author | jpierre%netscape.com <devnull@localhost> | 2001-12-06 23:19:41 +0000 |
---|---|---|
committer | jpierre%netscape.com <devnull@localhost> | 2001-12-06 23:19:41 +0000 |
commit | dcc6dfe9caabd24242b21bf02dd839fc8b54cc37 (patch) | |
tree | 019faea51e3c3ab4e605567cc69d2ac365183b5a /security/nss/cmd/smimetools | |
parent | b6a588017b0dda5a2dd83c89f149145cf7368c4c (diff) | |
Fix for 108097 - allow cmsutil to work with dual-key certs for signing and encrypting
Diffstat (limited to 'security/nss/cmd/smimetools')
-rw-r--r-- | security/nss/cmd/smimetools/cmsutil.c | 58 |
1 files changed, 46 insertions, 12 deletions
diff --git a/security/nss/cmd/smimetools/cmsutil.c b/security/nss/cmd/smimetools/cmsutil.c
index c1d1d3736..f244a1be2 100644
--- a/security/nss/cmd/smimetools/cmsutil.c
+++ b/security/nss/cmd/smimetools/cmsutil.c
@@ -413,8 +413,11 @@ signed_data(struct signOptionsStr *signOptions)
             "ERROR: please indicate the nickname of a certificate to sign with.\n");
         return NULL;
     }
-    if ((cert = CERT_FindCertByNickname(signOptions->options->certHandle,
-                                        signOptions->nickname)) == NULL) {
+    if ((cert = CERT_FindUserCertByUsage(signOptions->options->certHandle,
+                                         signOptions->nickname,
+                                         certUsageEmailSigner,
+                                         PR_FALSE,
+                                         NULL)) == NULL) {
         SECU_PrintError(progName,
                         "the corresponding cert for key \"%s\" does not exist",
                         signOptions->nickname);
@@ -487,10 +490,12 @@ signed_data(struct signOptionsStr *signOptions)
             goto loser;
         }
     }
+
     if (signOptions->encryptionKeyPreferenceNick) {
         /* get the cert, add it to the message */
-        if ((ekpcert = CERT_FindCertByNickname(signOptions->options->certHandle,
-                                               signOptions->encryptionKeyPreferenceNick))
+        if ((ekpcert = CERT_FindUserCertByUsage(signOptions->options->certHandle,
+                                                signOptions->encryptionKeyPreferenceNick,
+                                                certUsageEmailRecipient, PR_FALSE, NULL))
             == NULL) {
             SECU_PrintError(progName,
                             "the corresponding cert for key \"%s\" does not exist",
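Review bot: The failure message kept after the new lookup, `"the corresponding cert for key \"%s\" does not exist"`, no longer describes the condition it reports: CERT_FindUserCertByUsage with certUsageEmailSigner also returns NULL when a certificate with that nickname exists but is not a user cert or is not usable for S/MIME signing, so a user with a dual-key setup is told the cert is missing rather than unsuitable. Consider `"no user certificate usable for S/MIME signing found for nickname \"%s\""` here, and the matching recipient-usage wording for the encryptionKeyPreferenceNick lookup in the second hunk. The PR_FALSE validOnly argument in both calls means expired or not-yet-valid certificates are still accepted by this lookup; if that is intentional, a one-line comment such as `/* validOnly = PR_FALSE: do not restrict the lookup to currently-valid certs here */` would make the choice visible, since whether validity is enforced elsewhere is outside these hunks. The body of signed_data starts before and continues past both hunks.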
@@ -509,15 +514,44 @@ signed_data(struct signOptionsStr *signOptions)
         }
     } else {
         /* check signing cert for fitness as encryption cert */
-        /* if yes, add signing cert as EncryptionKeyPreference */
-        if (NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(signerinfo, cert,
-                                               signOptions->options->certHandle)
-             != SECSuccess) {
-            fprintf(stderr,
-                    "ERROR: cannot add default SMIMEEncKeyPrefs attribute.\n");
-            goto loser;
-        }
+        SECStatus FitForEncrypt = CERT_CheckCertUsage(cert, certUsageEmailRecipient);
+
+        if (SECSuccess == FitForEncrypt) {
+            /* if yes, add signing cert as EncryptionKeyPreference */
+            if (NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(signerinfo, cert,
+                                               signOptions->options->certHandle)
+                 != SECSuccess) {
+                fprintf(stderr,
+                        "ERROR: cannot add default SMIMEEncKeyPrefs attribute.\n");
+                goto loser;
+            }
+        } else {
+            /* this is a dual-key cert case, we need to look for the encryption
+               certificate under the same nickname as the signing cert */
+            /* get the cert, add it to the message */
+            if ((ekpcert = CERT_FindUserCertByUsage(signOptions->options->certHandle,
+                                                    signOptions->nickname,
+                                                    certUsageEmailRecipient,
+                                                    PR_FALSE,
+                                                    NULL)) == NULL) {
+                SECU_PrintError(progName,
+                                "the corresponding cert for key \"%s\" does not exist",
+                                signOptions->encryptionKeyPreferenceNick);
+                goto loser;
+            }
+            if (NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(signerinfo, ekpcert,
+                                               signOptions->options->certHandle)
+                 != SECSuccess) {
+                fprintf(stderr, "ERROR: cannot add SMIMEEncKeyPrefs attribute.\n");
+                goto loser;
+            }
+            if (NSS_CMSSignedData_AddCertificate(sigd, ekpcert) != SECSuccess) {
+                fprintf(stderr, "ERROR: cannot add encryption certificate.\n");
+                goto loser;
+            }
+        }
     }
+
     if (NSS_CMSSignedData_AddSignerInfo(sigd, signerinfo) != SECSuccess) {
         fprintf(stderr, "ERROR: cannot add CMS signerInfo object.\n");
         goto loser; |
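Review bot: In the new dual-key branch the SECU_PrintError call after the CERT_FindUserCertByUsage lookup passes `signOptions->encryptionKeyPreferenceNick` as the `%s` argument, but this branch is the `else` of `if (signOptions->encryptionKeyPreferenceNick)`, so that field is NULL here while the lookup itself used `signOptions->nickname`; handing NULL to `%s` is undefined behavior and on common libcs prints "(null)" instead of the nickname the user typed. Change the argument line to `signOptions->nickname);`. The branch also assigns `ekpcert`, which the explicit encryptionKeyPreferenceNick path presumably releases on the loser path; that cleanup and the rest of signed_data are outside this hunk, so it is worth confirming the new assignment is covered by it. The local `FitForEncrypt` is the only capitalised local in the hunk (`ekpcert`, `signerinfo`, `sigd`, `cert` are lower case); `fitForEncrypt` or `encUsageOK` would read consistently.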