[PATCH usign] usign: add VERIFYONLY option

Paul Spooren mail at aparcar.org
Sat Jul 18 15:08:08 EDT 2020


The reimplementation of signify called usign is used for both opkg
package list and sysupgrade verification.

Currently usign support all features per default, including key
generation and signing of of mesages.

Inspired by Petrs work on the signify port[0] I tried to add similar
ifndef conditions to reduce the code size.

If VERIFYONLY is set, the usign binary size is reduced by 4kB. Only the
functions `-V` for verification and `-F` for fingerprint printing are
enabled.

[0]: https://github.com/openwrt/openwrt/pull/2911
Signed-off-by: Paul Spooren <mail at aparcar.org>
---
 main.c | 118 ++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 66 insertions(+), 52 deletions(-)

diff --git a/main.c b/main.c
index ebfdfb0..ccf4455 100644
--- a/main.c
+++ b/main.c
@@ -57,7 +57,9 @@ static const char *pubkeyfile;
 static const char *pubkeydir;
 static const char *sigfile;
 static const char *seckeyfile;
+#ifndef VERIFYONLY
 static const char *comment;
+#endif
 static bool quiet;
 static enum {
 	CMD_NONE,
@@ -139,21 +141,6 @@ get_base64_file(const char *file, void *dest, int size, void *buf, int buflen)
 	return b64_decode(buf, dest, size) == size;
 }
 
-static void write_file(const char *name, const uint8_t *fingerprint,
-		       const char *prefix, char *buf)
-{
-	FILE *f;
-
-	f = open_file(name, false);
-	fputs("untrusted comment: ", f);
-	if (comment)
-		fputs(comment, f);
-	else
-		fprintf(f, "%s %016"PRIx64, prefix,
-			fingerprint_u64(fingerprint));
-	fprintf(f, "\n%s\n", buf);
-	fclose(f);
-}
 
 static int verify(const char *msgfile)
 {
@@ -208,6 +195,47 @@ static int verify(const char *msgfile)
 	return 0;
 }
 
+static int fingerprint(void)
+{
+	struct seckey skey;
+	struct pubkey pkey;
+	struct sig sig;
+	char buf[512];
+	uint8_t *fp;
+
+	if (seckeyfile &&
+	    get_base64_file(seckeyfile, &skey, sizeof(skey), buf, sizeof(buf)))
+		fp = skey.fingerprint;
+	else if (pubkeyfile &&
+	         get_base64_file(pubkeyfile, &pkey, sizeof(pkey), buf, sizeof(buf)))
+		fp = pkey.fingerprint;
+	else if (sigfile &&
+	         get_base64_file(sigfile, &sig, sizeof(sig), buf, sizeof(buf)))
+		fp = sig.fingerprint;
+	else
+		return 1;
+
+	fprintf(stdout, "%016"PRIx64"\n", fingerprint_u64(fp));
+	return 0;
+}
+
+#ifndef VERIFYONLY
+static void write_file(const char *name, const uint8_t *fingerprint,
+		       const char *prefix, char *buf)
+{
+	FILE *f;
+
+	f = open_file(name, false);
+	fputs("untrusted comment: ", f);
+	if (comment)
+		fputs(comment, f);
+	else
+		fprintf(f, "%s %016"PRIx64, prefix,
+			fingerprint_u64(fingerprint));
+	fprintf(f, "\n%s\n", buf);
+	fclose(f);
+}
+
 static int sign(const char *msgfile)
 {
 	struct seckey skey;
@@ -256,29 +284,6 @@ static int sign(const char *msgfile)
 	return 0;
 }
 
-static int fingerprint(void)
-{
-	struct seckey skey;
-	struct pubkey pkey;
-	struct sig sig;
-	char buf[512];
-	uint8_t *fp;
-
-	if (seckeyfile &&
-	    get_base64_file(seckeyfile, &skey, sizeof(skey), buf, sizeof(buf)))
-		fp = skey.fingerprint;
-	else if (pubkeyfile &&
-	         get_base64_file(pubkeyfile, &pkey, sizeof(pkey), buf, sizeof(buf)))
-		fp = pkey.fingerprint;
-	else if (sigfile &&
-	         get_base64_file(sigfile, &sig, sizeof(sig), buf, sizeof(buf)))
-		fp = sig.fingerprint;
-	else
-		return 1;
-
-	fprintf(stdout, "%016"PRIx64"\n", fingerprint_u64(fp));
-	return 0;
-}
 
 static int generate(void)
 {
@@ -332,6 +337,7 @@ static int generate(void)
 
 	return 0;
 }
+#endif
 
 static int usage(const char *cmd)
 {
@@ -339,17 +345,21 @@ static int usage(const char *cmd)
 		"Usage: %s <command> <options>\n"
 		"Commands:\n"
 		"  -V:			verify (needs at least -m and -p|-P)\n"
-		"  -S:			sign (needs at least -m and -s)\n"
 		"  -F:			print key fingerprint of public/secret key or signature\n"
+#ifndef VERIFYONLY
+		"  -S:			sign (needs at least -m and -s)\n"
 		"  -G:			generate a new keypair (needs at least -p and -s)\n"
+#endif
 		"Options:\n"
+#ifndef VERIFYONLY
 		"  -c <comment>: 	add comment to keys\n"
-		"  -m <file>:		message file\n"
+		"  -s <file>:		secret key file (sign/fingerprint only)\n"
+#endif
+		"  -x <file>:		signature file (defaults to <message file>.sig)\n"
 		"  -p <file>:		public key file (verify/fingerprint only)\n"
 		"  -P <path>:		public key directory (verify only)\n"
+		"  -m <file>:		message file\n"
 		"  -q:			quiet (do not print verification result, use return code only)\n"
-		"  -s <file>:		secret key file (sign/fingerprint only)\n"
-		"  -x <file>:		signature file (defaults to <message file>.sig)\n"
 		"\n",
 		cmd);
 	return 1;
@@ -373,18 +383,23 @@ int main(int argc, char **argv)
 		case 'V':
 			set_cmd(argv[0], CMD_VERIFY);
 			break;
-		case 'S':
-			set_cmd(argv[0], CMD_SIGN);
-			break;
 		case 'F':
 			set_cmd(argv[0], CMD_FINGERPRINT);
 			break;
+#ifndef VERIFYONLY
+		case 'S':
+			set_cmd(argv[0], CMD_SIGN);
+			break;
 		case 'G':
 			set_cmd(argv[0], CMD_GENERATE);
 			break;
 		case 'c':
 			comment = optarg;
 			break;
+#endif
+		case 's':
+			seckeyfile = optarg;
+			break;
 		case 'm':
 			msgfile = optarg;
 			break;
@@ -394,9 +409,6 @@ int main(int argc, char **argv)
 		case 'p':
 			pubkeyfile = optarg;
 			break;
-		case 's':
-			seckeyfile = optarg;
-			break;
 		case 'x':
 			sigfile = optarg;
 			break;
@@ -425,20 +437,22 @@ int main(int argc, char **argv)
 		if ((!pubkeyfile && !pubkeydir) || !msgfile)
 			return usage(argv[0]);
 		return verify(msgfile);
-	case CMD_SIGN:
-		if (!seckeyfile || !msgfile || !sigfile)
-			return usage(argv[0]);
-		return sign(msgfile);
 	case CMD_FINGERPRINT:
 		if (!!seckeyfile + !!pubkeyfile + !!sigfile != 1) {
 			fprintf(stderr, "Need one secret/public key or signature\n");
 			return usage(argv[0]);
 		}
 		return fingerprint();
+#ifndef VERIFYONLY
+	case CMD_SIGN:
+		if (!seckeyfile || !msgfile || !sigfile)
+			return usage(argv[0]);
+		return sign(msgfile);
 	case CMD_GENERATE:
 		if (!seckeyfile || !pubkeyfile)
 			return usage(argv[0]);
 		return generate();
+#endif
 	default:
 		return usage(argv[0]);
 	}
-- 
2.25.1




More information about the openwrt-devel mailing list