/*
* Copyright (C) 2012 Red Hat Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* * Redistributions of source code must retain the above
* copyright notice, this list of conditions and the
* following disclaimer.
* * Redistributions in binary form must reproduce the
* above copyright notice, this list of conditions and
* the following disclaimer in the documentation and/or
* other materials provided with the distribution.
* * The names of contributors to this software may not be
* used to endorse or promote products derived from this
* software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
* THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
* DAMAGE.
*
* Author: Stef Walter <stefw@redhat.com>
*/
#include "config.h"
#define P11_DEBUG_FLAG P11_DEBUG_TRUST
#include "array.h"
#include "asn1.h"
#include "attrs.h"
#include "builder.h"
#include "constants.h"
#include "debug.h"
#include "digest.h"
#include "index.h"
#include "message.h"
#include "oid.h"
#include "pkcs11i.h"
#include "pkcs11x.h"
#include "utf8.h"
#include "x509.h"
#include <assert.h>
#include <stdlib.h>
#include <string.h>
struct _p11_builder {
p11_asn1_cache *asn1_cache;
p11_dict *asn1_defs;
int flags;
};
enum {
NONE = 0,
CREATE = 1 << 0,
MODIFY = 1 << 1,
REQUIRE = 1 << 2,
WANT = 1 << 3,
};
enum {
NORMAL_BUILD = 0,
GENERATED_CLASS = 1 << 0,
};
typedef struct {
int build_flags;
struct {
CK_ATTRIBUTE_TYPE type;
int flags;
bool (*validate) (p11_builder *, CK_ATTRIBUTE *);
} attrs[32];
CK_ATTRIBUTE * (*populate) (p11_builder *, p11_index *, CK_ATTRIBUTE *);
CK_RV (*validate) (p11_builder *, CK_ATTRIBUTE *, CK_ATTRIBUTE *);
} builder_schema;
static node_asn *
decode_or_get_asn1 (p11_builder *builder,
const char *struct_name,
const unsigned char *der,
size_t length)
{
node_asn *node;
node = p11_asn1_cache_get (builder->asn1_cache, struct_name, der, length);
if (node != NULL)
return node;
node = p11_asn1_decode (builder->asn1_defs, struct_name, der, length, NULL);
if (node != NULL)
p11_asn1_cache_take (builder->asn1_cache, node, struct_name, der, length);
return node;
}
static unsigned char *
lookup_extension (p11_builder *builder,
p11_index *index,
CK_ATTRIBUTE *cert,
CK_ATTRIBUTE *public_key,
const unsigned char *oid,
size_t *ext_len)
{
CK_OBJECT_CLASS klass = CKO_X_CERTIFICATE_EXTENSION;
CK_OBJECT_HANDLE obj;
CK_ATTRIBUTE *attrs;
CK_ATTRIBUTE *label;
void *value;
size_t length;
node_asn *node;
CK_ATTRIBUTE match[] = {
{ CKA_PUBLIC_KEY_INFO, },
{ CKA_OBJECT_ID, (void *)oid, p11_oid_length (oid) },
{ CKA_CLASS, &klass, sizeof (klass) },
{ CKA_INVALID },
};
if (public_key == NULL || public_key->type == CKA_INVALID)
public_key = p11_attrs_find_valid (cert, CKA_PUBLIC_KEY_INFO);
/* Look for an attached certificate extension */
if (public_key != NULL) {
memcpy (match, public_key, sizeof (CK_ATTRIBUTE));
obj = p11_index_find (index, match, -1);
attrs = p11_index_lookup (index, obj);
if (attrs != NULL) {
value = p11_attrs_find_value (attrs, CKA_VALUE, &length);
if (value != NULL) {
node = decode_or_get_asn1 (builder, "PKIX1.Extension", value, length);
if (node == NULL) {
label = p11_attrs_find_valid (attrs, CKA_LABEL);
if (label == NULL)
label = p11_attrs_find_valid (cert, CKA_LABEL);
p11_message ("%.*s: invalid certificate extension",
label ? (int)label->ulValueLen : 7,
label ? (char *)label->pValue : "unknown");
return NULL;
}
return p11_asn1_read (node, "extnValue", ext_len);
}
}
}
/* Couldn't find a parsed extension, so look in the current certificate */
value = p11_attrs_find_value (cert, CKA_VALUE, &length);
if (value != NULL) {
node = decode_or_get_asn1 (builder, "PKIX1.Certificate", value, length);
return_val_if_fail (node != NULL, NULL);
return p11_x509_find_extension (node, oid, value, length, ext_len);
}
return NULL;
}
static CK_OBJECT_HANDLE *
lookup_related (p11_index *index,
CK_OBJECT_CLASS klass,
CK_ATTRIBUTE *attr)
{
CK_ATTRIBUTE match[] = {
{ attr->type, attr->pValue, attr->ulValueLen },
{ CKA_CLASS, &klass, sizeof (klass) },
{ CKA_INVALID }
};
return p11_index_find_all (index, match, -1);
}
p11_builder *
p11_builder_new (int flags)
{
p11_builder *builder;
builder = calloc (1, sizeof (p11_builder));
return_val_if_fail (builder != NULL, NULL);
builder->asn1_cache = p11_asn1_cache_new ();
return_val_if_fail (builder->asn1_cache, NULL);
builder->asn1_defs = p11_asn1_cache_defs (builder->asn1_cache);
builder->flags = flags;
return builder;
}
static int
atoin (const char *p,
int digits)
{
int ret = 0, base = 1;
while(--digits >= 0) {
if (p[digits] < '0' || p[digits] > '9')
return -1;
ret += (p[digits] - '0') * base;
base *= 10;
}
return ret;
}
static bool
type_bool (p11_builder *builder,
CK_ATTRIBUTE *attr)
{
return (attr->pValue != NULL &&
sizeof (CK_BBOOL) == attr->ulValueLen);
}
static bool
type_ulong (p11_builder *builder,
CK_ATTRIBUTE *attr)
{
return (attr->pValue != NULL &&
sizeof (CK_ULONG) == attr->ulValueLen);
}
static bool
type_utf8 (p11_builder *builder,
CK_ATTRIBUTE *attr)
{
if (attr->ulValueLen == 0)
return true;
if (attr->pValue == NULL)
return false;
return p11_utf8_validate (attr->pValue, attr->ulValueLen);
}
static bool
type_date (p11_builder *builder,
CK_ATTRIBUTE *attr)
{
CK_DATE *date;
struct tm tm;
struct tm two;
if (attr->ulValueLen == 0)
return true;
if (attr->pValue == NULL || attr->ulValueLen != sizeof (CK_DATE))
return false;
date = attr->pValue;
memset (&tm, 0, sizeof (tm));
tm.tm_year = atoin ((char *)date->year, 4) - 1900;
tm.tm_mon = atoin ((char *)date->month, 2);
tm.tm_mday = atoin ((char *)date->day, 2);
if (tm.tm_year < 0 || tm.tm_mon <= 0 || tm.tm_mday <= 0)
return false;
memcpy (&two, &tm, sizeof (tm));
if (mktime (&two) < 0)
return false;
/* If mktime changed anything, then bad date */
if (tm.tm_year != two.tm_year ||
tm.tm_mon != two.tm_mon ||
tm.tm_mday != two.tm_mday)
return false;
return true;
}
static bool
check_der_struct (p11_builder *builder,
const char *struct_name,
CK_ATTRIBUTE *attr)
{
node_asn *asn;
if (attr->ulValueLen == 0)
return true;
if (attr->pValue == NULL)
return false;
asn = p11_asn1_decode (builder->asn1_defs, struct_name,
attr->pValue, attr->ulValueLen, NULL);
if (asn == NULL)
return false;
asn1_delete_structure (&asn);
return true;
}
static bool
type_der_name (p11_builder *builder,
CK_ATTRIBUTE *attr)
{
return check_der_struct (builder, "PKIX1.Name", attr);
}
static bool
type_der_serial (p11_builder *builder,
CK_ATTRIBUTE *attr)
{
return check_der_struct (builder, "PKIX1.CertificateSerialNumber", attr);
}
static bool
type_der_oid (p11_builder *builder,
CK_ATTRIBUTE *attr)
{
/* AttributeType is an OBJECT ID */
return check_der_struct (builder, "PKIX1.AttributeType", attr);
}
static bool
type_der_cert (p11_builder *builder,
CK_ATTRIBUTE *attr)
{
return check_der_struct (builder, "PKIX1.Certificate", attr);
}
static bool
type_der_key (p11_builder *builder,
CK_ATTRIBUTE *attr)
{
return check_der_struct (builder, "PKIX1.SubjectPublicKeyInfo", attr);
}
static bool
type_der_ext (p11_builder *builder,
CK_ATTRIBUTE *attr)
{
return check_der_struct (builder, "PKIX1.Extension", attr);
}
#define COMMON_ATTRS \
{ CKA_CLASS, REQUIRE | CREATE, type_ulong }, \
{ CKA_TOKEN, CREATE | WANT, type_bool }, \
{ CKA_MODIFIABLE, CREATE | WANT, type_bool }, \
{ CKA_PRIVATE, CREATE, type_bool }, \
{ CKA_LABEL, CREATE | MODIFY | WANT, type_utf8 }, \
{ CKA_X_GENERATED, CREATE }, \
{ CKA_X_ORIGIN, NONE } \
static CK_ATTRIBUTE *
common_populate (p11_builder *builder,
p11_index *index,
CK_ATTRIBUTE *unused)
{
CK_BBOOL tokenv = CK_FALSE;
CK_BBOOL modifiablev = CK_TRUE;
CK_BBOOL privatev = CK_FALSE;
CK_BBOOL generatedv = CK_FALSE;
CK_ATTRIBUTE token = { CKA_TOKEN, &tokenv, sizeof (tokenv), };
CK_ATTRIBUTE privat = { CKA_PRIVATE, &privatev, sizeof (privatev) };
CK_ATTRIBUTE modifiable = { CKA_MODIFIABLE, &modifiablev, sizeof (modifiablev) };
CK_ATTRIBUTE generated = { CKA_X_GENERATED, &generatedv, sizeof (generatedv) };
CK_ATTRIBUTE label = { CKA_LABEL, "", 0 };
if (builder->flags & P11_BUILDER_FLAG_TOKEN) {
tokenv = CK_TRUE;
modifiablev = CK_FALSE;
}
return p11_attrs_build (NULL, &token, &privat, &modifiable, &label, &generated, NULL);
}
static void
calc_check_value (const unsigned char *data,
size_t length,
CK_BYTE *check_value)
{
unsigned char checksum[P11_DIGEST_SHA1_LEN];
p11_digest_sha1 (checksum, data, length, NULL);
memcpy (check_value, checksum, 3);
}
static int
century_for_two_digit_year (int year)
{
time_t now;
struct tm tm;
int century, current;
return_val_if_fail (year >= 0 && year <= 99, -1);
/* Get the current year */
now = time (NULL);
return_val_if_fail (now >= 0, -1);
if (!gmtime_r (&now, &tm))
return_val_if_reached (-1);
current = (tm.tm_year % 100);
century = (tm.tm_year + 1900) - current;
/*
* Check if it's within 40 years before the
* current date.
*/
if (current < 40) {
if (year < current)
return century;
if (year > 100 - (40 - current))
return century - 100;
} else {
if (year < current && year > (current - 40))
return century;
}
/*
* If it's after then adjust for overflows to
* the next century.
*/
if (year < current)
return century + 100;
else
return century;
}
static bool
calc_date (node_asn *node,
const char *field,
CK_DATE *date)
{
node_asn *choice;
char buf[64];
int century;
char *sub;
int year;
int len;
int ret;
if (!node)
return false;
choice = asn1_find_node (node, field);
return_val_if_fail (choice != NULL, false);
len = sizeof (buf) - 1;
ret = asn1_read_value (node, field, buf, &len);
return_val_if_fail (ret == ASN1_SUCCESS, false);
sub = strconcat (field, ".", buf, NULL);
/*
* So here we take a shortcut and just copy the date from the
* certificate into the CK_DATE. This doesn't take into account
* time zones. However the PKCS#11 spec does not say what timezone
* the dates are in. In the PKCS#11 value have a day resolution,
* and time zones aren't that critical.
*/
if (strcmp (buf, "generalTime") == 0) {
len = sizeof (buf) - 1;
ret = asn1_read_value (node, sub, buf, &len);
return_val_if_fail (ret == ASN1_SUCCESS, false);
return_val_if_fail (len >= 8, false);
/* Same as first 8 characters of date */
memcpy (date, buf, 8);
} else if (strcmp (buf, "utcTime") == 0) {
len = sizeof (buf) - 1;
ret = asn1_read_value (node, sub, buf, &len);
return_val_if_fail (ret == ASN1_SUCCESS, false);
return_val_if_fail (len >= 6, false);
year = atoin (buf, 2);
return_val_if_fail (year >= 0, false);
century = century_for_two_digit_year (year);
return_val_if_fail (century >= 0 && century <= 9900, false);
snprintf ((char *)date->year, 3, "%02d", century / 100);
memcpy (((char *)date) + 2, buf, 6);
} else {
return_val_if_reached (false);
}
free (sub);
return true;
}
static bool
calc_element (node_asn *node,
const unsigned char *data,
size_t length,
const char *field,
CK_ATTRIBUTE *attr)
{
int ret;
int start, end;
if (!node)
return false;
ret = asn1_der_decoding_startEnd (node, data, length, field, &start, &end);
return_val_if_fail (ret == ASN1_SUCCESS, false);
return_val_if_fail (end >= start, false);
attr->pValue = (void *)(data + start);
attr->ulValueLen = (end - start) + 1;
return true;
}
static bool
is_v1_x509_authority (p11_builder *builder,
CK_ATTRIBUTE *cert)
{
CK_ATTRIBUTE subject;
CK_ATTRIBUTE issuer;
CK_ATTRIBUTE *value;
char buffer[16];
node_asn *node;
int len;
int ret;
value = p11_attrs_find_valid (cert, CKA_VALUE);
if (value == NULL)
return false;
node = decode_or_get_asn1 (builder, "PKIX1.Certificate",
value->pValue, value->ulValueLen);
return_val_if_fail (node != NULL, false);
len = sizeof (buffer);
ret = asn1_read_value (node, "tbsCertificate.version", buffer, &len);
/* The default value */
if (ret == ASN1_ELEMENT_NOT_FOUND) {
ret = ASN1_SUCCESS;
buffer[0] = 0;
len = 1;
}
return_val_if_fail (ret == ASN1_SUCCESS, false);
/*
* In X.509 version v1 is the integer zero. Two's complement
* integer, but zero is easy to read.
*/
if (len != 1 || buffer[0] != 0)
return false;
/* Must be self-signed, ie: same subject and issuer */
if (!calc_element (node, value->pValue, value->ulValueLen, "tbsCertificate.subject", &subject))
return_val_if_reached (false);
if (!calc_element (node, value->pValue, value->ulValueLen, "tbsCertificate.issuer", &issuer))
return_val_if_reached (false);
return p11_attr_match_value (&subject, issuer.pValue, issuer.ulValueLen);
}
static bool
calc_certificate_category (p11_builder *builder,
p11_index *index,
CK_ATTRIBUTE *cert,
CK_ATTRIBUTE *public_key,
CK_ULONG *category)
{
CK_ATTRIBUTE *label;
unsigned char *ext;
size_t ext_len;
bool is_ca = 0;
bool ret;
/*
* In the PKCS#11 spec:
* 0 = unspecified (default value)
* 1 = token user
* 2 = authority
* 3 = other entity
*/
/* See if we have a basic constraints extension */
ext = lookup_extension (builder, index, cert, public_key, P11_OID_BASIC_CONSTRAINTS, &ext_len);
if (ext != NULL) {
ret = p11_x509_parse_basic_constraints (builder->asn1_defs, ext, ext_len, &is_ca);
free (ext);
if (!ret) {
label = p11_attrs_find_valid (cert, CKA_LABEL);
p11_message ("%.*s: invalid basic constraints certificate extension",
label ? (int)label->ulValueLen : 7,
label ? (char *)label->pValue : "unknown");
return false;
}
} else if (is_v1_x509_authority (builder, cert)) {
/*
* If there is no basic constraints extension, and the CA version is
* v1, and is self-signed, then we assume this is a certificate authority.
* So we add a BasicConstraints attached certificate extension
*/
is_ca = 1;
} else if (!p11_attrs_find_valid (cert, CKA_VALUE)) {
/*
* If we have no certificate value, then this is unknown
*/
*category = 0;
return true;
}
*category = is_ca ? 2 : 3;
return true;
}
static CK_ATTRIBUTE *
certificate_value_attrs (p11_builder *builder,
CK_ATTRIBUTE *attrs,
node_asn *node,
const unsigned char *der,
size_t der_len,
CK_ATTRIBUTE *public_key)
{
unsigned char checksum[P11_DIGEST_SHA1_LEN];
unsigned char *keyid = NULL;
size_t keyid_len;
unsigned char *ext = NULL;
size_t ext_len;
CK_BBOOL falsev = CK_FALSE;
CK_ULONG zero = 0UL;
CK_BYTE checkv[3];
CK_DATE startv;
CK_DATE endv;
char *labelv = NULL;
CK_ATTRIBUTE trusted = { CKA_TRUSTED, &falsev, sizeof (falsev) };
CK_ATTRIBUTE distrusted = { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) };
CK_ATTRIBUTE url = { CKA_URL, "", 0 };
CK_ATTRIBUTE hash_of_subject_public_key = { CKA_HASH_OF_SUBJECT_PUBLIC_KEY, checksum, sizeof (checksum) };
CK_ATTRIBUTE hash_of_issuer_public_key = { CKA_HASH_OF_ISSUER_PUBLIC_KEY, "", 0 };
CK_ATTRIBUTE java_midp_security_domain = { CKA_JAVA_MIDP_SECURITY_DOMAIN, &zero, sizeof (zero) };
CK_ATTRIBUTE check_value = { CKA_CHECK_VALUE, &checkv, sizeof (checkv) };
CK_ATTRIBUTE start_date = { CKA_START_DATE, &startv, sizeof (startv) };
CK_ATTRIBUTE end_date = { CKA_END_DATE, &endv, sizeof (endv) };
CK_ATTRIBUTE subject = { CKA_SUBJECT, };
CK_ATTRIBUTE issuer = { CKA_ISSUER, "", 0 };
CK_ATTRIBUTE serial_number = { CKA_SERIAL_NUMBER, "", 0 };
CK_ATTRIBUTE label = { CKA_LABEL };
CK_ATTRIBUTE id = { CKA_ID, NULL, 0 };
return_val_if_fail (attrs != NULL, NULL);
if (der == NULL)
check_value.type = CKA_INVALID;
else
calc_check_value (der, der_len, checkv);
if (!calc_date (node, "tbsCertificate.validity.notBefore", &startv))
start_date.ulValueLen = 0;
if (!calc_date (node, "tbsCertificate.validity.notAfter", &endv))
end_date.ulValueLen = 0;
if (calc_element (node, der, der_len, "tbsCertificate.subjectPublicKeyInfo", public_key))
public_key->type = CKA_PUBLIC_KEY_INFO;
else
public_key->type = CKA_INVALID;
calc_element (node, der, der_len, "tbsCertificate.issuer.rdnSequence", &issuer);
if (!calc_element (node, der, der_len, "tbsCertificate.subject.rdnSequence", &subject))
subject.type = CKA_INVALID;
calc_element (node, der, der_len, "tbsCertificate.serialNumber", &serial_number);
/* Try to build a keyid from an extension */
if (node) {
ext = p11_x509_find_extension (node, P11_OID_SUBJECT_KEY_IDENTIFIER, der, der_len, &ext_len);
if (ext) {
keyid = p11_x509_parse_subject_key_identifier (builder->asn1_defs, ext,
ext_len, &keyid_len);
id.pValue = keyid;
id.ulValueLen = keyid_len;
}
}
if (!node || !p11_x509_hash_subject_public_key (node, der, der_len, checksum))
hash_of_subject_public_key.ulValueLen = 0;
if (id.pValue == NULL) {
id.pValue = hash_of_subject_public_key.pValue;
id.ulValueLen = hash_of_subject_public_key.ulValueLen;
}
if (node) {
labelv = p11_x509_lookup_dn_name (node, "tbsCertificate.subject",
der, der_len, P11_OID_CN);
if (!labelv)
labelv = p11_x509_lookup_dn_name (node, "tbsCertificate.subject",
der, der_len, P11_OID_OU);
if (!labelv)
labelv = p11_x509_lookup_dn_name (node, "tbsCertificate.subject",
der, der_len, P11_OID_O);
}
if (labelv) {
label.pValue = labelv;
label.ulValueLen = strlen (labelv);
} else {
label.type = CKA_INVALID;
}
attrs = p11_attrs_build (attrs, &trusted, &distrusted, &url, &hash_of_issuer_public_key,
&hash_of_subject_public_key, &java_midp_security_domain,
&check_value, &start_date, &end_date, &id,
&subject, &issuer, &serial_number, &label, public_key,
NULL);
return_val_if_fail (attrs != NULL, NULL);
free (ext);
free (keyid);
free (labelv);
return attrs;
}
static CK_ATTRIBUTE *
certificate_populate (p11_builder *builder,
p11_index *index,
CK_ATTRIBUTE *cert)
{
CK_ULONG categoryv = 0UL;
CK_ATTRIBUTE *attrs = NULL;
CK_ATTRIBUTE public_key;
node_asn *node = NULL;
unsigned char *der = NULL;
size_t der_len = 0;
CK_ATTRIBUTE category = { CKA_CERTIFICATE_CATEGORY, &categoryv, sizeof (categoryv) };
CK_ATTRIBUTE empty_value = { CKA_VALUE, "", 0 };
attrs = common_populate (builder, index, cert);
return_val_if_fail (attrs != NULL, NULL);
der = p11_attrs_find_value (cert, CKA_VALUE, &der_len);
if (der != NULL)
node = decode_or_get_asn1 (builder, "PKIX1.Certificate", der, der_len);
attrs = certificate_value_attrs (builder, attrs, node, der, der_len, &public_key);
return_val_if_fail (attrs != NULL, NULL);
if (!calc_certificate_category (builder, index, cert, &public_key, &categoryv))
categoryv = 0;
return p11_attrs_build (attrs, &category, &empty_value, NULL);
}
static bool
have_attribute (CK_ATTRIBUTE *attrs1,
CK_ATTRIBUTE *attrs2,
CK_ATTRIBUTE_TYPE type)
{
CK_ATTRIBUTE *attr;
attr = p11_attrs_find (attrs1, type);
if (attr == NULL)
attr = p11_attrs_find (attrs2, type);
return attr != NULL && attr->ulValueLen > 0;
}
static CK_RV
certificate_validate (p11_builder *builder,
CK_ATTRIBUTE *attrs,
CK_ATTRIBUTE *merge)
{
/*
* In theory we should be validating that in the absence of CKA_VALUE
* various other fields must be set. However we do not enforce this
* because we want to be able to have certificates without a value
* but issuer and serial number, for blacklisting purposes.
*/
if (have_attribute (attrs, merge, CKA_URL)) {
if (!have_attribute (attrs, merge, CKA_HASH_OF_SUBJECT_PUBLIC_KEY)) {
p11_message ("missing the CKA_HASH_OF_SUBJECT_PUBLIC_KEY attribute");
return CKR_TEMPLATE_INCONSISTENT;
}
if (!have_attribute (attrs, merge, CKA_HASH_OF_SUBJECT_PUBLIC_KEY)) {
p11_message ("missing the CKA_HASH_OF_ISSUER_PUBLIC_KEY attribute");
return CKR_TEMPLATE_INCONSISTENT;
}
}
return CKR_OK;
}
const static builder_schema certificate_schema = {
NORMAL_BUILD,
{ COMMON_ATTRS,
{ CKA_CERTIFICATE_TYPE, REQUIRE | CREATE, type_ulong },
{ CKA_TRUSTED, CREATE | WANT, type_bool },
{ CKA_X_DISTRUSTED, CREATE | WANT, type_bool },
{ CKA_NSS_MOZILLA_CA_POLICY, CREATE | WANT, type_bool },
{ CKA_CERTIFICATE_CATEGORY, CREATE | WANT, type_ulong },
{ CKA_CHECK_VALUE, CREATE | WANT, },
{ CKA_START_DATE, CREATE | MODIFY | WANT, type_date },
{ CKA_END_DATE, CREATE | MODIFY | WANT, type_date },
{ CKA_SUBJECT, CREATE | WANT, type_der_name },
{ CKA_ID, CREATE | MODIFY | WANT },
{ CKA_ISSUER, CREATE | MODIFY | WANT, type_der_name },
{ CKA_SERIAL_NUMBER, CREATE | MODIFY | WANT, type_der_serial },
{ CKA_VALUE, CREATE, type_der_cert },
{ CKA_URL, CREATE, type_utf8 },
{ CKA_HASH_OF_SUBJECT_PUBLIC_KEY, CREATE },
{ CKA_HASH_OF_ISSUER_PUBLIC_KEY, CREATE },
{ CKA_JAVA_MIDP_SECURITY_DOMAIN, CREATE, type_ulong },
{ CKA_PUBLIC_KEY_INFO, WANT, type_der_key },
{ CKA_INVALID },
}, certificate_populate, certificate_validate,
};
static CK_ATTRIBUTE *
extension_populate (p11_builder *builder,
p11_index *index,
CK_ATTRIBUTE *extension)
{
unsigned char checksum[P11_DIGEST_SHA1_LEN];
CK_ATTRIBUTE object_id = { CKA_INVALID };
CK_ATTRIBUTE id = { CKA_INVALID };
CK_ATTRIBUTE *attrs = NULL;
void *der;
size_t len;
node_asn *asn;
attrs = common_populate (builder, index, extension);
return_val_if_fail (attrs != NULL, NULL);
if (!p11_attrs_find_valid (attrs, CKA_ID)) {
der = p11_attrs_find_value (extension, CKA_PUBLIC_KEY_INFO, &len);
return_val_if_fail (der != NULL, NULL);
p11_digest_sha1 (checksum, der, len, NULL);
id.pValue = checksum;
id.ulValueLen = sizeof (checksum);
id.type = CKA_ID;
}
/* Pull the object id out of the extension if not present */
if (!p11_attrs_find_valid (attrs, CKA_OBJECT_ID)) {
der = p11_attrs_find_value (extension, CKA_VALUE, &len);
return_val_if_fail (der != NULL, NULL);
asn = decode_or_get_asn1 (builder, "PKIX1.Extension", der, len);
return_val_if_fail (asn != NULL, NULL);
if (calc_element (asn, der, len, "extnID", &object_id))
object_id.type = CKA_OBJECT_ID;
}
attrs = p11_attrs_build (attrs, &object_id, &id, NULL);
return_val_if_fail (attrs != NULL, NULL);
return attrs;
}
const static builder_schema extension_schema = {
NORMAL_BUILD,
{ COMMON_ATTRS,
{ CKA_VALUE, REQUIRE | CREATE, type_der_ext },
{ CKA_PUBLIC_KEY_INFO, REQUIRE | CREATE, type_der_key },
{ CKA_OBJECT_ID, CREATE | WANT, type_der_oid },
{ CKA_ID, CREATE | MODIFY },
{ CKA_INVALID },
}, extension_populate,
};
static CK_ATTRIBUTE *
data_populate (p11_builder *builder,
p11_index *index,
CK_ATTRIBUTE *data)
{
static const CK_ATTRIBUTE value = { CKA_VALUE, "", 0 };
static const CK_ATTRIBUTE application = { CKA_APPLICATION, "", 0 };
static const CK_ATTRIBUTE object_id = { CKA_OBJECT_ID, "", 0 };
CK_ATTRIBUTE *attrs;
attrs = common_populate (builder, index, data);
return_val_if_fail (attrs != NULL, NULL);
return p11_attrs_build (attrs, &value, &application, &object_id, NULL);
}
const static builder_schema data_schema = {
NORMAL_BUILD,
{ COMMON_ATTRS,
{ CKA_VALUE, CREATE | MODIFY | WANT },
{ CKA_APPLICATION, CREATE | MODIFY | WANT, type_utf8 },
{ CKA_OBJECT_ID, CREATE | MODIFY | WANT, type_der_oid },
{ CKA_INVALID },
}, data_populate,
};
const static builder_schema trust_schema = {
GENERATED_CLASS,
{ COMMON_ATTRS,
{ CKA_CERT_SHA1_HASH, CREATE },
{ CKA_CERT_MD5_HASH, CREATE },
{ CKA_ISSUER, CREATE },
{ CKA_SUBJECT, CREATE },
{ CKA_SERIAL_NUMBER, CREATE },
{ CKA_TRUST_SERVER_AUTH, CREATE },
{ CKA_TRUST_CLIENT_AUTH, CREATE },
{ CKA_TRUST_EMAIL_PROTECTION, CREATE },
{ CKA_TRUST_CODE_SIGNING, CREATE },
{ CKA_TRUST_IPSEC_END_SYSTEM, CREATE },
{ CKA_TRUST_IPSEC_TUNNEL, CREATE },
{ CKA_TRUST_IPSEC_USER, CREATE },
{ CKA_TRUST_TIME_STAMPING, CREATE },
{ CKA_TRUST_DIGITAL_SIGNATURE, CREATE },
{ CKA_TRUST_NON_REPUDIATION, CREATE },
{ CKA_TRUST_KEY_ENCIPHERMENT, CREATE },
{ CKA_TRUST_DATA_ENCIPHERMENT, CREATE },
{ CKA_TRUST_KEY_AGREEMENT, CREATE },
{ CKA_TRUST_KEY_CERT_SIGN, CREATE },
{ CKA_TRUST_CRL_SIGN, CREATE },
{ CKA_TRUST_STEP_UP_APPROVED, CREATE },
{ CKA_ID, CREATE },
{ CKA_INVALID },
}, common_populate
};
const static builder_schema assertion_schema = {
GENERATED_CLASS,
{ COMMON_ATTRS,
{ CKA_X_PURPOSE, REQUIRE | CREATE },
{ CKA_X_CERTIFICATE_VALUE, CREATE },
{ CKA_X_ASSERTION_TYPE, REQUIRE | CREATE },
{ CKA_ISSUER, CREATE },
{ CKA_SERIAL_NUMBER, CREATE },
{ CKA_X_PEER, CREATE },
{ CKA_ID, CREATE },
{ CKA_INVALID },
}, common_populate
};
const static builder_schema builtin_schema = {
GENERATED_CLASS,
{ COMMON_ATTRS,
{ CKA_INVALID },
}, common_populate
};
static const char *
value_name (const p11_constant *info,
CK_ATTRIBUTE_TYPE type)
{
const char *name = p11_constant_name (info, type);
return name ? name : "unknown";
}
static const char *
type_name (CK_ATTRIBUTE_TYPE type)
{
return value_name (p11_constant_types, type);
}
static CK_RV
build_for_schema (p11_builder *builder,
p11_index *index,
const builder_schema *schema,
CK_ATTRIBUTE *attrs,
CK_ATTRIBUTE *merge,
CK_ATTRIBUTE **extra)
{
CK_BBOOL modifiable;
CK_ATTRIBUTE *attr;
bool modifying;
bool creating;
bool populate;
bool loading;
bool found;
int flags;
int i, j;
CK_RV rv;
populate = false;
/* Signifies that data is being loaded */
loading = p11_index_loading (index);
/* Signifies that this is being created by a caller, instead of loaded */
creating = (attrs == NULL && !loading);
/* Item is being modified by a caller */
modifying = (attrs != NULL && !loading);
/* This item may not be modifiable */
if (modifying) {
if (!p11_attrs_find_bool (attrs, CKA_MODIFIABLE, &modifiable) || !modifiable) {
p11_message ("the object is not modifiable");
return CKR_ATTRIBUTE_READ_ONLY;
}
}
if (creating && (builder->flags & P11_BUILDER_FLAG_TOKEN)) {
if (schema->build_flags & GENERATED_CLASS) {
p11_message ("objects of this type cannot be created");
return CKR_TEMPLATE_INCONSISTENT;
}
}
for (i = 0; merge[i].type != CKA_INVALID; i++) {
/* Don't validate attribute if not changed */
attr = p11_attrs_find (attrs, merge[i].type);
if (attr && p11_attr_equal (attr, merge + i))
continue;
found = false;
for (j = 0; schema->attrs[j].type != CKA_INVALID; j++) {
if (schema->attrs[j].type != merge[i].type)
continue;
flags = schema->attrs[j].flags;
if (creating && !(flags & CREATE)) {
p11_message ("the %s attribute cannot be set",
type_name (schema->attrs[j].type));
return CKR_ATTRIBUTE_READ_ONLY;
}
if (modifying && !(flags & MODIFY)) {
p11_message ("the %s attribute cannot be changed",
type_name (schema->attrs[j].type));
return CKR_ATTRIBUTE_READ_ONLY;
}
if (!loading && schema->attrs[j].validate != NULL &&
!schema->attrs[j].validate (builder, merge + i)) {
p11_message ("the %s attribute has an invalid value",
type_name (schema->attrs[j].type));
return CKR_ATTRIBUTE_VALUE_INVALID;
}
found = true;
break;
}
if (!found) {
p11_message ("the %s attribute is not valid for the object",
type_name (merge[i].type));
return CKR_TEMPLATE_INCONSISTENT;
}
}
if (attrs == NULL) {
for (j = 0; schema->attrs[j].type != CKA_INVALID; j++) {
flags = schema->attrs[j].flags;
found = false;
if ((flags & REQUIRE) || (flags & WANT)) {
for (i = 0; merge[i].type != CKA_INVALID; i++) {
if (schema->attrs[j].type == merge[i].type) {
found = true;
break;
}
}
}
if (!found) {
if (flags & REQUIRE) {
p11_message ("missing the %s attribute",
type_name (schema->attrs[j].type));
return CKR_TEMPLATE_INCOMPLETE;
} else if (flags & WANT) {
populate = true;
}
}
}
}
/* Validate the result, before committing to the change. */
if (!loading && schema->validate) {
rv = (schema->validate) (builder, attrs, merge);
if (rv != CKR_OK)
return rv;
}
if (populate && schema->populate)
*extra = schema->populate (builder, index, merge);
return CKR_OK;
}
CK_RV
p11_builder_build (void *bilder,
p11_index *index,
CK_ATTRIBUTE *attrs,
CK_ATTRIBUTE *merge,
CK_ATTRIBUTE **populate)
{
p11_builder *builder = bilder;
CK_OBJECT_CLASS klass;
CK_CERTIFICATE_TYPE type;
CK_BBOOL token;
return_val_if_fail (builder != NULL, CKR_GENERAL_ERROR);
return_val_if_fail (index != NULL, CKR_GENERAL_ERROR);
return_val_if_fail (merge != NULL, CKR_GENERAL_ERROR);
if (!p11_attrs_find_ulong (attrs ? attrs : merge, CKA_CLASS, &klass)) {
p11_message ("no CKA_CLASS attribute found");
return CKR_TEMPLATE_INCOMPLETE;
}
if (!attrs && p11_attrs_find_bool (merge, CKA_TOKEN, &token)) {
if (token != ((builder->flags & P11_BUILDER_FLAG_TOKEN) ? CK_TRUE : CK_FALSE)) {
p11_message ("cannot create a %s object", token ? "token" : "non-token");
return CKR_TEMPLATE_INCONSISTENT;
}
}
switch (klass) {
case CKO_CERTIFICATE:
if (!p11_attrs_find_ulong (attrs ? attrs : merge, CKA_CERTIFICATE_TYPE, &type)) {
p11_message ("missing %s on object", type_name (CKA_CERTIFICATE_TYPE));
return CKR_TEMPLATE_INCOMPLETE;
} else if (type == CKC_X_509) {
return build_for_schema (builder, index, &certificate_schema, attrs, merge, populate);
} else {
p11_message ("%s unsupported %s", value_name (p11_constant_certs, type),
type_name (CKA_CERTIFICATE_TYPE));
return CKR_TEMPLATE_INCONSISTENT;
}
case CKO_X_CERTIFICATE_EXTENSION:
return build_for_schema (builder, index, &extension_schema, attrs, merge, populate);
case CKO_DATA:
return build_for_schema (builder, index, &data_schema, attrs, merge, populate);
case CKO_NSS_TRUST:
return build_for_schema (builder, index, &trust_schema, attrs, merge, populate);
case CKO_NSS_BUILTIN_ROOT_LIST:
return build_for_schema (builder, index, &builtin_schema, attrs, merge, populate);
case CKO_X_TRUST_ASSERTION:
return build_for_schema (builder, index, &assertion_schema, attrs, merge, populate);
default:
p11_message ("%s unsupported object class",
value_name (p11_constant_classes, klass));
return CKR_TEMPLATE_INCONSISTENT;
}
}
void
p11_builder_free (p11_builder *builder)
{
return_if_fail (builder != NULL);
p11_asn1_cache_free (builder->asn1_cache);
free (builder);
}
p11_asn1_cache *
p11_builder_get_cache (p11_builder *builder)
{
return_val_if_fail (builder != NULL, NULL);
return builder->asn1_cache;
}
static CK_ATTRIBUTE *
build_trust_object_ku (p11_builder *builder,
p11_index *index,
CK_ATTRIBUTE *cert,
CK_ATTRIBUTE *object,
CK_TRUST present)
{
unsigned char *data = NULL;
unsigned int ku = 0;
size_t length;
CK_TRUST defawlt;
CK_ULONG i;
struct {
CK_ATTRIBUTE_TYPE type;
unsigned int ku;
} ku_attribute_map[] = {
{ CKA_TRUST_DIGITAL_SIGNATURE, P11_KU_DIGITAL_SIGNATURE },
{ CKA_TRUST_NON_REPUDIATION, P11_KU_NON_REPUDIATION },
{ CKA_TRUST_KEY_ENCIPHERMENT, P11_KU_KEY_ENCIPHERMENT },
{ CKA_TRUST_DATA_ENCIPHERMENT, P11_KU_DATA_ENCIPHERMENT },
{ CKA_TRUST_KEY_AGREEMENT, P11_KU_KEY_AGREEMENT },
{ CKA_TRUST_KEY_CERT_SIGN, P11_KU_KEY_CERT_SIGN },
{ CKA_TRUST_CRL_SIGN, P11_KU_CRL_SIGN },
{ CKA_INVALID },
};
CK_ATTRIBUTE attrs[sizeof (ku_attribute_map)];
defawlt = present;
/* If blacklisted, don't even bother looking at extensions */
if (present != CKT_NSS_NOT_TRUSTED)
data = lookup_extension (builder, index, cert, NULL, P11_OID_KEY_USAGE, &length);
if (data) {
/*
* If the certificate extension was missing, then *all* key
* usages are to be set. If the extension was invalid, then
* fail safe to none of the key usages.
*/
defawlt = CKT_NSS_TRUST_UNKNOWN;
if (!p11_x509_parse_key_usage (builder->asn1_defs, data, length, &ku))
p11_message ("invalid key usage certificate extension");
free (data);
}
for (i = 0; ku_attribute_map[i].type != CKA_INVALID; i++) {
attrs[i].type = ku_attribute_map[i].type;
if (data && (ku & ku_attribute_map[i].ku) == ku_attribute_map[i].ku) {
attrs[i].pValue = &present;
attrs[i].ulValueLen = sizeof (present);
} else {
attrs[i].pValue = &defawlt;
attrs[i].ulValueLen = sizeof (defawlt);
}
}
return p11_attrs_buildn (object, attrs, i);
}
static bool
strv_to_dict (const char **array,
p11_dict **dict)
{
int i;
if (!array) {
*dict = NULL;
return true;
}
*dict = p11_dict_new (p11_dict_str_hash, p11_dict_str_equal, NULL, NULL);
return_val_if_fail (*dict != NULL, false);
for (i = 0; array[i] != NULL; i++) {
if (!p11_dict_set (*dict, (void *)array[i], (void *)array[i]))
return_val_if_reached (false);
}
return true;
}
static CK_ATTRIBUTE *
build_trust_object_eku (CK_ATTRIBUTE *object,
CK_TRUST allow,
const char **purposes,
const char **rejects)
{
p11_dict *dict_purp;
p11_dict *dict_rej;
CK_TRUST neutral;
CK_TRUST disallow;
CK_ULONG i;
struct {
CK_ATTRIBUTE_TYPE type;
const char *oid;
} eku_attribute_map[] = {
{ CKA_TRUST_SERVER_AUTH, P11_OID_SERVER_AUTH_STR },
{ CKA_TRUST_CLIENT_AUTH, P11_OID_CLIENT_AUTH_STR },
{ CKA_TRUST_CODE_SIGNING, P11_OID_CODE_SIGNING_STR },
{ CKA_TRUST_EMAIL_PROTECTION, P11_OID_EMAIL_PROTECTION_STR },
{ CKA_TRUST_IPSEC_END_SYSTEM, P11_OID_IPSEC_END_SYSTEM_STR },
{ CKA_TRUST_IPSEC_TUNNEL, P11_OID_IPSEC_TUNNEL_STR },
{ CKA_TRUST_IPSEC_USER, P11_OID_IPSEC_USER_STR },
{ CKA_TRUST_TIME_STAMPING, P11_OID_TIME_STAMPING_STR },
{ CKA_INVALID },
};
CK_ATTRIBUTE attrs[sizeof (eku_attribute_map)];
if (!strv_to_dict (purposes, &dict_purp) ||
!strv_to_dict (rejects, &dict_rej))
return_val_if_reached (NULL);
/* The neutral value is set if an purpose is not present */
if (allow == CKT_NSS_NOT_TRUSTED)
neutral = CKT_NSS_NOT_TRUSTED;
/* If anything explicitly set, then neutral is unknown */
else if (purposes || rejects)
neutral = CKT_NSS_TRUST_UNKNOWN;
/* Otherwise neutral will allow any purpose */
else
neutral = allow;
/* The value set if a purpose is explicitly rejected */
disallow = CKT_NSS_NOT_TRUSTED;
for (i = 0; eku_attribute_map[i].type != CKA_INVALID; i++) {
attrs[i].type = eku_attribute_map[i].type;
if (dict_rej && p11_dict_get (dict_rej, eku_attribute_map[i].oid)) {
attrs[i].pValue = &disallow;
attrs[i].ulValueLen = sizeof (disallow);
} else if (dict_purp && p11_dict_get (dict_purp, eku_attribute_map[i].oid)) {
attrs[i].pValue = &allow;
attrs[i].ulValueLen = sizeof (allow);
} else {
attrs[i].pValue = &neutral;
attrs[i].ulValueLen = sizeof (neutral);
}
}
p11_dict_free (dict_purp);
p11_dict_free (dict_rej);
return p11_attrs_buildn (object, attrs, i);
}
static void
replace_nss_trust_object (p11_builder *builder,
p11_index *index,
CK_ATTRIBUTE *cert,
CK_BBOOL trust,
CK_BBOOL distrust,
CK_BBOOL authority,
const char **purposes,
const char **rejects)
{
CK_ATTRIBUTE *attrs = NULL;
CK_ATTRIBUTE *match = NULL;
CK_TRUST allow;
CK_RV rv;
CK_OBJECT_CLASS klassv = CKO_NSS_TRUST;
CK_BYTE sha1v[P11_DIGEST_SHA1_LEN];
CK_BYTE md5v[P11_DIGEST_MD5_LEN];
CK_BBOOL generatedv = CK_FALSE;
CK_BBOOL falsev = CK_FALSE;
CK_ATTRIBUTE klass = { CKA_CLASS, &klassv, sizeof (klassv) };
CK_ATTRIBUTE modifiable = { CKA_MODIFIABLE, &falsev, sizeof (falsev) };
CK_ATTRIBUTE generated = { CKA_X_GENERATED, &generatedv, sizeof (generatedv) };
CK_ATTRIBUTE invalid = { CKA_INVALID, };
CK_ATTRIBUTE md5_hash = { CKA_CERT_MD5_HASH, md5v, sizeof (md5v) };
CK_ATTRIBUTE sha1_hash = { CKA_CERT_SHA1_HASH, sha1v, sizeof (sha1v) };
CK_ATTRIBUTE step_up_approved = { CKA_TRUST_STEP_UP_APPROVED, &falsev, sizeof (falsev) };
CK_ATTRIBUTE_PTR label;
CK_ATTRIBUTE_PTR id;
CK_ATTRIBUTE_PTR subject;
CK_ATTRIBUTE_PTR issuer;
CK_ATTRIBUTE_PTR serial_number;
p11_array *array;
void *value;
size_t length;
issuer = p11_attrs_find_valid (cert, CKA_ISSUER);
serial_number = p11_attrs_find_valid (cert, CKA_SERIAL_NUMBER);
value = p11_attrs_find_value (cert, CKA_VALUE, &length);
if (!issuer && !serial_number && !value) {
p11_debug ("can't generate nss trust object for certificate without issuer+serial or value");
return;
}
if (value == NULL) {
md5_hash.type = CKA_INVALID;
sha1_hash.type = CKA_INVALID;
} else {
p11_digest_md5 (md5v, value, length, NULL);
p11_digest_sha1 (sha1v, value, length, NULL);
}
if (!issuer)
issuer = &invalid;
if (!serial_number)
serial_number = &invalid;
match = p11_attrs_build (NULL, issuer, serial_number, &sha1_hash,
&generated, &klass, NULL);
return_if_fail (match != NULL);
/* If we find a non-generated object, then don't generate */
if (p11_index_find (index, match, -1)) {
p11_debug ("not generating nss trust object because one already exists");
attrs = NULL;
} else {
generatedv = CK_TRUE;
match = p11_attrs_build (match, &generated, NULL);
return_if_fail (match != NULL);
/* Copy all of the following attributes from certificate */
id = p11_attrs_find_valid (cert, CKA_ID);
if (id == NULL)
id = &invalid;
subject = p11_attrs_find_valid (cert, CKA_SUBJECT);
if (subject == NULL)
subject = &invalid;
label = p11_attrs_find_valid (cert, CKA_LABEL);
if (label == NULL)
label = &invalid;
attrs = p11_attrs_dup (match);
return_if_fail (attrs != NULL);
attrs = p11_attrs_build (attrs, &klass, &modifiable, id, label,
subject, issuer, serial_number,
&md5_hash, &sha1_hash, &step_up_approved, NULL);
return_if_fail (attrs != NULL);
/* Calculate the default allow trust */
if (distrust)
allow = CKT_NSS_NOT_TRUSTED;
else if (trust && authority)
allow = CKT_NSS_TRUSTED_DELEGATOR;
else if (trust)
allow = CKT_NSS_TRUSTED;
else
allow = CKT_NSS_TRUST_UNKNOWN;
attrs = build_trust_object_ku (builder, index, cert, attrs, allow);
return_if_fail (attrs != NULL);
attrs = build_trust_object_eku (attrs, allow, purposes, rejects);
return_if_fail (attrs != NULL);
}
/* Replace related generated object with this new one */
array = p11_array_new (NULL);
p11_array_push (array, attrs);
rv = p11_index_replace_all (index, match, CKA_INVALID, array);
return_if_fail (rv == CKR_OK);
p11_array_free (array);
p11_attrs_free (match);
}
static void
build_assertions (p11_array *array,
CK_ATTRIBUTE *cert,
CK_X_ASSERTION_TYPE type,
const char **oids)
{
CK_OBJECT_CLASS assertion = CKO_X_TRUST_ASSERTION;
CK_BBOOL truev = CK_TRUE;
CK_BBOOL falsev = CK_FALSE;
CK_ATTRIBUTE klass = { CKA_CLASS, &assertion, sizeof (assertion) };
CK_ATTRIBUTE private = { CKA_PRIVATE, &falsev, sizeof (falsev) };
CK_ATTRIBUTE modifiable = { CKA_MODIFIABLE, &falsev, sizeof (falsev) };
CK_ATTRIBUTE assertion_type = { CKA_X_ASSERTION_TYPE, &type, sizeof (type) };
CK_ATTRIBUTE autogen = { CKA_X_GENERATED, &truev, sizeof (truev) };
CK_ATTRIBUTE purpose = { CKA_X_PURPOSE, };
CK_ATTRIBUTE invalid = { CKA_INVALID, };
CK_ATTRIBUTE certificate_value = { CKA_X_CERTIFICATE_VALUE, };
CK_ATTRIBUTE *issuer;
CK_ATTRIBUTE *serial;
CK_ATTRIBUTE *value;
CK_ATTRIBUTE *label;
CK_ATTRIBUTE *id;
CK_ATTRIBUTE *attrs;
int i;
if (type == CKT_X_DISTRUSTED_CERTIFICATE) {
certificate_value.type = CKA_INVALID;
issuer = p11_attrs_find_valid (cert, CKA_ISSUER);
serial = p11_attrs_find_valid (cert, CKA_SERIAL_NUMBER);
if (!issuer || !serial) {
p11_debug ("not building negative trust assertion for certificate without serial or issuer");
return;
}
} else {
issuer = &invalid;
serial = &invalid;
value = p11_attrs_find_valid (cert, CKA_VALUE);
if (value == NULL) {
p11_debug ("not building positive trust assertion for certificate without value");
return;
}
certificate_value.pValue = value->pValue;
certificate_value.ulValueLen = value->ulValueLen;
}
label = p11_attrs_find (cert, CKA_LABEL);
if (label == NULL)
label = &invalid;
id = p11_attrs_find (cert, CKA_ID);
if (id == NULL)
id = &invalid;
for (i = 0; oids[i] != NULL; i++) {
purpose.pValue = (void *)oids[i];
purpose.ulValueLen = strlen (oids[i]);
attrs = p11_attrs_build (NULL, &klass, &private, &modifiable,
id, label, &assertion_type, &purpose,
issuer, serial, &certificate_value, &autogen, NULL);
return_if_fail (attrs != NULL);
if (!p11_array_push (array, attrs))
return_if_reached ();
}
}
static void
build_trust_assertions (p11_array *positives,
p11_array *negatives,
CK_ATTRIBUTE *cert,
CK_BBOOL trust,
CK_BBOOL distrust,
CK_BBOOL authority,
const char **purposes,
const char **rejects)
{
const char *all_purposes[] = {
P11_OID_SERVER_AUTH_STR,
P11_OID_CLIENT_AUTH_STR,
P11_OID_CODE_SIGNING_STR,
P11_OID_EMAIL_PROTECTION_STR,
P11_OID_IPSEC_END_SYSTEM_STR,
P11_OID_IPSEC_TUNNEL_STR,
P11_OID_IPSEC_USER_STR,
P11_OID_TIME_STAMPING_STR,
NULL,
};
/* Build assertions for anything that's explicitly rejected */
if (rejects && negatives) {
build_assertions (negatives, cert, CKT_X_DISTRUSTED_CERTIFICATE, rejects);
}
if (distrust && negatives) {
/*
* Trust assertions are defficient in that they don't blacklist a certificate
* for any purposes. So we just have to go wild and write out a bunch of
* assertions for all our known purposes.
*/
build_assertions (negatives, cert, CKT_X_DISTRUSTED_CERTIFICATE, all_purposes);
}
/*
* TODO: Build pinned certificate assertions. That is, trusted
* certificates where not an authority.
*/
if (trust && authority && positives) {
if (purposes) {
/* If purposes explicitly set, then anchor for those purposes */
build_assertions (positives, cert, CKT_X_ANCHORED_CERTIFICATE, purposes);
} else {
/* If purposes not-explicitly set, then anchor for all known */
build_assertions (positives, cert, CKT_X_ANCHORED_CERTIFICATE, all_purposes);
}
}
}
static void
replace_trust_assertions (p11_builder *builder,
p11_index *index,
CK_ATTRIBUTE *cert,
CK_BBOOL trust,
CK_BBOOL distrust,
CK_BBOOL authority,
const char **purposes,
const char **rejects)
{
CK_OBJECT_CLASS assertion = CKO_X_TRUST_ASSERTION;
CK_BBOOL generated = CK_TRUE;
p11_array *positives = NULL;
p11_array *negatives = NULL;
CK_ATTRIBUTE *value;
CK_ATTRIBUTE *issuer;
CK_ATTRIBUTE *serial;
CK_RV rv;
CK_ATTRIBUTE match_positive[] = {
{ CKA_X_CERTIFICATE_VALUE, },
{ CKA_CLASS, &assertion, sizeof (assertion) },
{ CKA_X_GENERATED, &generated, sizeof (generated) },
{ CKA_INVALID }
};
CK_ATTRIBUTE match_negative[] = {
{ CKA_ISSUER, },
{ CKA_SERIAL_NUMBER, },
{ CKA_CLASS, &assertion, sizeof (assertion) },
{ CKA_X_GENERATED, &generated, sizeof (generated) },
{ CKA_INVALID }
};
value = p11_attrs_find_valid (cert, CKA_VALUE);
if (value) {
positives = p11_array_new (NULL);
match_positive[0].pValue = value->pValue;
match_positive[0].ulValueLen = value->ulValueLen;
}
issuer = p11_attrs_find_valid (cert, CKA_ISSUER);
serial = p11_attrs_find_valid (cert, CKA_SERIAL_NUMBER);
if (issuer && serial) {
negatives = p11_array_new (NULL);
memcpy (match_negative + 0, issuer, sizeof (CK_ATTRIBUTE));
memcpy (match_negative + 1, serial, sizeof (CK_ATTRIBUTE));
}
build_trust_assertions (positives, negatives, cert, trust, distrust,
authority, purposes, rejects);
if (positives) {
rv = p11_index_replace_all (index, match_positive, CKA_X_PURPOSE, positives);
return_if_fail (rv == CKR_OK);
p11_array_free (positives);
}
if (negatives) {
rv = p11_index_replace_all (index, match_negative, CKA_X_PURPOSE, negatives);
return_if_fail (rv == CKR_OK);
p11_array_free (negatives);
}
}
static void
remove_trust_and_assertions (p11_builder *builder,
p11_index *index,
CK_ATTRIBUTE *attrs)
{
replace_nss_trust_object (builder, index, attrs,
CK_FALSE, CK_FALSE, CK_FALSE,
NULL, NULL);
replace_trust_assertions (builder, index, attrs,
CK_FALSE, CK_FALSE, CK_FALSE,
NULL, NULL);
}
static void
replace_trust_and_assertions (p11_builder *builder,
p11_index *index,
CK_ATTRIBUTE *cert)
{
CK_BBOOL trust = CK_FALSE;
CK_BBOOL distrust = CK_FALSE;
CK_BBOOL authority = CK_FALSE;
p11_array *purposes = NULL;
p11_array *rejects = NULL;
const char **purposev;
const char **rejectv;
CK_ULONG category;
unsigned char *ext;
size_t ext_len;
/*
* We look up all this information in advance, since it's used
* by the various adapter objects, and we don't have to parse
* it multiple times.
*/
if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &trust))
trust = CK_FALSE;
if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &distrust))
distrust = CK_FALSE;
if (p11_attrs_find_ulong (cert, CKA_CERTIFICATE_CATEGORY, &category) && category == 2)
authority = CK_TRUE;
if (!distrust) {
ext = lookup_extension (builder, index, cert, NULL, P11_OID_EXTENDED_KEY_USAGE, &ext_len);
if (ext != NULL) {
purposes = p11_x509_parse_extended_key_usage (builder->asn1_defs, ext, ext_len);
if (purposes == NULL)
p11_message ("invalid extended key usage certificate extension");
free (ext);
}
ext = lookup_extension (builder, index, cert, NULL, P11_OID_OPENSSL_REJECT, &ext_len);
if (ext != NULL) {
rejects = p11_x509_parse_extended_key_usage (builder->asn1_defs, ext, ext_len);
if (rejects == NULL)
p11_message ("invalid reject key usage certificate extension");
free (ext);
}
}
/* null-terminate these arrays and use as strv's */
purposev = rejectv = NULL;
if (rejects) {
if (!p11_array_push (rejects, NULL))
return_if_reached ();
rejectv = (const char **)rejects->elem;
}
if (purposes) {
if (!p11_array_push (purposes, NULL))
return_if_reached ();
purposev = (const char **)purposes->elem;
}
replace_nss_trust_object (builder, index, cert, trust, distrust,
authority, purposev, rejectv);
replace_trust_assertions (builder, index, cert, trust, distrust,
authority, purposev, rejectv);
p11_array_free (purposes);
p11_array_free (rejects);
}
static void
replace_compat_for_cert (p11_builder *builder,
p11_index *index,
CK_OBJECT_HANDLE handle,
CK_ATTRIBUTE *attrs)
{
static const CK_OBJECT_CLASS certificate = CKO_CERTIFICATE;
static const CK_CERTIFICATE_TYPE x509 = CKC_X_509;
CK_ATTRIBUTE *value;
CK_ATTRIBUTE match[] = {
{ CKA_VALUE, },
{ CKA_CLASS, (void *)&certificate, sizeof (certificate) },
{ CKA_CERTIFICATE_TYPE, (void *)&x509, sizeof (x509) },
{ CKA_INVALID }
};
/*
* If this certificate is going away, then find duplicate. In this
* case all the trust assertions are recalculated with this new
* certificate in mind.
*/
if (handle == 0) {
value = p11_attrs_find_valid (attrs, CKA_VALUE);
if (value != NULL) {
match[0].pValue = value->pValue;
match[0].ulValueLen = value->ulValueLen;
handle = p11_index_find (index, match, -1);
}
if (handle != 0)
attrs = p11_index_lookup (index, handle);
}
if (handle == 0)
remove_trust_and_assertions (builder, index, attrs);
else
replace_trust_and_assertions (builder, index, attrs);
}
static void
replace_compat_for_ext (p11_builder *builder,
p11_index *index,
CK_OBJECT_HANDLE handle,
CK_ATTRIBUTE *attrs)
{
CK_OBJECT_HANDLE *handles;
CK_ATTRIBUTE *public_key;
int i;
public_key = p11_attrs_find_valid (attrs, CKA_PUBLIC_KEY_INFO);
if (public_key == NULL)
return;
handles = lookup_related (index, CKO_CERTIFICATE, public_key);
for (i = 0; handles && handles[i] != 0; i++) {
attrs = p11_index_lookup (index, handles[i]);
replace_trust_and_assertions (builder, index, attrs);
}
free (handles);
}
static void
update_related_category (p11_builder *builder,
p11_index *index,
CK_OBJECT_HANDLE handle,
CK_ATTRIBUTE *attrs)
{
CK_OBJECT_HANDLE *handles;
CK_ULONG categoryv = 0UL;
CK_ATTRIBUTE *update;
CK_ATTRIBUTE *cert;
CK_ATTRIBUTE *public_key;
CK_RV rv;
int i;
CK_ATTRIBUTE category[] = {
{ CKA_CERTIFICATE_CATEGORY, &categoryv, sizeof (categoryv) },
{ CKA_INVALID, },
};
public_key = p11_attrs_find_valid (attrs, CKA_PUBLIC_KEY_INFO);
if (public_key == NULL)
return;
/* Find all other objects with this handle */
handles = lookup_related (index, CKO_CERTIFICATE, public_key);
for (i = 0; handles && handles[i] != 0; i++) {
cert = p11_index_lookup (index, handle);
if (calc_certificate_category (builder, index, cert, public_key, &categoryv)) {
update = p11_attrs_build (NULL, &category, NULL);
rv = p11_index_update (index, handles[i], update);
return_if_fail (rv == CKR_OK);
}
}
free (handles);
}
void
p11_builder_changed (void *bilder,
p11_index *index,
CK_OBJECT_HANDLE handle,
CK_ATTRIBUTE *attrs)
{
static const CK_OBJECT_CLASS certificate = CKO_CERTIFICATE;
static const CK_OBJECT_CLASS extension = CKO_X_CERTIFICATE_EXTENSION;
static const CK_CERTIFICATE_TYPE x509 = CKC_X_509;
static const CK_ATTRIBUTE match_cert[] = {
{ CKA_CLASS, (void *)&certificate, sizeof (certificate) },
{ CKA_CERTIFICATE_TYPE, (void *)&x509, sizeof (x509) },
{ CKA_INVALID }
};
static const CK_ATTRIBUTE match_eku[] = {
{ CKA_CLASS, (void *)&extension, sizeof (extension) },
{ CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE,
sizeof (P11_OID_EXTENDED_KEY_USAGE) },
{ CKA_INVALID }
};
static const CK_ATTRIBUTE match_ku[] = {
{ CKA_CLASS, (void *)&extension, sizeof (extension) },
{ CKA_OBJECT_ID, (void *)P11_OID_KEY_USAGE,
sizeof (P11_OID_KEY_USAGE) },
{ CKA_INVALID }
};
static const CK_ATTRIBUTE match_bc[] = {
{ CKA_CLASS, (void *)&extension, sizeof (extension) },
{ CKA_OBJECT_ID, (void *)P11_OID_BASIC_CONSTRAINTS,
sizeof (P11_OID_BASIC_CONSTRAINTS) },
{ CKA_INVALID }
};
p11_builder *builder = bilder;
return_if_fail (builder != NULL);
return_if_fail (index != NULL);
return_if_fail (attrs != NULL);
/*
* Treat these operations as loading, not modifying/creating, so we get
* around many of the rules that govern object creation
*/
p11_index_load (index);
/* A certificate */
if (p11_attrs_match (attrs, match_cert)) {
replace_compat_for_cert (builder, index, handle, attrs);
/* An ExtendedKeyUsage extension */
} else if (p11_attrs_match (attrs, match_eku) ||
p11_attrs_match (attrs, match_ku)) {
replace_compat_for_ext (builder, index, handle, attrs);
/* A BasicConstraints extension */
} else if (p11_attrs_match (attrs, match_bc)) {
update_related_category (builder, index, handle, attrs);
}
p11_index_finish (index);
}