︙ | | |
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
-
+
|
}
}
namespace eval ::appfs {
variable cachedir "/tmp/appfs-cache"
variable ttl 3600
variable nttl 60
variable trusted_cas [list]
proc _hash_sep {hash {seps 4}} {
for {set idx 0} {$idx < $seps} {incr idx} {
append retval "[string range $hash [expr {$idx * 2}] [expr {($idx * 2) + 1}]]/"
}
append retval "[string range $hash [expr {$idx * 2}] end]"
|
︙ | | |
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
|
if {![regexp {^[0-9a-f]*$} $value]} {
return false
}
return true
}
proc _verifySignatureAndCertificate {certificate signature} {
proc _verifySignatureAndCertificate {hostname certificate signature hash} {
set certificate [binary format "H*" $certificate]
set signature [binary format "H*" $signature]
set certificate [::pki::x509::parse_cert $certificate]
array set certificate_arr $certificate
set certificate_cn [::pki::x509::_dn_to_cn $certificate_arr(subject)]
if {![::pki::verify $signature "$hash,sha1" $certificate]} {
return false
}
if {[string tolower $certificate_cn] != [string tolower $hostname]} {
return false
}
if {![::pki::x509::verify_cert $certificate $::appfs::trusted_cas]} {
return false
}
return true
}
proc _normalizeOS {os} {
set os [string tolower [string trim $os]]
switch -- $os {
|
︙ | | |
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
|
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
|
-
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
|
}
proc init {} {
if {[info exists ::appfs::init_called]} {
return
}
# Force [parray] to be loaded
# Force [parray] and [clock] to be loaded
catch {
parray does_not_exist
}
catch {
clock seconds
}
catch {
clock add [clock seconds] 3 seconds
}
set ::appfs::init_called 1
# Add a default CA to list of trusted CAs
lappend ::appfs::trusted_cas [::pki::x509::parse_cert {
-----BEGIN CERTIFICATE-----
MIIC7DCCAdSgAwIBAgIBATANBgkqhkiG9w0BAQUFADAvMRIwEAYDVQQKEwlSb3kg
S2VlbmUxGTAXBgNVBAMTEEFwcEZTIEtleSBNYXN0ZXIwHhcNMTQxMTE3MjAxNzI4
WhcNMTkxMTE3MjAxNzI4WjAvMRIwEAYDVQQKEwlSb3kgS2VlbmUxGTAXBgNVBAMT
EEFwcEZTIEtleSBNYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCq6uSK46yG5b6RJWwRlvw5glAnjsc1GiX3duXA0vG4qnKUnDtl/jcMmq2GMOB9
Iy1tjabEHA0MhW2j7Vwe/O9MLFJkJ30M1PVD7YZRRNaAsz3UWIKEjPI7BBc32KOm
BL3CTXCCdzllL1HhVbnM5iCAmgHcg1DUk/EvWXvnEDxXRy2lV9mQsmDedrffY7Wl
Or57nlczaMuPLpyRSkv75PAnjQJxT3sWlBpy+/H9ImudQdpJNf/FtxcqN7iDwH5B
vIceYEtDVxFsvo5HOVkSl9jeo5E4Gpe3wyfRhoqB2UkaW1Kq0iH5R+00S760xQMx
LL9L1duhu1dL7HsmEw7IeYURAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
KoZIhvcNAQEFBQADggEBAKhO4ZSzYP37BqixNHKK9+gSeC6Fga85iLWhwpPW0kSl
z03hal80KZ+kPMzb8C52N283tQNAqJ9Q8akDPZxSzzMUVOGpGw2pJ7ZswKDz0ZTa
0edq/gdT/HrdegvNtDPc2jona5FVOYqwdcz5kbl1UWBaBp3VXUgcYjXSRaBK43Wd
cveiDUeZw7gHqRSN/AyYUCtJzWmvGsJuIFhMBonuz8jylhyMJCYJFT4iMUC8MNIw
niX1xx+Nu6fPV5ZZHj9rbhiBaLjm+tkDwtPgA3j2pxvHKYptuWxeYO+9DDNa9sCb
E5AnJIlOnd/tGe0Chf0sFQg+l9nNiNrWGgzdd9ZPJK4=
-----END CERTIFICATE-----
}]
# Load configuration file
set config_file [file join $::appfs::cachedir config]
if {[file exists $config_file]} {
source $config_file
}
|
︙ | | |
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
|
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
|
-
+
|
set indexhashcert [lindex $indexhash_data 2]
set indexhashsig [lindex $indexhash_data 3]
if {![_isHash $indexhash]} {
return -code error "Invalid hash: $indexhash"
}
if {![_verifySignatureAndCertificate $indexhashcert $indexhashsig]} {
if {![_verifySignatureAndCertificate $hostname $indexhashcert $indexhashsig $indexhash]} {
return -code error "Invalid signature or certificate from $hostname"
}
set file [download $hostname $indexhash]
set fd [open $file]
set data [read $fd]
close $fd
|
︙ | | |