Browse code
check ext key usage
aCaB authored on 2012/01/07 04:06:29Showing 3 changed files
| ... | ... |
@@ -638,13 +638,13 @@ static int asn1_get_x509(fmap_t *map, const void **asn1data, unsigned int *size, |
| 638 | 638 |
} |
| 639 | 639 |
if(ext.size != 8) |
| 640 | 640 |
continue; |
| 641 |
- if(!fmap_need_ptr_once(map, value.content, 8)) {
|
|
| 641 |
+ if(!fmap_need_ptr_once(map, ext.content, 8)) {
|
|
| 642 | 642 |
exts.size = 1; |
| 643 | 643 |
break; |
| 644 | 644 |
} |
| 645 |
- if(!memcmp("\x2b\x06\x01\x05\x05\x07\x03\x03", value.content, 8)) /* id_kp_codeSigning */
|
|
| 645 |
+ if(!memcmp("\x2b\x06\x01\x05\x05\x07\x03\x03", ext.content, 8)) /* id_kp_codeSigning */
|
|
| 646 | 646 |
x509.codeSign = 1; |
| 647 |
- else if(!memcmp("\x2b\x06\x01\x05\x05\x07\x03\x08", value.content, 8)) /* id_kp_timeStamping */
|
|
| 647 |
+ else if(!memcmp("\x2b\x06\x01\x05\x05\x07\x03\x08", ext.content, 8)) /* id_kp_timeStamping */
|
|
| 648 | 648 |
x509.timeSign = 1; |
| 649 | 649 |
} |
| 650 | 650 |
continue; |
| ... | ... |
@@ -1004,7 +1004,7 @@ static int asn1_parse_mscat(fmap_t *map, const void *start, unsigned int size, c |
| 1004 | 1004 |
cli_dbgmsg("asn1_parse_mscat: failed to read encryptedDigest\n");
|
| 1005 | 1005 |
break; |
| 1006 | 1006 |
} |
| 1007 |
- if(crtmgr_verify_pkcs7(cmgr, issuer, asn1.content, asn1.size, CLI_SHA1RSA, sha1)) {
|
|
| 1007 |
+ if(crtmgr_verify_pkcs7(cmgr, issuer, asn1.content, asn1.size, CLI_SHA1RSA, sha1, VRFY_CODE)) {
|
|
| 1008 | 1008 |
cli_dbgmsg("asn1_parse_mscat: pkcs7 signature verification failed\n");
|
| 1009 | 1009 |
break; |
| 1010 | 1010 |
} |
| ... | ... |
@@ -1245,7 +1245,7 @@ static int asn1_parse_mscat(fmap_t *map, const void *start, unsigned int size, c |
| 1245 | 1245 |
cli_dbgmsg("asn1_parse_mscat: failed to read countersignature encryptedDigest\n");
|
| 1246 | 1246 |
break; |
| 1247 | 1247 |
} |
| 1248 |
- if(crtmgr_verify_pkcs7(cmgr, issuer, asn1.content, asn1.size, hashtype, sha1)) {
|
|
| 1248 |
+ if(crtmgr_verify_pkcs7(cmgr, issuer, asn1.content, asn1.size, hashtype, sha1, VRFY_TIME)) {
|
|
| 1249 | 1249 |
cli_dbgmsg("asn1_parse_mscat: pkcs7 countersignature verification failed\n");
|
| 1250 | 1250 |
break; |
| 1251 | 1251 |
} |
| ... | ... |
@@ -33,7 +33,7 @@ int cli_crt_init(cli_crt *x509) {
|
| 33 | 33 |
} |
| 34 | 34 |
x509->not_before = x509->not_after = 0; |
| 35 | 35 |
x509->prev = x509->next = NULL; |
| 36 |
- x509->certSign = x509->codeSign = x509->timeSign = -1; |
|
| 36 |
+ x509->certSign = x509->codeSign = x509->timeSign = 0; |
|
| 37 | 37 |
return 0; |
| 38 | 38 |
} |
| 39 | 39 |
|
| ... | ... |
@@ -127,7 +127,7 @@ int crtmgr_add(crtmgr *m, cli_crt *x509) {
|
| 127 | 127 |
sprintf(&issuer[j*2], "%02x", i->issuer[j]); |
| 128 | 128 |
sprintf(&subject[j*2], "%02x", i->subject[j]); |
| 129 | 129 |
} |
| 130 |
- cli_dbgmsg("crtmgr_add: added cert s:%s i:%s n:%s e:%s %lu->%lu\n", subject, issuer, mod, exp, (unsigned long)i->not_before, (unsigned long)i->not_after);
|
|
| 130 |
+ cli_dbgmsg("crtmgr_add: added cert s:%s i:%s n:%s e:%s %lu->%lu %s%s%s\n", subject, issuer, mod, exp, (unsigned long)i->not_before, (unsigned long)i->not_after, i->certSign ? "cert ":"", i->codeSign ? "code ":"", i->timeSign ? "time":"");
|
|
| 131 | 131 |
} |
| 132 | 132 |
m->items++; |
| 133 | 133 |
return 0; |
| ... | ... |
@@ -267,13 +267,11 @@ int crtmgr_verify_crt(crtmgr *m, cli_crt *x509) {
|
| 267 | 267 |
return 1; |
| 268 | 268 |
} |
| 269 | 269 |
|
| 270 |
-int crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const void *signature, unsigned int signature_len, cli_crt_hashtype hashtype, const uint8_t *refhash) {
|
|
| 270 |
+int crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const void *signature, unsigned int signature_len, cli_crt_hashtype hashtype, const uint8_t *refhash, cli_vrfy_type vrfytype) {
|
|
| 271 | 271 |
cli_crt *i; |
| 272 | 272 |
mp_int sig; |
| 273 | 273 |
int ret; |
| 274 | 274 |
|
| 275 |
- /* FIXME: add check on serial ? */ |
|
| 276 |
- |
|
| 277 | 275 |
if(signature_len < 1024/8 || signature_len > 4096/8+1) {
|
| 278 | 276 |
cli_dbgmsg("crtmgr_verify_pkcs7: unsupported sig len: %u\n", signature_len);
|
| 279 | 277 |
return 1; |
| ... | ... |
@@ -290,6 +288,10 @@ int crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const void *signature, |
| 290 | 290 |
|
| 291 | 291 |
ret = 1; |
| 292 | 292 |
for(i = m->crts; i; i = i->next) {
|
| 293 |
+ if(vrfytype == VRFY_CODE && !i->codeSign) |
|
| 294 |
+ continue; |
|
| 295 |
+ if(vrfytype == VRFY_TIME && !i->timeSign) |
|
| 296 |
+ continue; |
|
| 293 | 297 |
if(!memcmp(i->issuer, issuer, sizeof(i->issuer)) && |
| 294 | 298 |
!crtmgr_rsa_verify(i, &sig, hashtype, refhash)) {
|
| 295 | 299 |
ret = 0; |
| ... | ... |
@@ -27,7 +27,7 @@ |
| 27 | 27 |
#include "sha1.h" |
| 28 | 28 |
|
| 29 | 29 |
typedef enum { CLI_SHA1RSA, CLI_MD5RSA } cli_crt_hashtype;
|
| 30 |
- |
|
| 30 |
+typedef enum {VRFY_CODE, VRFY_TIME} cli_vrfy_type;
|
|
| 31 | 31 |
|
| 32 | 32 |
typedef struct cli_crt_t {
|
| 33 | 33 |
uint8_t subject[SHA1_HASH_SIZE]; |
| ... | ... |
@@ -60,7 +60,7 @@ int crtmgr_add(crtmgr *m, cli_crt *x509); |
| 60 | 60 |
cli_crt *crtmgr_lookup(crtmgr *m, cli_crt *x509); |
| 61 | 61 |
void crtmgr_del(crtmgr *m, cli_crt *x509); |
| 62 | 62 |
int crtmgr_verify_crt(crtmgr *m, cli_crt *x509); |
| 63 |
-int crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const void *signature, unsigned int signature_len, cli_crt_hashtype hashtype, const uint8_t *refhash); |
|
| 63 |
+int crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const void *signature, unsigned int signature_len, cli_crt_hashtype hashtype, const uint8_t *refhash, cli_vrfy_type vrfytype); |
|
| 64 | 64 |
int crtmgr_add_roots(crtmgr *m); |
| 65 | 65 |
|
| 66 | 66 |
|