nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-04-20 22:45:02 -05:00
Code Issues Projects Releases Wiki Activity

find the signer's certificate in the certificate chain

Browse Source
This commit is contained in:
olszomal 2020-09-30 12:21:47 +02:00 committed by Michał Trojnara
parent fe028d12f4
commit 858e9031f0
1 changed files with 29 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
osslsigncode.c
View File

@ -4200,21 +4200,30 @@ static int add_opus_attribute(PKCS7_SIGNER_INFO *si, char *desc, char *url)
static PKCS7 *create_new_signature(file_type_t type, static PKCS7 *create_new_signature(file_type_t type,
GLOBAL_OPTIONS *options, CRYPTO_PARAMS *cparams) GLOBAL_OPTIONS *options, CRYPTO_PARAMS *cparams)
{ {
int i; int i, signer = -1;
PKCS7 *sig; PKCS7 *sig;
PKCS7_SIGNER_INFO *si = NULL; PKCS7_SIGNER_INFO *si = NULL;
X509 *signcert;
sig = PKCS7_new(); sig = PKCS7_new();
PKCS7_set_type(sig, NID_pkcs7_signed); PKCS7_set_type(sig, NID_pkcs7_signed);
if (cparams->cert != NULL) if (cparams->cert != NULL) {
/*
* the private key and corresponding certificate are parsed from the PKCS12
* structure or loaded from the security token, so we may omit to check
* the consistency of a private key with the public key in an X509 certificate
*/
si = PKCS7_add_signature(sig, cparams->cert, cparams->pkey, options->md); si = PKCS7_add_signature(sig, cparams->cert, cparams->pkey, options->md);
} else {
for (i=0; si == NULL && i<sk_X509_num(cparams->certs); i++) { /* find the signer's certificate located somewhere in the whole certificate chain */
signcert = sk_X509_value(cparams->certs, i); for (i=0; i<sk_X509_num(cparams->certs); i++) {
/* X509_print_fp(stdout, signcert); */ X509 *signcert = sk_X509_value(cparams->certs, i);
si = PKCS7_add_signature(sig, signcert, cparams->pkey, options->md); if (X509_check_private_key(signcert, cparams->pkey)) {
si = PKCS7_add_signature(sig, signcert, cparams->pkey, options->md);
signer = i;
break;
}
}
} }
if (si == NULL) { if (si == NULL) {
printf("PKCS7_add_signature failed\n"); printf("PKCS7_add_signature failed\n");
@ -4236,21 +4245,28 @@ static PKCS7 *create_new_signature(file_type_t type,
} }
PKCS7_content_new(sig, NID_pkcs7_data); PKCS7_content_new(sig, NID_pkcs7_data);
/* add the signer's certificate */
if (cparams->cert != NULL) if (cparams->cert != NULL)
PKCS7_add_certificate(sig, cparams->cert); PKCS7_add_certificate(sig, cparams->cert);
if (signer != -1)
PKCS7_add_certificate(sig, sk_X509_value(cparams->certs, signer));
/* add the certificate chain */
for (i=0; i<sk_X509_num(cparams->certs); i++) {
if (i == signer)
continue;
PKCS7_add_certificate(sig, sk_X509_value(cparams->certs, i));
}
/* add all cross certificates */
if (cparams->xcerts) { if (cparams->xcerts) {
for(i = sk_X509_num(cparams->xcerts)-1; i>=0; i--) for (i=0; i<sk_X509_num(cparams->xcerts); i++)
PKCS7_add_certificate(sig, sk_X509_value(cparams->xcerts, i)); PKCS7_add_certificate(sig, sk_X509_value(cparams->xcerts, i));
} }
for (i = sk_X509_num(cparams->certs)-1; i>=0; i--)
PKCS7_add_certificate(sig, sk_X509_value(cparams->certs, i));
/* add crls */ /* add crls */
if (cparams->crls) { if (cparams->crls) {
for (i=0; i<sk_X509_CRL_num(cparams->crls); i++) for (i=0; i<sk_X509_CRL_num(cparams->crls); i++)
PKCS7_add_crl(sig, sk_X509_CRL_value(cparams->crls, i)); PKCS7_add_crl(sig, sk_X509_CRL_value(cparams->crls, i));
} }
return sig; /* OK */ return sig; /* OK */
} }