Attachment 634838 Details for Bug 870864 – Patch1: Add extended key usage to the tools

[patch] Patch1: Add extended key usage to the tools

0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch (text/plain), 7.15 KB, created by Elio Maldonado Batiz on 2012-10-29 02:49:58 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Elio Maldonado Batiz

Created: 2012-10-29 02:49:58 UTC

Size: 7.15 KB

patch

obsolete

>From b160c63113c7403c296ccb893c6049655e18e667 Mon Sep 17 00:00:00 2001
>From: Peter Jones <pjones@redhat.com>
>Date: Wed, 10 Oct 2012 09:44:50 -0400
>Subject: [PATCH] Add extended key usage for MS Authenticode Code Signing.
>
>We need this for Secure Boot keys.  For a detailed list of OIDs
>involved, google for "Object IDs associated with Microsoft
>cryptography".  We use several of these with SB, but only need support
>here (at this time) for generating certificates with the code signing EKU.
>
>Signed-off-by: Peter Jones <nss-owner@fedoraproject.org>
>---
> mozilla/security/nss/cmd/certcgi/ca_form.html       |  1 +
> mozilla/security/nss/cmd/certcgi/certcgi.c          |  4 ++++
> mozilla/security/nss/cmd/certcgi/stnd_ext_form.html |  1 +
> mozilla/security/nss/cmd/certutil/certext.c         |  5 +++++
> mozilla/security/nss/cmd/certutil/certutil.c        |  2 +-
> mozilla/security/nss/lib/util/secoid.c              | 13 +++++++++++++
> mozilla/security/nss/lib/util/secoidt.h             |  4 ++++
> 7 files changed, 29 insertions(+), 1 deletion(-)
>
>diff --git a/mozilla/security/nss/cmd/certcgi/ca_form.html b/mozilla/security/nss/cmd/certcgi/ca_form.html
>index cb3e195..7faafba 100644
>--- a/mozilla/security/nss/cmd/certcgi/ca_form.html
>+++ b/mozilla/security/nss/cmd/certcgi/ca_form.html
>@@ -199,6 +199,7 @@
>     <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
>     <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
>     <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
>+    <input type="checkbox" name="extKeyUsage-msCodeSign"> Microsoft Code Signing</P>
>     </tr>
>     <tr>
>     <td>
>diff --git a/mozilla/security/nss/cmd/certcgi/certcgi.c b/mozilla/security/nss/cmd/certcgi/certcgi.c
>index 038b55f..28d6d7f 100644
>--- a/mozilla/security/nss/cmd/certcgi/certcgi.c
>+++ b/mozilla/security/nss/cmd/certcgi/certcgi.c
>@@ -876,6 +876,11 @@ AddExtKeyUsage(void *extHandle, Pair *data)
>     if( SECSuccess != rv ) goto loser;
>   }
> 
>+  if( find_field_bool(data, "extKeyUsage-msCodeSign", PR_TRUE) ) {
>+    rv = AddOidToSequence(os, szOID_KP_CTL_USAGE_SIGNING);
>+    if( SECSuccess != rv ) goto loser;
>+  }
>+
>   if( find_field_bool(data, "extKeyUsage-NS-govtApproved", PR_TRUE) ) {
>     rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);
>     if( SECSuccess != rv ) goto loser;
>diff --git a/mozilla/security/nss/cmd/certcgi/stnd_ext_form.html b/mozilla/security/nss/cmd/certcgi/stnd_ext_form.html
>index de5d795..9e55322 100644
>--- a/mozilla/security/nss/cmd/certcgi/stnd_ext_form.html
>+++ b/mozilla/security/nss/cmd/certcgi/stnd_ext_form.html
>@@ -66,6 +66,7 @@
>     <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
>     <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
>     <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
>+    <input type="checkbox" name="extKeyUsage-msCodeSign"> Microsoft Code Signing</P>
>     </tr>
>     <tr>
>     <td>
>diff --git a/mozilla/security/nss/cmd/certutil/certext.c b/mozilla/security/nss/cmd/certutil/certext.c
>index b9ccfbf..d83a08d 100644
>--- a/mozilla/security/nss/cmd/certutil/certext.c
>+++ b/mozilla/security/nss/cmd/certutil/certext.c
>@@ -516,6 +516,7 @@ extKeyUsageKeyWordArray[] = { "serverAuth",
>                               "timeStamp",
>                               "ocspResponder",
>                               "stepUp",
>+                              "msCodeSigning",
>                               NULL};
> 
> static SECStatus 
>@@ -544,6 +545,7 @@ AddExtKeyUsage (void *extHandle, const char *userSuppliedValue)
>                     "\t\t4 - Timestamp\n"
>                     "\t\t5 - OCSP Responder\n"
>                     "\t\t6 - Step-up\n"
>+                    "\t\t7 - MS Code Signing\n"
>                     "\t\tOther to finish\n",
>                     buffer, sizeof(buffer)) == SECFailure) {
>                 GEN_BREAK(SECFailure);
>@@ -587,6 +589,9 @@ AddExtKeyUsage (void *extHandle, const char *userSuppliedValue)
>         case 6:
>             rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);
>             break;
>+        case 7:
>+            rv = AddOidToSequence(os, szOID_KP_CTL_USAGE_SIGNING);
>+            break;
>         default:
>             goto endloop;
>         }
>diff --git a/mozilla/security/nss/cmd/certutil/certutil.c b/mozilla/security/nss/cmd/certutil/certutil.c
>index 88e4037..0c7eaed 100644
>--- a/mozilla/security/nss/cmd/certutil/certutil.c
>+++ b/mozilla/security/nss/cmd/certutil/certutil.c
>@@ -1176,7 +1176,7 @@ static void luC(enum usage_level ul, const char *command)
>               "%-20s Create extended key usage extension. Possible keywords:\n"
>               "%-20s \"serverAuth\", \"clientAuth\",\"codeSigning\",\n"
>               "%-20s \"emailProtection\", \"timeStamp\",\"ocspResponder\",\n"
>-              "%-20s \"stepUp\", \"critical\"\n",
>+              "%-20s \"stepUp\", \"msCodeSign\", \"critical\"\n",
>         "   -6 | --extKeyUsage keyword,keyword,...", "", "", "", "");
>     FPS "%-20s Create an email subject alt name extension\n",
>         "   -7 emailAddrs");
>diff --git a/mozilla/security/nss/lib/util/secoid.c b/mozilla/security/nss/lib/util/secoid.c
>index c722897..32831ad 100644
>--- a/mozilla/security/nss/lib/util/secoid.c
>+++ b/mozilla/security/nss/lib/util/secoid.c
>@@ -179,6 +179,12 @@ const char __nss_util_sccsid[] = "@(#)NSS " NSSUTIL_VERSION _DEBUG_STRING
> /* { 1.3.6.1.4.1.311 } */
> #define MICROSOFT_OID 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37
> #define EV_NAME_ATTRIBUTE 	MICROSOFT_OID, 60, 2, 1
>+/* Microsoft Crypto 2.0 ID space */
>+/* { 1.3.6.1.4.1.311.10 } */
>+#define MS_CRYPTO_20		MICROSOFT_OID, 10
>+/* Microsoft Crypto 2.0 Extended Key Usage ID space */
>+/* { 1.3.6.1.4.1.311.10.3 } */
>+#define MS_CRYPTO_EKU		MS_CRYPTO_20, 3
> 
> #define CERTICOM_OID            0x2b, 0x81, 0x04
> #define SECG_OID                CERTICOM_OID, 0x00
>@@ -481,6 +487,7 @@ CONST_OID pkixExtendedKeyUsageCodeSign[]      	= { PKIX_KEY_USAGE, 3 };
> CONST_OID pkixExtendedKeyUsageEMailProtect[]  	= { PKIX_KEY_USAGE, 4 };
> CONST_OID pkixExtendedKeyUsageTimeStamp[]     	= { PKIX_KEY_USAGE, 8 };
> CONST_OID pkixOCSPResponderExtendedKeyUsage[] 	= { PKIX_KEY_USAGE, 9 };
>+CONST_OID msExtendedKeyUsageCodeSigning[]      = { MS_CRYPTO_EKU, 1 };
> 
> /* OIDs for Netscape defined algorithms */
> CONST_OID netscapeSMimeKEA[] 			= { NETSCAPE_ALGS, 0x01 };
>@@ -1659,6 +1666,10 @@ const static SECOidData oids[SEC_OID_TOTAL] = {
>         "Business Category",
> 	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
> 
>+    OD( msExtendedKeyUsageCodeSigning, szOID_KP_CTL_USAGE_SIGNING,
>+        "Microsoft Authenticode Code Signing",
>+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
>+
> };
> 
> /* PRIVATE EXTENDED SECOID Table
>diff --git a/mozilla/security/nss/lib/util/secoidt.h b/mozilla/security/nss/lib/util/secoidt.h
>index 24c8547..5c57862 100644
>--- a/mozilla/security/nss/lib/util/secoidt.h
>+++ b/mozilla/security/nss/lib/util/secoidt.h
>@@ -466,6 +466,10 @@ typedef enum {
>     SEC_OID_EV_INCORPORATION_COUNTRY        = 312,
>     SEC_OID_BUSINESS_CATEGORY               = 313,
> 
>+    /* Microsoft Authenticode OIDs */
>+    /* using the terrible microsoft name here... */
>+    szOID_KP_CTL_USAGE_SIGNING              = 314,
>+
>     SEC_OID_TOTAL
> } SECOidTag;
> 
>-- 
>1.7.12.1
>

Actions: View | Diff

Attachments on bug 870864: 634838 | 634839 | 634848 | 634849 | 634850 | 636948 | 636949 | 636950 | 641077 | 644478