From 787ba9c882f1d7ff9ea4f2745e779c5fb04dfafc Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Dec 14 2017 10:58:34 +0000
Subject: p11_child: properly check results of CERT_VerifyCertificateNow
With certificateUsageCheckAllUsages not only the return code of CERT_VerifyCertificateNow() should be checked but also the usages for which the certificate was verified. The usages checked here will all involve CA signature checks and OCSP checks if OCSP is enabled.
Related to https://pagure.io/SSSD/sssd/issue/3560
Reviewed-by: Fabiano FidĂȘncio
---
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 21c508e..cb89428 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -45,6 +45,15 @@
 #include "util/crypto/sss_crypto.h"
 #include "util/cert.h"
 
+#define EXP_USAGES ( certificateUsageSSLClient \
+ | certificateUsageSSLServer \
+ | certificateUsageSSLServerWithStepUp \
+ | certificateUsageEmailSigner \
+ | certificateUsageEmailRecipient \
+ | certificateUsageObjectSigner \
+ | certificateUsageStatusResponder \
+ | certificateUsageSSLCA )
+
 enum op_mode {
 OP_NONE,
 OP_AUTH,
@@ -136,6 +145,7 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
 char *cert_b64 = NULL;
 char *multi = NULL;
 PRCList *node;
+ SECCertificateUsage returned_usage = 0;
 
 nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, ¶meters, flags);
 if (nss_ctx == NULL) {
@@ -329,8 +339,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
 rv = CERT_VerifyCertificateNow(handle, cert_list_node->cert, PR_TRUE, certificateUsageCheckAllUsages,
- NULL, NULL);
- if (rv != SECSuccess) {
+ NULL, &returned_usage);
+ if (rv != SECSuccess || ((returned_usage & EXP_USAGES) == 0)) {
 DEBUG(SSSDBG_OP_FAILURE, "Certificate [%s][%s] not valid [%d][%s], skipping.\n", cert_list_node->cert->nickname,
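Review bot: EXP_USAGES carries no comment, and a reader of the `#define` will take it for a purpose restriction on the certificate, whereas the commit message says it is the set of usages whose successful verification implies CA signature and OCSP checks — several members (SSLServer, ObjectSigner, StatusResponder, SSLCA) have nothing to do with client authentication. I would add above the macro: `/* Any of these usages, when verified, guarantees that the CA chain (and OCSP, if enabled) was checked; matching one is not a purpose/EKU requirement on the certificate. */` The mask is consumed as `returned_usage & EXP_USAGES` in the last hunk, so that intent belongs where the set is defined.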
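Review bot: `returned_usage` is initialised once at its declaration but is reused by the `CERT_VerifyCertificateNow` call in the last hunk, which from `cert_list_node->cert` and the "skipping" message appears to sit inside a loop over the certificate list; a stale mask from a previous iteration would then be visible if a later call returned success without writing the out-parameter. Resetting it before each call, `returned_usage = 0;` immediately ahead of the `CERT_VerifyCertificateNow(...)` line, makes the `(returned_usage & EXP_USAGES) == 0` test depend only on the current certificate. do_work begins before this hunk and continues beyond it.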