Class: Owlet::Signer

Inherits:
Object
  • Object
show all
Defined in:
lib/owlet/signer.rb

Class Method Summary collapse

Class Method Details

.list_certificates(package) ⇒ Object 



18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
 
# File 'lib/owlet/signer.rb', line 18

def self.list_certificates(package)
  # Check that package exists.
  raise "Cannot file package #{package}" unless File.exists?(package)
  
  sig_data = Zip::ZipFile.open(package) do |zip|
    entry = zip.find_entry("_Signature")
    unless entry.nil?
      YAML.load(entry.get_input_stream.read)
    else
      {:certificates => []}
    end
  end
  
  sig_data[:certificates]
end

.sign(data, private_key) ⇒ Object

Sign arbitary data using private_key Return Base 64 (RFC 4648) encoded signature



8
9
10
 
# File 'lib/owlet/signer.rb', line 8

def self.sign(data, private_key)
  Base64.encode64(private_key.sign(OpenSSL::Digest::SHA256.new, data)).gsub(/\n/, '')
end

.sign_package(package, options) ⇒ Object

Signs given package with PKCS12 file p12 is either OpenSSL::PKCS!@ or file



36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
 
# File 'lib/owlet/signer.rb', line 36

def self.sign_package(package, options)
  # Get private key
  if options['key']
    p12 = OpenSSL::PKCS12.new(File.read(options['key']))
    public_key = p12.certificate
    private_key = p12.key
  else
    private_key = OpenSSL::PKey::RSA.new(File.read(options['private']))
    public_key = OpenSSL::X509::Certificate.new(File.read(options['public']))
  end
  
  raise "Cannot find package #{package}" unless File.exists?(package)
  
  # Initialize signature data
  sig_data = { :signatures => {}, :certificates => []}
  
  # Open and sign files
  Zip::ZipFile.open(package) do |zip|
    sig_meta = zip.find_entry("_Signature")
    unless sig_meta.nil?
      sig_data = YAML.load(sig_meta.get_input_stream.read)
    end
    
    zip.each do |entry|
      data = entry.get_input_stream.read
      next if data.nil?
      
      sig_data[:signatures][entry.name] ||= []
      sig_data[:signatures][entry.name].push sign(data, private_key)
    end
    
    sig_data[:certificates].push public_key.to_pem
    
    zip.get_output_stream("_Signature") do |io|
      io.puts sig_data.to_yaml
    end
  end
  
  true
end

.verify(data, signature, public_key) ⇒ Object

Verify arbitary data against given signature and public key. Signature must be Base64 encoded, RFC 4648 compliat.



14
15
16
 
# File 'lib/owlet/signer.rb', line 14

def self.verify(data, signature, public_key)
  public_key.verify(OpenSSL::Digest::SHA256.new, Base64.decode64(signature).gsub(/\n/, ''), data)
end

.verify_package(package) ⇒ Object 



77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
 
# File 'lib/owlet/signer.rb', line 77

def self.verify_package(package)
  raise "Cannot find package #{package}" unless File.exists?(package)
  
  Zip::ZipFile.open(package) do |zip|
    entry = zip.find_entry("_Signature")
    raise "Package not signed." if entry.nil?
    
    sig_data = YAML.load(entry.get_input_stream.read)
    sig_data[:certificates].map! { |c| OpenSSL::X509::Certificate.new(c) }
    
    zip.each do |entry|
      next if entry.name == "_Signature"
      
      # Check for all certificates
      sig_data[:certificates].each_index do |i|
        data = entry.get_input_stream.read
        next if data.nil?
        
        if sig_data[:signatures][entry.name].nil? or sig_data[:signatures][entry.name][i].nil?
          raise "Cannot find signature for #{entry.name}"
        end
        
        unless verify(data, sig_data[:signatures][entry.name][i], sig_data[:certificates][i].public_key)
          raise "Signature for #{entry.name} for certicate #{sig_data[:certificates][i].subject} failed."
        end
      end
    end
  end
  
  return true
end