summaryrefslogtreecommitdiff
path: root/source4/heimdal/lib/hx509
diff options
context:
space:
mode:
Diffstat (limited to 'source4/heimdal/lib/hx509')
-rw-r--r--source4/heimdal/lib/hx509/cert.c7
-rw-r--r--source4/heimdal/lib/hx509/cms.c4
-rw-r--r--source4/heimdal/lib/hx509/crypto.c36
-rw-r--r--source4/heimdal/lib/hx509/hx_locl.h5
-rw-r--r--source4/heimdal/lib/hx509/keyset.c53
-rw-r--r--source4/heimdal/lib/hx509/ks_dir.c2
-rw-r--r--source4/heimdal/lib/hx509/ks_file.c2
-rw-r--r--source4/heimdal/lib/hx509/ks_keychain.c1
-rw-r--r--source4/heimdal/lib/hx509/ks_p12.c2
-rw-r--r--source4/heimdal/lib/hx509/peer.c3
-rw-r--r--source4/heimdal/lib/hx509/revoke.c10
11 files changed, 96 insertions, 29 deletions
diff --git a/source4/heimdal/lib/hx509/cert.c b/source4/heimdal/lib/hx509/cert.c
index ebf02a99e3..4783edd681 100644
--- a/source4/heimdal/lib/hx509/cert.c
+++ b/source4/heimdal/lib/hx509/cert.c
@@ -1023,9 +1023,12 @@ certificate_is_self_signed(hx509_context context,
ret = _hx509_name_cmp(&cert->tbsCertificate.subject,
&cert->tbsCertificate.issuer, &diff);
*self_signed = (diff == 0);
- if (ret)
+ if (ret) {
hx509_set_error_string(context, 0, ret,
"Failed to check if self signed");
+ } else
+ ret = _hx509_self_signed_valid(context, &cert->signatureAlgorithm);
+
return ret;
}
@@ -3251,7 +3254,7 @@ _hx509_cert_get_eku(hx509_context context,
* @param context A hx509 context.
* @param c the certificate to encode.
* @param os the encode certificate, set to NULL, 0 on case of
- * error. Free the returned structure with hx509_xfree().
+ * error. Free the os->data with hx509_xfree().
*
* @return An hx509 error code, see hx509_get_error_string().
*
diff --git a/source4/heimdal/lib/hx509/cms.c b/source4/heimdal/lib/hx509/cms.c
index 4766c34655..5506cee463 100644
--- a/source4/heimdal/lib/hx509/cms.c
+++ b/source4/heimdal/lib/hx509/cms.c
@@ -1491,7 +1491,7 @@ hx509_cms_create_signed(hx509_context context,
* signatures).
*/
if ((flags & HX509_CMS_SIGNATURE_NO_SIGNER) == 0) {
- ret = hx509_certs_iter(context, certs, sig_process, &sigctx);
+ ret = hx509_certs_iter_f(context, certs, sig_process, &sigctx);
if (ret)
goto out;
}
@@ -1525,7 +1525,7 @@ hx509_cms_create_signed(hx509_context context,
goto out;
}
- ret = hx509_certs_iter(context, sigctx.certs, cert_process, &sigctx);
+ ret = hx509_certs_iter_f(context, sigctx.certs, cert_process, &sigctx);
if (ret)
goto out;
}
diff --git a/source4/heimdal/lib/hx509/crypto.c b/source4/heimdal/lib/hx509/crypto.c
index 050a0902b3..bee64c145f 100644
--- a/source4/heimdal/lib/hx509/crypto.c
+++ b/source4/heimdal/lib/hx509/crypto.c
@@ -87,8 +87,9 @@ struct signature_alg {
const heim_oid *key_oid;
const AlgorithmIdentifier *digest_alg;
int flags;
-#define PROVIDE_CONF 1
-#define REQUIRE_SIGNER 2
+#define PROVIDE_CONF 0x1
+#define REQUIRE_SIGNER 0x2
+#define SELF_SIGNED_OK 0x4
#define SIG_DIGEST 0x100
#define SIG_PUBLIC_SIG 0x200
@@ -1200,7 +1201,7 @@ static const struct signature_alg ecdsa_with_sha256_alg = {
&_hx509_signature_ecdsa_with_sha256_data,
&asn1_oid_id_ecPublicKey,
&_hx509_signature_sha256_data,
- PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+ PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
0,
NULL,
ecdsa_verify_signature,
@@ -1214,7 +1215,7 @@ static const struct signature_alg ecdsa_with_sha1_alg = {
&_hx509_signature_ecdsa_with_sha1_data,
&asn1_oid_id_ecPublicKey,
&_hx509_signature_sha1_data,
- PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+ PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
0,
NULL,
ecdsa_verify_signature,
@@ -1243,7 +1244,7 @@ static const struct signature_alg pkcs1_rsa_sha1_alg = {
&_hx509_signature_rsa_with_sha1_data,
&asn1_oid_id_pkcs1_rsaEncryption,
NULL,
- PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+ PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
0,
NULL,
rsa_verify_signature,
@@ -1256,7 +1257,7 @@ static const struct signature_alg rsa_with_sha256_alg = {
&_hx509_signature_rsa_with_sha256_data,
&asn1_oid_id_pkcs1_rsaEncryption,
&_hx509_signature_sha256_data,
- PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+ PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
0,
NULL,
rsa_verify_signature,
@@ -1269,7 +1270,7 @@ static const struct signature_alg rsa_with_sha1_alg = {
&_hx509_signature_rsa_with_sha1_data,
&asn1_oid_id_pkcs1_rsaEncryption,
&_hx509_signature_sha1_data,
- PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+ PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
0,
NULL,
rsa_verify_signature,
@@ -1482,6 +1483,27 @@ _hx509_signature_best_before(hx509_context context,
}
int
+_hx509_self_signed_valid(hx509_context context,
+ const AlgorithmIdentifier *alg)
+{
+ const struct signature_alg *md;
+
+ md = find_sig_alg(&alg->algorithm);
+ if (md == NULL) {
+ hx509_clear_error_string(context);
+ return HX509_SIG_ALG_NO_SUPPORTED;
+ }
+ if ((md->flags & SELF_SIGNED_OK) == 0) {
+ hx509_set_error_string(context, 0, HX509_CRYPTO_ALGORITHM_BEST_BEFORE,
+ "Algorithm %s not trusted for self signatures",
+ md->name);
+ return HX509_CRYPTO_ALGORITHM_BEST_BEFORE;
+ }
+ return 0;
+}
+
+
+int
_hx509_verify_signature(hx509_context context,
const hx509_cert cert,
const AlgorithmIdentifier *alg,
diff --git a/source4/heimdal/lib/hx509/hx_locl.h b/source4/heimdal/lib/hx509/hx_locl.h
index 2d1c036d53..3e3ab23c6d 100644
--- a/source4/heimdal/lib/hx509/hx_locl.h
+++ b/source4/heimdal/lib/hx509/hx_locl.h
@@ -39,16 +39,19 @@
#include <stdlib.h>
#include <ctype.h>
#include <errno.h>
+#ifdef HAVE_STRINGS_H
#include <strings.h>
+#endif
#include <assert.h>
#include <stdarg.h>
#include <err.h>
#include <limits.h>
+#include <roken.h>
+
#include <getarg.h>
#include <base64.h>
#include <hex.h>
-#include <roken.h>
#include <com_err.h>
#include <parse_units.h>
#include <parse_bytes.h>
diff --git a/source4/heimdal/lib/hx509/keyset.c b/source4/heimdal/lib/hx509/keyset.c
index 4a96cff530..465ca1b4d3 100644
--- a/source4/heimdal/lib/hx509/keyset.c
+++ b/source4/heimdal/lib/hx509/keyset.c
@@ -3,6 +3,8 @@
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -323,7 +325,7 @@ hx509_certs_end_seq(hx509_context context,
* @param certs certificate store to iterate over.
* @param func function to call for each certificate. The function
* should return non-zero to abort the iteration, that value is passed
- * back to te caller of hx509_certs_iter().
+ * back to the caller of hx509_certs_iter_f().
* @param ctx context variable that will passed to the function.
*
* @return Returns an hx509 error code.
@@ -332,10 +334,10 @@ hx509_certs_end_seq(hx509_context context,
*/
int
-hx509_certs_iter(hx509_context context,
- hx509_certs certs,
- int (*func)(hx509_context, void *, hx509_cert),
- void *ctx)
+hx509_certs_iter_f(hx509_context context,
+ hx509_certs certs,
+ int (*func)(hx509_context, void *, hx509_cert),
+ void *ctx)
{
hx509_cursor cursor;
hx509_cert c;
@@ -364,13 +366,46 @@ hx509_certs_iter(hx509_context context,
return ret;
}
+/**
+ * Iterate over all certificates in a keystore and call an function
+ * for each fo them.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to iterate over.
+ * @param func function to call for each certificate. The function
+ * should return non-zero to abort the iteration, that value is passed
+ * back to the caller of hx509_certs_iter().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
+#ifdef __BLOCKS__
+
+static int
+certs_iter(hx509_context context, void *ctx, hx509_cert cert)
+{
+ int (^func)(hx509_cert) = ctx;
+ return func(cert);
+}
+
+int
+hx509_certs_iter(hx509_context context,
+ hx509_certs certs,
+ int (^func)(hx509_cert))
+{
+ return hx509_certs_iter_f(context, certs, certs_iter, func);
+}
+#endif
+
/**
- * Function to use to hx509_certs_iter() as a function argument, the
- * ctx variable to hx509_certs_iter() should be a FILE file descriptor.
+ * Function to use to hx509_certs_iter_f() as a function argument, the
+ * ctx variable to hx509_certs_iter_f() should be a FILE file descriptor.
*
* @param context a hx509 context.
- * @param ctx used by hx509_certs_iter().
+ * @param ctx used by hx509_certs_iter_f().
* @param c a certificate
*
* @return Returns an hx509 error code.
@@ -587,7 +622,7 @@ hx509_certs_merge(hx509_context context, hx509_certs to, hx509_certs from)
{
if (from == NULL)
return 0;
- return hx509_certs_iter(context, from, certs_merge_func, to);
+ return hx509_certs_iter_f(context, from, certs_merge_func, to);
}
/**
diff --git a/source4/heimdal/lib/hx509/ks_dir.c b/source4/heimdal/lib/hx509/ks_dir.c
index 9ce9b5c8e6..8c8c6e50c8 100644
--- a/source4/heimdal/lib/hx509/ks_dir.c
+++ b/source4/heimdal/lib/hx509/ks_dir.c
@@ -113,7 +113,7 @@ dir_iter_start(hx509_context context,
free(d);
return errno;
}
- rk_cloexec(dirfd(d->dir));
+ rk_cloexec_dir(d->dir);
d->certs = NULL;
d->iter = NULL;
diff --git a/source4/heimdal/lib/hx509/ks_file.c b/source4/heimdal/lib/hx509/ks_file.c
index f137b84641..645dc405a2 100644
--- a/source4/heimdal/lib/hx509/ks_file.c
+++ b/source4/heimdal/lib/hx509/ks_file.c
@@ -571,7 +571,7 @@ file_store(hx509_context context,
rk_cloexec_file(sc.f);
sc.format = ksf->format;
- ret = hx509_certs_iter(context, ksf->certs, store_func, &sc);
+ ret = hx509_certs_iter_f(context, ksf->certs, store_func, &sc);
fclose(sc.f);
return ret;
}
diff --git a/source4/heimdal/lib/hx509/ks_keychain.c b/source4/heimdal/lib/hx509/ks_keychain.c
index 01d0c55d1c..9c6521790a 100644
--- a/source4/heimdal/lib/hx509/ks_keychain.c
+++ b/source4/heimdal/lib/hx509/ks_keychain.c
@@ -43,6 +43,7 @@ OSStatus SecKeyGetCSPHandle(SecKeyRef, CSSM_CSP_HANDLE *);
OSStatus SecKeyGetCredentials(SecKeyRef, CSSM_ACL_AUTHORIZATION_TAG,
int, const CSSM_ACCESS_CREDENTIALS **);
#define kSecCredentialTypeDefault 0
+#define CSSM_SIZE uint32_t
#endif
diff --git a/source4/heimdal/lib/hx509/ks_p12.c b/source4/heimdal/lib/hx509/ks_p12.c
index c17ce3f6ac..d94ab197cd 100644
--- a/source4/heimdal/lib/hx509/ks_p12.c
+++ b/source4/heimdal/lib/hx509/ks_p12.c
@@ -571,7 +571,7 @@ p12_store(hx509_context context,
memset(&as, 0, sizeof(as));
memset(&pfx, 0, sizeof(pfx));
- ret = hx509_certs_iter(context, p12->certs, store_func, &as);
+ ret = hx509_certs_iter_f(context, p12->certs, store_func, &as);
if (ret)
goto out;
diff --git a/source4/heimdal/lib/hx509/peer.c b/source4/heimdal/lib/hx509/peer.c
index c796e19173..457f6c4d04 100644
--- a/source4/heimdal/lib/hx509/peer.c
+++ b/source4/heimdal/lib/hx509/peer.c
@@ -3,6 +3,8 @@
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -144,6 +146,7 @@ hx509_peer_info_add_cms_alg(hx509_context context,
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
return ENOMEM;
}
+ peer->val = ptr;
ret = copy_AlgorithmIdentifier(val, &peer->val[peer->len]);
if (ret == 0)
peer->len += 1;
diff --git a/source4/heimdal/lib/hx509/revoke.c b/source4/heimdal/lib/hx509/revoke.c
index 21140b3c7e..6d2cac4afb 100644
--- a/source4/heimdal/lib/hx509/revoke.c
+++ b/source4/heimdal/lib/hx509/revoke.c
@@ -989,7 +989,7 @@ hx509_ocsp_request(hx509_context context,
ctx.digest = digest;
ctx.parent = NULL;
- ret = hx509_certs_iter(context, reqcerts, add_to_req, &ctx);
+ ret = hx509_certs_iter_f(context, reqcerts, add_to_req, &ctx);
hx509_cert_free(ctx.parent);
if (ret)
goto out;
@@ -1004,17 +1004,17 @@ hx509_ocsp_request(hx509_context context,
es = req.tbsRequest.requestExtensions;
- es->val = calloc(1, sizeof(es->val[0]));
+ es->val = calloc(es->len, sizeof(es->val[0]));
if (es->val == NULL) {
ret = ENOMEM;
goto out;
}
+ es->len = 1;
ret = der_copy_oid(&asn1_oid_id_pkix_ocsp_nonce, &es->val[0].extnID);
if (ret) {
free_OCSPRequest(&req);
return ret;
}
- es->len = 1;
es->val[0].extnValue.data = malloc(10);
if (es->val[0].extnValue.data == NULL) {
@@ -1153,7 +1153,7 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
fprintf(out, "appended certs:\n");
if (ocsp.certs)
- ret = hx509_certs_iter(context, ocsp.certs, hx509_ci_print_names, out);
+ ret = hx509_certs_iter_f(context, ocsp.certs, hx509_ci_print_names, out);
free_ocsp(&ocsp);
return ret;
@@ -1486,7 +1486,7 @@ hx509_crl_sign(hx509_context context,
}
c.tbsCertList.crlExtensions = NULL;
- ret = hx509_certs_iter(context, crl->revoked, add_revoked, &c.tbsCertList);
+ ret = hx509_certs_iter_f(context, crl->revoked, add_revoked, &c.tbsCertList);
if (ret)
goto out;