micord/ervu-sign-module
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

SUPPORT-8924. Добавлена проверка KeyUsage сертификата для подписи

Browse source 
(cherry picked from commit 6d835c0958)
This commit is contained in:
Наиля Алашкова 2025-02-18 09:54:37 +03:00
parent 706de87d4a
commit 339a8f9b1b
3 changed files with 61 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

1
src/utils/capi.c
View file

@ -32,6 +32,7 @@ capi_function_list_init(library_t *lib, capi_function_list_t *fl)
LIBRARY_RESOLVE(fl->CertVerifyCertificateChainPolicy, lib, "CertVerifyCertificateChainPolicy");
LIBRARY_RESOLVE(fl->CertFreeCertificateChain, lib, "CertFreeCertificateChain");
LIBRARY_RESOLVE(fl->CryptGenRandom, lib, "CryptGenRandom");
LIBRARY_RESOLVE(fl->CertGetIntendedKeyUsage, lib, "CertGetIntendedKeyUsage");
#ifdef UNICODE
LIBRARY_RESOLVE(fl->CryptSignHash, lib, "CryptSignHashW");

9
src/utils/capi.h
View file

@ -207,6 +207,14 @@ DECLARE_FN(WINADVAPI,
DWORD dwLen,
BYTE *pbBuffer));
DECLARE_FN(WINADVAPI,
BOOL,
CERT_GET_INTENDED_KEY_USAGE,
(DWORD dwCertEncodingType,
PCERT_INFO pCertInfo,
BYTE *pbKeyUsage,
IN DWORD cbKeyUsage));
#ifdef UNICODE
#define CRYPT_SIGN_HASH_FN CRYPT_SIGN_HASH_W_FN
#define CRYPT_VERIFY_SIGNATURE_FN CRYPT_VERIFY_SIGNATURE_W_FN
@ -241,6 +249,7 @@ typedef struct {
CERT_VERIFY_CERTIFICATE_CHAIN_POLICY_FN CertVerifyCertificateChainPolicy;
CERT_FREE_CERTIFICATE_CHAIN_FN CertFreeCertificateChain;
CRYPT_GEN_RANDOM_FN CryptGenRandom;
CERT_GET_INTENDED_KEY_USAGE_FN CertGetIntendedKeyUsage;
} capi_function_list_t;

67
src/utils/cryptopro.c
View file

@ -206,26 +206,34 @@ exit:
return is_verified;
}
static void
log_sign_hash_data_last_error()
static bool
check_cert_key_usage(PCCERT_CONTEXT certificate)
{
DWORD error = cp_function_list.GetLastError();
bool is_digital_signature_key_usage = false;
BYTE key_usage;
switch (error) {
case ERROR_FUNCTION_FAILED:
LOG_ERROR("sign_hash_data exit with error. Last error code: "
"license is expired or not yet valid (0x%08x)", error);
break;
LOG_TRACE("check_cert_key_usage enter");
case SCARD_W_WRONG_CHV:
LOG_ERROR("sign_hash_data exit with error. Last error code: "
"the wrong PIN was presented (0x%08x)", error);
break;
default:
LOG_ERROR("sign_hash_data exit with error. Last error code: 0x%08x", error);
break;
if (cp_function_list.CertGetIntendedKeyUsage(
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
certificate->pCertInfo,
&key_usage,
sizeof(key_usage))) {
if (key_usage & CERT_DIGITAL_SIGNATURE_KEY_USAGE) {
is_digital_signature_key_usage = true;
}
} else {
LOG_ERROR("CertGetIntendedKeyUsage failed: 0x%08x", cp_function_list.GetLastError());
}
if (is_digital_signature_key_usage) {
LOG_DEBUG("Certificate KeyUsage contains digitalSignature");
} else {
LOG_ERROR("Certificate KeyUsage does not contain digitalSignature");
}
LOG_TRACE("check_cert_key_usage exit");
return is_digital_signature_key_usage;
}
int
@ -243,6 +251,11 @@ open_signer_cert(cryptopro_context_t *ctx)
goto error;
}
if (!check_cert_key_usage(ctx->signer_cert)) {
goto error;
}
LOG_TRACE("open_signer_cert exit");
return 0;
@ -270,6 +283,28 @@ close_signer_cert(cryptopro_context_t *ctx)
LOG_TRACE("close_signer_cert exit");
}
static void
log_sign_hash_data_last_error()
{
DWORD error = cp_function_list.GetLastError();
switch (error) {
case ERROR_FUNCTION_FAILED:
LOG_ERROR("sign_hash_data exit with error. Last error code: "
"license is expired or not yet valid (0x%08x)", error);
break;
case SCARD_W_WRONG_CHV:
LOG_ERROR("sign_hash_data exit with error. Last error code: "
"the wrong PIN was presented (0x%08x)", error);
break;
default:
LOG_ERROR("sign_hash_data exit with error. Last error code: 0x%08x", error);
break;
}
}
static int
sign_hash_data(const cryptopro_context_t *ctx, const str_t *data, /*out*/ str_t *sign)
{