From 066fdce95a3a58e312f52c4e14536b4b3a4f5e26 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 9 May 2017 16:46:16 +0200
Subject: [PATCH 1/3] If the underlying PKCS#15 structure does not provide
a label for a certificate, try to use the DN from the certificate.
---
src/libopensc/libopensc.exports | 1 +
src/pkcs11/framework-pkcs15.c | 31 +++++++++++++++++++++++++++++++
2 files changed, 32 insertions(+)
diff --git a/src/libopensc/libopensc.exports b/src/libopensc/libopensc.exports
index 18f80374f..36cf57023 100644
--- a/src/libopensc/libopensc.exports
+++ b/src/libopensc/libopensc.exports
@@ -208,6 +208,7 @@ sc_pkcs15_free_prkey_info
sc_pkcs15_free_pubkey
sc_pkcs15_free_pubkey_info
sc_pkcs15_get_application_by_type
+sc_pkcs15_get_name_from_dn
sc_pkcs15_get_object_guid
sc_pkcs15_get_object_id
sc_pkcs15_get_objects
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index 42c509356..f9063c8cc 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@@ -553,6 +553,30 @@ public_key_created(struct pkcs15_fw_data *fw_data, const struct sc_pkcs15_id *id
return SC_ERROR_OBJECT_NOT_FOUND;
}
+static void
+pkcs15_cert_extract_label(struct pkcs15_cert_object *cert)
+{
+ if (!cert || !cert->cert_p15obj || !cert->cert_data)
+ return;
+
+ sc_log(context, "pkcs15_cert_extract_label() called. Current label: %s", cert->cert_p15obj->label);
+
+ /* if we didn't get a label, set one based on the CN */
+ if (*cert->cert_p15obj->label == '\0') { /* can't be NULL -- static array */
+ static const struct sc_object_id cn_oid = {{ 2, 5, 4, 3, -1 }};
+ u8 *cn_name = NULL;
+ size_t cn_len = 0;
+ int rv = sc_pkcs15_get_name_from_dn(context,
+ cert->cert_data->subject, cert->cert_data->subject_len,
+ &cn_oid, &cn_name, &cn_len);
+ sc_log(context, "pkcs15_cert_extract_label(): Name from DN is %s", cn_name);
+ if (rv == SC_SUCCESS) {
+ memcpy(cert->cert_p15obj->label, cn_name, cn_len);
+ cert->cert_p15obj->label[cn_len] = '\0';
+ }
+ free(cn_name);
+ }
+}
static int
__pkcs15_create_cert_object(struct pkcs15_fw_data *fw_data, struct sc_pkcs15_object *cert,
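Review bot: Both debug logs in pkcs15_cert_extract_label() pass a buffer to `%s` without evidence that it is NUL-terminated: L186 prints cert_p15obj->label, which the CKA_LABEL getter at L426 measures with strnlen(label, sizeof label), and L236 prints cn_name, which sc_pkcs15_get_name_from_dn() returns together with a separate cn_len. If either buffer can be full length with no terminator, sc_log reads past it, so bound the format with the known length: `sc_log(context, "pkcs15_cert_extract_label() called. Current label: %.*s", (int)sizeof cert->cert_p15obj->label, cert->cert_p15obj->label);` and `sc_log(context, "pkcs15_cert_extract_label(): Name from DN is %.*s", (int)cn_len, cn_name);`. The second patch in the series moves the cn_name log under the rv check (hunk at L508) but keeps the unbounded `%s`. Whether sc_pkcs15_get_name_from_dn() terminates its output is not visible here; confirm before deciding the cn_name half is needed.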
@@ -606,6 +627,9 @@ __pkcs15_create_cert_object(struct pkcs15_fw_data *fw_data, struct sc_pkcs15_obj
obj2->pub_genfrom = object;
object->cert_pubkey = obj2;
+ /* Find missing labels for certificate */
+ pkcs15_cert_extract_label(object);
+
if (cert_object != NULL)
*cert_object = (struct pkcs15_any_object *) object;
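Review bot: The comment `/* Find missing labels for certificate */` hides that the call is a no-op unless cert->cert_data is already set, since pkcs15_cert_extract_label() returns early on a NULL cert_data; that is presumably why the same call is repeated in check_cert_data_read() (hunk at L338). Say so at both call sites, e.g. `/* Derive a missing label from the certificate subject; no-op until cert_data is read, so check_cert_data_read() repeats it */`. Whether cert_data is populated at this point of __pkcs15_create_cert_object is not visible in the hunk, and the function continues outside it.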
@@ -877,6 +901,9 @@ check_cert_data_read(struct pkcs15_fw_data *fw_data, struct pkcs15_cert_object *
if (!obj2->pub_data)
rv = sc_pkcs15_pubkey_from_cert(context, &cert->cert_data->data, &obj2->pub_data);
+ /* Find missing labels for certificate */
+ pkcs15_cert_extract_label(cert);
+
/* now that we have the cert and pub key, lets see if we can bind anything else */
pkcs15_bind_related_objects(fw_data);
@@ -3165,6 +3192,10 @@ pkcs15_cert_get_attribute(struct sc_pkcs11_session *session, void *object, CK_AT
*(CK_BBOOL*)attr->pValue = FALSE;
break;
case CKA_LABEL:
+ if (check_cert_data_read(fw_data, cert) != 0) {
+ attr->ulValueLen = 0;
+ return CKR_OK;
+ }
len = strnlen(cert->cert_p15obj->label, sizeof cert->cert_p15obj->label);
check_attribute_buffer(attr, len);
memcpy(attr->pValue, cert->cert_p15obj->label, len);
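Review bot: The new early return on a failed check_cert_data_read() discards a label the PKCS#15 object may already carry: before this change CKA_LABEL was served from cert_p15obj->label unconditionally, and the DN fallback only matters when that label is empty, so a transient card read error now turns a valid stored label into an empty one while still reporting CKR_OK. Prefer to treat the read as best-effort and fall through to the existing strnlen/memcpy path, e.g. replace the four added lines with `if (check_cert_data_read(fw_data, cert) != 0) sc_log(context, "pkcs15_cert_get_attribute(): cannot read cert data, using stored label");`. If an empty label is intended on failure, a comment saying why the stored label is dropped would help. The enclosing switch and pkcs15_cert_get_attribute() continue outside the hunk.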
From 4d8b75c1f0a901d661ed00b29175e2fdaee940ca Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 19 May 2017 17:52:09 +0200
Subject: [PATCH 2/3] Properly check bounds for long DNs
---
src/pkcs11/framework-pkcs15.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index f9063c8cc..863ad02a1 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@@ -566,8 +566,9 @@ pkcs15_cert_extract_label(struct pkcs15_cert_object *cert)
int rv = sc_pkcs15_get_name_from_dn(context,
cert->cert_data->subject, cert->cert_data->subject_len,
&cn_oid, &cn_name, &cn_len);
- sc_log(context, "pkcs15_cert_extract_label(): Name from DN is %s", cn_name);
if (rv == SC_SUCCESS) {
+ sc_log(context, "pkcs15_cert_extract_label(): Name from DN is %s", cn_name);
+ cn_len = MIN(cn_len, SC_PKCS15_MAX_LABEL_SIZE-1);
memcpy(cert->cert_p15obj->label, cn_name, cn_len);
cert->cert_p15obj->label[cn_len] = '\0';
}
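Review bot: The clamp `cn_len = MIN(cn_len, SC_PKCS15_MAX_LABEL_SIZE-1)` cuts at an arbitrary byte, so if the name sc_pkcs15_get_name_from_dn() returns is UTF-8 (the usual encoding of an X.509 UTF8String CN), a multi-byte character can be split and the stored label ends in an invalid partial sequence. Backing up over continuation bytes after clamping keeps the label well-formed: `if (cn_len > SC_PKCS15_MAX_LABEL_SIZE-1) { cn_len = SC_PKCS15_MAX_LABEL_SIZE-1; while (cn_len > 0 && (cn_name[cn_len] & 0xC0) == 0x80) cn_len--; }`. The encoding of the returned name is not visible here, and MIN compares the size_t cn_len with an int constant, so a cast of the constant to size_t avoids a signed/unsigned comparison inside the macro. pkcs15_cert_extract_label() starts outside this hunk.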
From 4621251bbff5cc1df826aa7fdc2aa7dfbae3c8ab Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 22 May 2017 09:46:56 +0200
Subject: [PATCH 3/3] Missing include
---
src/pkcs11/framework-pkcs15.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index 863ad02a1..ce890b7a1 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@@ -22,6 +22,7 @@
#include <stdlib.h>
#include <string.h>
#include "libopensc/log.h"
+#include "libopensc/internal.h"
#include "libopensc/asn1.h"
#include "libopensc/cardctl.h"
#include "common/compat_strnlen.h"