/*

 * COPYRIGHT (c) International Business Machines Corp. 2001-2017

 *

 * This program is provided under the terms of the Common Public License,

 * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this

 * software constitutes recipient's acceptance of CPL-1.0 terms which can be

 * found in the file LICENSE file or at

 * https://opensource.org/licenses/cpl1.0.php

 */

// File:  cert.c

//

// Functions contained within:

//

//    cert_check_required_attributes

//    cert_validate_attribute

//    cert_x509_check_required_attributes

//    cert_x509_set_default_attributes

//    cert_x509_validate_attribute

//    cert_vendor_check_required_attributes

//    cert_vendor_validate_attribute

//

#include <pthread.h>

#include <stdlib.h>

#include <string.h>             // for memcmp() et al

#include "pkcs11types.h"

#include "defs.h"

#include "host_defs.h"

#include "h_extern.h"

#include "trace.h"

// cert_check_required_attributes

//

// Checks for required attributes for generic CKO_CERTIFICATE objects

//

//    CKA_CERTIFICATE_TYPE : must be present on MODE_CREATE.

//

CK_RV cert_check_required_attributes(TEMPLATE *tmpl, CK_ULONG mode)

{

    CK_ATTRIBUTE *attr = NULL;

    CK_BBOOL found;

    if (!tmpl)

        return CKR_FUNCTION_FAILED;

    if (mode == MODE_CREATE) {

        found = template_attribute_find(tmpl, CKA_CERTIFICATE_TYPE, &attr);

        if (found == FALSE) {

            TRACE_ERROR("%s\n", ock_err(ERR_TEMPLATE_INCOMPLETE));

            return CKR_TEMPLATE_INCOMPLETE;

        }

        // don't bother checking the value.  it was checked in the 'validate'

        // routine.

    }

    return template_check_required_base_attributes(tmpl, mode);

}

// cert_validate_attribute()

//

CK_RV cert_validate_attribute(TEMPLATE *tmpl, CK_ATTRIBUTE *attr,

                              CK_ULONG mode)

{

    CK_CERTIFICATE_TYPE type;

    switch (attr->type) {

    case CKA_CERTIFICATE_TYPE:

        if (mode != MODE_CREATE) {

            TRACE_ERROR("%s\n", ock_err(ERR_ATTRIBUTE_READ_ONLY));

            return CKR_ATTRIBUTE_READ_ONLY;

        }

        type = *(CK_CERTIFICATE_TYPE *) attr->pValue;

        if (type == CKC_X_509 || type >= CKC_VENDOR_DEFINED) {

            return CKR_OK;

        }

        TRACE_ERROR("%s\n", ock_err(ERR_ATTRIBUTE_VALUE_INVALID));

        return CKR_ATTRIBUTE_VALUE_INVALID;

    default:

        return template_validate_base_attribute(tmpl, attr, mode);

    }

}

// cert_x509_check_required_attributes()

//

CK_RV cert_x509_check_required_attributes(TEMPLATE *tmpl, CK_ULONG mode)

{

    CK_ATTRIBUTE *attr = NULL;

    CK_BBOOL found;

    found = template_attribute_find(tmpl, CKA_SUBJECT, &attr);

    if (!found) {

        TRACE_ERROR("%s\n", ock_err(ERR_TEMPLATE_INCOMPLETE));

        return CKR_TEMPLATE_INCOMPLETE;

    }

    found = template_attribute_find(tmpl, CKA_VALUE, &attr);

    if (!found) {

        TRACE_ERROR("%s\n", ock_err(ERR_TEMPLATE_INCOMPLETE));

        return CKR_TEMPLATE_INCOMPLETE;

    }

    return cert_check_required_attributes(tmpl, mode);

}

// cert_x509_set_default_attributes()

//

// Set the default attributes for X.509 certificates

//

//    CKA_ID            : empty string

//    CKA_ISSUER        : empty string

//    CKA_SERIAL_NUMBER : empty string

//

CK_RV cert_x509_set_default_attributes(TEMPLATE *tmpl, CK_ULONG mode)

{

    CK_ATTRIBUTE *id_attr = NULL;

    CK_ATTRIBUTE *issuer_attr = NULL;

    CK_ATTRIBUTE *serial_attr = NULL;

    // satisfy compiler warning....

    //

    if (mode)

        id_attr = NULL;

    id_attr = (CK_ATTRIBUTE *) malloc(sizeof(CK_ATTRIBUTE));

    issuer_attr = (CK_ATTRIBUTE *) malloc(sizeof(CK_ATTRIBUTE));

    serial_attr = (CK_ATTRIBUTE *) malloc(sizeof(CK_ATTRIBUTE));

    if (!id_attr || !issuer_attr || !serial_attr) {

        if (id_attr)

            free(id_attr);

        if (issuer_attr)

            free(issuer_attr);

        if (serial_attr)

            free(serial_attr);

        TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));

        return CKR_HOST_MEMORY;

    }

    id_attr->type = CKA_ID;

    id_attr->ulValueLen = 0;    // empty string

    id_attr->pValue = NULL;

    issuer_attr->type = CKA_ISSUER;

    issuer_attr->ulValueLen = 0;        // empty byte array

    issuer_attr->pValue = NULL;

    serial_attr->type = CKA_SERIAL_NUMBER;

    serial_attr->ulValueLen = 0;        // empty byte array

    serial_attr->pValue = NULL;

    template_update_attribute(tmpl, id_attr);

    template_update_attribute(tmpl, issuer_attr);

    template_update_attribute(tmpl, serial_attr);

    return CKR_OK;

}

// cert_x509_validate_attributes()

//

CK_RV cert_x509_validate_attribute(TEMPLATE *tmpl, CK_ATTRIBUTE *attr,

                                   CK_ULONG mode)

{

    switch (attr->type) {

    case CKA_SUBJECT:

        if (mode != MODE_CREATE) {

            TRACE_ERROR("%s\n", ock_err(ERR_ATTRIBUTE_READ_ONLY));

            return CKR_ATTRIBUTE_READ_ONLY;

        }

        return CKR_OK;

    case CKA_ID:

    case CKA_ISSUER:

    case CKA_SERIAL_NUMBER:

        return CKR_OK;

    case CKA_VALUE:

        if (mode != MODE_CREATE) {

            TRACE_ERROR("%s\n", ock_err(ERR_ATTRIBUTE_READ_ONLY));

            return CKR_ATTRIBUTE_READ_ONLY;

        }

        return CKR_OK;

    default:

        return cert_validate_attribute(tmpl, attr, mode);

    }

}

// cert_vendor_check_required_attributes()

//

CK_RV cert_vendor_check_required_attributes(TEMPLATE *tmpl, CK_ULONG mode)

{

    // CKC_VENDOR has no required attributes

    //

    return cert_check_required_attributes(tmpl, mode);

}

// cert_vendor_validate_attribute()

//

CK_RV cert_vendor_validate_attribute(TEMPLATE *tmpl, CK_ATTRIBUTE *attr,

                                     CK_ULONG mode)

{

    // cryptoki specifies no attributes for CKC_VENDOR certificates

    //

    return cert_validate_attribute(tmpl, attr, mode);

}