1 From 3186e24f5a46172cd771d61cdeec5e590f73743e Mon Sep 17 00:00:00 2001
2 From: Steve Langasek <steve.langasek@canonical.com>
3 Date: Wed, 15 Jul 2015 08:48:25 -0700
4 Subject: [PATCH] Support openssl 1.0.2b and above
6 Newer versions of OpenSSL report a different verification error when they
7 build alternate certificate chains; accept it too so that verification keeps working.
9 Signed-off-by: Marc Deslauriers <marc.deslauriers@canonical.com>
10 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1474541
13 1 file changed, 1 insertion(+)
15 diff -urNp -x '*.orig' sbsigntool-0.6.org/src/sbkeysync.c sbsigntool-0.6/src/sbkeysync.c
16 --- sbsigntool-0.6.org/src/sbkeysync.c 2012-10-11 14:32:32.000000000 +0200
17 +++ sbsigntool-0.6/src/sbkeysync.c 2021-10-03 23:16:05.621000201 +0200
18 @@ -203,16 +203,15 @@ static int x509_key_parse(struct key *ke
21 /* we use the X509 serial number as the key ID */
22 - if (!x509->cert_info || !x509->cert_info->serialNumber)
23 + serial = X509_get_serialNumber(x509);
27 - serial = x509->cert_info->serialNumber;
29 key->id_len = ASN1_STRING_length(serial);
30 key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
32 key->description = talloc_array(key, char, description_len);
33 - X509_NAME_oneline(x509->cert_info->subject,
34 + X509_NAME_oneline(X509_get_subject_name(x509),
35 key->description, description_len);
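Review bot: The removed guard `if (!x509->cert_info || !x509->cert_info->serialNumber)` rejected a certificate with no serial number before it was used as the key ID, while the visible replacement `serial = X509_get_serialNumber(x509);` flows straight into `ASN1_STRING_length(serial)`; lines 24-26 of this hunk are not shown, so if they hold `if (!serial) goto out;` (or whatever error path the removed check took) this is fine, otherwise that NULL check should be restored ahead of the `ASN1_STRING_length`/`talloc_memdup` pair. X509_get_serialNumber() returns an internal pointer that should not be NULL for a successfully decoded certificate, but keeping the check costs nothing and preserves the old behaviour. As a forward-compatibility point, `ASN1_STRING_data()` is deprecated from OpenSSL 1.1.0 in favour of `ASN1_STRING_get0_data()`, and since talloc_memdup takes a `const void *` source the swap is a one-token change. x509_key_parse starts and ends outside this hunk.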
38 diff -urNp -x '*.orig' sbsigntool-0.6.org/src/sbverify.c sbsigntool-0.6/src/sbverify.c
39 --- sbsigntool-0.6.org/src/sbverify.c 2012-10-11 14:32:32.000000000 +0200
40 +++ sbsigntool-0.6/src/sbverify.c 2021-10-03 23:16:05.621000201 +0200
42 #include <openssl/pem.h>
43 #include <openssl/x509v3.h>
45 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
46 +#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
47 +#define X509_OBJECT_get_type(obj) ((obj)->type)
48 +#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
49 +#define X509_STORE_get0_objects(certs) ((certs)->objs)
50 +#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
53 static const char *toolname = "sbverify";
54 static const int cert_name_len = 160;
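Review bot: The compat macro `X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)` is not a full equivalent of the OpenSSL 1.1.0 accessor: the real function runs X509_check_purpose() to populate the extension cache first, whereas the macro reads the raw field, which stays 0 until something has cached the extensions. In this file the value is only read in the verify callback after an X509_V_ERR_INVALID_PURPOSE error, where the purpose check has already run, so it is valid there, and an uncached read would fail closed (no XKU_CODE_SIGN match) rather than grant anything, but the shim should say so: `/* valid only after X509_check_purpose() has cached the extensions; the verify callback is such a context */`. The `#endif` closing this block is not among the lines shown. If OpenSSL 1.0.1 is still a build target, `X509_STORE_CTX_get0_store()`, used in cert_in_store() below, also needs a shim such as `#define X509_STORE_CTX_get0_store(ctx) ((ctx)->ctx)`; as far as I recall it is present from 1.0.2, which the subject line names as the floor.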
56 @@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *
58 for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
59 cert = sk_X509_value(p7->d.sign->cert, i);
60 - X509_NAME_oneline(cert->cert_info->subject,
61 + X509_NAME_oneline(X509_get_subject_name(cert),
62 subject_name, cert_name_len);
63 - X509_NAME_oneline(cert->cert_info->issuer,
64 + X509_NAME_oneline(X509_get_issuer_name(cert),
65 issuer_name, cert_name_len);
67 printf(" - subject: %s\n", subject_name);
68 @@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *
69 static void print_certificate_store_certs(X509_STORE *certs)
71 char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
72 + STACK_OF(X509_OBJECT) *objs;
77 printf("certificate store:\n");
79 - for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
80 - obj = sk_X509_OBJECT_value(certs->objs, i);
81 + objs = X509_STORE_get0_objects(certs);
83 + for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
84 + obj = sk_X509_OBJECT_value(objs, i);
86 - if (obj->type != X509_LU_X509)
87 + if (X509_OBJECT_get_type(obj) != X509_LU_X509)
90 - X509_NAME_oneline(obj->data.x509->cert_info->subject,
91 + cert = X509_OBJECT_get0_X509(obj);
93 + X509_NAME_oneline(X509_get_subject_name(cert),
94 subject_name, cert_name_len);
95 - X509_NAME_oneline(obj->data.x509->cert_info->issuer,
96 + X509_NAME_oneline(X509_get_issuer_name(cert),
97 issuer_name, cert_name_len);
99 printf(" - subject: %s\n", subject_name);
100 @@ -182,12 +196,21 @@ static int load_detached_signature_data(
102 static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
105 + STACK_OF(X509_OBJECT) *objs;
109 + objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
111 - obj.type = X509_LU_X509;
112 - obj.data.x509 = cert;
113 + for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
114 + obj = sk_X509_OBJECT_value(objs, i);
116 - return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
117 + if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
118 + !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
125 static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
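Review bot: cert_in_store() is the check that turns a `--cert` file into a trust anchor in the verify callback, so the matching rule deserves a comment: the new loop compares with `X509_cmp()`, which per the OpenSSL documentation compares a hash of the certificates' full encoding rather than just the subject name, so a chain certificate with the same subject but a different key does not count as trusted; the removed `X509_OBJECT_retrieve_match()` path, as far as I recall, also ended in X509_cmp, so this is not a behaviour change, but `/* whole-certificate match (X509_cmp), not a subject-name match: only the exact --cert files are trusted */` above the loop would make it explicit. The `X509_OBJECT_get_type(obj) == X509_LU_X509` test correctly skips CRL entries, which do not hold a certificate. The loop's return statements and the declarations of `i` and `obj` fall in lines of the hunk that are not shown. `X509_STORE_get0_objects()` reads the store's object list without taking the store lock, which is fine for this single-threaded tool, though newer OpenSSL releases steer callers to `X509_STORE_get1_objects()`.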
126 @@ -195,15 +218,17 @@ static int x509_verify_cb(int status, X5
127 int err = X509_STORE_CTX_get_error(ctx);
129 /* also accept code-signing keys */
130 - if (err == X509_V_ERR_INVALID_PURPOSE
131 - && ctx->cert->ex_xkusage == XKU_CODE_SIGN)
132 + if (err == X509_V_ERR_INVALID_PURPOSE &&
133 + X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
137 /* all certs given with the --cert argument are trusted */
138 else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
139 + err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ||
140 err == X509_V_ERR_CERT_UNTRUSTED) {
142 - if (cert_in_store(ctx->current_cert, ctx))
143 + if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))