pkgsrc-Changes-HG archive


[pkgsrc/pkg_install-renovation]: pkgsrc/pkgtools/pkg_install/files/lib Furthe...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/24ec297bfc01
branches:  pkg_install-renovation
changeset: 541567:24ec297bfc01
user:      joerg <joerg%pkgsrc.org@localhost>
date:      Wed Jul 23 18:59:18 2008 +0000

description:
Further analysis shows that OpenSSL refuses signature validation if key
usage attributes are present and emailProtection is not included, so
require it as well as codeSigning.

diffstat:

 pkgtools/pkg_install/files/lib/pkcs7.c |  16 ++++++++++------
 1 files changed, 10 insertions(+), 6 deletions(-)

diffs (51 lines):

diff -r f3eeb983955e -r 24ec297bfc01 pkgtools/pkg_install/files/lib/pkcs7.c
--- a/pkgtools/pkg_install/files/lib/pkcs7.c    Tue Jul 22 20:14:48 2008 +0000
+++ b/pkgtools/pkg_install/files/lib/pkcs7.c    Wed Jul 23 18:59:18 2008 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: pkcs7.c,v 1.1.2.5 2008/07/21 22:15:09 joerg Exp $      */
+/*     $NetBSD: pkcs7.c,v 1.1.2.6 2008/07/23 18:59:18 joerg Exp $      */
 #if HAVE_CONFIG_H
 #include "config.h"
 #endif
@@ -7,7 +7,7 @@
 #include <sys/cdefs.h>
 #endif
 
-__RCSID("$NetBSD: pkcs7.c,v 1.1.2.5 2008/07/21 22:15:09 joerg Exp $");
+__RCSID("$NetBSD: pkcs7.c,v 1.1.2.6 2008/07/23 18:59:18 joerg Exp $");
 
 /*-
  * Copyright (c) 2004, 2008 The NetBSD Foundation, Inc.
@@ -56,6 +56,8 @@
 #define __UNCONST(a)   ((void *)(unsigned long)(const void *)(a))
 #endif
 
+static const int pkg_key_usage = XKU_CODE_SIGN | XKU_SMIME;
+
 static int
 check_ca(X509 *cert)
 {
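Review bot: The new constant `pkg_key_usage` has no comment explaining why a package-signing certificate must also carry the S/MIME usage; that reason exists only in the commit message. A comment above the definition, such as `/* OpenSSL's PKCS#7 verification rejects signers whose usage lacks emailProtection, so require it together with codeSigning. */`, would stop a later maintainer from removing `XKU_SMIME` as unrelated to package signing. Doing so would silently break verification rather than tighten it.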
@@ -183,8 +185,9 @@
                        goto cleanup;
                }
                if (is_pkg) {
-                       if (sk_X509_value(signers, i)->ex_xkusage != XKU_CODE_SIGN) {
-                               warnx("Certificate must have CODE SIGNING property");
+                       if (sk_X509_value(signers, i)->ex_xkusage != pkg_key_usage) {
+                               warnx("Certificate must have CODE SIGNING "
+                                   "and EMAIL PROTECTION property");
                                goto cleanup;
                        }
                } else {
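Review bot: The test `ex_xkusage != pkg_key_usage` is an exact match, so a signer certificate with codeSigning, emailProtection and any further extended key usage is rejected, while the warning only says the certificate must have the two properties. If exact match is the intended policy, state it in a comment and in the message; if extra usages are acceptable, the check would be `(sk_X509_value(signers, i)->ex_xkusage & pkg_key_usage) != pkg_key_usage`. The same comparison and message appear in the last hunk on `certificate->ex_xkusage`. `ex_xkusage` is a cached field that OpenSSL fills only once it has parsed the certificate's extensions (for example through `X509_check_purpose`). Both enclosing functions start outside the hunks, so confirm that parsing has happened before these reads; otherwise the field is presumably still zero and every certificate is refused.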
@@ -267,8 +270,9 @@
                goto cleanup;
        }
 
-       if (certificate->ex_xkusage != XKU_CODE_SIGN) {
-               warnx("Certificate must have CODE SIGNING property");
+       if (certificate->ex_xkusage != pkg_key_usage) {
+               warnx("Certificate must have CODE SIGNING "
+                   "and EMAIL PROTECTION property");
                goto cleanup;
        }
 


