From 9170bfe3631de8dc3ccca2fe2fe466d8257dea2e Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Fri, 10 Jun 2011 12:12:27 -0400
Subject: [PATCH 123/150] - try to unwrap pkcs12 and crl blobs while reading them
---
 src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 50 +++++++++++++++++++++---
 1 files changed, 44 insertions(+), 6 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 4eba446..068b0cf 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -47,6 +47,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -1022,13 +1023,21 @@ secitem_from_dh_pubval(PLArenaPool *pool,
 return 0;
 }
-/* Load the contents of a file into a SECitem. */
+/* Load the contents of a file into a SECitem. If it looks like a PEM-wrapped
+ * item, maybe try to undo the base64 encoding. */
+enum secitem_from_file_type {
+ secitem_from_file_plain,
+ secitem_from_file_decode
+};
 static int
-secitem_from_file(PLArenaPool *pool, const char *filename, SECItem *item)
+secitem_from_file(PLArenaPool *pool, const char *filename, SECItem *item,
+ enum secitem_from_file_type secitem_from_file_type)
 {
- SECItem tmp;
+ SECItem tmp, *decoded;
 struct stat st;
 int fd, i, n;
+ const char *encoded, *p;
+ char *what, *q;
 fd = open(filename, O_RDONLY);
 if (fd == -1) {
 return errno;
 }
@@ -1039,7 +1048,7 @@ secitem_from_file(PLArenaPool *pool, const char *filename, SECItem *item)
 return i;
 }
 memset(&tmp, 0, sizeof(tmp));
- tmp.data = PORT_ArenaZAlloc(pool, st.st_size);
+ tmp.data = PORT_ArenaZAlloc(pool, st.st_size + 1);
 if (tmp.data == NULL) {
 close(fd);
 return ENOMEM;
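Review bot: The new parameter in the secitem_from_file signature is named after its own enum tag, `enum secitem_from_file_type secitem_from_file_type`; C keeps tags and ordinary identifiers in separate namespaces, so it compiles, but it reads as though the type itself were being passed, and a plain `enum secitem_from_file_type mode` (with the one comparison in the body updated to match) is clearer. The header comment's "maybe try to undo the base64 encoding" also leaves the contract vague; I would spell it out as `/* Load the contents of a file into a SECItem. With secitem_from_file_decode, a file that starts with "-----BEGIN " is treated as PEM and the base64 text between that line and the matching "-----END " line is decoded into the item; otherwise the raw bytes are returned. */`. The body of secitem_from_file continues past this hunk.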
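Review bot: The `st.st_size + 1` passed to PORT_ArenaZAlloc is computed in off_t and then converted to the allocator's size argument, so where off_t is wider than that type a file whose size does not fit is not rejected here, and the later read, which presumably uses st_size as its bound, would be working against a smaller buffer than it expects; a negative or oversized st_size should be refused before the allocation: `if (st.st_size < 0 || (uintmax_t) st.st_size >= SIZE_MAX) { close(fd); return EFBIG; }`. That check relies on <stdint.h>, which the file's include block may already provide. The fstat call and the read loop of secitem_from_file are outside this hunk.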
@@ -1056,7 +1065,34 @@ secitem_from_file(PLArenaPool *pool, const char *filename, SECItem *item)
 if (n < st.st_size) {
 return ENOMEM;
 }
+ tmp.data[n] = '\0';
 tmp.len = n;
+ encoded = (const char *) tmp.data;
+ if ((secitem_from_file_type == secitem_from_file_decode) &&
+ (tmp.len > 11) &&
+ (strncmp(encoded, "-----BEGIN ", 11) == 0)) {
+ /* find the beginning of the next line */
+ p = encoded;
+ p += strcspn(p, "\r\n");
+ p += strspn(p, "\r\n");
+ q = NULL;
+ what = PORT_ArenaZAlloc(pool, p - (encoded + 2) + 1);
+ if (what != NULL) {
+ /* construct the matching end-of-item and look for it */
+ memcpy(what, "-----END ", 9);
+ memcpy(what + 9, encoded + 11, p - (encoded + 11));
+ what[p - (encoded + 2)] = '\0';
+ q = strstr(p, what);
+ }
+ if (q != NULL) {
+ *q = '\0';
+ decoded = NSSBase64_DecodeBuffer(pool, NULL,
+ p, q - p);
+ if (decoded != NULL) {
+ tmp = *decoded;
+ }
+ }
+ }
 *item = tmp;
 return 0;
 }
@@ -2262,7 +2298,8 @@ crypto_load_pkcs12(krb5_context context,
 "no slot found\n", __FUNCTION__, name);
 return SECFailure;
 }
- if (secitem_from_file(id_cryptoctx->pool, name, &tmp) != 0) {
+ if (secitem_from_file(id_cryptoctx->pool, name, &tmp,
+ secitem_from_file_decode) != 0) {
 pkiDebug("%s: skipping identity PKCS12 bundle \"%s\": "
 "error reading from file\n", __FUNCTION__, name);
 return SECFailure;
@@ -2598,7 +2635,8 @@ crypto_load_files(krb5_context context,
 * yet, cache a CRL. */
 if ((status == SECSuccess) && (crlfile != NULL)) {
 memset(&tmp, 0, sizeof(tmp));
- if (secitem_from_file(id_cryptoctx->pool, crlfile, &tmp) == 0) {
+ if (secitem_from_file(id_cryptoctx->pool, crlfile, &tmp,
+ secitem_from_file_decode) == 0) {
 crl = SECITEM_ArenaDupItem(id_cryptoctx->pool, &tmp);
 /* Count the CRLs. */
 if (id_cryptoctx->id_crls != NULL) {
-- 1.7.6.4
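Review bot: The END-marker search in the new decode branch copies the tail of the BEGIN line including its line terminator into `what`, so `strstr(p, what)` only matches when the `-----END ...-----` line is followed by exactly the same terminator; a PEM file whose END line is the last line without a trailing newline, or one with mixed line endings, is never unwrapped, and because neither that case nor a NULL from the `what` allocation or from NSSBase64_DecodeBuffer is reported, the caller receives the raw PEM text in *item as though it were the binary blob, with one byte at `q` overwritten by NUL. Once the prefix check has committed to treating the file as PEM, I would stop the copied tag at the line terminator and return an error when the END marker is missing or the body does not decode, in line with the ENOMEM returns the function already uses; this needs a `size_t taglen;` local. The open, fstat and read-loop parts of secitem_from_file are outside the hunk, and I have assumed fd is already closed by the time the `n < st.st_size` check returns, as that return does not close it.
```c
    /* … unchanged: NUL-terminate, tmp.len = n, prefix check, p = start of second line … */
    /* build the matching end-of-item from the BEGIN line, minus its line terminator */
    taglen = strcspn(encoded + 11, "\r\n");
    what = PORT_ArenaZAlloc(pool, 9 + taglen + 1);
    if (what == NULL)
        return ENOMEM;
    memcpy(what, "-----END ", 9);
    memcpy(what + 9, encoded + 11, taglen);
    what[9 + taglen] = '\0';
    q = strstr(p, what);
    if (q == NULL)
        return EINVAL;          /* PEM header without a matching footer */
    *q = '\0';
    decoded = NSSBase64_DecodeBuffer(pool, NULL, p, q - p);
    if (decoded == NULL)
        return EINVAL;          /* looked like PEM but the body did not decode */
    tmp = *decoded;
    /* … unchanged: *item = tmp; return 0; … */
```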
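Review bot: A CRL file that cannot be read is dropped without any diagnostic at the new `== 0` test in crypto_load_files: there is no else branch, and status is not touched, so an unreadable or misconfigured CRL path leaves revocation checking quietly weaker than the configuration asks for. The parallel PKCS12 path in crypto_load_pkcs12 logs a pkiDebug message on the same failure; an `else { pkiDebug("%s: skipping CRL file \"%s\": error reading from file\n", __FUNCTION__, crlfile); }` here would make the two consistent and make the omission visible in debug output. crypto_load_files starts and ends outside this hunk, so whether a NULL from SECITEM_ArenaDupItem is handled further down is not visible here.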