diff options
author | Jeremy Barton <jbarton@microsoft.com> | 2017-08-07 21:38:28 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-08-07 21:38:28 +0300 |
commit | 5536941c95dc011928de209df46989a143a1492b (patch) | |
tree | 24fe32424db6983a35c2cf0fe737bef80ae84ceb /src | |
parent | 525d6ae50fa8f982ac186083e9dc8563fe50e7a0 (diff) | |
parent | fec742c21f867501ad3c9ff9a8d5ba48fe475ab2 (diff) |
Merge pull request #22967 from bartonjs/linux_selfsigned_sigcheck
Make OpenSSL verify self-issued signature integrity to match Windows
Diffstat (limited to 'src')
3 files changed, 54 insertions, 1 deletions
diff --git a/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.h b/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.h index 9cd689d991..3e405b09da 100644 --- a/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.h +++ b/src/Native/Unix/System.Security.Cryptography.Native/opensslshim.h @@ -325,6 +325,7 @@ int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p, PER_FUNCTION_BLOCK(X509_STORE_CTX_get_error_depth, true) \ PER_FUNCTION_BLOCK(X509_STORE_CTX_init, true) \ PER_FUNCTION_BLOCK(X509_STORE_CTX_new, true) \ + PER_FUNCTION_BLOCK(X509_STORE_CTX_set_flags, true) \ PER_FUNCTION_BLOCK(X509_STORE_CTX_set_verify_cb, true) \ PER_FUNCTION_BLOCK(X509_STORE_free, true) \ PER_FUNCTION_BLOCK(X509_STORE_new, true) \ @@ -615,6 +616,7 @@ FOR_ALL_OPENSSL_FUNCTIONS #define X509_STORE_CTX_get_error_depth X509_STORE_CTX_get_error_depth_ptr #define X509_STORE_CTX_init X509_STORE_CTX_init_ptr #define X509_STORE_CTX_new X509_STORE_CTX_new_ptr +#define X509_STORE_CTX_set_flags X509_STORE_CTX_set_flags_ptr #define X509_STORE_CTX_set_verify_cb X509_STORE_CTX_set_verify_cb_ptr #define X509_STORE_free X509_STORE_free_ptr #define X509_STORE_new X509_STORE_new_ptr diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_x509.cpp b/src/Native/Unix/System.Security.Cryptography.Native/pal_x509.cpp index 0a3dfcc2c8..3118c9aa2c 100644 --- a/src/Native/Unix/System.Security.Cryptography.Native/pal_x509.cpp +++ b/src/Native/Unix/System.Security.Cryptography.Native/pal_x509.cpp @@ -208,7 +208,14 @@ extern "C" void CryptoNative_X509StoreCtxDestroy(X509_STORE_CTX* v) extern "C" int32_t CryptoNative_X509StoreCtxInit(X509_STORE_CTX* ctx, X509_STORE* store, X509* x509, X509Stack* extraStore) { - return X509_STORE_CTX_init(ctx, store, x509, extraStore); + int32_t val = X509_STORE_CTX_init(ctx, store, x509, extraStore); + + if (val != 0) + { + X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE); + } + + return val; } extern "C" int32_t CryptoNative_X509VerifyCert(X509_STORE_CTX* ctx) diff --git a/src/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs b/src/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs index 3d1d44ec5a..7cf8db6023 100644 --- a/src/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs +++ b/src/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs @@ -5,6 +5,7 @@ using System.Collections.Generic; using System.IO; using System.Linq; +using System.Runtime.InteropServices; using System.Text; using System.Threading; using Xunit; @@ -630,5 +631,48 @@ namespace System.Security.Cryptography.X509Certificates.Tests using (var chain = X509Chain.Create()) Assert.NotNull(chain); } + + [Fact] + public static void InvalidSelfSignedSignature() + { + X509ChainStatusFlags expectedFlags; + + if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) + { + expectedFlags = X509ChainStatusFlags.NotSignatureValid; + } + else if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX)) + { + expectedFlags = X509ChainStatusFlags.UntrustedRoot; + } + else + { + expectedFlags = + X509ChainStatusFlags.NotSignatureValid | + X509ChainStatusFlags.UntrustedRoot; + } + + byte[] certBytes = (byte[])TestData.MicrosoftDotComRootBytes.Clone(); + // The signature goes up to the very last byte, so flip some bits in it. + certBytes[certBytes.Length - 1] ^= 0xFF; + + using (var cert = new X509Certificate2(certBytes)) + using (ChainHolder holder = new ChainHolder()) + { + X509Chain chain = holder.Chain; + X509ChainPolicy policy = chain.ChainPolicy; + policy.VerificationTime = cert.NotBefore.AddDays(3); + policy.RevocationMode = X509RevocationMode.NoCheck; + + chain.Build(cert); + + X509ChainStatusFlags allFlags = + chain.ChainStatus.Select(cs => cs.Status).Aggregate( + X509ChainStatusFlags.NoError, + (a, b) => a | b); + + Assert.Equal(expectedFlags, allFlags); + } + } } } |