sbsigntool: update to support openssl-1.1.0

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
author: Lans Zhang <jia.zhang@windriver.com> 2017-08-15 13:11:45 +0800
committer: Lans Zhang <jia.zhang@windriver.com> 2017-08-15 13:12:38 +0800
commit: c912483e8789262bc3d1e7c0a43bbceeaa6facee (patch)
tree: 08fe38afe6f543d59da49f7d2caf1eaed12874e5
parent: 2c265a6fc3e7df1e8530326c3ec733c2fa34d2f1 (diff)
download: meta-secure-core-c912483e8789262bc3d1e7c0a43bbceeaa6facee.tar.gz
3 files changed, 209 insertions, 0 deletions
diff --git a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool-native_git.bb b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool-native_git.bb
index b48f91d..431144a 100644
--- a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool-native_git.bb
+++ b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool-native_git.bb
@@ -19,6 +19,8 @@ SRC_URI = "\
    file://Fix-for-multi-sign.patch \
    file://sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch \
    file://image-fix-the-segment-fault-caused-by-the-uninitiali.patch \
+    file://Fix-the-deprecated-ASN1_STRING_data.patch \
+    file://Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch \
 "
 SRCREV="951ee95a301674c046f55330cd7460e1314deff2"
diff --git a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data.patch b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data.patch
new file mode 100644
index 0000000..6ffbde2
--- /dev/null
+++ b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data.patch
@@ -0,0 +1,49 @@
+From c5d321ded2020441b0d064e03b7b07358d3f71da Mon Sep 17 00:00:00 2001
+From: Lans Zhang <jia.zhang@windriver.com>
+Date: Tue, 15 Aug 2017 10:55:40 +0800
+Subject: [PATCH] Fix the deprecated ASN1_STRING_data()
+Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
+---
+ src/idc.c       | 4 ++--
+ src/sbkeysync.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+diff --git a/src/idc.c b/src/idc.c
+index 236cefd..8feaa11 100644
+--- a/src/idc.c
+++ b/src/idc.c
+@@ -238,7 +238,7 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio)
+ 
+        /* extract the idc from the signed PKCS7 'other' data */
+        str = p7->d.sign->contents->d.other->value.asn1_string;
+-       idcbuf = buf = ASN1_STRING_data(str);
+       idcbuf = buf = (const unsigned char *)ASN1_STRING_get0_data(str);
+        idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
+ 
+        /* If we were passed a BIO, write the idc data, minus type and length,
+@@ -289,7 +289,7 @@ int IDC_check_hash(struct idc *idc, struct image *image)
+        }
+ 
+        /* check hash against the one we calculated from the image */
+-       buf = ASN1_STRING_data(str);
+       buf = (const unsigned char *)ASN1_STRING_get0_data(str);
+        if (memcmp(buf, sha, sizeof(sha))) {
+                fprintf(stderr, "Hash doesn't match image\n");
+                fprintf(stderr, " got:       %s\n", sha256_str(buf));
+diff --git a/src/sbkeysync.c b/src/sbkeysync.c
+index a63d3b8..ef028ef 100644
+--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
+@@ -210,7 +210,7 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
+        serial = x509->cert_info->serialNumber;
+ 
+        key->id_len = ASN1_STRING_length(serial);
+-       key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
+       key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
+ 
+        key->description = talloc_array(key, char, description_len);
+        X509_NAME_oneline(x509->cert_info->subject,
+-- 
+2.7.5
diff --git a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch
new file mode 100644
index 0000000..f517e47
--- /dev/null
+++ b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch
@@ -0,0 +1,158 @@
+From ddf7f08d27d6a44eb62928b33c66204ffa3d7edb Mon Sep 17 00:00:00 2001
+From: Lans Zhang <jia.zhang@windriver.com>
+Date: Tue, 15 Aug 2017 13:05:14 +0800
+Subject: [PATCH] Update OpenSSL API usage to support OpenSSL 1.1
+Most structure definitions in OpenSSL are now opaque and we must call
+the appropriate accessor functions to get information from them.
+Not all the accessors are available in older versions, so define the
+missing accessors as macros.
+The X509_retrieve_match() function is no longer usable, as we cannot
+initialise an X509_OBJECT ourselves.  Instead, iterate over the
+certificate store and use X509_OBJECT_get_type and X509_cmp to
+compare certificates.
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
+---
+ src/sbkeysync.c |  7 +++----
+ src/sbverify.c  | 52 ++++++++++++++++++++++++++++++++++++++--------------
+ 2 files changed, 41 insertions(+), 18 deletions(-)
+diff --git a/src/sbkeysync.c b/src/sbkeysync.c
+index ef028ef..19e3064 100644
+--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
+@@ -204,16 +204,15 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
+                return -1;
+ 
+        /* we use the X509 serial number as the key ID */
+-       if (!x509->cert_info || !x509->cert_info->serialNumber)
+       serial = X509_get_serialNumber(x509);
+       if (!serial)
+                goto out;
+ 
+-       serial = x509->cert_info->serialNumber;
+-
+        key->id_len = ASN1_STRING_length(serial);
+        key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
+ 
+        key->description = talloc_array(key, char, description_len);
+-       X509_NAME_oneline(x509->cert_info->subject,
+       X509_NAME_oneline(X509_get_subject_name(x509),
+                        key->description, description_len);
+ 
+        rc = 0;
+diff --git a/src/sbverify.c b/src/sbverify.c
+index fb03d21..0aed71a 100644
+--- a/src/sbverify.c
+++ b/src/sbverify.c
+@@ -55,6 +55,14 @@
+ #include <openssl/pem.h>
+ #include <openssl/x509v3.h>
+ 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
+#define X509_OBJECT_get_type(obj) ((obj)->type)
+#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
+#define X509_STORE_get0_objects(certs) ((certs)->objs)
+#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
+#endif
+
+ static const char *toolname = "sbverify";
+ static const int cert_name_len = 160;
+ 
+@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *p7)
+ 
+        for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
+                cert = sk_X509_value(p7->d.sign->cert, i);
+-               X509_NAME_oneline(cert->cert_info->subject,
+               X509_NAME_oneline(X509_get_subject_name(cert),
+                                subject_name, cert_name_len);
+-               X509_NAME_oneline(cert->cert_info->issuer,
+               X509_NAME_oneline(X509_get_issuer_name(cert),
+                                issuer_name, cert_name_len);
+ 
+                printf(" - subject: %s\n", subject_name);
+@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *p7)
+ static void print_certificate_store_certs(X509_STORE *certs)
+ {
+        char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
+       STACK_OF(X509_OBJECT) *objs;
+        X509_OBJECT *obj;
+       X509 *cert;
+        int i;
+ 
+        printf("certificate store:\n");
+ 
+-       for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
+-               obj = sk_X509_OBJECT_value(certs->objs, i);
+       objs = X509_STORE_get0_objects(certs);
+
+       for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+               obj = sk_X509_OBJECT_value(objs, i);
+ 
+-               if (obj->type != X509_LU_X509)
+               if (X509_OBJECT_get_type(obj) != X509_LU_X509)
+                        continue;
+ 
+-               X509_NAME_oneline(obj->data.x509->cert_info->subject,
+               cert = X509_OBJECT_get0_X509(obj);
+
+               X509_NAME_oneline(X509_get_subject_name(cert),
+                                subject_name, cert_name_len);
+-               X509_NAME_oneline(obj->data.x509->cert_info->issuer,
+               X509_NAME_oneline(X509_get_issuer_name(cert),
+                                issuer_name, cert_name_len);
+ 
+                printf(" - subject: %s\n", subject_name);
+@@ -182,12 +196,21 @@ static int load_detached_signature_data(struct image *image,
+ 
+ static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
+ {
+-       X509_OBJECT obj;
+       STACK_OF(X509_OBJECT) *objs;
+       X509_OBJECT *obj;
+       int i;
+
+       objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
+ 
+-       obj.type = X509_LU_X509;
+-       obj.data.x509 = cert;
+       for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+               obj = sk_X509_OBJECT_value(objs, i);
+ 
+-       return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
+               if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
+                   !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
+                       return 1;
+       }
+
+       return 0;
+ }
+ 
+ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
+@@ -195,15 +218,16 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
+        int err = X509_STORE_CTX_get_error(ctx);
+ 
+        /* also accept code-signing keys */
+-       if (err == X509_V_ERR_INVALID_PURPOSE
+-                       && ctx->cert->ex_xkusage == XKU_CODE_SIGN)
+       if (err == X509_V_ERR_INVALID_PURPOSE &&
+                       X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
+                       == XKU_CODE_SIGN)
+                status = 1;
+ 
+        /* all certs given with the --cert argument are trusted */
+        else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
+                        err == X509_V_ERR_CERT_UNTRUSTED) {
+ 
+-               if (cert_in_store(ctx->current_cert, ctx))
+               if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))
+                        status = 1;
+        }
+ 
+-- 
+2.7.5
author	Lans Zhang <jia.zhang@windriver.com>	2017-08-15 13:11:45 +0800
committer	Lans Zhang <jia.zhang@windriver.com>	2017-08-15 13:12:38 +0800
commit	c912483e8789262bc3d1e7c0a43bbceeaa6facee (patch)
tree	08fe38afe6f543d59da49f7d2caf1eaed12874e5
parent	2c265a6fc3e7df1e8530326c3ec733c2fa34d2f1 (diff)
download	meta-secure-core-c912483e8789262bc3d1e7c0a43bbceeaa6facee.tar.gz

diff --git a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool-native_git.bb b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool-native_git.bb index b48f91d..431144a 100644 --- a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool-native_git.bb +++ b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool-native_git.bb
@@ -19,6 +19,8 @@ SRC_URI = "\
19	file://Fix-for-multi-sign.patch \	19	file://Fix-for-multi-sign.patch \
20	file://sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch \	20	file://sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch \
21	file://image-fix-the-segment-fault-caused-by-the-uninitiali.patch \	21	file://image-fix-the-segment-fault-caused-by-the-uninitiali.patch \
		22	file://Fix-the-deprecated-ASN1_STRING_data.patch \
		23	file://Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch \
22	"	24	"
23	SRCREV="951ee95a301674c046f55330cd7460e1314deff2"	25	SRCREV="951ee95a301674c046f55330cd7460e1314deff2"
24		26


diff --git a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data.patch b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data.patch new file mode 100644 index 0000000..6ffbde2 --- /dev/null +++ b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data.patch
@@ -0,0 +1,49 @@
		1	From c5d321ded2020441b0d064e03b7b07358d3f71da Mon Sep 17 00:00:00 2001
		2	From: Lans Zhang <jia.zhang@windriver.com>
		3	Date: Tue, 15 Aug 2017 10:55:40 +0800
		4	Subject: [PATCH] Fix the deprecated ASN1_STRING_data()
		5
		6	Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
		7	---
		8	src/idc.c \| 4 ++--
		9	src/sbkeysync.c \| 2 +-
		10	2 files changed, 3 insertions(+), 3 deletions(-)
		11
		12	diff --git a/src/idc.c b/src/idc.c
		13	index 236cefd..8feaa11 100644
		14	--- a/src/idc.c
		15	+++ b/src/idc.c
		16	@@ -238,7 +238,7 @@ struct idc IDC_get(PKCS7 p7, BIO *bio)
		17
		18	/* extract the idc from the signed PKCS7 'other' data */
		19	str = p7->d.sign->contents->d.other->value.asn1_string;
		20	- idcbuf = buf = ASN1_STRING_data(str);
		21	+ idcbuf = buf = (const unsigned char *)ASN1_STRING_get0_data(str);
		22	idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
		23
		24	/* If we were passed a BIO, write the idc data, minus type and length,
		25	@@ -289,7 +289,7 @@ int IDC_check_hash(struct idc idc, struct image image)
		26	}
		27
		28	/* check hash against the one we calculated from the image */
		29	- buf = ASN1_STRING_data(str);
		30	+ buf = (const unsigned char *)ASN1_STRING_get0_data(str);
		31	if (memcmp(buf, sha, sizeof(sha))) {
		32	fprintf(stderr, "Hash doesn't match image\n");
		33	fprintf(stderr, " got: %s\n", sha256_str(buf));
		34	diff --git a/src/sbkeysync.c b/src/sbkeysync.c
		35	index a63d3b8..ef028ef 100644
		36	--- a/src/sbkeysync.c
		37	+++ b/src/sbkeysync.c
		38	@@ -210,7 +210,7 @@ static int x509_key_parse(struct key key, uint8_t data, size_t len)
		39	serial = x509->cert_info->serialNumber;
		40
		41	key->id_len = ASN1_STRING_length(serial);
		42	- key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
		43	+ key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
		44
		45	key->description = talloc_array(key, char, description_len);
		46	X509_NAME_oneline(x509->cert_info->subject,
		47	--
		48	2.7.5
		49


diff --git a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch new file mode 100644 index 0000000..f517e47 --- /dev/null +++ b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch
@@ -0,0 +1,158 @@
		1	From ddf7f08d27d6a44eb62928b33c66204ffa3d7edb Mon Sep 17 00:00:00 2001
		2	From: Lans Zhang <jia.zhang@windriver.com>
		3	Date: Tue, 15 Aug 2017 13:05:14 +0800
		4	Subject: [PATCH] Update OpenSSL API usage to support OpenSSL 1.1
		5
		6	Most structure definitions in OpenSSL are now opaque and we must call
		7	the appropriate accessor functions to get information from them.
		8	Not all the accessors are available in older versions, so define the
		9	missing accessors as macros.
		10
		11	The X509_retrieve_match() function is no longer usable, as we cannot
		12	initialise an X509_OBJECT ourselves. Instead, iterate over the
		13	certificate store and use X509_OBJECT_get_type and X509_cmp to
		14	compare certificates.
		15
		16	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
		17	Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
		18	---
		19	src/sbkeysync.c \| 7 +++----
		20	src/sbverify.c \| 52 ++++++++++++++++++++++++++++++++++++++--------------
		21	2 files changed, 41 insertions(+), 18 deletions(-)
		22
		23	diff --git a/src/sbkeysync.c b/src/sbkeysync.c
		24	index ef028ef..19e3064 100644
		25	--- a/src/sbkeysync.c
		26	+++ b/src/sbkeysync.c
		27	@@ -204,16 +204,15 @@ static int x509_key_parse(struct key key, uint8_t data, size_t len)
		28	return -1;
		29
		30	/* we use the X509 serial number as the key ID */
		31	- if (!x509->cert_info \|\| !x509->cert_info->serialNumber)
		32	+ serial = X509_get_serialNumber(x509);
		33	+ if (!serial)
		34	goto out;
		35
		36	- serial = x509->cert_info->serialNumber;
		37	-
		38	key->id_len = ASN1_STRING_length(serial);
		39	key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
		40
		41	key->description = talloc_array(key, char, description_len);
		42	- X509_NAME_oneline(x509->cert_info->subject,
		43	+ X509_NAME_oneline(X509_get_subject_name(x509),
		44	key->description, description_len);
		45
		46	rc = 0;
		47	diff --git a/src/sbverify.c b/src/sbverify.c
		48	index fb03d21..0aed71a 100644
		49	--- a/src/sbverify.c
		50	+++ b/src/sbverify.c
		51	@@ -55,6 +55,14 @@
		52	#include <openssl/pem.h>
		53	#include <openssl/x509v3.h>
		54
		55	+#if OPENSSL_VERSION_NUMBER < 0x10100000L
		56	+#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
		57	+#define X509_OBJECT_get_type(obj) ((obj)->type)
		58	+#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
		59	+#define X509_STORE_get0_objects(certs) ((certs)->objs)
		60	+#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
		61	+#endif
		62	+
		63	static const char *toolname = "sbverify";
		64	static const int cert_name_len = 160;
		65
		66	@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *p7)
		67
		68	for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
		69	cert = sk_X509_value(p7->d.sign->cert, i);
		70	- X509_NAME_oneline(cert->cert_info->subject,
		71	+ X509_NAME_oneline(X509_get_subject_name(cert),
		72	subject_name, cert_name_len);
		73	- X509_NAME_oneline(cert->cert_info->issuer,
		74	+ X509_NAME_oneline(X509_get_issuer_name(cert),
		75	issuer_name, cert_name_len);
		76
		77	printf(" - subject: %s\n", subject_name);
		78	@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *p7)
		79	static void print_certificate_store_certs(X509_STORE *certs)
		80	{
		81	char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
		82	+ STACK_OF(X509_OBJECT) *objs;
		83	X509_OBJECT *obj;
		84	+ X509 *cert;
		85	int i;
		86
		87	printf("certificate store:\n");
		88
		89	- for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
		90	- obj = sk_X509_OBJECT_value(certs->objs, i);
		91	+ objs = X509_STORE_get0_objects(certs);
		92	+
		93	+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
		94	+ obj = sk_X509_OBJECT_value(objs, i);
		95
		96	- if (obj->type != X509_LU_X509)
		97	+ if (X509_OBJECT_get_type(obj) != X509_LU_X509)
		98	continue;
		99
		100	- X509_NAME_oneline(obj->data.x509->cert_info->subject,
		101	+ cert = X509_OBJECT_get0_X509(obj);
		102	+
		103	+ X509_NAME_oneline(X509_get_subject_name(cert),
		104	subject_name, cert_name_len);
		105	- X509_NAME_oneline(obj->data.x509->cert_info->issuer,
		106	+ X509_NAME_oneline(X509_get_issuer_name(cert),
		107	issuer_name, cert_name_len);
		108
		109	printf(" - subject: %s\n", subject_name);
		110	@@ -182,12 +196,21 @@ static int load_detached_signature_data(struct image *image,
		111
		112	static int cert_in_store(X509 cert, X509_STORE_CTX ctx)
		113	{
		114	- X509_OBJECT obj;
		115	+ STACK_OF(X509_OBJECT) *objs;
		116	+ X509_OBJECT *obj;
		117	+ int i;
		118	+
		119	+ objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
		120
		121	- obj.type = X509_LU_X509;
		122	- obj.data.x509 = cert;
		123	+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
		124	+ obj = sk_X509_OBJECT_value(objs, i);
		125
		126	- return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
		127	+ if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
		128	+ !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
		129	+ return 1;
		130	+ }
		131	+
		132	+ return 0;
		133	}
		134
		135	static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
		136	@@ -195,15 +218,16 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
		137	int err = X509_STORE_CTX_get_error(ctx);
		138
		139	/* also accept code-signing keys */
		140	- if (err == X509_V_ERR_INVALID_PURPOSE
		141	- && ctx->cert->ex_xkusage == XKU_CODE_SIGN)
		142	+ if (err == X509_V_ERR_INVALID_PURPOSE &&
		143	+ X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
		144	+ == XKU_CODE_SIGN)
		145	status = 1;
		146
		147	/* all certs given with the --cert argument are trusted */
		148	else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY \|\|
		149	err == X509_V_ERR_CERT_UNTRUSTED) {
		150
		151	- if (cert_in_store(ctx->current_cert, ctx))
		152	+ if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))
		153	status = 1;
		154	}
		155
		156	--
		157	2.7.5
		158