source-git / opencryptoki

Clone
Source Code
GIT

Files

  1.   8681c66a40b6fb0c455e64866c38ecfa5a9d2cb2
  2.   usr
  3.   lib
  4.   common
  5.   cert.c
Blob Blame History Raw 
/*
 * COPYRIGHT (c) International Business Machines Corp. 2001-2017
 *
 * This program is provided under the terms of the Common Public License,
 * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
 * software constitutes recipient's acceptance of CPL-1.0 terms which can be
 * found in the file LICENSE file or at
 * https://opensource.org/licenses/cpl1.0.php
 */

// File:  cert.c
//
// Functions contained within:
//
//    cert_check_required_attributes
//    cert_validate_attribute
//    cert_x509_check_required_attributes
//    cert_x509_set_default_attributes
//    cert_x509_validate_attribute
//    cert_vendor_check_required_attributes
//    cert_vendor_validate_attribute
//

#include <pthread.h>
#include <stdlib.h>

#include <string.h>             // for memcmp() et al

#include "pkcs11types.h"
#include "defs.h"
#include "host_defs.h"
#include "h_extern.h"
#include "trace.h"


// cert_check_required_attributes
//
// Checks for required attributes for generic CKO_CERTIFICATE objects
//
//    CKA_CERTIFICATE_TYPE : must be present on MODE_CREATE.
//
CK_RV cert_check_required_attributes(TEMPLATE *tmpl, CK_ULONG mode)
{
    CK_ATTRIBUTE *attr = NULL;
    CK_BBOOL found;

    if (!tmpl)
        return CKR_FUNCTION_FAILED;

    if (mode == MODE_CREATE) {
        found = template_attribute_find(tmpl, CKA_CERTIFICATE_TYPE, &attr);
        if (found == FALSE) {
            TRACE_ERROR("%s\n", ock_err(ERR_TEMPLATE_INCOMPLETE));
            return CKR_TEMPLATE_INCOMPLETE;
        }
        // don't bother checking the value.  it was checked in the 'validate'
        // routine.
    }

    return template_check_required_base_attributes(tmpl, mode);
}


// cert_validate_attribute()
//
CK_RV cert_validate_attribute(TEMPLATE *tmpl, CK_ATTRIBUTE *attr,
                              CK_ULONG mode)
{
    CK_CERTIFICATE_TYPE type;

    switch (attr->type) {
    case CKA_CERTIFICATE_TYPE:
        if (mode != MODE_CREATE) {
            TRACE_ERROR("%s\n", ock_err(ERR_ATTRIBUTE_READ_ONLY));
            return CKR_ATTRIBUTE_READ_ONLY;
        }
        type = *(CK_CERTIFICATE_TYPE *) attr->pValue;
        if (type == CKC_X_509 || type >= CKC_VENDOR_DEFINED) {
            return CKR_OK;
        }
        TRACE_ERROR("%s\n", ock_err(ERR_ATTRIBUTE_VALUE_INVALID));
        return CKR_ATTRIBUTE_VALUE_INVALID;
    default:
        return template_validate_base_attribute(tmpl, attr, mode);
    }
}


// cert_x509_check_required_attributes()
//
CK_RV cert_x509_check_required_attributes(TEMPLATE *tmpl, CK_ULONG mode)
{
    CK_ATTRIBUTE *attr = NULL;
    CK_BBOOL found;

    found = template_attribute_find(tmpl, CKA_SUBJECT, &attr);
    if (!found) {
        TRACE_ERROR("%s\n", ock_err(ERR_TEMPLATE_INCOMPLETE));
        return CKR_TEMPLATE_INCOMPLETE;
    }
    found = template_attribute_find(tmpl, CKA_VALUE, &attr);
    if (!found) {
        TRACE_ERROR("%s\n", ock_err(ERR_TEMPLATE_INCOMPLETE));
        return CKR_TEMPLATE_INCOMPLETE;
    }

    return cert_check_required_attributes(tmpl, mode);
}


// cert_x509_set_default_attributes()
//
// Set the default attributes for X.509 certificates
//
//    CKA_ID            : empty string
//    CKA_ISSUER        : empty string
//    CKA_SERIAL_NUMBER : empty string
//
CK_RV cert_x509_set_default_attributes(TEMPLATE *tmpl, CK_ULONG mode)
{
    CK_ATTRIBUTE *id_attr = NULL;
    CK_ATTRIBUTE *issuer_attr = NULL;
    CK_ATTRIBUTE *serial_attr = NULL;

    // satisfy compiler warning....
    //
    if (mode)
        id_attr = NULL;

    id_attr = (CK_ATTRIBUTE *) malloc(sizeof(CK_ATTRIBUTE));
    issuer_attr = (CK_ATTRIBUTE *) malloc(sizeof(CK_ATTRIBUTE));
    serial_attr = (CK_ATTRIBUTE *) malloc(sizeof(CK_ATTRIBUTE));

    if (!id_attr || !issuer_attr || !serial_attr) {
        if (id_attr)
            free(id_attr);
        if (issuer_attr)
            free(issuer_attr);
        if (serial_attr)
            free(serial_attr);
        TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));

        return CKR_HOST_MEMORY;
    }

    id_attr->type = CKA_ID;
    id_attr->ulValueLen = 0;    // empty string
    id_attr->pValue = NULL;

    issuer_attr->type = CKA_ISSUER;
    issuer_attr->ulValueLen = 0;        // empty byte array
    issuer_attr->pValue = NULL;

    serial_attr->type = CKA_SERIAL_NUMBER;
    serial_attr->ulValueLen = 0;        // empty byte array
    serial_attr->pValue = NULL;

    template_update_attribute(tmpl, id_attr);
    template_update_attribute(tmpl, issuer_attr);
    template_update_attribute(tmpl, serial_attr);

    return CKR_OK;
}


// cert_x509_validate_attributes()
//
CK_RV cert_x509_validate_attribute(TEMPLATE *tmpl, CK_ATTRIBUTE *attr,
                                   CK_ULONG mode)
{
    switch (attr->type) {
    case CKA_SUBJECT:
        if (mode != MODE_CREATE) {
            TRACE_ERROR("%s\n", ock_err(ERR_ATTRIBUTE_READ_ONLY));
            return CKR_ATTRIBUTE_READ_ONLY;
        }
        return CKR_OK;
    case CKA_ID:
    case CKA_ISSUER:
    case CKA_SERIAL_NUMBER:
        return CKR_OK;
    case CKA_VALUE:
        if (mode != MODE_CREATE) {
            TRACE_ERROR("%s\n", ock_err(ERR_ATTRIBUTE_READ_ONLY));
            return CKR_ATTRIBUTE_READ_ONLY;
        }
        return CKR_OK;
    default:
        return cert_validate_attribute(tmpl, attr, mode);
    }
}


// cert_vendor_check_required_attributes()
//
CK_RV cert_vendor_check_required_attributes(TEMPLATE *tmpl, CK_ULONG mode)
{
    // CKC_VENDOR has no required attributes
    //
    return cert_check_required_attributes(tmpl, mode);
}


// cert_vendor_validate_attribute()
//
CK_RV cert_vendor_validate_attribute(TEMPLATE *tmpl, CK_ATTRIBUTE *attr,
                                     CK_ULONG mode)
{
    // cryptoki specifies no attributes for CKC_VENDOR certificates
    //
    return cert_validate_attribute(tmpl, attr, mode);
}

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation