/** * Blacklist DigiNotar roots * http://codereview.chromium.org/7791032/ * https://bugzilla.mozilla.org/show_bug.cgi?id=682956 **/ int check_diginotar_blacklist(SecCertificateRefP cert) { int i; CFDataRef pkh_data = SecCertificateCopyPublicKeySHA1Digest(cert); if( pkh_data == NULL) return 0; const UInt8* pkh = CFDataGetBytePtr(pkh_data); if( pkh == NULL) return 0; for(i=0; i < NUM_DIGINOTAR_PKHS; i++) { if(!memcmp(pkh, diginotar_pkhs[i], PKH_SIZE)) { syslog(LOG_WARNING, "iSSLFix: blocking DigiNotar certificate"); CFRelease(pkh_data); return 1; } } CFRelease(pkh_data); return 0; }
/* algId refers to the hash we'll perform in issuer name and key */ certId->algId.algorithm = CSSMOID_SHA1; /* preencoded DER NULL */ static uint8_t nullParam[2] = {5, 0}; certId->algId.parameters.Data = nullParam; certId->algId.parameters.Length = sizeof(nullParam); /* @@@ Change this from using SecCertificateCopyIssuerSHA1Digest() / SecCertificateCopyPublicKeySHA1Digest() to SecCertificateCopyIssuerSequence() / SecCertificateGetPublicKeyData() and call SecDigestCreate here instead. */ issuerNameDigest = SecCertificateCopyIssuerSHA1Digest(this->certificate); serial = SecCertificateCopySerialNumber(this->certificate); issuerPubKeyDigest = SecCertificateCopyPublicKeySHA1Digest(this->issuer); /* build the CertID from those components */ certId->issuerNameHash.Length = CC_SHA1_DIGEST_LENGTH; certId->issuerNameHash.Data = (uint8_t *)CFDataGetBytePtr(issuerNameDigest); certId->issuerPubKeyHash.Length = CC_SHA1_DIGEST_LENGTH; certId->issuerPubKeyHash.Data = (uint8_t *)CFDataGetBytePtr(issuerPubKeyDigest); certId->serialNumber.Length = CFDataGetLength(serial); certId->serialNumber.Data = (uint8_t *)CFDataGetBytePtr(serial); /* Build top level request with one entry in requestList, no signature, and no optional extensions. */ tbs->version = &vers; tbs->requestList = reqArray; /* Encode the request. */