|
|
20746d |
From 616bc539e7054f7e561ca66672019f7990759811 Mon Sep 17 00:00:00 2001
|
|
|
20746d |
From: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
20746d |
Date: Thu, 17 Aug 2017 18:10:37 +1000
|
|
|
20746d |
Subject: [PATCH] MS cert template: add template extension to CSR
|
|
|
20746d |
|
|
|
20746d |
Add the MS V2 certificate template extension to the CSR, when the
|
|
|
20746d |
attribute is set. Failure to parse the value (as stored) merely
|
|
|
20746d |
causes the extension to be skipped.
|
|
|
20746d |
|
|
|
20746d |
Part of: https://pagure.io/certmonger/issue/78
|
|
|
20746d |
---
|
|
|
20746d |
src/certext.c | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
|
|
|
20746d |
1 file changed, 84 insertions(+), 2 deletions(-)
|
|
|
20746d |
|
|
|
20746d |
diff --git a/src/certext.c b/src/certext.c
|
|
|
20746d |
index 64ae05a..5f8a743 100644
|
|
|
20746d |
--- a/src/certext.c
|
|
|
20746d |
+++ b/src/certext.c
|
|
|
20746d |
@@ -69,7 +69,7 @@ struct kerberos_principal_name {
|
|
|
20746d |
struct ms_template {
|
|
|
20746d |
SECItem id;
|
|
|
20746d |
SECItem major;
|
|
|
20746d |
- SECItem *minor;
|
|
|
20746d |
+ SECItem minor;
|
|
|
20746d |
};
|
|
|
20746d |
|
|
|
20746d |
/* KerberosString: RFC 4120, 5.2.1 */
|
|
|
20746d |
@@ -180,7 +180,7 @@ cm_ms_template_template[] = {
|
|
|
20746d |
.kind = SEC_ASN1_SEQUENCE,
|
|
|
20746d |
.offset = 0,
|
|
|
20746d |
.sub = NULL,
|
|
|
20746d |
- .size = sizeof(struct kerberos_principal_name),
|
|
|
20746d |
+ .size = sizeof(struct ms_template),
|
|
|
20746d |
},
|
|
|
20746d |
{
|
|
|
20746d |
.kind = SEC_ASN1_OBJECT_ID,
|
|
|
20746d |
@@ -1593,6 +1593,76 @@ cm_certext_build_profile(struct cm_store_entry *entry,
|
|
|
20746d |
return item;
|
|
|
20746d |
}
|
|
|
20746d |
|
|
|
20746d |
+/* Build a Microsoft certificate template extension value. */
|
|
|
20746d |
+static SECItem *
|
|
|
20746d |
+cm_certext_build_certificate_template(
|
|
|
20746d |
+ PLArenaPool *arena,
|
|
|
20746d |
+ char *template_spec)
|
|
|
20746d |
+{
|
|
|
20746d |
+ struct ms_template template_data;
|
|
|
20746d |
+ memset(&template_data, 0, sizeof(struct ms_template));
|
|
|
20746d |
+
|
|
|
20746d |
+ if (NULL == template_spec || *template_spec == '\0')
|
|
|
20746d |
+ return NULL;
|
|
|
20746d |
+
|
|
|
20746d |
+ /* strtok overwrites delimiters with null bytes;
|
|
|
20746d |
+ * therefore duplicate the input string */
|
|
|
20746d |
+ char *template_spec_dup = PORT_ArenaStrdup(arena, template_spec);
|
|
|
20746d |
+ if (NULL == template_spec_dup)
|
|
|
20746d |
+ return NULL;
|
|
|
20746d |
+
|
|
|
20746d |
+ int i = 0;
|
|
|
20746d |
+ char *saveptr, *endptr;
|
|
|
20746d |
+ for (
|
|
|
20746d |
+ char *part = strtok_r(template_spec_dup, ":", &saveptr);
|
|
|
20746d |
+ part != NULL;
|
|
|
20746d |
+ part = strtok_r(NULL, ":", &saveptr)
|
|
|
20746d |
+ ) {
|
|
|
20746d |
+ if (i == 0) {
|
|
|
20746d |
+ // parse OID
|
|
|
20746d |
+ if (SECSuccess != SEC_StringToOID(arena, &template_data.id, part, 0))
|
|
|
20746d |
+ return NULL;
|
|
|
20746d |
+ }
|
|
|
20746d |
+ else if (i == 1) {
|
|
|
20746d |
+ // parse major version
|
|
|
20746d |
+ long x = strtol(part, &endptr, 10);
|
|
|
20746d |
+ if (*part == '\0' || *endptr != '\0') {
|
|
|
20746d |
+ // string was empty or contained non-digits
|
|
|
20746d |
+ return NULL;
|
|
|
20746d |
+ }
|
|
|
20746d |
+ if (SEC_ASN1EncodeInteger(arena, &template_data.major, x)
|
|
|
20746d |
+ != &template_data.major)
|
|
|
20746d |
+ return NULL;
|
|
|
20746d |
+ }
|
|
|
20746d |
+ else if (i == 2) {
|
|
|
20746d |
+ // parse minor version
|
|
|
20746d |
+ long x = strtol(part, &endptr, 10);
|
|
|
20746d |
+ if (*part == '\0' || *endptr != '\0') {
|
|
|
20746d |
+ // string was empty or contained non-digits
|
|
|
20746d |
+ return NULL;
|
|
|
20746d |
+ }
|
|
|
20746d |
+ if (SEC_ASN1EncodeInteger(arena, &template_data.minor, x)
|
|
|
20746d |
+ != &template_data.minor)
|
|
|
20746d |
+ return NULL;
|
|
|
20746d |
+ }
|
|
|
20746d |
+ else {
|
|
|
20746d |
+ // there are too many parts!
|
|
|
20746d |
+ return NULL;
|
|
|
20746d |
+ }
|
|
|
20746d |
+ i++;
|
|
|
20746d |
+ }
|
|
|
20746d |
+ if (i < 2) {
|
|
|
20746d |
+ // there are too few parts! (OID and major version are required)
|
|
|
20746d |
+ return NULL;
|
|
|
20746d |
+ }
|
|
|
20746d |
+
|
|
|
20746d |
+ SECItem encoded;
|
|
|
20746d |
+ if (SEC_ASN1EncodeItem(arena, &encoded, &template_data,
|
|
|
20746d |
+ cm_ms_template_template) != &encoded)
|
|
|
20746d |
+ return NULL;
|
|
|
20746d |
+ return SECITEM_ArenaDupItem(arena, &encoded);
|
|
|
20746d |
+}
|
|
|
20746d |
+
|
|
|
20746d |
/* Build a Netscape certtype extension value. */
|
|
|
20746d |
static SECItem *
|
|
|
20746d |
cm_certext_build_ns_certtype(struct cm_store_entry *entry,
|
|
|
20746d |
@@ -1840,6 +1910,18 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry,
|
|
|
20746d |
i++;
|
|
|
20746d |
}
|
|
|
20746d |
}
|
|
|
20746d |
+ if (entry->cm_template_certificate_template != NULL) {
|
|
|
20746d |
+ oid = (SECOidData *) &oid_microsoft_certificate_template;
|
|
|
20746d |
+ item = cm_certext_build_certificate_template(
|
|
|
20746d |
+ arena, entry->cm_template_certificate_template);
|
|
|
20746d |
+ if ((item != NULL) && (oid != NULL)) {
|
|
|
20746d |
+ ext[i].id = oid->oid;
|
|
|
20746d |
+ ext[i].critical = der_false;
|
|
|
20746d |
+ ext[i].value = *item;
|
|
|
20746d |
+ exts[i] = &ext[i];
|
|
|
20746d |
+ i++;
|
|
|
20746d |
+ }
|
|
|
20746d |
+ }
|
|
|
20746d |
if (entry->cm_template_ns_certtype != NULL) {
|
|
|
20746d |
oid = SECOID_FindOIDByTag(SEC_OID_NS_CERT_EXT_CERT_TYPE);
|
|
|
20746d |
item = cm_certext_build_ns_certtype(entry, arena,
|
|
|
20746d |
--
|
|
|
20746d |
2.14.4
|
|
|
20746d |
|