| @@ -1,23 +1,23 @@ | | | @@ -1,23 +1,23 @@ |
1 | /* $NetBSD: pkcs7.c,v 1.1.2.3 2008/07/05 17:26:40 joerg Exp $ */ | | 1 | /* $NetBSD: pkcs7.c,v 1.1.2.4 2008/07/18 18:40:50 joerg Exp $ */ |
2 | #if HAVE_CONFIG_H | | 2 | #if HAVE_CONFIG_H |
3 | #include "config.h" | | 3 | #include "config.h" |
4 | #endif | | 4 | #endif |
5 | #include <nbcompat.h> | | 5 | #include <nbcompat.h> |
6 | #if HAVE_SYS_CDEFS_H | | 6 | #if HAVE_SYS_CDEFS_H |
7 | #include <sys/cdefs.h> | | 7 | #include <sys/cdefs.h> |
8 | #endif | | 8 | #endif |
9 | | | 9 | |
10 | __RCSID("$NetBSD: pkcs7.c,v 1.1.2.3 2008/07/05 17:26:40 joerg Exp $"); | | 10 | __RCSID("$NetBSD: pkcs7.c,v 1.1.2.4 2008/07/18 18:40:50 joerg Exp $"); |
11 | | | 11 | |
12 | /*- | | 12 | /*- |
13 | * Copyright (c) 2004, 2008 The NetBSD Foundation, Inc. | | 13 | * Copyright (c) 2004, 2008 The NetBSD Foundation, Inc. |
14 | * All rights reserved. | | 14 | * All rights reserved. |
15 | * | | 15 | * |
16 | * This code is derived from software contributed to The NetBSD Foundation | | 16 | * This code is derived from software contributed to The NetBSD Foundation |
17 | * by Love Hörnquist Åstrand <lha@it.su.se> | | 17 | * by Love Hörnquist Åstrand <lha@it.su.se> |
18 | * | | 18 | * |
19 | * Redistribution and use in source and binary forms, with or without | | 19 | * Redistribution and use in source and binary forms, with or without |
20 | * modification, are permitted provided that the following conditions | | 20 | * modification, are permitted provided that the following conditions |
21 | * are met: | | 21 | * are met: |
22 | * 1. Redistributions of source code must retain the above copyright | | 22 | * 1. Redistributions of source code must retain the above copyright |
23 | * notice, this list of conditions and the following disclaimer. | | 23 | * notice, this list of conditions and the following disclaimer. |
| @@ -147,27 +147,28 @@ easy_pkcs7_verify(const char *content, s | | | @@ -147,27 +147,28 @@ easy_pkcs7_verify(const char *content, s |
147 | | | 147 | |
148 | signers = PKCS7_get0_signers(p7, NULL, 0); | | 148 | signers = PKCS7_get0_signers(p7, NULL, 0); |
149 | if (signers == NULL) { | | 149 | if (signers == NULL) { |
150 | warnx("Failed to get signers"); | | 150 | warnx("Failed to get signers"); |
151 | goto cleanup; | | 151 | goto cleanup; |
152 | } | | 152 | } |
153 | | | 153 | |
154 | if (sk_X509_num(signers) == 0) { | | 154 | if (sk_X509_num(signers) == 0) { |
155 | warnx("No signers found"); | | 155 | warnx("No signers found"); |
156 | goto cleanup; | | 156 | goto cleanup; |
157 | } | | 157 | } |
158 | | | 158 | |
159 | for (i = 0; i < sk_X509_num(signers); i++) { | | 159 | for (i = 0; i < sk_X509_num(signers); i++) { |
160 | if (sk_X509_value(signers, i)->ex_flags & EXFLAG_CA) { | | 160 | /* Check CA state and update ex_xkusage as side effect */ |
| | | 161 | if (X509_check_ca(sk_X509_value(signers, i))) { |
161 | warnx("CA keys are not valid for signatures"); | | 162 | warnx("CA keys are not valid for signatures"); |
162 | goto cleanup; | | 163 | goto cleanup; |
163 | } | | 164 | } |
164 | if (is_pkg) { | | 165 | if (is_pkg) { |
165 | if (sk_X509_value(signers, i)->ex_xkusage != XKU_CODE_SIGN) { | | 166 | if (sk_X509_value(signers, i)->ex_xkusage != XKU_CODE_SIGN) { |
166 | warnx("Certificate must have CODE SIGNING property"); | | 167 | warnx("Certificate must have CODE SIGNING property"); |
167 | goto cleanup; | | 168 | goto cleanup; |
168 | } | | 169 | } |
169 | } else { | | 170 | } else { |
170 | if (sk_X509_value(signers, i)->ex_xkusage != 0) { | | 171 | if (sk_X509_value(signers, i)->ex_xkusage != 0) { |
171 | warnx("Certificate must not have any property"); | | 172 | warnx("Certificate must not have any property"); |
172 | goto cleanup; | | 173 | goto cleanup; |
173 | } | | 174 | } |
| @@ -228,30 +229,32 @@ easy_pkcs7_sign(const char *content, siz | | | @@ -228,30 +229,32 @@ easy_pkcs7_sign(const char *content, siz |
228 | status = -1; | | 229 | status = -1; |
229 | private_key = NULL; | | 230 | private_key = NULL; |
230 | cert_chain = NULL; | | 231 | cert_chain = NULL; |
231 | in = NULL; | | 232 | in = NULL; |
232 | | | 233 | |
233 | c = file_to_certs(cert_file); | | 234 | c = file_to_certs(cert_file); |
234 | | | 235 | |
235 | if (sk_X509_num(c) != 1) { | | 236 | if (sk_X509_num(c) != 1) { |
236 | warnx("More then one certificate in the certificate file"); | | 237 | warnx("More then one certificate in the certificate file"); |
237 | goto cleanup; | | 238 | goto cleanup; |
238 | } | | 239 | } |
239 | certificate = sk_X509_value(c, 0); | | 240 | certificate = sk_X509_value(c, 0); |
240 | | | 241 | |
241 | if (certificate->ex_flags & EXFLAG_CA) { | | 242 | /* Check CA state and update ex_xkusage as side effect */ |
| | | 243 | if (X509_check_ca(certificate)) { |
242 | warnx("CA keys are not valid for signatures"); | | 244 | warnx("CA keys are not valid for signatures"); |
243 | goto cleanup; | | 245 | goto cleanup; |
244 | } | | 246 | } |
| | | 247 | |
245 | if (certificate->ex_xkusage != XKU_CODE_SIGN) { | | 248 | if (certificate->ex_xkusage != XKU_CODE_SIGN) { |
246 | warnx("Certificate must have CODE SIGNING property"); | | 249 | warnx("Certificate must have CODE SIGNING property"); |
247 | goto cleanup; | | 250 | goto cleanup; |
248 | } | | 251 | } |
249 | | | 252 | |
250 | if (cert_chain_file) | | 253 | if (cert_chain_file) |
251 | cert_chain = file_to_certs(cert_chain_file); | | 254 | cert_chain = file_to_certs(cert_chain_file); |
252 | | | 255 | |
253 | if ((f = fopen(key_file, "r")) == NULL) { | | 256 | if ((f = fopen(key_file, "r")) == NULL) { |
254 | warn("Failed to open private key file %s", key_file); | | 257 | warn("Failed to open private key file %s", key_file); |
255 | goto cleanup; | | 258 | goto cleanup; |
256 | } | | 259 | } |
257 | private_key = PEM_read_PrivateKey(f, NULL, ssl_pass_cb, NULL); | | 260 | private_key = PEM_read_PrivateKey(f, NULL, ssl_pass_cb, NULL); |
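Review bot: The `ex_xkusage` reads in easy_pkcs7_verify (new lines 166 and 171) and easy_pkcs7_sign (new line 248) are only meaningful because `X509_check_ca()` populated the certificate's extension cache just before them. In the non-package branch an unpopulated cache reads as 0 and passes the `!= 0` test, so that check would fail open if the CA test were ever moved or removed. I would make the dependency explicit instead of relying on a side effect, for example `X509_check_purpose(cert, -1, 0); /* force extension caching before reading ex_flags/ex_xkusage */` ahead of both tests, with `cert` a local holding `sk_X509_value(signers, i)`. As far as I know, `X509_check_ca()` also returns non-zero for cases other than basicConstraints CA:TRUE (such as self-signed v1 certificates), so this is stricter than the old `EXFLAG_CA` test and the comment should say whether that is intended. Both functions begin and end outside the visible hunks, so whether the signer certificates are chain-validated before this loop cannot be confirmed from here.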