From 5e55a4bd86d7df8e24b78feaea772255d53efaa5 Mon Sep 17 00:00:00 2001
From: Jack Magne <jmagne@redhat.com>
Date: Fri, 8 Feb 2019 11:21:48 -0800
Subject: [PATCH] Additional: Resolve Bug 1666872 - CC: Enable AIA OCSP cert
checking for entire cert chain.
Simple fix to make sure we are using the correct variant of the NSS cert usage quantity.
It turns out some calls need a SECCertUsage and others need a SECCertificateUsage.
We also need to convert between the two in certain instances.
Found and fixed double certificate object free issue.
---
org/mozilla/jss/ssl/callbacks.c | 10 ++++++++--
org/mozilla/jss/ssl/common.c | 19 ++++++++++++++-----
org/mozilla/jss/ssl/jssl.h | 2 +-
3 files changed, 23 insertions(+), 8 deletions(-)
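diff --git a/org/mozilla/jss/ssl/callbacks.c b/org/mozilla/jss/ssl/callbacks.c
index dfbe408..1f8cc56 100644
--- a/jss/org/mozilla/jss/ssl/callbacks.c
+++ b/jss/org/mozilla/jss/ssl/callbacks.c
@@ -473,6 +473,9 @@ JSSL_DefaultCertAuthCallback(void *arg, PRFileDesc *fd, PRBool checkSig,
 
 certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
 
+ /* PKIX call needs a SECCertificate usage, convert */
+ SECCertificateUsage certificateUsage = (SECCertificateUsage)1 << certUsage;
+
 /* SSL_PeerCertificate() returns a shallow copy of the cert, so we
 must destroy it before we exit this function */
 
@@ -480,7 +483,7 @@ JSSL_DefaultCertAuthCallback(void *arg, PRFileDesc *fd, PRBool checkSig,
 
 if (peerCert) {
 if( ocspPolicy == OCSP_LEAF_AND_CHAIN_POLICY) {
- rv = JSSL_verifyCertPKIX( peerCert, certUsage,
+ rv = JSSL_verifyCertPKIX( peerCert, certificateUsage,
 NULL /* pin arg */, ocspPolicy, NULL, NULL);
 } else {
 rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), peerCert,
@@ -616,6 +619,9 @@ JSSL_JavaCertAuthCallback(void *arg, PRFileDesc *fd, PRBool checkSig,
 if (peerCert == NULL) goto finish;
 
 certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
+ /* PKIX call needs a SECCertificate usage, convert */
+ SECCertificateUsage certificateUsage = (SECCertificateUsage)1 << certUsage;
+
 
 /*
 * verify it against current time - (can't use
@@ -624,7 +630,7 @@ JSSL_JavaCertAuthCallback(void *arg, PRFileDesc *fd, PRBool checkSig,
 */
 
 if( ocspPolicy == OCSP_LEAF_AND_CHAIN_POLICY) {
- verificationResult = JSSL_verifyCertPKIX( peerCert, certUsage,
+ verificationResult = JSSL_verifyCertPKIX( peerCert, certificateUsage,
 NULL /* pin arg */, ocspPolicy, &log, NULL);
 } else {
 verificationResult = CERT_VerifyCert( CERT_GetDefaultCertDB(),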
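Review bot: The SECCertUsage to SECCertificateUsage conversion is open-coded identically in JSSL_DefaultCertAuthCallback and JSSL_JavaCertAuthCallback, and it relies on the NSS convention that each certificateUsage bit equals `1 << certUsage`, which the added comment does not state. The same commit inverts this mapping by hand in common.c, so one small static helper would keep both directions in one place, for example (the name is only a suggestion) `static SECCertificateUsage toCertificateUsage(SECCertUsage u) { return (SECCertificateUsage)1 << u; }` with the comment `/* NSS: certificateUsageX == 1 << certUsageX */`. In both functions the new declaration follows a statement, which is worth checking against the C dialect the project is built with. Both callback bodies start and end outside the hunks shown.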
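diff --git a/org/mozilla/jss/ssl/common.c b/org/mozilla/jss/ssl/common.c
index 7952488..8c2a224 100644
--- a/jss/org/mozilla/jss/ssl/common.c
+++ b/jss/org/mozilla/jss/ssl/common.c
@@ -903,7 +903,7 @@ finish:
 /* Get the trusted anchor for pkix */
 
 CERTCertificate * getRoot(CERTCertificate *cert,
- SECCertificateUsage certUsage)
+ SECCertUsage certUsage)
 {
 CERTCertificate *root = NULL;
 CERTCertListNode *node = NULL;
@@ -945,7 +945,7 @@ finish:
 */
 
 SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert,
- SECCertificateUsage certUsage,secuPWData *pwdata, int ocspPolicy,
+ SECCertificateUsage certificateUsage,secuPWData *pwdata, int ocspPolicy,
 CERTVerifyLog *log, SECCertificateUsage *usage)
 {
 
@@ -1002,6 +1002,8 @@ SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert,
 
 PRBool fetchCerts = PR_FALSE;
 
+ SECCertUsage certUsage = certUsageSSLClient /* 0 */;
+
 SECStatus res = SECFailure;
 if(cert == NULL) {
 goto finish;
@@ -1036,9 +1038,15 @@ SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert,
 cvin[inParamIndex].value.pointer.revocation = rev;
 inParamIndex++;
 
-
 /* establish trust anchor */
 
+ /* We need to convert the SECCertificateUsage to a SECCertUsage to obtain
+ * the root.
+ */
+
+ SECCertificateUsage testUsage = certificateUsage;
+ while (0 != (testUsage = testUsage >> 1)) { certUsage++; }
+
 CERTCertificate *root = getRoot(cert,certUsage);
 
 /* Try to add the root as the trust anchor so all the
@@ -1073,7 +1081,7 @@ SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert,
 
 cvout[outParamIndex].type = cert_po_end;
 
- res = CERT_PKIXVerifyCert(cert, certUsage, cvin, cvout, &pwdata);
+ res = CERT_PKIXVerifyCert(cert, certificateUsage, cvin, cvout, &pwdata);
 
 finish:
 /* clean up any trusted cert list */
@@ -1083,8 +1091,9 @@ finish:
 trustedCertList = NULL;
 }
 
+ /* CERT_DestroyCertList destroys interior certs for us. */
+
 if(root) {
- CERT_DestroyCertificate(root);
 root = NULL;
 }
 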
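Review bot: The shift loop added in the `@@ -1036` hunk before `getRoot(cert,certUsage)` turns the bitmask back into a SECCertUsage by taking the position of its highest set bit, so a `certificateUsage` of 0, or one with several usage bits set, silently yields a usage the caller never asked for, and the trust anchor is then looked up under that usage. If SECCertificateUsage is a signed 64-bit type, as I believe it is in NSS, a negative value would also never shift down to zero. Rejecting anything that is not exactly one bit before the loop covers both cases, for example `if (certificateUsage <= 0 || (certificateUsage & (certificateUsage - 1)) != 0) goto finish;`, which leaves `res` at SECFailure. Separately, the last hunk drops `CERT_DestroyCertificate(root)` on the grounds that the cert list owns the reference; the code that adds `root` to `trustedCertList` lies outside the visible hunks, so it is worth confirming that `root` is still released on any path where it was never added to the list.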
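diff --git a/org/mozilla/jss/ssl/jssl.h b/org/mozilla/jss/ssl/jssl.h
index 02771f8..e76db90 100644
--- a/jss/org/mozilla/jss/ssl/jssl.h
+++ b/jss/org/mozilla/jss/ssl/jssl.h
@@ -145,7 +145,7 @@ JSSL_getOCSPPolicy();
 
 SECStatus
 JSSL_verifyCertPKIX(CERTCertificate *cert,
- SECCertificateUsage certUsage,
+ SECCertificateUsage certificateUsage,
 secuPWData *pwdata, int ocspPolicy,
 CERTVerifyLog *log,SECCertificateUsage *usage);
 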
--
1.8.3.1