@@ -638,13 +638,13 @@ static int asn1_get_x509(fmap_t *map, const void **asn1data, unsigned int *size, |
638 | 638 |
} |
639 | 639 |
if(ext.size != 8) |
640 | 640 |
continue; |
641 |
- if(!fmap_need_ptr_once(map, value.content, 8)) { |
|
641 |
+ if(!fmap_need_ptr_once(map, ext.content, 8)) { |
|
642 | 642 |
exts.size = 1; |
643 | 643 |
break; |
644 | 644 |
} |
645 |
- if(!memcmp("\x2b\x06\x01\x05\x05\x07\x03\x03", value.content, 8)) /* id_kp_codeSigning */ |
|
645 |
+ if(!memcmp("\x2b\x06\x01\x05\x05\x07\x03\x03", ext.content, 8)) /* id_kp_codeSigning */ |
|
646 | 646 |
x509.codeSign = 1; |
647 |
- else if(!memcmp("\x2b\x06\x01\x05\x05\x07\x03\x08", value.content, 8)) /* id_kp_timeStamping */ |
|
647 |
+ else if(!memcmp("\x2b\x06\x01\x05\x05\x07\x03\x08", ext.content, 8)) /* id_kp_timeStamping */ |
|
648 | 648 |
x509.timeSign = 1; |
649 | 649 |
} |
650 | 650 |
continue; |
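Review bot: The two EKU OIDs on the corrected memcmp lines are still inline escape strings whose meaning is only recoverable from the trailing comment; hoisting them into named constants with the dotted form, `static const uint8_t oid_kp_codeSigning[8] = "\x2b\x06\x01\x05\x05\x07\x03\x03"; /* 1.3.6.1.5.5.7.3.3 */` and likewise `oid_kp_timeStamping` for the `...\x03\x08` string (1.3.6.1.5.5.7.3.8), keeps the compare and the `ext.size != 8` guard visibly tied to the same 8-byte DER encoding. The `exts.size = 1; break;` taken when fmap_need_ptr_once fails also reads as a sentinel whose meaning lives outside this hunk; a one-line comment such as `/* map failure: force the caller's extension loop to report an error */` would help, assuming that is what the caller checks. asn1_get_x509 begins before and continues after this hunk.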
@@ -1004,7 +1004,7 @@ static int asn1_parse_mscat(fmap_t *map, const void *start, unsigned int size, c |
1004 | 1004 |
cli_dbgmsg("asn1_parse_mscat: failed to read encryptedDigest\n"); |
1005 | 1005 |
break; |
1006 | 1006 |
} |
1007 |
- if(crtmgr_verify_pkcs7(cmgr, issuer, asn1.content, asn1.size, CLI_SHA1RSA, sha1)) { |
|
1007 |
+ if(crtmgr_verify_pkcs7(cmgr, issuer, asn1.content, asn1.size, CLI_SHA1RSA, sha1, VRFY_CODE)) { |
|
1008 | 1008 |
cli_dbgmsg("asn1_parse_mscat: pkcs7 signature verification failed\n"); |
1009 | 1009 |
break; |
1010 | 1010 |
} |
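Review bot: With the VRFY_CODE filter in place, the failure branch's debug message no longer distinguishes a bad signature from "no certificate under this issuer carries id-kp-codeSigning", which is the case a triager will now hit when a store lacks EKU-flagged certificates; consider `cli_dbgmsg("asn1_parse_mscat: pkcs7 signature verification failed (bad signature or no code-signing cert for issuer)\n");`. The hash type is still the constant CLI_SHA1RSA here while the countersignature call site passes a `hashtype` variable; if the signerInfo digestAlgorithm is available at this point (outside the hunk, if at all), passing it would make the two call sites consistent, though rejecting non-SHA1 signatures here is not a security regression. asn1_parse_mscat begins before and continues after this hunk.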
@@ -1245,7 +1245,7 @@ static int asn1_parse_mscat(fmap_t *map, const void *start, unsigned int size, c |
1245 | 1245 |
cli_dbgmsg("asn1_parse_mscat: failed to read countersignature encryptedDigest\n"); |
1246 | 1246 |
break; |
1247 | 1247 |
} |
1248 |
- if(crtmgr_verify_pkcs7(cmgr, issuer, asn1.content, asn1.size, hashtype, sha1)) { |
|
1248 |
+ if(crtmgr_verify_pkcs7(cmgr, issuer, asn1.content, asn1.size, hashtype, sha1, VRFY_TIME)) { |
|
1249 | 1249 |
cli_dbgmsg("asn1_parse_mscat: pkcs7 countersignature verification failed\n"); |
1250 | 1250 |
break; |
1251 | 1251 |
} |
@@ -33,7 +33,7 @@ int cli_crt_init(cli_crt *x509) { |
33 | 33 |
} |
34 | 34 |
x509->not_before = x509->not_after = 0; |
35 | 35 |
x509->prev = x509->next = NULL; |
36 |
- x509->certSign = x509->codeSign = x509->timeSign = -1; |
|
36 |
+ x509->certSign = x509->codeSign = x509->timeSign = 0; |
|
37 | 37 |
return 0; |
38 | 38 |
} |
39 | 39 |
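Review bot: Changing the initial value from -1 to 0 collapses the old tri-state (unknown / not asserted / asserted) into a boolean, and nothing in the hunk records what 0 now means; the flags are consulted as plain truth values by the verifier, so a certificate whose flags were never set is treated as unusable for both purposes. Add a why-comment on the assignment, e.g. `/* purpose flags: 0 until an EKU OID asserts the use; gated on by crtmgr_verify_pkcs7 */`, so the next reader does not reintroduce -1 as "unknown". cli_crt_init starts before this hunk.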
|
@@ -127,7 +127,7 @@ int crtmgr_add(crtmgr *m, cli_crt *x509) { |
127 | 127 |
sprintf(&issuer[j*2], "%02x", i->issuer[j]); |
128 | 128 |
sprintf(&subject[j*2], "%02x", i->subject[j]); |
129 | 129 |
} |
130 |
- cli_dbgmsg("crtmgr_add: added cert s:%s i:%s n:%s e:%s %lu->%lu\n", subject, issuer, mod, exp, (unsigned long)i->not_before, (unsigned long)i->not_after); |
|
130 |
+ cli_dbgmsg("crtmgr_add: added cert s:%s i:%s n:%s e:%s %lu->%lu %s%s%s\n", subject, issuer, mod, exp, (unsigned long)i->not_before, (unsigned long)i->not_after, i->certSign ? "cert ":"", i->codeSign ? "code ":"", i->timeSign ? "time":""); |
|
131 | 131 |
} |
132 | 132 |
m->items++; |
133 | 133 |
return 0; |
@@ -267,13 +267,11 @@ int crtmgr_verify_crt(crtmgr *m, cli_crt *x509) { |
267 | 267 |
return 1; |
268 | 268 |
} |
269 | 269 |
|
270 |
-int crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const void *signature, unsigned int signature_len, cli_crt_hashtype hashtype, const uint8_t *refhash) { |
|
270 |
+int crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const void *signature, unsigned int signature_len, cli_crt_hashtype hashtype, const uint8_t *refhash, cli_vrfy_type vrfytype) { |
|
271 | 271 |
cli_crt *i; |
272 | 272 |
mp_int sig; |
273 | 273 |
int ret; |
274 | 274 |
|
275 |
- /* FIXME: add check on serial ? */ |
|
276 |
- |
|
277 | 275 |
if(signature_len < 1024/8 || signature_len > 4096/8+1) { |
278 | 276 |
cli_dbgmsg("crtmgr_verify_pkcs7: unsupported sig len: %u\n", signature_len); |
279 | 277 |
return 1; |
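Review bot: The `FIXME: add check on serial ?` comment is deleted but the concern is not addressed — the match in the loop later in this function still keys on the issuer hash alone and tries every certificate under that issuer. Because crtmgr_rsa_verify must also succeed, a wrong-key certificate cannot make verification pass, so this is a lookup-precision gap rather than a bypass, but it deserves a comment saying why rather than silent removal: `/* lookup is by issuer hash only; every cert under the issuer is tried and the RSA check rejects the wrong key */`. The new vrfytype parameter also has no documentation at the definition. crtmgr_verify_pkcs7's body continues past the end of this hunk.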
@@ -290,6 +288,10 @@ int crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const void *signature, |
290 | 290 |
|
291 | 291 |
ret = 1; |
292 | 292 |
for(i = m->crts; i; i = i->next) { |
293 |
+ if(vrfytype == VRFY_CODE && !i->codeSign) |
|
294 |
+ continue; |
|
295 |
+ if(vrfytype == VRFY_TIME && !i->timeSign) |
|
296 |
+ continue; |
|
293 | 297 |
if(!memcmp(i->issuer, issuer, sizeof(i->issuer)) && |
294 | 298 |
!crtmgr_rsa_verify(i, &sig, hashtype, refhash)) { |
295 | 299 |
ret = 0; |
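Review bot: The purpose filter fails open for any `vrfytype` value other than the two enumerators: a caller passing an out-of-range int (C enums are plain ints) gets a loop that skips nothing, so the check is silently disabled rather than failing closed. Reject unknown types alongside the other early `return 1` paths before the loop, `if(vrfytype != VRFY_CODE && vrfytype != VRFY_TIME) return 1;`, or write the filter as a switch whose `default` aborts the verification. Note also that, as far as this diff shows, the flags are set only from the EKU OID match in asn1_get_x509, so a certificate carrying no extendedKeyUsage extension at all is now excluded for both purposes; RFC 5280 treats a missing EKU as unrestricted, so roots or intermediates without EKU will stop chaining — presumably intended, but worth a comment on the filter. crtmgr_verify_pkcs7's body continues past this hunk.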
@@ -27,7 +27,7 @@ |
27 | 27 |
#include "sha1.h" |
28 | 28 |
|
29 | 29 |
typedef enum { CLI_SHA1RSA, CLI_MD5RSA } cli_crt_hashtype; |
30 |
- |
|
30 |
+typedef enum {VRFY_CODE, VRFY_TIME} cli_vrfy_type; |
|
31 | 31 |
|
32 | 32 |
typedef struct cli_crt_t { |
33 | 33 |
uint8_t subject[SHA1_HASH_SIZE]; |
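Review bot: The new enum is undocumented even though it is the value that decides which cli_crt purpose flag gates a verification; annotate each enumerator, `typedef enum { VRFY_CODE, /* signer must carry id-kp-codeSigning */ VRFY_TIME /* signer must carry id-kp-timeStamping */ } cli_vrfy_type;`. A comment here is the cheapest way to keep the header self-explanatory for the callers in asn1.c that must pick the right one.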
@@ -60,7 +60,7 @@ int crtmgr_add(crtmgr *m, cli_crt *x509); |
60 | 60 |
cli_crt *crtmgr_lookup(crtmgr *m, cli_crt *x509); |
61 | 61 |
void crtmgr_del(crtmgr *m, cli_crt *x509); |
62 | 62 |
int crtmgr_verify_crt(crtmgr *m, cli_crt *x509); |
63 |
-int crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const void *signature, unsigned int signature_len, cli_crt_hashtype hashtype, const uint8_t *refhash); |
|
63 |
+int crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const void *signature, unsigned int signature_len, cli_crt_hashtype hashtype, const uint8_t *refhash, cli_vrfy_type vrfytype); |
|
64 | 64 |
int crtmgr_add_roots(crtmgr *m); |
65 | 65 |
|
66 | 66 |
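Review bot: The prototype gains a parameter but the header still carries no contract for the function: from the definition it returns 0 when some certificate under `issuer` that is allowed for `vrfytype` verifies `signature` against `refhash`, and 1 on every failure including an unsupported `signature_len`. A doc comment above the declaration, e.g. `/* Returns 0 if a cert matching issuer, permitted for vrfytype, verifies signature against refhash; 1 otherwise. */`, would make the new parameter discoverable without reading crtmgr.c.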
|