Fri Jul 18 18:40:50 2008 UTC ()
Use X509_check_ca to determine if this is a CA key.
This has the side effect of actually setting ex_xkusage.


(joerg)
diff -r1.1.2.3 -r1.1.2.4 pkgsrc/pkgtools/pkg_install/files/lib/pkcs7.c

cvs diff -r1.1.2.3 -r1.1.2.4 pkgsrc/pkgtools/pkg_install/files/lib/pkcs7.c

--- pkgsrc/pkgtools/pkg_install/files/lib/pkcs7.c 2008/07/05 17:26:40 1.1.2.3
+++ pkgsrc/pkgtools/pkg_install/files/lib/pkcs7.c 2008/07/18 18:40:50 1.1.2.4
@@ -1,23 +1,23 @@ @@ -1,23 +1,23 @@
1/* $NetBSD: pkcs7.c,v 1.1.2.3 2008/07/05 17:26:40 joerg Exp $ */ 1/* $NetBSD: pkcs7.c,v 1.1.2.4 2008/07/18 18:40:50 joerg Exp $ */
2#if HAVE_CONFIG_H 2#if HAVE_CONFIG_H
3#include "config.h" 3#include "config.h"
4#endif 4#endif
5#include <nbcompat.h> 5#include <nbcompat.h>
6#if HAVE_SYS_CDEFS_H 6#if HAVE_SYS_CDEFS_H
7#include <sys/cdefs.h> 7#include <sys/cdefs.h>
8#endif 8#endif
9 9
10__RCSID("$NetBSD: pkcs7.c,v 1.1.2.3 2008/07/05 17:26:40 joerg Exp $"); 10__RCSID("$NetBSD: pkcs7.c,v 1.1.2.4 2008/07/18 18:40:50 joerg Exp $");
11 11
12/*- 12/*-
13 * Copyright (c) 2004, 2008 The NetBSD Foundation, Inc. 13 * Copyright (c) 2004, 2008 The NetBSD Foundation, Inc.
14 * All rights reserved. 14 * All rights reserved.
15 * 15 *
16 * This code is derived from software contributed to The NetBSD Foundation 16 * This code is derived from software contributed to The NetBSD Foundation
17 * by Love Hörnquist Åstrand <lha@it.su.se> 17 * by Love Hörnquist Åstrand <lha@it.su.se>
18 * 18 *
19 * Redistribution and use in source and binary forms, with or without 19 * Redistribution and use in source and binary forms, with or without
20 * modification, are permitted provided that the following conditions 20 * modification, are permitted provided that the following conditions
21 * are met: 21 * are met:
22 * 1. Redistributions of source code must retain the above copyright 22 * 1. Redistributions of source code must retain the above copyright
23 * notice, this list of conditions and the following disclaimer. 23 * notice, this list of conditions and the following disclaimer.
@@ -147,27 +147,28 @@ easy_pkcs7_verify(const char *content, s @@ -147,27 +147,28 @@ easy_pkcs7_verify(const char *content, s
147 147
148 signers = PKCS7_get0_signers(p7, NULL, 0); 148 signers = PKCS7_get0_signers(p7, NULL, 0);
149 if (signers == NULL) { 149 if (signers == NULL) {
150 warnx("Failed to get signers"); 150 warnx("Failed to get signers");
151 goto cleanup; 151 goto cleanup;
152 } 152 }
153  153
154 if (sk_X509_num(signers) == 0) { 154 if (sk_X509_num(signers) == 0) {
155 warnx("No signers found"); 155 warnx("No signers found");
156 goto cleanup; 156 goto cleanup;
157 } 157 }
158 158
159 for (i = 0; i < sk_X509_num(signers); i++) { 159 for (i = 0; i < sk_X509_num(signers); i++) {
160 if (sk_X509_value(signers, i)->ex_flags & EXFLAG_CA) { 160 /* Check CA state and update ex_xkusage as side effect */
 161 if (X509_check_ca(sk_X509_value(signers, i))) {
161 warnx("CA keys are not valid for signatures"); 162 warnx("CA keys are not valid for signatures");
162 goto cleanup; 163 goto cleanup;
163 } 164 }
164 if (is_pkg) { 165 if (is_pkg) {
165 if (sk_X509_value(signers, i)->ex_xkusage != XKU_CODE_SIGN) { 166 if (sk_X509_value(signers, i)->ex_xkusage != XKU_CODE_SIGN) {
166 warnx("Certificate must have CODE SIGNING property"); 167 warnx("Certificate must have CODE SIGNING property");
167 goto cleanup; 168 goto cleanup;
168 } 169 }
169 } else { 170 } else {
170 if (sk_X509_value(signers, i)->ex_xkusage != 0) { 171 if (sk_X509_value(signers, i)->ex_xkusage != 0) {
171 warnx("Certificate must not have any property"); 172 warnx("Certificate must not have any property");
172 goto cleanup; 173 goto cleanup;
173 } 174 }
@@ -228,30 +229,32 @@ easy_pkcs7_sign(const char *content, siz @@ -228,30 +229,32 @@ easy_pkcs7_sign(const char *content, siz
228 status = -1; 229 status = -1;
229 private_key = NULL; 230 private_key = NULL;
230 cert_chain = NULL; 231 cert_chain = NULL;
231 in = NULL; 232 in = NULL;
232 233
233 c = file_to_certs(cert_file); 234 c = file_to_certs(cert_file);
234 235
235 if (sk_X509_num(c) != 1) { 236 if (sk_X509_num(c) != 1) {
236 warnx("More then one certificate in the certificate file"); 237 warnx("More then one certificate in the certificate file");
237 goto cleanup; 238 goto cleanup;
238 } 239 }
239 certificate = sk_X509_value(c, 0); 240 certificate = sk_X509_value(c, 0);
240 241
241 if (certificate->ex_flags & EXFLAG_CA) { 242 /* Check CA state and update ex_xkusage as side effect */
 243 if (X509_check_ca(certificate)) {
242 warnx("CA keys are not valid for signatures"); 244 warnx("CA keys are not valid for signatures");
243 goto cleanup; 245 goto cleanup;
244 } 246 }
 247
245 if (certificate->ex_xkusage != XKU_CODE_SIGN) { 248 if (certificate->ex_xkusage != XKU_CODE_SIGN) {
246 warnx("Certificate must have CODE SIGNING property"); 249 warnx("Certificate must have CODE SIGNING property");
247 goto cleanup; 250 goto cleanup;
248 } 251 }
249 252
250 if (cert_chain_file) 253 if (cert_chain_file)
251 cert_chain = file_to_certs(cert_chain_file); 254 cert_chain = file_to_certs(cert_chain_file);
252 255
253 if ((f = fopen(key_file, "r")) == NULL) { 256 if ((f = fopen(key_file, "r")) == NULL) {
254 warn("Failed to open private key file %s", key_file); 257 warn("Failed to open private key file %s", key_file);
255 goto cleanup; 258 goto cleanup;
256 } 259 }
257 private_key = PEM_read_PrivateKey(f, NULL, ssl_pass_cb, NULL); 260 private_key = PEM_read_PrivateKey(f, NULL, ssl_pass_cb, NULL);
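Review bot: The `ex_xkusage` comparisons after both new `X509_check_ca()` calls (the signer loop in `easy_pkcs7_verify` and the single-certificate check in `easy_pkcs7_sign`) are only meaningful because that call happens to fill OpenSSL's extension cache, so the code-signing policy rests on a side effect and on statement order rather than on a documented guarantee. Making the cache step explicit before any field is read, e.g. `X509_check_purpose(certificate, -1, 0);`, and testing `ex_flags & EXFLAG_XKUSAGE` before interpreting `ex_xkusage`, would keep the EKU check correct if the CA test is later moved or removed. `X509_check_ca()` also returns non-zero for more than basicConstraints CAs (self-signed X509v1 certificates, for example), so rejecting on any non-zero result is the strict choice and the new comment should say so. Both functions start and end outside the visible hunks, so it cannot be confirmed from here whether the signer certificates have already been chain-verified when these checks run.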