hx509: Fix unauthorized feature accounting
@@ -48,7 +48,6 @@ struct hx509_request_data {
|
|||||||
struct abitstring_s authorized_EKUs;
|
struct abitstring_s authorized_EKUs;
|
||||||
struct abitstring_s authorized_SANs;
|
struct abitstring_s authorized_SANs;
|
||||||
uint32_t nunsupported; /* Count of unsupported features requested */
|
uint32_t nunsupported; /* Count of unsupported features requested */
|
||||||
uint32_t nrequested; /* Count of supported features requested */
|
|
||||||
uint32_t nauthorized; /* Count of supported features authorized */
|
uint32_t nauthorized; /* Count of supported features authorized */
|
||||||
uint32_t ku_are_authorized:1;
|
uint32_t ku_are_authorized:1;
|
||||||
};
|
};
|
||||||
@@ -202,18 +201,11 @@ hx509_request_get_SubjectPublicKeyInfo(hx509_context context,
|
|||||||
HX509_LIB_FUNCTION int HX509_LIB_CALL
|
HX509_LIB_FUNCTION int HX509_LIB_CALL
|
||||||
hx509_request_set_ku(hx509_context context, hx509_request req, KeyUsage ku)
|
hx509_request_set_ku(hx509_context context, hx509_request req, KeyUsage ku)
|
||||||
{
|
{
|
||||||
KeyUsage oldku = req->ku;
|
|
||||||
uint64_t n = KeyUsage2int(ku);
|
uint64_t n = KeyUsage2int(ku);
|
||||||
|
|
||||||
if ((KeyUsage2int(req->ku) & n) != n) {
|
if ((KeyUsage2int(req->ku) & n) != n)
|
||||||
req->ku_are_authorized = 0;
|
req->ku_are_authorized = 0;
|
||||||
}
|
|
||||||
req->ku = ku;
|
req->ku = ku;
|
||||||
|
|
||||||
if (KeyUsage2int(oldku) == 0 && n != 0)
|
|
||||||
req->nrequested++;
|
|
||||||
if (KeyUsage2int(oldku) && KeyUsage2int(req->ku) == 0)
|
|
||||||
req->nrequested--;
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -286,12 +278,7 @@ hx509_request_add_GeneralName(hx509_context context,
|
|||||||
hx509_request req,
|
hx509_request req,
|
||||||
const GeneralName *gn)
|
const GeneralName *gn)
|
||||||
{
|
{
|
||||||
int ret;
|
return add_GeneralNames(&req->san, gn);
|
||||||
|
|
||||||
ret = add_GeneralNames(&req->san, gn);
|
|
||||||
if (ret == 0)
|
|
||||||
req->nrequested++;
|
|
||||||
return ret;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
@@ -340,13 +327,8 @@ hx509_request_add_xmpp_name(hx509_context context,
|
|||||||
hx509_request req,
|
hx509_request req,
|
||||||
const char *jid)
|
const char *jid)
|
||||||
{
|
{
|
||||||
int ret;
|
return add_utf8_other_san(context, &req->san,
|
||||||
|
&asn1_oid_id_pkix_on_xmppAddr, jid);
|
||||||
ret = add_utf8_other_san(context, &req->san, &asn1_oid_id_pkix_on_xmppAddr,
|
|
||||||
jid);
|
|
||||||
if (ret == 0)
|
|
||||||
req->nrequested++;
|
|
||||||
return ret;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -365,13 +347,8 @@ hx509_request_add_ms_upn_name(hx509_context context,
|
|||||||
hx509_request req,
|
hx509_request req,
|
||||||
const char *upn)
|
const char *upn)
|
||||||
{
|
{
|
||||||
int ret;
|
return add_utf8_other_san(context, &req->san, &asn1_oid_id_pkinit_ms_san,
|
||||||
|
|
||||||
ret = add_utf8_other_san(context, &req->san, &asn1_oid_id_pkinit_ms_san,
|
|
||||||
upn);
|
upn);
|
||||||
if (ret == 0)
|
|
||||||
req->nrequested++;
|
|
||||||
return ret;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -391,17 +368,13 @@ hx509_request_add_dns_name(hx509_context context,
|
|||||||
const char *hostname)
|
const char *hostname)
|
||||||
{
|
{
|
||||||
GeneralName name;
|
GeneralName name;
|
||||||
int ret;
|
|
||||||
|
|
||||||
memset(&name, 0, sizeof(name));
|
memset(&name, 0, sizeof(name));
|
||||||
name.element = choice_GeneralName_dNSName;
|
name.element = choice_GeneralName_dNSName;
|
||||||
name.u.dNSName.data = rk_UNCONST(hostname);
|
name.u.dNSName.data = rk_UNCONST(hostname);
|
||||||
name.u.dNSName.length = strlen(hostname);
|
name.u.dNSName.length = strlen(hostname);
|
||||||
|
|
||||||
ret = add_GeneralNames(&req->san, &name);
|
return add_GeneralNames(&req->san, &name);
|
||||||
if (ret == 0)
|
|
||||||
req->nrequested++;
|
|
||||||
return ret;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -421,17 +394,13 @@ hx509_request_add_email(hx509_context context,
|
|||||||
const char *email)
|
const char *email)
|
||||||
{
|
{
|
||||||
GeneralName name;
|
GeneralName name;
|
||||||
int ret;
|
|
||||||
|
|
||||||
memset(&name, 0, sizeof(name));
|
memset(&name, 0, sizeof(name));
|
||||||
name.element = choice_GeneralName_rfc822Name;
|
name.element = choice_GeneralName_rfc822Name;
|
||||||
name.u.rfc822Name.data = rk_UNCONST(email);
|
name.u.rfc822Name.data = rk_UNCONST(email);
|
||||||
name.u.rfc822Name.length = strlen(email);
|
name.u.rfc822Name.length = strlen(email);
|
||||||
|
|
||||||
ret = add_GeneralNames(&req->san, &name);
|
return add_GeneralNames(&req->san, &name);
|
||||||
if (ret == 0)
|
|
||||||
req->nrequested++;
|
|
||||||
return ret;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -460,8 +429,6 @@ hx509_request_add_registered(hx509_context context,
|
|||||||
return ret;
|
return ret;
|
||||||
ret = add_GeneralNames(&req->san, &name);
|
ret = add_GeneralNames(&req->san, &name);
|
||||||
free_GeneralName(&name);
|
free_GeneralName(&name);
|
||||||
if (ret == 0)
|
|
||||||
req->nrequested++;
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -498,8 +465,6 @@ hx509_request_add_pkinit(hx509_context context,
|
|||||||
if (ret == 0)
|
if (ret == 0)
|
||||||
ret = add_GeneralNames(&req->san, &gn);
|
ret = add_GeneralNames(&req->san, &gn);
|
||||||
free_GeneralName(&gn);
|
free_GeneralName(&gn);
|
||||||
if (ret == 0)
|
|
||||||
req->nrequested++;
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -854,7 +819,6 @@ hx509_request_parse_der(hx509_context context,
|
|||||||
*/
|
*/
|
||||||
if (KeyUsage2int((*req)->ku) & ~KeyUsage2int(int2KeyUsage(~0)))
|
if (KeyUsage2int((*req)->ku) & ~KeyUsage2int(int2KeyUsage(~0)))
|
||||||
(*req)->nunsupported++;
|
(*req)->nunsupported++;
|
||||||
(*req)->nrequested++;
|
|
||||||
} else if (der_heim_oid_cmp(&e->extnID,
|
} else if (der_heim_oid_cmp(&e->extnID,
|
||||||
&asn1_oid_id_x509_ce_extKeyUsage) == 0) {
|
&asn1_oid_id_x509_ce_extKeyUsage) == 0) {
|
||||||
ret = decode_ExtKeyUsage(e->extnValue.data, e->extnValue.length,
|
ret = decode_ExtKeyUsage(e->extnValue.data, e->extnValue.length,
|
||||||
@@ -865,7 +829,6 @@ hx509_request_parse_der(hx509_context context,
|
|||||||
* Count each EKU as a separate requested extension to be
|
* Count each EKU as a separate requested extension to be
|
||||||
* authorized.
|
* authorized.
|
||||||
*/
|
*/
|
||||||
(*req)->nrequested += (*req)->eku.len;
|
|
||||||
} else if (der_heim_oid_cmp(&e->extnID,
|
} else if (der_heim_oid_cmp(&e->extnID,
|
||||||
&asn1_oid_id_x509_ce_subjectAltName) == 0) {
|
&asn1_oid_id_x509_ce_subjectAltName) == 0) {
|
||||||
ret = decode_GeneralNames(e->extnValue.data, e->extnValue.length,
|
ret = decode_GeneralNames(e->extnValue.data, e->extnValue.length,
|
||||||
@@ -876,7 +839,6 @@ hx509_request_parse_der(hx509_context context,
|
|||||||
* Count each SAN as a separate requested extension to be
|
* Count each SAN as a separate requested extension to be
|
||||||
* authorized.
|
* authorized.
|
||||||
*/
|
*/
|
||||||
(*req)->nrequested += (*req)->san.len;
|
|
||||||
} else {
|
} else {
|
||||||
char *oidstr = NULL;
|
char *oidstr = NULL;
|
||||||
|
|
||||||
@@ -1218,7 +1180,10 @@ hx509_request_count_unsupported(hx509_request req)
|
|||||||
HX509_LIB_FUNCTION size_t HX509_LIB_CALL
|
HX509_LIB_FUNCTION size_t HX509_LIB_CALL
|
||||||
hx509_request_count_unauthorized(hx509_request req)
|
hx509_request_count_unauthorized(hx509_request req)
|
||||||
{
|
{
|
||||||
return req->nrequested - (req->nauthorized + req->ku_are_authorized);
|
size_t nrequested = req->eku.len + req->san.len +
|
||||||
|
(KeyUsage2int(req->ku) ? 1 : 0) + req->nunsupported;
|
||||||
|
|
||||||
|
return nrequested - (req->nauthorized + req->ku_are_authorized);
|
||||||
}
|
}
|
||||||
|
|
||||||
static hx509_san_type
|
static hx509_san_type
|
||||||
|
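Review bot: In hx509_request_count_unauthorized, the new total counts the KeyUsage term only when `KeyUsage2int(req->ku)` is non-zero, yet `req->ku_are_authorized` is still subtracted unconditionally. The rewritten hx509_request_set_ku does not clear that flag when the KeyUsage is replaced by an empty one, because with `n == 0` the test `(KeyUsage2int(req->ku) & n) != n` is false. In that state one unauthorized SAN or EKU would be cancelled by the stale flag and the function would report zero unauthorized features; with nothing else requested, the unsigned subtraction wraps instead. Whether any caller empties the KeyUsage after authorization is not visible in these hunks, but the count presumably gates issuance, so I would subtract the flag only when a KeyUsage is present: `return nrequested - (req->nauthorized + (KeyUsage2int(req->ku) ? req->ku_are_authorized : 0));`. Alternatively, clear it in set_ku with `if (n == 0 || (KeyUsage2int(req->ku) & n) != n) req->ku_are_authorized = 0;`.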