author | Nalin Dahyabhai <nalin@redhat.com> | 2010-09-16 19:31:54 -0400 |
committer | Nalin Dahyabhai <nalin@redhat.com> | 2010-09-16 19:31:54 -0400 |
commit | 3fe7ccdb9298e5b6f9fa9dc25bef21c0715ece21 (patch) | |
tree | d0d87aff90de42a5a87e81cca904eb90646db21c | |
parent | 188111911c2a6bdc2c8982c06a59a742450113e7 (diff) | |
- fix reading of keyUsage extensions when attempting to select pkinit client certs (part of #629022, RT#6775)
-rw-r--r-- | krb5-trunk-key_usage.patch | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/krb5-trunk-key_usage.patch b/krb5-trunk-key_usage.patch
new file mode 100644
index 0000000..f45db69
--- /dev/null
+++ b/krb5-trunk-key_usage.patch
@@ -0,0 +1,25 @@
+Reading the NID_key_usage extension doesn't ensure that the ex_flags and
+ex_kusage fields that the ku_reject() macro checks. It'd probably be
+better to check the usage string directly, but calling X509_check_ca()
+makes the right things happen. RT#6775, part of #629022.
+
+Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+===================================================================
+--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24312)
++++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24313)
+@@ -2005,6 +2005,7 @@
+ pkiDebug("%s: found acceptable EKU, checking for digitalSignature\n", __FUNCTION__);
+
+ /* check that digitalSignature KeyUsage is present */
++ X509_check_ca(reqctx->received_cert);
+ if ((usage = X509_get_ext_d2i(reqctx->received_cert,
+ NID_key_usage, NULL, NULL))) {
+
+@@ -4551,6 +4552,7 @@
+ }
+
+ /* Make sure usage exists before checking bits */
++ X509_check_ca(x);
+ usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL);
+ if (usage) {
+ if (!ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
|
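Review bot: Both `X509_check_ca()` calls added in the nested hunks at `@@ -2005` and `@@ -4551` discard the return value and exist only for a side effect (populating the cached ex_flags/ex_kusage fields that `ku_reject()` reads, per the patch preamble), but nothing at the call sites says so, so a later reader is likely to treat them as dead calls and remove them. That reasoning lives only in the preamble of the .patch file, which does not travel with the code once it is applied; I would add `/* Side effect only: populates the cached ex_flags/ex_kusage that ku_reject() below relies on. */` above each call. The preamble itself notes that checking the usage bits directly would be preferable to depending on an internal side effect of a CA check; if the targeted OpenSSL exposes a documented way to force extension caching, that would be a more durable fix. Both enclosing functions start and end outside the hunks.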