|
 |
d1e1c8 |
From 705d47ac2c90b8de07a4ef3e1930de6c4b8fece0 Mon Sep 17 00:00:00 2001
|
|
|
d1e1c8 |
From: Peter Jones <pjones@redhat.com>
|
|
|
d1e1c8 |
Date: Wed, 22 Jul 2020 19:54:58 -0400
|
|
|
d1e1c8 |
Subject: [PATCH 59/62] Make openssl accept the right set of KU/EKUs
|
|
|
d1e1c8 |
|
|
|
d1e1c8 |
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
d1e1c8 |
Upstream: pr#211
|
|
|
d1e1c8 |
---
|
|
|
d1e1c8 |
Cryptlib/Pk/CryptPkcs7Verify.c | 87 ++++++++++++++++++++++++++++++++++
|
|
|
d1e1c8 |
1 file changed, 87 insertions(+)
|
|
|
d1e1c8 |
|
|
|
d1e1c8 |
diff --git a/Cryptlib/Pk/CryptPkcs7Verify.c b/Cryptlib/Pk/CryptPkcs7Verify.c
|
|
|
d1e1c8 |
index dcaba436797..09895d8c66a 100644
|
|
|
d1e1c8 |
--- a/Cryptlib/Pk/CryptPkcs7Verify.c
|
|
|
d1e1c8 |
+++ b/Cryptlib/Pk/CryptPkcs7Verify.c
|
|
|
d1e1c8 |
@@ -30,6 +30,91 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
|
|
d1e1c8 |
|
|
|
d1e1c8 |
UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
|
|
|
d1e1c8 |
|
|
|
d1e1c8 |
+#if 1
|
|
|
d1e1c8 |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
d1e1c8 |
+#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
|
|
|
d1e1c8 |
+#define X509_OBJECT_get_type(obj) ((obj)->type)
|
|
|
d1e1c8 |
+#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
|
|
|
d1e1c8 |
+#define X509_STORE_get0_objects(certs) ((certs)->objs)
|
|
|
d1e1c8 |
+#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
|
|
|
d1e1c8 |
+#if OPENSSL_VERSION_NUMBER < 0x10020000L
|
|
|
d1e1c8 |
+#define X509_STORE_CTX_get0_store(ctx) ((ctx)->ctx)
|
|
|
d1e1c8 |
+#endif
|
|
|
d1e1c8 |
+#endif
|
|
|
d1e1c8 |
+
|
|
|
d1e1c8 |
+static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
|
|
|
d1e1c8 |
+{
|
|
|
d1e1c8 |
+ X509_OBJECT obj;
|
|
|
d1e1c8 |
+ obj.type = X509_LU_X509;
|
|
|
d1e1c8 |
+ obj.data.x509 = cert;
|
|
|
d1e1c8 |
+ return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
|
|
|
d1e1c8 |
+}
|
|
|
d1e1c8 |
+#else
|
|
|
d1e1c8 |
+/*
|
|
|
d1e1c8 |
+ * Later versions of openssl will need this instead.
|
|
|
d1e1c8 |
+ */
|
|
|
d1e1c8 |
+static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
|
|
|
d1e1c8 |
+{
|
|
|
d1e1c8 |
+ STACK_OF(X509_OBJECT) *objs;
|
|
|
d1e1c8 |
+ X509_OBJECT *obj;
|
|
|
d1e1c8 |
+ int i;
|
|
|
d1e1c8 |
+
|
|
|
d1e1c8 |
+ objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
|
|
|
d1e1c8 |
+
|
|
|
d1e1c8 |
+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
|
|
|
d1e1c8 |
+ obj = sk_X509_OBJECT_value(objs, i);
|
|
|
d1e1c8 |
+
|
|
|
d1e1c8 |
+ if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
|
|
|
d1e1c8 |
+ !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
|
|
|
d1e1c8 |
+ return 1;
|
|
|
d1e1c8 |
+ }
|
|
|
d1e1c8 |
+
|
|
|
d1e1c8 |
+ return 0;
|
|
|
d1e1c8 |
+}
|
|
|
d1e1c8 |
+#endif
|
|
|
d1e1c8 |
+
|
|
|
d1e1c8 |
+int
|
|
|
d1e1c8 |
+X509VerifyCb (
|
|
|
d1e1c8 |
+ IN int Status,
|
|
|
d1e1c8 |
+ IN X509_STORE_CTX *Context
|
|
|
d1e1c8 |
+ )
|
|
|
d1e1c8 |
+{
|
|
|
d1e1c8 |
+ INTN Error;
|
|
|
d1e1c8 |
+
|
|
|
d1e1c8 |
+ Error = (INTN) X509_STORE_CTX_get_error (Context);
|
|
|
d1e1c8 |
+
|
|
|
d1e1c8 |
+ /* Accept code-signing keys */
|
|
|
d1e1c8 |
+ if (Error == X509_V_ERR_INVALID_PURPOSE &&
|
|
|
d1e1c8 |
+ X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(Context)) == XKU_CODE_SIGN) {
|
|
|
d1e1c8 |
+ Status = 1;
|
|
|
d1e1c8 |
+ } else if (Error == X509_V_ERR_CERT_UNTRUSTED ||
|
|
|
d1e1c8 |
+ Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ||
|
|
|
d1e1c8 |
+ Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
|
|
|
d1e1c8 |
+ Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) {
|
|
|
d1e1c8 |
+ /* all certs in our cert database are explicitly trusted */
|
|
|
d1e1c8 |
+
|
|
|
d1e1c8 |
+ if (cert_in_store(X509_STORE_CTX_get_current_cert(Context), Context))
|
|
|
d1e1c8 |
+ Status = 1;
|
|
|
d1e1c8 |
+ } else if (Error == X509_V_ERR_CERT_HAS_EXPIRED ||
|
|
|
d1e1c8 |
+ Error == X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD ||
|
|
|
d1e1c8 |
+ Error == X509_V_ERR_CERT_NOT_YET_VALID ||
|
|
|
d1e1c8 |
+ Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
|
|
|
d1e1c8 |
+ Error == X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD) {
|
|
|
d1e1c8 |
+ /* UEFI explicitly allows expired certificates */
|
|
|
d1e1c8 |
+ Status = 1;
|
|
|
d1e1c8 |
+#if 0
|
|
|
d1e1c8 |
+ } else if (Error == X509_V_ERR_INVALID_CA) {
|
|
|
d1e1c8 |
+ /* Due to the historical reason, we have to relax the the x509 v3 extension
|
|
|
d1e1c8 |
+ * check to allow the CA certificates without the CA flag in the basic
|
|
|
d1e1c8 |
+ * constraints or KeyCertSign in the key usage to be loaded. In the future,
|
|
|
d1e1c8 |
+ * this callback should be removed to enforce the proper check. */
|
|
|
d1e1c8 |
+ Status = 1;
|
|
|
d1e1c8 |
+#endif
|
|
|
d1e1c8 |
+ }
|
|
|
d1e1c8 |
+
|
|
|
d1e1c8 |
+ return Status;
|
|
|
d1e1c8 |
+}
|
|
|
d1e1c8 |
+
|
|
|
d1e1c8 |
/**
|
|
|
d1e1c8 |
Check input P7Data is a wrapped ContentInfo structure or not. If not construct
|
|
|
d1e1c8 |
a new structure to wrap P7Data.
|
|
|
d1e1c8 |
@@ -844,6 +929,8 @@ Pkcs7Verify (
|
|
|
d1e1c8 |
goto _Exit;
|
|
|
d1e1c8 |
}
|
|
|
d1e1c8 |
|
|
|
d1e1c8 |
+ X509_STORE_set_verify_cb (CertStore, X509VerifyCb);
|
|
|
d1e1c8 |
+
|
|
|
d1e1c8 |
//
|
|
|
d1e1c8 |
// For generic PKCS#7 handling, InData may be NULL if the content is present
|
|
|
d1e1c8 |
// in PKCS#7 structure. So ignore NULL checking here.
|
|
|
d1e1c8 |
--
|
|
|
d1e1c8 |
2.26.2
|
|
|
d1e1c8 |
|