Browse code
Rudimentary blacklisting
Shawn webb authored on 2012/10/18 23:41:12Showing 3 changed files
| ... | ... |
@@ -840,7 +840,7 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg |
| 840 | 840 |
cli_dbgmsg("asn1_parse_mscat: %u new certificates collected\n", newcerts.items);
|
| 841 | 841 |
while(x509) {
|
| 842 | 842 |
cli_crt *parent = crtmgr_verify_crt(cmgr, x509); |
| 843 |
- if(parent) {
|
|
| 843 |
+ if(parent && !(parent->isBlacklisted)) {
|
|
| 844 | 844 |
x509->codeSign &= parent->codeSign; |
| 845 | 845 |
x509->timeSign &= parent->timeSign; |
| 846 | 846 |
if(crtmgr_add(cmgr, x509)) |
| ... | ... |
@@ -31,6 +31,7 @@ int cli_crt_init(cli_crt *x509) {
|
| 31 | 31 |
cli_errmsg("cli_crt_init: mp_init_multi failed with %d\n", ret);
|
| 32 | 32 |
return 1; |
| 33 | 33 |
} |
| 34 |
+ x509->isBlacklisted = 0; |
|
| 34 | 35 |
x509->not_before = x509->not_after = 0; |
| 35 | 36 |
x509->prev = x509->next = NULL; |
| 36 | 37 |
x509->certSign = x509->codeSign = x509->timeSign = 0; |
| ... | ... |
@@ -116,6 +117,7 @@ int crtmgr_add(crtmgr *m, cli_crt *x509) {
|
| 116 | 116 |
i->certSign = x509->certSign; |
| 117 | 117 |
i->codeSign = x509->codeSign; |
| 118 | 118 |
i->timeSign = x509->timeSign; |
| 119 |
+ i->isBlacklisted = x509->isBlacklisted; |
|
| 119 | 120 |
i->next = m->crts; |
| 120 | 121 |
i->prev = NULL; |
| 121 | 122 |
if(m->crts) |
| ... | ... |
@@ -314,8 +316,11 @@ cli_crt *crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const uint8_t *se |
| 314 | 314 |
continue; |
| 315 | 315 |
if(!memcmp(i->issuer, issuer, sizeof(i->issuer)) && |
| 316 | 316 |
!memcmp(i->serial, serial, sizeof(i->serial)) && |
| 317 |
- !crtmgr_rsa_verify(i, &sig, hashtype, refhash)) |
|
| 317 |
+ !crtmgr_rsa_verify(i, &sig, hashtype, refhash)) {
|
|
| 318 |
+ if (i->isBlacklisted) |
|
| 319 |
+ i = NULL; |
|
| 318 | 320 |
break; |
| 321 |
+ } |
|
| 319 | 322 |
} |
| 320 | 323 |
mp_clear(&sig); |
| 321 | 324 |
return i; |