Treat caCertificate as base64-encoded DER rather than PEM trust-anchor
authorKevin Wasserman <kevin.wasserman@painless-security.com>
Thu, 12 Jun 2014 15:09:55 +0000 (11:09 -0400)
committerKevin Wasserman <kevin.wasserman@painless-security.com>
Thu, 12 Jun 2014 15:09:55 +0000 (11:09 -0400)
Openssl's pem parser is very picky and requires newlines.
Moonshot-webp eats newlines from the raw xml, requiring
hand-placed '&#10;' for successful parsing, which is
undesirable. So instead use glib's g_base64_decode() to
convert caCertificate to DER.

configure.ac
mech_eap/Makefile.am
mech_eap/util_moonshot.c

index 4b8bfde..c496414 100644 (file)
@@ -88,6 +88,8 @@ if test "x$acceptor" = "xyes" ; then
   AX_CHECK_JANSSON
 fi
 
+PKG_CHECK_MODULES(GLIB, glib-2.0 >= 2.12)
+
 AX_CHECK_LIBMOONSHOT
 AC_CONFIG_FILES([Makefile libeap/Makefile mech_eap/Makefile
                          mech_eap.spec])
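Review bot: The new `PKG_CHECK_MODULES(GLIB, glib-2.0 >= 2.12)` runs unconditionally, so configure now hard-fails without glib even though the only consumer in this commit is `util_moonshot.c`, which the Makefile hunk builds only under `if LIBMOONSHOT`. If the moonshot-less build is meant to keep working, the check should follow `AX_CHECK_LIBMOONSHOT` and be conditioned on its result, or use the action-if-not-found form so the absence is reported rather than fatal. The minimum version looks right for `g_base64_decode`, which glib's documentation dates to 2.12.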
index 4e27734..f17806f 100644 (file)
@@ -130,8 +130,8 @@ mech_eap_la_SOURCES =                       \
 
 if LIBMOONSHOT
 mech_eap_la_SOURCES += util_moonshot.c
-mech_eap_la_CFLAGS  += @LIBMOONSHOT_CFLAGS@
-mech_eap_la_LDFLAGS += @LIBMOONSHOT_LDFLAGS@
+mech_eap_la_CFLAGS  += $(GLIB_CFLAGS) @LIBMOONSHOT_CFLAGS@
+mech_eap_la_LDFLAGS += $(GLIB_LDFLAGS) @LIBMOONSHOT_LDFLAGS@
 mech_eap_la_LIBADD  += @LIBMOONSHOT_LIBS@
 endif
 
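Review bot: `$(GLIB_LDFLAGS)` on the added LDFLAGS line is not a variable that `PKG_CHECK_MODULES` defines — it sets `GLIB_CFLAGS` and `GLIB_LIBS` — so that reference expands to nothing and `libglib-2.0` is never linked into `mech_eap` even though `util_moonshot.c` now calls `g_base64_decode`/`g_free`; the link will fail or depend on whatever pulls glib in transitively. The library should go in LIBADD next to the moonshot libs: `mech_eap_la_LIBADD  += $(GLIB_LIBS) @LIBMOONSHOT_LIBS@`, and the LDFLAGS line can stay as it was before this change.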
index b73b765..fc5dd82 100644 (file)
  */
 
 #include "gssapiP_eap.h"
-#include <openssl/bio.h>
-#include <openssl/pem.h>
-#include <openssl/x509.h>
-#include <stdio.h>
+#include <glib.h>
 
 #ifdef HAVE_MOONSHOT_GET_IDENTITY
 #include <libmoonshot.h>
@@ -159,7 +156,6 @@ libMoonshotResolveInitiatorCred(OM_uint32 *minor,
     char *subjectNameConstraint = NULL;
     char *subjectAltNameConstraint = NULL;
     MoonshotError *error = NULL;
-    BIO *bio = NULL;
 
     if (cred->name != GSS_C_NO_NAME) {
         major = gssEapDisplayName(minor, cred->name, &initiator, NULL);
@@ -229,38 +225,18 @@ libMoonshotResolveInitiatorCred(OM_uint32 *minor,
 
         cred->caCertificate.length = HASH_PREFIX_LEN + len;
     } else if (!stringEmpty(caCertificate)) {
-        BUF_MEM *bptr;
-        X509 *cert;
         gss_buffer_desc tmp;
-
-        bio = BIO_new_mem_buf(caCertificate, -1);
-        if (bio == NULL) {
-            major = GSS_S_FAILURE;
-            *minor = ENOMEM;
-            goto cleanup;
-        }
-        cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
-        if (cert == NULL) {
-            major = GSS_S_DEFECTIVE_CREDENTIAL;
-            *minor = GSSEAP_BAD_CACERTIFICATE;
-            goto cleanup;
-        }
-        BIO_free(bio);
-        bio = BIO_new(BIO_s_mem());
-        if (i2d_X509_bio(bio, cert) < 0) {
+        tmp.value = g_base64_decode(caCertificate, &tmp.length);
+       if (tmp.value == NULL) {
             major = GSS_S_DEFECTIVE_CREDENTIAL;
             *minor = GSSEAP_BAD_CACERTIFICATE;
             goto cleanup;
         }
-        BIO_get_mem_ptr(bio, &bptr);
-        tmp.value = bptr->data;
-        tmp.length = bptr->length;
         major = duplicateBuffer(minor, &tmp, &cred->caCertificateBlob);
+        g_free(tmp.value);
         if (major != GSS_S_COMPLETE) {
             goto cleanup;
         }
-        BIO_free(bio);
-        bio = NULL;
         makeStringBufferOrCleanup("blob://ca-cert", &cred->caCertificate);
     }
 
@@ -276,7 +252,6 @@ cleanup:
     moonshot_free(caCertificate);
     moonshot_free(subjectNameConstraint);
     moonshot_free(subjectAltNameConstraint);
-    BIO_free(bio);
 
     gss_release_buffer(&tmpMinor, &initiator);
     gss_release_buffer(&tmpMinor, &target);