From 4804da75c979419a2d37f7f3e6bf06cc77e71235 Mon Sep 17 00:00:00 2001
From: Martin Szulecki
Date: Fri, 6 Sep 2013 14:27:13 +0200
Subject: lockdown: Fix generation of x509 subject key identifier extension for
 GnuTLS

---
 src/lockdown.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

(limited to 'src')

diff --git a/src/lockdown.c b/src/lockdown.c
index 2b0ab89..9f4864e 100644
--- a/src/lockdown.c
+++ b/src/lockdown.c
@@ -38,6 +38,7 @@
 #else
 #include <libtasn1.h>
 #include <gnutls/x509.h>
+#include <gnutls/crypto.h>
 #endif
 #include <plist/plist.h>
 
@@ -1495,13 +1496,17 @@ lockdownd_error_t lockdownd_gen_pair_cert_for_udid(const char *udid, key_data_t
 				gnutls_x509_crt_set_ca_status(dev_cert, 0);
 				gnutls_x509_crt_set_activation_time(dev_cert, time(NULL));
 				gnutls_x509_crt_set_expiration_time(dev_cert, time(NULL) + (60 * 60 * 24 * 365 * 10));
-				/* FIXME calculate subject key id correctly */
-#if 0
-				unsigned char hash[20];
-				size_t hash_size = sizeof(hash);
-				gnutls_x509_crt_get_key_id(dev_cert, 0, (unsigned char*)hash, &hash_size);
-				gnutls_x509_crt_set_subject_key_id(dev_cert, hash, hash_size);
-#endif
+
+				/* use custom hash generation for compatibility with the "Apple ecosystem" */
+				const gnutls_digest_algorithm_t dig_sha1 = GNUTLS_DIG_SHA1;
+				size_t hash_size = gnutls_hash_get_len(dig_sha1);
+				unsigned char hash[hash_size];
+				if (gnutls_hash_fast(dig_sha1, der_pub_key.data, der_pub_key.size, (unsigned char*)&hash) < 0) {
+					debug_info("ERROR: Failed to generate SHA1 for public key");
+				} else {
+					gnutls_x509_crt_set_subject_key_id(dev_cert, hash, hash_size);
+				}
+
 				gnutls_x509_crt_set_key_usage(dev_cert, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT);
 				gnutls_x509_crt_sign(dev_cert, root_cert, root_privkey);
 
-- 
cgit v1.1-32-gdbae