(hx509_verify_path): handle the case where there are two proxy certs
in a chain. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17274 ec53bebd-3082-4978-b11e-865c3cabbd6b
@@ -1325,20 +1325,32 @@ hx509_verify_path(hx509_context context,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* XXX need to mangle name to remove the CN of the
|
|
||||||
* subject, copying issuer only works for one level
|
|
||||||
* but is better then doing no checking at all.
|
|
||||||
*
|
|
||||||
* The subject name of the proxy certificate should be
|
* The subject name of the proxy certificate should be
|
||||||
* CN=XXX,<proxy issuer>
|
* CN=XXX,<proxy issuer>, prune of CN and check if its
|
||||||
|
* the same over the whole chain of proxy certs and
|
||||||
|
* then check with the EE cert when we get to it.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
ret = copy_Name(&c->tbsCertificate.issuer, &name);
|
ret = copy_Name(&c->tbsCertificate.subject, &name);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
free_ProxyCertInfo(&info);
|
free_ProxyCertInfo(&info);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
j = name.u.rdnSequence.len;
|
||||||
|
if (name.u.rdnSequence.len < 2
|
||||||
|
|| name.u.rdnSequence.val[j - 1].len > 1
|
||||||
|
|| heim_oid_cmp(&name.u.rdnSequence.val[j - 1].val[0].type,
|
||||||
|
oid_id_at_commonName()))
|
||||||
|
{
|
||||||
|
free_ProxyCertInfo(&info);
|
||||||
|
ret = HX509_PROXY_CERT_NAME_WRONG;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
free_RelativeDistinguishedName(&name.u.rdnSequence.val[j - 1]);
|
||||||
|
name.u.rdnSequence.len -= 1;
|
||||||
|
|
||||||
if (proxy_cert_depth) {
|
if (proxy_cert_depth) {
|
||||||
ret = _hx509_name_cmp(&proxy_issuer, &name);
|
ret = _hx509_name_cmp(&proxy_issuer, &name);
|
||||||
free_Name(&name);
|
free_Name(&name);
|
||||||
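Review bot: The pruned-subject comparison at `ret = _hx509_name_cmp(&proxy_issuer, &name);` requires every proxy certificate in the chain to share the same base name once its trailing CN is removed, if `proxy_issuer` holds the pruned name of the previously processed proxy certificate (that assignment sits in the part of hx509_verify_path the hunk cuts out, so this is inferred). RFC 3820 §3.4 instead requires each proxy subject to be its issuer's subject with exactly one CN appended, so in a conformant two-level chain the pruned names differ by one CN and this check would reject it, while a chain whose proxies merely share a base name would pass. Comparing the pruned subject with the certificate's own issuer, `ret = _hx509_name_cmp(&c->tbsCertificate.issuer, &name);`, ties the check to the RFC rule at every depth, assuming path construction has already matched each issuer to its parent's subject. The pruning itself looks sound: the `len < 2`, single-attribute RDN and CN-OID tests all run before `val[j - 1]` is freed, and the later `free_Name` releases the shortened sequence. hx509_verify_path starts and ends outside the hunk.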
@@ -1354,10 +1366,30 @@ hx509_verify_path(hx509_context context,
|
|||||||
free_ProxyCertInfo(&info);
|
free_ProxyCertInfo(&info);
|
||||||
break;
|
break;
|
||||||
} else {
|
} else {
|
||||||
|
/*
|
||||||
|
* Now we are done with the proxy certificates, if
|
||||||
|
* there where any proxy certificates
|
||||||
|
* (proxy_cert_depth > 0), check that the proxy issuer
|
||||||
|
* matched proxy certificates subject.
|
||||||
|
*/
|
||||||
if (proxy_cert_depth) {
|
if (proxy_cert_depth) {
|
||||||
ret = _hx509_name_cmp(&proxy_issuer,
|
ret = _hx509_name_cmp(&proxy_issuer,
|
||||||
&c->tbsCertificate.subject);
|
&c->tbsCertificate.subject);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
|
char *str;
|
||||||
|
ret = hx509_name_to_string(&proxy_issuer, &str);
|
||||||
|
if (ret)
|
||||||
|
abort();
|
||||||
|
printf("name: %s\n", str);
|
||||||
|
free(str);
|
||||||
|
|
||||||
|
ret = hx509_name_to_string(&c->tbsCertificate.subject, &str);
|
||||||
|
if (ret)
|
||||||
|
abort();
|
||||||
|
printf("subject: %s\n", str);
|
||||||
|
free(str);
|
||||||
|
|
||||||
|
printf("name wrong3\n");
|
||||||
ret = HX509_PROXY_CERT_NAME_WRONG;
|
ret = HX509_PROXY_CERT_NAME_WRONG;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
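Review bot: The mismatch branch added after `ret = _hx509_name_cmp(&proxy_issuer, &c->tbsCertificate.subject);` prints both distinguished names and `name wrong3` to stdout and calls `abort()` when `hx509_name_to_string` fails, which reads as debugging output left in library code: a caller verifying an untrusted chain gets certificate names written to its stdout, and a failure to stringify the diagnostic (most likely an allocation failure) terminates the whole process instead of returning an error. The branch should reduce to `ret = HX509_PROXY_CERT_NAME_WRONG; goto out;`, with the two names reported through the context's error-reporting mechanism if this revision has one, rather than printed. The same applies to the `printf`/`abort` pair for the subject name a few lines below. hx509_verify_path starts and ends outside the hunk.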
|