Package: sbsigntool / 0.6-3.2

update-openssl-api-usage-to-support-openssl-1.1.patch Patch series | download
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 26 Jun 2016 22:04:29 +0200
Description: Update OpenSSL API usage to support OpenSSL 1.1
 Most structure definitions in OpenSSL are now opaque and we must call
 the appropriate accessor functions to get information from them.
 Not all the accessors are available in older versions, so define the
 missing accessors as macros.
 .
 The X509_retrieve_match() function is no longer usable, as we cannot
 initialise an X509_OBJECT ourselves.  Instead, iterate over the
 certificate store and use X509_OBJECT_get_type and X509_cmp to
 compare certificates.

--- a/src/sbverify.c
+++ b/src/sbverify.c
@@ -55,6 +55,14 @@
 #include <openssl/pem.h>
 #include <openssl/x509v3.h>
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
+#define X509_OBJECT_get_type(obj) ((obj)->type)
+#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
+#define X509_STORE_get0_objects(certs) ((certs)->objs)
+#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
+#endif
+
 static const char *toolname = "sbverify";
 static const int cert_name_len = 160;
 
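Review bot: The compatibility block defines five accessors for pre-1.1 OpenSSL but not `X509_STORE_CTX_get0_store`, which the rewritten `cert_in_store` later in this patch (the `@@ -182,12 +196,21 @@` hunk) now calls; as far as I recall that accessor first appeared in 1.0.2, so if the package is still meant to build against 1.0.1 headers the block needs a sixth line, `#define X509_STORE_CTX_get0_store(ctx) ((ctx)->ctx)`, and it is worth confirming the minimum supported version either way. Separately, the `X509_get_extended_key_usage` macro reads `ex_xkusage` directly, which is only meaningful once the certificate's extensions have been cached, whereas the real 1.1 accessor appears to trigger that caching itself; the one caller here runs inside the verify callback after the purpose check, so it holds in practice, but a comment such as `/* only valid after X509_check_purpose() has cached the extensions */` on that macro would keep a future caller from relying on it elsewhere.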
@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *
 
 	for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
 		cert = sk_X509_value(p7->d.sign->cert, i);
-		X509_NAME_oneline(cert->cert_info->subject,
+		X509_NAME_oneline(X509_get_subject_name(cert),
 				subject_name, cert_name_len);
-		X509_NAME_oneline(cert->cert_info->issuer,
+		X509_NAME_oneline(X509_get_issuer_name(cert),
 				issuer_name, cert_name_len);
 
 		printf(" - subject: %s\n", subject_name);
@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *
 static void print_certificate_store_certs(X509_STORE *certs)
 {
 	char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
+	STACK_OF(X509_OBJECT) *objs;
 	X509_OBJECT *obj;
+	X509 *cert;
 	int i;
 
 	printf("certificate store:\n");
 
-	for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
-		obj = sk_X509_OBJECT_value(certs->objs, i);
+	objs = X509_STORE_get0_objects(certs);
+
+	for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+		obj = sk_X509_OBJECT_value(objs, i);
 
-		if (obj->type != X509_LU_X509)
+		if (X509_OBJECT_get_type(obj) != X509_LU_X509)
 			continue;
 
-		X509_NAME_oneline(obj->data.x509->cert_info->subject,
+		cert = X509_OBJECT_get0_X509(obj);
+
+		X509_NAME_oneline(X509_get_subject_name(cert),
 				subject_name, cert_name_len);
-		X509_NAME_oneline(obj->data.x509->cert_info->issuer,
+		X509_NAME_oneline(X509_get_issuer_name(cert),
 				issuer_name, cert_name_len);
 
 		printf(" - subject: %s\n", subject_name);
@@ -182,12 +196,21 @@ static int load_detached_signature_data(
 
 static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
 {
-	X509_OBJECT obj;
+	STACK_OF(X509_OBJECT) *objs;
+	X509_OBJECT *obj;
+	int i;
+
+	objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
 
-	obj.type = X509_LU_X509;
-	obj.data.x509 = cert;
+	for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+		obj = sk_X509_OBJECT_value(objs, i);
 
-	return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
+		if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
+		    !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
+			return 1;
+	}
+
+	return 0;
 }
 
 static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
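Review bot: The new loop in `cert_in_store` changes the matching semantics from `X509_OBJECT_retrieve_match` to an explicit `X509_cmp`, and nothing in the hunk says what that equality means; a comment on the loop, `/* X509_cmp() compares the full certificate, so only an identical cert, not merely one with the same subject, counts as trusted */`, would document the intent, since this is the check that decides whether an untrusted-issuer or untrusted-cert verification error is overridden. The loop also walks the store's internal object stack returned by `X509_STORE_get0_objects` without taking the store lock, which is presumably fine for this single-threaded tool but is worth a note because the 1.1 API documents that stack as shared state. The rest of the hunk reads correctly: the type test before `X509_OBJECT_get0_X509` avoids dereferencing a CRL entry.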
@@ -195,8 +218,9 @@ static int x509_verify_cb(int status, X5
 	int err = X509_STORE_CTX_get_error(ctx);
 
 	/* also accept code-signing keys */
-	if (err == X509_V_ERR_INVALID_PURPOSE
-			&& ctx->cert->ex_xkusage == XKU_CODE_SIGN)
+	if (err == X509_V_ERR_INVALID_PURPOSE &&
+			X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
+			== XKU_CODE_SIGN)
 		status = 1;
 
 	/* all certs given with the --cert argument are trusted */
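Review bot: The rewritten condition keeps the old exact-equality test `X509_get_extended_key_usage(...) == XKU_CODE_SIGN`, so a certificate whose EKU extension lists codeSigning together with any other purpose still fails this branch; that is pre-existing behaviour rather than something this commit introduces, but since the line is being rewritten anyway it should say whether the exact match is deliberate, e.g. `/* deliberately require codeSigning to be the *only* EKU; a cert with additional purposes is not accepted here */`. If the 1.1 accessor returns its all-bits "no EKU extension" sentinel when the extension is absent, as I believe it does, the equality test remains safe in that case too. The enclosing `x509_verify_cb` starts before this hunk.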
@@ -204,7 +228,7 @@ static int x509_verify_cb(int status, X5
 			err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ||
 			err == X509_V_ERR_CERT_UNTRUSTED) {
 
-		if (cert_in_store(ctx->current_cert, ctx))
+		if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))
 			status = 1;
 	}
 	/* UEFI doesn't care about expired signatures, so we shouldn't either. */
--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
@@ -204,16 +204,15 @@ static int x509_key_parse(struct key *ke
 		return -1;
 
 	/* we use the X509 serial number as the key ID */
-	if (!x509->cert_info || !x509->cert_info->serialNumber)
+	serial = X509_get_serialNumber(x509);
+	if (!serial)
 		goto out;
 
-	serial = x509->cert_info->serialNumber;
-
 	key->id_len = ASN1_STRING_length(serial);
 	key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
 
 	key->description = talloc_array(key, char, description_len);
-	X509_NAME_oneline(x509->cert_info->subject,
+	X509_NAME_oneline(X509_get_subject_name(x509),
 			key->description, description_len);
 
 	rc = 0;
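Review bot: The line `key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);`, kept unchanged in this hunk, still calls `ASN1_STRING_data`, which OpenSSL 1.1 deprecates in favour of `ASN1_STRING_get0_data`; it still compiles, but given that the stated purpose of this patch is 1.1 support, switching to the new name and adding `#define ASN1_STRING_get0_data(s) ASN1_STRING_data(s)` to a `< 0x10100000L` compatibility block in this file would be consistent with the sbverify.c changes. The new `if (!serial) goto out;` is harmless but, as far as I can tell, `X509_get_serialNumber` returns a pointer into the certificate structure and does not return NULL for a non-NULL `x509`, so the old `cert_info` NULL check has no real replacement here; a short comment to that effect would stop a reader from assuming the guard covers a failure path. The enclosing `x509_key_parse` starts before this hunk.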