rpms / pesign

Clone
Source Code
GIT

Blame 0014-Don-t-allow-or-require-module-or-kernel-with-ca.patch

el6 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 main rawhide
  1.   ba9a699b4b9ad02eb81ff550b536db1c92663255
  2.   0014-Don-t-allow-or-require-module-or-kernel-with-ca.patch
Blob History Raw
ba9a699 
From d14dce18a8fa31e2097d99a717d87b23539b9098 Mon Sep 17 00:00:00 2001
ba9a699 
From: Peter Jones <pjones@redhat.com>
ba9a699 
Date: Wed, 15 May 2019 15:55:17 -0400
ba9a699 
Subject: [PATCH 14/42] Don't allow (or require) --module or --kernel with
ba9a699 
 --ca.
ba9a699
ba9a699 
If you're doing a CA/signer split setup, the CA shouldn't be allowed to
ba9a699 
sign things other than other certificates.
ba9a699
ba9a699 
Signed-off-by: Peter Jones <pjones@redhat.com>
ba9a699 
---
ba9a699 
 src/efikeygen.c | 55 ++++++++++++++++++++++++++++++++-----------------
ba9a699 
 src/efikeygen.1 |  6 ++++--
ba9a699 
 2 files changed, 40 insertions(+), 21 deletions(-)
ba9a699
ba9a699 
diff --git a/src/efikeygen.c b/src/efikeygen.c
ba9a699 
index 848480a9b01..b8b0c961739 100644
ba9a699 
--- a/src/efikeygen.c
ba9a699 
+++ b/src/efikeygen.c
ba9a699 
@@ -54,6 +54,13 @@
ba9a699 
 #include "cms_common.h"
ba9a699 
 #include "oid.h"
ba9a699
ba9a699 
+enum {
ba9a699 
+	MODSIGN_EKU_NONE,
ba9a699 
+	MODSIGN_EKU_KERNEL,
ba9a699 
+	MODSIGN_EKU_MODULE,
ba9a699 
+	MODSIGN_EKU_CA
ba9a699 
+};
ba9a699 
+
ba9a699 
 typedef struct {
ba9a699 
 	SECItem data;
ba9a699 
 	SECAlgorithmID keytype;
ba9a699 
@@ -183,8 +190,7 @@ add_key_usage(cms_context *cms, void *extHandle, int is_ca)
ba9a699
ba9a699 
 	if (is_ca) {
ba9a699 
 		usage = KU_KEY_CERT_SIGN |
ba9a699 
-			KU_CRL_SIGN |
ba9a699 
-			KU_DIGITAL_SIGNATURE;
ba9a699 
+			KU_CRL_SIGN;
ba9a699 
 	} else {
ba9a699 
 		usage = KU_KEY_ENCIPHERMENT |
ba9a699 
 			KU_DATA_ENCIPHERMENT |
ba9a699 
@@ -252,7 +258,7 @@ add_basic_constraints(cms_context *cms, void *extHandle)
ba9a699 
 }
ba9a699
ba9a699 
 static int
ba9a699 
-add_extended_key_usage(cms_context *cms, int modsign_only, void *extHandle)
ba9a699 
+add_extended_key_usage(cms_context *cms, int modsign_eku, void *extHandle)
ba9a699 
 {
ba9a699 
 	SECItem values[2];
ba9a699 
 	SECItem wrapped = { 0 };
ba9a699 
@@ -260,7 +266,11 @@ add_extended_key_usage(cms_context *cms, int modsign_only, void *extHandle)
ba9a699 
 	SECOidTag tag;
ba9a699 
 	int rc;
ba9a699
ba9a699 
-	if (modsign_only < 1 || modsign_only > 2)
ba9a699 
+	if (modsign_eku == MODSIGN_EKU_CA)
ba9a699 
+		return 0;
ba9a699 
+
ba9a699 
+	if (modsign_eku != MODSIGN_EKU_KERNEL
ba9a699 
+	    && modsign_eku != MODSIGN_EKU_MODULE)
ba9a699 
 		cmsreterr(-1, cms, "could not encode extended key usage");
ba9a699
ba9a699 
 	rc = make_eku_oid(cms, &values[0], SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
ba9a699 
@@ -273,11 +283,10 @@ add_extended_key_usage(cms_context *cms, int modsign_only, void *extHandle)
ba9a699 
 	if (rc < 0)
ba9a699 
 		cmsreterr(-1, cms, "could not encode extended key usage");
ba9a699
ba9a699 
-	rc = wrap_in_seq(cms, &wrapped, values, modsign_only);
ba9a699 
+	rc = wrap_in_seq(cms, &wrapped, values, modsign_eku);
ba9a699 
 	if (rc < 0)
ba9a699 
 		cmsreterr(-1, cms, "could not encode extended key usage");
ba9a699
ba9a699 
-
ba9a699 
 	status = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE,
ba9a699 
 					&wrapped, PR_FALSE, PR_TRUE);
ba9a699 
 	if (status != SECSuccess)
ba9a699 
@@ -311,7 +320,7 @@ static int
ba9a699 
 add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
ba9a699 
 			int is_ca, int is_self_signed, SECKEYPublicKey *pubkey,
ba9a699 
 			SECKEYPublicKey *spubkey,
ba9a699 
-			char *url, int modsign_only)
ba9a699 
+			char *url, int modsign_eku)
ba9a699 
 {
ba9a699 
 	void *mark = PORT_ArenaMark(cms->arena);
ba9a699
ba9a699 
@@ -336,7 +345,7 @@ add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
ba9a699 
 	if (rc < 0)
ba9a699 
 		cmsreterr(-1, cms, "could not generate certificate extensions");
ba9a699
ba9a699 
-	rc = add_extended_key_usage(cms, modsign_only, extHandle);
ba9a699 
+	rc = add_extended_key_usage(cms, modsign_eku, extHandle);
ba9a699 
 	if (rc < 0)
ba9a699 
 		cmsreterr(-1, cms, "could not generate certificate extensions");
ba9a699
ba9a699 
@@ -486,7 +495,7 @@ int main(int argc, char *argv[])
ba9a699 
 {
ba9a699 
 	int is_ca = 0;
ba9a699 
 	int is_self_signed = -1;
ba9a699 
-	int modsign_only = 0;
ba9a699 
+	int modsign_eku = MODSIGN_EKU_NONE;
ba9a699 
 	char *tokenname = "NSS Certificate DB";
ba9a699 
 	char *signer = NULL;
ba9a699 
 	char *nickname = NULL;
ba9a699 
@@ -543,14 +552,14 @@ int main(int argc, char *argv[])
ba9a699 
 		{.longName = "kernel",
ba9a699 
 		 .shortName = 'k',
ba9a699 
 		 .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
ba9a699 
-		 .arg = &modsign_only,
ba9a699 
-		 .val = 1,
ba9a699 
+		 .arg = &modsign_eku,
ba9a699 
+		 .val = MODSIGN_EKU_KERNEL,
ba9a699 
 		 .descrip = "Generate a kernel-signing certificate" },
ba9a699 
 		{.longName = "module",
ba9a699 
 		 .shortName = 'm',
ba9a699 
 		 .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
ba9a699 
-		 .arg = &modsign_only,
ba9a699 
-		 .val = 2,
ba9a699 
+		 .arg = &modsign_eku,
ba9a699 
+		 .val = MODSIGN_EKU_MODULE,
ba9a699 
 		 .descrip = "Generate a module-signing certificate" },
ba9a699 
 		{.longName = "nickname",
ba9a699 
 		 .shortName = 'n',
ba9a699 
@@ -622,10 +631,12 @@ int main(int argc, char *argv[])
ba9a699 
 	/*
ba9a699 
 	 * Scenarios that are okay (x == valid combination)
ba9a699 
 	 *
ba9a699 
-	 *         is_ca        is_self_signed       pubkey
ba9a699 
-	 * i_c     x            x                    x
ba9a699 
-	 * i_s_s   x            x                    o
ba9a699 
-	 * pubkey  x            o                    o
ba9a699 
+	 *		is_ca   is_self_signed  pubkey	modules	kernel
ba9a699 
+	 * i_c		x       x               x	o	o
ba9a699 
+	 * i_s_s	x       x               o	o	o
ba9a699 
+	 * pubkey	x       o               x	x	x
ba9a699 
+	 * modules	o	x		x	x	x
ba9a699 
+	 * kernel	o	x		x	x	x
ba9a699 
 	 */
ba9a699
ba9a699 
 	if (is_self_signed == -1)
ba9a699 
@@ -660,8 +671,14 @@ int main(int argc, char *argv[])
ba9a699 
 			liberr(1, "could not allocate cms context");
ba9a699 
 	}
ba9a699
ba9a699 
-	if (modsign_only < 1 || modsign_only > 2)
ba9a699 
+	if (is_ca) {
ba9a699 
+		if (modsign_eku != MODSIGN_EKU_NONE)
ba9a699 
+			errx(1, "CA certificates cannot have kernel or module signing credentials.");
ba9a699 
+		modsign_eku = MODSIGN_EKU_CA;
ba9a699 
+	} else if (modsign_eku != MODSIGN_EKU_KERNEL
ba9a699 
+		   && modsign_eku != MODSIGN_EKU_MODULE) {
ba9a699 
 		errx(1, "either --kernel or --module must be used");
ba9a699 
+	}
ba9a699
ba9a699 
 	SECStatus status = NSS_InitReadWrite(dbdir);
ba9a699 
 	if (status != SECSuccess)
ba9a699 
@@ -752,7 +769,7 @@ int main(int argc, char *argv[])
ba9a699 
 	crq = CERT_CreateCertificateRequest(name, spki, &attributes);
ba9a699
ba9a699 
 	rc = add_extensions_to_crq(cms, crq, is_ca, is_self_signed, pubkey,
ba9a699 
-					spubkey, url, modsign_only);
ba9a699 
+					spubkey, url, modsign_eku);
ba9a699 
 	if (rc < 0)
ba9a699 
 		exit(1);
ba9a699
ba9a699 
diff --git a/src/efikeygen.1 b/src/efikeygen.1
ba9a699 
index 255fadc3979..88ee7c2f7c0 100644
ba9a699 
--- a/src/efikeygen.1
ba9a699 
+++ b/src/efikeygen.1
ba9a699 
@@ -33,11 +33,13 @@ Nickname of certificate to be used to sign the generated certificate.
ba9a699
ba9a699 
 .TP
ba9a699 
 \fB-\-kernel\fR
ba9a699 
-The generated certificate is to be used to sign kernels.
ba9a699 
+The generated certificate is to be used to sign kernels.  Not to be used for CA
ba9a699 
+certificates.
ba9a699
ba9a699 
 .TP
ba9a699 
 \fB-\-module\fR
ba9a699 
-The generated certificate is to be used to sign kernel modules.
ba9a699 
+The generated certificate is to be used to sign kernel modules.  Not to be used
ba9a699 
+for CA certificates.
ba9a699
ba9a699 
 .TP
ba9a699 
 \fB-\-token\fR=\fItoken\fR
ba9a699 
--
ba9a699 
2.29.2
ba9a699
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.