Overview
| Comment: | Added working certificate support |
|---|---|
| Downloads: | Tarball | ZIP archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA1: |
3244026fd617fe4f6763765ed5ff9eea |
| User & Date: | rkeene on 2014-11-17 20:37:58.179 |
| Other Links: | manifest | tags |
Context
|
2014-11-17
| ||
| 20:50 | Updated to trim trailing newlines check-in: 3242c8d4d5 user: rkeene tags: trunk | |
| 20:37 | Added working certificate support check-in: 3244026fd6 user: rkeene tags: trunk | |
| 20:37 | Updated to include entire error stack on error for --tcl mode in AppFSd check-in: 4b2e0bf187 user: rkeene tags: trunk | |
Changes
Modified .fossil-settings/ignore-glob
from [efc67b31c0]
to [09c745f86a].
1 2 3 4 5 6 7 | appfsd appfsd.o appfsd.tcl.h sha1.o sha1.tcl.h pki.tcl.h pki.tcl.new | > > | 1 2 3 4 5 6 7 8 9 | appfsd appfsd.o appfsd.tcl.h sha1.o sha1.tcl.h pki.tcl.h pki.tcl.new pki.tcl CA |
Added appfs-cert version [536bd4fe36].
Modified appfsd.tcl
from [2e09ba053f]
to [af3233ef21].
| ︙ | ︙ | |||
20 21 22 23 24 25 26 |
}
}
namespace eval ::appfs {
variable cachedir "/tmp/appfs-cache"
variable ttl 3600
variable nttl 60
| | | 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
}
}
namespace eval ::appfs {
variable cachedir "/tmp/appfs-cache"
variable ttl 3600
variable nttl 60
variable trusted_cas [list]
proc _hash_sep {hash {seps 4}} {
for {set idx 0} {$idx < $seps} {incr idx} {
append retval "[string range $hash [expr {$idx * 2}] [expr {($idx * 2) + 1}]]/"
}
append retval "[string range $hash [expr {$idx * 2}] end]"
|
| ︙ | ︙ | |||
93 94 95 96 97 98 99 |
if {![regexp {^[0-9a-f]*$} $value]} {
return false
}
return true
}
| | > > > > > > > > > > > > > > > > > > > > | 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 |
if {![regexp {^[0-9a-f]*$} $value]} {
return false
}
return true
}
proc _verifySignatureAndCertificate {hostname certificate signature hash} {
set certificate [binary format "H*" $certificate]
set signature [binary format "H*" $signature]
set certificate [::pki::x509::parse_cert $certificate]
array set certificate_arr $certificate
set certificate_cn [::pki::x509::_dn_to_cn $certificate_arr(subject)]
if {![::pki::verify $signature "$hash,sha1" $certificate]} {
return false
}
if {[string tolower $certificate_cn] != [string tolower $hostname]} {
return false
}
if {![::pki::x509::verify_cert $certificate $::appfs::trusted_cas]} {
return false
}
return true
}
proc _normalizeOS {os} {
set os [string tolower [string trim $os]]
switch -- $os {
|
| ︙ | ︙ | |||
148 149 150 151 152 153 154 |
}
proc init {} {
if {[info exists ::appfs::init_called]} {
return
}
| | > > | > > > > > > > > > > > > > > > > > > > > > > > > > > | 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 |
}
proc init {} {
if {[info exists ::appfs::init_called]} {
return
}
# Force [parray] and [clock] to be loaded
catch {
parray does_not_exist
}
catch {
clock seconds
}
catch {
clock add [clock seconds] 3 seconds
}
set ::appfs::init_called 1
# Add a default CA to list of trusted CAs
lappend ::appfs::trusted_cas [::pki::x509::parse_cert {
-----BEGIN CERTIFICATE-----
MIIC7DCCAdSgAwIBAgIBATANBgkqhkiG9w0BAQUFADAvMRIwEAYDVQQKEwlSb3kg
S2VlbmUxGTAXBgNVBAMTEEFwcEZTIEtleSBNYXN0ZXIwHhcNMTQxMTE3MjAxNzI4
WhcNMTkxMTE3MjAxNzI4WjAvMRIwEAYDVQQKEwlSb3kgS2VlbmUxGTAXBgNVBAMT
EEFwcEZTIEtleSBNYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCq6uSK46yG5b6RJWwRlvw5glAnjsc1GiX3duXA0vG4qnKUnDtl/jcMmq2GMOB9
Iy1tjabEHA0MhW2j7Vwe/O9MLFJkJ30M1PVD7YZRRNaAsz3UWIKEjPI7BBc32KOm
BL3CTXCCdzllL1HhVbnM5iCAmgHcg1DUk/EvWXvnEDxXRy2lV9mQsmDedrffY7Wl
Or57nlczaMuPLpyRSkv75PAnjQJxT3sWlBpy+/H9ImudQdpJNf/FtxcqN7iDwH5B
vIceYEtDVxFsvo5HOVkSl9jeo5E4Gpe3wyfRhoqB2UkaW1Kq0iH5R+00S760xQMx
LL9L1duhu1dL7HsmEw7IeYURAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
KoZIhvcNAQEFBQADggEBAKhO4ZSzYP37BqixNHKK9+gSeC6Fga85iLWhwpPW0kSl
z03hal80KZ+kPMzb8C52N283tQNAqJ9Q8akDPZxSzzMUVOGpGw2pJ7ZswKDz0ZTa
0edq/gdT/HrdegvNtDPc2jona5FVOYqwdcz5kbl1UWBaBp3VXUgcYjXSRaBK43Wd
cveiDUeZw7gHqRSN/AyYUCtJzWmvGsJuIFhMBonuz8jylhyMJCYJFT4iMUC8MNIw
niX1xx+Nu6fPV5ZZHj9rbhiBaLjm+tkDwtPgA3j2pxvHKYptuWxeYO+9DDNa9sCb
E5AnJIlOnd/tGe0Chf0sFQg+l9nNiNrWGgzdd9ZPJK4=
-----END CERTIFICATE-----
}]
# Load configuration file
set config_file [file join $::appfs::cachedir config]
if {[file exists $config_file]} {
source $config_file
}
|
| ︙ | ︙ | |||
239 240 241 242 243 244 245 |
set indexhashcert [lindex $indexhash_data 2]
set indexhashsig [lindex $indexhash_data 3]
if {![_isHash $indexhash]} {
return -code error "Invalid hash: $indexhash"
}
| | | 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 |
set indexhashcert [lindex $indexhash_data 2]
set indexhashsig [lindex $indexhash_data 3]
if {![_isHash $indexhash]} {
return -code error "Invalid hash: $indexhash"
}
if {![_verifySignatureAndCertificate $hostname $indexhashcert $indexhashsig $indexhash]} {
return -code error "Invalid signature or certificate from $hostname"
}
set file [download $hostname $indexhash]
set fd [open $file]
set data [read $fd]
close $fd
|
| ︙ | ︙ |