... | ... |
@@ -423,63 +423,9 @@ int crtmgr_add_roots(struct cl_engine *engine, crtmgr *m) { |
423 | 423 |
cli_crt *crt, *new_crt; |
424 | 424 |
|
425 | 425 |
/* |
426 |
- * Only add trusted (and revoked) root certs once. Copy certs |
|
427 |
- * from engine's root certs list. |
|
426 |
+ * Certs are cached in engine->cmgr. Copy from there. |
|
428 | 427 |
*/ |
429 |
- if (m == &(engine->cmgr)) { |
|
430 |
- do { |
|
431 |
- if(cli_crt_init(&ca)) |
|
432 |
- return 1; |
|
433 |
- |
|
434 |
- memset(ca.issuer, '\xca', sizeof(ca.issuer)); |
|
435 |
- memcpy(ca.subject, MSCA_SUBJECT, sizeof(ca.subject)); |
|
436 |
- memset(ca.serial, '\xca', sizeof(ca.serial)); |
|
437 |
- if(mp_read_unsigned_bin(&ca.n, MSCA_MOD, sizeof(MSCA_MOD)-1) || mp_read_unsigned_bin(&ca.e, MSCA_EXP, sizeof(MSCA_EXP)-1)) { |
|
438 |
- cli_errmsg("crtmgr_add_roots: failed to read MSCA key\n"); |
|
439 |
- break; |
|
440 |
- } |
|
441 |
- ca.not_before = 0; |
|
442 |
- ca.not_after = (-1U)>>1; |
|
443 |
- ca.certSign = 1; |
|
444 |
- ca.codeSign = 1; |
|
445 |
- ca.timeSign = 1; |
|
446 |
- if(crtmgr_add(m, &ca)) |
|
447 |
- break; |
|
448 |
- |
|
449 |
- memcpy(ca.subject, MSA_SUBJECT, sizeof(ca.subject)); |
|
450 |
- if(mp_read_unsigned_bin(&ca.n, MSA_MOD, sizeof(MSA_MOD)-1) || mp_read_unsigned_bin(&ca.e, MSA_EXP, sizeof(MSA_EXP)-1)) { |
|
451 |
- cli_errmsg("crtmgr_add_roots: failed to read MSA key\n"); |
|
452 |
- break; |
|
453 |
- } |
|
454 |
- if(crtmgr_add(m, &ca)) |
|
455 |
- break; |
|
456 |
- |
|
457 |
- memcpy(ca.subject, VER_SUBJECT, sizeof(ca.subject)); |
|
458 |
- if(mp_read_unsigned_bin(&ca.n, VER_MOD, sizeof(VER_MOD)-1) || mp_read_unsigned_bin(&ca.e, VER_EXP, sizeof(VER_EXP)-1)) { |
|
459 |
- cli_errmsg("crtmgr_add_roots: failed to read VER key\n"); |
|
460 |
- break; |
|
461 |
- } |
|
462 |
- ca.timeSign = 0; |
|
463 |
- if(crtmgr_add(m, &ca)) |
|
464 |
- break; |
|
465 |
- |
|
466 |
- memcpy(ca.subject, THAW_SUBJECT, sizeof(ca.subject)); |
|
467 |
- if(mp_read_unsigned_bin(&ca.n, THAW_MOD, sizeof(THAW_MOD)-1) || mp_read_unsigned_bin(&ca.e, THAW_EXP, sizeof(THAW_EXP)-1)) { |
|
468 |
- cli_errmsg("crtmgr_add_roots: failed to read THAW key\n"); |
|
469 |
- break; |
|
470 |
- } |
|
471 |
- ca.codeSign = 0; |
|
472 |
- ca.timeSign = 1; |
|
473 |
- if(crtmgr_add(m, &ca)) |
|
474 |
- break; |
|
475 |
- |
|
476 |
- return 0; |
|
477 |
- } while(0); |
|
478 |
- |
|
479 |
- cli_crt_clear(&ca); |
|
480 |
- crtmgr_free(m); |
|
481 |
- return 1; |
|
482 |
- } else { |
|
428 |
+ if (m != &(engine->cmgr)) { |
|
483 | 429 |
for (crt = engine->cmgr.crts; crt != NULL; crt = crt->next) { |
484 | 430 |
if (crtmgr_add(m, crt)) { |
485 | 431 |
crtmgr_free(m); |
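Review bot: The new `if (m != &(engine->cmgr))` guard leaves the engine's own manager untouched and, together with the `return 1` → `return 0` change in the second hunk of this function, now reports success for that case, but the rewritten header comment only says that certs are copied from engine->cmgr. A comment on the guard such as `/* m == &engine->cmgr: nothing to add here; the engine's roots are populated by the .crt database loader (cli_loadcrt). */` would record the new contract for callers that previously relied on this function to seed the built-in roots. As far as these hunks show, an engine with no `.crt` database loaded now ends up with an empty manager where it previously held the four hard-coded roots, which is a behavioural change worth a sentence in the commit description. The loop body between the two hunks is outside the visible lines, so I cannot tell whether `new_crt` is still used after the removal.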
... | ... |
@@ -490,5 +436,5 @@ int crtmgr_add_roots(struct cl_engine *engine, crtmgr *m) { |
490 | 490 |
return 0; |
491 | 491 |
} |
492 | 492 |
|
493 |
- return 1; |
|
493 |
+ return 0; |
|
494 | 494 |
} |
... | ... |
@@ -2362,6 +2362,118 @@ static int cli_loadcdb(FILE *fs, struct cl_engine *engine, unsigned int *signo, |
2362 | 2362 |
return CL_SUCCESS; |
2363 | 2363 |
} |
2364 | 2364 |
|
2365 |
+/* |
|
2366 |
+ * Name;trusted:subject:pubkey;exponent;comment[;minFL;maxFL] |
|
2367 |
+ * Name and comment are ignored. They're just for the end user. |
|
2368 |
+ */ |
|
2369 |
+#define CRT_TOKENS 11 |
|
2370 |
+static int cli_loadcrt(FILE *fs, struct cl_engine *engine, struct cli_dbio *dbio) { |
|
2371 |
+ char buffer[FILEBUFF]; |
|
2372 |
+ char *tokens[CRT_TOKENS+1]; |
|
2373 |
+ size_t line=0, tokens_count, i, j; |
|
2374 |
+ cli_crt ca; |
|
2375 |
+ int ret=CL_SUCCESS; |
|
2376 |
+ char *subject, *pubkey, *exponent; |
|
2377 |
+ const uint8_t exp[] = "\x01\x00\x01"; |
|
2378 |
+ char c; |
|
2379 |
+ |
|
2380 |
+ cli_crt_init(&ca); |
|
2381 |
+ memset(ca.issuer, '\xca', sizeof(ca.issuer)); |
|
2382 |
+ memset(ca.serial, '\xca', sizeof(ca.serial)); |
|
2383 |
+ |
|
2384 |
+ while (cli_dbgets(buffer, FILEBUFF, fs, dbio)) { |
|
2385 |
+ line++; |
|
2386 |
+ |
|
2387 |
+ if (buffer[0] == '#') |
|
2388 |
+ continue; |
|
2389 |
+ |
|
2390 |
+ cli_chomp(buffer); |
|
2391 |
+ if (!strlen(buffer)) |
|
2392 |
+ continue; |
|
2393 |
+ |
|
2394 |
+ tokens_count = cli_strtokenize(buffer, ';', CRT_TOKENS + 1, (const char **)tokens); |
|
2395 |
+ if (tokens_count > CRT_TOKENS || tokens_count < CRT_TOKENS - 2) { |
|
2396 |
+ cli_errmsg("cli_loadcrt: line %u: Invalid number of tokens: %u\n", line, tokens_count); |
|
2397 |
+ ret = CL_EMALFDB; |
|
2398 |
+ goto end; |
|
2399 |
+ } |
|
2400 |
+ |
|
2401 |
+ switch (tokens[1][0]) { |
|
2402 |
+ case '1': |
|
2403 |
+ ca.isBlacklisted = 0; |
|
2404 |
+ break; |
|
2405 |
+ case '0': |
|
2406 |
+ ca.isBlacklisted = 1; |
|
2407 |
+ break; |
|
2408 |
+ default: |
|
2409 |
+ cli_errmsg("cli_loadcrt: line %u: Invalid trust specification. Expected 0 or 1\n", line); |
|
2410 |
+ ret = CL_EMALFDB; |
|
2411 |
+ goto end; |
|
2412 |
+ } |
|
2413 |
+ |
|
2414 |
+ subject = cli_hex2str(tokens[2]); |
|
2415 |
+ pubkey = cli_hex2str(tokens[3]); |
|
2416 |
+ |
|
2417 |
+ if (!subject) { |
|
2418 |
+ cli_errmsg("cli_loadcrt: line %u: Cannot convert subject to binary string\n", line); |
|
2419 |
+ ret = CL_EMALFDB; |
|
2420 |
+ goto end; |
|
2421 |
+ } |
|
2422 |
+ if (!pubkey) { |
|
2423 |
+ cli_errmsg("cli_loadcrt: line %u: Cannot convert public key to binary string\n", line); |
|
2424 |
+ ret = CL_EMALFDB; |
|
2425 |
+ goto end; |
|
2426 |
+ } |
|
2427 |
+ |
|
2428 |
+ memcpy(ca.subject, subject, sizeof(ca.subject)); |
|
2429 |
+ if (mp_read_unsigned_bin(&(ca.n), pubkey, strlen(tokens[3])/2) || mp_read_unsigned_bin(&(ca.e), exp, sizeof(exp)-1)) { |
|
2430 |
+ cli_errmsg("cli_loadcrt: line %u: Cannot convert exponent to binary data\n", line); |
|
2431 |
+ ret = CL_EMALFDB; |
|
2432 |
+ goto end; |
|
2433 |
+ } |
|
2434 |
+ |
|
2435 |
+ cli_dbgmsg("sizeof(exp): %u. sizeof(exp)-1: %u\n", sizeof(exp), sizeof(exp)-1); |
|
2436 |
+ |
|
2437 |
+ switch (tokens[5][0]) { |
|
2438 |
+ case '1': |
|
2439 |
+ ca.codeSign = 1; |
|
2440 |
+ break; |
|
2441 |
+ case '0': |
|
2442 |
+ ca.codeSign = 0; |
|
2443 |
+ break; |
|
2444 |
+ default: |
|
2445 |
+ cli_errmsg("cli_loadcrt: line %u: Invalid code sign specification. Expected 0 or 1\n", line); |
|
2446 |
+ ret = CL_EMALFDB; |
|
2447 |
+ goto end; |
|
2448 |
+ } |
|
2449 |
+ |
|
2450 |
+ switch (tokens[6][0]) { |
|
2451 |
+ case '1': |
|
2452 |
+ ca.timeSign = 1; |
|
2453 |
+ break; |
|
2454 |
+ case '0': |
|
2455 |
+ ca.timeSign = 0; |
|
2456 |
+ break; |
|
2457 |
+ default: |
|
2458 |
+ cli_errmsg("cli_loadcrt: line %u: Invalid time sign specification. Expected 0 or 1\n", line); |
|
2459 |
+ ret = CL_EMALFDB; |
|
2460 |
+ goto end; |
|
2461 |
+ } |
|
2462 |
+ |
|
2463 |
+ if (strlen(tokens[7])) |
|
2464 |
+ ca.not_before = atoi(tokens[7]); |
|
2465 |
+ ca.not_after = (-1U)>>1; |
|
2466 |
+ ca.certSign = 1; |
|
2467 |
+ |
|
2468 |
+ crtmgr_add(&(engine->cmgr), &ca); |
|
2469 |
+ } |
|
2470 |
+ |
|
2471 |
+end: |
|
2472 |
+ cli_dbgmsg("Number of certs: %d\n", engine->cmgr.items); |
|
2473 |
+ cli_crt_clear(&ca); |
|
2474 |
+ return ret; |
|
2475 |
+} |
|
2476 |
+ |
|
2365 | 2477 |
static int cli_loadmscat(FILE *fs, const char *dbname, struct cl_engine *engine, unsigned int options, struct cli_dbio *dbio) { |
2366 | 2478 |
fmap_t *map; |
2367 | 2479 |
|
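Review bot: `memcpy(ca.subject, subject, sizeof(ca.subject))` copies a fixed number of bytes out of the decoded `tokens[2]` without checking the token's length, so a subject field shorter than `2 * sizeof(ca.subject)` hex digits reads past the buffer cli_hex2str returned (which presumably holds `strlen(tokens[2])/2` bytes, as the pubkey read on the next line assumes); a guard such as `if (strlen(tokens[2]) != 2 * sizeof(ca.subject)) { cli_errmsg("cli_loadcrt: line %zu: Invalid subject length\n", line); ret = CL_EMALFDB; goto end; }` before decoding would reject the line instead. If cli_hex2str allocates, as its NULL return on failure suggests, `subject` and `pubkey` are never freed on the success path or on any `goto end`, and `pubkey` also leaks when only `subject` fails, so every database line leaks two buffers. The return of `crtmgr_add(&(engine->cmgr), &ca)` is ignored and `cli_crt_init(&ca)` is unchecked, unlike the code removed from crtmgr_add_roots, so a failed insert into the trust store is reported as CL_SUCCESS. The format comment above CRT_TOKENS does not match the parser: the range check admits 9 to 11 fields and the code reads tokens[5] as codeSign, tokens[6] as timeSign and tokens[7] as not_before while the exponent field is ignored in favour of the hard-coded `exp`, so the comment should list the fields in that order. `line` and `tokens_count` are `size_t` printed with `%u` (likewise the `sizeof(exp)` cli_dbgmsg, which reads like leftover debugging output), which is undefined where `size_t` is wider than `unsigned`; use `%zu` or cast.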
... | ... |
@@ -2422,6 +2534,9 @@ int cli_load(const char *filename, struct cl_engine *engine, unsigned int *signo |
2422 | 2422 |
} else if(cli_strbcasestr(dbname, ".cud")) { |
2423 | 2423 |
ret = cli_cvdload(fs, engine, signo, options, 2, filename, 0); |
2424 | 2424 |
|
2425 |
+ } else if (cli_strbcasestr(dbname, ".crt")) { |
|
2426 |
+ ret = cli_loadcrt(fs, engine, dbio); |
|
2427 |
+ |
|
2425 | 2428 |
} else if(cli_strbcasestr(dbname, ".hdb") || cli_strbcasestr(dbname, ".hsb")) { |
2426 | 2429 |
ret = cli_loadhash(fs, engine, signo, MD5_HDB, options, dbio, dbname); |
2427 | 2430 |
} else if(cli_strbcasestr(dbname, ".hdu") || cli_strbcasestr(dbname, ".hsu")) { |