mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
21175 Commits
28 Branches
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
rspamd/src/rspamadm/signtool.c

signtool.c 16KB
Raw Permalink Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623 
  1. /*-

  2.  * Copyright 2016 Vsevolod Stakhov

  3.  *

  4.  * Licensed under the Apache License, Version 2.0 (the "License");

  5.  * you may not use this file except in compliance with the License.

  6.  * You may obtain a copy of the License at

  7.  *

  8.  *   http://www.apache.org/licenses/LICENSE-2.0

  9.  *

  10.  * Unless required by applicable law or agreed to in writing, software

  11.  * distributed under the License is distributed on an "AS IS" BASIS,

  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13.  * See the License for the specific language governing permissions and

  14.  * limitations under the License.

  15.  */

  16. 

  17. #include "config.h"

  18. #include "rspamadm.h"

  19. #include "cryptobox.h"

  20. #include "printf.h"

  21. #include "ucl.h"

  22. #include "libcryptobox/keypair.h"

  23. #include "libutil/str_util.h"

  24. #include "libutil/util.h"

  25. #include "unix-std.h"

  26. #ifdef HAVE_SYS_WAIT_H

  27. #include <sys/wait.h>

  28. #endif

  29. 

  30. static gboolean openssl = FALSE;

  31. static gboolean verify = FALSE;

  32. static gboolean quiet = FALSE;

  33. static char *suffix = NULL;

  34. static char *pubkey_file = NULL;

  35. static char *pubkey = NULL;

  36. static char *pubout = NULL;

  37. static char *keypair_file = NULL;

  38. static char *editor = NULL;

  39. static gboolean edit = FALSE;

  40. enum rspamd_cryptobox_mode mode = RSPAMD_CRYPTOBOX_MODE_25519;

  41. 

  42. static void rspamadm_signtool(int argc, char **argv,

  43. 							  const struct rspamadm_command *cmd);

  44. static const char *rspamadm_signtool_help(gboolean full_help,

  45. 										  const struct rspamadm_command *cmd);

  46. 

  47. struct rspamadm_command signtool_command = {

  48. 	.name = "signtool",

  49. 	.flags = 0,

  50. 	.help = rspamadm_signtool_help,

  51. 	.run = rspamadm_signtool,

  52. 	.lua_subrs = NULL,

  53. };

  54. 

  55. static GOptionEntry entries[] = {

  56. 	{"openssl", 'o', 0, G_OPTION_ARG_NONE, &openssl,

  57. 	 "Generate openssl nistp256 keypair not curve25519 one", NULL},

  58. 	{"verify", 'v', 0, G_OPTION_ARG_NONE, &verify,

  59. 	 "Verify signatures and not sign", NULL},

  60. 	{"suffix", 'S', 0, G_OPTION_ARG_STRING, &suffix,

  61. 	 "Save signatures in file<suffix> files", NULL},

  62. 	{"pubkey", 'p', 0, G_OPTION_ARG_STRING, &pubkey,

  63. 	 "Base32 encoded pubkey to verify", NULL},

  64. 	{"pubout", '\0', 0, G_OPTION_ARG_FILENAME, &pubout,

  65. 	 "Output public key to the specified file", NULL},

  66. 	{"pubfile", 'P', 0, G_OPTION_ARG_FILENAME, &pubkey_file,

  67. 	 "Load base32 encoded pubkey to verify from the file", NULL},

  68. 	{"keypair", 'k', 0, G_OPTION_ARG_STRING, &keypair_file,

  69. 	 "UCL with keypair to load for signing", NULL},

  70. 	{"quiet", 'q', 0, G_OPTION_ARG_NONE, &quiet,

  71. 	 "Be quiet", NULL},

  72. 	{"edit", 'e', 0, G_OPTION_ARG_NONE, &edit,

  73. 	 "Run editor and sign the edited file", NULL},

  74. 	{"editor", '\0', 0, G_OPTION_ARG_STRING, &editor,

  75. 	 "Use the specified editor instead of $EDITOR environment var", NULL},

  76. 	{NULL, 0, 0, G_OPTION_ARG_NONE, NULL, NULL, NULL}};

  77. 

  78. static const char *

  79. rspamadm_signtool_help(gboolean full_help,

  80. 					   const struct rspamadm_command *cmd)

  81. {

  82. 	const char *help_str;

  83. 

  84. 	if (full_help) {

  85. 		help_str = "Manage digital signatures\n\n"

  86. 				   "Usage: rspamadm signtool [-o] -k <keypair_file> [-v -p <pubkey> | -P <pubkey_file>] [-S <suffix>] file1 ...\n"

  87. 				   "Where options are:\n\n"

  88. 				   "-v: verify against pubkey instead of \n"

  89. 				   "-o: use ECDSA instead of EdDSA\n"

  90. 				   "-p: load pubkey as base32 string\n"

  91. 				   "-P: load pubkey paced in file\n"

  92. 				   "-k: load signing keypair from ucl file\n"

  93. 				   "-S: append suffix for signatures and store them in files\n"

  94. 				   "-q: be quiet\n"

  95. 				   "-e: opens file for editing and sign the result\n"

  96. 				   "--editor: use the specified editor instead of $EDITOR environment var\n"

  97. 				   "--help: shows available options and commands";

  98. 	}

  99. 	else {

  100. 		help_str = "Sign and verify files tool";

  101. 	}

  102. 

  103. 	return help_str;

  104. }

  105. 

  106. static int

  107. rspamadm_edit_file(const char *fname)

  108. {

  109. 	char tmppath[PATH_MAX], run_cmdline[PATH_MAX];

  110. 	unsigned char *map;

  111. 	gsize len = 0;

  112. 	int fd_out, retcode, child_argc;

  113. 	GPid child_pid;

  114. 	char *tmpdir, **child_argv = NULL;

  115. 	struct stat st;

  116. 	GError *err = NULL;

  117. 

  118. 	if (editor == NULL) {

  119. 		editor = getenv("EDITOR");

  120. 	}

  121. 

  122. 	if (editor == NULL) {

  123. 		rspamd_fprintf(stderr, "cannot find editor: specify $EDITOR "

  124. 							   "environment variable or pass --editor argument\n");

  125. 		exit(EXIT_FAILURE);

  126. 	}

  127. 

  128. 	tmpdir = getenv("TMPDIR");

  129. 	if (tmpdir == NULL) {

  130. 		tmpdir = "/tmp";

  131. 	}

  132. 

  133. 	if (stat(fname, &st) == -1 || st.st_size == 0) {

  134. 		/* The source does not exist, but that shouldn't be a problem */

  135. 		len = 0;

  136. 		map = NULL;

  137. 

  138. 		/* Try to touch source anyway */

  139. 		fd_out = rspamd_file_xopen(fname, O_WRONLY | O_CREAT | O_EXCL, 00644,

  140. 								   0);

  141. 

  142. 		if (fd_out == -1) {

  143. 			rspamd_fprintf(stderr, "cannot open %s: %s\n", fname,

  144. 						   strerror(errno));

  145. 			exit(EXIT_FAILURE);

  146. 		}

  147. 

  148. 		close(fd_out);

  149. 	}

  150. 	else {

  151. 		map = rspamd_file_xmap(fname, PROT_READ, &len, TRUE);

  152. 

  153. 		if (map == NULL) {

  154. 			rspamd_fprintf(stderr, "cannot open %s: %s\n", fname,

  155. 						   strerror(errno));

  156. 			exit(EXIT_FAILURE);

  157. 		}

  158. 	}

  159. 

  160. 	rspamd_snprintf(tmppath, sizeof(tmppath),

  161. 					"%s/rspamd_sign-XXXXXXXXXX", tmpdir);

  162. 	mode_t cur_umask = umask(S_IRWXO | S_IRWXG);

  163. 	fd_out = mkstemp(tmppath);

  164. 	(void) umask(cur_umask);

  165. 

  166. 	if (fd_out == -1) {

  167. 		rspamd_fprintf(stderr, "cannot open tempfile %s: %s\n", tmppath,

  168. 					   strerror(errno));

  169. 		exit(EXIT_FAILURE);

  170. 	}

  171. 

  172. 	if (len > 0 && write(fd_out, map, len) == -1) {

  173. 		rspamd_fprintf(stderr, "cannot write to tempfile %s: %s\n", tmppath,

  174. 					   strerror(errno));

  175. 		unlink(tmppath);

  176. 		munmap(map, len);

  177. 		close(fd_out);

  178. 		exit(EXIT_FAILURE);

  179. 	}

  180. 

  181. 	if (len > 0) {

  182. 		munmap(map, len);

  183. 	}

  184. 

  185. 	fsync(fd_out);

  186. 	close(fd_out);

  187. 

  188. 	/* Now we spawn editor with the filename as argument */

  189. 	rspamd_snprintf(run_cmdline, sizeof(run_cmdline), "%s %s", editor, tmppath);

  190. 	if (!g_shell_parse_argv(run_cmdline, &child_argc,

  191. 							&child_argv, &err)) {

  192. 		rspamd_fprintf(stderr, "cannot exec %s: %e\n", editor,

  193. 					   err);

  194. 		unlink(tmppath);

  195. 		exit(EXIT_FAILURE);

  196. 	}

  197. 

  198. 	if (!g_spawn_async(NULL, child_argv, NULL,

  199. 					   G_SPAWN_CHILD_INHERITS_STDIN | G_SPAWN_SEARCH_PATH | G_SPAWN_DO_NOT_REAP_CHILD,

  200. 					   NULL, NULL, &child_pid, &err)) {

  201. 		rspamd_fprintf(stderr, "cannot exec %s: %e\n", editor,

  202. 					   err);

  203. 		unlink(tmppath);

  204. 		exit(EXIT_FAILURE);

  205. 	}

  206. 

  207. 	g_strfreev(child_argv);

  208. 

  209. 	for (;;) {

  210. 		if (waitpid((pid_t) child_pid, &retcode, 0) != -1) {

  211. 			break;

  212. 		}

  213. 

  214. 		if (errno != EINTR) {

  215. 			rspamd_fprintf(stderr, "failed to wait for %s: %s\n", editor,

  216. 						   strerror(errno));

  217. 			unlink(tmppath);

  218. 			exit(EXIT_FAILURE);

  219. 		}

  220. 	}

  221. 

  222. #if GLIB_MAJOR_VERSION >= 2 && GLIB_MINOR_VERSION >= 34

  223. #if GLIB_MINOR_VERSION >= 70

  224. 	if (!g_spawn_check_wait_status(retcode, &err)) {

  225. #else

  226. 	if (!g_spawn_check_exit_status(retcode, &err)) {

  227. #endif

  228. 		unlink(tmppath);

  229. 		rspamd_fprintf(stderr, "%s returned error code: %d - %e\n", editor,

  230. 					   retcode, err);

  231. 		exit(EXIT_FAILURE);

  232. 	}

  233. #else

  234. 	if (retcode != 0) {

  235. 		unlink(tmppath);

  236. 		rspamd_fprintf(stderr, "%s returned error code: %d\n", editor,

  237. 					   retcode);

  238. 		exit(retcode);

  239. 	}

  240. #endif

  241. 

  242. 	map = rspamd_file_xmap(tmppath, PROT_READ, &len, TRUE);

  243. 

  244. 	if (map == NULL) {

  245. 		rspamd_fprintf(stderr, "cannot map %s: %s\n", tmppath,

  246. 					   strerror(errno));

  247. 		unlink(tmppath);

  248. 		exit(EXIT_FAILURE);

  249. 	}

  250. 

  251. 	rspamd_snprintf(run_cmdline, sizeof(run_cmdline), "%s.new", fname);

  252. 	fd_out = rspamd_file_xopen(run_cmdline, O_RDWR | O_CREAT | O_TRUNC, 00600,

  253. 							   0);

  254. 

  255. 	if (fd_out == -1) {

  256. 		rspamd_fprintf(stderr, "cannot open new file %s: %s\n", run_cmdline,

  257. 					   strerror(errno));

  258. 		unlink(tmppath);

  259. 		munmap(map, len);

  260. 		exit(EXIT_FAILURE);

  261. 	}

  262. 

  263. 	if (write(fd_out, map, len) == -1) {

  264. 		rspamd_fprintf(stderr, "cannot write new file %s: %s\n", run_cmdline,

  265. 					   strerror(errno));

  266. 		unlink(tmppath);

  267. 		unlink(run_cmdline);

  268. 		close(fd_out);

  269. 		munmap(map, len);

  270. 		exit(EXIT_FAILURE);

  271. 	}

  272. 

  273. 	unlink(tmppath);

  274. 	(void) lseek(fd_out, 0, SEEK_SET);

  275. 	munmap(map, len);

  276. 

  277. 	return fd_out;

  278. }

  279. 

  280. static bool

  281. rspamadm_sign_file(const char *fname, struct rspamd_cryptobox_keypair *kp)

  282. {

  283. 	int fd_sig, fd_input;

  284. 	unsigned char sig[rspamd_cryptobox_MAX_SIGBYTES], *map;

  285. 	char sigpath[PATH_MAX];

  286. 	FILE *pub_fp;

  287. 	struct stat st;

  288. 	const unsigned char *sk;

  289. 

  290. 	if (suffix == NULL) {

  291. 		suffix = ".sig";

  292. 	}

  293. 

  294. 	if (edit) {

  295. 		/* We need to open editor and then sign the temporary file */

  296. 		fd_input = rspamadm_edit_file(fname);

  297. 	}

  298. 	else {

  299. 		fd_input = rspamd_file_xopen(fname, O_RDONLY, 0, TRUE);

  300. 	}

  301. 

  302. 	if (fd_input == -1) {

  303. 		rspamd_fprintf(stderr, "cannot open %s: %s\n", fname,

  304. 					   strerror(errno));

  305. 		exit(EXIT_FAILURE);

  306. 	}

  307. 

  308. 	g_assert(fstat(fd_input, &st) != -1);

  309. 

  310. 	rspamd_snprintf(sigpath, sizeof(sigpath), "%s%s", fname, suffix);

  311. 	fd_sig = rspamd_file_xopen(sigpath, O_WRONLY | O_CREAT | O_TRUNC, 00644, 0);

  312. 

  313. 	if (fd_sig == -1) {

  314. 		close(fd_input);

  315. 		rspamd_fprintf(stderr, "cannot open %s: %s\n", sigpath,

  316. 					   strerror(errno));

  317. 		exit(EXIT_FAILURE);

  318. 	}

  319. 

  320. 	map = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd_input, 0);

  321. 	close(fd_input);

  322. 

  323. 	if (map == MAP_FAILED) {

  324. 		close(fd_sig);

  325. 		rspamd_fprintf(stderr, "cannot map %s: %s\n", fname,

  326. 					   strerror(errno));

  327. 		exit(EXIT_FAILURE);

  328. 	}

  329. 

  330. 	g_assert(rspamd_cryptobox_MAX_SIGBYTES >=

  331. 			 rspamd_cryptobox_signature_bytes(mode));

  332. 

  333. 	sk = rspamd_keypair_component(kp, RSPAMD_KEYPAIR_COMPONENT_SK, NULL);

  334. 	rspamd_cryptobox_sign(sig, NULL, map, st.st_size, sk, mode);

  335. 

  336. 	if (edit) {

  337. 		/* We also need to rename .new file */

  338. 		rspamd_snprintf(sigpath, sizeof(sigpath), "%s.new", fname);

  339. 

  340. 		if (rename(sigpath, fname) == -1) {

  341. 			rspamd_fprintf(stderr, "cannot rename %s to %s: %s\n", sigpath, fname,

  342. 						   strerror(errno));

  343. 			exit(EXIT_FAILURE);

  344. 		}

  345. 

  346. 		unlink(sigpath);

  347. 	}

  348. 

  349. 	rspamd_snprintf(sigpath, sizeof(sigpath), "%s%s", fname, suffix);

  350. 

  351. 	if (write(fd_sig, sig, rspamd_cryptobox_signature_bytes(mode)) == -1) {

  352. 		rspamd_fprintf(stderr, "cannot write signature to %s: %s\n", sigpath,

  353. 					   strerror(errno));

  354. 		exit(EXIT_FAILURE);

  355. 	}

  356. 

  357. 	close(fd_sig);

  358. 	munmap(map, st.st_size);

  359. 

  360. 	if (!quiet) {

  361. 		rspamd_fprintf(stdout, "signed %s; stored hash in %s\n",

  362. 					   fname, sigpath);

  363. 	}

  364. 

  365. 	if (pubout) {

  366. 		GString *b32_pk;

  367. 

  368. 		pub_fp = fopen(pubout, "w");

  369. 

  370. 		if (pub_fp == NULL) {

  371. 			rspamd_fprintf(stderr, "cannot write pubkey to %s: %s",

  372. 						   pubout, strerror(errno));

  373. 		}

  374. 		else {

  375. 			b32_pk = rspamd_keypair_print(kp,

  376. 										  RSPAMD_KEYPAIR_PUBKEY | RSPAMD_KEYPAIR_BASE32);

  377. 

  378. 			if (b32_pk) {

  379. 				rspamd_fprintf(pub_fp, "%v", b32_pk);

  380. 				g_string_free(b32_pk, TRUE);

  381. 			}

  382. 

  383. 			fclose(pub_fp);

  384. 		}

  385. 		if (!quiet) {

  386. 			rspamd_fprintf(stdout, "stored pubkey in %s\n",

  387. 						   pubout);

  388. 		}

  389. 	}

  390. 

  391. 	return true;

  392. }

  393. 

  394. static bool

  395. rspamadm_verify_file(const char *fname, const unsigned char *pk)

  396. {

  397. 	int fd_sig, fd_input;

  398. 	unsigned char *map, *map_sig;

  399. 	char sigpath[PATH_MAX];

  400. 	struct stat st, st_sig;

  401. 	bool ret;

  402. 

  403. 	g_assert(rspamd_cryptobox_MAX_SIGBYTES >=

  404. 			 rspamd_cryptobox_signature_bytes(mode));

  405. 

  406. 	if (suffix == NULL) {

  407. 		suffix = ".sig";

  408. 	}

  409. 

  410. 	fd_input = rspamd_file_xopen(fname, O_RDONLY, 0, TRUE);

  411. 

  412. 	if (fd_input == -1) {

  413. 		rspamd_fprintf(stderr, "cannot open %s: %s\n", fname,

  414. 					   strerror(errno));

  415. 		exit(EXIT_FAILURE);

  416. 	}

  417. 

  418. 	g_assert(fstat(fd_input, &st) != -1);

  419. 

  420. 	rspamd_snprintf(sigpath, sizeof(sigpath), "%s%s", fname, suffix);

  421. 	fd_sig = rspamd_file_xopen(sigpath, O_RDONLY, 0, TRUE);

  422. 

  423. 	if (fd_sig == -1) {

  424. 		close(fd_input);

  425. 		rspamd_fprintf(stderr, "cannot open %s: %s\n", sigpath,

  426. 					   strerror(errno));

  427. 		exit(EXIT_FAILURE);

  428. 	}

  429. 

  430. 	map = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd_input, 0);

  431. 	close(fd_input);

  432. 

  433. 	if (map == MAP_FAILED) {

  434. 		close(fd_sig);

  435. 		rspamd_fprintf(stderr, "cannot open %s: %s\n", sigpath,

  436. 					   strerror(errno));

  437. 		exit(EXIT_FAILURE);

  438. 	}

  439. 

  440. 	g_assert(fstat(fd_sig, &st_sig) != -1);

  441. 

  442. 	if (st_sig.st_size != rspamd_cryptobox_signature_bytes(mode)) {

  443. 		close(fd_sig);

  444. 		rspamd_fprintf(stderr, "invalid signature size %s: %ud\n", fname,

  445. 					   (unsigned int) st_sig.st_size);

  446. 		munmap(map, st.st_size);

  447. 		exit(EXIT_FAILURE);

  448. 	}

  449. 

  450. 	map_sig = mmap(NULL, st_sig.st_size, PROT_READ, MAP_SHARED, fd_sig, 0);

  451. 	close(fd_sig);

  452. 

  453. 	if (map_sig == MAP_FAILED) {

  454. 		munmap(map, st.st_size);

  455. 		rspamd_fprintf(stderr, "cannot map %s: %s\n", sigpath,

  456. 					   strerror(errno));

  457. 		exit(EXIT_FAILURE);

  458. 	}

  459. 

  460. 	ret = rspamd_cryptobox_verify(map_sig, st_sig.st_size,

  461. 								  map, st.st_size, pk, mode);

  462. 	munmap(map, st.st_size);

  463. 	munmap(map_sig, st_sig.st_size);

  464. 

  465. 	if (!ret) {

  466. 		rspamd_fprintf(stderr, "cannot verify %s using %s: invalid signature\n",

  467. 					   fname, sigpath);

  468. 	}

  469. 	else if (!quiet) {

  470. 		rspamd_fprintf(stdout, "verified %s using %s\n",

  471. 					   fname, sigpath);

  472. 	}

  473. 

  474. 	return ret;

  475. }

  476. 

  477. 

  478. static void

  479. rspamadm_signtool(int argc, char **argv, const struct rspamadm_command *cmd)

  480. {

  481. 	GOptionContext *context;

  482. 	GError *error = NULL;

  483. 	struct ucl_parser *parser;

  484. 	ucl_object_t *top;

  485. 	struct rspamd_cryptobox_pubkey *pk;

  486. 	struct rspamd_cryptobox_keypair *kp;

  487. 	gsize fsize, flen;

  488. 	int i;

  489. 

  490. 	context = g_option_context_new(

  491. 		"keypair - create encryption keys");

  492. 	g_option_context_set_summary(context,

  493. 								 "Summary:\n  Rspamd administration utility version " RVERSION

  494. 								 "\n  Release id: " RID);

  495. 	g_option_context_add_main_entries(context, entries, NULL);

  496. 

  497. 	if (!g_option_context_parse(context, &argc, &argv, &error)) {

  498. 		rspamd_fprintf(stderr, "option parsing failed: %s\n", error->message);

  499. 		g_error_free(error);

  500. 		g_option_context_free(context);

  501. 		exit(EXIT_FAILURE);

  502. 	}

  503. 

  504. 	g_option_context_free(context);

  505. 

  506. 	if (openssl) {

  507. 		mode = RSPAMD_CRYPTOBOX_MODE_NIST;

  508. 	}

  509. 

  510. 	if (verify && (!pubkey && !pubkey_file)) {

  511. 		rspamd_fprintf(stderr, "no pubkey for verification\n");

  512. 		exit(EXIT_FAILURE);

  513. 	}

  514. 	else if (!verify && (!keypair_file)) {

  515. 		rspamd_fprintf(stderr, "no keypair for signing\n");

  516. 		exit(EXIT_FAILURE);

  517. 	}

  518. 

  519. 	if (verify) {

  520. 		g_assert(pubkey || pubkey_file);

  521. 

  522. 		if (pubkey_file) {

  523. 			int fd;

  524. 			char *map;

  525. 			struct stat st;

  526. 

  527. 			fd = open(pubkey_file, O_RDONLY);

  528. 

  529. 			if (fd == -1) {

  530. 				rspamd_fprintf(stderr, "cannot open %s: %s\n", pubkey_file,

  531. 							   strerror(errno));

  532. 				exit(EXIT_FAILURE);

  533. 			}

  534. 

  535. 			g_assert(fstat(fd, &st) != -1);

  536. 			fsize = st.st_size;

  537. 			flen = fsize;

  538. 			map = mmap(NULL, fsize, PROT_READ, MAP_SHARED, fd, 0);

  539. 			close(fd);

  540. 

  541. 			if (map == MAP_FAILED) {

  542. 				rspamd_fprintf(stderr, "cannot read %s: %s\n", pubkey_file,

  543. 							   strerror(errno));

  544. 				exit(EXIT_FAILURE);

  545. 			}

  546. 

  547. 			/* XXX: assume base32 pubkey now */

  548. 			while (flen > 0 && g_ascii_isspace(map[flen - 1])) {

  549. 				flen--;

  550. 			}

  551. 

  552. 			pk = rspamd_pubkey_from_base32(map, flen,

  553. 										   RSPAMD_KEYPAIR_SIGN, mode);

  554. 

  555. 			if (pk == NULL) {

  556. 				rspamd_fprintf(stderr, "bad size %s: %ud, %ud expected\n",

  557. 							   pubkey_file,

  558. 							   (unsigned int) flen,

  559. 							   rspamd_cryptobox_pk_sig_bytes(mode));

  560. 				exit(EXIT_FAILURE);

  561. 			}

  562. 

  563. 			munmap(map, fsize);

  564. 		}

  565. 		else {

  566. 			pk = rspamd_pubkey_from_base32(pubkey, strlen(pubkey),

  567. 										   RSPAMD_KEYPAIR_SIGN, mode);

  568. 

  569. 			if (pk == NULL) {

  570. 				rspamd_fprintf(stderr, "bad size %s: %ud, %ud expected\n",

  571. 							   pubkey_file,

  572. 							   (unsigned int) strlen(pubkey),

  573. 							   rspamd_cryptobox_pk_sig_bytes(mode));

  574. 				exit(EXIT_FAILURE);

  575. 			}

  576. 		}

  577. 

  578. 		for (i = 1; i < argc; i++) {

  579. 			/* XXX: support cmd line signature */

  580. 			if (!rspamadm_verify_file(argv[i], rspamd_pubkey_get_pk(pk, NULL))) {

  581. 				exit(EXIT_FAILURE);

  582. 			}

  583. 		}

  584. 

  585. 		g_free(pk);

  586. 	}

  587. 	else {

  588. 		g_assert(keypair_file != NULL);

  589. 

  590. 		parser = ucl_parser_new(0);

  591. 

  592. 		if (!ucl_parser_add_file(parser, keypair_file) ||

  593. 			(top = ucl_parser_get_object(parser)) == NULL) {

  594. 			rspamd_fprintf(stderr, "cannot load keypair: %s\n",

  595. 						   ucl_parser_get_error(parser));

  596. 			exit(EXIT_FAILURE);

  597. 		}

  598. 

  599. 		ucl_parser_free(parser);

  600. 

  601. 		kp = rspamd_keypair_from_ucl(top);

  602. 

  603. 		if (kp == NULL) {

  604. 			rspamd_fprintf(stderr, "invalid signing key\n");

  605. 			exit(EXIT_FAILURE);

  606. 		}

  607. 

  608. 		if (rspamd_keypair_type(kp) != RSPAMD_KEYPAIR_SIGN) {

  609. 			rspamd_fprintf(stderr, "unsuitable for signing key\n");

  610. 			exit(EXIT_FAILURE);

  611. 		}

  612. 

  613. 		for (i = 1; i < argc; i++) {

  614. 			/* XXX: support cmd line signature */

  615. 			if (!rspamadm_sign_file(argv[i], kp)) {

  616. 				rspamd_keypair_unref(kp);

  617. 				exit(EXIT_FAILURE);

  618. 			}

  619. 		}

  620. 

  621. 		rspamd_keypair_unref(kp);

  622. 	}

  623. }