpdir}/trusted.x509.d/signature_$i
+done
+# Check no valid public keys are available
+if ${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --verify --sign-type=x509 --keys-dir=${test_tmpdir} ${COMMIT}; then
+ exit 1
+fi
+cat "${X509PUBLICPEM}" > ${test_tmpdir}/trusted.x509.d/correct
+# Verify with correct key
+${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --verify --sign-type=x509 --keys-dir=${test_tmpdir} ${COMMIT}
+
+echo "ok verify x509 system-wide configuration"
+
+# Add the public key into revoked list
+cat "${X509PUBLICPEM}" > ${test_tmpdir}/revoked.x509.d/correct
+# Check if public key is not valid anymore
+if ${CMD_PREFIX} ostree --repo=${test_tmpdir}/repo sign --verify --sign-type=x509 --keys-dir=${test_tmpdir} ${COMMIT}; then
+ exit 1
+fi
+rm -rf ${test_tmpdir}/{trusted,revoked}.x509.d
+echo "ok verify x509 revoking keys mechanism"