Source

Cog / Frameworks / Sparkle / NSFileManager+Verification.m

Full commit
//
//  NSFileManager+Verification.m
//  Sparkle
//
//  Created by Andy Matuschak on 3/16/06.
//  Copyright 2006 Andy Matuschak. All rights reserved.
//

// DSA stuff adapted from code provided by Allan Odgaard. Thanks, Allan!

#import "NSFileManager+Verification.h"
#import "SUUtilities.h"
#import "md5.h"

#import <stdio.h>
#import <openssl/evp.h>
#import <openssl/bio.h>
#import <openssl/pem.h>
#import <openssl/rsa.h>
#import <openssl/sha.h>

int b64decode(unsigned char* str)
{
    unsigned char *cur, *start;
    int d, dlast, phase;
    unsigned char c;
    static int table[256] = {
        -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,  /* 00-0F */
        -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,  /* 10-1F */
        -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,62,-1,-1,-1,63,  /* 20-2F */
        52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-1,-1,-1,  /* 30-3F */
        -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,10,11,12,13,14,  /* 40-4F */
        15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,  /* 50-5F */
        -1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,  /* 60-6F */
        41,42,43,44,45,46,47,48,49,50,51,-1,-1,-1,-1,-1,  /* 70-7F */
        -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,  /* 80-8F */
        -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,  /* 90-9F */
        -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,  /* A0-AF */
        -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,  /* B0-BF */
        -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,  /* C0-CF */
        -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,  /* D0-DF */
        -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,  /* E0-EF */
        -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1   /* F0-FF */
    };
	
    d = dlast = phase = 0;
    start = str;
    for (cur = str; *cur != '\0'; ++cur )
    {
		if(*cur == '\n' || *cur == '\r'){phase = dlast = 0; continue;}
        d = table[(int)*cur];
        if(d != -1)
        {
            switch(phase)
            {
				case 0:
					++phase;
					break;
				case 1:
					c = ((dlast << 2) | ((d & 0x30) >> 4));
					*str++ = c;
					++phase;
					break;
				case 2:
					c = (((dlast & 0xf) << 4) | ((d & 0x3c) >> 2));
					*str++ = c;
					++phase;
					break;
				case 3:
					c = (((dlast & 0x03 ) << 6) | d);
					*str++ = c;
					phase = 0;
					break;
            }
            dlast = d;
        }
    }
    *str = '\0';
    return str - start;
}

EVP_PKEY* load_dsa_key(char *key)
{
	EVP_PKEY* pkey = NULL;
	BIO *bio;
	if((bio = BIO_new_mem_buf(key, strlen(key))))
	{
		DSA* dsa_key = 0;
		if(PEM_read_bio_DSA_PUBKEY(bio, &dsa_key, NULL, NULL))
		{
			if((pkey = EVP_PKEY_new()))
			{
				if(EVP_PKEY_assign_DSA(pkey, dsa_key) != 1)
				{
					DSA_free(dsa_key);
					EVP_PKEY_free(pkey);
					pkey = NULL;
				}
			}
		}
		BIO_free(bio);
	}
	return pkey;
}

@implementation NSFileManager (SUVerification)

- (BOOL)validatePath:(NSString *)path withMD5Hash:(NSString *)hash
{
	NSData *data = [NSData dataWithContentsOfFile:path];
	if (!data) { return NO; }
	
	md5_state_t md5_state;
	md5_init(&md5_state);
	md5_append(&md5_state, [data bytes], [data length]);
	unsigned char digest[16];
	md5_finish(&md5_state, digest);
	
	int di;
	char hexDigest[32];
	for (di = 0; di < 16; di++)
	    sprintf(hexDigest + di*2, "%02x", digest[di]);
	
	return [hash isEqualToString:[NSString stringWithUTF8String:hexDigest]];
}

- (BOOL)validatePath:(NSString *)path withEncodedDSASignature:(NSString *)encodedSignature
{
	EVP_PKEY* pkey;
	if(!encodedSignature || !SUInfoValueForKey(SUPublicDSAKeyKey) || !(pkey = load_dsa_key((char *)[SUInfoValueForKey(SUPublicDSAKeyKey) UTF8String])))
		return NO;
	
	// Now, the signature is in base64; we have to decode it into a binary stream.
	unsigned char *signature = (unsigned char *)[encodedSignature UTF8String];
	long length = b64decode(signature);
	
	NSData *pathData = [NSData dataWithContentsOfFile:path];
	if (!pathData) { return NO; }
	unsigned char md[SHA_DIGEST_LENGTH];
	SHA1([pathData bytes], [pathData length], md);
	
	BOOL res = false;
	EVP_MD_CTX ctx;
	if(EVP_VerifyInit(&ctx, EVP_dss1()) == 1)
	{
		EVP_VerifyUpdate(&ctx, md, SHA_DIGEST_LENGTH);
		res = EVP_VerifyFinal(&ctx, signature, length, pkey) == 1;
	}
	EVP_PKEY_free(pkey);
	return res;
}

@end