diff options
| author | Wyllys Ingersoll <wyllys.ingersoll@sun.com> | 2010-06-21 08:34:53 -0700 |
|---|---|---|
| committer | Wyllys Ingersoll <wyllys.ingersoll@sun.com> | 2010-06-21 08:34:53 -0700 |
| commit | f5880f733dae6fbca929002abbce77c9c77dbf6a (patch) | |
| tree | 9fca4782d817f074c89a56fc1a7739b28b961272 /usr/src/lib/libkmf | |
| parent | f02131e024f67c2f5ecda4e85e852a0edb3cea0a (diff) | |
| download | illumos-gate-f5880f733dae6fbca929002abbce77c9c77dbf6a.tar.gz | |
6961704 KMF generates certificates with bad signatures
Diffstat (limited to 'usr/src/lib/libkmf')
| -rw-r--r-- | usr/src/lib/libkmf/libkmf/common/certop.c | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/usr/src/lib/libkmf/libkmf/common/certop.c b/usr/src/lib/libkmf/libkmf/common/certop.c index a866deb5d5..a111690158 100644 --- a/usr/src/lib/libkmf/libkmf/common/certop.c +++ b/usr/src/lib/libkmf/libkmf/common/certop.c @@ -3033,6 +3033,18 @@ sign_cert(KMF_HANDLE_T handle, signature_oid); if (ret) goto cleanup; + + /* Free the previous "data to be signed" block */ + kmf_free_data(&data_to_sign); + + /* + * We changed the cert (updated the signature OID), so we + * need to re-encode it so the correct data gets signed. + */ + ret = DerEncodeTbsCertificate(&subj_cert->certificate, + &data_to_sign); + if (ret != KMF_OK) + goto cleanup; } kmf_set_attr_at_index(attrlist, i, KMF_KEYSTORE_TYPE_ATTR, &Signkey->kstype, sizeof (KMF_KEYSTORE_TYPE)); @@ -3088,7 +3100,11 @@ sign_cert(KMF_HANDLE_T handle, subj_cert->signature.encrypted = signature; } else { - subj_cert->signature.encrypted = signed_data; + ret = copy_data(&subj_cert->signature.encrypted, &signed_data); + kmf_free_data(&signed_data); + + if (ret != KMF_OK) + goto cleanup; } /* Now, re-encode the cert with the new signature */ |