X-Sender: sayuri@pop.terisa.com Date: Fri, 25 Jul 1997 11:40:06 -0700 From: Sayuri Nishimura Subject: patches for setref v1.0 Enclosed at the end of this message are three patches for SETREF version 1.0. patch-setref-19970715-1.0 This fixes an obscure bug in the encoding of default DEFAULT values. patch-setref-19970716-1.0 TransStain is now added to PReq. patch-setref-19970721-1.0 This fixes a bug in handling crl certs. The patchs are diff files that you can apply to your original setref v1.0 source by using unix command "patch". For example, do the following to apply the first patch. cd setref patch < patch-setref-19970715-1.0 Regards, sayuri %%%%%%%%%%%% patch-setref-19970715-1.0 %%%%%%%%%%%% Patch Number: 19970715 Patches Version: 1.0 Prerequisites: None Comments: This fixes an obscure bug in the encoding of default DEFAULT values. diff -r -c /prod/ship/set/v1_0/build/sunos413/setref/a2c/runtime/src/IMPLICIT_TAG.c ./a2c/runtime/src/IMPLICIT_TAG.c *** /prod/ship/set/v1_0/build/sunos413/setref/a2c/runtime/src/IMPLICIT_TAG.c Mon Jun 30 19:27:40 1997 --- ./a2c/runtime/src/IMPLICIT_TAG.c Tue Jul 15 10:46:03 1997 *************** *** 119,125 **** --- 119,156 ---- status = check_tag(ctx, module, selector, index); switch (status) { case NO_ERROR: /* do nothing */ break; + #if 0 + /* old code */ case A2C_WARN_WRONG_TAG: return A2C_WARN_WRONG_TAG; break; + #else + case A2C_WARN_WRONG_TAG: + + if (module->types[selector].template[*index].flags & FLAG_DEFAULT) { + UINT4 hold_tag = get_current_tag(ctx); + while (module->types[selector].template[*index].tag_tagging != TAGGING_BASE) { + ++*index; + } + set_current_tag(ctx,0); /* always invalid with explicit tagging */ + status = GET_VTBL(module->types[selector].template[*index].vtbl)-> + decode(instream, ctx, module, selector, index, data, error); + set_current_tag(ctx,hold_tag); + ++*index; /* get past EOC */ + switch (status) { + case A2C_WARN_DEFAULT: + /* this is what we're expecting */ + break; + case NO_ERROR: + 
ERETURN(A2C_ERR_INTERNAL); + break; + default: + ERETURN(status); + break; + } + return A2C_WARN_DEFAULT; + } + else + return A2C_WARN_WRONG_TAG; break; + #endif default: ERETURN(status); break; } *************** *** 147,153 **** ++*index; status = __encode(outstream, ctx, module, selector, index, data, error); ! if (status != NO_ERROR) ERETURN(status); return NO_ERROR; } --- 178,188 ---- ++*index; status = __encode(outstream, ctx, module, selector, index, data, error); ! if (status == A2C_WARN_DEFAULT) { ! /* do nothing */ ! } ! else ! if (status != NO_ERROR) ERETURN(status); return NO_ERROR; } %%%%%%%%%%%% patch-setref-19970716-1.0 %%%%%%%%%%%% Patch Number: 19970716 Patches Version: 1.0 Prerequisites: None Comments: TransStain is now added to PReq. diff -r -c /prod/ship/set/v1_0/build/sunos413/setref/demo/src/demo.c ./demo/src/demo.c *** /prod/ship/set/v1_0/build/sunos413/setref/demo/src/demo.c Mon Jun 30 22:33:27 1997 --- ./demo/src/demo.c Wed Jul 16 13:43:34 1997 *************** *** 164,169 **** --- 164,170 ---- static char *MERCHANTID = "MerchantID"; static int REGFORMID = 56789; static char *CARDEXPIRY = "199901"; + static char *CARDSECRET = "cardsecretcardsecret"; static char *PANSECRET = "pansecretpansecretpa"; static int ERROR = 1; /* "unspecifiedFailure" */ *************** *** 5205,5210 **** --- 5206,5214 ---- /* open the cache associated with the appropriate transaction */ cache_name = lid2filename(lidc); status = create_cache_ctx_db(&msg_cache[0], cache_name); + assert(status == NO_ERROR); + + status = CACHE_put(msg_cache[0], STATE_CARDSECRET, &CARDSECRET); assert(status == NO_ERROR); msg_type = asn1set__Message__pReq; diff -r -c /prod/ship/set/v1_0/build/sunos413/setref/set_msg/src/PReq.c ./set_msg/src/PReq.c *** /prod/ship/set/v1_0/build/sunos413/setref/set_msg/src/PReq.c Mon Jun 30 19:37:27 1997 --- ./set_msg/src/PReq.c Wed Jul 16 13:43:34 1997 *************** *** 198,203 **** --- 198,206 ---- default: ERETURN(status); break; } + status = 
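Review bot: The added `while (module->types[selector].template[*index].tag_tagging != TAGGING_BASE) { ++*index; }` loop in the `A2C_WARN_WRONG_TAG` case has no upper bound, so it reads past the end of the template array if an entry chain ever lacks a `TAGGING_BASE` entry. No template length is visible in the hunk, so at minimum state the invariant above the loop, e.g. `/* every tagged entry chain ends in a TAGGING_BASE entry */`, and bound the loop if a count is available. `++*index; /* get past EOC */` also runs before `status` is inspected, so the error returns leave `*index` advanced; confirm that callers do not reuse it after a failure. The superseded branch kept under `#if 0` should be deleted rather than shipped, and the enclosing function starts and ends outside the hunk.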
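Review bot: The empty `if (status == A2C_WARN_DEFAULT) { /* do nothing */ } else if (status != NO_ERROR)` ladder after the `__encode` call hides the fact that a warning is deliberately turned into success. A single guard is easier to audit: `if (status != NO_ERROR && status != A2C_WARN_DEFAULT) ERETURN(status);`. A one-line comment should say why the warning is acceptable here, presumably because a value equal to its DEFAULT is legitimately omitted from the encoding; confirm that reading against the encoder.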
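Review bot: `CARDSECRET` is a fixed string literal, and the PReq.c part of this patch feeds the cached card secret into `build_HMAC` to make TransStain, so every transaction run through the demo shares one secret. That is fine for a demo, but the declaration should say so, e.g. `/* demo-only fixed value; a real cardholder application needs a per-card random secret */`, so that the constant is not carried into a deployment. The same remark applies to the neighbouring `PANSECRET`.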
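Review bot: The new `CACHE_put(msg_cache[0], STATE_CARDSECRET, &CARDSECRET)` passes the address of a `char *`, while PReq.c reads the same entry back into `WIP.cardSecret`, which PReq.h declares as `asn1set__Secret`. How the cache converts between the two is not visible in this patch, so confirm that the stored representation is what `CACHE_get` expects for `STATE_CARDSECRET`. The result is checked only with `assert`, which disappears under `NDEBUG`; a failed store would then surface later as a failure of the now-mandatory `CACHE_get` in PReq.c.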
CACHE_get(msg_cache[0], STATE_CARDSECRET, &WIP.cardSecret, heap); + if (status != NO_ERROR) ERETURN(status); + /* optional elements */ status = CACHE_get(msg_cache[0], STATE_CHALL_M, &OID.chall_M, heap); *************** *** 234,239 **** --- 237,243 ---- { int status = NO_ERROR; a2c_ctx codec; + ops_ctx crypto; PReq pReq = 0; int support = 0; UNUSED_ARG(msg_cache); *************** *** 244,249 **** --- 248,257 ---- pReq = safe_cast_PReq(msg); if (pReq == 0) ERETURN(SET_ERR_INTERNAL); + status = query_set_app_ctx(app_ctx, SET_APP_CTX_QUERY_OPS_CTX, &crypto); + if (status != NO_ERROR) ERETURN(SET_ERR_INTERNAL); + ASSERT(codec != 0); + status = query_set_app_ctx(app_ctx, SET_APP_CTX_QUERY_A2C_CTX, &codec); if (status != NO_ERROR) ERETURN(SET_ERR_INTERNAL); ASSERT(codec != 0); *************** *** 265,270 **** --- 273,283 ---- if (status != NO_ERROR) ERETURN(status); + /* make TransStain */ + status = build_HMAC(crypto, heap, &PIH.transStain, (asn__any*)&PIHTIDS.xid, + &WIP.cardSecret); + if (status != NO_ERROR) ERETURN(status); + /* at this point, gatewayKeyExchangeCID can be filled in using * either gkThumb (which came from PInitRes) or BrandID (which * came from PInitReq), or it can be left blank, to be filled *************** *** 520,526 **** status = build_EX(crypto, heap, &PRDS.piDualSigned.exPIData, &gateway, &WIP.encoded_lPIOI, ! &asn1set__id_set_content_PIData, &WIP.parameter, &asn1set__id_set_content_PANData); if (status != NO_ERROR) ERETURN(status); --- 533,539 ---- status = build_EX(crypto, heap, &PRDS.piDualSigned.exPIData, &gateway, &WIP.encoded_lPIOI, ! 
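Review bot: The `ASSERT(codec != 0);` added after the `SET_APP_CTX_QUERY_OPS_CTX` query tests the wrong variable. `codec` is declared without an initializer in the preceding hunk and is not assigned until the `SET_APP_CTX_QUERY_A2C_CTX` query that follows, so the assertion reads an indeterminate value and `crypto` is never checked. The line should be `ASSERT(crypto != 0);`. Initializing both handles at declaration (`a2c_ctx codec = 0;` and `ops_ctx crypto = 0;`) would make such a slip fail deterministically, assuming both are pointer-like handles as the comparisons with 0 suggest. The function body continues outside the hunk.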
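Review bot: The `build_HMAC` call casts `&PIHTIDS.xid` to `asn__any*`, which removes the compiler's check on what is actually being authenticated; if `build_HMAC` expects an encoded `asn__any`, the MAC would cover the wrong bytes without any diagnostic. The `/* make TransStain */` comment should state the construction and why the cast is valid, e.g. `/* TransStain = HMAC over XID, keyed with the cardholder's CardSecret */`. `WIP.cardSecret` is key material kept in the work-in-progress structure, and whether it is cleared when the message is released is not visible in this hunk.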
&asn1set__id_set_content_PIDualSignedTBE, &WIP.parameter, &asn1set__id_set_content_PANData); if (status != NO_ERROR) ERETURN(status); diff -r -c /prod/ship/set/v1_0/build/sunos413/setref/set_msg/src/PReq.h ./set_msg/src/PReq.h *** /prod/ship/set/v1_0/build/sunos413/setref/set_msg/src/PReq.h Mon Jun 30 19:37:29 1997 --- ./set_msg/src/PReq.h Wed Jul 16 14:36:29 1997 *************** *** 127,132 **** --- 127,133 ---- asn1set__PI pi; asn1set__AnyAny piSignatureTBS; asn__object_identifier tunnelingAlg; + asn1set__Secret cardSecret; } work_in_progress; } *i_PReq; diff -r -c /prod/ship/set/v1_0/build/sunos413/setref/set_msg/src/pi.c ./set_msg/src/pi.c *** /prod/ship/set/v1_0/build/sunos413/setref/set_msg/src/pi.c Mon Jun 30 19:38:13 1997 --- ./set_msg/src/pi.c Wed Jul 16 13:43:34 1997 *************** *** 158,164 **** SET_OPS_IDENTITY_USE(gateway, x509__KeyUsage__keyEncipherment); status = parse_EX(crypto, heap, &pids->exPIData, &gateway, &WIP.encoded_lPIOI, ! &asn1set__id_set_content_PIData, &WIP.parameter, &asn1set__id_set_content_PANData); COPY_OPS_IDENTITY_TO_CERT_IDENTITY(gateway, *GATEWAYKEYEXCHANGECID); if (status != NO_ERROR) ERETURN(status); --- 158,164 ---- SET_OPS_IDENTITY_USE(gateway, x509__KeyUsage__keyEncipherment); status = parse_EX(crypto, heap, &pids->exPIData, &gateway, &WIP.encoded_lPIOI, ! &asn1set__id_set_content_PIDualSignedTBE, &WIP.parameter, &asn1set__id_set_content_PANData); COPY_OPS_IDENTITY_TO_CERT_IDENTITY(gateway, *GATEWAYKEYEXCHANGECID); if (status != NO_ERROR) ERETURN(status); %%%%%%%%%%%% patch-setref-19970721-1.0 %%%%%%%%%%%% Patch Number: 19970716 Patches Version: 1.0 Prerequisites: None Comments: This fixes a bug in handling crl certs. 
diff -r -c /prod/ship/set/v1_0/build/sunos413/setref/setcert/src/setcert_chain.c ./setcert/src/setcert_chain.c *** /prod/ship/set/v1_0/build/sunos413/setref/setcert/src/setcert_chain.c Mon Jun 30 19:39:24 1997 --- ./setcert/src/setcert_chain.c Mon Jul 21 16:29:40 1997 *************** *** 530,537 **** --- 530,542 ---- } else { /* CA */ + #if 0 + if (BIT_IS_SET(KU(*exts), x509__KeyUsage__keyCertSign) || BIT_IS_SET(KU(*exts), x509__KeyUsage__cRLSign)) + #else + if (BIT_IS_SET(KU(*exts), x509__KeyUsage__keyCertSign)) + #endif { if (! BC(*exts).cA) BAD_DATA; if (! IS_PRESENT(BC(*exts), x509__BasicConstraintsSyntax__pathLenConstraint)) *************** *** 1074,1087 **** --- 1079,1098 ---- * CA. */ + #if 0 + if (BIT_IS_SET(KU(*subject_exts), x509__KeyUsage__keyCertSign) || BIT_IS_SET(KU(*subject_exts), x509__KeyUsage__cRLSign)) { + #endif if (! BC(*subject_exts).cA) ERETURN(SETCERT_ERR_INCORRECT_EXTN_DATA); + #if 0 + } else { if (BC(*subject_exts).cA) ERETURN(SETCERT_ERR_INCORRECT_EXTN_DATA); } + #endif /* *************** *** 1109,1114 **** --- 1120,1133 ---- if (status != NO_ERROR) ERETURN(status); + /* 6. if this is a root CA, make sure that the issuer and subject + * names are the same */ + if (BIT_IS_SET(CT(*subject_exts), asn1set__CertificateTypeSyntax__rca)) { + status = x509__Name_cmp(codec, heap, &subject->toBeSigned.issuer, + &subject->toBeSigned.subject); + if (status != 0) ERETURN(SETCERT_ERR_BAD_DN); + } + return NO_ERROR; } *************** *** 1142,1147 **** --- 1161,1167 ---- /* 2. 
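Review bot: A certificate that reaches the `/* CA */` branch asserting only `cRLSign` now skips the `BC(*exts).cA` and `pathLenConstraint` checks, since the new guard is `if (BIT_IS_SET(KU(*exts), x509__KeyUsage__keyCertSign))` alone; what is enforced for it instead lies outside the hunk. Add a comment above the condition stating the intended rule for CRL-signing certificates so the relaxation is reviewable. The previous condition should be removed rather than kept under `#if 0`; the later hunks of this file use the same `#if 0` pattern inside validation logic, where stale alternatives are easy to re-enable by mistake.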
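Review bot: With the key-usage test disabled, the surviving `if (! BC(*subject_exts).cA) ERETURN(SETCERT_ERR_INCORRECT_EXTN_DATA);` accepts any subject whose basicConstraints sets cA, without checking that `keyCertSign` is asserted. Unless key usage is enforced elsewhere, which is not visible here, a cA certificate lacking `keyCertSign` would pass this step; consider adding `if (! BIT_IS_SET(KU(*subject_exts), x509__KeyUsage__keyCertSign)) ERETURN(SETCERT_ERR_INCORRECT_EXTN_DATA);` next to it. The `#if 0` fragments split a brace pair across preprocessor blocks and should be deleted outright. The enclosing function starts outside the hunk.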
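Review bot: The new root-CA step stores the result of `x509__Name_cmp` in `status` and treats every non-zero value as a mismatch, so if the comparison can also report a failure of its own, that code is replaced by `SETCERT_ERR_BAD_DN`. A separate local such as `int differ = x509__Name_cmp(...);` keeps `status` reserved for error codes. Equal issuer and subject names only show that the certificate claims to be self-issued; the comment should say where the signature is verified against the certificate's own key, which is not visible in this hunk.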
validate the certificate */ + #if 0 if (BIT_IS_SET(CT(*decoded_exts), asn1set__CertificateTypeSyntax__card) || BIT_IS_SET(CT(*decoded_exts), asn1set__CertificateTypeSyntax__mer) || BIT_IS_SET(CT(*decoded_exts), asn1set__CertificateTypeSyntax__pgwy) *************** *** 1167,1172 **** --- 1187,1207 ---- if (status != NO_ERROR) ERETURN(status); } } + #else + if (BC(*decoded_exts).cA == 0) { + /* note, certificates owned by CAs are normal end-entity + * certificates when being used for any purpose but for + * signing certificates */ + status = validate_end_entity(codec, heap, decoded_cert, + decoded_exts, permitted_types, + key_usage); + if (status != NO_ERROR) ERETURN(status); + } + else { + status = validate_ca(codec, heap, decoded_cert, decoded_exts, + permitted_types, key_usage); + } + #endif return NO_ERROR; }
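Review bot: The result of `validate_ca(...)` in the new `else` branch is assigned to `status` and then dropped, because the next statement after `#endif` is `return NO_ERROR;`, so a CA certificate that fails validation is reported as valid. Add `if (status != NO_ERROR) ERETURN(status);` after the call, as the `validate_end_entity` branch already does. The branch is also chosen from `BC(*decoded_exts).cA`, a field of the certificate under validation, where the disabled code keyed on the certificate type. Confirm that `permitted_types` and `key_usage` still constrain a certificate whichever path its cA value selects.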