From cc39dbca85e59e564114a1e12058674ee3d3bac4 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 26 Jul 2022 15:52:17 +0000
Subject: Bug 1681099, pk11wrap: Tighten certificate lookup based on PKCS #11
 URI, r=kjacobs,rrelyea

Previously we only used the "object" attribute (mapped to CKA_LABEL) to find certificates by PKCS #11 URI. This updates the logic to match also with "id" (mapped to CKA_ID) and reject the request if a "type" attribute is present with the value other than "cert".

Note: as "id" may not be null-terminated, the PKCS #11 URI API had to be revamped to allow binary blobs. This is still not perfect because PK11URIAttribute doesn't have a length field of value.

Differential Revision: https://phabricator.services.mozilla.com/D98940
---
 automation/abi-check/expected-report-libnssutil3.so.txt | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'automation')

diff --git a/automation/abi-check/expected-report-libnssutil3.so.txt b/automation/abi-check/expected-report-libnssutil3.so.txt
index e69de29bb..ba634d9ab 100644
--- a/automation/abi-check/expected-report-libnssutil3.so.txt
+++ b/automation/abi-check/expected-report-libnssutil3.so.txt
@@ -0,0 +1,6 @@
+
+2 Added functions:
+
+  'function const SECItem* PK11URI_GetPathAttributeItem(PK11URI*, const char*)'    {PK11URI_GetPathAttributeItem@@NSSUTIL_3.82}
+  'function const SECItem* PK11URI_GetQueryAttributeItem(PK11URI*, const char*)'    {PK11URI_GetQueryAttributeItem@@NSSUTIL_3.82}
+
-- 
cgit v1.2.1