dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone

Blame SOURCES/0089-p11_child-properly-check-results-of-CERT_VerifyCerti.patch

9f2ebf
From 56402a2b350ebdcfd49685a5a3c0fd42131b2196 Mon Sep 17 00:00:00 2001
9f2ebf
From: Sumit Bose <sbose@redhat.com>
9f2ebf
Date: Tue, 12 Dec 2017 15:24:57 +0100
9f2ebf
Subject: [PATCH 89/89] p11_child: properly check results of
9f2ebf
 CERT_VerifyCertificateNow
9f2ebf
MIME-Version: 1.0
9f2ebf
Content-Type: text/plain; charset=UTF-8
9f2ebf
Content-Transfer-Encoding: 8bit
9f2ebf
9f2ebf
With certificateUsageCheckAllUsages not only the return code of
9f2ebf
CERT_VerifyCertificateNow() should be checked but also the usages for
9f2ebf
which the certificate was verified. The usages checked here will all
9f2ebf
involve CA signature checks and OCSP checks if OCSP is enabled.
9f2ebf
9f2ebf
Related to https://pagure.io/SSSD/sssd/issue/3560
9f2ebf
9f2ebf
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
9f2ebf
(cherry picked from commit 787ba9c882f1d7ff9ea4f2745e779c5fb04dfafc)
9f2ebf
---
9f2ebf
 src/p11_child/p11_child_nss.c | 14 ++++++++++++--
9f2ebf
 1 file changed, 12 insertions(+), 2 deletions(-)
9f2ebf
9f2ebf
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
9f2ebf
index 21c508eb1b1b68b3606d0a5eed36573b01f27a19..cb894280c18fcbd59c5499e36d30f3ba305c0ea2 100644
9f2ebf
--- a/src/p11_child/p11_child_nss.c
9f2ebf
+++ b/src/p11_child/p11_child_nss.c
9f2ebf
@@ -45,6 +45,15 @@
9f2ebf
 #include "util/crypto/sss_crypto.h"
9f2ebf
 #include "util/cert.h"
9f2ebf
 
9f2ebf
+#define EXP_USAGES (  certificateUsageSSLClient \
9f2ebf
+                    | certificateUsageSSLServer \
9f2ebf
+                    | certificateUsageSSLServerWithStepUp \
9f2ebf
+                    | certificateUsageEmailSigner \
9f2ebf
+                    | certificateUsageEmailRecipient \
9f2ebf
+                    | certificateUsageObjectSigner \
9f2ebf
+                    | certificateUsageStatusResponder \
9f2ebf
+                    | certificateUsageSSLCA )
9f2ebf
+
9f2ebf
 enum op_mode {
9f2ebf
     OP_NONE,
9f2ebf
     OP_AUTH,
9f2ebf
@@ -136,6 +145,7 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
9f2ebf
     char *cert_b64 = NULL;
9f2ebf
     char *multi = NULL;
9f2ebf
     PRCList *node;
9f2ebf
+    SECCertificateUsage returned_usage = 0;
9f2ebf
 
9f2ebf
     nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, &parameters, flags);
9f2ebf
     if (nss_ctx == NULL) {
9f2ebf
@@ -329,8 +339,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
9f2ebf
             rv = CERT_VerifyCertificateNow(handle, cert_list_node->cert,
9f2ebf
                                            PR_TRUE,
9f2ebf
                                            certificateUsageCheckAllUsages,
9f2ebf
-                                           NULL, NULL);
9f2ebf
-            if (rv != SECSuccess) {
9f2ebf
+                                           NULL, &returned_usage);
9f2ebf
+            if (rv != SECSuccess || ((returned_usage & EXP_USAGES) == 0)) {
9f2ebf
                 DEBUG(SSSDBG_OP_FAILURE,
9f2ebf
                       "Certificate [%s][%s] not valid [%d][%s], skipping.\n",
9f2ebf
                       cert_list_node->cert->nickname,
9f2ebf
-- 
9f2ebf
2.14.3
9f2ebf