Diffstat (limited to 'source4/heimdal/lib/hx509')
-rw-r--r-- | source4/heimdal/lib/hx509/cert.c | 7 | ||||
-rw-r--r-- | source4/heimdal/lib/hx509/cms.c | 4 | ||||
-rw-r--r-- | source4/heimdal/lib/hx509/crypto.c | 36 | ||||
-rw-r--r-- | source4/heimdal/lib/hx509/hx_locl.h | 5 | ||||
-rw-r--r-- | source4/heimdal/lib/hx509/keyset.c | 53 | ||||
-rw-r--r-- | source4/heimdal/lib/hx509/ks_dir.c | 2 | ||||
-rw-r--r-- | source4/heimdal/lib/hx509/ks_file.c | 2 | ||||
-rw-r--r-- | source4/heimdal/lib/hx509/ks_keychain.c | 1 | ||||
-rw-r--r-- | source4/heimdal/lib/hx509/ks_p12.c | 2 | ||||
-rw-r--r-- | source4/heimdal/lib/hx509/peer.c | 3 | ||||
-rw-r--r-- | source4/heimdal/lib/hx509/revoke.c | 10 |
11 files changed, 96 insertions, 29 deletions
diff --git a/source4/heimdal/lib/hx509/cert.c b/source4/heimdal/lib/hx509/cert.c index ebf02a99e3..4783edd681 100644 --- a/source4/heimdal/lib/hx509/cert.c +++ b/source4/heimdal/lib/hx509/cert.c @@ -1023,9 +1023,12 @@ certificate_is_self_signed(hx509_context context, ret = _hx509_name_cmp(&cert->tbsCertificate.subject, &cert->tbsCertificate.issuer, &diff); *self_signed = (diff == 0); - if (ret) + if (ret) { hx509_set_error_string(context, 0, ret, "Failed to check if self signed"); + } else + ret = _hx509_self_signed_valid(context, &cert->signatureAlgorithm); + return ret; } @@ -3251,7 +3254,7 @@ _hx509_cert_get_eku(hx509_context context, * @param context A hx509 context. * @param c the certificate to encode. * @param os the encode certificate, set to NULL, 0 on case of - * error. Free the returned structure with hx509_xfree(). + * error. Free the os->data with hx509_xfree(). * * @return An hx509 error code, see hx509_get_error_string(). * diff --git a/source4/heimdal/lib/hx509/cms.c b/source4/heimdal/lib/hx509/cms.c index 4766c34655..5506cee463 100644 --- a/source4/heimdal/lib/hx509/cms.c +++ b/source4/heimdal/lib/hx509/cms.c @@ -1491,7 +1491,7 @@ hx509_cms_create_signed(hx509_context context, * signatures). */ if ((flags & HX509_CMS_SIGNATURE_NO_SIGNER) == 0) { - ret = hx509_certs_iter(context, certs, sig_process, &sigctx); + ret = hx509_certs_iter_f(context, certs, sig_process, &sigctx); if (ret) goto out; } @@ -1525,7 +1525,7 @@ hx509_cms_create_signed(hx509_context context, goto out; } - ret = hx509_certs_iter(context, sigctx.certs, cert_process, &sigctx); + ret = hx509_certs_iter_f(context, sigctx.certs, cert_process, &sigctx); if (ret) goto out; } diff --git a/source4/heimdal/lib/hx509/crypto.c b/source4/heimdal/lib/hx509/crypto.c index 050a0902b3..bee64c145f 100644 --- a/source4/heimdal/lib/hx509/crypto.c +++ b/source4/heimdal/lib/hx509/crypto.c 
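Review bot: In certificate_is_self_signed() the new `else` branch calls `_hx509_self_signed_valid()` whenever `_hx509_name_cmp()` succeeded, i.e. for every certificate, not only for those whose subject equals issuer (`diff == 0`). A certificate that is not self-signed but is signed with an algorithm lacking SELF_SIGNED_OK would therefore make this function return the "not trusted for self signatures" error to any caller that treats a non-zero return as fatal, even though that signature is going to be verified against the issuer's key rather than the certificate's own. Restricting the policy to actual self-signatures is a one-token change: `} else if (diff == 0)` followed by the existing `ret = _hx509_self_signed_valid(context, &cert->signatureAlgorithm);`. The two arms are also braced asymmetrically (`if (ret) { … } else` with an unbraced else body); brace both. The function's signature and the `ret`/`diff` declarations are above the hunk and not visible here.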
@@ -87,8 +87,9 @@ struct signature_alg { const heim_oid *key_oid; const AlgorithmIdentifier *digest_alg; int flags; -#define PROVIDE_CONF 1 -#define REQUIRE_SIGNER 2 +#define PROVIDE_CONF 0x1 +#define REQUIRE_SIGNER 0x2 +#define SELF_SIGNED_OK 0x4 #define SIG_DIGEST 0x100 #define SIG_PUBLIC_SIG 0x200 @@ -1200,7 +1201,7 @@ static const struct signature_alg ecdsa_with_sha256_alg = { &_hx509_signature_ecdsa_with_sha256_data, &asn1_oid_id_ecPublicKey, &_hx509_signature_sha256_data, - PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG, + PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 0, NULL, ecdsa_verify_signature, @@ -1214,7 +1215,7 @@ static const struct signature_alg ecdsa_with_sha1_alg = { &_hx509_signature_ecdsa_with_sha1_data, &asn1_oid_id_ecPublicKey, &_hx509_signature_sha1_data, - PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG, + PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 0, NULL, ecdsa_verify_signature, @@ -1243,7 +1244,7 @@ static const struct signature_alg pkcs1_rsa_sha1_alg = { &_hx509_signature_rsa_with_sha1_data, &asn1_oid_id_pkcs1_rsaEncryption, NULL, - PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG, + PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 0, NULL, rsa_verify_signature, @@ -1256,7 +1257,7 @@ static const struct signature_alg rsa_with_sha256_alg = { &_hx509_signature_rsa_with_sha256_data, &asn1_oid_id_pkcs1_rsaEncryption, &_hx509_signature_sha256_data, - PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG, + PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 0, NULL, rsa_verify_signature, 
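Review bot: `SELF_SIGNED_OK` is added to the flag set without any comment, and the table hunks in this file set it on only five entries (ecdsa-with-sha256, ecdsa-with-sha1, pkcs1 rsa-sha1, rsa-with-sha256, rsa-with-sha1); because `_hx509_self_signed_valid()` rejects any algorithm that lacks the bit, the flag behaves as an allow-list and every other `struct signature_alg` entry in this table — whichever ones exist outside these hunks — loses the ability to appear on a self-signed certificate. That policy, and the reason SHA-1 is accepted while other digests are not, should be stated at the definition, e.g. `#define SELF_SIGNED_OK 0x4 /* allow-list: alg may sign its own certificate; see _hx509_self_signed_valid() */`. If rsa-with-sha384/sha512 (or other) entries are present in the untouched part of the table and are meant to stay usable for self-signed certificates, they need the bit as well; that cannot be judged from the visible hunks.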
@@ -1269,7 +1270,7 @@ static const struct signature_alg rsa_with_sha1_alg = { &_hx509_signature_rsa_with_sha1_data, &asn1_oid_id_pkcs1_rsaEncryption, &_hx509_signature_sha1_data, - PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG, + PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK, 0, NULL, rsa_verify_signature, @@ -1482,6 +1483,27 @@ _hx509_signature_best_before(hx509_context context, } int +_hx509_self_signed_valid(hx509_context context, + const AlgorithmIdentifier *alg) +{ + const struct signature_alg *md; + + md = find_sig_alg(&alg->algorithm); + if (md == NULL) { + hx509_clear_error_string(context); + return HX509_SIG_ALG_NO_SUPPORTED; + } + if ((md->flags & SELF_SIGNED_OK) == 0) { + hx509_set_error_string(context, 0, HX509_CRYPTO_ALGORITHM_BEST_BEFORE, + "Algorithm %s not trusted for self signatures", + md->name); + return HX509_CRYPTO_ALGORITHM_BEST_BEFORE; + } + return 0; +} + + +int _hx509_verify_signature(hx509_context context, const hx509_cert cert, const AlgorithmIdentifier *alg, diff --git a/source4/heimdal/lib/hx509/hx_locl.h b/source4/heimdal/lib/hx509/hx_locl.h index 2d1c036d53..3e3ab23c6d 100644 --- a/source4/heimdal/lib/hx509/hx_locl.h +++ b/source4/heimdal/lib/hx509/hx_locl.h @@ -39,16 +39,19 @@ #include <stdlib.h> #include <ctype.h> #include <errno.h> +#ifdef HAVE_STRINGS_H #include <strings.h> +#endif #include <assert.h> #include <stdarg.h> #include <err.h> #include <limits.h> +#include <roken.h> + #include <getarg.h> #include <base64.h> #include <hex.h> -#include <roken.h> #include <com_err.h> #include <parse_units.h> #include <parse_bytes.h> diff --git a/source4/heimdal/lib/hx509/keyset.c b/source4/heimdal/lib/hx509/keyset.c index 4a96cff530..465ca1b4d3 100644 --- a/source4/heimdal/lib/hx509/keyset.c +++ b/source4/heimdal/lib/hx509/keyset.c 
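Review bot: In `_hx509_self_signed_valid()` the `md == NULL` path clears the error string and returns HX509_SIG_ALG_NO_SUPPORTED, so a caller that fails a self-signed certificate on an unknown algorithm gets no diagnostic, while the `SELF_SIGNED_OK` path does set one; set a message there too, e.g. `hx509_set_error_string(context, 0, HX509_SIG_ALG_NO_SUPPORTED, "Signature algorithm not supported for self signed certificate");`. The policy rejection reuses HX509_CRYPTO_ALGORITHM_BEST_BEFORE, a code whose other uses in this file concern an algorithm's sunset date rather than whether it may sign its own certificate; if no dedicated code exists, a short comment noting the reuse will keep the next reader from looking for a date check. The function is exported under the `_hx509_` prefix but no prototype is added in this diff (the hx_locl.h hunk only reorders includes), so presumably it relies on a generated private header — worth confirming. Give it a doc comment stating its purpose (is this algorithm allowed to sign the certificate that carries it), that `alg` is the certificate's outer signatureAlgorithm, and which error codes it returns.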
@@ -3,6 +3,8 @@ * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * + * Portions Copyright (c) 2009 Apple Inc. All rights reserved. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -323,7 +325,7 @@ hx509_certs_end_seq(hx509_context context, * @param certs certificate store to iterate over. * @param func function to call for each certificate. The function * should return non-zero to abort the iteration, that value is passed - * back to te caller of hx509_certs_iter(). + * back to the caller of hx509_certs_iter_f(). * @param ctx context variable that will passed to the function. * * @return Returns an hx509 error code. @@ -332,10 +334,10 @@ hx509_certs_end_seq(hx509_context context, */ int -hx509_certs_iter(hx509_context context, - hx509_certs certs, - int (*func)(hx509_context, void *, hx509_cert), - void *ctx) +hx509_certs_iter_f(hx509_context context, + hx509_certs certs, + int (*func)(hx509_context, void *, hx509_cert), + void *ctx) { hx509_cursor cursor; hx509_cert c; 
@@ -364,13 +366,46 @@ hx509_certs_iter(hx509_context context, return ret; } +/** + * Iterate over all certificates in a keystore and call an function + * for each fo them. + * + * @param context a hx509 context. + * @param certs certificate store to iterate over. + * @param func function to call for each certificate. The function + * should return non-zero to abort the iteration, that value is passed + * back to the caller of hx509_certs_iter(). + * + * @return Returns an hx509 error code. + * + * @ingroup hx509_keyset + */ + +#ifdef __BLOCKS__ + +static int +certs_iter(hx509_context context, void *ctx, hx509_cert cert) +{ + int (^func)(hx509_cert) = ctx; + return func(cert); +} + +int +hx509_certs_iter(hx509_context context, + hx509_certs certs, + int (^func)(hx509_cert)) +{ + return hx509_certs_iter_f(context, certs, certs_iter, func); +} +#endif + /** - * Function to use to hx509_certs_iter() as a function argument, the - * ctx variable to hx509_certs_iter() should be a FILE file descriptor. + * Function to use to hx509_certs_iter_f() as a function argument, the + * ctx variable to hx509_certs_iter_f() should be a FILE file descriptor. * * @param context a hx509 context. - * @param ctx used by hx509_certs_iter(). + * @param ctx used by hx509_certs_iter_f(). * @param c a certificate * * @return Returns an hx509 error code. @@ -587,7 +622,7 @@ hx509_certs_merge(hx509_context context, hx509_certs to, hx509_certs from) { if (from == NULL) return 0; - return hx509_certs_iter(context, from, certs_merge_func, to); + return hx509_certs_iter_f(context, from, certs_merge_func, to); } /** diff --git a/source4/heimdal/lib/hx509/ks_dir.c b/source4/heimdal/lib/hx509/ks_dir.c index 9ce9b5c8e6..8c8c6e50c8 100644 --- a/source4/heimdal/lib/hx509/ks_dir.c +++ b/source4/heimdal/lib/hx509/ks_dir.c @@ -113,7 +113,7 @@ dir_iter_start(hx509_context context, free(d); return errno; } - rk_cloexec(dirfd(d->dir)); + rk_cloexec_dir(d->dir); d->certs = NULL; d->iter = NULL; 
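Review bot: After this rename the name `hx509_certs_iter` only exists when `__BLOCKS__` is defined, yet its new doxygen comment sits above the `#ifdef` and documents the function unconditionally; in a non-Blocks build any external caller of the old four-argument `hx509_certs_iter(context, certs, func, ctx)` fails to link, and if this is part of the exported API that is a compatibility break the commit does not mention. Either move the comment inside `#ifdef __BLOCKS__` and say the function is only available with Blocks support, or keep a compatibility wrapper under the old name. The new comment also has two typos: `call an function for each fo them` should read `call a function for each of them`. The static adapter `certs_iter` ignores `context` and casts `void *ctx` back to a block; a one-line comment such as `/* ctx is the caller's block; context is unused */` would make the indirection clear to readers unfamiliar with Blocks.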
diff --git a/source4/heimdal/lib/hx509/ks_file.c b/source4/heimdal/lib/hx509/ks_file.c index f137b84641..645dc405a2 100644 --- a/source4/heimdal/lib/hx509/ks_file.c +++ b/source4/heimdal/lib/hx509/ks_file.c @@ -571,7 +571,7 @@ file_store(hx509_context context, rk_cloexec_file(sc.f); sc.format = ksf->format; - ret = hx509_certs_iter(context, ksf->certs, store_func, &sc); + ret = hx509_certs_iter_f(context, ksf->certs, store_func, &sc); fclose(sc.f); return ret; } diff --git a/source4/heimdal/lib/hx509/ks_keychain.c b/source4/heimdal/lib/hx509/ks_keychain.c index 01d0c55d1c..9c6521790a 100644 --- a/source4/heimdal/lib/hx509/ks_keychain.c +++ b/source4/heimdal/lib/hx509/ks_keychain.c @@ -43,6 +43,7 @@ OSStatus SecKeyGetCSPHandle(SecKeyRef, CSSM_CSP_HANDLE *); OSStatus SecKeyGetCredentials(SecKeyRef, CSSM_ACL_AUTHORIZATION_TAG, int, const CSSM_ACCESS_CREDENTIALS **); #define kSecCredentialTypeDefault 0 +#define CSSM_SIZE uint32_t #endif diff --git a/source4/heimdal/lib/hx509/ks_p12.c b/source4/heimdal/lib/hx509/ks_p12.c index c17ce3f6ac..d94ab197cd 100644 --- a/source4/heimdal/lib/hx509/ks_p12.c +++ b/source4/heimdal/lib/hx509/ks_p12.c @@ -571,7 +571,7 @@ p12_store(hx509_context context, memset(&as, 0, sizeof(as)); memset(&pfx, 0, sizeof(pfx)); - ret = hx509_certs_iter(context, p12->certs, store_func, &as); + ret = hx509_certs_iter_f(context, p12->certs, store_func, &as); if (ret) goto out; diff --git a/source4/heimdal/lib/hx509/peer.c b/source4/heimdal/lib/hx509/peer.c index c796e19173..457f6c4d04 100644 --- a/source4/heimdal/lib/hx509/peer.c +++ b/source4/heimdal/lib/hx509/peer.c @@ -3,6 +3,8 @@ * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * + * Portions Copyright (c) 2009 Apple Inc. All rights reserved. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -144,6 +146,7 @@ hx509_peer_info_add_cms_alg(hx509_context context, hx509_set_error_string(context, 0, ENOMEM, "out of memory"); return ENOMEM; } + peer->val = ptr; ret = copy_AlgorithmIdentifier(val, &peer->val[peer->len]); if (ret == 0) peer->len += 1; diff --git a/source4/heimdal/lib/hx509/revoke.c b/source4/heimdal/lib/hx509/revoke.c index 21140b3c7e..6d2cac4afb 100644 --- a/source4/heimdal/lib/hx509/revoke.c +++ b/source4/heimdal/lib/hx509/revoke.c @@ -989,7 +989,7 @@ hx509_ocsp_request(hx509_context context, ctx.digest = digest; ctx.parent = NULL; - ret = hx509_certs_iter(context, reqcerts, add_to_req, &ctx); + ret = hx509_certs_iter_f(context, reqcerts, add_to_req, &ctx); hx509_cert_free(ctx.parent); if (ret) goto out; @@ -1004,17 +1004,17 @@ hx509_ocsp_request(hx509_context context, es = req.tbsRequest.requestExtensions; - es->val = calloc(1, sizeof(es->val[0])); + es->val = calloc(es->len, sizeof(es->val[0])); if (es->val == NULL) { ret = ENOMEM; goto out; } + es->len = 1; ret = der_copy_oid(&asn1_oid_id_pkix_ocsp_nonce, &es->val[0].extnID); if (ret) { free_OCSPRequest(&req); return ret; } - es->len = 1; es->val[0].extnValue.data = malloc(10); if (es->val[0].extnValue.data == NULL) { @@ -1153,7 +1153,7 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out) fprintf(out, "appended certs:\n"); if (ocsp.certs) - ret = hx509_certs_iter(context, ocsp.certs, hx509_ci_print_names, out); + ret = hx509_certs_iter_f(context, ocsp.certs, hx509_ci_print_names, out); free_ocsp(&ocsp); return ret; @@ -1486,7 +1486,7 @@ hx509_crl_sign(hx509_context context, } c.tbsCertList.crlExtensions = NULL; - ret = hx509_certs_iter(context, crl->revoked, add_revoked, &c.tbsCertList); + ret = hx509_certs_iter_f(context, crl->revoked, add_revoked, &c.tbsCertList); if (ret) goto out; |
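Review bot: In the hx509_ocsp_request() hunk, `es->val = calloc(es->len, sizeof(es->val[0]))` now sizes the extension array from `es->len`, but `es->len` is unconditionally set to 1 a few lines later and `es->val[0]` is written; how `es->len` was initialised before `es = req.tbsRequest.requestExtensions;` is outside the hunk. If it is 0 at that point — as it would be after a zero-initialising allocation of requestExtensions — `calloc(0, …)` either returns NULL (a spurious ENOMEM) or a zero-length block that the write to `es->val[0].extnID` then overruns; if it is already 1, the later `es->len = 1;` is redundant. Keeping the explicit count, `es->val = calloc(1, sizeof(es->val[0]));`, while retaining the moved `es->len = 1;` (which correctly lets `free_OCSPRequest()` release val[0] on the `der_copy_oid` failure path) avoids both readings. The `if (ret)` branch after `der_copy_oid` still calls `free_OCSPRequest(&req)` and returns directly rather than `goto out`, so whatever the `out` label releases (not visible here) is skipped on that path; pre-existing, but it belongs in the same cleanup path.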