Blob Blame History Raw
From 56402a2b350ebdcfd49685a5a3c0fd42131b2196 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 12 Dec 2017 15:24:57 +0100
Subject: [PATCH 89/89] p11_child: properly check results of
 CERT_VerifyCertificateNow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With certificateUsageCheckAllUsages not only the return code of
CERT_VerifyCertificateNow() should be checked but also the usages for
which the certificate was verified. The usages checked here will all
involve CA signature checks and OCSP checks if OCSP is enabled.

Related to https://pagure.io/SSSD/sssd/issue/3560

Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
(cherry picked from commit 787ba9c882f1d7ff9ea4f2745e779c5fb04dfafc)
---
 src/p11_child/p11_child_nss.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 21c508eb1b1b68b3606d0a5eed36573b01f27a19..cb894280c18fcbd59c5499e36d30f3ba305c0ea2 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -45,6 +45,15 @@
 #include "util/crypto/sss_crypto.h"
 #include "util/cert.h"
 
+#define EXP_USAGES (  certificateUsageSSLClient \
+                    | certificateUsageSSLServer \
+                    | certificateUsageSSLServerWithStepUp \
+                    | certificateUsageEmailSigner \
+                    | certificateUsageEmailRecipient \
+                    | certificateUsageObjectSigner \
+                    | certificateUsageStatusResponder \
+                    | certificateUsageSSLCA )
+
 enum op_mode {
     OP_NONE,
     OP_AUTH,
@@ -136,6 +145,7 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
     char *cert_b64 = NULL;
     char *multi = NULL;
     PRCList *node;
+    SECCertificateUsage returned_usage = 0;
 
     nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, &parameters, flags);
     if (nss_ctx == NULL) {
@@ -329,8 +339,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
             rv = CERT_VerifyCertificateNow(handle, cert_list_node->cert,
                                            PR_TRUE,
                                            certificateUsageCheckAllUsages,
-                                           NULL, NULL);
-            if (rv != SECSuccess) {
+                                           NULL, &returned_usage);
+            if (rv != SECSuccess || ((returned_usage & EXP_USAGES) == 0)) {
                 DEBUG(SSSDBG_OP_FAILURE,
                       "Certificate [%s][%s] not valid [%d][%s], skipping.\n",
                       cert_list_node->cert->nickname,
-- 
2.14.3