Verify the self-signed signature on PKCS 10 cert requests before honoring

them. Bug 174193. git-svn-id: svn://10.0.0.236/trunk@132267 18797224-902f-48f8-a5cc-f745e15eee43
2002-10-18 21:58:24 +00:00 · 2002-10-18 21:58:24 +00:00 · 2a6f78cf87
commit 2a6f78cf87
parent c7d7a44190
4 changed files with 54 additions and 1 deletions
--- a/mozilla/security/nss/cmd/certutil/certutil.c
+++ b/mozilla/security/nss/cmd/certutil/certutil.c
@ -242,6 +242,12 @@ GetCertRequest(PRFileDesc *inFile, PRBool ascii)
 		SEC_ASN1_GET(CERT_CertificateRequestTemplate), &signedData.data);
   } while (0);

+   if (!rv) {
+   	rv = CERT_VerifySignedDataWithPubKeyInfo(&signedData, 
+					         &certReq->subjectPublicKeyInfo,
+					         NULL /* wincx */);
+   }
+
   if (rv) {
       PRErrorCode  perr = PR_GetError();
       fprintf(stderr, "%s: unable to decode DER cert request (%s)\n", progName,
--- a/mozilla/security/nss/lib/certdb/cert.h
+++ b/mozilla/security/nss/lib/certdb/cert.h
@ -34,7 +34,7 @@
 /*
 * cert.h - public data structures and prototypes for the certificate library
 *
- * $Id: cert.h,v 1.25 2002-10-05 02:24:23 jpierre%netscape.com Exp $
+ * $Id: cert.h,v 1.26 2002-10-18 21:58:18 nelsonb%netscape.com Exp $
 */

 #ifndef _CERT_H_
@ -266,6 +266,8 @@ extern KeyType CERT_GetCertKeyType (CERTSubjectPublicKeyInfo *spki);
 */
 extern SECStatus CERT_InitCertDB(CERTCertDBHandle *handle);

+extern int CERT_GetDBContentVersion(CERTCertDBHandle *handle);
+
 /*
 ** Default certificate database routines
 */
@ -559,6 +561,13 @@ extern SECStatus CERT_VerifySignedData(CERTSignedData *sd,
 				       CERTCertificate *cert,
 				       int64 t,
 				       void *wincx);
+/*
+** verify the signature of a signed data object with the given DER publickey
+*/
+extern SECStatus
+CERT_VerifySignedDataWithPubKeyInfo(CERTSignedData *sd,
+                                    CERTSubjectPublicKeyInfo *pubKeyInfo,
+                                    void *wincx);

 /*
 ** NEW FUNCTIONS with new bit-field-FIELD SECCertificateUsage - please use
--- a/mozilla/security/nss/lib/certhigh/certvfy.c
+++ b/mozilla/security/nss/lib/certhigh/certvfy.c
@ -89,6 +89,38 @@ CERT_CertTimesValid(CERTCertificate *c)
    return(SECSuccess);
 }

+/*
+ * verify the signature of a signed data object with the given DER publickey
+ */
+SECStatus
+CERT_VerifySignedDataWithPubKeyInfo(CERTSignedData *sd, 
+                                    CERTSubjectPublicKeyInfo *pubKeyInfo,
+		                    void *wincx)
+{
+    SECKEYPublicKey *pubKey;
+    SECStatus        rv;
+    SECOidTag        algid;
+    SECItem          sig;
+
+    /* get cert's public key */
+    pubKey = SECKEY_ExtractPublicKey(pubKeyInfo);
+    if ( !pubKey )
+	return SECFailure;
+
+    /* check the signature */
+    sig = sd->signature;
+    /* convert sig->len from bit counts to byte count. */
+    DER_ConvertBitString(&sig);
+
+    algid = SECOID_GetAlgorithmTag(&sd->signatureAlgorithm);
+    rv = VFY_VerifyData(sd->data.data, sd->data.len, pubKey, &sig,
+			algid, wincx);
+
+    SECKEY_DestroyPublicKey(pubKey);
+
+    return rv ? SECFailure : SECSuccess;
+}
+
 /*
 * verify the signature of a signed data object with the given certificate
 */
--- a/mozilla/security/nss/lib/nss/nss.def
+++ b/mozilla/security/nss/lib/nss/nss.def
@ -714,3 +714,9 @@ SECKEY_CopyPublicKey;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.7 { 	# NSS 3.7 release
+;+    global:
+CERT_VerifySignedDataWithPubKeyInfo;
+;+    local:
+;+       *;
+;+};