From ab6e3fce040f9ad27cbce44e9038a24f15b601c8 Mon Sep 17 00:00:00 2001 From: Matthieu Patou Date: Sun, 15 Aug 2010 18:31:28 +0400 Subject: s4:heimdal: import lorikeet-heimdal-201009250123 (commit 42cabfb5b683dbcb97d583c397b897507689e382) I based this on Matthieu's import of lorikeet-heimdal, and then updated it to this commit. Andrew Bartlett --- source4/heimdal/lib/hx509/cms.c | 53 +++++++++++++++++++++++++++-------------- 1 file changed, 35 insertions(+), 18 deletions(-) (limited to 'source4/heimdal/lib/hx509/cms.c') diff --git a/source4/heimdal/lib/hx509/cms.c b/source4/heimdal/lib/hx509/cms.c index 5506cee463..224c39086c 100644 --- a/source4/heimdal/lib/hx509/cms.c +++ b/source4/heimdal/lib/hx509/cms.c @@ -1170,6 +1170,7 @@ struct sigctx { heim_octet_string content; hx509_peer_info peer; int cmsidflag; + int leafonly; hx509_certs certs; hx509_certs anchors; hx509_certs pool; @@ -1360,7 +1361,7 @@ sig_process(hx509_context context, void *ctx, hx509_cert cert) if (sigctx->certs) { unsigned int i; - if (sigctx->pool) { + if (sigctx->pool && sigctx->leafonly == 0) { _hx509_calculate_path(context, HX509_CALCULATE_PATH_NO_ANCHOR, time(NULL), @@ -1415,6 +1416,12 @@ cert_process(hx509_context context, void *ctx, hx509_cert cert) return ret; } +static int +cmp_AlgorithmIdentifier(const AlgorithmIdentifier *p, const AlgorithmIdentifier *q) +{ + return der_heim_oid_cmp(&p->algorithm, &q->algorithm); +} + int hx509_cms_create_signed(hx509_context context, int flags, @@ -1427,7 +1434,7 @@ hx509_cms_create_signed(hx509_context context, hx509_certs pool, heim_octet_string *signed_data) { - unsigned int i; + unsigned int i, j; hx509_name name; int ret; size_t size; @@ -1454,9 +1461,22 @@ hx509_cms_create_signed(hx509_context context, else sigctx.cmsidflag = CMS_ID_SKI; - ret = hx509_certs_init(context, "MEMORY:certs", 0, NULL, &sigctx.certs); - if (ret) - return ret; + /** + * Use HX509_CMS_SIGNATURE_LEAF_ONLY to only request leaf + * certificates to be added to the SignedData. + */ + sigctx.leafonly = (flags & HX509_CMS_SIGNATURE_LEAF_ONLY) ? 1 : 0; + + /** + * Use HX509_CMS_NO_CERTS to make the SignedData contain no + * certificates, overrides HX509_CMS_SIGNATURE_LEAF_ONLY. + */ + + if ((flags & HX509_CMS_SIGNATURE_NO_CERTS) == 0) { + ret = hx509_certs_init(context, "MEMORY:certs", 0, NULL, &sigctx.certs); + if (ret) + return ret; + } sigctx.anchors = anchors; sigctx.pool = pool; @@ -1497,22 +1517,19 @@ hx509_cms_create_signed(hx509_context context, } if (sigctx.sd.signerInfos.len) { - ALLOC_SEQ(&sigctx.sd.digestAlgorithms, sigctx.sd.signerInfos.len); - if (sigctx.sd.digestAlgorithms.val == NULL) { - ret = ENOMEM; - hx509_clear_error_string(context); - goto out; - } - - /* XXX remove dups */ for (i = 0; i < sigctx.sd.signerInfos.len; i++) { AlgorithmIdentifier *di = &sigctx.sd.signerInfos.val[i].digestAlgorithm; - ret = copy_AlgorithmIdentifier(di, - &sigctx.sd.digestAlgorithms.val[i]); - if (ret) { - hx509_clear_error_string(context); - goto out; + + for (j = 0; j < sigctx.sd.digestAlgorithms.len; j++) + if (cmp_AlgorithmIdentifier(di, &sigctx.sd.digestAlgorithms.val[j]) == 0) + break; + if (j < sigctx.sd.digestAlgorithms.len) { + ret = add_DigestAlgorithmIdentifiers(&sigctx.sd.digestAlgorithms, di); + if (ret) { + hx509_clear_error_string(context); + goto out; + } } } } -- cgit