From 3cd3d271d39b5600fe041f2049d42fb73d9e8c42 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Tue, 6 Sep 2011 14:36:40 -0400 Subject: [PATCH 130/150] handle ws2003-style signed-then-enveloped OIDs --- src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 23 +++++++++++++++++++---- 1 files changed, 19 insertions(+), 4 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c index 6a5020d..d5ccd29 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c @@ -2029,7 +2029,9 @@ cert_load_ca_certs_from_slot(krb5_context context, continue; } if ((SEC_GET_TRUST_FLAGS(&trust, trustSSL) & - (CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA)) == 0) { + (CERTDB_TRUSTED_CA | + CERTDB_TRUSTED_CLIENT_CA | + CERTDB_NS_TRUSTED_CA)) == 0) { continue; } /* DestroyCertList frees all of the certs in the list, @@ -4109,6 +4111,8 @@ cert_retrieve_cert_sans(krb5_context context, if (SEC_ASN1DecodeItem(pool, &encoded_names, SEC_ASN1_GET(SEC_SequenceOfAnyTemplate), ext) != SECSuccess) { + pkiDebug("%s: error decoding subjectAltName extension\n", + __FUNCTION__); PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } @@ -4120,6 +4124,8 @@ cert_retrieve_cert_sans(krb5_context context, memset(&name, 0, sizeof(name)); if (CERT_DecodeGeneralName(pool, encoded_names[i], &name) != &name) { + pkiDebug("%s: error decoding GeneralName value, " + "skipping\n", __FUNCTION__); continue; } switch (name.type) { @@ -4567,6 +4573,7 @@ crypto_signeddata_common_verify(krb5_context context, CERTCertDBHandle *certdb, SECCertUsage usage, SECOidTag expected_type, + SECOidTag expected_type2, PLArenaPool *pool, SECItem **plain, int cms_msg_type, @@ -4616,6 +4623,8 @@ crypto_signeddata_common_verify(krb5_context context, NSS_CMSMessage_Destroy(ecmsg); return EINVAL; } + pkiDebug("%s: parsed plain-data (length=%ld) as signed-data\n", + __FUNCTION__, (long) edata->len); cinfo = ecinfo; } else { /* Okay, it's a normal signed-data blob. */ @@ -4745,7 +4754,9 @@ crypto_signeddata_common_verify(krb5_context context, return ENOMEM; } encapsulated_tag = NSS_CMSContentInfo_GetContentTypeTag(ecinfo); - if (encapsulated_tag != expected_type) { + if ((encapsulated_tag != expected_type) && + ((expected_type2 == SEC_OID_UNKNOWN) || + (encapsulated_tag != expected_type2))) { pkiDebug("%s: wrong encapsulated content type\n", __FUNCTION__); if (ecmsg != NULL) { @@ -4794,7 +4805,7 @@ cms_envelopeddata_verify(krb5_context context, PLArenaPool *pool; SECItem *plain, encoded; SECCertUsage usage; - SECOidTag expected_tag; + SECOidTag expected_tag, expected_tag2; int is_signed, ret; pool = PORT_NewArena(sizeof(double)); @@ -4846,6 +4857,7 @@ cms_envelopeddata_verify(krb5_context context, /* Pull out the signed data and verify it. */ expected_tag = get_pkinit_data_rkey_data_tag(); + expected_tag2 = SEC_OID_PKCS7_DATA; usage = certUsageSSLServer; plain = NULL; ret = crypto_signeddata_common_verify(context, @@ -4857,6 +4869,7 @@ cms_envelopeddata_verify(krb5_context context, certdb, usage, expected_tag, + expected_tag2, pool, &plain, CMS_ENVEL_SERVER, @@ -5042,7 +5055,7 @@ cms_signeddata_verify(krb5_context context, NSSCMSContentInfo *info; CERTCertDBHandle *certdb; SECCertUsage usage; - SECOidTag expected_tag; + SECOidTag expected_tag, expected_tag2; PLArenaPool *pool; SECItem *plain, encoded; struct content_info simple_content_info; @@ -5066,6 +5079,7 @@ cms_signeddata_verify(krb5_context context, return ENOSYS; break; } + expected_tag2 = SEC_OID_UNKNOWN; pool = PORT_NewArena(sizeof(double)); if (pool == NULL) { @@ -5138,6 +5152,7 @@ cms_signeddata_verify(krb5_context context, certdb, usage, expected_tag, + expected_tag2, pool, &plain, cms_msg_type, -- 1.7.6.4