diff options
author | Martin Szulecki | 2013-09-06 14:27:13 +0200 |
---|---|---|
committer | Martin Szulecki | 2013-09-17 11:43:34 +0200 |
commit | 4804da75c979419a2d37f7f3e6bf06cc77e71235 (patch) | |
tree | b057909c8c90ca555a373c5846e39da7dc9f8dcc /src | |
parent | e2f5717487f6950ff6253ccce6a967b0ad9ebbea (diff) | |
download | libimobiledevice-4804da75c979419a2d37f7f3e6bf06cc77e71235.tar.gz libimobiledevice-4804da75c979419a2d37f7f3e6bf06cc77e71235.tar.bz2 |
lockdown: Fix generation of x509 subject key identifier extension for GnuTLS
Diffstat (limited to 'src')
-rw-r--r-- | src/lockdown.c | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/src/lockdown.c b/src/lockdown.c index 2b0ab89..9f4864e 100644 --- a/src/lockdown.c +++ b/src/lockdown.c @@ -38,6 +38,7 @@ #else #include <libtasn1.h> #include <gnutls/x509.h> +#include <gnutls/crypto.h> #endif #include <plist/plist.h> @@ -1495,13 +1496,17 @@ lockdownd_error_t lockdownd_gen_pair_cert_for_udid(const char *udid, key_data_t gnutls_x509_crt_set_ca_status(dev_cert, 0); gnutls_x509_crt_set_activation_time(dev_cert, time(NULL)); gnutls_x509_crt_set_expiration_time(dev_cert, time(NULL) + (60 * 60 * 24 * 365 * 10)); - /* FIXME calculate subject key id correctly */ -#if 0 - unsigned char hash[20]; - size_t hash_size = sizeof(hash); - gnutls_x509_crt_get_key_id(dev_cert, 0, (unsigned char*)hash, &hash_size); - gnutls_x509_crt_set_subject_key_id(dev_cert, hash, hash_size); -#endif + + /* use custom hash generation for compatibility with the "Apple ecosystem" */ + const gnutls_digest_algorithm_t dig_sha1 = GNUTLS_DIG_SHA1; + size_t hash_size = gnutls_hash_get_len(dig_sha1); + unsigned char hash[hash_size]; + if (gnutls_hash_fast(dig_sha1, der_pub_key.data, der_pub_key.size, (unsigned char*)&hash) < 0) { + debug_info("ERROR: Failed to generate SHA1 for public key"); + } else { + gnutls_x509_crt_set_subject_key_id(dev_cert, hash, hash_size); + } + gnutls_x509_crt_set_key_usage(dev_cert, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT); gnutls_x509_crt_sign(dev_cert, root_cert, root_privkey); |