Fix mapping of HTTP_STATUS_NOT_MODIFIED to IPP_STATUS_OK_EVENTS_COMPLETE.
Only test pinning for self-signed certs.
Fix sanity check for cupsSaveCredentials (copy/paste error)
{
switch (status)
{
+ case HTTP_STATUS_NOT_MODIFIED :
+ _cupsSetError(IPP_STATUS_OK_EVENTS_COMPLETE, httpStatus(status), 0);
+ break;
+
case HTTP_STATUS_NOT_FOUND :
_cupsSetError(IPP_STATUS_ERROR_NOT_FOUND, httpStatus(status), 0);
break;
}
// Look this common name up in the default keychains...
- if ((tcreds = cupsCopyCredentials(path, common_name)) != NULL)
+ if (num_certs == 1 && (tcreds = cupsCopyCredentials(path, common_name)) != NULL)
{
char credentials_str[1024], // String for incoming credentials
tcreds_str[1024]; // String for saved credentials
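Review bot: The added `num_certs == 1` condition tests the length of the presented chain, not whether the certificate is self-signed, so it does not quite match the commit message. A server that sends only a CA-issued leaf certificate still enters the pinning branch, while a self-signed certificate sent alongside extra certificates skips it. When the condition is false the comparison against saved credentials is skipped entirely, so the decision rests on the root and expiry checks that follow outside this hunk; it is worth confirming that path behaves as intended for a host whose chain changes. At minimum, update the comment above the test, e.g. `// Only compare against saved (pinned) credentials when a single certificate was presented...`. The same point applies to the `sk_X509_num(certs) == 1` condition in the OpenSSL hunk.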
_cups_globals_t *cg = _cupsGlobals(); // Per-thread globals
+ DEBUG_printf("cupsGetCredentialsTrust(path=\"%s\", common_name=\"%s\", credentials=\"%lu bytes\", require_ca=%s)", path, common_name, (unsigned long)(credentials ? strlen(credentials) : 0), require_ca ? "true" : "false");
+
// Range check input...
if (!path)
path = http_default_path(defpath, sizeof(defpath));
cert = sk_X509_value(certs, 0);
+ DEBUG_printf("1cupsGetCredentialsGetTrust: certs=%p, sk_X509_num(certs)=%d", (void *)certs, sk_X509_num(certs));
+
if (cg->any_root < 0)
{
_cupsSetDefaults();
}
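Review bot: The prefix in the added debug line reads `cupsGetCredentialsGetTrust`, while the entry message added in the previous hunk names the function `cupsGetCredentialsTrust`. The mismatch makes the two messages hard to correlate when grepping a debug log. Suggest `DEBUG_printf("1cupsGetCredentialsTrust: certs=%p, sk_X509_num(certs)=%d", (void *)certs, sk_X509_num(certs));`. The function body starts and ends outside this hunk.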
// Look this common name up in the default keychains...
- if ((tcreds = cupsCopyCredentials(path, common_name)) != NULL)
+ if (sk_X509_num(certs) == 1 && (tcreds = cupsCopyCredentials(path, common_name)) != NULL)
{
char credentials_str[1024], // String for incoming credentials
tcreds_str[1024]; // String for saved credentials
if (credentials)
{
// Make sure it looks like a PEM-encoded cert...
- if (strncmp(credentials, "-----BEGIN CERTIFICATE-----", 27) || strstr(key, "-----END CERTIFICATE-----") == NULL)
+ if (strncmp(credentials, "-----BEGIN CERTIFICATE-----", 27) || strstr(credentials, "-----END CERTIFICATE-----") == NULL)
return (false);
}
bool ret = false; // Return value
+ DEBUG_printf("3http_check_roots(creds=\"%s\")", creds);
+
#ifdef __APPLE__
// Apple hides all of the keychain stuff (all deprecated) so the best we can
// do is use the SecTrust API to evaluate the certificate...
// Test the certificate list against the macOS/iOS trust store...
if ((policy = SecPolicyCreateBasicX509()) != NULL)
{
+ DEBUG_puts("4http_check_roots: SecPolicyCreateBasicX509 succeeded.");
+
if (SecTrustCreateWithCertificates(certs, policy, &trust) == noErr)
{
ret = SecTrustEvaluateWithError(trust, NULL);
CFRelease(trust);
+
+ DEBUG_printf("4http_check_roots: SecTrustEvaluateWithError returned %d.", ret);
}
+#ifdef DEBUG
+ else
+ DEBUG_printf("4http_check_roots: SecTrustCreateWithCertificates returned %d.", SecTrustCreateWithCertificates(certs, policy, &trust));
+#endif // DEBUG
CFRelease(policy);
}
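Review bot: In the `#ifdef DEBUG` else branch, the `DEBUG_printf` calls `SecTrustCreateWithCertificates(certs, policy, &trust)` a second time just to log its status. Debug builds therefore do extra work that release builds do not, and if the second call were to succeed, the `trust` object it creates is never released. Capture the status once instead: declare `OSStatus err;`, test `if ((err = SecTrustCreateWithCertificates(certs, policy, &trust)) == noErr)`, and log `DEBUG_printf("4http_check_roots: SecTrustCreateWithCertificates returned %d.", (int)err);` in the else branch. Passing `NULL` for the error argument of `SecTrustEvaluateWithError` also discards the reason for a failed evaluation, which is the detail most useful in this debug output.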