diff options
author | Andrew Bartlett <abartlet@samba.org> | 2010-01-12 18:16:45 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-03-27 11:51:27 +1100 |
commit | 89eaef025376339ef25d07cdc4748920fceaa968 (patch) | |
tree | f514f4632c9d54a372a7f1f0ca845a0c3a488fbf /source4/heimdal/lib/hx509/crypto.c | |
parent | fac8ca52ade6e490eea3cf3d0fc98287da321c13 (diff) | |
download | samba-89eaef025376339ef25d07cdc4748920fceaa968.tar.gz samba-89eaef025376339ef25d07cdc4748920fceaa968.tar.bz2 samba-89eaef025376339ef25d07cdc4748920fceaa968.zip |
s4:heimdal: import lorikeet-heimdal-201001120029 (commit a5e675fed7c5db8a7370b77ed0bfa724196aa84d)
Diffstat (limited to 'source4/heimdal/lib/hx509/crypto.c')
-rw-r--r-- | source4/heimdal/lib/hx509/crypto.c | 36 |
1 files changed, 29 insertions, 7 deletions
diff --git a/source4/heimdal/lib/hx509/crypto.c b/source4/heimdal/lib/hx509/crypto.c index 050a0902b3..bee64c145f 100644 --- a/source4/heimdal/lib/hx509/crypto.c +++ b/source4/heimdal/lib/hx509/crypto.c @@ -87,8 +87,9 @@ struct signature_alg { const heim_oid *key_oid; const AlgorithmIdentifier *digest_alg; int flags; -#define PROVIDE_CONF 1 -#define REQUIRE_SIGNER 2 +#define PROVIDE_CONF 0x1 +#define REQUIRE_SIGNER 0x2 +#define SELF_SIGNED_OK 0x4 #define SIG_DIGEST 0x100 #define SIG_PUBLIC_SIG 0x200 @@ -1200,7 +1201,7 @@ static const struct signature_alg ecdsa_with_sha256_alg = { &_hx509_signature_ecdsa_with_sha256_data, &asn1_oid_id_ecPublicKey, &_hx509_signature_sha256_data, - PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG, + PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 0, NULL, ecdsa_verify_signature, @@ -1214,7 +1215,7 @@ static const struct signature_alg ecdsa_with_sha1_alg = { &_hx509_signature_ecdsa_with_sha1_data, &asn1_oid_id_ecPublicKey, &_hx509_signature_sha1_data, - PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG, + PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 0, NULL, ecdsa_verify_signature, @@ -1243,7 +1244,7 @@ static const struct signature_alg pkcs1_rsa_sha1_alg = { &_hx509_signature_rsa_with_sha1_data, &asn1_oid_id_pkcs1_rsaEncryption, NULL, - PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG, + PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 0, NULL, rsa_verify_signature, @@ -1256,7 +1257,7 @@ static const struct signature_alg rsa_with_sha256_alg = { &_hx509_signature_rsa_with_sha256_data, &asn1_oid_id_pkcs1_rsaEncryption, &_hx509_signature_sha256_data, - PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG, + PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 0, NULL, rsa_verify_signature, @@ -1269,7 +1270,7 @@ static const struct signature_alg rsa_with_sha1_alg = { &_hx509_signature_rsa_with_sha1_data, &asn1_oid_id_pkcs1_rsaEncryption, &_hx509_signature_sha1_data, - PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG, + PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 0, NULL, rsa_verify_signature, @@ -1482,6 +1483,27 @@ _hx509_signature_best_before(hx509_context context, } int +_hx509_self_signed_valid(hx509_context context, + const AlgorithmIdentifier *alg) +{ + const struct signature_alg *md; + + md = find_sig_alg(&alg->algorithm); + if (md == NULL) { + hx509_clear_error_string(context); + return HX509_SIG_ALG_NO_SUPPORTED; + } + if ((md->flags & SELF_SIGNED_OK) == 0) { + hx509_set_error_string(context, 0, HX509_CRYPTO_ALGORITHM_BEST_BEFORE, + "Algorithm %s not trusted for self signatures", + md->name); + return HX509_CRYPTO_ALGORITHM_BEST_BEFORE; + } + return 0; +} + + +int _hx509_verify_signature(hx509_context context, const hx509_cert cert, const AlgorithmIdentifier *alg, |