From 56402a2b350ebdcfd49685a5a3c0fd42131b2196 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 12 Dec 2017 15:24:57 +0100
Subject: [PATCH 89/89] p11_child: properly check results of
CERT_VerifyCertificateNow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
With certificateUsageCheckAllUsages not only the return code of
CERT_VerifyCertificateNow() should be checked but also the usages for
which the certificate was verified. The usages checked here will all
involve CA signature checks and OCSP checks if OCSP is enabled.
Related to https://pagure.io/SSSD/sssd/issue/3560
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
(cherry picked from commit 787ba9c882f1d7ff9ea4f2745e779c5fb04dfafc)
---
src/p11_child/p11_child_nss.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 21c508eb1b1b68b3606d0a5eed36573b01f27a19..cb894280c18fcbd59c5499e36d30f3ba305c0ea2 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -45,6 +45,15 @@
#include "util/crypto/sss_crypto.h"
#include "util/cert.h"
|
+#define EXP_USAGES ( certificateUsageSSLClient \
+ | certificateUsageSSLServer \
+ | certificateUsageSSLServerWithStepUp \
+ | certificateUsageEmailSigner \
+ | certificateUsageEmailRecipient \
+ | certificateUsageObjectSigner \
+ | certificateUsageStatusResponder \
+ | certificateUsageSSLCA )
+
enum op_mode {
OP_NONE,
OP_AUTH,
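Review bot: EXP_USAGES is added without a comment explaining why these eight usages are the acceptable outcomes of a verification the commit message says is meant to enforce CA-signature and OCSP checks; a short comment above the define would carry that intent, e.g. `/* Usages whose successful verification implies a full CA chain check (and OCSP, if enabled); a certificate that verified for none of them is rejected. */`. The mask also accepts a certificate whose only verified usage is certificateUsageSSLCA or certificateUsageStatusResponder, so a CA or OCSP-responder certificate present on the token would pass this filter even though it is presumably not a user authentication certificate. If the purpose is only to reject certificates that verified for nothing, it is worth stating that in the comment; otherwise consider narrowing the mask to the usages p11_child actually authenticates with, keeping in mind that the compatibility impact on existing deployments cannot be judged from this hunk.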
@@ -136,6 +145,7 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
char *cert_b64 = NULL;
char *multi = NULL;
PRCList *node;
+ SECCertificateUsage returned_usage = 0;
|
nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, ¶meters, flags);
if (nss_ctx == NULL) {
@@ -329,8 +339,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
rv = CERT_VerifyCertificateNow(handle, cert_list_node->cert,
PR_TRUE,
certificateUsageCheckAllUsages,
- NULL, NULL);
- if (rv != SECSuccess) {
+ NULL, &returned_usage);
+ if (rv != SECSuccess || ((returned_usage & EXP_USAGES) == 0)) {
DEBUG(SSSDBG_OP_FAILURE,
"Certificate [%s][%s] not valid [%d][%s], skipping.\n",
cert_list_node->cert->nickname,
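Review bot: When CERT_VerifyCertificateNow() returns SECSuccess but returned_usage has none of the EXP_USAGES bits set, the DEBUG call that follows still prints the `[%d][%s]` fields from arguments outside this hunk (presumably a PR error code and string), which will not describe a usage failure, so the log will report the certificate as "not valid" with a stale or zero error. Suggest logging the mask on that path, e.g. `DEBUG(SSSDBG_OP_FAILURE, "Certificate [%s] verified for usages [0x%" PRIx64 "], none of expected [0x%" PRIx64 "].\n", cert_list_node->cert->nickname, (uint64_t) returned_usage, (uint64_t) EXP_USAGES);` before skipping, picking the format to match the actual width of SECCertificateUsage in the NSS headers in use. The enclosing do_work() continues past the end of this hunk.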
--
2.14.3