[xmltooling] 14/24: CPPXT-110 OpenSSL 1.1 makes DSA opaque
Ferenc Wágner
wferi at moszumanska.debian.org
Fri Dec 16 11:56:12 UTC 2016
This is an automated email from the git hooks/post-receive script.
wferi pushed a commit to branch master
in repository xmltooling.
commit c3693a3bba7b3ec30fb4d6272ab8b2f8224d3175
Author: Rod Widdowson <rdw at steadingsoftware.com>
Date: Fri Jul 15 15:34:22 2016 +0100
CPPXT-110 OpenSSL 1.1 makes DSA opaque
https://issues.shibboleth.net/jira/browse/CPPXT-110
Add new functions to get the public and private key.
Call the new DSA_get0_key function in 1.1 and reach into
the structure otherwise.
(reapplied - previously backed out in bae0dd53)
---
.../security/impl/ExplicitKeyTrustEngine.cpp | 4 +++-
xmltooling/security/impl/OpenSSLSupport.cpp | 27 +++++++++++++++++++++-
xmltooling/security/impl/OpenSSLSupport.h | 7 ++++++
xmltooling/security/impl/SecurityHelper.cpp | 5 ++--
4 files changed, 39 insertions(+), 4 deletions(-)
diff --git a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
index 5f70a70..785d912 100644
--- a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
+++ b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
@@ -34,12 +34,14 @@
#include "signature/Signature.h"
#include "signature/SignatureValidator.h"
#include "util/NDC.h"
+#include "security/impl/OpenSSLSupport.h"
#include <xercesc/util/XMLUniDefs.hpp>
#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
#include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
#include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
+
using namespace xmlsignature;
using namespace xmltooling::logging;
using namespace xmltooling;
@@ -277,7 +279,7 @@ bool ExplicitKeyTrustEngine::validate(
{
DSA* dsa = static_cast<OpenSSLCryptoKeyDSA*>(key)->getOpenSSLDSA();
EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE));
- if (dsa && evp && evp->type == EVP_PKEY_DSA && BN_cmp(dsa->pub_key,evp->pkey.dsa->pub_key) == 0) {
+ if (dsa && evp && evp->type == EVP_PKEY_DSA && BN_cmp(DSA_get0_pubkey(dsa),DSA_get0_pubkey(evp->pkey.dsa)) == 0) {
if (evp)
EVP_PKEY_free(evp);
log.debug("end-entity certificate matches peer DSA key information");
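Review bot: The new condition still reads `evp->type` and `evp->pkey.dsa` directly, and EVP_PKEY is opaque in OpenSSL 1.1 just as DSA is, so this line should still fail to build against 1.1 unless a compatibility macro elsewhere covers those members. The type check can be written as `EVP_PKEY_base_id(evp) == EVP_PKEY_DSA`, which exists in 1.0.x as well, and the DSA handle needs an accessor (`EVP_PKEY_get0_DSA` in 1.1, with a version-guarded fallback in OpenSSLSupport next to DSA_get0_pubkey for older releases). BN_cmp also treats two NULL operands as equal, so a NULL public key on both sides would count as a match; checking the two `DSA_get0_pubkey` results for NULL before comparing closes that. ExplicitKeyTrustEngine::validate starts and ends outside this hunk.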
diff --git a/xmltooling/security/impl/OpenSSLSupport.cpp b/xmltooling/security/impl/OpenSSLSupport.cpp
index bedf872..e5d79a7 100644
--- a/xmltooling/security/impl/OpenSSLSupport.cpp
+++ b/xmltooling/security/impl/OpenSSLSupport.cpp
@@ -29,6 +29,8 @@
#include <openssl/x509_vfy.h>
#include <security/impl/OpenSSLSupport.h>
+using namespace xmltooling;
+
X509StoreCtxRAII::X509StoreCtxRAII() : m_context(X509_STORE_CTX_new()) {
}
@@ -56,7 +58,8 @@ STACK_OF(X509) *X509StoreCtxRAII::get0Chain() {
}
// the API to set the trusted stack changed in OpenSSL1.1
-void X509StoreCtxRAII::set0TrustedStack(STACK_OF(X509) *sk) {
+void X509StoreCtxRAII::set0TrustedStack(STACK_OF(X509) *sk)
+{
if (m_context) {
#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
X509_STORE_CTX_trusted_stack(m_context, sk);
@@ -65,3 +68,25 @@ void X509StoreCtxRAII::set0TrustedStack(STACK_OF(X509) *sk) {
#endif
}
}
+
+BIGNUM *DSA_get0_pubkey(const DSA *dsa)
+{
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+ return dsa->pub_key;
+#else
+ BIGNUM *result;
+ DSA_get0_key(dsa, &result, NULL);
+ return result;
+#endif
+}
+
+BIGNUM *DSA_get0_privkey(const DSA *dsa)
+{
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+ return dsa->priv_key;
+#else
+ BIGNUM *result;
+ DSA_get0_key(dsa, NULL, &result);
+ return result;
+#endif
+}
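Review bot: In the 1.1 branches of DSA_get0_pubkey and DSA_get0_privkey, `&result` is a `BIGNUM **`, but OpenSSL 1.1's `DSA_get0_key` takes `const BIGNUM **` out-parameters and C++ does not convert between the two, so as written this should not compile against 1.1; declaring `const BIGNUM *result = NULL;` and returning `const BIGNUM *` (matching the declarations in the OpenSSLSupport.h hunk) fixes that and the uninitialized local at once. The definitions are also placed at global scope under `using namespace xmltooling;`, while the header declares them inside `namespace xmltooling`; a using-directive does not put a definition into the namespace, so translation units that see only the header will resolve calls to `xmltooling::DSA_get0_pubkey` and find no definition at link time. Qualifying the definitions, `const BIGNUM *xmltooling::DSA_get0_pubkey(const DSA *dsa)` and likewise for DSA_get0_privkey, resolves this.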
diff --git a/xmltooling/security/impl/OpenSSLSupport.h b/xmltooling/security/impl/OpenSSLSupport.h
index ffaa390..74bd710 100644
--- a/xmltooling/security/impl/OpenSSLSupport.h
+++ b/xmltooling/security/impl/OpenSSLSupport.h
@@ -33,6 +33,7 @@
# define X509_STORE_CTX_get0_untrusted(ctx) (ctx->untrusted)
#endif
+namespace xmltooling {
// RAII for the now opaque X509_STORE_CTX
class X509StoreCtxRAII
{
@@ -51,3 +52,9 @@
private:
X509_STORE_CTX *m_context;
};
+
+
+ BIGNUM *DSA_get0_pubkey(const DSA *dsa);
+ BIGNUM *DSA_get0_privkey(const DSA *dsa);
+
+}
diff --git a/xmltooling/security/impl/SecurityHelper.cpp b/xmltooling/security/impl/SecurityHelper.cpp
index 0c15f05..bb2f016 100644
--- a/xmltooling/security/impl/SecurityHelper.cpp
+++ b/xmltooling/security/impl/SecurityHelper.cpp
@@ -30,6 +30,7 @@
#include "security/OpenSSLCryptoX509CRL.h"
#include "security/SecurityHelper.h"
#include "security/X509Credential.h"
+#include "security/impl/OpenSSLSupport.h"
#include "soap/HTTPSOAPTransport.h"
#include "util/NDC.h"
@@ -504,7 +505,7 @@ bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key
return false;
const DSA* dsa1 = static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA();
const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key2).getOpenSSLDSA();
- return (dsa1 && dsa2 && BN_cmp(dsa1->pub_key,dsa2->pub_key) == 0);
+ return (dsa1 && dsa2 && BN_cmp(DSA_get0_pubkey(dsa1),DSA_get0_pubkey(dsa2)) == 0);
}
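Review bot: DSA_get0_pubkey, and DSA_get0_privkey in the next hunk, can return NULL (a DSA object loaded from a public key has no private half), and BN_cmp treats two NULL operands as equal, so two such keys would compare as matching here and, more consequentially, in the private-half comparison below; the old direct field access had the same property, but this is the natural place to close it. Fetch the halves into locals and require both to be present: `const BIGNUM* b1 = DSA_get0_pubkey(dsa1); const BIGNUM* b2 = DSA_get0_pubkey(dsa2); return (b1 && b2 && BN_cmp(b1, b2) == 0);`, and the same with DSA_get0_privkey in the second hunk. Both SecurityHelper::matches bodies start outside their hunks.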
// For a private key, compare the private half.
@@ -513,7 +514,7 @@ bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key
return false;
const DSA* dsa1 = static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA();
const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key2).getOpenSSLDSA();
- return (dsa1 && dsa2 && BN_cmp(dsa1->priv_key,dsa2->priv_key) == 0);
+ return (dsa1 && dsa2 && BN_cmp(DSA_get0_privkey(dsa1),DSA_get0_privkey(dsa2)) == 0);
}
#if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC)
--