Skip to content

Commit

Permalink
nss adopt cert type (lsh123#73)
Browse files Browse the repository at this point in the history 
* nss: handle 'type' in xmlSecNssX509StoreAdoptCert()

So that when it's trusted, we actually mark the certificate as trusted
using NSS API. This allows actually verifying the certificate chain in
xmlSecNssX509StoreVerify() without 'make check' failing.

* better error reporting and testing

* remove the cert before the test
  • Loading branch information
@lsh123
lsh123 committed Dec 15, 2016
1 parent 5f6ce2c commit 1533729
Show file tree
Hide file tree
Showing 7 changed files with 178 additions and 36 deletions.
22 changes: 21 additions & 1 deletion src/errors_helpers.h
View file
Expand Up @@ -512,7 +512,6 @@ extern "C" {
(msg), (param1), (param2) \
)


/**
* xmlSecOtherError4:
* @code: the error code.
Expand All @@ -531,6 +530,27 @@ extern "C" {
(code), \
(msg), (param1), (param2), (param3) \
)

/**
* xmlSecOtherError5:
* @code: the error code.
* @errorObject: the error specific error object (e.g. transform, key data, etc).
* @msg: the extra message.
* @param1: the extra message param.
* @param2: the extra message param.
* @param3: the extra message param.
* @param4: the extra message param.
*
* Macro. The XMLSec library macro for reporting other XMLSec errors.
*/
#define xmlSecOtherError5(code, errorObject, msg, param1, param2, param3, param4) \
xmlSecError(XMLSEC_ERRORS_HERE, \
(const char*)(errorObject), \
NULL, \
(code), \
(msg), (param1), (param2), (param3), (param4) \
)

#ifdef __cplusplus
}
#endif /* __cplusplus */
Expand Down
44 changes: 32 additions & 12 deletions src/nss/x509vfy.c
View file
Expand Up @@ -177,19 +177,20 @@ xmlSecNssX509StoreVerify(xmlSecKeyDataStorePtr store, CERTCertList* certs,
ctx = xmlSecNssX509StoreGetCtx(store);
xmlSecAssert2(ctx != NULL, NULL);

if(keyInfoCtx->certsVerificationTime > 0) {
/* convert the time since epoch in seconds to microseconds */
LL_UI2L(timeboundary, keyInfoCtx->certsVerificationTime);
tmp1 = (int64)PR_USEC_PER_SEC;
tmp2 = timeboundary;
LL_MUL(timeboundary, tmp1, tmp2);
} else {
timeboundary = PR_Now();
}

for (head = CERT_LIST_HEAD(certs);
!CERT_LIST_END(head, certs);
head = CERT_LIST_NEXT(head)) {
cert = head->cert;
if(keyInfoCtx->certsVerificationTime > 0) {
/* convert the time since epoch in seconds to microseconds */
LL_UI2L(timeboundary, keyInfoCtx->certsVerificationTime);
tmp1 = (int64)PR_USEC_PER_SEC;
tmp2 = timeboundary;
LL_MUL(timeboundary, tmp1, tmp2);
} else {
timeboundary = PR_Now();
}

/* if cert is the issuer of any other cert in the list, then it is
* to be skipped */
Expand All @@ -212,11 +213,13 @@ xmlSecNssX509StoreVerify(xmlSecKeyDataStorePtr store, CERTCertList* certs,
continue;
}

/* it's important to set the usage here, otherwise no real verification
* is performed. */
status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(),
cert, PR_FALSE,
(SECCertificateUsage)0,
certificateUsageEmailSigner,
timeboundary , NULL, NULL, NULL);
if (status == SECSuccess) {
if (status == SECSuccess) {
break;
}
}
Expand Down Expand Up @@ -270,7 +273,7 @@ xmlSecNssX509StoreVerify(xmlSecKeyDataStorePtr store, CERTCertList* certs,
* Returns: 0 on success or a negative value if an error occurs.
*/
int
xmlSecNssX509StoreAdoptCert(xmlSecKeyDataStorePtr store, CERTCertificate* cert, xmlSecKeyDataType type ATTRIBUTE_UNUSED) {
xmlSecNssX509StoreAdoptCert(xmlSecKeyDataStorePtr store, CERTCertificate* cert, xmlSecKeyDataType type) {
xmlSecNssX509StoreCtxPtr ctx;
int ret;

Expand All @@ -294,6 +297,23 @@ xmlSecNssX509StoreAdoptCert(xmlSecKeyDataStorePtr store, CERTCertificate* cert,
return(-1);
}

if(type == xmlSecKeyDataTypeTrusted) {
SECStatus status;

/* if requested, mark the certificate as trusted */
CERTCertTrust trust;
status = CERT_DecodeTrustString(&trust, "TCu,Cu,Tu");
if(status != SECSuccess) {
xmlSecNssError("CERT_DecodeTrustString", xmlSecKeyDataStoreGetName(store));
return(-1);
}
CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), cert, &trust);
if(status != SECSuccess) {
xmlSecNssError("CERT_ChangeCertTrust", xmlSecKeyDataStoreGetName(store));
return(-1);
}
}

return(0);
}

Expand Down
45 changes: 22 additions & 23 deletions src/openssl/x509vfy.c
View file
Expand Up @@ -178,7 +178,6 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
X509 * cert;
X509 * err_cert = NULL;
X509_STORE_CTX *xsc;
char buf[256];
int err = 0;
int i;
int ret;
Expand Down Expand Up @@ -326,55 +325,55 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
goto done;
} else if(ret == 0) {
const char* err_msg;
char subject[256], issuer[256];

buf[0] = '\0';
X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof buf);
X509_NAME_oneline(X509_get_subject_name(err_cert), subject, sizeof(subject));
X509_NAME_oneline(X509_get_issuer_name(err_cert), issuer, sizeof(issuer));
err_msg = X509_verify_cert_error_string(err);

xmlSecOtherError4(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
xmlSecOtherError5(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
xmlSecKeyDataStoreGetName(store),
"X509_verify_cert: subject=%s; err=%d; msg=%s",
xmlSecErrorsSafeString(buf),
err,
xmlSecErrorsSafeString(err_msg));

"X509_verify_cert: subject=%s; issuer=%s; err=%d; msg=%s",
subject, issuer, err, xmlSecErrorsSafeString(err_msg));
}
}
}

/* if we came here then we found nothing. do we have any error? */
if((err != 0) && (err_cert != NULL)) {
const char* err_msg;
char subject[256], issuer[256];

X509_NAME_oneline(X509_get_subject_name(err_cert), subject, sizeof(subject));
X509_NAME_oneline(X509_get_issuer_name(err_cert), issuer, sizeof(issuer));
err_msg = X509_verify_cert_error_string(err);

switch (err) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof buf);
xmlSecOtherError4(XMLSEC_ERRORS_R_CERT_ISSUER_FAILED,
xmlSecOtherError5(XMLSEC_ERRORS_R_CERT_ISSUER_FAILED,
xmlSecKeyDataStoreGetName(store),
"issuer=%s;err=%d;msg=%s",
xmlSecErrorsSafeString(buf),
err, xmlSecErrorsSafeString(err_msg));
"subject=%s; issuer=%s; err=%d; msg=%s",
subject, issuer, err, xmlSecErrorsSafeString(err_msg));
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
xmlSecOtherError3(XMLSEC_ERRORS_R_CERT_NOT_YET_VALID,
xmlSecOtherError5(XMLSEC_ERRORS_R_CERT_NOT_YET_VALID,
xmlSecKeyDataStoreGetName(store),
"err=%d;msg=%s",
err, xmlSecErrorsSafeString(err_msg));
"subject=%s; issuer=%s; err=%d; msg=%s",
subject, issuer, err, xmlSecErrorsSafeString(err_msg));
break;
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
xmlSecOtherError3(XMLSEC_ERRORS_R_CERT_HAS_EXPIRED,
xmlSecOtherError5(XMLSEC_ERRORS_R_CERT_HAS_EXPIRED,
xmlSecKeyDataStoreGetName(store),
"err=%d;msg=%s",
err, xmlSecErrorsSafeString(err_msg));
"subject=%s; issuer=%s; err=%d; msg=%s",
subject, issuer, err, xmlSecErrorsSafeString(err_msg));
break;
default:
xmlSecOtherError3(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
xmlSecOtherError5(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
xmlSecKeyDataStoreGetName(store),
"err=%d;msg=%s",
err, xmlSecErrorsSafeString(err_msg));
"subject=%s; issuer=%s; err=%d; msg=%s",
subject, issuer, err, xmlSecErrorsSafeString(err_msg));
break;
}
}
Expand Down
81 changes: 81 additions & 0 deletions tests/aleksey-xmldsig-01/enveloping-sha256-rsa-sha256-verify.xml
View file
@@ -0,0 +1,81 @@
<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#object">
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>iDhYt78o294fA6pzQ7k44+eejrQMi+WX3l3UrUdtL1Q=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>xOSp1bweDaNd5+NzBNO+m+1oEOm1jNjBMXf12F7LsXoBDpvgC3efL2XgkoRY8LJ9
msV4PSDkJRzzmvSTvQ6Txg==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIID9zCCA2CgAwIBAgIJAK+ii7kzrdqsMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYD
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTE9MDsGA1UEChM0WE1MIFNlY3Vy
aXR5IExpYnJhcnkgKGh0dHA6Ly93d3cuYWxla3NleS5jb20veG1sc2VjKTEQMA4G
A1UECxMHUm9vdCBDQTEWMBQGA1UEAxMNQWxla3NleSBTYW5pbjEhMB8GCSqGSIb3
DQEJARYSeG1sc2VjQGFsZWtzZXkuY29tMCAXDTE0MDUyMzE3NTA1OVoYDzIxMTQw
NDI5MTc1MDU5WjCBrjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
PTA7BgNVBAoTNFhNTCBTZWN1cml0eSBMaWJyYXJ5IChodHRwOi8vd3d3LmFsZWtz
ZXkuY29tL3htbHNlYykxEDAOBgNVBAsTB1Jvb3QgQ0ExFjAUBgNVBAMTDUFsZWtz
ZXkgU2FuaW4xITAfBgkqhkiG9w0BCQEWEnhtbHNlY0BhbGVrc2V5LmNvbTCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtY4MCNj/qrOzVuex1BD/PuCYTDDOLLVj
tpKXQteQPqy0kgMwuQgRwdNnICIHQbnFKL40XoyACJVWKM7b0LkvWJNeyVzXPqEE
9ZPmNxWGUjVcr7powT7v8V7S2QflUnr8ZvR4XWwkZJ9EYKNhenijgJ5yYDrXCWdv
C+fnjBjv2LcCAwEAAaOCARcwggETMB0GA1UdDgQWBBQGtaSsp6p1ROoVnE/fBYNP
ah7+CzCB4wYDVR0jBIHbMIHYgBQGtaSsp6p1ROoVnE/fBYNPah7+C6GBtKSBsTCB
rjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExPTA7BgNVBAoTNFhN
TCBTZWN1cml0eSBMaWJyYXJ5IChodHRwOi8vd3d3LmFsZWtzZXkuY29tL3htbHNl
YykxEDAOBgNVBAsTB1Jvb3QgQ0ExFjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4xITAf
BgkqhkiG9w0BCQEWEnhtbHNlY0BhbGVrc2V5LmNvbYIJAK+ii7kzrdqsMAwGA1Ud
EwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEARpb86RP/ck55X+NunXeIX81i763b
j7Z1VJwFbA/QfupzxnqJ2IP/lxC8YxJ3Bp2IJMI7rC9r0poa41ZxI5rGHip97Dpg
sxPF9lkRUmKBBQjkICOq1w/4d2DRInBoqXttD+0WsqDfNDVK+7kSE07ytn3RzHCj
j0gv0PdxmuCsR/E=</X509Certificate>
<X509Certificate>MIIDzzCCAzigAwIBAgIJAK+ii7kzrdqtMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYD
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTE9MDsGA1UEChM0WE1MIFNlY3Vy
aXR5IExpYnJhcnkgKGh0dHA6Ly93d3cuYWxla3NleS5jb20veG1sc2VjKTEQMA4G
A1UECxMHUm9vdCBDQTEWMBQGA1UEAxMNQWxla3NleSBTYW5pbjEhMB8GCSqGSIb3
DQEJARYSeG1sc2VjQGFsZWtzZXkuY29tMCAXDTE0MDUyMzE3NTIzOFoYDzIxMTQw
NDI5MTc1MjM4WjCBnDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
PTA7BgNVBAoTNFhNTCBTZWN1cml0eSBMaWJyYXJ5IChodHRwOi8vd3d3LmFsZWtz
ZXkuY29tL3htbHNlYykxFjAUBgNVBAMTDUFsZWtzZXkgU2FuaW4xITAfBgkqhkiG
9w0BCQEWEnhtbHNlY0BhbGVrc2V5LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC
QQCyuvKJ2CuUPD33ghPt4Q8MilesHxVbbpyKfmabrYVpDGVDmOKKp337qJUZZ95K
fwlXbR2j0zyKWJmvRxUx+PsTAgMBAAGjggFFMIIBQTAMBgNVHRMEBTADAQH/MCwG
CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
HQ4EFgQU/uTsUyTwlZXHELXhRLVdOWVa434wgeMGA1UdIwSB2zCB2IAUBrWkrKeq
dUTqFZxP3wWDT2oe/guhgbSkgbEwga4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpD
YWxpZm9ybmlhMT0wOwYDVQQKEzRYTUwgU2VjdXJpdHkgTGlicmFyeSAoaHR0cDov
L3d3dy5hbGVrc2V5LmNvbS94bWxzZWMpMRAwDgYDVQQLEwdSb290IENBMRYwFAYD
VQQDEw1BbGVrc2V5IFNhbmluMSEwHwYJKoZIhvcNAQkBFhJ4bWxzZWNAYWxla3Nl
eS5jb22CCQCvoou5M63arDANBgkqhkiG9w0BAQUFAAOBgQBuTAW63AgWqqUDPGi8
BiXbdKHhFP4J8qgkdv5WMa6SpSWVgNgOYXkK/BSg1aSmQtGv8/8UvBRPoJnO4y0N
jWUFf1ubOgUNmedYNLq7YbTp8yTGWeogCyM2xdWELMP8BMgQL0sP+MDAFMKO3itY
mEWnCEsP15HKSTms54RNj7oJ+A==</X509Certificate>
<X509Certificate>MIIDpzCCA1GgAwIBAgIJAK+ii7kzrdqvMA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTE9MDsGA1UEChM0WE1MIFNlY3Vy
aXR5IExpYnJhcnkgKGh0dHA6Ly93d3cuYWxla3NleS5jb20veG1sc2VjKTEWMBQG
A1UEAxMNQWxla3NleSBTYW5pbjEhMB8GCSqGSIb3DQEJARYSeG1sc2VjQGFsZWtz
ZXkuY29tMCAXDTE0MDUyMzE3NTUzNFoYDzIxMTQwNDI5MTc1NTM0WjCBxzELMAkG
A1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExPTA7BgNVBAoTNFhNTCBTZWN1
cml0eSBMaWJyYXJ5IChodHRwOi8vd3d3LmFsZWtzZXkuY29tL3htbHNlYykxKTAn
BgNVBAsTIFRlc3QgVGhpcmQgTGV2ZWwgUlNBIENlcnRpZmljYXRlMRYwFAYDVQQD
Ew1BbGVrc2V5IFNhbmluMSEwHwYJKoZIhvcNAQkBFhJ4bWxzZWNAYWxla3NleS5j
b20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA09BtD3aeVt6DVDkk0dI7Vh7Ljqdn
sYmW0tbDVxxK+nume+Z9Sb4znbUKkWl+vgQATdRUEyhT2P+Gqrd0UBzYfQIDAQAB
o4IBRTCCAUEwDAYDVR0TBAUwAwEB/zAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBH
ZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFNf0xkZ3zjcEI60pVPuwDqTM
QygZMIHjBgNVHSMEgdswgdiAFP7k7FMk8JWVxxC14US1XTllWuN+oYG0pIGxMIGu
MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTE9MDsGA1UEChM0WE1M
IFNlY3VyaXR5IExpYnJhcnkgKGh0dHA6Ly93d3cuYWxla3NleS5jb20veG1sc2Vj
KTEQMA4GA1UECxMHUm9vdCBDQTEWMBQGA1UEAxMNQWxla3NleSBTYW5pbjEhMB8G
CSqGSIb3DQEJARYSeG1sc2VjQGFsZWtzZXkuY29tggkAr6KLuTOt2q0wDQYJKoZI
hvcNAQEFBQADQQAOXBj0yICp1RmHXqnUlsppryLCW3pKBD1dkb4HWarO7RjA1yJJ
fBjXssrERn05kpBcrRfzou4r3DCgQFPhjxga</X509Certificate>
</X509Data>
</KeyInfo>
<Object Id="object">some text</Object>
</Signature>
Binary file added tests/keys/merlincert.der
View file
Binary file not shown.
19 changes: 19 additions & 0 deletions tests/testDSig.sh
View file
Expand Up @@ -922,6 +922,25 @@ execDSigTest $res_fail \
"rsa x509" \
"--trusted-$cert_format certs/rsa-ca-cert.$cert_format"

# 'Verify existing signature' MUST fail here, as --trusted-... is not passed.
# If this passes, that's a bug. Note that we need to cleanup NSS certs DB
# since it automaticall stores trusted certs
if [ "z$crypto" = "znss" ] ;
then
certutil -D -n "$NSS_TEST_CERT_NICKNAME" -d "$crypto_config"
if [ $? -ne 0 ]; then
echo "--- FAILED TO DELETE TRUSTED TEST CERTIFICATE FROM NSS CERT DB. THE NEXT TEST MIGHT FAIL" >> $logfile
echo "--- FAILED TO DELETE TRUSTED TEST CERTIFICATE FROM NSS CERT DB. THE NEXT TEST MIGHT FAIL"
fi
fi

execDSigTest $res_fail \
"aleksey-xmldsig-01" \
"enveloping-sha256-rsa-sha256-verify" \
"sha256 rsa-sha256" \
"rsa x509" \
"--enabled-key-data x509"

##########################################################################
##########################################################################
##########################################################################
Expand Down
3 changes: 3 additions & 0 deletions tests/testrun.sh
View file
Expand Up @@ -106,6 +106,9 @@ else
diff_param=-u
fi

NSS_TEST_CERT_NICKNAME="NSS Certificate DB:Aleksey Sanin - XML Security Library (http://www.aleksey.com/xmlsec)"


#
# Check the command result and print it to stdout
#
Expand Down

0 comments on commit 1533729

Please sign in to comment.