[kmf-discuss] KMF code review (part II.)
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Thu Feb 14 11:29:37 PST 2008
Huie-Ying Lee wrote:
> Wyllys Ingersoll wrote:
>> Huie-Ying Lee wrote:
>>
>>> certop.c:
>>>
>>> The kmf_sign_data() API needs to be updated to check the key usage
>>> policy
>>> as well.
>>
>> It does - see line 583
>
> Hmm, I still didn't see it.
> In the webrev, certop.c, line 578-593 in kmf_sign_data() do not check
> the policy.
>
> --------------------------------------------------------------------------------
>
> 578 /*
> 579 * If a signer cert was given, use it to find the private key
> 580 * to use for signing the data.
> 581 */
> 582 if (signer_cert != NULL) {
> 583 ret = check_key_usage(handle, signer_cert,
> KMF_KU_SIGN_DATA);
> 584 585 /*
> 586 * Signing generic data does not require the
> 587 * KeyUsage extension.
> 588 */
> 589 if (ret == KMF_ERR_EXTENSION_NOT_FOUND)
> 590 ret = KMF_OK;
> 591 if (ret != KMF_OK)
> 592 return (ret);
> 593
> ------------------------------------------------------------------------------
>
>
> However, in kmf_sign_cert() (line 437-443), it checks the policy as
> below:
>
> --------------------------------------------------------------------------------
>
> 437 if (signer_cert != NULL) {
> 438 policy = handle->policy;
> 439 ret = check_key_usage(handle, signer_cert,
> KMF_KU_SIGN_CERT);
> 440 if (ret == KMF_ERR_EXTENSION_NOT_FOUND &&
> policy->ku_bits == 0)
> 441 ret = KMF_OK;
> 442 if (ret != KMF_OK)
> 443 return (ret);
> 444
> -------------------------------------------------------------------------------
>
>
>
> Have I looked at the same file as yours ? Have I overlooked anything ?
Oh I see, you are correct, I forgot the "policy->ku_bits" test. I will
add it.
Thanks,
Wyllys
More information about the kmf-discuss
mailing list