From 4804da75c979419a2d37f7f3e6bf06cc77e71235 Mon Sep 17 00:00:00 2001 From: Martin Szulecki Date: Fri, 6 Sep 2013 14:27:13 +0200 Subject: lockdown: Fix generation of x509 subject key identifier extension for GnuTLS --- src/lockdown.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/src/lockdown.c b/src/lockdown.c index 2b0ab89..9f4864e 100644 --- a/src/lockdown.c +++ b/src/lockdown.c @@ -38,6 +38,7 @@ #else #include #include +#include #endif #include @@ -1495,13 +1496,17 @@ lockdownd_error_t lockdownd_gen_pair_cert_for_udid(const char *udid, key_data_t gnutls_x509_crt_set_ca_status(dev_cert, 0); gnutls_x509_crt_set_activation_time(dev_cert, time(NULL)); gnutls_x509_crt_set_expiration_time(dev_cert, time(NULL) + (60 * 60 * 24 * 365 * 10)); - /* FIXME calculate subject key id correctly */ -#if 0 - unsigned char hash[20]; - size_t hash_size = sizeof(hash); - gnutls_x509_crt_get_key_id(dev_cert, 0, (unsigned char*)hash, &hash_size); - gnutls_x509_crt_set_subject_key_id(dev_cert, hash, hash_size); -#endif + + /* use custom hash generation for compatibility with the "Apple ecosystem" */ + const gnutls_digest_algorithm_t dig_sha1 = GNUTLS_DIG_SHA1; + size_t hash_size = gnutls_hash_get_len(dig_sha1); + unsigned char hash[hash_size]; + if (gnutls_hash_fast(dig_sha1, der_pub_key.data, der_pub_key.size, (unsigned char*)&hash) < 0) { + debug_info("ERROR: Failed to generate SHA1 for public key"); + } else { + gnutls_x509_crt_set_subject_key_id(dev_cert, hash, hash_size); + } + gnutls_x509_crt_set_key_usage(dev_cert, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT); gnutls_x509_crt_sign(dev_cert, root_cert, root_privkey); -- cgit v1.1-32-gdbae