1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143
|
Author: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 26 Jun 2016 22:04:29 +0200
Description: Update OpenSSL API usage to support OpenSSL 1.1
Most structure definitions in OpenSSL are now opaque and we must call
the appropriate accessor functions to get information from them.
Not all the accessors are available in older versions, so define the
missing accessors as macros.
.
The X509_retrieve_match() function is no longer usable, as we cannot
initialise an X509_OBJECT ourselves. Instead, iterate over the
certificate store and use X509_OBJECT_get_type and X509_cmp to
compare certificates.
--- a/src/sbverify.c
+++ b/src/sbverify.c
@@ -55,6 +55,14 @@
#include <openssl/pem.h>
#include <openssl/x509v3.h>
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
+#define X509_OBJECT_get_type(obj) ((obj)->type)
+#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
+#define X509_STORE_get0_objects(certs) ((certs)->objs)
+#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
+#endif
+
static const char *toolname = "sbverify";
static const int cert_name_len = 160;
@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *
for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
cert = sk_X509_value(p7->d.sign->cert, i);
- X509_NAME_oneline(cert->cert_info->subject,
+ X509_NAME_oneline(X509_get_subject_name(cert),
subject_name, cert_name_len);
- X509_NAME_oneline(cert->cert_info->issuer,
+ X509_NAME_oneline(X509_get_issuer_name(cert),
issuer_name, cert_name_len);
printf(" - subject: %s\n", subject_name);
@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *
static void print_certificate_store_certs(X509_STORE *certs)
{
char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
+ STACK_OF(X509_OBJECT) *objs;
X509_OBJECT *obj;
+ X509 *cert;
int i;
printf("certificate store:\n");
- for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
- obj = sk_X509_OBJECT_value(certs->objs, i);
+ objs = X509_STORE_get0_objects(certs);
+
+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+ obj = sk_X509_OBJECT_value(objs, i);
- if (obj->type != X509_LU_X509)
+ if (X509_OBJECT_get_type(obj) != X509_LU_X509)
continue;
- X509_NAME_oneline(obj->data.x509->cert_info->subject,
+ cert = X509_OBJECT_get0_X509(obj);
+
+ X509_NAME_oneline(X509_get_subject_name(cert),
subject_name, cert_name_len);
- X509_NAME_oneline(obj->data.x509->cert_info->issuer,
+ X509_NAME_oneline(X509_get_issuer_name(cert),
issuer_name, cert_name_len);
printf(" - subject: %s\n", subject_name);
@@ -182,12 +196,21 @@ static int load_detached_signature_data(
static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
{
- X509_OBJECT obj;
+ STACK_OF(X509_OBJECT) *objs;
+ X509_OBJECT *obj;
+ int i;
+
+ objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
- obj.type = X509_LU_X509;
- obj.data.x509 = cert;
+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+ obj = sk_X509_OBJECT_value(objs, i);
- return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
+ if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
+ !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
+ return 1;
+ }
+
+ return 0;
}
static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
@@ -195,8 +218,9 @@ static int x509_verify_cb(int status, X5
int err = X509_STORE_CTX_get_error(ctx);
/* also accept code-signing keys */
- if (err == X509_V_ERR_INVALID_PURPOSE
- && ctx->cert->ex_xkusage == XKU_CODE_SIGN)
+ if (err == X509_V_ERR_INVALID_PURPOSE &&
+ X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
+ == XKU_CODE_SIGN)
status = 1;
/* all certs given with the --cert argument are trusted */
@@ -204,7 +228,7 @@ static int x509_verify_cb(int status, X5
err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ||
err == X509_V_ERR_CERT_UNTRUSTED) {
- if (cert_in_store(ctx->current_cert, ctx))
+ if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))
status = 1;
}
/* UEFI doesn't care about expired signatures, so we shouldn't either. */
--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
@@ -204,16 +204,15 @@ static int x509_key_parse(struct key *ke
return -1;
/* we use the X509 serial number as the key ID */
- if (!x509->cert_info || !x509->cert_info->serialNumber)
+ serial = X509_get_serialNumber(x509);
+ if (!serial)
goto out;
- serial = x509->cert_info->serialNumber;
-
key->id_len = ASN1_STRING_length(serial);
key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
key->description = talloc_array(key, char, description_len);
- X509_NAME_oneline(x509->cert_info->subject,
+ X509_NAME_oneline(X509_get_subject_name(x509),
key->description, description_len);
rc = 0;
|