From 9b4b12928c0450ac69d83293e179eec439465c03 Mon Sep 17 00:00:00 2001

From: Peter Jones <pjones@redhat.com>

Date: Mon, 22 Aug 2016 13:43:56 -0400

Subject: [PATCH 16/29] efikeygen: add --modsign

---

 src/cms_common.c | 29 ++++++++++++++++++++++++++++

 src/cms_common.h |  1 +

 src/efikeygen.c  | 59 ++++++++++++++++++++++++++++++++++++++++++++------------

 3 files changed, 77 insertions(+), 12 deletions(-)

diff --git a/src/cms_common.c b/src/cms_common.c

index 6a4e6a7..2df2cfe 100644

--- a/src/cms_common.c

+++ b/src/cms_common.c

@@ -715,6 +715,35 @@ make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,

 	return 0;

 }

+static SEC_ASN1Template EKUOidSequence[] = {

+	{

+	.kind = SEC_ASN1_OBJECT_ID,

+	.offset = 0,

+	.sub = &SEC_AnyTemplate,

+	.size = sizeof (SECItem),

+	},

+	{ 0 }

+};

+

+int

+make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag)

+{

+	void *rv;

+	SECOidData *oid_data;

+

+	oid_data = SECOID_FindOIDByTag(oid_tag);

+	if (!oid_data)

+		cmsreterr(-1, cms, "could not encode eku oid data");

+

+	rv = SEC_ASN1EncodeItem(cms->arena, encoded, &oid_data->oid,

+				EKUOidSequence);

+	if (rv == NULL)

+		cmsreterr(-1, cms, "could not encode eku oid data");

+

+	encoded->type = siBuffer;

+	return 0;

+}

+

 int

 generate_octet_string(cms_context *cms, SECItem *encoded, SECItem *original)

 {

diff --git a/src/cms_common.h b/src/cms_common.h

index c7d7268..7a31273 100644

--- a/src/cms_common.h

+++ b/src/cms_common.h

@@ -123,6 +123,7 @@ extern int wrap_in_seq(cms_context *cms, SECItem *der,

 			SECItem *items, int num_items);

 extern int make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,

 			SECItem *original);

+extern int make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag);

 extern int generate_validity(cms_context *cms, SECItem *der, time_t start,

 				time_t end);

 extern int generate_common_name(cms_context *cms, SECItem *der, char *cn);

diff --git a/src/efikeygen.c b/src/efikeygen.c

index 8a515a5..9390578 100644

--- a/src/efikeygen.c

+++ b/src/efikeygen.c

@@ -49,6 +49,7 @@

 #include <libdpe/libdpe.h>

 #include "cms_common.h"

+#include "oid.h"

 #include "util.h"

 typedef struct {

@@ -249,20 +250,34 @@ add_basic_constraints(cms_context *cms, void *extHandle)

 }

 static int

-add_extended_key_usage(cms_context *cms, void *extHandle)

+add_extended_key_usage(cms_context *cms, int modsign_only, void *extHandle)

 {

-	SECItem value = {

-		.data = (unsigned char *)"\x30\x0a\x06\x08\x2b\x06\x01"

-					 "\x05\x05\x07\x03\x03",

-		.len = 12,

-		.type = siBuffer

-	};

+	SECItem values[2];

+	SECItem wrapped = { 0 };

+	SECStatus status;

+	SECOidTag tag;

+	int rc;

+

+	if (modsign_only < 1 || modsign_only > 2)

+		cmsreterr(-1, cms, "could not encode extended key usage");

+	rc = make_eku_oid(cms, &values[0], SEC_OID_EXT_KEY_USAGE_CODE_SIGN);

+	if (rc < 0)

+		cmsreterr(-1, cms, "could not encode extended key usage");

+

+	tag = find_ms_oid_tag(SHIM_EKU_MODULE_SIGNING_ONLY);

+	printf("tag: %d\n", tag);

+	rc = make_eku_oid(cms, &values[1], tag);

+	if (rc < 0)

+		cmsreterr(-1, cms, "could not encode extended key usage");

+

+	rc = wrap_in_seq(cms, &wrapped, values, modsign_only);

+	if (rc < 0)

+		cmsreterr(-1, cms, "could not encode extended key usage");

-	SECStatus status;

 	status = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE,

-					&value, PR_FALSE, PR_TRUE);

+					&wrapped, PR_FALSE, PR_TRUE);

 	if (status != SECSuccess)

 		cmsreterr(-1, cms, "could not encode extended key usage");

@@ -294,7 +309,7 @@ static int

 add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,

 			int is_ca, int is_self_signed, SECKEYPublicKey *pubkey,

 			SECKEYPublicKey *spubkey,

-			char *url)

+			char *url, int modsign_only)

 {

 	void *mark = PORT_ArenaMark(cms->arena);

@@ -319,7 +334,7 @@ add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,

 	if (rc < 0)

 		cmsreterr(-1, cms, "could not generate certificate extensions");

-	rc = add_extended_key_usage(cms, extHandle);

+	rc = add_extended_key_usage(cms, modsign_only, extHandle);

 	if (rc < 0)

 		cmsreterr(-1, cms, "could not generate certificate extensions");

@@ -469,6 +484,7 @@ int main(int argc, char *argv[])

 {

 	int is_ca = 0;

 	int is_self_signed = -1;

+	int modsign_only = 0;

 	char *tokenname = "NSS Certificate DB";

 	char *signer = NULL;

 	char *nickname = NULL;

@@ -522,6 +538,18 @@ int main(int argc, char *argv[])

 		 .descrip = "Generate a self-signed certificate" },

 		/* stuff about the generated key */

+		{.longName = "kernel",

+		 .shortName = 'k',

+		 .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,

+		 .arg = &modsign_only,

+		 .val = 1,

+		 .descrip = "Generate a kernel-signing certificate" },

+		{.longName = "module",

+		 .shortName = 'm',

+		 .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,

+		 .arg = &modsign_only,

+		 .val = 2,

+		 .descrip = "Generate a module-signing certificate" },

 		{.longName = "nickname",

 		 .shortName = 'n',

 		 .argInfo = POPT_ARG_STRING,

@@ -628,6 +656,9 @@ int main(int argc, char *argv[])

 			liberr(1, "could not allocate cms context");

 	}

+	if (modsign_only < 1 || modsign_only > 2)

+		errx(1, "either --kernel or --module must be used");

+

 	SECStatus status = NSS_InitReadWrite(dbdir);

 	if (status != SECSuccess)

 		nsserr(1, "could not initialize NSS");

@@ -639,6 +670,10 @@ int main(int argc, char *argv[])

 	SECKEYPublicKey *pubkey = NULL;

 	SECKEYPrivateKey *privkey = NULL;

+	status = register_oids(cms);

+	if (status != SECSuccess)

+		nsserr(1, "Could not register OIDs");

+

 	PK11SlotInfo *slot = NULL;

 	if (pubfile) {

 		rc = get_pubkey_from_file(pubfile, &pubkey);

@@ -713,7 +748,7 @@ int main(int argc, char *argv[])

 	crq = CERT_CreateCertificateRequest(name, spki, &attributes);

 	rc = add_extensions_to_crq(cms, crq, is_ca, is_self_signed, pubkey,

-					spubkey, url);

+					spubkey, url, modsign_only);

 	if (rc < 0)

 		exit(1);

-- 

2.13.4