Control: tag -1 patch With this patch applied, sbsigntool builds against either libssl- dev/unstable or libssl-dev/experimental.
Ben. -- Ben Hutchings compatible: Gracefully accepts erroneous data from any source
Author: Ben Hutchings <b...@decadent.org.uk>
Date: Sun, 26 Jun 2016 22:04:29 +0200
Description: Update OpenSSL API usage to support OpenSSL 1.1
Most structure definitions in OpenSSL are now opaque and we must call
the appropriate accessor functions to get information from them.
Not all the accessors are available in older versions, so define the
missing accessors as macros.
.
The X509_retrieve_match() function is no longer usable, as we cannot
initialise an X509_OBJECT ourselves. Instead, iterate over the
certificate store and use X509_OBJECT_get_type and X509_cmp to
compare certificates.
--- a/src/sbverify.c
+++ b/src/sbverify.c
@@ -55,6 +55,14 @@
#include <openssl/pem.h>
#include <openssl/x509v3.h>
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
+#define X509_OBJECT_get_type(obj) ((obj)->type)
+#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
+#define X509_STORE_get0_objects(certs) ((certs)->objs)
+#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
+#endif
+
static const char *toolname = "sbverify";
static const int cert_name_len = 160;
@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *
for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
cert = sk_X509_value(p7->d.sign->cert, i);
- X509_NAME_oneline(cert->cert_info->subject,
+ X509_NAME_oneline(X509_get_subject_name(cert),
subject_name, cert_name_len);
- X509_NAME_oneline(cert->cert_info->issuer,
+ X509_NAME_oneline(X509_get_issuer_name(cert),
issuer_name, cert_name_len);
printf(" - subject: %s\n", subject_name);
@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *
static void print_certificate_store_certs(X509_STORE *certs)
{
char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
+ STACK_OF(X509_OBJECT) *objs;
X509_OBJECT *obj;
+ X509 *cert;
int i;
printf("certificate store:\n");
- for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
- obj = sk_X509_OBJECT_value(certs->objs, i);
+ objs = X509_STORE_get0_objects(certs);
+
+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+ obj = sk_X509_OBJECT_value(objs, i);
- if (obj->type != X509_LU_X509)
+ if (X509_OBJECT_get_type(obj) != X509_LU_X509)
continue;
- X509_NAME_oneline(obj->data.x509->cert_info->subject,
+ cert = X509_OBJECT_get0_X509(obj);
+
+ X509_NAME_oneline(X509_get_subject_name(cert),
subject_name, cert_name_len);
- X509_NAME_oneline(obj->data.x509->cert_info->issuer,
+ X509_NAME_oneline(X509_get_issuer_name(cert),
issuer_name, cert_name_len);
printf(" - subject: %s\n", subject_name);
@@ -182,12 +196,21 @@ static int load_detached_signature_data(
static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
{
- X509_OBJECT obj;
+ STACK_OF(X509_OBJECT) *objs;
+ X509_OBJECT *obj;
+ int i;
+
+ objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
- obj.type = X509_LU_X509;
- obj.data.x509 = cert;
+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+ obj = sk_X509_OBJECT_value(objs, i);
- return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
+ if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
+ !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
+ return 1;
+ }
+
+ return 0;
}
static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
@@ -195,8 +218,9 @@ static int x509_verify_cb(int status, X5
int err = X509_STORE_CTX_get_error(ctx);
/* also accept code-signing keys */
- if (err == X509_V_ERR_INVALID_PURPOSE
- && ctx->cert->ex_xkusage == XKU_CODE_SIGN)
+ if (err == X509_V_ERR_INVALID_PURPOSE &&
+ X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
+ == XKU_CODE_SIGN)
status = 1;
/* all certs given with the --cert argument are trusted */
@@ -204,7 +228,7 @@ static int x509_verify_cb(int status, X5
err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ||
err == X509_V_ERR_CERT_UNTRUSTED) {
- if (cert_in_store(ctx->current_cert, ctx))
+ if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))
status = 1;
}
/* UEFI doesn't care about expired signatures, so we shouldn't either. */
--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
@@ -204,16 +204,15 @@ static int x509_key_parse(struct key *ke
return -1;
/* we use the X509 serial number as the key ID */
- if (!x509->cert_info || !x509->cert_info->serialNumber)
+ serial = X509_get_serialNumber(x509);
+ if (!serial)
goto out;
- serial = x509->cert_info->serialNumber;
-
key->id_len = ASN1_STRING_length(serial);
key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
key->description = talloc_array(key, char, description_len);
- X509_NAME_oneline(x509->cert_info->subject,
+ X509_NAME_oneline(X509_get_subject_name(x509),
key->description, description_len);
rc = 0;
signature.asc
Description: This is a digitally signed message part
