1 #!/usr/perl5/bin/perl
2 #
3 # CDDL HEADER START
4 #
5 # The contents of this file are subject to the terms of the
6 # Common Development and Distribution License (the "License").
7 # You may not use this file except in compliance with the License.
8 #
9 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 # or http://www.opensolaris.org/os/licensing.
11 # See the License for the specific language governing permissions
12 # and limitations under the License.
13 #
14 # When distributing Covered Code, include this CDDL HEADER in each
15 # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 # If applicable, add the following below this CDDL HEADER, with the
17 # fields enclosed by brackets "[]" replaced with your own identifying
18 # information: Portions Copyright [yyyy] [name of copyright owner]
19 #
20 # CDDL HEADER END
21 #
22 #
23 # ident "%Z%%M% %I% %E% SMI"
24 #
25 # Copyright 2007 Sun Microsystems, Inc. All rights reserved.
26 # Use is subject to license terms.
27 #
28
29 # Server program for code signing server
30 #
31 # This program implements an ssh-based service to add digital
32 # signatures to files. The sshd_config file on the server
33 # contains an entry like the following to invoke this program:
34 #
35 # Subsystem codesign /opt/signing/bin/server
36 #
37 # The client program sends a ZIP archive of the file to be
38 # signed along with the name of a signing credential stored
39 # on the server. Each credential is a directory containing
40 # a public-key certificate, private key, and a script to
41 # perform the appropriate signing operation.
42 #
43 # This program unpacks the input ZIP archive, invokes the
44 # signing script for the specified credential, and sends
45 # back an output ZIP archive, which typically contains the
46 # (modified) input file but may also contain additional
47 # files created by the signing script.
48
49 use strict;
50 use File::Temp 'tempdir';
51 use File::Path;
52
53 my $Base = "/opt/signing";
54 my $Tmpdir = tempdir(CLEANUP => 1); # Temporary directory
55 my $Session = $$;
56
57 #
58 # Main program
59 #
60
61 # Set up
62 open(AUDIT, ">>$Base/audit/log");
63 $| = 1; # Flush output on every write
64
65 # Record user and client system
66 my $user = `/usr/ucb/whoami`;
67 chomp($user);
68 my ($client) = split(/\s/, $ENV{SSH_CLIENT});
69 audit("START User=$user Client=$client");
70
71 # Process signing requests
72 while (<STDIN>) {
73 if (/^SIGN (\d+) (\S+) (\S+)/) {
74 sign($1, $2, $3);
75 } else {
76 abnormal("WARNING Unknown command");
77 }
78 }
79 exit(0);
80
81 #
82 # get_credential(name)
83 #
84 # Verify that the user is allowed to use the named credential and
85 # return the path to the credential directory. If the user is not
86 # authorized to use the credential, return undef.
87 #
88 sub get_credential {
89 my $name = shift;
90 my $dir;
91
92 $dir = "$Base/cred/$2";
93 if (!open(F, "<$dir/private")) {
94 abnormal("WARNING Credential $name not available");
95 $dir = undef;
96 }
97 close(F);
98 return $dir;
99 }
100
101 #
102 # sign(size, cred, path)
103 #
104 # Sign an individual file.
105 #
106 sub sign {
107 my ($size, $cred, $path) = @_;
108 my ($cred_dir, $msg);
109
110 # Read input file
111 recvfile("$Tmpdir/in.zip", $size) || return;
112
113 # Check path for use of .. or absolute pathname
114 my @comp = split(m:/:, $path);
115 foreach my $elem (@comp) {
116 if ($elem eq "" || $elem eq "..") {
117 abnormal("WARNING Invalid path $path");
118 return;
119 }
120 }
121
122 # Get credential directory
123 $cred_dir = get_credential($cred) || return;
124
125 # Create work area
126 rmtree("$Tmpdir/reloc");
127 mkdir("$Tmpdir/reloc");
128 chdir("$Tmpdir/reloc");
129
130 # Read and unpack input ZIP archive
131 system("/usr/bin/unzip -qo ../in.zip $path");
132
133 # Sign input file using credential-specific script
134 $msg = `cd $cred_dir; ./sign $Tmpdir/reloc/$path`;
135 if ($? != 0) {
136 chomp($msg);
137 abnormal("WARNING $msg");
138 return;
139 }
140
141 # Pack output file(s) in ZIP archive and return
142 unlink("../out.zip");
143 system("/usr/bin/zip -qr ../out.zip .");
144 chdir($Tmpdir);
145 my $hash = `digest -a md5 $Tmpdir/reloc/$path`;
146 sendfile("$Tmpdir/out.zip", $path) || return;
147
148 # Audit successful signing
149 chomp($hash);
150 audit("SIGN $path $cred $hash");
151 }
152
153 #
154 # sendfile(file, path)
155 #
156 # Send a ZIP archive to the client. This involves sending
157 # an OK SIGN response that includes the file size, followed by
158 # the contents of the archive itself.
159 #
160 sub sendfile {
161 my ($file, $path) = @_;
162 my ($size, $bytes);
163
164 $size = -s $file;
165 if (!open(F, "<$file")) {
166 abnormal("ERROR Internal read error");
167 return (0);
168 }
169 read(F, $bytes, $size);
170 close(F);
171 print "OK SIGN $size $path\n";
172 syswrite(STDOUT, $bytes, $size);
173 return (1);
174 }
175
176 #
177 # recvfile(file, size)
178 #
179 # Receive a ZIP archive from the client. The caller
180 # provides the size argument previously obtained from the
181 # client request.
182 #
183 sub recvfile {
184 my ($file, $size) = @_;
185 my $bytes;
186
187 if (!read(STDIN, $bytes, $size)) {
188 abnormal("ERROR No input data");
189 return (0);
190 }
191 if (!open(F, ">$file")) {
192 abnormal("ERROR Internal write error");
193 return (0);
194 }
195 syswrite(F, $bytes, $size);
196 close(F);
197 return (1);
198 }
199
200 #
201 # audit(msg)
202 #
203 # Create an audit record. All records have this format:
204 # [date] [time] [session] [keyword] [other parameters]
205 # The keywords START and END mark the boundaries of a session.
206 #
207 sub audit {
208 my ($msg) = @_;
209 my ($sec, $min, $hr, $day, $mon, $yr) = localtime(time);
210 my $timestamp = sprintf("%04d-%02d-%02d %02d:%02d:%02d",
211 $yr+1900, $mon+1, $day, $hr, $min, $sec);
212
213 print AUDIT "$timestamp $Session $msg\n";
214 }
215
216 #
217 # abnormal(msg)
218 #
219 # Respond to an abnormal condition, which may be fatal (ERROR) or
220 # non-fatal (WARNING). Send the message to the audit error log
221 # and to the client program. Exit in case of fatal errors.
222 #
223 sub abnormal {
224 my $msg = shift;
225
226 audit($msg);
227 print("$msg\n");
228 exit(1) if ($msg =~ /^ERROR/);
229 }
230
231 #
232 # END()
233 #
234 # Clean up prior to normal or abnormal exit.
235 #
236 sub END {
237 audit("END");
238 close(AUDIT);
239 chdir(""); # so $Tmpdir can be removed
240 }