Skip to content

Commit

Permalink
(xmlsec-mscng, xmlsec-mscrypto) Support multiple trusted certs with s…
Browse files Browse the repository at this point in the history
…ame subject
  • Loading branch information
lsh123 committed Jul 18, 2024
1 parent 3e92e7c commit 277a73c
Show file tree
Hide file tree
Showing 3 changed files with 69 additions and 46 deletions.
45 changes: 23 additions & 22 deletions src/mscng/x509vfy.c
Original file line number Diff line number Diff line change
Expand Up @@ -455,32 +455,33 @@ xmlSecMSCngX509StoreContainsCert(HCERTSTORE store, CERT_NAME_BLOB* name,
xmlSecAssert2(name != NULL, -1);
xmlSecAssert2(cert != NULL, -1);

storeCert = CertFindCertificateInStore(store,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
0,
CERT_FIND_SUBJECT_NAME,
name,
NULL);
if (storeCert == NULL) {
return (0);
}
while (TRUE) {
storeCert = CertFindCertificateInStore(store,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
0,
CERT_FIND_SUBJECT_NAME,
name,
storeCert);
if (storeCert == NULL) {
return (0);
}

ret = xmlSecMSCngX509StoreVerifySubject(cert, storeCert);
if (ret < 0) {
xmlSecInternalError("xmlSecMSCngX509StoreVerifySubject", NULL);
CertFreeCertificateContext(storeCert);
return(-1);
} else if (ret == 0) {
xmlSecOtherError(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
NULL,
"xmlSecMSCngX509StoreVerifySubject");
ret = xmlSecMSCngX509StoreVerifySubject(cert, storeCert);
if (ret < 0) {
xmlSecInternalError("xmlSecMSCngX509StoreVerifySubject", NULL);
continue; /* storeCert will be released in the next CertFindCertificateInStore() call */
} else if (ret == 0) {
xmlSecOtherError(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED, NULL, "xmlSecMSCngX509StoreVerifySubject");
continue; /* storeCert will be released in the next CertFindCertificateInStore() call */
}

/* success */
CertFreeCertificateContext(storeCert);
return(-1);
return(1);
}

/* success */
CertFreeCertificateContext(storeCert);
return(1);
/* no luck */
return (0);
}

static int
Expand Down
47 changes: 25 additions & 22 deletions src/mscrypto/x509vfy.c
Original file line number Diff line number Diff line change
Expand Up @@ -364,32 +364,35 @@ xmlSecMSCryptoX509StoreContainsCert(HCERTSTORE store, CERT_NAME_BLOB* name,
xmlSecAssert2(cert != NULL, -1);
xmlSecAssert2(keyDataStore != NULL, -1);

storeCert = CertFindCertificateInStore(store,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
0,
CERT_FIND_SUBJECT_NAME,
name,
NULL);
if (storeCert == NULL) {
return (0);
}
while (TRUE) {
storeCert = CertFindCertificateInStore(store,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
0,
CERT_FIND_SUBJECT_NAME,
name,
storeCert);
if (storeCert == NULL) {
return (0);
}

ret = xmlSecMSCryptoX509StoreVerifySubject(keyDataStore, cert, storeCert);
if (ret < 0) {
xmlSecInternalError("xmlSecMSCryptoX509StoreVerifySubject", NULL);
CertFreeCertificateContext(storeCert);
return(-1);
} else if (ret == 0) {
xmlSecOtherError(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
NULL,
"xmlSecMSCryptoX509StoreVerifySubject");
ret = xmlSecMSCryptoX509StoreVerifySubject(keyDataStore, cert, storeCert);
if (ret < 0) {
xmlSecInternalError("xmlSecMSCryptoX509StoreVerifySubject", NULL);
continue; /* storeCert will be released in the next CertFindCertificateInStore() call */
} else if (ret == 0) {
xmlSecOtherError(XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
NULL,
"xmlSecMSCryptoX509StoreVerifySubject");
continue; /* storeCert will be released in the next CertFindCertificateInStore() call */
}

/* success */
CertFreeCertificateContext(storeCert);
return(-1);
return(1);
}

/* success */
CertFreeCertificateContext(storeCert);
return(1);
/* no luck */
return (0);
}


Expand Down
23 changes: 21 additions & 2 deletions tests/testDSig.sh
Original file line number Diff line number Diff line change
Expand Up @@ -1172,7 +1172,8 @@ execDSigTest $res_success \

# Test was created using the following command:
# xmlsec.exe sign --crypto openssl --lax-key-search --privkey-pem tests/keys/same-subj-key1.pem,tests/keys/same-subj-cert1.pem tests/aleksey-xmldsig-01/enveloped-x509-same-subj-cert.tmpl
# this should succeeed with both intermidiate and trusted certs provided

# this should succeeed with good cert
extra_message="Cert chaing is good"
execDSigTest $res_success \
"" \
Expand All @@ -1181,7 +1182,7 @@ execDSigTest $res_success \
"x509" \
"--trusted-$cert_format $topfolder/keys/same-subj-cert1.$cert_format --enabled-key-data x509"

# this should fail: missing intermidiate cert (ca2cert)
# this should fail: Same subject but wrong cert
extra_message="Negative test: Same subject but wrong cert"
execDSigTest $res_fail \
"" \
Expand All @@ -1190,6 +1191,24 @@ execDSigTest $res_fail \
"x509" \
"--trusted-$cert_format $topfolder/keys/same-subj-cert2.$cert_format --enabled-key-data x509"

# this should succeeed with both good (cert1) and bad (cert2) certs present (simulating key rotation)
extra_message="Cert chaing is good: both good (cert1) and bad (cert2) certs present"
execDSigTest $res_success \
"" \
"aleksey-xmldsig-01/enveloped-x509-same-subj-cert" \
"sha256 rsa-sha256" \
"x509" \
"--trusted-$cert_format $topfolder/keys/same-subj-cert1.$cert_format --trusted-$cert_format $topfolder/keys/same-subj-cert2.$cert_format --enabled-key-data x509"

# this should succeeed with both bad (cert2) and good (cert1) certs present (simulating key rotation)
extra_message="Cert chaing is good: both bad (cert2) and good (cert1) certs present"
execDSigTest $res_success \
"" \
"aleksey-xmldsig-01/enveloped-x509-same-subj-cert" \
"sha256 rsa-sha256" \
"x509" \
"--trusted-$cert_format $topfolder/keys/same-subj-cert2.$cert_format --trusted-$cert_format $topfolder/keys/same-subj-cert1.$cert_format --enabled-key-data x509"


# Test was created using the following command:
# xmlsec1 sign --lax-key-search --privkey-pem tests/keys/rsakey.pem,tests/keys/rsacert.pem tests/aleksey-xmldsig-01/enveloped-x509-missing-cert.tmpl
Expand Down

0 comments on commit 277a73c

Please sign in to comment.