krb5 commit: Remove include_certchain parameter in PKINIT
ghudson at mit.edu
ghudson at mit.edu
Wed Jul 20 21:53:27 EDT 2022
https://github.com/krb5/krb5/commit/6c2ee5a89cdaa0afb08d30c9f9873fbd00dbf57c
commit 6c2ee5a89cdaa0afb08d30c9f9873fbd00dbf57c
Author: Greg Hudson <ghudson at mit.edu>
Date: Tue Jul 12 19:15:29 2022 -0400
Remove include_certchain parameter in PKINIT
Every caller of cms_signeddata_create() and cms_envelopeddata_create()
passes 1 for include_certchain. Remove the parameter and
unconditionally add the certificate chain.
src/plugins/preauth/pkinit/pkinit_clnt.c | 2 +-
src/plugins/preauth/pkinit/pkinit_crypto.h | 6 --
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 79 ++++++++++------------
src/plugins/preauth/pkinit/pkinit_srv.c | 4 +-
4 files changed, 40 insertions(+), 51 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 8c4d81bbc..725d5bc43 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -270,7 +270,7 @@ pkinit_as_req_create(krb5_context context,
} else {
retval = cms_signeddata_create(context, plgctx->cryptoctx,
reqctx->cryptoctx, reqctx->idctx,
- CMS_SIGN_CLIENT, 1,
+ CMS_SIGN_CLIENT,
(unsigned char *)
coded_auth_pack->data,
coded_auth_pack->length,
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
index 5ecc86dab..e22798f66 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
@@ -132,9 +132,6 @@ krb5_error_code cms_signeddata_create
int cms_msg_type, /* IN
specifies CMS_SIGN_CLIENT for client-side CMS message
and CMS_SIGN_SERVER for kdc-side */
- int include_certchain, /* IN
- specifies where certificates field in SignedData
- should contain certificate path */
unsigned char *auth_pack, /* IN
contains DER encoded AuthPack (CMS_SIGN_CLIENT)
or DER encoded DHRepInfo (CMS_SIGN_SERVER) */
@@ -192,9 +189,6 @@ krb5_error_code cms_envelopeddata_create
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
krb5_preauthtype pa_type, /* IN */
- int include_certchain, /* IN
- specifies whether the certificates field in
- SignedData should contain certificate path */
unsigned char *key_pack, /* IN
contains DER encoded ReplyKeyPack */
unsigned int key_pack_len, /* IN
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 3024973f3..5c7461170 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1504,7 +1504,6 @@ cms_signeddata_create(krb5_context context,
pkinit_req_crypto_context req_cryptoctx,
pkinit_identity_crypto_context id_cryptoctx,
int cms_msg_type,
- int include_certchain,
unsigned char *data,
unsigned int data_len,
unsigned char **signed_data,
@@ -1549,49 +1548,46 @@ cms_signeddata_create(krb5_context context,
goto cleanup;
if (id_cryptoctx->my_certs != NULL) {
- /* create a cert chain that has at least the signer's certificate */
+ X509_STORE *certstore = NULL;
+ X509_STORE_CTX *certctx;
+ STACK_OF(X509) *certstack = NULL;
+ char buf[DN_BUF_LEN];
+ unsigned int i = 0, size = 0;
+
+ /* create a cert chain */
if ((cert_stack = sk_X509_new_null()) == NULL)
goto cleanup;
cert = sk_X509_value(id_cryptoctx->my_certs, id_cryptoctx->cert_index);
- if (!include_certchain) {
- pkiDebug("only including signer's certificate\n");
- sk_X509_push(cert_stack, X509_dup(cert));
- } else {
- /* create a cert chain */
- X509_STORE *certstore = NULL;
- X509_STORE_CTX *certctx;
- STACK_OF(X509) *certstack = NULL;
- char buf[DN_BUF_LEN];
- unsigned int i = 0, size = 0;
-
- if ((certstore = X509_STORE_new()) == NULL)
- goto cleanup;
- pkiDebug("building certificate chain\n");
- X509_STORE_set_verify_cb(certstore, openssl_callback);
- certctx = X509_STORE_CTX_new();
- if (certctx == NULL)
- goto cleanup;
- X509_STORE_CTX_init(certctx, certstore, cert,
- id_cryptoctx->intermediateCAs);
- X509_STORE_CTX_trusted_stack(certctx, id_cryptoctx->trustedCAs);
- if (!X509_verify_cert(certctx)) {
- retval = oerr_cert(context, 0, certctx,
- _("Failed to verify own certificate"));
- goto cleanup;
- }
- certstack = X509_STORE_CTX_get1_chain(certctx);
- size = sk_X509_num(certstack);
- for(i = 0; i < size - 1; i++) {
- X509 *x = sk_X509_value(certstack, i);
- X509_NAME_oneline(X509_get_subject_name(x), buf, sizeof(buf));
- TRACE_PKINIT_CERT_CHAIN_NAME(context, (int)i, buf);
- sk_X509_push(cert_stack, X509_dup(x));
- }
- X509_STORE_CTX_free(certctx);
- X509_STORE_free(certstore);
- sk_X509_pop_free(certstack, X509_free);
+
+ certstore = X509_STORE_new();
+ if (certstore == NULL)
+ goto cleanup;
+ pkiDebug("building certificate chain\n");
+ X509_STORE_set_verify_cb(certstore, openssl_callback);
+ certctx = X509_STORE_CTX_new();
+ if (certctx == NULL)
+ goto cleanup;
+ X509_STORE_CTX_init(certctx, certstore, cert,
+ id_cryptoctx->intermediateCAs);
+ X509_STORE_CTX_trusted_stack(certctx, id_cryptoctx->trustedCAs);
+ if (!X509_verify_cert(certctx)) {
+ retval = oerr_cert(context, 0, certctx,
+ _("Failed to verify own certificate"));
+ goto cleanup;
+ }
+ certstack = X509_STORE_CTX_get1_chain(certctx);
+ size = sk_X509_num(certstack);
+ for (i = 0; i < size - 1; i++) {
+ X509 *x = sk_X509_value(certstack, i);
+ X509_NAME_oneline(X509_get_subject_name(x), buf, sizeof(buf));
+ TRACE_PKINIT_CERT_CHAIN_NAME(context, (int)i, buf);
+ sk_X509_push(cert_stack, X509_dup(x));
}
+ X509_STORE_CTX_free(certctx);
+ X509_STORE_free(certstore);
+ sk_X509_pop_free(certstack, X509_free);
+
p7s->cert = cert_stack;
/* fill-in PKCS7_SIGNER_INFO */
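Review bot: The two error exits inside the new chain-building block still leak the OpenSSL objects created just before them: at `if (certctx == NULL) goto cleanup;` the freshly allocated `certstore` is dropped, and at the `X509_verify_cert` failure both `certctx` and `certstore` are dropped, since they are block-local and cannot be reached from the function's cleanup label (which lies outside this hunk). The same block also assumes `X509_STORE_CTX_get1_chain` succeeds; if it returns NULL, `sk_X509_num` yields -1, `size` wraps to UINT_MAX and the loop dereferences a NULL chain element. Freeing the local objects before each `goto cleanup` and rejecting a NULL `certstack` keeps the fix self-contained; alternatively these locals could be hoisted to function scope and released in the common cleanup path, which I cannot verify from this hunk.
```c
    certctx = X509_STORE_CTX_new();
    if (certctx == NULL) {
        X509_STORE_free(certstore);
        goto cleanup;
    }
    /* … unchanged: X509_STORE_CTX_init / X509_STORE_CTX_trusted_stack … */
    if (!X509_verify_cert(certctx)) {
        retval = oerr_cert(context, 0, certctx,
                           _("Failed to verify own certificate"));
        X509_STORE_CTX_free(certctx);
        X509_STORE_free(certstore);
        goto cleanup;
    }
    certstack = X509_STORE_CTX_get1_chain(certctx);
    if (certstack == NULL) {
        X509_STORE_CTX_free(certctx);
        X509_STORE_free(certstore);
        goto cleanup;
    }
    /* … unchanged: chain copy loop and the three frees … */
```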
@@ -2175,7 +2171,6 @@ cms_envelopeddata_create(krb5_context context,
pkinit_req_crypto_context reqctx,
pkinit_identity_crypto_context idctx,
krb5_preauthtype pa_type,
- int include_certchain,
unsigned char *key_pack,
unsigned int key_pack_len,
unsigned char **out,
@@ -2191,8 +2186,8 @@ cms_envelopeddata_create(krb5_context context,
const EVP_CIPHER *cipher = NULL;
retval = cms_signeddata_create(context, plgctx, reqctx, idctx,
- CMS_ENVEL_SERVER, include_certchain,
- key_pack, key_pack_len, &signed_data,
+ CMS_ENVEL_SERVER, key_pack, key_pack_len,
+ &signed_data,
(unsigned int *)&signed_data_len);
if (retval) {
pkiDebug("failed to create pkcs7 signed data\n");
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 865c543c4..0ac9ca065 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -863,7 +863,7 @@ pkinit_server_return_padata(krb5_context context,
retval = cms_signeddata_create(context, plgctx->cryptoctx,
reqctx->cryptoctx, plgctx->idctx,
- CMS_SIGN_SERVER, 1,
+ CMS_SIGN_SERVER,
(unsigned char *)
encoded_dhkey_info->data,
encoded_dhkey_info->length,
@@ -917,7 +917,7 @@ pkinit_server_return_padata(krb5_context context,
rep->choice = choice_pa_pk_as_rep_encKeyPack;
retval = cms_envelopeddata_create(context, plgctx->cryptoctx,
reqctx->cryptoctx, plgctx->idctx,
- padata->pa_type, 1,
+ padata->pa_type,
(unsigned char *)
encoded_key_pack->data,
encoded_key_pack->length,