From 18f2f93416a3c35111225edb55ac40ffc1181a52 Mon Sep 17 00:00:00 2001
From: "dunno@dunno" <dunno@dunno>
Date: Tue, 9 Oct 2018 10:40:06 -0400
Subject: [PATCH 3/4] Cryptlib: work around new CA rules
---
Cryptlib/Pk/CryptPkcs7Verify.c | 39 ++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/Cryptlib/Pk/CryptPkcs7Verify.c b/Cryptlib/Pk/CryptPkcs7Verify.c
index fe8e5950f9f..219c2bb1096 100644
--- a/Cryptlib/Pk/CryptPkcs7Verify.c
+++ b/Cryptlib/Pk/CryptPkcs7Verify.c
@@ -30,6 +30,43 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
+BOOLEAN ca_warning;
+
+void
+clear_ca_warning()
+{
+ ca_warning = FALSE;
+}
+
+BOOLEAN
+get_ca_warning()
+{
+ return ca_warning;
+}
+
+int
+X509VerifyCb (
+ IN int Status,
+ IN X509_STORE_CTX *Context
+ )
+{
+ INTN Error;
+
+ Error = (INTN) X509_STORE_CTX_get_error (Context);
+
+ if (Error == X509_V_ERR_INVALID_CA) {
+ /* Due to the historical reason, we have to relax the the x509 v3 extension
+ * check to allow the CA certificates without the CA flag in the basic
+ * constraints or KeyCertSign in the key usage to be loaded. In the future,
+ * this callback should be removed to enforce the proper check. */
+ ca_warning = TRUE;
+
+ return 1;
+ }
+
+ return Status;
+}
+
/**
Check input P7Data is a wrapped ContentInfo structure or not. If not construct
a new structure to wrap P7Data.
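Review bot: X509VerifyCb returns 1 for every X509_V_ERR_INVALID_CA it sees, without looking at which certificate in the chain raised it, so a non-CA certificate anywhere in the chain is accepted as an issuer for the whole verification rather than only the legacy anchors the comment describes; the override should at least be narrowed, for example by checking `X509_STORE_CTX_get_error_depth (Context)` and relaxing the error only at the depth where such legacy certificates are expected to sit (which depth that is cannot be told from this hunk). Because the callback turns the error into success, Pkcs7Verify will report the chain as valid and `ca_warning` is the only remaining signal, yet nothing here documents that; add above the definition `// Set to TRUE by X509VerifyCb when an X509_V_ERR_INVALID_CA was overridden; callers must clear_ca_warning() before verifying and check get_ca_warning() afterwards.`. The three new functions also lack the Doxygen header block the rest of the file uses for its functions. The empty parameter lists on `clear_ca_warning()` and `get_ca_warning()` are old-style declarations; write them as `clear_ca_warning (VOID)` and `get_ca_warning (VOID)` to match the file's prototypes.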
@@ -866,6 +903,8 @@ Pkcs7Verify (
goto _Exit;
}
+ X509_STORE_set_verify_cb (CertStore, X509VerifyCb);
+
//
// For generic PKCS#7 handling, InData may be NULL if the content is present
// in PKCS#7 structure. So ignore NULL checking here.
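Review bot: The callback is installed on CertStore without resetting ca_warning, so a TRUE left behind by an earlier Pkcs7Verify call is what get_ca_warning() reports for this verification unless every caller remembers to call clear_ca_warning() first; add `clear_ca_warning ();` on the line before `X509_STORE_set_verify_cb (CertStore, X509VerifyCb);` so the flag always describes the current call. Since X509VerifyCb turns X509_V_ERR_INVALID_CA into success, Pkcs7Verify's own return value will report such chains as verified and the flag is the only indication that a CA check was bypassed, which Pkcs7Verify's header comment should state. Pkcs7Verify starts and ends outside this hunk.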
--
2.17.1
|