[kmf-discuss] KMF_SignCSR problem

Wyllys Ingersoll wyllys.ingersoll at sun.com
Mon Mar 19 06:32:38 PDT 2007


OK, I figured it out.

You must "zero" the CSR structure before you start building it.
ex:
  (void) memset(&req->tbs, 0, sizeof (KMF_CSR_DATA));

Otherwise, the "numberOfExtensions" counter inside the structure
is uninitialized and any non-zero value in that position will
potentially cause a SEGV when the "encode" routine sees it
and tries to walk the extension list.

Maybe we need to add a new function or macro for initializing
some of these structures.
Ex:
#define INITIALIZE_CSR_DATA(csrptr) (void) memset((void *)(csrptr), 0, sizeof (KMF_CSR_DATA))

I posted my own sample code for signing a csr in the "files" section
for reference.

-Wyllys


Massimiliano Pala wrote:
> I was wondering if there are required fields in the CSR before being
> able to sign it. I use the following:
> 
>   rv = KMF_SignCSR( lib_h, req->tbs, pkey->priv_key, req->data);
> 
> where:
> 
> - pkey->priv_key is a KMF_KEY_HANDLE (as returned from
> KMF_CreateKeyPair());
> 
> - pkey->pub_key is a KMF_KEY_HANDLE (as returned from KMF_CreateKeyPair());
> 
> - req->tbs is a KMF_CSR_DATA where I have correctly set:
>   * pubkey with --> KMF_SetCSRPubKey ( lib_h, pkey->pub_key, req->tbs);
>   * version number with --> KMF_SetCSRVersion( req->tbs, 2 );
>   * subject DN with --> KMF_SetCSRSubjectName ( req->tbs, &xname );
>     ( where xname is set with KMF_DNParser( "", &xname ))
> 
> The problem seems related to extensions, are they required? Since I am not
> setting any, now? (I also tried setting the version number to 0, but it
> does not help)
> 
> Maybe you could add some checks on the input in the encoding routines for
> bad values passed to the Sign routine :)
> 
> Thanks and have a good day!
> 
> Cheers,
> 
> 
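
The two points raised in this thread (zero the structure before building it, and have the encoder check its input) can be shown together in a small model. This is an added example, not code from the post or from KMF: the `demo_*` types and functions are hypothetical stand-ins that only mirror the "counter plus list pointer" shape described above, and `DEMO_MAX_EXT` is an assumed bound.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins, NOT the real KMF types: only the
 * "counter plus list pointer" shape from the message is modelled. */
typedef struct { const char *oid; size_t len; } demo_ext_t;
typedef struct {
    unsigned    version;
    size_t      numberOfExtensions;
    demo_ext_t *extensions;
} demo_csr_t;

#define DEMO_MAX_EXT 64 /* assumed sanity bound, not a KMF constant */
/* Expression macro: no trailing ';', argument parenthesized. */
#define DEMO_INIT_CSR(p) ((void) memset((p), 0, sizeof (demo_csr_t)))

/* Encoder-side check: refuse a counter the list cannot back up. */
int demo_csr_check(const demo_csr_t *c)
{
    if (c == NULL || c->numberOfExtensions > DEMO_MAX_EXT)
        return -1;
    if ((c->numberOfExtensions == 0) != (c->extensions == NULL))
        return -1;
    return 0;
}

/* Stand-in "encode": sums extension lengths, -1 on bad input. */
long demo_csr_encode(const demo_csr_t *c)
{
    long total = 0;
    if (demo_csr_check(c) != 0)
        return -1;
    for (size_t i = 0; i < c->numberOfExtensions; i++)
        total += (long)c->extensions[i].len;
    return total;
}

/* Build a CSR with no extensions, with or without zeroing first. */
long demo_build_and_encode(int zero_first)
{
    demo_csr_t csr;
    if (zero_first)
        DEMO_INIT_CSR(&csr);
    else
        memset(&csr, 0xA5, sizeof csr); /* constructed stale bytes */
    csr.version = 2;
    return demo_csr_encode(&csr);
}

int main(void)
{
    printf("stale:  %ld\n", demo_build_and_encode(0));
    printf("zeroed: %ld\n", demo_build_and_encode(1));
    return 0;
}
```

The check only catches implausible combinations: a small stale counter next to a non-NULL garbage pointer would still pass it, so zeroing the structure remains necessary.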



