diff options
Diffstat (limited to 'trust/builder.c')
| -rw-r--r-- | trust/builder.c | 1872 |
1 files changed, 0 insertions, 1872 deletions
diff --git a/trust/builder.c b/trust/builder.c deleted file mode 100644 index e0ce370..0000000 --- a/trust/builder.c +++ /dev/null @@ -1,1872 +0,0 @@ -/* - * Copyright (C) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#define P11_DEBUG_FLAG P11_DEBUG_TRUST - -#include "array.h" -#include "asn1.h" -#include "attrs.h" -#include "builder.h" -#include "constants.h" -#include "debug.h" -#include "digest.h" -#include "index.h" -#include "message.h" -#include "oid.h" -#include "pkcs11i.h" -#include "pkcs11x.h" -#include "utf8.h" -#include "x509.h" - -#include <assert.h> -#include <stdlib.h> -#include <string.h> - -struct _p11_builder { - p11_asn1_cache *asn1_cache; - p11_dict *asn1_defs; - int flags; -}; - -enum { - NONE = 0, - CREATE = 1 << 0, - MODIFY = 1 << 1, - REQUIRE = 1 << 2, - WANT = 1 << 3, -}; - -enum { - NORMAL_BUILD = 0, - GENERATED_CLASS = 1 << 0, -}; - -typedef struct { - int build_flags; - struct { - CK_ATTRIBUTE_TYPE type; - int flags; - bool (*validate) (p11_builder *, CK_ATTRIBUTE *); - } attrs[32]; - CK_ATTRIBUTE * (*populate) (p11_builder *, p11_index *, CK_ATTRIBUTE *); - CK_RV (*validate) (p11_builder *, CK_ATTRIBUTE *, CK_ATTRIBUTE *); -} builder_schema; - -static node_asn * -decode_or_get_asn1 (p11_builder *builder, - const char *struct_name, - const unsigned char *der, - size_t length) -{ - node_asn *node; - - node = p11_asn1_cache_get (builder->asn1_cache, struct_name, der, length); - if (node != NULL) - return node; - - node = p11_asn1_decode (builder->asn1_defs, struct_name, der, length, NULL); - if (node != NULL) - p11_asn1_cache_take (builder->asn1_cache, node, struct_name, der, length); - - return node; -} - -static unsigned char * -lookup_extension (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *cert, - CK_ATTRIBUTE *public_key, - const unsigned char *oid, - size_t *ext_len) -{ - CK_OBJECT_CLASS klass = CKO_X_CERTIFICATE_EXTENSION; - CK_OBJECT_HANDLE obj; - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *label; - void *value; - size_t length; - node_asn *node; - - CK_ATTRIBUTE match[] = { - { CKA_PUBLIC_KEY_INFO, }, - { CKA_OBJECT_ID, (void *)oid, p11_oid_length (oid) }, - { CKA_CLASS, &klass, sizeof (klass) }, - { CKA_INVALID }, - }; - - if (public_key == NULL || public_key->type == CKA_INVALID) - public_key = p11_attrs_find_valid (cert, CKA_PUBLIC_KEY_INFO); - - /* Look for an attached certificate extension */ - if (public_key != NULL) { - memcpy (match, public_key, sizeof (CK_ATTRIBUTE)); - obj = p11_index_find (index, match, -1); - attrs = p11_index_lookup (index, obj); - if (attrs != NULL) { - value = p11_attrs_find_value (attrs, CKA_VALUE, &length); - if (value != NULL) { - node = decode_or_get_asn1 (builder, "PKIX1.Extension", value, length); - if (node == NULL) { - label = p11_attrs_find_valid (attrs, CKA_LABEL); - if (label == NULL) - label = p11_attrs_find_valid (cert, CKA_LABEL); - p11_message ("%.*s: invalid certificate extension", - label ? (int)label->ulValueLen : 7, - label ? (char *)label->pValue : "unknown"); - return NULL; - } - return p11_asn1_read (node, "extnValue", ext_len); - } - } - } - - /* Couldn't find a parsed extension, so look in the current certificate */ - value = p11_attrs_find_value (cert, CKA_VALUE, &length); - if (value != NULL) { - node = decode_or_get_asn1 (builder, "PKIX1.Certificate", value, length); - return_val_if_fail (node != NULL, NULL); - return p11_x509_find_extension (node, oid, value, length, ext_len); - } - - return NULL; -} - -static CK_OBJECT_HANDLE * -lookup_related (p11_index *index, - CK_OBJECT_CLASS klass, - CK_ATTRIBUTE *attr) -{ - CK_ATTRIBUTE match[] = { - { attr->type, attr->pValue, attr->ulValueLen }, - { CKA_CLASS, &klass, sizeof (klass) }, - { CKA_INVALID } - }; - - return p11_index_find_all (index, match, -1); -} - -p11_builder * -p11_builder_new (int flags) -{ - p11_builder *builder; - - builder = calloc (1, sizeof (p11_builder)); - return_val_if_fail (builder != NULL, NULL); - - builder->asn1_cache = p11_asn1_cache_new (); - return_val_if_fail (builder->asn1_cache, NULL); - builder->asn1_defs = p11_asn1_cache_defs (builder->asn1_cache); - - builder->flags = flags; - return builder; -} - -static int -atoin (const char *p, - int digits) -{ - int ret = 0, base = 1; - while(--digits >= 0) { - if (p[digits] < '0' || p[digits] > '9') - return -1; - ret += (p[digits] - '0') * base; - base *= 10; - } - return ret; -} - -static bool -type_bool (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - return (attr->pValue != NULL && - sizeof (CK_BBOOL) == attr->ulValueLen); -} - -static bool -type_ulong (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - return (attr->pValue != NULL && - sizeof (CK_ULONG) == attr->ulValueLen); -} - -static bool -type_utf8 (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - if (attr->ulValueLen == 0) - return true; - if (attr->pValue == NULL) - return false; - return p11_utf8_validate (attr->pValue, attr->ulValueLen); -} - -static bool -type_date (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - CK_DATE *date; - struct tm tm; - struct tm two; - - if (attr->ulValueLen == 0) - return true; - if (attr->pValue == NULL || attr->ulValueLen != sizeof (CK_DATE)) - return false; - - date = attr->pValue; - memset (&tm, 0, sizeof (tm)); - tm.tm_year = atoin ((char *)date->year, 4) - 1900; - tm.tm_mon = atoin ((char *)date->month, 2); - tm.tm_mday = atoin ((char *)date->day, 2); - - if (tm.tm_year < 0 || tm.tm_mon <= 0 || tm.tm_mday <= 0) - return false; - - memcpy (&two, &tm, sizeof (tm)); - if (mktime (&two) < 0) - return false; - - /* If mktime changed anything, then bad date */ - if (tm.tm_year != two.tm_year || - tm.tm_mon != two.tm_mon || - tm.tm_mday != two.tm_mday) - return false; - - return true; -} - -static bool -check_der_struct (p11_builder *builder, - const char *struct_name, - CK_ATTRIBUTE *attr) -{ - node_asn *asn; - - if (attr->ulValueLen == 0) - return true; - if (attr->pValue == NULL) - return false; - - asn = p11_asn1_decode (builder->asn1_defs, struct_name, - attr->pValue, attr->ulValueLen, NULL); - - if (asn == NULL) - return false; - - asn1_delete_structure (&asn); - return true; -} - -static bool -type_der_name (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - return check_der_struct (builder, "PKIX1.Name", attr); -} - -static bool -type_der_serial (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - return check_der_struct (builder, "PKIX1.CertificateSerialNumber", attr); -} - -static bool -type_der_oid (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - /* AttributeType is an OBJECT ID */ - return check_der_struct (builder, "PKIX1.AttributeType", attr); -} - -static bool -type_der_cert (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - return check_der_struct (builder, "PKIX1.Certificate", attr); -} - -static bool -type_der_key (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - return check_der_struct (builder, "PKIX1.SubjectPublicKeyInfo", attr); -} - -static bool -type_der_ext (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - return check_der_struct (builder, "PKIX1.Extension", attr); -} - -#define COMMON_ATTRS \ - { CKA_CLASS, REQUIRE | CREATE, type_ulong }, \ - { CKA_TOKEN, CREATE | WANT, type_bool }, \ - { CKA_MODIFIABLE, CREATE | WANT, type_bool }, \ - { CKA_PRIVATE, CREATE, type_bool }, \ - { CKA_LABEL, CREATE | MODIFY | WANT, type_utf8 }, \ - { CKA_X_GENERATED, CREATE }, \ - { CKA_X_ORIGIN, NONE } \ - -static CK_ATTRIBUTE * -common_populate (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *unused) -{ - CK_BBOOL tokenv = CK_FALSE; - CK_BBOOL modifiablev = CK_TRUE; - CK_BBOOL privatev = CK_FALSE; - CK_BBOOL generatedv = CK_FALSE; - - CK_ATTRIBUTE token = { CKA_TOKEN, &tokenv, sizeof (tokenv), }; - CK_ATTRIBUTE privat = { CKA_PRIVATE, &privatev, sizeof (privatev) }; - CK_ATTRIBUTE modifiable = { CKA_MODIFIABLE, &modifiablev, sizeof (modifiablev) }; - CK_ATTRIBUTE generated = { CKA_X_GENERATED, &generatedv, sizeof (generatedv) }; - CK_ATTRIBUTE label = { CKA_LABEL, "", 0 }; - - if (builder->flags & P11_BUILDER_FLAG_TOKEN) { - tokenv = CK_TRUE; - modifiablev = CK_FALSE; - } - - return p11_attrs_build (NULL, &token, &privat, &modifiable, &label, &generated, NULL); -} - -static void -calc_check_value (const unsigned char *data, - size_t length, - CK_BYTE *check_value) -{ - unsigned char checksum[P11_DIGEST_SHA1_LEN]; - p11_digest_sha1 (checksum, data, length, NULL); - memcpy (check_value, checksum, 3); -} - -static int -century_for_two_digit_year (int year) -{ - time_t now; - struct tm tm; - int century, current; - - return_val_if_fail (year >= 0 && year <= 99, -1); - - /* Get the current year */ - now = time (NULL); - return_val_if_fail (now >= 0, -1); - if (!gmtime_r (&now, &tm)) - return_val_if_reached (-1); - - current = (tm.tm_year % 100); - century = (tm.tm_year + 1900) - current; - - /* - * Check if it's within 40 years before the - * current date. - */ - if (current < 40) { - if (year < current) - return century; - if (year > 100 - (40 - current)) - return century - 100; - } else { - if (year < current && year > (current - 40)) - return century; - } - - /* - * If it's after then adjust for overflows to - * the next century. - */ - if (year < current) - return century + 100; - else - return century; -} - -static bool -calc_date (node_asn *node, - const char *field, - CK_DATE *date) -{ - node_asn *choice; - char buf[64]; - int century; - char *sub; - int year; - int len; - int ret; - - if (!node) - return false; - - choice = asn1_find_node (node, field); - return_val_if_fail (choice != NULL, false); - - len = sizeof (buf) - 1; - ret = asn1_read_value (node, field, buf, &len); - return_val_if_fail (ret == ASN1_SUCCESS, false); - - sub = strconcat (field, ".", buf, NULL); - - /* - * So here we take a shortcut and just copy the date from the - * certificate into the CK_DATE. This doesn't take into account - * time zones. However the PKCS#11 spec does not say what timezone - * the dates are in. In the PKCS#11 value have a day resolution, - * and time zones aren't that critical. - */ - - if (strcmp (buf, "generalTime") == 0) { - len = sizeof (buf) - 1; - ret = asn1_read_value (node, sub, buf, &len); - return_val_if_fail (ret == ASN1_SUCCESS, false); - return_val_if_fail (len >= 8, false); - - /* Same as first 8 characters of date */ - memcpy (date, buf, 8); - - } else if (strcmp (buf, "utcTime") == 0) { - len = sizeof (buf) - 1; - ret = asn1_read_value (node, sub, buf, &len); - return_val_if_fail (ret == ASN1_SUCCESS, false); - return_val_if_fail (len >= 6, false); - - year = atoin (buf, 2); - return_val_if_fail (year >= 0, false); - - century = century_for_two_digit_year (year); - return_val_if_fail (century >= 0, false); - - snprintf ((char *)date->year, 3, "%02d", century); - memcpy (((char *)date) + 2, buf, 6); - - } else { - return_val_if_reached (false); - } - - free (sub); - return true; -} - -static bool -calc_element (node_asn *node, - const unsigned char *data, - size_t length, - const char *field, - CK_ATTRIBUTE *attr) -{ - int ret; - int start, end; - - if (!node) - return false; - - ret = asn1_der_decoding_startEnd (node, data, length, field, &start, &end); - return_val_if_fail (ret == ASN1_SUCCESS, false); - return_val_if_fail (end >= start, false); - - attr->pValue = (void *)(data + start); - attr->ulValueLen = (end - start) + 1; - return true; -} - -static bool -is_v1_x509_authority (p11_builder *builder, - CK_ATTRIBUTE *cert) -{ - CK_ATTRIBUTE subject; - CK_ATTRIBUTE issuer; - CK_ATTRIBUTE *value; - char buffer[16]; - node_asn *node; - int len; - int ret; - - value = p11_attrs_find_valid (cert, CKA_VALUE); - if (value == NULL) - return false; - - node = decode_or_get_asn1 (builder, "PKIX1.Certificate", - value->pValue, value->ulValueLen); - return_val_if_fail (node != NULL, false); - - len = sizeof (buffer); - ret = asn1_read_value (node, "tbsCertificate.version", buffer, &len); - - /* The default value */ - if (ret == ASN1_ELEMENT_NOT_FOUND) { - ret = ASN1_SUCCESS; - buffer[0] = 0; - len = 1; - } - - return_val_if_fail (ret == ASN1_SUCCESS, false); - - /* - * In X.509 version v1 is the integer zero. Two's complement - * integer, but zero is easy to read. - */ - if (len != 1 || buffer[0] != 0) - return false; - - /* Must be self-signed, ie: same subject and issuer */ - if (!calc_element (node, value->pValue, value->ulValueLen, "tbsCertificate.subject", &subject)) - return_val_if_reached (false); - if (!calc_element (node, value->pValue, value->ulValueLen, "tbsCertificate.issuer", &issuer)) - return_val_if_reached (false); - return p11_attr_match_value (&subject, issuer.pValue, issuer.ulValueLen); -} - -static bool -calc_certificate_category (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *cert, - CK_ATTRIBUTE *public_key, - CK_ULONG *category) -{ - CK_ATTRIBUTE *label; - unsigned char *ext; - size_t ext_len; - bool is_ca = 0; - bool ret; - - /* - * In the PKCS#11 spec: - * 0 = unspecified (default value) - * 1 = token user - * 2 = authority - * 3 = other entity - */ - - /* See if we have a basic constraints extension */ - ext = lookup_extension (builder, index, cert, public_key, P11_OID_BASIC_CONSTRAINTS, &ext_len); - if (ext != NULL) { - ret = p11_x509_parse_basic_constraints (builder->asn1_defs, ext, ext_len, &is_ca); - free (ext); - if (!ret) { - label = p11_attrs_find_valid (cert, CKA_LABEL); - p11_message ("%.*s: invalid basic constraints certificate extension", - label ? (int)label->ulValueLen : 7, - label ? (char *)label->pValue : "unknown"); - return false; - } - - } else if (is_v1_x509_authority (builder, cert)) { - /* - * If there is no basic constraints extension, and the CA version is - * v1, and is self-signed, then we assume this is a certificate authority. - * So we add a BasicConstraints attached certificate extension - */ - is_ca = 1; - - } else if (!p11_attrs_find_valid (cert, CKA_VALUE)) { - /* - * If we have no certificate value, then this is unknown - */ - *category = 0; - return true; - - } - - *category = is_ca ? 2 : 3; - return true; -} - -static CK_ATTRIBUTE * -certificate_value_attrs (p11_builder *builder, - CK_ATTRIBUTE *attrs, - node_asn *node, - const unsigned char *der, - size_t der_len, - CK_ATTRIBUTE *public_key) -{ - unsigned char checksum[P11_DIGEST_SHA1_LEN]; - unsigned char *keyid = NULL; - size_t keyid_len; - unsigned char *ext = NULL; - size_t ext_len; - CK_BBOOL falsev = CK_FALSE; - CK_ULONG zero = 0UL; - CK_BYTE checkv[3]; - CK_DATE startv; - CK_DATE endv; - char *labelv = NULL; - - CK_ATTRIBUTE trusted = { CKA_TRUSTED, &falsev, sizeof (falsev) }; - CK_ATTRIBUTE distrusted = { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }; - CK_ATTRIBUTE url = { CKA_URL, "", 0 }; - CK_ATTRIBUTE hash_of_subject_public_key = { CKA_HASH_OF_SUBJECT_PUBLIC_KEY, checksum, sizeof (checksum) }; - CK_ATTRIBUTE hash_of_issuer_public_key = { CKA_HASH_OF_ISSUER_PUBLIC_KEY, "", 0 }; - CK_ATTRIBUTE java_midp_security_domain = { CKA_JAVA_MIDP_SECURITY_DOMAIN, &zero, sizeof (zero) }; - CK_ATTRIBUTE check_value = { CKA_CHECK_VALUE, &checkv, sizeof (checkv) }; - CK_ATTRIBUTE start_date = { CKA_START_DATE, &startv, sizeof (startv) }; - CK_ATTRIBUTE end_date = { CKA_END_DATE, &endv, sizeof (endv) }; - CK_ATTRIBUTE subject = { CKA_SUBJECT, }; - CK_ATTRIBUTE issuer = { CKA_ISSUER, "", 0 }; - CK_ATTRIBUTE serial_number = { CKA_SERIAL_NUMBER, "", 0 }; - CK_ATTRIBUTE label = { CKA_LABEL }; - CK_ATTRIBUTE id = { CKA_ID, NULL, 0 }; - - return_val_if_fail (attrs != NULL, NULL); - - if (der == NULL) - check_value.type = CKA_INVALID; - else - calc_check_value (der, der_len, checkv); - - if (!calc_date (node, "tbsCertificate.validity.notBefore", &startv)) - start_date.ulValueLen = 0; - if (!calc_date (node, "tbsCertificate.validity.notAfter", &endv)) - end_date.ulValueLen = 0; - - if (calc_element (node, der, der_len, "tbsCertificate.subjectPublicKeyInfo", public_key)) - public_key->type = CKA_PUBLIC_KEY_INFO; - else - public_key->type = CKA_INVALID; - calc_element (node, der, der_len, "tbsCertificate.issuer.rdnSequence", &issuer); - if (!calc_element (node, der, der_len, "tbsCertificate.subject.rdnSequence", &subject)) - subject.type = CKA_INVALID; - calc_element (node, der, der_len, "tbsCertificate.serialNumber", &serial_number); - - /* Try to build a keyid from an extension */ - if (node) { - ext = p11_x509_find_extension (node, P11_OID_SUBJECT_KEY_IDENTIFIER, der, der_len, &ext_len); - if (ext) { - keyid = p11_x509_parse_subject_key_identifier (builder->asn1_defs, ext, - ext_len, &keyid_len); - id.pValue = keyid; - id.ulValueLen = keyid_len; - } - } - - if (!node || !p11_x509_hash_subject_public_key (node, der, der_len, checksum)) - hash_of_subject_public_key.ulValueLen = 0; - - if (id.pValue == NULL) { - id.pValue = hash_of_subject_public_key.pValue; - id.ulValueLen = hash_of_subject_public_key.ulValueLen; - } - - if (node) { - labelv = p11_x509_lookup_dn_name (node, "tbsCertificate.subject", - der, der_len, P11_OID_CN); - if (!labelv) - labelv = p11_x509_lookup_dn_name (node, "tbsCertificate.subject", - der, der_len, P11_OID_OU); - if (!labelv) - labelv = p11_x509_lookup_dn_name (node, "tbsCertificate.subject", - der, der_len, P11_OID_O); - } - - if (labelv) { - label.pValue = labelv; - label.ulValueLen = strlen (labelv); - } else { - label.type = CKA_INVALID; - } - - attrs = p11_attrs_build (attrs, &trusted, &distrusted, &url, &hash_of_issuer_public_key, - &hash_of_subject_public_key, &java_midp_security_domain, - &check_value, &start_date, &end_date, &id, - &subject, &issuer, &serial_number, &label, public_key, - NULL); - return_val_if_fail (attrs != NULL, NULL); - - free (ext); - free (keyid); - free (labelv); - return attrs; -} - -static CK_ATTRIBUTE * -certificate_populate (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *cert) -{ - CK_ULONG categoryv = 0UL; - CK_ATTRIBUTE *attrs = NULL; - CK_ATTRIBUTE public_key; - node_asn *node = NULL; - unsigned char *der = NULL; - size_t der_len = 0; - - CK_ATTRIBUTE category = { CKA_CERTIFICATE_CATEGORY, &categoryv, sizeof (categoryv) }; - CK_ATTRIBUTE empty_value = { CKA_VALUE, "", 0 }; - - attrs = common_populate (builder, index, cert); - return_val_if_fail (attrs != NULL, NULL); - - der = p11_attrs_find_value (cert, CKA_VALUE, &der_len); - if (der != NULL) - node = decode_or_get_asn1 (builder, "PKIX1.Certificate", der, der_len); - - attrs = certificate_value_attrs (builder, attrs, node, der, der_len, &public_key); - return_val_if_fail (attrs != NULL, NULL); - - if (!calc_certificate_category (builder, index, cert, &public_key, &categoryv)) - categoryv = 0; - - return p11_attrs_build (attrs, &category, &empty_value, NULL); -} - -static bool -have_attribute (CK_ATTRIBUTE *attrs1, - CK_ATTRIBUTE *attrs2, - CK_ATTRIBUTE_TYPE type) -{ - CK_ATTRIBUTE *attr; - - attr = p11_attrs_find (attrs1, type); - if (attr == NULL) - attr = p11_attrs_find (attrs2, type); - return attr != NULL && attr->ulValueLen > 0; -} - -static CK_RV -certificate_validate (p11_builder *builder, - CK_ATTRIBUTE *attrs, - CK_ATTRIBUTE *merge) -{ - /* - * In theory we should be validating that in the absence of CKA_VALUE - * various other fields must be set. However we do not enforce this - * because we want to be able to have certificates without a value - * but issuer and serial number, for blacklisting purposes. - */ - - if (have_attribute (attrs, merge, CKA_URL)) { - if (!have_attribute (attrs, merge, CKA_HASH_OF_SUBJECT_PUBLIC_KEY)) { - p11_message ("missing the CKA_HASH_OF_SUBJECT_PUBLIC_KEY attribute"); - return CKR_TEMPLATE_INCONSISTENT; - } - - if (!have_attribute (attrs, merge, CKA_HASH_OF_SUBJECT_PUBLIC_KEY)) { - p11_message ("missing the CKA_HASH_OF_ISSUER_PUBLIC_KEY attribute"); - return CKR_TEMPLATE_INCONSISTENT; - } - } - - return CKR_OK; -} - -const static builder_schema certificate_schema = { - NORMAL_BUILD, - { COMMON_ATTRS, - { CKA_CERTIFICATE_TYPE, REQUIRE | CREATE, type_ulong }, - { CKA_TRUSTED, CREATE | WANT, type_bool }, - { CKA_X_DISTRUSTED, CREATE | WANT, type_bool }, - { CKA_CERTIFICATE_CATEGORY, CREATE | WANT, type_ulong }, - { CKA_CHECK_VALUE, CREATE | WANT, }, - { CKA_START_DATE, CREATE | MODIFY | WANT, type_date }, - { CKA_END_DATE, CREATE | MODIFY | WANT, type_date }, - { CKA_SUBJECT, CREATE | WANT, type_der_name }, - { CKA_ID, CREATE | MODIFY | WANT }, - { CKA_ISSUER, CREATE | MODIFY | WANT, type_der_name }, - { CKA_SERIAL_NUMBER, CREATE | MODIFY | WANT, type_der_serial }, - { CKA_VALUE, CREATE, type_der_cert }, - { CKA_URL, CREATE, type_utf8 }, - { CKA_HASH_OF_SUBJECT_PUBLIC_KEY, CREATE }, - { CKA_HASH_OF_ISSUER_PUBLIC_KEY, CREATE }, - { CKA_JAVA_MIDP_SECURITY_DOMAIN, CREATE, type_ulong }, - { CKA_PUBLIC_KEY_INFO, WANT, type_der_key }, - { CKA_INVALID }, - }, certificate_populate, certificate_validate, -}; - -static CK_ATTRIBUTE * -extension_populate (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *extension) -{ - unsigned char checksum[P11_DIGEST_SHA1_LEN]; - CK_ATTRIBUTE object_id = { CKA_INVALID }; - CK_ATTRIBUTE id = { CKA_INVALID }; - CK_ATTRIBUTE *attrs = NULL; - - void *der; - size_t len; - node_asn *asn; - - attrs = common_populate (builder, index, extension); - return_val_if_fail (attrs != NULL, NULL); - - if (!p11_attrs_find_valid (attrs, CKA_ID)) { - der = p11_attrs_find_value (extension, CKA_PUBLIC_KEY_INFO, &len); - return_val_if_fail (der != NULL, NULL); - - p11_digest_sha1 (checksum, der, len, NULL); - id.pValue = checksum; - id.ulValueLen = sizeof (checksum); - id.type = CKA_ID; - } - - /* Pull the object id out of the extension if not present */ - if (!p11_attrs_find_valid (attrs, CKA_OBJECT_ID)) { - der = p11_attrs_find_value (extension, CKA_VALUE, &len); - return_val_if_fail (der != NULL, NULL); - - asn = decode_or_get_asn1 (builder, "PKIX1.Extension", der, len); - return_val_if_fail (asn != NULL, NULL); - - if (calc_element (asn, der, len, "extnID", &object_id)) - object_id.type = CKA_OBJECT_ID; - } - - attrs = p11_attrs_build (attrs, &object_id, &id, NULL); - return_val_if_fail (attrs != NULL, NULL); - - return attrs; -} - -const static builder_schema extension_schema = { - NORMAL_BUILD, - { COMMON_ATTRS, - { CKA_VALUE, REQUIRE | CREATE, type_der_ext }, - { CKA_PUBLIC_KEY_INFO, REQUIRE | CREATE, type_der_key }, - { CKA_OBJECT_ID, CREATE | WANT, type_der_oid }, - { CKA_ID, CREATE | MODIFY }, - { CKA_INVALID }, - }, extension_populate, -}; - -static CK_ATTRIBUTE * -data_populate (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *data) -{ - static const CK_ATTRIBUTE value = { CKA_VALUE, "", 0 }; - static const CK_ATTRIBUTE application = { CKA_APPLICATION, "", 0 }; - static const CK_ATTRIBUTE object_id = { CKA_OBJECT_ID, "", 0 }; - CK_ATTRIBUTE *attrs; - - attrs = common_populate (builder, index, data); - return_val_if_fail (attrs != NULL, NULL); - - return p11_attrs_build (attrs, &value, &application, &object_id, NULL); -} - -const static builder_schema data_schema = { - NORMAL_BUILD, - { COMMON_ATTRS, - { CKA_VALUE, CREATE | MODIFY | WANT }, - { CKA_APPLICATION, CREATE | MODIFY | WANT, type_utf8 }, - { CKA_OBJECT_ID, CREATE | MODIFY | WANT, type_der_oid }, - { CKA_INVALID }, - }, data_populate, -}; - -const static builder_schema trust_schema = { - GENERATED_CLASS, - { COMMON_ATTRS, - { CKA_CERT_SHA1_HASH, CREATE }, - { CKA_CERT_MD5_HASH, CREATE }, - { CKA_ISSUER, CREATE }, - { CKA_SUBJECT, CREATE }, - { CKA_SERIAL_NUMBER, CREATE }, - { CKA_TRUST_SERVER_AUTH, CREATE }, - { CKA_TRUST_CLIENT_AUTH, CREATE }, - { CKA_TRUST_EMAIL_PROTECTION, CREATE }, - { CKA_TRUST_CODE_SIGNING, CREATE }, - { CKA_TRUST_IPSEC_END_SYSTEM, CREATE }, - { CKA_TRUST_IPSEC_TUNNEL, CREATE }, - { CKA_TRUST_IPSEC_USER, CREATE }, - { CKA_TRUST_TIME_STAMPING, CREATE }, - { CKA_TRUST_DIGITAL_SIGNATURE, CREATE }, - { CKA_TRUST_NON_REPUDIATION, CREATE }, - { CKA_TRUST_KEY_ENCIPHERMENT, CREATE }, - { CKA_TRUST_DATA_ENCIPHERMENT, CREATE }, - { CKA_TRUST_KEY_AGREEMENT, CREATE }, - { CKA_TRUST_KEY_CERT_SIGN, CREATE }, - { CKA_TRUST_CRL_SIGN, CREATE }, - { CKA_TRUST_STEP_UP_APPROVED, CREATE }, - { CKA_ID, CREATE }, - { CKA_INVALID }, - }, common_populate -}; - -const static builder_schema assertion_schema = { - GENERATED_CLASS, - { COMMON_ATTRS, - { CKA_X_PURPOSE, REQUIRE | CREATE }, - { CKA_X_CERTIFICATE_VALUE, CREATE }, - { CKA_X_ASSERTION_TYPE, REQUIRE | CREATE }, - { CKA_ISSUER, CREATE }, - { CKA_SERIAL_NUMBER, CREATE }, - { CKA_X_PEER, CREATE }, - { CKA_ID, CREATE }, - { CKA_INVALID }, - }, common_populate -}; - -const static builder_schema builtin_schema = { - GENERATED_CLASS, - { COMMON_ATTRS, - { CKA_INVALID }, - }, common_populate -}; - -static const char * -value_name (const p11_constant *info, - CK_ATTRIBUTE_TYPE type) -{ - const char *name = p11_constant_name (info, type); - return name ? name : "unknown"; -} - -static const char * -type_name (CK_ATTRIBUTE_TYPE type) -{ - return value_name (p11_constant_types, type); -} - -static CK_RV -build_for_schema (p11_builder *builder, - p11_index *index, - const builder_schema *schema, - CK_ATTRIBUTE *attrs, - CK_ATTRIBUTE *merge, - CK_ATTRIBUTE **extra) -{ - CK_BBOOL modifiable; - CK_ATTRIBUTE *attr; - bool modifying; - bool creating; - bool populate; - bool loading; - bool found; - int flags; - int i, j; - CK_RV rv; - - populate = false; - - /* Signifies that data is being loaded */ - loading = p11_index_loading (index); - - /* Signifies that this is being created by a caller, instead of loaded */ - creating = (attrs == NULL && !loading); - - /* Item is being modified by a caller */ - modifying = (attrs != NULL && !loading); - - /* This item may not be modifiable */ - if (modifying) { - if (!p11_attrs_find_bool (attrs, CKA_MODIFIABLE, &modifiable) || !modifiable) { - p11_message ("the object is not modifiable"); - return CKR_ATTRIBUTE_READ_ONLY; - } - } - - if (creating && (builder->flags & P11_BUILDER_FLAG_TOKEN)) { - if (schema->build_flags & GENERATED_CLASS) { - p11_message ("objects of this type cannot be created"); - return CKR_TEMPLATE_INCONSISTENT; - } - } - - for (i = 0; merge[i].type != CKA_INVALID; i++) { - - /* Don't validate attribute if not changed */ - attr = p11_attrs_find (attrs, merge[i].type); - if (attr && p11_attr_equal (attr, merge + i)) - continue; - - found = false; - for (j = 0; schema->attrs[j].type != CKA_INVALID; j++) { - if (schema->attrs[j].type != merge[i].type) - continue; - - flags = schema->attrs[j].flags; - if (creating && !(flags & CREATE)) { - p11_message ("the %s attribute cannot be set", - type_name (schema->attrs[j].type)); - return CKR_ATTRIBUTE_READ_ONLY; - } - if (modifying && !(flags & MODIFY)) { - p11_message ("the %s attribute cannot be changed", - type_name (schema->attrs[j].type)); - return CKR_ATTRIBUTE_READ_ONLY; - } - if (!loading && schema->attrs[j].validate != NULL && - !schema->attrs[j].validate (builder, merge + i)) { - p11_message ("the %s attribute has an invalid value", - type_name (schema->attrs[j].type)); - return CKR_ATTRIBUTE_VALUE_INVALID; - } - found = true; - break; - } - - if (!found) { - p11_message ("the %s attribute is not valid for the object", - type_name (merge[i].type)); - return CKR_TEMPLATE_INCONSISTENT; - } - } - - if (attrs == NULL) { - for (j = 0; schema->attrs[j].type != CKA_INVALID; j++) { - flags = schema->attrs[j].flags; - found = false; - - if ((flags & REQUIRE) || (flags & WANT)) { - for (i = 0; merge[i].type != CKA_INVALID; i++) { - if (schema->attrs[j].type == merge[i].type) { - found = true; - break; - } - } - } - - if (!found) { - if (flags & REQUIRE) { - p11_message ("missing the %s attribute", - type_name (schema->attrs[j].type)); - return CKR_TEMPLATE_INCOMPLETE; - } else if (flags & WANT) { - populate = true; - } - } - } - } - - /* Validate the result, before committing to the change. */ - if (!loading && schema->validate) { - rv = (schema->validate) (builder, attrs, merge); - if (rv != CKR_OK) - return rv; - } - - if (populate && schema->populate) - *extra = schema->populate (builder, index, merge); - - return CKR_OK; -} - -CK_RV -p11_builder_build (void *bilder, - p11_index *index, - CK_ATTRIBUTE *attrs, - CK_ATTRIBUTE *merge, - CK_ATTRIBUTE **populate) -{ - p11_builder *builder = bilder; - CK_OBJECT_CLASS klass; - CK_CERTIFICATE_TYPE type; - CK_BBOOL token; - - return_val_if_fail (builder != NULL, CKR_GENERAL_ERROR); - return_val_if_fail (index != NULL, CKR_GENERAL_ERROR); - return_val_if_fail (merge != NULL, CKR_GENERAL_ERROR); - - if (!p11_attrs_find_ulong (attrs ? attrs : merge, CKA_CLASS, &klass)) { - p11_message ("no CKA_CLASS attribute found"); - return CKR_TEMPLATE_INCOMPLETE; - } - - if (!attrs && p11_attrs_find_bool (merge, CKA_TOKEN, &token)) { - if (token != ((builder->flags & P11_BUILDER_FLAG_TOKEN) ? CK_TRUE : CK_FALSE)) { - p11_message ("cannot create a %s object", token ? "token" : "non-token"); - return CKR_TEMPLATE_INCONSISTENT; - } - } - - switch (klass) { - case CKO_CERTIFICATE: - if (!p11_attrs_find_ulong (attrs ? attrs : merge, CKA_CERTIFICATE_TYPE, &type)) { - p11_message ("missing %s on object", type_name (CKA_CERTIFICATE_TYPE)); - return CKR_TEMPLATE_INCOMPLETE; - } else if (type == CKC_X_509) { - return build_for_schema (builder, index, &certificate_schema, attrs, merge, populate); - } else { - p11_message ("%s unsupported %s", value_name (p11_constant_certs, type), - type_name (CKA_CERTIFICATE_TYPE)); - return CKR_TEMPLATE_INCONSISTENT; - } - - case CKO_X_CERTIFICATE_EXTENSION: - return build_for_schema (builder, index, &extension_schema, attrs, merge, populate); - - case CKO_DATA: - return build_for_schema (builder, index, &data_schema, attrs, merge, populate); - - case CKO_NSS_TRUST: - return build_for_schema (builder, index, &trust_schema, attrs, merge, populate); - - case CKO_NSS_BUILTIN_ROOT_LIST: - return build_for_schema (builder, index, &builtin_schema, attrs, merge, populate); - - case CKO_X_TRUST_ASSERTION: - return build_for_schema (builder, index, &assertion_schema, attrs, merge, populate); - - default: - p11_message ("%s unsupported object class", - value_name (p11_constant_classes, klass)); - return CKR_TEMPLATE_INCONSISTENT; - } -} - -void -p11_builder_free (p11_builder *builder) -{ - return_if_fail (builder != NULL); - - p11_asn1_cache_free (builder->asn1_cache); - free (builder); -} - -p11_asn1_cache * -p11_builder_get_cache (p11_builder *builder) -{ - return_val_if_fail (builder != NULL, NULL); - return builder->asn1_cache; -} - -static CK_ATTRIBUTE * -build_trust_object_ku (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *cert, - CK_ATTRIBUTE *object, - CK_TRUST present) -{ - unsigned char *data = NULL; - unsigned int ku = 0; - size_t length; - CK_TRUST defawlt; - CK_ULONG i; - - struct { - CK_ATTRIBUTE_TYPE type; - unsigned int ku; - } ku_attribute_map[] = { - { CKA_TRUST_DIGITAL_SIGNATURE, P11_KU_DIGITAL_SIGNATURE }, - { CKA_TRUST_NON_REPUDIATION, P11_KU_NON_REPUDIATION }, - { CKA_TRUST_KEY_ENCIPHERMENT, P11_KU_KEY_ENCIPHERMENT }, - { CKA_TRUST_DATA_ENCIPHERMENT, P11_KU_DATA_ENCIPHERMENT }, - { CKA_TRUST_KEY_AGREEMENT, P11_KU_KEY_AGREEMENT }, - { CKA_TRUST_KEY_CERT_SIGN, P11_KU_KEY_CERT_SIGN }, - { CKA_TRUST_CRL_SIGN, P11_KU_CRL_SIGN }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE attrs[sizeof (ku_attribute_map)]; - - defawlt = present; - - /* If blacklisted, don't even bother looking at extensions */ - if (present != CKT_NSS_NOT_TRUSTED) - data = lookup_extension (builder, index, cert, NULL, P11_OID_KEY_USAGE, &length); - - if (data) { - /* - * If the certificate extension was missing, then *all* key - * usages are to be set. If the extension was invalid, then - * fail safe to none of the key usages. - */ - defawlt = CKT_NSS_TRUST_UNKNOWN; - - if (!p11_x509_parse_key_usage (builder->asn1_defs, data, length, &ku)) - p11_message ("invalid key usage certificate extension"); - free (data); - } - - for (i = 0; ku_attribute_map[i].type != CKA_INVALID; i++) { - attrs[i].type = ku_attribute_map[i].type; - if (data && (ku & ku_attribute_map[i].ku) == ku_attribute_map[i].ku) { - attrs[i].pValue = &present; - attrs[i].ulValueLen = sizeof (present); - } else { - attrs[i].pValue = &defawlt; - attrs[i].ulValueLen = sizeof (defawlt); - } - } - - return p11_attrs_buildn (object, attrs, i); -} - -static bool -strv_to_dict (const char **array, - p11_dict **dict) -{ - int i; - - if (!array) { - *dict = NULL; - return true; - } - - *dict = p11_dict_new (p11_dict_str_hash, p11_dict_str_equal, NULL, NULL); - return_val_if_fail (*dict != NULL, false); - - for (i = 0; array[i] != NULL; i++) { - if (!p11_dict_set (*dict, (void *)array[i], (void *)array[i])) - return_val_if_reached (false); - } - - return true; -} - -static CK_ATTRIBUTE * -build_trust_object_eku (CK_ATTRIBUTE *object, - CK_TRUST allow, - const char **purposes, - const char **rejects) -{ - p11_dict *dict_purp; - p11_dict *dict_rej; - CK_TRUST neutral; - CK_TRUST disallow; - CK_ULONG i; - - struct { - CK_ATTRIBUTE_TYPE type; - const char *oid; - } eku_attribute_map[] = { - { CKA_TRUST_SERVER_AUTH, P11_OID_SERVER_AUTH_STR }, - { CKA_TRUST_CLIENT_AUTH, P11_OID_CLIENT_AUTH_STR }, - { CKA_TRUST_CODE_SIGNING, P11_OID_CODE_SIGNING_STR }, - { CKA_TRUST_EMAIL_PROTECTION, P11_OID_EMAIL_PROTECTION_STR }, - { CKA_TRUST_IPSEC_END_SYSTEM, P11_OID_IPSEC_END_SYSTEM_STR }, - { CKA_TRUST_IPSEC_TUNNEL, P11_OID_IPSEC_TUNNEL_STR }, - { CKA_TRUST_IPSEC_USER, P11_OID_IPSEC_USER_STR }, - { CKA_TRUST_TIME_STAMPING, P11_OID_TIME_STAMPING_STR }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE attrs[sizeof (eku_attribute_map)]; - - if (!strv_to_dict (purposes, &dict_purp) || - !strv_to_dict (rejects, &dict_rej)) - return_val_if_reached (NULL); - - /* The neutral value is set if an purpose is not present */ - if (allow == CKT_NSS_NOT_TRUSTED) - neutral = CKT_NSS_NOT_TRUSTED; - - /* If anything explicitly set, then neutral is unknown */ - else if (purposes || rejects) - neutral = CKT_NSS_TRUST_UNKNOWN; - - /* Otherwise neutral will allow any purpose */ - else - neutral = allow; - - /* The value set if a purpose is explicitly rejected */ - disallow = CKT_NSS_NOT_TRUSTED; - - for (i = 0; eku_attribute_map[i].type != CKA_INVALID; i++) { - attrs[i].type = eku_attribute_map[i].type; - if (dict_rej && p11_dict_get (dict_rej, eku_attribute_map[i].oid)) { - attrs[i].pValue = &disallow; - attrs[i].ulValueLen = sizeof (disallow); - } else if (dict_purp && p11_dict_get (dict_purp, eku_attribute_map[i].oid)) { - attrs[i].pValue = &allow; - attrs[i].ulValueLen = sizeof (allow); - } else { - attrs[i].pValue = &neutral; - attrs[i].ulValueLen = sizeof (neutral); - } - } - - p11_dict_free (dict_purp); - p11_dict_free (dict_rej); - - return p11_attrs_buildn (object, attrs, i); -} - -static void -replace_nss_trust_object (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *cert, - CK_BBOOL trust, - CK_BBOOL distrust, - CK_BBOOL authority, - const char **purposes, - const char **rejects) -{ - CK_ATTRIBUTE *attrs = NULL; - CK_ATTRIBUTE *match = NULL; - CK_TRUST allow; - CK_RV rv; - - CK_OBJECT_CLASS klassv = CKO_NSS_TRUST; - CK_BYTE sha1v[P11_DIGEST_SHA1_LEN]; - CK_BYTE md5v[P11_DIGEST_MD5_LEN]; - CK_BBOOL generatedv = CK_FALSE; - CK_BBOOL falsev = CK_FALSE; - - CK_ATTRIBUTE klass = { CKA_CLASS, &klassv, sizeof (klassv) }; - CK_ATTRIBUTE modifiable = { CKA_MODIFIABLE, &falsev, sizeof (falsev) }; - CK_ATTRIBUTE generated = { CKA_X_GENERATED, &generatedv, sizeof (generatedv) }; - CK_ATTRIBUTE invalid = { CKA_INVALID, }; - - CK_ATTRIBUTE md5_hash = { CKA_CERT_MD5_HASH, md5v, sizeof (md5v) }; - CK_ATTRIBUTE sha1_hash = { CKA_CERT_SHA1_HASH, sha1v, sizeof (sha1v) }; - - CK_ATTRIBUTE step_up_approved = { CKA_TRUST_STEP_UP_APPROVED, &falsev, sizeof (falsev) }; - - CK_ATTRIBUTE_PTR label; - CK_ATTRIBUTE_PTR id; - CK_ATTRIBUTE_PTR subject; - CK_ATTRIBUTE_PTR issuer; - CK_ATTRIBUTE_PTR serial_number; - - p11_array *array; - void *value; - size_t length; - - issuer = p11_attrs_find_valid (cert, CKA_ISSUER); - serial_number = p11_attrs_find_valid (cert, CKA_SERIAL_NUMBER); - value = p11_attrs_find_value (cert, CKA_VALUE, &length); - - if (!issuer && !serial_number && !value) { - p11_debug ("can't generate nss trust object for certificate without issuer+serial or value"); - return; - } - - if (value == NULL) { - md5_hash.type = CKA_INVALID; - sha1_hash.type = CKA_INVALID; - } else { - p11_digest_md5 (md5v, value, length, NULL); - p11_digest_sha1 (sha1v, value, length, NULL); - } - if (!issuer) - issuer = &invalid; - if (!serial_number) - serial_number = &invalid; - - match = p11_attrs_build (NULL, issuer, serial_number, &sha1_hash, - &generated, &klass, NULL); - return_if_fail (match != NULL); - - /* If we find a non-generated object, then don't generate */ - if (p11_index_find (index, match, -1)) { - p11_debug ("not generating nss trust object because one already exists"); - attrs = NULL; - - } else { - generatedv = CK_TRUE; - match = p11_attrs_build (match, &generated, NULL); - return_if_fail (match != NULL); - - /* Copy all of the following attributes from certificate */ - id = p11_attrs_find_valid (cert, CKA_ID); - if (id == NULL) - id = &invalid; - subject = p11_attrs_find_valid (cert, CKA_SUBJECT); - if (subject == NULL) - subject = &invalid; - label = p11_attrs_find_valid (cert, CKA_LABEL); - if (label == NULL) - label = &invalid; - - attrs = p11_attrs_dup (match); - return_if_fail (attrs != NULL); - - attrs = p11_attrs_build (attrs, &klass, &modifiable, id, label, - subject, issuer, serial_number, - &md5_hash, &sha1_hash, &step_up_approved, NULL); - return_if_fail (attrs != NULL); - - /* Calculate the default allow trust */ - if (distrust) - allow = CKT_NSS_NOT_TRUSTED; - else if (trust && authority) - allow = CKT_NSS_TRUSTED_DELEGATOR; - else if (trust) - allow = CKT_NSS_TRUSTED; - else - allow = CKT_NSS_TRUST_UNKNOWN; - - attrs = build_trust_object_ku (builder, index, cert, attrs, allow); - return_if_fail (attrs != NULL); - - attrs = build_trust_object_eku (attrs, allow, purposes, rejects); - return_if_fail (attrs != NULL); - } - - /* Replace related generated object with this new one */ - array = p11_array_new (NULL); - p11_array_push (array, attrs); - rv = p11_index_replace_all (index, match, CKA_INVALID, array); - return_if_fail (rv == CKR_OK); - p11_array_free (array); - - p11_attrs_free (match); -} - -static void -build_assertions (p11_array *array, - CK_ATTRIBUTE *cert, - CK_X_ASSERTION_TYPE type, - const char **oids) -{ - CK_OBJECT_CLASS assertion = CKO_X_TRUST_ASSERTION; - CK_BBOOL truev = CK_TRUE; - CK_BBOOL falsev = CK_FALSE; - - CK_ATTRIBUTE klass = { CKA_CLASS, &assertion, sizeof (assertion) }; - CK_ATTRIBUTE private = { CKA_PRIVATE, &falsev, sizeof (falsev) }; - CK_ATTRIBUTE modifiable = { CKA_MODIFIABLE, &falsev, sizeof (falsev) }; - CK_ATTRIBUTE assertion_type = { CKA_X_ASSERTION_TYPE, &type, sizeof (type) }; - CK_ATTRIBUTE autogen = { CKA_X_GENERATED, &truev, sizeof (truev) }; - CK_ATTRIBUTE purpose = { CKA_X_PURPOSE, }; - CK_ATTRIBUTE invalid = { CKA_INVALID, }; - CK_ATTRIBUTE certificate_value = { CKA_X_CERTIFICATE_VALUE, }; - - CK_ATTRIBUTE *issuer; - CK_ATTRIBUTE *serial; - CK_ATTRIBUTE *value; - CK_ATTRIBUTE *label; - CK_ATTRIBUTE *id; - CK_ATTRIBUTE *attrs; - int i; - - if (type == CKT_X_DISTRUSTED_CERTIFICATE) { - certificate_value.type = CKA_INVALID; - issuer = p11_attrs_find_valid (cert, CKA_ISSUER); - serial = p11_attrs_find_valid (cert, CKA_SERIAL_NUMBER); - - if (!issuer || !serial) { - p11_debug ("not building negative trust assertion for certificate without serial or issuer"); - return; - } - - } else { - issuer = &invalid; - serial = &invalid; - value = p11_attrs_find_valid (cert, CKA_VALUE); - - if (value == NULL) { - p11_debug ("not building positive trust assertion for certificate without value"); - return; - } - - certificate_value.pValue = value->pValue; - certificate_value.ulValueLen = value->ulValueLen; - } - - label = p11_attrs_find (cert, CKA_LABEL); - if (label == NULL) - label = &invalid; - id = p11_attrs_find (cert, CKA_ID); - if (id == NULL) - id = &invalid; - - for (i = 0; oids[i] != NULL; i++) { - purpose.pValue = (void *)oids[i]; - purpose.ulValueLen = strlen (oids[i]); - - attrs = p11_attrs_build (NULL, &klass, &private, &modifiable, - id, label, &assertion_type, &purpose, - issuer, serial, &certificate_value, &autogen, NULL); - return_if_fail (attrs != NULL); - - if (!p11_array_push (array, attrs)) - return_if_reached (); - } -} - -static void -build_trust_assertions (p11_array *positives, - p11_array *negatives, - CK_ATTRIBUTE *cert, - CK_BBOOL trust, - CK_BBOOL distrust, - CK_BBOOL authority, - const char **purposes, - const char **rejects) -{ - const char *all_purposes[] = { - P11_OID_SERVER_AUTH_STR, - P11_OID_CLIENT_AUTH_STR, - P11_OID_CODE_SIGNING_STR, - P11_OID_EMAIL_PROTECTION_STR, - P11_OID_IPSEC_END_SYSTEM_STR, - P11_OID_IPSEC_TUNNEL_STR, - P11_OID_IPSEC_USER_STR, - P11_OID_TIME_STAMPING_STR, - NULL, - }; - - /* Build assertions for anything that's explicitly rejected */ - if (rejects && negatives) { - build_assertions (negatives, cert, CKT_X_DISTRUSTED_CERTIFICATE, rejects); - } - - if (distrust && negatives) { - /* - * Trust assertions are defficient in that they don't blacklist a certificate - * for any purposes. So we just have to go wild and write out a bunch of - * assertions for all our known purposes. - */ - build_assertions (negatives, cert, CKT_X_DISTRUSTED_CERTIFICATE, all_purposes); - } - - /* - * TODO: Build pinned certificate assertions. That is, trusted - * certificates where not an authority. - */ - - if (trust && authority && positives) { - if (purposes) { - /* If purposes explicitly set, then anchor for those purposes */ - build_assertions (positives, cert, CKT_X_ANCHORED_CERTIFICATE, purposes); - } else { - /* If purposes not-explicitly set, then anchor for all known */ - build_assertions (positives, cert, CKT_X_ANCHORED_CERTIFICATE, all_purposes); - } - } -} - -static void -replace_trust_assertions (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *cert, - CK_BBOOL trust, - CK_BBOOL distrust, - CK_BBOOL authority, - const char **purposes, - const char **rejects) -{ - CK_OBJECT_CLASS assertion = CKO_X_TRUST_ASSERTION; - CK_BBOOL generated = CK_TRUE; - p11_array *positives = NULL; - p11_array *negatives = NULL; - CK_ATTRIBUTE *value; - CK_ATTRIBUTE *issuer; - CK_ATTRIBUTE *serial; - CK_RV rv; - - CK_ATTRIBUTE match_positive[] = { - { CKA_X_CERTIFICATE_VALUE, }, - { CKA_CLASS, &assertion, sizeof (assertion) }, - { CKA_X_GENERATED, &generated, sizeof (generated) }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE match_negative[] = { - { CKA_ISSUER, }, - { CKA_SERIAL_NUMBER, }, - { CKA_CLASS, &assertion, sizeof (assertion) }, - { CKA_X_GENERATED, &generated, sizeof (generated) }, - { CKA_INVALID } - }; - - value = p11_attrs_find_valid (cert, CKA_VALUE); - if (value) { - positives = p11_array_new (NULL); - match_positive[0].pValue = value->pValue; - match_positive[0].ulValueLen = value->ulValueLen; - } - - issuer = p11_attrs_find_valid (cert, CKA_ISSUER); - serial = p11_attrs_find_valid (cert, CKA_SERIAL_NUMBER); - if (issuer && serial) { - negatives = p11_array_new (NULL); - memcpy (match_negative + 0, issuer, sizeof (CK_ATTRIBUTE)); - memcpy (match_negative + 1, serial, sizeof (CK_ATTRIBUTE)); - } - - build_trust_assertions (positives, negatives, cert, trust, distrust, - authority, purposes, rejects); - - if (positives) { - rv = p11_index_replace_all (index, match_positive, CKA_X_PURPOSE, positives); - return_if_fail (rv == CKR_OK); - p11_array_free (positives); - } - - if (negatives) { - rv = p11_index_replace_all (index, match_negative, CKA_X_PURPOSE, negatives); - return_if_fail (rv == CKR_OK); - p11_array_free (negatives); - } -} - -static void -remove_trust_and_assertions (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *attrs) -{ - replace_nss_trust_object (builder, index, attrs, - CK_FALSE, CK_FALSE, CK_FALSE, - NULL, NULL); - replace_trust_assertions (builder, index, attrs, - CK_FALSE, CK_FALSE, CK_FALSE, - NULL, NULL); -} - -static void -replace_trust_and_assertions (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *cert) -{ - CK_BBOOL trust = CK_FALSE; - CK_BBOOL distrust = CK_FALSE; - CK_BBOOL authority = CK_FALSE; - p11_array *purposes = NULL; - p11_array *rejects = NULL; - const char **purposev; - const char **rejectv; - CK_ULONG category; - unsigned char *ext; - size_t ext_len; - - /* - * We look up all this information in advance, since it's used - * by the various adapter objects, and we don't have to parse - * it multiple times. - */ - - if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &trust)) - trust = CK_FALSE; - if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &distrust)) - distrust = CK_FALSE; - if (p11_attrs_find_ulong (cert, CKA_CERTIFICATE_CATEGORY, &category) && category == 2) - authority = CK_TRUE; - - if (!distrust) { - ext = lookup_extension (builder, index, cert, NULL, P11_OID_EXTENDED_KEY_USAGE, &ext_len); - if (ext != NULL) { - purposes = p11_x509_parse_extended_key_usage (builder->asn1_defs, ext, ext_len); - if (purposes == NULL) - p11_message ("invalid extended key usage certificate extension"); - free (ext); - } - - ext = lookup_extension (builder, index, cert, NULL, P11_OID_OPENSSL_REJECT, &ext_len); - if (ext != NULL) { - rejects = p11_x509_parse_extended_key_usage (builder->asn1_defs, ext, ext_len); - if (rejects == NULL) - p11_message ("invalid reject key usage certificate extension"); - free (ext); - } - } - - /* null-terminate these arrays and use as strv's */ - purposev = rejectv = NULL; - if (rejects) { - if (!p11_array_push (rejects, NULL)) - return_if_reached (); - rejectv = (const char **)rejects->elem; - } - if (purposes) { - if (!p11_array_push (purposes, NULL)) - return_if_reached (); - purposev = (const char **)purposes->elem; - } - - replace_nss_trust_object (builder, index, cert, trust, distrust, - authority, purposev, rejectv); - replace_trust_assertions (builder, index, cert, trust, distrust, - authority, purposev, rejectv); - - p11_array_free (purposes); - p11_array_free (rejects); -} - -static void -replace_compat_for_cert (p11_builder *builder, - p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *attrs) -{ - static const CK_OBJECT_CLASS certificate = CKO_CERTIFICATE; - static const CK_CERTIFICATE_TYPE x509 = CKC_X_509; - CK_ATTRIBUTE *value; - - CK_ATTRIBUTE match[] = { - { CKA_VALUE, }, - { CKA_CLASS, (void *)&certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, (void *)&x509, sizeof (x509) }, - { CKA_INVALID } - }; - - /* - * If this certificate is going away, then find duplicate. In this - * case all the trust assertions are recalculated with this new - * certificate in mind. - */ - if (handle == 0) { - value = p11_attrs_find_valid (attrs, CKA_VALUE); - if (value != NULL) { - match[0].pValue = value->pValue; - match[0].ulValueLen = value->ulValueLen; - handle = p11_index_find (index, match, -1); - } - if (handle != 0) - attrs = p11_index_lookup (index, handle); - } - - if (handle == 0) - remove_trust_and_assertions (builder, index, attrs); - else - replace_trust_and_assertions (builder, index, attrs); -} - -static void -replace_compat_for_ext (p11_builder *builder, - p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *attrs) -{ - - CK_OBJECT_HANDLE *handles; - CK_ATTRIBUTE *public_key; - int i; - - public_key = p11_attrs_find_valid (attrs, CKA_PUBLIC_KEY_INFO); - if (public_key == NULL) - return; - - handles = lookup_related (index, CKO_CERTIFICATE, public_key); - for (i = 0; handles && handles[i] != 0; i++) { - attrs = p11_index_lookup (index, handles[i]); - replace_trust_and_assertions (builder, index, attrs); - } - free (handles); -} - -static void -update_related_category (p11_builder *builder, - p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *attrs) -{ - CK_OBJECT_HANDLE *handles; - CK_ULONG categoryv = 0UL; - CK_ATTRIBUTE *update; - CK_ATTRIBUTE *cert; - CK_ATTRIBUTE *public_key; - CK_RV rv; - int i; - - CK_ATTRIBUTE category[] = { - { CKA_CERTIFICATE_CATEGORY, &categoryv, sizeof (categoryv) }, - { CKA_INVALID, }, - }; - - public_key = p11_attrs_find_valid (attrs, CKA_PUBLIC_KEY_INFO); - if (public_key == NULL) - return; - - /* Find all other objects with this handle */ - handles = lookup_related (index, CKO_CERTIFICATE, public_key); - - for (i = 0; handles && handles[i] != 0; i++) { - cert = p11_index_lookup (index, handle); - - if (calc_certificate_category (builder, index, cert, public_key, &categoryv)) { - update = p11_attrs_build (NULL, &category, NULL); - rv = p11_index_update (index, handles[i], update); - return_if_fail (rv == CKR_OK); - } - } - - free (handles); -} - -void -p11_builder_changed (void *bilder, - p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *attrs) -{ - static const CK_OBJECT_CLASS certificate = CKO_CERTIFICATE; - static const CK_OBJECT_CLASS extension = CKO_X_CERTIFICATE_EXTENSION; - static const CK_CERTIFICATE_TYPE x509 = CKC_X_509; - - static const CK_ATTRIBUTE match_cert[] = { - { CKA_CLASS, (void *)&certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, (void *)&x509, sizeof (x509) }, - { CKA_INVALID } - }; - - static const CK_ATTRIBUTE match_eku[] = { - { CKA_CLASS, (void *)&extension, sizeof (extension) }, - { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, - sizeof (P11_OID_EXTENDED_KEY_USAGE) }, - { CKA_INVALID } - }; - - static const CK_ATTRIBUTE match_ku[] = { - { CKA_CLASS, (void *)&extension, sizeof (extension) }, - { CKA_OBJECT_ID, (void *)P11_OID_KEY_USAGE, - sizeof (P11_OID_KEY_USAGE) }, - { CKA_INVALID } - }; - - static const CK_ATTRIBUTE match_bc[] = { - { CKA_CLASS, (void *)&extension, sizeof (extension) }, - { CKA_OBJECT_ID, (void *)P11_OID_BASIC_CONSTRAINTS, - sizeof (P11_OID_BASIC_CONSTRAINTS) }, - { CKA_INVALID } - }; - - p11_builder *builder = bilder; - - return_if_fail (builder != NULL); - return_if_fail (index != NULL); - return_if_fail (attrs != NULL); - - /* - * Treat these operations as loading, not modifying/creating, so we get - * around many of the rules that govern object creation - */ - p11_index_load (index); - - /* A certificate */ - if (p11_attrs_match (attrs, match_cert)) { - replace_compat_for_cert (builder, index, handle, attrs); - - /* An ExtendedKeyUsage extension */ - } else if (p11_attrs_match (attrs, match_eku) || - p11_attrs_match (attrs, match_ku)) { - replace_compat_for_ext (builder, index, handle, attrs); - - /* A BasicConstraints extension */ - } else if (p11_attrs_match (attrs, match_bc)) { - update_related_category (builder, index, handle, attrs); - } - - p11_index_finish (index); -} |