krb5 commit: Simplify pkcs7_dataDecode() in PKINIT
Greg Hudson
ghudson at mit.edu
Wed Jul 20 11:26:12 EDT 2016
https://github.com/krb5/krb5/commit/ddc70a62dcb4f31c16593d9909838cd3ca84c887
commit ddc70a62dcb4f31c16593d9909838cd3ca84c887
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu Jun 16 13:54:01 2016 -0400
Simplify pkcs7_dataDecode() in PKINIT
RFC 4556 requires that the EnvelopedData in the encKeyPack contain
only one RecipientInfo. Take advantage of this constraint to simplify
pkcs7_dataDecode().
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 79 ++++----------------
1 files changed, 14 insertions(+), 65 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index d5e2769..be93611 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -5814,7 +5814,6 @@ pkcs7_dataDecode(krb5_context context,
pkinit_identity_crypto_context id_cryptoctx,
PKCS7 *p7)
{
- int i = 0;
unsigned int jj = 0, tmp_len = 0;
BIO *out=NULL,*etmp=NULL,*bio=NULL;
unsigned char *tmp=NULL;
@@ -5824,8 +5823,6 @@ pkcs7_dataDecode(krb5_context context,
X509_ALGOR *enc_alg=NULL;
STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
PKCS7_RECIP_INFO *ri=NULL;
- X509 *cert = sk_X509_value(id_cryptoctx->my_certs,
- id_cryptoctx->cert_index);
p7->state=PKCS7_S_HEADER;
@@ -5846,71 +5843,23 @@ pkcs7_dataDecode(krb5_context context,
/* It was encrypted, we need to decrypt the secret key
* with the private key */
- /* Find the recipientInfo which matches the passed certificate
- * (if any)
- */
-
- if (cert) {
- for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++) {
- int tmp_ret = 0;
- ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
- tmp_ret = X509_NAME_cmp(ri->issuer_and_serial->issuer,
- cert->cert_info->issuer);
- if (!tmp_ret) {
- tmp_ret = M_ASN1_INTEGER_cmp(cert->cert_info->serialNumber,
- ri->issuer_and_serial->serial);
- if (!tmp_ret)
- break;
- }
- ri=NULL;
- }
- if (ri == NULL) {
- PKCS7err(PKCS7_F_PKCS7_DATADECODE,
- PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE);
- goto cleanup;
- }
-
+ /* RFC 4556 section 3.2.3.2 requires that there be exactly one
+ * recipientInfo. */
+ if (sk_PKCS7_RECIP_INFO_num(rsk) != 1) {
+ pkiDebug("invalid number of EnvelopedData RecipientInfos\n");
+ goto cleanup;
}
- /* If we haven't got a certificate try each ri in turn */
-
- if (cert == NULL) {
- for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++) {
- ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
- jj = pkinit_decode_data(context, id_cryptoctx,
- M_ASN1_STRING_data(ri->enc_key),
- (unsigned int) M_ASN1_STRING_length(ri->enc_key),
- &tmp, &tmp_len);
- if (jj) {
- PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_EVP_LIB);
- goto cleanup;
- }
-
- if (!jj && tmp_len > 0) {
- jj = tmp_len;
- break;
- }
-
- ERR_clear_error();
- ri = NULL;
- }
-
- if (ri == NULL) {
- PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_RECIPIENT_MATCHES_KEY);
- goto cleanup;
- }
- }
- else {
- jj = pkinit_decode_data(context, id_cryptoctx,
- M_ASN1_STRING_data(ri->enc_key),
- (unsigned int) M_ASN1_STRING_length(ri->enc_key),
- &tmp, &tmp_len);
- if (jj || tmp_len <= 0) {
- PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_EVP_LIB);
- goto cleanup;
- }
- jj = tmp_len;
+ ri = sk_PKCS7_RECIP_INFO_value(rsk, 0);
+ jj = pkinit_decode_data(context, id_cryptoctx,
+ M_ASN1_STRING_data(ri->enc_key),
+ (unsigned int)M_ASN1_STRING_length(ri->enc_key),
+ &tmp, &tmp_len);
+ if (jj || tmp_len <= 0) {
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_EVP_LIB);
+ goto cleanup;
}
+ jj = tmp_len;
evp_ctx=NULL;
BIO_get_cipher_ctx(etmp,&evp_ctx);
More information about the cvs-krb5
mailing list