dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone

Blame SOURCES/0089-p11_child-properly-check-results-of-CERT_VerifyCerti.patch

ced1f5
From 56402a2b350ebdcfd49685a5a3c0fd42131b2196 Mon Sep 17 00:00:00 2001
ced1f5
From: Sumit Bose <sbose@redhat.com>
ced1f5
Date: Tue, 12 Dec 2017 15:24:57 +0100
ced1f5
Subject: [PATCH 89/89] p11_child: properly check results of
ced1f5
 CERT_VerifyCertificateNow
ced1f5
MIME-Version: 1.0
ced1f5
Content-Type: text/plain; charset=UTF-8
ced1f5
Content-Transfer-Encoding: 8bit
ced1f5
ced1f5
With certificateUsageCheckAllUsages not only the return code of
ced1f5
CERT_VerifyCertificateNow() should be checked but also the usages for
ced1f5
which the certificate was verified. The usages checked here will all
ced1f5
involve CA signature checks and OCSP checks if OCSP is enabled.
ced1f5
ced1f5
Related to https://pagure.io/SSSD/sssd/issue/3560
ced1f5
ced1f5
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
ced1f5
(cherry picked from commit 787ba9c882f1d7ff9ea4f2745e779c5fb04dfafc)
ced1f5
---
ced1f5
 src/p11_child/p11_child_nss.c | 14 ++++++++++++--
ced1f5
 1 file changed, 12 insertions(+), 2 deletions(-)
ced1f5
ced1f5
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
ced1f5
index 21c508eb1b1b68b3606d0a5eed36573b01f27a19..cb894280c18fcbd59c5499e36d30f3ba305c0ea2 100644
ced1f5
--- a/src/p11_child/p11_child_nss.c
ced1f5
+++ b/src/p11_child/p11_child_nss.c
ced1f5
@@ -45,6 +45,15 @@
ced1f5
 #include "util/crypto/sss_crypto.h"
ced1f5
 #include "util/cert.h"
ced1f5
 
ced1f5
+#define EXP_USAGES (  certificateUsageSSLClient \
ced1f5
+                    | certificateUsageSSLServer \
ced1f5
+                    | certificateUsageSSLServerWithStepUp \
ced1f5
+                    | certificateUsageEmailSigner \
ced1f5
+                    | certificateUsageEmailRecipient \
ced1f5
+                    | certificateUsageObjectSigner \
ced1f5
+                    | certificateUsageStatusResponder \
ced1f5
+                    | certificateUsageSSLCA )
ced1f5
+
ced1f5
 enum op_mode {
ced1f5
     OP_NONE,
ced1f5
     OP_AUTH,
ced1f5
@@ -136,6 +145,7 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
ced1f5
     char *cert_b64 = NULL;
ced1f5
     char *multi = NULL;
ced1f5
     PRCList *node;
ced1f5
+    SECCertificateUsage returned_usage = 0;
ced1f5
 
ced1f5
     nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, &parameters, flags);
ced1f5
     if (nss_ctx == NULL) {
ced1f5
@@ -329,8 +339,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
ced1f5
             rv = CERT_VerifyCertificateNow(handle, cert_list_node->cert,
ced1f5
                                            PR_TRUE,
ced1f5
                                            certificateUsageCheckAllUsages,
ced1f5
-                                           NULL, NULL);
ced1f5
-            if (rv != SECSuccess) {
ced1f5
+                                           NULL, &returned_usage);
ced1f5
+            if (rv != SECSuccess || ((returned_usage & EXP_USAGES) == 0)) {
ced1f5
                 DEBUG(SSSDBG_OP_FAILURE,
ced1f5
                       "Certificate [%s][%s] not valid [%d][%s], skipping.\n",
ced1f5
                       cert_list_node->cert->nickname,
ced1f5
-- 
ced1f5
2.14.3
ced1f5