lockdown: Fix generation of x509 subject key identifier extension for GnuTLS

author: Martin Szulecki 2013-09-06 14:27:13 +0200
committer: Martin Szulecki 2013-09-17 11:43:34 +0200
commit: 4804da75c979419a2d37f7f3e6bf06cc77e71235 (patch)
tree: b057909c8c90ca555a373c5846e39da7dc9f8dcc /src
parent: e2f5717487f6950ff6253ccce6a967b0ad9ebbea (diff)
download: libimobiledevice-4804da75c979419a2d37f7f3e6bf06cc77e71235.tar.gz
libimobiledevice-4804da75c979419a2d37f7f3e6bf06cc77e71235.tar.bz2
1 files changed, 12 insertions, 7 deletions
diff --git a/src/lockdown.c b/src/lockdown.c
index 2b0ab89..9f4864e 100644
--- a/src/lockdown.c
+++ b/src/lockdown.c
@@ -38,6 +38,7 @@
 #else
 #include <libtasn1.h>
 #include <gnutls/x509.h>
+#include <gnutls/crypto.h>
 #endif
 #include <plist/plist.h>
@@ -1495,13 +1496,17 @@ lockdownd_error_t lockdownd_gen_pair_cert_for_udid(const char *udid, key_data_t
                                gnutls_x509_crt_set_ca_status(dev_cert, 0);
                                gnutls_x509_crt_set_activation_time(dev_cert, time(NULL));
                                gnutls_x509_crt_set_expiration_time(dev_cert, time(NULL) + (60 * 60 * 24 * 365 * 10));
-                                /* FIXME calculate subject key id correctly */
-#if 0
+                                /* use custom hash generation for compatibility with the "Apple ecosystem" */
-                                unsigned char hash[20];
+                                const gnutls_digest_algorithm_t dig_sha1 = GNUTLS_DIG_SHA1;
-                                size_t hash_size = sizeof(hash);
+                                size_t hash_size = gnutls_hash_get_len(dig_sha1);
-                                gnutls_x509_crt_get_key_id(dev_cert, 0, (unsigned char*)hash, &hash_size);
+                                unsigned char hash[hash_size];
-                                gnutls_x509_crt_set_subject_key_id(dev_cert, hash, hash_size);
+                                if (gnutls_hash_fast(dig_sha1, der_pub_key.data, der_pub_key.size, (unsigned char*)&hash) < 0) {
-#endif
+                                        debug_info("ERROR: Failed to generate SHA1 for public key");
+                                } else {
+                                        gnutls_x509_crt_set_subject_key_id(dev_cert, hash, hash_size);
+                                }
                                gnutls_x509_crt_set_key_usage(dev_cert, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT);
                                gnutls_x509_crt_sign(dev_cert, root_cert, root_privkey);
author	Martin Szulecki	2013-09-06 14:27:13 +0200
committer	Martin Szulecki	2013-09-17 11:43:34 +0200
commit	4804da75c979419a2d37f7f3e6bf06cc77e71235 (patch)
tree	b057909c8c90ca555a373c5846e39da7dc9f8dcc /src
parent	e2f5717487f6950ff6253ccce6a967b0ad9ebbea (diff)
download	libimobiledevice-4804da75c979419a2d37f7f3e6bf06cc77e71235.tar.gz libimobiledevice-4804da75c979419a2d37f7f3e6bf06cc77e71235.tar.bz2

diff --git a/src/lockdown.c b/src/lockdown.c index 2b0ab89..9f4864e 100644 --- a/src/lockdown.c +++ b/src/lockdown.c
@@ -38,6 +38,7 @@
38	#else	38	#else
39	#include <libtasn1.h>	39	#include <libtasn1.h>
40	#include <gnutls/x509.h>	40	#include <gnutls/x509.h>
		41	#include <gnutls/crypto.h>
41	#endif	42	#endif
42	#include <plist/plist.h>	43	#include <plist/plist.h>
43		44
@@ -1495,13 +1496,17 @@ lockdownd_error_t lockdownd_gen_pair_cert_for_udid(const char *udid, key_data_t
1495	gnutls_x509_crt_set_ca_status(dev_cert, 0);	1496	gnutls_x509_crt_set_ca_status(dev_cert, 0);
1496	gnutls_x509_crt_set_activation_time(dev_cert, time(NULL));	1497	gnutls_x509_crt_set_activation_time(dev_cert, time(NULL));
1497	gnutls_x509_crt_set_expiration_time(dev_cert, time(NULL) + (60 * 60 * 24 * 365 * 10));	1498	gnutls_x509_crt_set_expiration_time(dev_cert, time(NULL) + (60 * 60 * 24 * 365 * 10));
1498	/* FIXME calculate subject key id correctly */	1499
1499	#if 0	1500	/* use custom hash generation for compatibility with the "Apple ecosystem" */
1500	unsigned char hash[20];	1501	const gnutls_digest_algorithm_t dig_sha1 = GNUTLS_DIG_SHA1;
1501	size_t hash_size = sizeof(hash);	1502	size_t hash_size = gnutls_hash_get_len(dig_sha1);
1502	gnutls_x509_crt_get_key_id(dev_cert, 0, (unsigned char*)hash, &hash_size);	1503	unsigned char hash[hash_size];
1503	gnutls_x509_crt_set_subject_key_id(dev_cert, hash, hash_size);	1504	if (gnutls_hash_fast(dig_sha1, der_pub_key.data, der_pub_key.size, (unsigned char*)&hash) < 0) {
1504	#endif	1505	debug_info("ERROR: Failed to generate SHA1 for public key");
		1506	} else {
		1507	gnutls_x509_crt_set_subject_key_id(dev_cert, hash, hash_size);
		1508	}
		1509
1505	gnutls_x509_crt_set_key_usage(dev_cert, GNUTLS_KEY_DIGITAL_SIGNATURE \| GNUTLS_KEY_KEY_ENCIPHERMENT);	1510	gnutls_x509_crt_set_key_usage(dev_cert, GNUTLS_KEY_DIGITAL_SIGNATURE \| GNUTLS_KEY_KEY_ENCIPHERMENT);
1506	gnutls_x509_crt_sign(dev_cert, root_cert, root_privkey);	1511	gnutls_x509_crt_sign(dev_cert, root_cert, root_privkey);
1507		1512