[krb5] - fix reading of keyUsage extensions when attempting to select pkinit client certs (part of #629022,
Nalin Dahyabhai
nalin at fedoraproject.org
Thu Sep 16 23:33:15 UTC 2010
commit 3fe7ccdb9298e5b6f9fa9dc25bef21c0715ece21
Author: Nalin Dahyabhai <nalin at redhat.com>
Date: Thu Sep 16 19:31:54 2010 -0400
- fix reading of keyUsage extensions when attempting to select pkinit client certs (part of #629022, RT#6775)
krb5-trunk-key_usage.patch | 25 +++++++++++++++++++++++++
1 files changed, 25 insertions(+), 0 deletions(-)
---
diff --git a/krb5-trunk-key_usage.patch b/krb5-trunk-key_usage.patch
new file mode 100644
index 0000000..f45db69
--- /dev/null
+++ b/krb5-trunk-key_usage.patch
@@ -0,0 +1,25 @@
+Reading the NID_key_usage extension doesn't ensure that the ex_flags and
+ex_kusage fields that the ku_reject() macro checks. It'd probably be
+better to check the usage string directly, but calling X509_check_ca()
+makes the right things happen. RT#6775, part of #629022.
+
+Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+===================================================================
+--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24312)
++++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24313)
+@@ -2005,6 +2005,7 @@
+ pkiDebug("%s: found acceptable EKU, checking for digitalSignature\n", __FUNCTION__);
+
+ /* check that digitalSignature KeyUsage is present */
++ X509_check_ca(reqctx->received_cert);
+ if ((usage = X509_get_ext_d2i(reqctx->received_cert,
+ NID_key_usage, NULL, NULL))) {
+
+@@ -4551,6 +4552,7 @@
+ }
+
+ /* Make sure usage exists before checking bits */
++ X509_check_ca(x);
+ usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL);
+ if (usage) {
+ if (!ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
More information about the scm-commits
mailing list