[backend] BSTUF: use new helper functions

openSUSE · Nov 14, 2018 · 6b920c3 · 6b920c3
1 parent 296bf28
commit 6b920c3
Showing 1 changed file with 17 additions and 28 deletions.
diff --git a/src/backend/BSTUF.pm b/src/backend/BSTUF.pm
@@ -37,8 +37,7 @@ sub keydata2asn1 {
   my ($keydata) = @_;
   die("need an rsa pubkey\n") unless ($keydata->{'algo'} || '') eq 'rsa';
   my $pubkey = BSASN1::asn1_sequence(BSASN1::asn1_integer_mpi($keydata->{'mpis'}->[0]->{'data'}), BSASN1::asn1_integer_mpi($keydata->{'mpis'}->[1]->{'data'}));
-  $pubkey = BSASN1::asn1_pack($BSASN1::BIT_STRING, pack('C', 0).$pubkey);
-  return BSASN1::asn1_sequence(BSASN1::asn1_sequence($BSX509::oid_rsaencryption, BSASN1::asn1_null()), $pubkey);
+  return BSASN1::asn1_sequence(BSASN1::asn1_sequence($BSX509::oid_rsaencryption, BSASN1::asn1_null()), BSASN1::asn1_bytes($pubkey));
 }
 
 sub rfc3339time {
@@ -63,60 +62,50 @@ sub sign {
 
 sub mktbscert {
   my ($cn, $not_before, $not_after, $subjectkeyinfo) = @_;
-  my $serial = pack("C", 128 + int(rand(128)));
-  $serial .= pack("C", int(rand(256))) for (1, 2, 3, 4, 5, 6, 7);
   my $certversion = BSASN1::asn1_tagged(0, BSASN1::asn1_integer(2));
-  my $certserial = BSASN1::asn1_integer_mpi($serial);
+  my $certserial = BSX509::pack_random_serial();
   my $sigalgo = BSASN1::asn1_sequence($BSX509::oid_sha256withrsaencryption, BSASN1::asn1_null());
-  my $cnattr = BSASN1::asn1_sequence($BSX509::oid_common_name, BSASN1::asn1_pack($BSASN1::UTF8STRING, $cn));
-  my $issuer = BSASN1::asn1_sequence(BSASN1::asn1_set($cnattr));
+  my $issuer = BSX509::pack_distinguished_name([ $BSX509::oid_common_name, $cn ]);
   my $validity = BSASN1::asn1_sequence(BSASN1::asn1_utctime($not_before), BSASN1::asn1_utctime($not_after));
-  my $critical = BSASN1::asn1_boolean(1);
-  my $basic_constraints = BSASN1::asn1_sequence($BSX509::oid_basic_constraints, $critical, BSASN1::asn1_octet_string(BSASN1::asn1_sequence()));
-  my $key_usage = BSASN1::asn1_sequence($BSX509::oid_key_usage, $critical, BSASN1::asn1_octet_string(BSASN1::asn1_pack($BSASN1::BIT_STRING, pack("CC", 5, 160))));
-  my $ext_key_usage = BSASN1::asn1_sequence($BSX509::oid_ext_key_usage, BSASN1::asn1_octet_string(BSASN1::asn1_sequence($BSX509::oid_code_signing)));
-  my $extensions = BSASN1::asn1_tagged(3, BSASN1::asn1_sequence($basic_constraints, $key_usage, $ext_key_usage));
+  my $basic_constraints = BSASN1::asn1_sequence();
+  my $key_usage = BSASN1::asn1_bits_list($BSX509::key_usage_digital_signature, $BSX509::key_usage_key_encipherment);
+  my $ext_key_usage = BSASN1::asn1_sequence($BSX509::oid_code_signing);
+  my $extensions = BSX509::pack_cert_extensions(
+		    $BSX509::oid_basic_constraints, [ $basic_constraints, 1 ],
+		    $BSX509::oid_key_usage, [ $key_usage, 1 ],
+		    $BSX509::oid_ext_key_usage, [ $ext_key_usage ]);
   my $tbscert = BSASN1::asn1_sequence($certversion, $certserial, $sigalgo, $issuer, $validity, $issuer, $subjectkeyinfo, $extensions);
   return $tbscert;
 }
 
 sub mkcert {
   my ($tbscert, $signargs) = @_;
-  my $sigalgo = BSASN1::asn1_sequence($BSX509::oid_sha256withrsaencryption, BSASN1::asn1_null());
   my $signature = sign($tbscert, $signargs);
-  my $cert = BSASN1::asn1_sequence($tbscert, $sigalgo, BSASN1::asn1_pack($BSASN1::BIT_STRING, pack("C", 0), $signature));
+  my $sigalgo = BSASN1::asn1_sequence($BSX509::oid_sha256withrsaencryption, BSASN1::asn1_null());
+  my $cert = BSASN1::asn1_sequence($tbscert, $sigalgo, BSASN1::asn1_bytes($signature));
   return BSASN1::der2pem($cert, 'CERTIFICATE');
 }
 
 # return the to-be-signed part of a certificate
 sub gettbscert {
   my ($cert) = @_;
   $cert = BSASN1::pem2der($cert, 'CERTIFICATE');
-  (undef, undef, $cert) = BSASN1::asn1_unpack($cert, $BSASN1::CONS | $BSASN1::SEQUENCE);
-  (undef, undef, undef, $cert) = BSASN1::asn1_unpack($cert, $BSASN1::CONS | $BSASN1::SEQUENCE);
-  return $cert;
+  return (BSASN1::asn1_unpack_sequence($cert, undef, [ $BSASN1::CONS | $BSASN1::SEQUENCE, -1]))[0];
 }
 
 # remove the serial number from a tbs certificate. We need to do this because the
 # serial is random and we want to compare two certs.
 sub removecertserial {
   my ($tbscert) = @_;
-  (undef, undef, $tbscert) = BSASN1::asn1_unpack($tbscert, $BSASN1::CONS | $BSASN1::SEQUENCE);
-  my $tail = $tbscert;
-  ($tail, undef, undef) = BSASN1::asn1_unpack($tail);	# the version
-  my $l = length($tail);
-  ($tail, undef, undef) = BSASN1::asn1_unpack($tail, $BSASN1::INTEGER);	# the serial
-  substr($tbscert, length($tbscert) - $l, $l - length($tail), '');
-  return BSASN1::asn1_sequence($tbscert); 	# pack back into a sequence
+  my @parts = BSASN1::asn1_unpack_sequence($tbscert, undef, [ @$BSX509::tbscertificate_tags[0 .. 1], -1 ]);
+  splice(@parts, 1, 1);		# remove serial entry
+  return BSASN1::asn1_sequence(@parts);
 }
 
 # get pubkey
 sub getsubjectkeyinfo {
   my ($tbscert) = @_;
-  (undef, undef, $tbscert) = BSASN1::asn1_unpack($tbscert, $BSASN1::CONS | $BSASN1::SEQUENCE);
-  ($tbscert, undef, undef) = BSASN1::asn1_unpack($tbscert) for 1..6;
-  (undef, undef, undef, $tbscert) = BSASN1::asn1_unpack($tbscert, $BSASN1::CONS | $BSASN1::SEQUENCE);
-  return $tbscert;
+  return (BSASN1::asn1_unpack_sequence($tbscert, undef, [ @$BSX509::tbscertificate_tags[0 .. 7], -1 ]))[6];
 }
 
 sub signdata {