ea4ff2c97f
- Certmonger SCEP renewal should not use old challenges (#1990926) - Certmonger certificates stuck in NEED_GUIDANCE (#2001082) - certmonger creates CSRs with invalid DER syntax for X509v3 extensions with critical=FALSE (#2012261) - Re-enable 003-csrgen test Resolves: #1990926, #2001082, #2012261
From 9312d1892c611d9f0e814cb915488182da2b76cc Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 4 Oct 2021 15:55:44 +0200
Subject: [PATCH] Use extensions template from NSS
Drop certmonger's custom extension template and use the sequence of X509v3
extensions template from NSS.
The certmonger template had a bug that caused certmonger to create CSRs
with invalid DER. It was encoding extension's critical element even for
default value FALSE.
Fixes: https://pagure.io/certmonger/issue/223
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
src/certext.c | 41 +----------------------------------------
1 file changed, 1 insertion(+), 40 deletions(-)
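diff --git a/src/certext.c b/src/certext.c
index be536987..0d66971e 100644
--- a/src/certext.c
+++ b/src/certext.c
@@ -203,45 +203,6 @@ cm_ms_template_template[] = {
 {0, 0, NULL, 0},
 };
 
-/* RFC 5280, 4.1 */
-const SEC_ASN1Template
-cm_certext_cert_extension_template[] = {
- {
- .kind = SEC_ASN1_SEQUENCE,
- .offset = 0,
- .sub = NULL,
- .size = sizeof(CERTCertExtension),
- },
- {
- .kind = SEC_ASN1_OBJECT_ID,
- .offset = offsetof(CERTCertExtension, id),
- .sub = NULL,
- .size = sizeof(SECItem),
- },
- {
- .kind = SEC_ASN1_BOOLEAN,
- .offset = offsetof(CERTCertExtension, critical),
- .sub = NULL,
- .size = sizeof(SECItem),
- },
- {
- .kind = SEC_ASN1_OCTET_STRING,
- .offset = offsetof(CERTCertExtension, value),
- .sub = NULL,
- .size = sizeof(SECItem),
- },
- {0, 0, NULL, 0},
-};
-const SEC_ASN1Template
-cm_certext_sequence_of_cert_extension_template[] = {
- {
- .kind = SEC_ASN1_SEQUENCE_OF,
- .offset = 0,
- .sub = cm_certext_cert_extension_template,
- .size = sizeof(CERTCertExtension **),
- },
-};
-
 /* Windows 2000-style UPN */
 static unsigned char oid_ms_upn_name_bytes[] = {0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03};
 static const SECOidData oid_ms_upn_name = {
@@ -1960,7 +1921,7 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry,
 /* Encode the sequence. */
 memset(&encoded, 0, sizeof(encoded));
 if (i > 1) {
- template = cm_certext_sequence_of_cert_extension_template;
+ template = CERT_SequenceOfCertExtensionTemplate;
 if (SEC_ASN1EncodeItem(arena, &encoded, &exts_ptr,
 template) == &encoded) {
 *extensions = talloc_memdup(entry, encoded.data,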
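Review bot: The new line `template = CERT_SequenceOfCertExtensionTemplate;` carries no comment, while the removed local template still had its `/* RFC 5280, 4.1 */` reference; since the commit message says the reason for the switch is that the NSS template does not emit `critical` when it is FALSE (DER forbids encoding a DEFAULT value), a one-line comment at the assignment would keep that reasoning next to the code, e.g. `/* NSS template omits critical when FALSE, as DER requires (RFC 5280, 4.1). */`. The removed `cm_certext_cert_extension_template` and `cm_certext_sequence_of_cert_extension_template` were `const` arrays with external linkage and only src/certext.c appears in the diffstat, so if a header or another translation unit still declares or references them, that should be cleaned up in the same change. Only the `i > 1` branch of the encoding is visible here; cm_certext_build_csr_extensions begins and ends outside the hunk, so the remaining branches are not reviewed.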
--
2.31.1