From 6c2ee5a89cdaa0afb08d30c9f9873fbd00dbf57c Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Tue, 12 Jul 2022 19:15:29 -0400 Subject: [PATCH] Remove include_certchain parameter in PKINIT Every caller of cms_signeddata_create() and cms_envelopeddata_create() passes 1 for include_certchain. Remove the parameter and unconditionally add the certificate chain. --- src/plugins/preauth/pkinit/pkinit_clnt.c | 2 +- src/plugins/preauth/pkinit/pkinit_crypto.h | 6 -- .../preauth/pkinit/pkinit_crypto_openssl.c | 79 +++++++++---------- src/plugins/preauth/pkinit/pkinit_srv.c | 4 +- 4 files changed, 40 insertions(+), 51 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c index 8c4d81bbc1..725d5bc438 100644 --- a/src/plugins/preauth/pkinit/pkinit_clnt.c +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c @@ -270,7 +270,7 @@ pkinit_as_req_create(krb5_context context, } else { retval = cms_signeddata_create(context, plgctx->cryptoctx, reqctx->cryptoctx, reqctx->idctx, - CMS_SIGN_CLIENT, 1, + CMS_SIGN_CLIENT, (unsigned char *) coded_auth_pack->data, coded_auth_pack->length, diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h index 5ecc86dabc..e22798f668 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto.h +++ b/src/plugins/preauth/pkinit/pkinit_crypto.h @@ -132,9 +132,6 @@ krb5_error_code cms_signeddata_create int cms_msg_type, /* IN specifies CMS_SIGN_CLIENT for client-side CMS message and CMS_SIGN_SERVER for kdc-side */ - int include_certchain, /* IN - specifies where certificates field in SignedData - should contain certificate path */ unsigned char *auth_pack, /* IN contains DER encoded AuthPack (CMS_SIGN_CLIENT) or DER encoded DHRepInfo (CMS_SIGN_SERVER) */ @@ -192,9 +189,6 @@ krb5_error_code cms_envelopeddata_create pkinit_req_crypto_context req_cryptoctx, /* IN */ pkinit_identity_crypto_context id_cryptoctx, /* IN */ krb5_preauthtype pa_type, /* IN */ - int include_certchain, /* IN - specifies whether the certificates field in - SignedData should contain certificate path */ unsigned char *key_pack, /* IN contains DER encoded ReplyKeyPack */ unsigned int key_pack_len, /* IN diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index 3024973f3a..5c74611707 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -1504,7 +1504,6 @@ cms_signeddata_create(krb5_context context, pkinit_req_crypto_context req_cryptoctx, pkinit_identity_crypto_context id_cryptoctx, int cms_msg_type, - int include_certchain, unsigned char *data, unsigned int data_len, unsigned char **signed_data, @@ -1549,49 +1548,46 @@ cms_signeddata_create(krb5_context context, goto cleanup; if (id_cryptoctx->my_certs != NULL) { - /* create a cert chain that has at least the signer's certificate */ + X509_STORE *certstore = NULL; + X509_STORE_CTX *certctx; + STACK_OF(X509) *certstack = NULL; + char buf[DN_BUF_LEN]; + unsigned int i = 0, size = 0; + + /* create a cert chain */ if ((cert_stack = sk_X509_new_null()) == NULL) goto cleanup; cert = sk_X509_value(id_cryptoctx->my_certs, id_cryptoctx->cert_index); - if (!include_certchain) { - pkiDebug("only including signer's certificate\n"); - sk_X509_push(cert_stack, X509_dup(cert)); - } else { - /* create a cert chain */ - X509_STORE *certstore = NULL; - X509_STORE_CTX *certctx; - STACK_OF(X509) *certstack = NULL; - char buf[DN_BUF_LEN]; - unsigned int i = 0, size = 0; - - if ((certstore = X509_STORE_new()) == NULL) - goto cleanup; - pkiDebug("building certificate chain\n"); - X509_STORE_set_verify_cb(certstore, openssl_callback); - certctx = X509_STORE_CTX_new(); - if (certctx == NULL) - goto cleanup; - X509_STORE_CTX_init(certctx, certstore, cert, - id_cryptoctx->intermediateCAs); - X509_STORE_CTX_trusted_stack(certctx, id_cryptoctx->trustedCAs); - if (!X509_verify_cert(certctx)) { - retval = oerr_cert(context, 0, certctx, - _("Failed to verify own certificate")); - goto cleanup; - } - certstack = X509_STORE_CTX_get1_chain(certctx); - size = sk_X509_num(certstack); - for(i = 0; i < size - 1; i++) { - X509 *x = sk_X509_value(certstack, i); - X509_NAME_oneline(X509_get_subject_name(x), buf, sizeof(buf)); - TRACE_PKINIT_CERT_CHAIN_NAME(context, (int)i, buf); - sk_X509_push(cert_stack, X509_dup(x)); - } - X509_STORE_CTX_free(certctx); - X509_STORE_free(certstore); - sk_X509_pop_free(certstack, X509_free); + + certstore = X509_STORE_new(); + if (certstore == NULL) + goto cleanup; + pkiDebug("building certificate chain\n"); + X509_STORE_set_verify_cb(certstore, openssl_callback); + certctx = X509_STORE_CTX_new(); + if (certctx == NULL) + goto cleanup; + X509_STORE_CTX_init(certctx, certstore, cert, + id_cryptoctx->intermediateCAs); + X509_STORE_CTX_trusted_stack(certctx, id_cryptoctx->trustedCAs); + if (!X509_verify_cert(certctx)) { + retval = oerr_cert(context, 0, certctx, + _("Failed to verify own certificate")); + goto cleanup; + } + certstack = X509_STORE_CTX_get1_chain(certctx); + size = sk_X509_num(certstack); + for (i = 0; i < size - 1; i++) { + X509 *x = sk_X509_value(certstack, i); + X509_NAME_oneline(X509_get_subject_name(x), buf, sizeof(buf)); + TRACE_PKINIT_CERT_CHAIN_NAME(context, (int)i, buf); + sk_X509_push(cert_stack, X509_dup(x)); } + X509_STORE_CTX_free(certctx); + X509_STORE_free(certstore); + sk_X509_pop_free(certstack, X509_free); + p7s->cert = cert_stack; /* fill-in PKCS7_SIGNER_INFO */ @@ -2175,7 +2171,6 @@ cms_envelopeddata_create(krb5_context context, pkinit_req_crypto_context reqctx, pkinit_identity_crypto_context idctx, krb5_preauthtype pa_type, - int include_certchain, unsigned char *key_pack, unsigned int key_pack_len, unsigned char **out, @@ -2191,8 +2186,8 @@ cms_envelopeddata_create(krb5_context context, const EVP_CIPHER *cipher = NULL; retval = cms_signeddata_create(context, plgctx, reqctx, idctx, - CMS_ENVEL_SERVER, include_certchain, - key_pack, key_pack_len, &signed_data, + CMS_ENVEL_SERVER, key_pack, key_pack_len, + &signed_data, (unsigned int *)&signed_data_len); if (retval) { pkiDebug("failed to create pkcs7 signed data\n"); diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c index 865c543c44..0ac9ca065a 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c @@ -863,7 +863,7 @@ pkinit_server_return_padata(krb5_context context, retval = cms_signeddata_create(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, - CMS_SIGN_SERVER, 1, + CMS_SIGN_SERVER, (unsigned char *) encoded_dhkey_info->data, encoded_dhkey_info->length, @@ -917,7 +917,7 @@ pkinit_server_return_padata(krb5_context context, rep->choice = choice_pa_pk_as_rep_encKeyPack; retval = cms_envelopeddata_create(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, - padata->pa_type, 1, + padata->pa_type, (unsigned char *) encoded_key_pack->data, encoded_key_pack->length, -- 2.47.2