Merge pull request #1222 from alorbach/ksi-i1206

Ksi i1206

runtime/librsgt.c

@@ -615,6 +615,8 @@ int
 tlvOpen(gtfile gf, char *hdr, unsigned lenHdr)
 {
 	int r = 0;
+	struct stat stat_st;
+
 	gf->fd = open((char*)gf->sigfilename,
 		       O_WRONLY|O_APPEND|O_NOCTTY|O_CLOEXEC, 0600);
 	if(gf->fd == -1) {
@@ -625,10 +627,27 @@ tlvOpen(gtfile gf, char *hdr, unsigned lenHdr)
 			r = RSGTE_IO;
 			goto done;
 		}
+
+		/* Write fileHeader */
 		memcpy(gf->tlvBuf, hdr, lenHdr);
 		gf->tlvIdx = lenHdr;
 	} else {
-		gf->tlvIdx = 0; /* header already present! */
+		/* Get FileSize from existing ksisigfile */
+		if(fstat(gf->fd, &stat_st) == -1) {
+			reportErr(gf->ctx, "tlvOpen: can not stat file");
+			r = RSGTE_IO;
+			goto done;
+		}
+
+		/* Check if size is above header length. */
+		if(stat_st.st_size > 0) {
+			/* header already present! */
+			gf->tlvIdx = 0;
+		} else {
+			/* Write fileHeader */
+			memcpy(gf->tlvBuf, hdr, lenHdr);
+			gf->tlvIdx = lenHdr;
+		}
 	}
 	/* we now need to obtain the last previous hash, so that
 	 * we can continue the hash chain. We do not check for error

runtime/librsksi.c

@@ -682,6 +682,8 @@ static int
 tlvOpenKSI(ksifile ksi, const char *const hdr, unsigned lenHdr)
 {
 	int r = 0;
+	struct stat stat_st;
+
 	ksi->fd = open((char*)ksi->sigfilename,
 		       O_WRONLY|O_APPEND|O_NOCTTY|O_CLOEXEC, 0600);
 	if(ksi->fd == -1) {
@@ -692,10 +694,27 @@ tlvOpenKSI(ksifile ksi, const char *const hdr, unsigned lenHdr)
 			r = RSGTE_IO;
 			goto done;
 		}
+
+		/* Write fileHeader */
 		memcpy(ksi->tlvBuf, hdr, lenHdr);
 		ksi->tlvIdx = lenHdr;
 	} else {
-		ksi->tlvIdx = 0; /* header already present! */
+		/* Get FileSize from existing ksisigfile */
+		if(fstat(ksi->fd, &stat_st) == -1) {
+			reportErr(ksi->ctx, "tlvOpenKSI: can not stat file");
+			r = RSGTE_IO;
+			goto done;
+		}
+
+		/* Check if size is above header length. */
+		if(stat_st.st_size > 0) {
+			/* header already present! */
+			ksi->tlvIdx = 0;
+		} else {
+			/* Write fileHeader */
+			memcpy(ksi->tlvBuf, hdr, lenHdr);
+			ksi->tlvIdx = lenHdr;
+		}
 	}
 	/* we now need to obtain the last previous hash, so that
 	 * we can continue the hash chain. We do not check for error

runtime/librsksi.h

@@ -28,9 +28,6 @@ typedef enum KSI_HashAlgorithm_en KSI_HashAlgorithm;
  * cases ;) [and 64 is not really a waste of memory, so we do not even
  * try to work with reallocs and such...]
  */
-/*#define MAX_ROOTS 64
-#define LOGSIGHDR "LOGSIG10"
-*/ 
 
 /* context for gt calls. This primarily serves as a container for the
  * config settings. The actual file-specific data is kept in ksifile.
@@ -207,6 +204,7 @@ int verifySigblkFinish(ksifile ksi, KSI_DataHash **pRoot);
 int verifySigblkFinishChain(ksifile ksi, block_hashchain_t *hashchain, KSI_DataHash **pRoot, ksierrctx_t *ectx); 
 void outputHash(FILE *fp, const char *hdr, const uint8_t *data, const uint16_t len, const uint8_t verbose); 
 void outputKSIHash(FILE *fp, const char *hdr, const KSI_DataHash *const __restrict__ hash, const uint8_t verbose); 
+int rsksi_setDefaultConstraint(ksifile ksi, char *stroid, char *strvalue);
 
 /* TODO: replace these? */
 int hash_m_ksi(ksifile ksi, KSI_DataHash **m);

runtime/librsksi_read.c

@@ -1371,6 +1371,34 @@ rsksi_getExcerptBlockParams(FILE *fp, uint8_t bRewind, block_sig_t **bs, block_h
 	return r;
 }
 
+/**
+*	Set Default Constrain parameters
+*/
+int 
+rsksi_setDefaultConstraint(ksifile ksi, char *stroid, char *strvalue)
+{
+	int ksistate;
+	int r = RSGTE_SUCCESS;
+
+	/* Create and set default CertConstraint */
+	const KSI_CertConstraint pubFileCertConstr[] = {
+			{ stroid, strvalue},
+			{ NULL, NULL }
+	};
+
+	if(rsksi_read_debug) { printf("rsksi_setDefaultConstraint:\t\t Setting OID='%s' to '%s' \n", stroid, strvalue); }
+
+	ksistate = KSI_CTX_setDefaultPubFileCertConstraints(ksi->ctx->ksi_ctx, pubFileCertConstr);
+	if (ksistate != KSI_OK) {
+		fprintf(stderr, "rsksi_setDefaultConstraint:\t\t\t Unable to configure publications file cert constraints %s=%s.\n", stroid, strvalue);
+		r = RSGTE_IO;
+		goto done;
+	}
+done:
+	return r;
+}
+
+
 /**
  * Read the file header and compare it to the expected value.
  * The file pointer is placed right after the header.

tests/Makefile.am

@@ -239,6 +239,8 @@ if ENABLE_GT_KSI
 TESTS +=  \
 	ksi-verify-short.sh \
 	ksi-verify-long.sh \
+	ksi-verify-cnstr-short.sh \
+	ksi-verify-cnstr-long.sh \
 	ksi-extract-verify-short.sh \
 	ksi-extract-verify-long.sh 
 if HAVE_VALGRIND
@@ -1294,6 +1296,8 @@ EXTRA_DIST= \
 	ksi-verify-long.sh \
 	ksi-extract-verify-short.sh \
 	ksi-extract-verify-long.sh \
+	ksi-verify-cnstr-short.sh \
+	ksi-verify-cnstr-long.sh \
 	ksi-verify-short-vg.sh \
 	ksi-verify-long-vg.sh \
 	ksi-extract-verify-short-vg.sh \

tests/ksi-verify-cnstr-long.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# rsgtutil utility test 
+#	Verifies sample logdata against public ksi verification repository. 
+#	Adds --cnstr parameter 
+#
+# This file is part of the rsyslog project, released under ASL 2.0
+#
+# Copyright 2016 Rainer Gerhards and Adiscon GmbH.
+RSYSLOG_KSI_BIN="http://verify.guardtime.com/ksi-publications.bin"
+RSYSLOG_KSI_DEBUG="--show-verified"
+RSYSLOG_KSI_LOG="ksi-sample.log"
+
+echo \[ksi-verify-cnstr-long.sh\]: testing rsgtutil verify function \(With cnstr param\) - long options
+. $srcdir/diag.sh init
+
+echo "running rsgtutil command with long options"
+../tools/rsgtutil $RSYSLOG_KSI_DEBUG --verify --publications-server $RSYSLOG_KSI_BIN --cnstr KSI_CERT_EMAIL=publications@guardtime.com $srcdir/testsuites/$RSYSLOG_KSI_LOG
+
+RSYSLOGD_EXIT=$?
+if [ "$RSYSLOGD_EXIT" -ne "0" ]; then	# EX_OK
+	if [ "$RSYSLOGD_EXIT" -eq "69" ]; then	# EX_UNAVAILABLE
+		echo "[ksi-verify-cnstr-long.sh]: rsgtutil verify failed with service unavailable (does not generate an error)"
+		exit 77;
+	else
+		echo "[ksi-verify-cnstr-long.sh]: rsgtutil verify failed with error: " $RSYSLOGD_EXIT
+		exit 1;
+	fi 
+fi
+
+# Cleanup temp files
+rm -f rsgtutil.out*.log 
+
+echo SUCCESS: rsgtutil verify function \(With cnstr param\) - long options

tests/ksi-verify-cnstr-short.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# rsgtutil utility test 
+#	Verifies sample logdata against public ksi verification repository. 
+#	Adds -C parameter 
+#
+# This file is part of the rsyslog project, released under ASL 2.0
+#
+# Copyright 2016 Rainer Gerhards and Adiscon GmbH.
+RSYSLOG_KSI_BIN="http://verify.guardtime.com/ksi-publications.bin"
+RSYSLOG_KSI_DEBUG="-s"
+RSYSLOG_KSI_LOG="ksi-sample.log"
+
+echo \[ksi-verify-cnstr-short.sh\]: testing rsgtutil verify function \(With cnstr param\) - short options
+. $srcdir/diag.sh init
+
+echo "running rsgtutil command with short options"
+../tools/rsgtutil $RSYSLOG_KSI_DEBUG -t -P $RSYSLOG_KSI_BIN -C KSI_CERT_EMAIL=publications@guardtime.com $srcdir/testsuites/$RSYSLOG_KSI_LOG
+
+RSYSLOGD_EXIT=$?
+if [ "$RSYSLOGD_EXIT" -ne "0" ]; then	# EX_OK
+	if [ "$RSYSLOGD_EXIT" -eq "69" ]; then	# EX_UNAVAILABLE
+		echo "[ksi-verify-cnstr-short.sh]: rsgtutil verify failed with service unavailable (does not generate an error)"
+		exit 77;
+	else
+		echo "[ksi-verify-cnstr-short.sh]: rsgtutil verify failed with error: " $RSYSLOGD_EXIT
+		exit 1;
+	fi 
+fi
+
+# Cleanup temp files
+rm -f rsgtutil.out*.log 
+
+echo SUCCESS: rsgtutil verify function \(With cnstr param\) - short options

tools/rsgtutil.c

@@ -55,11 +55,15 @@ static enum { FILEMODE_LOGSIG, FILEMODE_RECSIG } filemode = FILEMODE_LOGSIG;
 static enum { API_GT, API_KSI } apimode = API_GT;
 static int verbose = 0;
 static int debug = 0; 
+/* Helper variables for VERIFY Mode */
+char *constraint_oid = NULL;
+char *constraint_value = NULL;
 /* Helper variables for EXTRACT Mode */
 static int append = 0;
 char *outputfile = NULL;
 const char *linenumbers = "";
 
+
 #ifdef ENABLEGT
 static void
 dumpFile(const char *name)
@@ -769,6 +773,13 @@ verifyKSI(const char *name, char *errbuf, char *sigfname, char *oldsigfname, cha
 		goto done;
 	}
 
+	/* Check if we have a logsignature file */
+	if (constraint_oid != NULL && constraint_value != NULL) {
+		if((r = rsksi_setDefaultConstraint(ksi, constraint_oid, constraint_value)) != 0) {
+			goto done;
+		}
+	}
+
 	/* Check if we have a logsignature file */
 	if((r = rsksi_chkFileHdr(sigfp, (char*)"LOGSIG11", 0)) == 0) {
 		/* Verify Log signature */
@@ -1764,6 +1775,7 @@ static struct option long_options[] =
 	{"extract", required_argument, NULL, 'x'},
 	{"output", required_argument, NULL, 'o'},
 	{"append", no_argument, NULL, 'A'},
+	{"cnstr", required_argument, NULL, 'C'},
 	{NULL, 0, NULL, 0} 
 }; 
 
@@ -1773,28 +1785,29 @@ rsgtutil_usage(void)
 {
 	fprintf(stderr, "usage: rsgtutil [options]\n"
 			"Use \"man rsgtutil\" for more details.\n\n"
-			"\t-h, --help \t\t\t Show this help.\n"
-			"\t-D, --dump \t\t\t dump operations mode.\n"
-			"\t-t, --verify \t\t\t Verify operations mode.\n"
-			"\t-e, --extend \t\t\t Extends the RFC3161 signatures.\n"
-			"\t-x, --extract <LINENUMBERS> \t\t\t Extract these linenumbers including signatures.\n"
-			"\t-B, --show-sigblock-params \t Show signature block parameters.\n"
-			"\t-T, --detect-file-type \t Show Type of signature file.\n"
-			"\t-c, --convert \t\t\t Convert Signature Format Version 10 to 11.\n"
-			"\t-V, --version \t\t\t Print utility version\n"
+			"\t-h, --help \t\t\t\t Show this help.\n"
+			"\t-D, --dump \t\t\t\t dump operations mode.\n"
+			"\t-t, --verify \t\t\t\t Verify operations mode.\n"
+			"\t-e, --extend \t\t\t\t Extends the RFC3161 signatures.\n"
+			"\t-x, --extract <LINENUMBERS> \t\t Extract these linenumbers including signatures.\n"
+			"\t-B, --show-sigblock-params \t\t Show signature block parameters.\n"
+			"\t-T, --detect-file-type \t\t\t Show Type of signature file.\n"
+			"\t-c, --convert \t\t\t\t Convert Signature Format Version 10 to 11.\n"
+			"\t-V, --version \t\t\t\t Print utility version\n"
 			"\t\tOptional parameters\n"
-			"\t-a <GT|KSI>, --api  <GT|KSI> \t Set which API to use.\n"
+			"\t-a <GT|KSI>, --api  <GT|KSI> \t\t Set which API to use.\n"
 			"\t\tGT = Guardtime Client Library\n"
 			"\t\tKSI = Guardtime KSI Library\n"
-			"\t-s, --show-verified \t\t Also show correctly verified blocks.\n"
+			"\t-s, --show-verified \t\t\t Also show correctly verified blocks.\n"
 			"\t-P <URL>, --publications-server <URL> \t Sets the publications server.\n"
 			"\t-E <URL>, --extend-server <URL> \t Sets the extension server.\n"
-			"\t-u <USERID>, --userid <USERID> \t Sets the userid used (Needed for the extension server).\n"
+			"\t-u <USERID>, --userid <USERID> \t\t Sets the userid used (Needed for the extension server).\n"
 			"\t-k <USERKEY>, --userkey <USERKEY> \t Sets the userkey used (Needed for the extension server).\n"
 			"\t-o <FILENAME>, --output <FILENAME> \t Sets an output filename (EXTRACT Mode only).\n"
-			"\t-A, --append \t\t\t Append extracted output to file (EXTRACT Mode only).\n"
-			"\t-v, --verbose \t\t\t Verbose output.\n"
-			"\t-d, --debug \t\t\t Debug (developer) output.\n"
+			"\t-A, --append \t\t\t\t Append extracted output to file (EXTRACT Mode only).\n"
+			"\t-C <oid>=<value>, --cnstr <oid>=<value>\t Specify the OID of the PKI certificate field (e.g. e-mail address) and the expected value.\n"
+			"\t-v, --verbose \t\t\t\t Verbose output.\n"
+			"\t-d, --debug \t\t\t\t Debug (developer) output.\n"
 			);
 }
 
@@ -1805,7 +1818,7 @@ main(int argc, char *argv[])
 	int opt;
 
 	while(1) {
-		opt = getopt_long(argc, argv, "a:ABcdDeE:hk:o:P:stTu:vVx:", long_options, NULL);
+		opt = getopt_long(argc, argv, "a:ABcC:dDeE:hk:o:P:stTu:vVx:", long_options, NULL);
 		if(opt == -1)
 			break;
 		switch(opt) {
@@ -1904,6 +1917,76 @@ main(int argc, char *argv[])
 		case 'A':
 			append = 1;
 			break;
+		case 'C':
+#ifdef ENABLEKSI
+			if (strlen(optarg) > 0 && (strchr(optarg, '=') != NULL)) {
+				/* Get pos of = */ 
+				char* pszTmp = optarg;
+				i = 0; /* Reset */
+
+				while(pszTmp != NULL) {
+					if ( *(pszTmp) == '=' ) {
+						/* Extract pszOID */
+						constraint_oid = malloc( i + 1 ); 
+						strncpy(constraint_oid, optarg, i);
+						*(constraint_oid+i) = '\0'; 
+
+						/* Extract pszValue */
+						constraint_value = malloc( strlen(pszTmp) + 1 ); 
+						pszTmp++;
+						strncpy(constraint_value, pszTmp, strlen(pszTmp));
+						*(constraint_value+strlen(pszTmp)) = '\0'; 
+						break; 
+					}
+
+					pszTmp++; /* Next Char*/
+					i++; /* Increment Count */
+				}
+
+				if (constraint_oid == NULL || constraint_value == NULL) {
+					/* Free mem */
+					if (constraint_oid != NULL) { free(constraint_oid); constraint_oid = NULL; }
+					if (constraint_value != NULL) { free(constraint_value); constraint_value = NULL; } 
+
+					fprintf(stderr, "--cnstr:\t\t\t error missing oid or value\n");
+					return 1;
+				} else {
+					fprintf(stderr, "--cnstr= oid='%s' value='%s' \n", constraint_oid, constraint_value );
+
+					/* Check for constraint aliases */
+					if(		strcmp(constraint_oid, "E") == 0 || 
+							strcmp(constraint_oid, "email") == 0 ||
+							strcmp(constraint_oid, "1.2.840.113549.1.9.1") == 0) {
+						free(constraint_oid);
+						constraint_oid = KSI_CERT_EMAIL;
+					}
+					else if(strcmp(constraint_oid, "CN") == 0 || 
+							strcmp(constraint_oid, "cname") == 0 ||
+							strcmp(constraint_oid, "2.5.4.3") == 0) {
+						free(constraint_oid);
+						constraint_oid = KSI_CERT_COMMON_NAME; 
+					}
+					else if(strcmp(constraint_oid, "C") == 0 || 
+							strcmp(constraint_oid, "country") == 0 ||
+							strcmp(constraint_oid, "2.5.4.6") == 0) {
+						free(constraint_oid);
+						constraint_oid = KSI_CERT_COUNTRY; 
+					}
+					else if(strcmp(constraint_oid, "O") == 0 || 
+							strcmp(constraint_oid, "org") == 0 ||
+							strcmp(constraint_oid, "2.5.4.10") == 0) {
+						free(constraint_oid);
+						constraint_oid = KSI_CERT_ORGANIZATION; 
+					}
+				}
+			} else {
+				fprintf(stderr, "--cnstr:\t\t\t error invalid constrain parameter\n");
+				return 1;
+			}
+#else 
+			fprintf(stderr, "--cnstr only with ksi library supported\n" );
+#endif
+			break;
 		case 'h':
 		case '?':
 			rsgtutil_usage();