[packages/sbsigntool.git] / openssl.patch

From 3186e24f5a46172cd771d61cdeec5e590f73743e Mon Sep 17 00:00:00 2001
From: Steve Langasek <steve.langasek@canonical.com>
Date: Wed, 15 Jul 2015 08:48:25 -0700
Subject: [PATCH] Support openssl 1.0.2b and above

Newer versions of openssl return a different error with alternate
certificate chains; update for compatibility.

Signed-off-by: Marc Deslauriers <marc.deslauriers@canonical.com>
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1474541
---
 src/sbverify.c | 1 +
 1 file changed, 1 insertion(+)

diff -urNp -x '*.orig' sbsigntool-0.6.org/src/sbkeysync.c sbsigntool-0.6/src/sbkeysync.c
--- sbsigntool-0.6.org/src/sbkeysync.c	2012-10-11 14:32:32.000000000 +0200
+++ sbsigntool-0.6/src/sbkeysync.c	2021-10-03 23:16:05.621000201 +0200
@@ -203,16 +203,15 @@ static int x509_key_parse(struct key *ke
 		return -1;
 
 	/* we use the X509 serial number as the key ID */
-	if (!x509->cert_info || !x509->cert_info->serialNumber)
+	serial = X509_get_serialNumber(x509);
+	if (!serial)
 		goto out;
 
-	serial = x509->cert_info->serialNumber;
-
 	key->id_len = ASN1_STRING_length(serial);
 	key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
 
 	key->description = talloc_array(key, char, description_len);
-	X509_NAME_oneline(x509->cert_info->subject,
+	X509_NAME_oneline(X509_get_subject_name(x509),
 			key->description, description_len);
 
 	rc = 0;
diff -urNp -x '*.orig' sbsigntool-0.6.org/src/sbverify.c sbsigntool-0.6/src/sbverify.c
--- sbsigntool-0.6.org/src/sbverify.c	2012-10-11 14:32:32.000000000 +0200
+++ sbsigntool-0.6/src/sbverify.c	2021-10-03 23:16:05.621000201 +0200
@@ -55,6 +55,14 @@
 #include <openssl/pem.h>
 #include <openssl/x509v3.h>
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
+#define X509_OBJECT_get_type(obj) ((obj)->type)
+#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
+#define X509_STORE_get0_objects(certs) ((certs)->objs)
+#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
+#endif
+
 static const char *toolname = "sbverify";
 static const int cert_name_len = 160;
 
@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *
 
 	for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
 		cert = sk_X509_value(p7->d.sign->cert, i);
-		X509_NAME_oneline(cert->cert_info->subject,
+		X509_NAME_oneline(X509_get_subject_name(cert),
 				subject_name, cert_name_len);
-		X509_NAME_oneline(cert->cert_info->issuer,
+		X509_NAME_oneline(X509_get_issuer_name(cert),
 				issuer_name, cert_name_len);
 
 		printf(" - subject: %s\n", subject_name);
@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *
 static void print_certificate_store_certs(X509_STORE *certs)
 {
 	char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
+	STACK_OF(X509_OBJECT) *objs;
 	X509_OBJECT *obj;
+	X509 *cert;
 	int i;
 
 	printf("certificate store:\n");
 
-	for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
-		obj = sk_X509_OBJECT_value(certs->objs, i);
+	objs = X509_STORE_get0_objects(certs);
+
+	for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+		obj = sk_X509_OBJECT_value(objs, i);
 
-		if (obj->type != X509_LU_X509)
+		if (X509_OBJECT_get_type(obj) != X509_LU_X509)
 			continue;
 
-		X509_NAME_oneline(obj->data.x509->cert_info->subject,
+		cert = X509_OBJECT_get0_X509(obj);
+
+		X509_NAME_oneline(X509_get_subject_name(cert),
 				subject_name, cert_name_len);
-		X509_NAME_oneline(obj->data.x509->cert_info->issuer,
+		X509_NAME_oneline(X509_get_issuer_name(cert),
 				issuer_name, cert_name_len);
 
 		printf(" - subject: %s\n", subject_name);
@@ -182,12 +196,21 @@ static int load_detached_signature_data(
 
 static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
 {
-	X509_OBJECT obj;
+	STACK_OF(X509_OBJECT) *objs;
+	X509_OBJECT *obj;
+	int i;
+
+	objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
 
-	obj.type = X509_LU_X509;
-	obj.data.x509 = cert;
+	for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+		obj = sk_X509_OBJECT_value(objs, i);
 
-	return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
+		if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
+		    !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
+			return 1;
+	}
+
+	return 0;
 }
 
 static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
@@ -195,15 +218,17 @@ static int x509_verify_cb(int status, X5
 	int err = X509_STORE_CTX_get_error(ctx);
 
 	/* also accept code-signing keys */
-	if (err == X509_V_ERR_INVALID_PURPOSE
-			&& ctx->cert->ex_xkusage == XKU_CODE_SIGN)
+	if (err == X509_V_ERR_INVALID_PURPOSE &&
+			X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
+			== XKU_CODE_SIGN)
 		status = 1;
 
 	/* all certs given with the --cert argument are trusted */
 	else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
+			err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ||
 			err == X509_V_ERR_CERT_UNTRUSTED) {
 
-		if (cert_in_store(ctx->current_cert, ctx))
+		if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))
 			status = 1;
 	}
Commit	Line	Data
e164c3e2 AM	1	From 3186e24f5a46172cd771d61cdeec5e590f73743e Mon Sep 17 00:00:00 2001
	2	From: Steve Langasek <steve.langasek@canonical.com>
	3	Date: Wed, 15 Jul 2015 08:48:25 -0700
	4	Subject: [PATCH] Support openssl 1.0.2b and above
	5
	6	Newer versions of openssl return a different error with alternate
	7	certificate chains; update for compatibility.
	8
	9	Signed-off-by: Marc Deslauriers <marc.deslauriers@canonical.com>
	10	Bug-Ubuntu: https://bugs.launchpad.net/bugs/1474541
	11	---
	12	src/sbverify.c \| 1 +
	13	1 file changed, 1 insertion(+)
	14
1d68a40a JR	15	diff -urNp -x '*.orig' sbsigntool-0.6.org/src/sbkeysync.c sbsigntool-0.6/src/sbkeysync.c
	16	--- sbsigntool-0.6.org/src/sbkeysync.c 2012-10-11 14:32:32.000000000 +0200
	17	+++ sbsigntool-0.6/src/sbkeysync.c 2021-10-03 23:16:05.621000201 +0200
	18	@@ -203,16 +203,15 @@ static int x509_key_parse(struct key *ke
	19	return -1;
e164c3e2	20
1d68a40a JR	21	/* we use the X509 serial number as the key ID */
	22	- if (!x509->cert_info \|\| !x509->cert_info->serialNumber)
	23	+ serial = X509_get_serialNumber(x509);
	24	+ if (!serial)
	25	goto out;
e164c3e2	26
1d68a40a JR	27	- serial = x509->cert_info->serialNumber;
	28	-
	29	key->id_len = ASN1_STRING_length(serial);
	30	key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
	31
	32	key->description = talloc_array(key, char, description_len);
	33	- X509_NAME_oneline(x509->cert_info->subject,
	34	+ X509_NAME_oneline(X509_get_subject_name(x509),
	35	key->description, description_len);
	36
	37	rc = 0;
	38	diff -urNp -x '*.orig' sbsigntool-0.6.org/src/sbverify.c sbsigntool-0.6/src/sbverify.c
	39	--- sbsigntool-0.6.org/src/sbverify.c 2012-10-11 14:32:32.000000000 +0200
	40	+++ sbsigntool-0.6/src/sbverify.c 2021-10-03 23:16:05.621000201 +0200
e164c3e2 AM	41	@@ -55,6 +55,14 @@
	42	#include <openssl/pem.h>
	43	#include <openssl/x509v3.h>
	44
	45	+#if OPENSSL_VERSION_NUMBER < 0x10100000L
	46	+#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
	47	+#define X509_OBJECT_get_type(obj) ((obj)->type)
	48	+#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
	49	+#define X509_STORE_get0_objects(certs) ((certs)->objs)
	50	+#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
	51	+#endif
	52	+
	53	static const char *toolname = "sbverify";
	54	static const int cert_name_len = 160;
	55
	56	@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *
	57
	58	for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
	59	cert = sk_X509_value(p7->d.sign->cert, i);
	60	- X509_NAME_oneline(cert->cert_info->subject,
	61	+ X509_NAME_oneline(X509_get_subject_name(cert),
	62	subject_name, cert_name_len);
	63	- X509_NAME_oneline(cert->cert_info->issuer,
	64	+ X509_NAME_oneline(X509_get_issuer_name(cert),
	65	issuer_name, cert_name_len);
	66
	67	printf(" - subject: %s\n", subject_name);
	68	@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *
	69	static void print_certificate_store_certs(X509_STORE *certs)
	70	{
	71	char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
	72	+ STACK_OF(X509_OBJECT) *objs;
	73	X509_OBJECT *obj;
	74	+ X509 *cert;
	75	int i;
	76
	77	printf("certificate store:\n");
	78
	79	- for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
	80	- obj = sk_X509_OBJECT_value(certs->objs, i);
	81	+ objs = X509_STORE_get0_objects(certs);
	82	+
	83	+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
	84	+ obj = sk_X509_OBJECT_value(objs, i);
	85
	86	- if (obj->type != X509_LU_X509)
	87	+ if (X509_OBJECT_get_type(obj) != X509_LU_X509)
	88	continue;
	89
	90	- X509_NAME_oneline(obj->data.x509->cert_info->subject,
	91	+ cert = X509_OBJECT_get0_X509(obj);
	92	+
	93	+ X509_NAME_oneline(X509_get_subject_name(cert),
	94	subject_name, cert_name_len);
	95	- X509_NAME_oneline(obj->data.x509->cert_info->issuer,
	96	+ X509_NAME_oneline(X509_get_issuer_name(cert),
	97	issuer_name, cert_name_len);
	98
	99	printf(" - subject: %s\n", subject_name);
	100	@@ -182,12 +196,21 @@ static int load_detached_signature_data(
	101
	102	static int cert_in_store(X509 cert, X509_STORE_CTX ctx)
	103	{
	104	- X509_OBJECT obj;
105	+ STACK_OF(X509_OBJECT) *objs;
106	+ X509_OBJECT *obj;
107	+ int i;
108	+
109	+ objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
110
111	- obj.type = X509_LU_X509;
112	- obj.data.x509 = cert;
113	+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
114	+ obj = sk_X509_OBJECT_value(objs, i);
115
116	- return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
117	+ if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
118	+ !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
119	+ return 1;
120	+ }
121	+
122	+ return 0;
123	}
124
125	static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
1d68a40a	126	@@ -195,15 +218,17 @@ static int x509_verify_cb(int status, X5
e164c3e2 AM	127	int err = X509_STORE_CTX_get_error(ctx);
	128
	129	/* also accept code-signing keys */
	130	- if (err == X509_V_ERR_INVALID_PURPOSE
	131	- && ctx->cert->ex_xkusage == XKU_CODE_SIGN)
	132	+ if (err == X509_V_ERR_INVALID_PURPOSE &&
	133	+ X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
	134	+ == XKU_CODE_SIGN)
	135	status = 1;
	136
	137	/* all certs given with the --cert argument are trusted */
1d68a40a JR	138	else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY \|\|
1d68a40a JR	139	+ err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT \|\|
e164c3e2 AM	140	err == X509_V_ERR_CERT_UNTRUSTED) {
	141
	142	- if (cert_in_store(ctx->current_cert, ctx))
	143	+ if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))
	144	status = 1;
	145	}
e164c3e2	146