#207 If an existing cert exists, use it to decrypt the PKCS#7 envelope
Merged 2 years ago by rcritten. Opened 2 years ago by rcritten.
rcritten/certmonger issue_202  into  master

file modified
+23 -2
@@ -82,7 +82,7 @@ 

  

  static SECItem *

  try_to_decode(void *parent, PLArenaPool *arena, SECItem *item,

- 	      SECKEYPrivateKey *privkey)

+ 	      SECKEYPrivateKey *privkey, X509 *old_cert)

  {

  	SECOidTag tag;

  	SECItem *ret = NULL, param, *parameters;
@@ -291,6 +291,7 @@ 

  	struct cm_pin_cb_data cb_data;

  	int n_tokens, ec;

  	struct cm_submit_decrypt_envelope_args *args = decrypt_userdata;

+ 	X509 *old_cert = NULL;

  

  	util_o_init();

  	ERR_load_crypto_strings();
@@ -430,6 +431,23 @@ 

  			break;

  		}

  	}

+ 	if (args->entry->cm_cert != NULL) {

+ 		BIO *bio = NULL;

+ 		cm_log(3, "Parsing existing certificate\n");

+ 		bio = BIO_new_mem_buf(args->entry->cm_cert, -1);

+ 		if (bio == NULL) {

+ 			cm_log(1, "Out of memory.\n");

+ 			goto done;

+ 		} else {

+ 			old_cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);

+ 			BIO_free(bio);

+ 			if (old_cert == NULL) {

+ 				cm_log(1, "Error parsing certificate \"%s\".\n", args->entry->cm_cert);

+ 				goto done;

+ 			}

+ 		}

+ 	}

+ 	cm_log(3, "old_cert is %s\n", old_cert == NULL ? "NULL" : "present");

  

  	/* Now that we're logged in, try to decrypt the enveloped data. */

  	plain = NULL;
@@ -445,7 +463,7 @@ 

  			     !PRIVKEY_LIST_END(kle, keylist);

  			     kle = PRIVKEY_LIST_NEXT(kle)) {

  				plain = try_to_decode(args->entry, arena, &item,

- 						      kle->key);

+ 						      kle->key, old_cert);

  				if (plain != NULL) {

  					break;

  				}
@@ -482,4 +500,7 @@ 

  			cm_log(1, "Error shutting down NSS.\n");

  		}

  	}

+ 	if (old_cert != NULL) {

+ 		X509_free(old_cert);

+ 	}

  }
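Review bot: `old_cert` never reaches any decoding logic in this file: the +23 -2 count is fully accounted for by the visible hunks, and none of them touches the body of `try_to_decode`, so the new parameter looks unused on the NSS path. Despite that, the added block makes an unparsable `args->entry->cm_cert` fatal through `goto done;`, so a damaged stored certificate now stops a decryption that did not depend on it before. Either use the certificate to select the matching recipient inside `try_to_decode`, or keep going without it by replacing the `goto done;` in the `old_cert == NULL` branch with a comment such as `/* recipient hint only: continue with old_cert == NULL */`. The identical parse block in the second file fails hard in the same way, where a NULL certificate would simply give `PKCS7_decrypt` its previous arguments. Both enclosing functions start and end outside the hunks shown.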

file modified
+41 -2
@@ -26,6 +26,7 @@ 

  #include <time.h>

  #include <unistd.h>

  

+ #include <openssl/bio.h>

  #include <openssl/err.h>

  #include <openssl/pem.h>

  #include <openssl/x509.h>
@@ -326,6 +327,7 @@ 

  	const unsigned char *u;

  	long error, l;

  	int result = 0;

+ 	X509 *old_cert = NULL;

  

  	if ((args->entry->cm_key_next_marker != NULL) &&

  	    (strlen(args->entry->cm_key_next_marker) > 0)) {
@@ -375,13 +377,47 @@ 

  		cm_log(1, "Out of memory.\n");

  		goto done;

  	}

+ 	if (args->entry->cm_cert != NULL) {

+ 		BIO *bio = NULL;

+ 		cm_log(3, "Parsing existing certificate\n");

+ 		bio = BIO_new_mem_buf(args->entry->cm_cert, -1);

+ 		if (bio == NULL) {

+ 			cm_log(1, "Out of memory.\n");

+ 			goto done;

+ 		} else {

+ 			old_cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);

+ 			BIO_free(bio);

+ 			if (old_cert == NULL) {

+ 				cm_log(1, "Error parsing certificate \"%s\".\n", args->entry->cm_cert);

+ 				goto done;

+ 			}

+ 		}

+ 	}

+ 	cm_log(3, "old_cert is %s\n", old_cert == NULL ? "NULL" : "present");

  	if (pkey_next != NULL) {

- 		result = PKCS7_decrypt(p7, pkey_next, NULL, out, 0);

+ 		result = PKCS7_decrypt(p7, pkey_next, old_cert, out, 0);

  		if (result == 1) {

  			goto done;

+ 		} else {

+ 			error = errno;

+ 			cm_log(1, "Error decrypting PKCS#7 with pkey_next: %s.\n",

+ 					strerror(error));

+ 			while ((error = ERR_get_error()) != 0) {

+ 				ERR_error_string_n(error, buf, sizeof(buf));

+ 				cm_log(1, "%s\n", buf);

+ 			}

+ 		}

+ 	}

+ 	result = PKCS7_decrypt(p7, pkey, old_cert, out, 0);

+ 	if (result == 0) {

+ 		error = errno;

+ 		cm_log(1, "Error decrypting PKCS#7 with pkey: %s.\n",

+ 				strerror(error));

+ 		while ((error = ERR_get_error()) != 0) {

+ 			ERR_error_string_n(error, buf, sizeof(buf));

+ 			cm_log(1, "%s\n", buf);

  		}

  	}

- 	result = PKCS7_decrypt(p7, pkey, NULL, out, 0);

  done:

  	if (result == 1) {

  		p = NULL;
@@ -411,4 +447,7 @@ 

  	if (out != NULL) {

  		BIO_free(out);

  	}

+ 	if (old_cert != NULL) {

+ 		X509_free(old_cert);

+ 	}

  }
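Review bot: The two new failure branches log `strerror(errno)` after `PKCS7_decrypt`, but that call reports failures through the OpenSSL error queue and is not documented to set `errno`, so the first log line can show a stale or "Success" message that misleads whoever is triaging a failed enrolment. Drop `error = errno;` and log a fixed string, e.g. `cm_log(1, "Error decrypting PKCS#7 with pkey_next.\n");`, leaving the `ERR_get_error()` loop to carry the detail; the same applies to the `pkey` branch. A failed `pkey_next` attempt is presumably expected whenever the envelope is addressed to the current key, so a level-1 message there may be noisier than intended. The enclosing function starts and ends outside the hunks shown.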

From the PKCS7_decrypt man page:

Although the recipients certificate is not needed to decrypt the data
it is needed to locate the appropriate (of possible several) recipients
in the PKCS#7 structure.

Based heavily on patch contributed by Romain Bezut

https://pagure.io/certmonger/issue/202

Signed-off-by: Rob Crittenden rcritten@redhat.com

rebased onto 8a837fbd62b8113d928cfe3c7864a488f9b4d71c

2 years ago

rebased onto bd699ef1182b53d6e8331b8d8a69848d1c77cbe4

2 years ago

1 new commit added

  • Run autoreconf to ensure configure is built properly
2 years ago

rebased onto 9ac80d8

2 years ago

Pull-Request has been merged by rcritten

2 years ago