From 7192e52fa1c02d648f9567184da5f8efd5a9f513 Mon Sep 17 00:00:00 2001
From: Morten Linderud
Date: Wed, 2 Jun 2021 21:38:23 +0200
Subject: [PATCH] keys: Move from sbsigntools to go-uefi

Signed-off-by: Morten Linderud
---
 go.mod | 2 +-
 go.sum | 5 +++++
 keys.go | 51 ++++++++++++++++++++++++++++++++++++++++++++-------
 3 files changed, 50 insertions(+), 8 deletions(-)

diff --git a/go.mod b/go.mod
index 3eca5c6..b865eea 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.15
 require (
 	github.com/anatol/vmtest v0.0.0-20210225191124-26540db15d49
 	github.com/fatih/color v1.11.0
-	github.com/foxboron/go-uefi v0.0.0-20210529141219-efd3747ccc2a
+	github.com/foxboron/go-uefi v0.0.0-20210602193603-8589bbab9380
 	github.com/google/uuid v1.1.1
 	github.com/spf13/cobra v1.0.0
 	golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
diff --git a/go.sum b/go.sum
index db91cdc..e66f775 100644
--- a/go.sum
+++ b/go.sum
@@ -24,6 +24,10 @@ github.com/fatih/color v1.11.0 h1:l4iX0RqNnx/pU7rY2DB/I+znuYY0K3x6Ywac6EIr0PA=
 github.com/fatih/color v1.11.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
 github.com/foxboron/go-uefi v0.0.0-20210529141219-efd3747ccc2a h1:zgWbnr42UqgbdTAwLAabeqKe6ngZObnOFfTSdG0IeH8=
 github.com/foxboron/go-uefi v0.0.0-20210529141219-efd3747ccc2a/go.mod h1:XNONgjPFFVVcYAMAXvW06XCHZqdaXeCGqeS7o19LbN0=
+github.com/foxboron/go-uefi v0.0.0-20210529162927-64271cb1bb37 h1:H1mJPtjJleczgRuWvOREaF764tQCTVB5bOHAcqdKYj4=
+github.com/foxboron/go-uefi v0.0.0-20210529162927-64271cb1bb37/go.mod h1:XNONgjPFFVVcYAMAXvW06XCHZqdaXeCGqeS7o19LbN0=
+github.com/foxboron/go-uefi v0.0.0-20210602193603-8589bbab9380 h1:D8hRHRCC/jFjOg0alhvQo2unG/HU/qZFbhLvRJPo21I=
+github.com/foxboron/go-uefi v0.0.0-20210602193603-8589bbab9380/go.mod h1:bLcrn48nYQOkijhTK2iQw1MjXbBqJTG0k8RP6ww+CGQ=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
@@ -141,6 +145,7 @@ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
diff --git a/keys.go b/keys.go
index ae92611..af2d14c 100644
--- a/keys.go
+++ b/keys.go
@@ -11,11 +11,12 @@ import (
 	"fmt"
 	"math/big"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"time"
 
 	"github.com/foxboron/go-uefi/efi"
+	"github.com/foxboron/go-uefi/efi/pecoff"
+	"github.com/foxboron/go-uefi/efi/pkcs7"
 	"github.com/foxboron/go-uefi/efi/signature"
 	"github.com/foxboron/go-uefi/efi/util"
 	"golang.org/x/sys/unix"
@@ -125,13 +126,30 @@ func VerifyFile(cert, file string) (bool, error) {
 		return false, fmt.Errorf("couldn't access %s: %w", cert, err)
 	}
 
-	cmd := exec.Command("sbverify", "--cert", cert, file)
-	if err := cmd.Run(); err != nil {
-		if exitError, ok := err.(*exec.ExitError); ok {
-			return exitError.ExitCode() == 0, nil
+	peFile, err := os.ReadFile(file)
+	if err != nil {
+		return false, err
+	}
+
+	x509Cert := util.ReadCertFromFile(cert)
+	sigs, err := pecoff.GetSignatures(peFile)
+	if err != nil {
+		return false, err
+	}
+	if len(sigs) == 0 {
+		return false, nil
+	}
+	for _, signature := range sigs {
+		ok, err := pkcs7.VerifySignature(x509Cert, signature.Certificate)
+		if err != nil {
+			return false, err
+		}
+		if ok {
+			return true, nil
 		}
 	}
-	return true, nil
+	// If we come this far we haven't found a signature that matches the cert
+	return false, nil
 }
 
 var ErrAlreadySigned = errors.New("already signed file")
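Review bot: The loop variable in `for _, signature := range sigs` shadows the `github.com/foxboron/go-uefi/efi/signature` package that this file still imports, which compiles but misleads readers and blocks any use of that package inside the loop; rename it, e.g. `for _, s := range sigs {` and `ok, err := pkcs7.VerifySignature(x509Cert, s.Certificate)`. `x509Cert := util.ReadCertFromFile(cert)` has no failure check, so an unparsable certificate file presumably reaches `pkcs7.VerifySignature` as nil — confirm how that helper reports errors and return before the loop when it fails. `pkcs7.VerifySignature` receives only the signer certificate and the embedded signature, not `peFile` or its digest, so unless that helper recomputes the image hash itself the result is not bound to this file's contents; the replaced `sbverify` call did that binding, so it is worth confirming and stating in a comment on the call. Returning `false, err` on the first entry that fails to verify also aborts even when a later entry in `sigs` would match, which may be intended but differs from what a multi-signed image got before. Separately, `os.ReadFile` (here and in SignFile) exists only from Go 1.16, while the go.mod hunk still declares `go 1.15`.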
@@ -161,10 +179,29 @@ func SignFile(key, cert, file, output, checksum string) error {
 		return fmt.Errorf("couldn't access %s: %w", key, err)
 	}
 
-	_, err = exec.Command("sbsign", "--key", key, "--cert", cert, "--output", output, file).Output()
+	// We want to write the file back with correct permissions
+	si, err := os.Stat(file)
 	if err != nil {
 		return fmt.Errorf("failed signing file: %w", err)
 	}
+
+	peFile, err := os.ReadFile(file)
+	if err != nil {
+		return err
+	}
+
+	Cert := util.ReadCertFromFile(cert)
+	Key := util.ReadKeyFromFile(key)
+
+	ctx := pecoff.PECOFFChecksum(peFile)
+
+	sig := pecoff.CreateSignature(ctx, Cert, Key)
+
+	b := pecoff.AppendToBinary(ctx, sig)
+	if err = os.WriteFile(file, b, si.Mode()); err != nil {
+		return err
+	}
+
 	return nil
 }
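Review bot: `os.WriteFile(file, b, si.Mode())` writes the signed image back over the input path and the `output` parameter is no longer referenced anywhere in the function, whereas the replaced `sbsign --output output` call wrote to `output`; a caller passing a distinct output path now gets its input overwritten and nothing at `output`. A plain WriteFile over a boot binary is also not atomic, so an interrupted run leaves a truncated EFI image in place; staging the result in the destination directory and renaming it over `output` avoids that, as in the sketch below (`path/filepath` is already imported). The comment `// We want to write the file back with correct permissions` only holds when a new file is created (WriteFile keeps an existing file's mode), and the `os.Stat` failure is reported as `"failed signing file"`, which hides what actually failed. `Cert` and `Key` are capitalised locals that read like exported names, and both are passed to `pecoff.CreateSignature` without checking the helpers' failure result — confirm what `util.ReadCertFromFile`/`util.ReadKeyFromFile` return for an unreadable or unparsable file and fail before signing. SignFile's signature and its earlier checks start outside the hunk.
```go
	b := pecoff.AppendToBinary(ctx, sig)

	// Stage the signed image next to its destination and rename it into
	// place, so an interrupted run never leaves a truncated binary at output.
	tmp, err := os.CreateTemp(filepath.Dir(output), ".signed-*")
	if err != nil {
		return fmt.Errorf("creating temporary file for %s: %w", output, err)
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	if _, err := tmp.Write(b); err != nil {
		tmp.Close()
		return fmt.Errorf("writing signed image: %w", err)
	}
	// CreateTemp uses 0600; carry the input's mode over explicitly.
	if err := tmp.Chmod(si.Mode()); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), output)
```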