From 56402a2b350ebdcfd49685a5a3c0fd42131b2196 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 12 Dec 2017 15:24:57 +0100
Subject: [PATCH 89/89] p11_child: properly check results of CERT_VerifyCertificateNow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With certificateUsageCheckAllUsages not only the return code of CERT_VerifyCertificateNow() should be checked but also the usages for which the certificate was verified. The usages checked here will all involve CA signature checks and OCSP checks if OCSP is enabled.

Related to https://pagure.io/SSSD/sssd/issue/3560

Reviewed-by: Fabiano FidĂȘncio
(cherry picked from commit 787ba9c882f1d7ff9ea4f2745e779c5fb04dfafc)
---
 src/p11_child/p11_child_nss.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 21c508eb1b1b68b3606d0a5eed36573b01f27a19..cb894280c18fcbd59c5499e36d30f3ba305c0ea2 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -45,6 +45,15 @@
 #include "util/crypto/sss_crypto.h"
 #include "util/cert.h"
 
+#define EXP_USAGES ( certificateUsageSSLClient \
+ | certificateUsageSSLServer \
+ | certificateUsageSSLServerWithStepUp \
+ | certificateUsageEmailSigner \
+ | certificateUsageEmailRecipient \
+ | certificateUsageObjectSigner \
+ | certificateUsageStatusResponder \
+ | certificateUsageSSLCA )
+
 enum op_mode {
 OP_NONE,
 OP_AUTH,
@@ -136,6 +145,7 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
 char *cert_b64 = NULL;
 char *multi = NULL;
 PRCList *node;
+ SECCertificateUsage returned_usage = 0;
 
 nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, ¶meters, flags);
 if (nss_ctx == NULL) {
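Review bot: The new `EXP_USAGES` macro carries no comment explaining why exactly these eight usages are accepted and why the other NSS usage bits are deliberately left out, which is the whole security decision of this patch and the first thing a later maintainer adding a usage will need to know. The commit message has the rationale (each listed usage implies a CA signature check, plus OCSP when enabled), but it will not be visible at the definition. Suggest a comment directly above the define: `/* Usages a certificate must have verified for in order to be accepted; each of them implies a CA signature check (and an OCSP check when OCSP is enabled). Usage bits not listed here are rejected on purpose. */`. Since the macro is evaluated in a bitwise expression, keeping the outer parentheses as written is correct.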
@@ -329,8 +339,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
 
 rv = CERT_VerifyCertificateNow(handle, cert_list_node->cert, PR_TRUE,
 certificateUsageCheckAllUsages,
- NULL, NULL);
- if (rv != SECSuccess) {
+ NULL, &returned_usage);
+ if (rv != SECSuccess || ((returned_usage & EXP_USAGES) == 0)) {
 DEBUG(SSSDBG_OP_FAILURE,
 "Certificate [%s][%s] not valid [%d][%s], skipping.\n",
 cert_list_node->cert->nickname,
-- 
2.14.3
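Review bot: When `rv` is SECSuccess but `(returned_usage & EXP_USAGES)` is zero, the new condition routes the certificate into the existing "not valid" message, whose trailing `[%d][%s]` fields (their arguments lie outside the hunk) presumably report the NSS error code and string; in that branch no NSS call failed, so the log may show a stale or zero error and hide the real reason the certificate was skipped. A dedicated message for that case keeps the audit trail honest, e.g. before the existing DEBUG: `if (rv == SECSuccess) DEBUG(SSSDBG_OP_FAILURE, "Certificate [%s] verified for usages [0x%llx], none of the expected ones.\n", cert_list_node->cert->nickname, (unsigned long long) returned_usage);`. With certificateUsageCheckAllUsages a SECSuccess return only means at least one usage verified, which is why masking `returned_usage` is required here; a one-line comment stating that on the new `if` line would make the intent clear. The enclosing do_work() starts and ends outside the hunk.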