From cc39dbca85e59e564114a1e12058674ee3d3bac4 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 26 Jul 2022 15:52:17 +0000 Subject: Bug 1681099, pk11wrap: Tighten certificate lookup based on PKCS #11 URI, r=kjacobs,rrelyea Previously we only used the "object" attribute (mapped to CKA_LABEL) to find certificates by PKCS #11 URI. This updates the logic to match also with "id" (mapped to CKA_ID) and reject the request if a "type" attribute is present with the value other than "cert". Note: as "id" may not be null-terminated, the PKCS #11 URI API had to be revamped to allow binary blobs. This is still not perfect because PK11URIAttribute doesn't have a length field of value. Differential Revision: https://phabricator.services.mozilla.com/D98940 --- gtests/pk11_gtest/pk11_module_unittest.cc | 35 ++++- gtests/pkcs11testmodule/pkcs11testmodule.cpp | 223 ++++++++++++++++++++++++--- 2 files changed, 234 insertions(+), 24 deletions(-) (limited to 'gtests') diff --git a/gtests/pk11_gtest/pk11_module_unittest.cc b/gtests/pk11_gtest/pk11_module_unittest.cc index eb467c3c4..42b59c605 100644 --- a/gtests/pk11_gtest/pk11_module_unittest.cc +++ b/gtests/pk11_gtest/pk11_module_unittest.cc @@ -45,7 +45,7 @@ TEST_F(Pkcs11ModuleTest, ListSlots) { PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, nullptr)); ASSERT_NE(nullptr, slots); - PK11SlotListElement* element = PK11_GetFirstSafe(slots.get()); + PK11SlotListElement *element = PK11_GetFirstSafe(slots.get()); ASSERT_NE(nullptr, element); // These tokens are always present. @@ -81,6 +81,39 @@ TEST_F(Pkcs11ModuleTest, PublicCertificatesToken) { EXPECT_TRUE(PK11_IsFriendly(slot2.get())); } +TEST_F(Pkcs11ModuleTest, PublicCertificatesTokenLookup) { + const std::string kCertUrl = + "pkcs11:id=%10%11%12%13%14%15%16%17%18%19%1a%1b%1c%1d%1e%1f"; + + ScopedCERTCertList certsByUrl( + PK11_FindCertsFromURI(kCertUrl.c_str(), nullptr)); + EXPECT_NE(nullptr, certsByUrl.get()); + + size_t count = 0; + CERTCertificate *certByUrl = nullptr; + for (CERTCertListNode *node = CERT_LIST_HEAD(certsByUrl); + !CERT_LIST_END(node, certsByUrl); node = CERT_LIST_NEXT(node)) { + if (count == 0) { + certByUrl = node->cert; + } + count++; + } + EXPECT_EQ(1UL, count); + EXPECT_NE(nullptr, certByUrl); + + EXPECT_EQ( + 0, strcmp(certByUrl->nickname, "Test PKCS11 Public Certs Token:cert2")); +} + +TEST_F(Pkcs11ModuleTest, PublicCertificatesTokenLookupNoMatch) { + const std::string kCertUrl = + "pkcs11:id=%00%01%02%03%04%05%06%07%08%09%0a%0b%0c%0d%0e%0e"; + + ScopedCERTCertList certsByUrl( + PK11_FindCertsFromURI(kCertUrl.c_str(), nullptr)); + EXPECT_EQ(nullptr, certsByUrl.get()); +} + #if defined(_WIN32) #include diff --git a/gtests/pkcs11testmodule/pkcs11testmodule.cpp b/gtests/pkcs11testmodule/pkcs11testmodule.cpp index dbb574442..4bd558c0d 100644 --- a/gtests/pkcs11testmodule/pkcs11testmodule.cpp +++ b/gtests/pkcs11testmodule/pkcs11testmodule.cpp @@ -76,13 +76,79 @@ CK_RV Test_C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR) { return CKR_OK; } static int tokenPresent = 0; -// The token in slot 4 has 2 objects. Both of them are profile object -// and identified by object ID 1 or 2. +// The token in slot 4 has 4 objects: +// 1. CKO_PROFILE with CKP_PUBLIC_CERTIFICATES_TOKEN +// 2. CKO_PROFILE with CKP_BASELINE_PROVIDER +// 3. CKO_CERTIFICATE with CKA_ID "\x00..\x0f" +// 4. CKO_CERTIFICATE with CKA_ID "\x10..\x1f" static bool readingProfile = false; static const CK_PROFILE_ID profiles[] = {CKP_PUBLIC_CERTIFICATES_TOKEN, CKP_BASELINE_PROVIDER}; static int profileIndex = 0; +static bool readingCert = false; +static const unsigned char certId1[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f +}; +static const char *certLabel1 = "cert1"; +static const unsigned char certId2[] = { + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f +}; +static const char *certLabel2 = "cert2"; + +static const unsigned char certValue[] = { + 0x30, 0x82, 0x01, 0x54, 0x30, 0x81, 0xfc, 0xa0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x02, 0x0e, 0x42, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, + 0x3d, 0x04, 0x03, 0x02, 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x13, 0x0a, 0x45, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, + 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x30, 0x31, 0x32, 0x31, + 0x39, 0x30, 0x39, 0x30, 0x32, 0x34, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x31, + 0x30, 0x33, 0x31, 0x39, 0x30, 0x39, 0x30, 0x32, 0x34, 0x39, 0x5a, 0x30, + 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0a, + 0x45, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x20, 0x43, 0x41, 0x30, 0x59, + 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, + 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, + 0x04, 0x24, 0xd1, 0x96, 0xcc, 0x72, 0x36, 0xbb, 0xd6, 0x04, 0x36, 0x14, + 0x59, 0x9a, 0x27, 0x24, 0x6b, 0x03, 0x7c, 0x02, 0x69, 0x68, 0x50, 0x70, + 0x52, 0xe5, 0x5f, 0xe1, 0xf1, 0xd4, 0x0a, 0x00, 0x18, 0x76, 0x14, 0xa3, + 0xed, 0x7d, 0xc5, 0x0a, 0xfe, 0xe4, 0x6f, 0x09, 0xf8, 0xcd, 0xe8, 0x5a, + 0x39, 0x81, 0xf4, 0xcc, 0x25, 0xbe, 0x26, 0x76, 0xe1, 0x23, 0x52, 0x09, + 0x6f, 0xbd, 0xf1, 0x75, 0xbe, 0xa3, 0x3c, 0x30, 0x3a, 0x30, 0x14, 0x06, + 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x01, 0x01, 0x01, + 0xff, 0x04, 0x04, 0x03, 0x02, 0x02, 0x04, 0x30, 0x12, 0x06, 0x03, 0x55, + 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x08, 0x30, 0x06, 0x01, 0x01, 0xff, + 0x02, 0x01, 0x00, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, + 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x0a, 0x06, 0x08, 0x2a, + 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30, 0x44, + 0x02, 0x20, 0x76, 0x56, 0x09, 0xe9, 0x79, 0xc2, 0x62, 0x28, 0xfc, 0x48, + 0xf8, 0xac, 0x73, 0xbb, 0xe1, 0xe5, 0x79, 0x93, 0x78, 0x05, 0x4b, 0x45, + 0x08, 0xcf, 0x10, 0x9f, 0x0d, 0xb9, 0x50, 0x7d, 0x70, 0x24, 0x02, 0x20, + 0x27, 0x52, 0xe7, 0x9e, 0x42, 0xe3, 0xb2, 0x4d, 0xbb, 0x7d, 0xa3, 0x81, + 0x5f, 0x7f, 0x0f, 0x3a, 0x55, 0x34, 0xfa, 0x86, 0x35, 0xcb, 0x68, 0x4f, + 0xad, 0x67, 0x67, 0x05, 0x36, 0xcb, 0x11, 0x4d +}; +static const unsigned char certSerial[] = { + 0x02, 0x02, 0x0e, 0x42 +}; +static const unsigned char certIssuer[] = { + 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, + 0x0a, 0x45, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x20, 0x43, 0x41 +}; + +static const struct cert { + const unsigned char *id; + size_t idLen; + const char *label; +} certs[] = { + { certId1, sizeof(certId1), certLabel1 }, + { certId2, sizeof(certId2), certLabel2 } +}; +static int certIndex = 0; +static CK_OBJECT_HANDLE certHandle = CK_INVALID_HANDLE; +static bool certIdGiven = false; + CK_RV Test_C_GetSlotList(CK_BBOOL limitToTokensPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) { if (!pulCount) { @@ -316,22 +382,78 @@ CK_RV Test_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) { if (hSession == 4) { - assert(hObject >= 1 && - hObject - 1 < sizeof(profiles) / sizeof(profiles[0])); - for (CK_ULONG count = 0; count < ulCount; count++) { - if (pTemplate[count].type == CKA_PROFILE_ID) { - if (pTemplate[count].pValue) { - assert(pTemplate[count].ulValueLen == sizeof(CK_ULONG)); - CK_ULONG value = profiles[hObject - 1]; - memcpy(pTemplate[count].pValue, &value, sizeof(value)); + switch (hObject) { + case 1: + case 2: + for (CK_ULONG count = 0; count < ulCount; count++) { + if (pTemplate[count].type == CKA_PROFILE_ID) { + if (pTemplate[count].pValue) { + assert(pTemplate[count].ulValueLen == sizeof(CK_ULONG)); + CK_ULONG value = profiles[hObject - 1]; + memcpy(pTemplate[count].pValue, &value, sizeof(value)); + } else { + pTemplate[count].ulValueLen = sizeof(CK_ULONG); + } } else { - pTemplate[count].ulValueLen = sizeof(CK_ULONG); + pTemplate[count].ulValueLen = (CK_ULONG)-1; + } + } + return CKR_OK; + case 3: + case 4: + for (CK_ULONG count = 0; count < ulCount; count++) { + switch (pTemplate[count].type) { + case CKA_TOKEN: + if (pTemplate[count].pValue) { + assert(pTemplate[count].ulValueLen == sizeof(CK_BBOOL)); + CK_BBOOL value = true; + memcpy(pTemplate[count].pValue, &value, sizeof(value)); + } else { + pTemplate[count].ulValueLen = sizeof(CK_BBOOL); + } + break; + + case CKA_LABEL: { + const char *label = certs[hObject - 3].label; + size_t labelLen = strlen(label); + if (pTemplate[count].pValue) { + if (pTemplate[count].ulValueLen >= labelLen) { + memcpy(pTemplate[count].pValue, label, labelLen); + } else { + pTemplate[count].ulValueLen = CK_UNAVAILABLE_INFORMATION; + } + } else { + pTemplate[count].ulValueLen = labelLen; + } + break; + } + +#define BYTEARRAY_CASE(label, array) \ + case label: \ + if (pTemplate[count].pValue) { \ + if (pTemplate[count].ulValueLen >= sizeof(array)) { \ + memcpy(pTemplate[count].pValue, array, sizeof(array)); \ + } else { \ + pTemplate[count].ulValueLen = CK_UNAVAILABLE_INFORMATION; \ + } \ + } else { \ + pTemplate[count].ulValueLen = sizeof(array); \ + } \ + break; + + BYTEARRAY_CASE(CKA_VALUE, certValue) + BYTEARRAY_CASE(CKA_SERIAL_NUMBER, certSerial) + BYTEARRAY_CASE(CKA_ISSUER, certIssuer) + + default: + pTemplate[count].ulValueLen = CK_UNAVAILABLE_INFORMATION; + break; } - } else { - pTemplate[count].ulValueLen = (CK_ULONG)-1; } + return CKR_OK; + default: + break; } - return CKR_OK; } return CKR_FUNCTION_NOT_SUPPORTED; } @@ -345,19 +467,47 @@ CK_RV Test_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) { // Slot 4 if (hSession == 4) { + CK_OBJECT_CLASS objectClass = CKO_DATA; + CK_BYTE *id = NULL; + CK_ULONG idLen = 0; for (CK_ULONG count = 0; count < ulCount; count++) { CK_ATTRIBUTE attribute = pTemplate[count]; - if (attribute.type == CKA_CLASS) { - assert(attribute.ulValueLen == sizeof(CK_ULONG)); - - CK_ULONG value; - memcpy(&value, attribute.pValue, attribute.ulValueLen); - if (value == CKO_PROFILE) { - readingProfile = true; - profileIndex = 0; - break; + switch (attribute.type) { + case CKA_CLASS: + assert(attribute.ulValueLen == sizeof(CK_OBJECT_CLASS)); + + memcpy(&objectClass, attribute.pValue, attribute.ulValueLen); + break; + case CKA_ID: + id = (CK_BYTE *)attribute.pValue; + idLen = attribute.ulValueLen; + break; + default: + break; + } + } + + switch (objectClass) { + case CKO_PROFILE: + readingProfile = true; + profileIndex = 0; + break; + case CKO_CERTIFICATE: + readingCert = true; + certIndex = 0; + if (id) { + certIdGiven = true; + for (size_t count = 0; count < sizeof(certs) / sizeof(certs[0]); count++) { + if (certs[count].idLen == idLen && + memcmp(certs[count].id, id, idLen) == 0) { + certHandle = count + 3; + break; + } } } + break; + default: + break; } } return CKR_OK; @@ -379,6 +529,30 @@ CK_RV Test_C_FindObjects(CK_SESSION_HANDLE hSession, } profileIndex += count; *pulObjectCount = count; + } else if (readingCert) { + assert(hSession == 4); + if (!certIdGiven) { + CK_ULONG count = ulMaxObjectCount; + size_t remaining = sizeof(certs) / sizeof(certs[0]) - certIndex; + if (count > remaining) { + count = remaining; + } + for (CK_ULONG i = 0; i < count; i++) { + phObject[i] = i + 3; + } + *pulObjectCount = count; + certIndex += count; + } else if (certHandle != CK_INVALID_HANDLE) { + if (certIndex == 0 && ulMaxObjectCount > 0) { + phObject[0] = certHandle; + *pulObjectCount = 1; + certIndex = 1; + } else { + *pulObjectCount = 0; + } + } else { + *pulObjectCount = 0; + } } else { *pulObjectCount = 0; } @@ -387,6 +561,9 @@ CK_RV Test_C_FindObjects(CK_SESSION_HANDLE hSession, CK_RV Test_C_FindObjectsFinal(CK_SESSION_HANDLE hSession) { readingProfile = false; + readingCert = false; + certHandle = CK_INVALID_HANDLE; + certIdGiven = false; return CKR_OK; } -- cgit v1.2.1