1 | From 3186e24f5a46172cd771d61cdeec5e590f73743e Mon Sep 17 00:00:00 2001 |
2 | From: Steve Langasek <steve.langasek@canonical.com> | |
3 | Date: Wed, 15 Jul 2015 08:48:25 -0700 | |
4 | Subject: [PATCH] Support openssl 1.0.2b and above | |
5 | ||
6 | Newer versions of openssl return a different error with alternate | |
7 | certificate chains; update for compatibility. | |
8 | ||
9 | Signed-off-by: Marc Deslauriers <marc.deslauriers@canonical.com> | |
10 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1474541 | |
11 | --- | |
12 | src/sbverify.c | 1 + | |
13 | 1 file changed, 1 insertion(+) | |
14 | ||
15 | diff -urNp -x '*.orig' sbsigntool-0.6.org/src/sbkeysync.c sbsigntool-0.6/src/sbkeysync.c |
16 | --- sbsigntool-0.6.org/src/sbkeysync.c 2012-10-11 14:32:32.000000000 +0200 | |
17 | +++ sbsigntool-0.6/src/sbkeysync.c 2021-10-03 23:16:05.621000201 +0200 | |
18 | @@ -203,16 +203,15 @@ static int x509_key_parse(struct key *ke | |
19 | return -1; | |
e164c3e2 | 20 | |
21 | /* we use the X509 serial number as the key ID */ |
22 | - if (!x509->cert_info || !x509->cert_info->serialNumber) | |
23 | + serial = X509_get_serialNumber(x509); | |
24 | + if (!serial) | |
25 | goto out; | |
e164c3e2 | 26 | |
27 | - serial = x509->cert_info->serialNumber; |
28 | - | |
29 | key->id_len = ASN1_STRING_length(serial); | |
30 | key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len); | |
31 | ||
32 | key->description = talloc_array(key, char, description_len); | |
33 | - X509_NAME_oneline(x509->cert_info->subject, | |
34 | + X509_NAME_oneline(X509_get_subject_name(x509), | |
35 | key->description, description_len); | |
36 | ||
37 | rc = 0; | |
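Review bot: `ASN1_STRING_data(serial)` on the context line right after the new `X509_get_serialNumber` call is deprecated since OpenSSL 1.1.0 and is hidden when OPENSSL_API_COMPAT is 0x10100000L or higher, so the accessor-based rewrite still fails a deprecation-clean build; `key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);` copies the same bytes (with a `#define ASN1_STRING_get0_data ASN1_STRING_data` fallback for 1.0.x, matching the compat block the patch adds to sbverify.c). The `if (!serial)` guard is harmless, but since X509_get_serialNumber returns a pointer into the certificate for any non-NULL X509 the path worth a comment is the zero-length serial, where `key->id_len` is 0 and `talloc_memdup` gets a zero-size copy; the `out:` label, the initial value of `rc` and the start of x509_key_parse are all outside this hunk, so confirm rc is -1 on that `goto out`. Also, the patch header's diffstat lists only src/sbverify.c while this hunk changes src/sbkeysync.c.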
38 | diff -urNp -x '*.orig' sbsigntool-0.6.org/src/sbverify.c sbsigntool-0.6/src/sbverify.c | |
39 | --- sbsigntool-0.6.org/src/sbverify.c 2012-10-11 14:32:32.000000000 +0200 | |
40 | +++ sbsigntool-0.6/src/sbverify.c 2021-10-03 23:16:05.621000201 +0200 | |
41 | @@ -55,6 +55,14 @@ |
42 | #include <openssl/pem.h> | |
43 | #include <openssl/x509v3.h> | |
44 | ||
45 | +#if OPENSSL_VERSION_NUMBER < 0x10100000L | |
46 | +#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509) | |
47 | +#define X509_OBJECT_get_type(obj) ((obj)->type) | |
48 | +#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert) | |
49 | +#define X509_STORE_get0_objects(certs) ((certs)->objs) | |
50 | +#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage) | |
51 | +#endif | |
52 | + | |
53 | static const char *toolname = "sbverify"; | |
54 | static const int cert_name_len = 160; | |
55 | ||
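Review bot: The pre-1.1.0 fallback `X509_get_extended_key_usage(cert)` reads `ex_xkusage` straight from the struct, which only holds a meaningful value once OpenSSL has cached the certificate's extensions, whereas the real 1.1.0 accessor builds that cache itself; in x509_verify_cb it is reached only after X509_V_ERR_INVALID_PURPOSE, by which point the purpose check has already cached them, so it works there, but a comment such as `/* 1.0.x: valid only after X509_check_purpose() has cached extensions */` would keep the macro from being reused elsewhere. The block also does not cover `X509_STORE_CTX_get0_store`, which the new cert_in_store calls; confirm it is exported by the oldest 1.0.x still supported, otherwise add `#define X509_STORE_CTX_get0_store(ctx) ((ctx)->ctx)` here. If LibreSSL is a build target, it reports OPENSSL_VERSION_NUMBER as 0x20000000L, so these fallbacks are skipped although the accessors only appeared in LibreSSL 2.7; extending the guard with `|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)` covers that.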
56 | @@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 * | |
57 | ||
58 | for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) { | |
59 | cert = sk_X509_value(p7->d.sign->cert, i); | |
60 | - X509_NAME_oneline(cert->cert_info->subject, | |
61 | + X509_NAME_oneline(X509_get_subject_name(cert), | |
62 | subject_name, cert_name_len); | |
63 | - X509_NAME_oneline(cert->cert_info->issuer, | |
64 | + X509_NAME_oneline(X509_get_issuer_name(cert), | |
65 | issuer_name, cert_name_len); | |
66 | ||
67 | printf(" - subject: %s\n", subject_name); | |
68 | @@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 * | |
69 | static void print_certificate_store_certs(X509_STORE *certs) | |
70 | { | |
71 | char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1]; | |
72 | + STACK_OF(X509_OBJECT) *objs; | |
73 | X509_OBJECT *obj; | |
74 | + X509 *cert; | |
75 | int i; | |
76 | ||
77 | printf("certificate store:\n"); | |
78 | ||
79 | - for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) { | |
80 | - obj = sk_X509_OBJECT_value(certs->objs, i); | |
81 | + objs = X509_STORE_get0_objects(certs); | |
82 | + | |
83 | + for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { | |
84 | + obj = sk_X509_OBJECT_value(objs, i); | |
85 | ||
86 | - if (obj->type != X509_LU_X509) | |
87 | + if (X509_OBJECT_get_type(obj) != X509_LU_X509) | |
88 | continue; | |
89 | ||
90 | - X509_NAME_oneline(obj->data.x509->cert_info->subject, | |
91 | + cert = X509_OBJECT_get0_X509(obj); | |
92 | + | |
93 | + X509_NAME_oneline(X509_get_subject_name(cert), | |
94 | subject_name, cert_name_len); | |
95 | - X509_NAME_oneline(obj->data.x509->cert_info->issuer, | |
96 | + X509_NAME_oneline(X509_get_issuer_name(cert), | |
97 | issuer_name, cert_name_len); | |
98 | ||
99 | printf(" - subject: %s\n", subject_name); | |
100 | @@ -182,12 +196,21 @@ static int load_detached_signature_data( | |
101 | ||
102 | static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx) | |
103 | { | |
104 | - X509_OBJECT obj; | |
105 | + STACK_OF(X509_OBJECT) *objs; | |
106 | + X509_OBJECT *obj; | |
107 | + int i; | |
108 | + | |
109 | + objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx)); | |
110 | ||
111 | - obj.type = X509_LU_X509; | |
112 | - obj.data.x509 = cert; | |
113 | + for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { | |
114 | + obj = sk_X509_OBJECT_value(objs, i); | |
115 | ||
116 | - return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL; | |
117 | + if (X509_OBJECT_get_type(obj) == X509_LU_X509 && | |
118 | + !X509_cmp(X509_OBJECT_get0_X509(obj), cert)) | |
119 | + return 1; | |
120 | + } | |
121 | + | |
122 | + return 0; | |
123 | } | |
124 | ||
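Review bot: cert_in_store passes `cert` straight to `X509_cmp`, which dereferences it, and its only caller in this file hands it `X509_STORE_CTX_get_current_cert(ctx)`, which OpenSSL does not guarantee to be non-NULL for every error; a guard `if (!cert) return 0;` before the loop is cheap and keeps an unexpected callback from crashing the verifier. Matching with `X509_cmp` keeps the semantics of the old `X509_OBJECT_retrieve_match` lookup (a digest of the full DER encoding, so only a byte-identical --cert certificate counts), which is the right property for a trust decision and deserves a comment, e.g. `/* exact DER match only: same subject or serial is not enough */`. `X509_STORE_get0_objects` returns the store's internal stack without taking the store lock, which is fine for this single-threaded tool but should not be copied into code that shares an X509_STORE across threads.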
125 | static int x509_verify_cb(int status, X509_STORE_CTX *ctx) | |
1d68a40a | 126 | @@ -195,15 +218,17 @@ static int x509_verify_cb(int status, X5 |
127 | int err = X509_STORE_CTX_get_error(ctx); |
128 | ||
129 | /* also accept code-signing keys */ | |
130 | - if (err == X509_V_ERR_INVALID_PURPOSE | |
131 | - && ctx->cert->ex_xkusage == XKU_CODE_SIGN) | |
132 | + if (err == X509_V_ERR_INVALID_PURPOSE && | |
133 | + X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx)) | |
134 | + == XKU_CODE_SIGN) | |
135 | status = 1; | |
136 | ||
137 | /* all certs given with the --cert argument are trusted */ | |
138 | else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || |
139 | + err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT || | |
140 | err == X509_V_ERR_CERT_UNTRUSTED) { |
141 | ||
142 | - if (cert_in_store(ctx->current_cert, ctx)) | |
143 | + if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx)) | |
144 | status = 1; | |
145 | } | |
e164c3e2 | 146 |
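Review bot: The override in the `else if` branch is granted for all three errors, now including the added `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT`, whenever the current certificate is byte-identical to one loaded with --cert and without consulting `X509_STORE_CTX_get_error_depth`; that matches the "every --cert is trusted" policy in the comment, but the comment should spell out the consequence, e.g. `/* every --cert is a trust anchor: accept a chain that stops at one of them even though OpenSSL has no trust attribute for it */`. The rewritten code-signing test keeps `== XKU_CODE_SIGN`, an exact bitmask equality, so a certificate whose EKU lists codeSigning alongside another purpose is still rejected with X509_V_ERR_INVALID_PURPOSE; if that strictness is deliberate say so in the comment, otherwise `& XKU_CODE_SIGN` is the membership test. `cert_in_store` dereferences a NULL current certificate, so guard either here or there if X509_STORE_CTX_get_current_cert can return NULL for these errors. x509_verify_cb's body continues past the end of the hunk.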