From aa7336e50a443e40d6b006b7d5af5e00c0e1ba42 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Tue, 9 Oct 2012 14:47:08 -0400
Subject: [PATCH] Handle anonymous-as-signed-data-with-no-signers

Update to generate and consume signed-data with no signer-info, which we need for anonymous PKINIT.
---
 .../preauth/pkinit/pkinit_crypto_nss.c | 55 ++++++++++---------
 1 file changed, 28 insertions(+), 27 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index c1e654ad91..59b27b2f72 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -4307,45 +4307,46 @@ crypto_signeddata_common_create(krb5_context context,
 pkinit_identity_crypto_context id_cryptoctx,
 NSSCMSMessage *msg,
 SECOidTag digest,
- enum sdcc_include_certchain include_certchain,
+ enum sdcc_include_certchain certchain_mode,
 enum sdcc_include_signed_attrs add_signedattrs,
 NSSCMSSignedData **signed_data_out)
 {
 NSSCMSSignedData *sdata;
 NSSCMSSignerInfo *signer;
-
- if (id_cryptoctx->id_cert == NULL) {
- pkiDebug("%s: no signer identity\n", __FUNCTION__);
- return ENOENT;
- }
+ NSSCMSCertChainMode chainmode;
 
 /* Create a signed-data object. */
 sdata = NSS_CMSSignedData_Create(msg);
 if (sdata == NULL)
 return ENOMEM;
 
- /* Create a signer and add it to the signed-data pointer. */
- signer = NSS_CMSSignerInfo_Create(msg, id_cryptoctx->id_cert, digest);
- if (signer == NULL)
- return ENOMEM;
- if (NSS_CMSSignerInfo_IncludeCerts(signer,
- (include_certchain ==
- signeddata_common_create_with_chain) ?
- NSSCMSCM_CertChain : NSSCMSCM_CertOnly,
- certUsageAnyCA) != SECSuccess) {
- pkiDebug("%s: error setting IncludeCerts\n", __FUNCTION__);
- return ENOMEM;
- }
- if (NSS_CMSSignedData_AddSignerInfo(sdata, signer) != SECSuccess)
- return ENOMEM;
-
- if (add_signedattrs == signeddata_common_create_with_signed_attrs)
- /* The presence of any signed attribute means the digest
- * becomes a signed attribute, too. */
- if (NSS_CMSSignerInfo_AddSigningTime(signer, PR_Now()) != SECSuccess) {
- pkiDebug("%s: error adding signing time\n", __FUNCTION__);
+ if (id_cryptoctx->id_cert != NULL) {
+ /* Create a signer and add it to the signed-data pointer. */
+ signer = NSS_CMSSignerInfo_Create(msg, id_cryptoctx->id_cert, digest);
+ if (signer == NULL)
+ return ENOMEM;
+ chainmode = (certchain_mode == signeddata_common_create_with_chain) ?
+ NSSCMSCM_CertChain :
+ NSSCMSCM_CertOnly;
+ if (NSS_CMSSignerInfo_IncludeCerts(signer,
+ chainmode,
+ certUsageAnyCA) != SECSuccess) {
+ pkiDebug("%s: error setting IncludeCerts\n", __FUNCTION__);
+ return ENOMEM;
+ }
+ if (NSS_CMSSignedData_AddSignerInfo(sdata, signer) != SECSuccess)
 return ENOMEM;
+
+ if (add_signedattrs == signeddata_common_create_with_signed_attrs) {
+ /* The presence of any signed attribute means the digest
+ * becomes a signed attribute, too. */
+ if (NSS_CMSSignerInfo_AddSigningTime(signer,
+ PR_Now()) != SECSuccess) {
+ pkiDebug("%s: error adding signing time\n", __FUNCTION__);
+ return ENOMEM;
+ }
 }
+ }
 
 *signed_data_out = sdata;
 return 0;
@@ -5282,7 +5283,7 @@ cms_signeddata_verify(krb5_context context,
 cms_msg_type,
 &plain,
 &was_signed);
- if ((ret != 0) || (plain == NULL) || !was_signed) {
+ if ((ret != 0) || (plain == NULL)) {
 NSS_CMSMessage_Destroy(msg);
 PORT_FreeArena(pool, PR_TRUE);
 return ret ? ret : ENOMEM;
-- 
2.47.3
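Review bot: With the `id_cryptoctx->id_cert == NULL` early return gone, a client that merely failed to load its identity now produces signed-data with no signer-info instead of failing with ENOENT, and nothing in the hunk distinguishes that misconfiguration from a deliberate anonymous request. The new `if (id_cryptoctx->id_cert != NULL)` branch should at least say so, e.g. `/* No identity loaded: emit signed-data with no signer-info (anonymous PKINIT). */`, and an `else` carrying `pkiDebug("%s: no signer identity, creating unsigned signed-data\n", __FUNCTION__);` would keep the old diagnostic visible in traces. If the caller knows whether anonymity was requested, passing that in and keeping the ENOENT path for the non-anonymous case would be the stronger check. The function's signature and any header comment begin before the hunk.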
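Review bot: Dropping `!was_signed` from the rejection test means cms_signeddata_verify now accepts a signed-data with zero signer-infos for every message type, and the hunk shows `was_signed` only as a local handed to the helper; unless the function surfaces it to its caller somewhere outside this hunk, callers can no longer require a signature and a peer could omit one without being detected. The flag should be propagated (an out-parameter such as `int *is_signed`, or equivalent) and every non-anonymous caller should still fail when it is clear. A comment at the changed line would make the new contract explicit: `/* Signer-less signed-data is accepted here; callers must check was_signed unless the exchange is anonymous. */`. The body of cms_signeddata_verify starts and ends outside the hunk.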