[xmltooling] 10/15: CPPXT-114 - ExplicitKeyTrustEngine doesn't handle EC in the OpenSSL case
Ferenc Wágner
wferi at moszumanska.debian.org
Fri Sep 8 22:04:27 UTC 2017
wferi pushed a commit to branch master
in repository xmltooling.
commit 3f9febcc15e5036b55a610d4d244b2e550790a03
Author: Scott Cantor <cantor.2 at osu.edu>
Date: Fri Apr 14 17:10:20 2017 -0400
CPPXT-114 - ExplicitKeyTrustEngine doesn't handle EC in the OpenSSL case
https://issues.shibboleth.net/jira/browse/CPPXT-114
Fix build on OpenSSL 1.0.2 and guard EC key usage with ifdefs for older cases.
---
xmltooling/security/impl/ExplicitKeyTrustEngine.cpp | 14 ++++++++++----
xmltooling/security/impl/OpenSSLSupport.h | 1 +
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
index 75a782e..92a0bed 100644
--- a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
+++ b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
@@ -279,20 +279,26 @@ bool ExplicitKeyTrustEngine::validate(
log.debug("end-entity certificate matches peer RSA key information");
break;
}
- } else if (EVP_PKEY_id(evp) == EVP_PKEY_DSA) {
+ }
+ else if (EVP_PKEY_id(evp) == EVP_PKEY_DSA) {
found = OpenSSLSecurityHelper::matchesPublic(EVP_PKEY_get0_DSA(evp), *key);
if (found) {
log.debug("end-entity certificate matches peer RSA key information");
break;
}
- } else if (EVP_PKEY_id(evp) == EVP_PKEY_EC) {
+ }
+#if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC)
+ else if (EVP_PKEY_id(evp) == EVP_PKEY_EC) {
found = OpenSSLSecurityHelper::matchesPublic(EVP_PKEY_get0_EC_KEY(evp), *key);
if (found) {
- log.debug("end-entity certificate matches peer RSA key information");
+ log.debug("end-entity certificate matches peer EC key information");
break;
}
- } else
+ }
+#endif
+ else {
log.warn("unknown peer key type, skipping...");
+ }
}
EVP_PKEY_free(evp);
if (!found)
diff --git a/xmltooling/security/impl/OpenSSLSupport.h b/xmltooling/security/impl/OpenSSLSupport.h
index cf3e799..c4601df 100644
--- a/xmltooling/security/impl/OpenSSLSupport.h
+++ b/xmltooling/security/impl/OpenSSLSupport.h
@@ -34,6 +34,7 @@
# define EVP_PKEY_get0_DSA(_pkey_) ((_pkey_)->pkey.dsa)
# define EVP_PKEY_get0_RSA(_pkey_) ((_pkey_)->pkey.rsa)
+# define EVP_PKEY_get0_EC_KEY(_pkey_) ((_pkey_)->pkey.ec)
#endif
#if (OPENSSL_VERSION_NUMBER < 0x10000000L)
--