|
|
|
@ -1,38 +1,83 @@
|
|
|
|
|
commit 90590b02085edc3830bdfe0942a46c4e7bf3f1ab (HEAD -> master)
|
|
|
|
|
Author: David Woodhouse <David.Woodhouse@intel.com>
|
|
|
|
|
Date: Thu Apr 30 14:58:24 2015 +0100
|
|
|
|
|
From 14e09211c3d50eb06825090c9765e4382cf52f19 Mon Sep 17 00:00:00 2001
|
|
|
|
|
From: David Woodhouse <David.Woodhouse@intel.com>
|
|
|
|
|
Date: Sun, 14 Dec 2014 19:42:18 +0000
|
|
|
|
|
Subject: [PATCH 1/3] Stop _pkcs11h_util_hexToBinary() checking for trailing
|
|
|
|
|
NUL
|
|
|
|
|
|
|
|
|
|
We are going to want to use this for parsing %XX hex escapes in RFC7512
|
|
|
|
|
PKCS#11 URIs, where we cannot expect a trailing NUL. Since there's only
|
|
|
|
|
one existing caller at the moment, it's simple just to let the caller
|
|
|
|
|
have responsibility for that check.
|
|
|
|
|
|
|
|
|
|
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
|
|
|
|
|
---
|
|
|
|
|
lib/pkcs11h-serialization.c | 8 +++++++-
|
|
|
|
|
lib/pkcs11h-util.c | 7 +------
|
|
|
|
|
2 files changed, 8 insertions(+), 7 deletions(-)
|
|
|
|
|
|
|
|
|
|
Serialize to RFC7512-compliant PKCS#11 URIs
|
|
|
|
|
diff --git a/lib/pkcs11h-serialization.c b/lib/pkcs11h-serialization.c
|
|
|
|
|
index 74b4ca7..a45a6c5 100644
|
|
|
|
|
--- a/lib/pkcs11h-serialization.c
|
|
|
|
|
+++ b/lib/pkcs11h-serialization.c
|
|
|
|
|
@@ -368,6 +368,7 @@ pkcs11h_certificate_deserializeCertificateId (
|
|
|
|
|
CK_RV rv = CKR_FUNCTION_FAILED;
|
|
|
|
|
char *p = NULL;
|
|
|
|
|
char *_sz = NULL;
|
|
|
|
|
+ size_t id_hex_len;
|
|
|
|
|
|
|
|
|
|
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
|
|
|
|
|
_PKCS11H_ASSERT (p_certificate_id!=NULL);
|
|
|
|
|
_PKCS11H_ASSERT (sz!=NULL);
|
|
|
|
|
@@ -413,7 +414,12 @@ pkcs11h_certificate_deserializeCertificateId (
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
commit 4d5280da8df591aab701dff4493d13a835a9b29c
|
|
|
|
|
Author: David Woodhouse <David.Woodhouse@intel.com>
|
|
|
|
|
Date: Wed Dec 10 14:00:21 2014 +0000
|
|
|
|
|
- certificate_id->attrCKA_ID_size = strlen (p)/2;
|
|
|
|
|
+ id_hex_len = strlen (p);
|
|
|
|
|
+ if (id_hex_len & 1) {
|
|
|
|
|
+ rv = CKR_ATTRIBUTE_VALUE_INVALID;
|
|
|
|
|
+ goto cleanup;
|
|
|
|
|
+ }
|
|
|
|
|
+ certificate_id->attrCKA_ID_size = id_hex_len/2;
|
|
|
|
|
|
|
|
|
|
Accept RFC7512-compliant PKCS#11 URIs as serialized token/certificate IDs
|
|
|
|
|
if (
|
|
|
|
|
(rv = _pkcs11h_mem_malloc (
|
|
|
|
|
diff --git a/lib/pkcs11h-util.c b/lib/pkcs11h-util.c
|
|
|
|
|
index 7325db4..7dfe9a3 100644
|
|
|
|
|
--- a/lib/pkcs11h-util.c
|
|
|
|
|
+++ b/lib/pkcs11h-util.c
|
|
|
|
|
@@ -109,12 +109,7 @@ _pkcs11h_util_hexToBinary (
|
|
|
|
|
p++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
The old format is still accepted for compatibility.
|
|
|
|
|
- if (*p != '\x0') {
|
|
|
|
|
- return CKR_ATTRIBUTE_VALUE_INVALID;
|
|
|
|
|
- }
|
|
|
|
|
- else {
|
|
|
|
|
- return CKR_OK;
|
|
|
|
|
- }
|
|
|
|
|
+ return CKR_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
|
|
|
|
|
CK_RV
|
|
|
|
|
|
|
|
|
|
commit 14e09211c3d50eb06825090c9765e4382cf52f19
|
|
|
|
|
Author: David Woodhouse <David.Woodhouse@intel.com>
|
|
|
|
|
Date: Sun Dec 14 19:42:18 2014 +0000
|
|
|
|
|
From 4d5280da8df591aab701dff4493d13a835a9b29c Mon Sep 17 00:00:00 2001
|
|
|
|
|
From: David Woodhouse <David.Woodhouse@intel.com>
|
|
|
|
|
Date: Wed, 10 Dec 2014 14:00:21 +0000
|
|
|
|
|
Subject: [PATCH 2/3] Accept RFC7512-compliant PKCS#11 URIs as serialized
|
|
|
|
|
token/certificate IDs
|
|
|
|
|
|
|
|
|
|
Stop _pkcs11h_util_hexToBinary() checking for trailing NUL
|
|
|
|
|
The old format is still accepted for compatibility.
|
|
|
|
|
|
|
|
|
|
We are going to want to use this for parsing %XX hex escapes in RFC7512
|
|
|
|
|
PKCS#11 URIs, where we cannot expect a trailing NUL. Since there's only
|
|
|
|
|
one existing caller at the moment, it's simple just to let the caller
|
|
|
|
|
have responsibility for that check.
|
|
|
|
|
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
|
|
|
|
|
---
|
|
|
|
|
lib/pkcs11h-serialization.c | 305 ++++++++++++++++++++++++++++++------
|
|
|
|
|
1 file changed, 256 insertions(+), 49 deletions(-)
|
|
|
|
|
|
|
|
|
|
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
|
|
|
|
|
diff --git a/lib/pkcs11h-serialization.c b/lib/pkcs11h-serialization.c
|
|
|
|
|
index ad275f8..1d077e4 100644
|
|
|
|
|
index a45a6c5..390ac0e 100644
|
|
|
|
|
--- a/lib/pkcs11h-serialization.c
|
|
|
|
|
+++ b/lib/pkcs11h-serialization.c
|
|
|
|
|
@@ -61,29 +61,127 @@
|
|
|
|
|
@@ -60,6 +60,26 @@
|
|
|
|
|
|
|
|
|
|
#if defined(ENABLE_PKCS11H_TOKEN) || defined(ENABLE_PKCS11H_CERTIFICATE)
|
|
|
|
|
|
|
|
|
@ -55,154 +100,18 @@ index ad275f8..1d077e4 100644
|
|
|
|
|
+ token_field ("serial", serialNumber ),
|
|
|
|
|
+ { NULL },
|
|
|
|
|
+};
|
|
|
|
|
+
|
|
|
|
|
+#define P11_URL_VERBATIM "abcdefghijklmnopqrstuvwxyz" \
|
|
|
|
|
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \
|
|
|
|
|
+ "0123456789_-."
|
|
|
|
|
+
|
|
|
|
|
+static
|
|
|
|
|
+int
|
|
|
|
|
+__token_attr_escape(char *uri, char *attr, size_t attrlen)
|
|
|
|
|
+{
|
|
|
|
|
+ int len = 0, i;
|
|
|
|
|
+
|
|
|
|
|
+ for (i = 0; i < attrlen; i++) {
|
|
|
|
|
+ if ((attr[i] != '\x0') && strchr(P11_URL_VERBATIM, attr[i])) {
|
|
|
|
|
+ if (uri) {
|
|
|
|
|
+ *(uri++) = attr[i];
|
|
|
|
|
+ }
|
|
|
|
|
+ len++;
|
|
|
|
|
+ } else {
|
|
|
|
|
+ if (uri) {
|
|
|
|
|
+ sprintf(uri, "%%%02x", (unsigned char)attr[i]);
|
|
|
|
|
+ uri += 3;
|
|
|
|
|
+ }
|
|
|
|
|
+ len += 3;
|
|
|
|
|
+ }
|
|
|
|
|
+ }
|
|
|
|
|
+ return len;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
+static
|
|
|
|
|
+CK_RV
|
|
|
|
|
+__generate_pkcs11_uri (
|
|
|
|
|
+ OUT char * const sz,
|
|
|
|
|
+ IN OUT size_t *max,
|
|
|
|
|
+ IN const pkcs11h_certificate_id_t certificate_id,
|
|
|
|
|
+ IN const pkcs11h_token_id_t token_id
|
|
|
|
|
+) {
|
|
|
|
|
+ size_t _max;
|
|
|
|
|
+ char *p = sz;
|
|
|
|
|
+ int i;
|
|
|
|
|
+
|
|
|
|
|
+ _PKCS11H_ASSERT (max!=NULL);
|
|
|
|
|
+ _PKCS11H_ASSERT (token_id!=NULL);
|
|
|
|
|
+
|
|
|
|
|
+ _max = strlen(URI_SCHEME);
|
|
|
|
|
+ for (i = 0; __token_fields[i].name; i++) {
|
|
|
|
|
+ char *field = ((char *)token_id) + __token_fields[i].field_ofs;
|
|
|
|
|
+
|
|
|
|
|
+ _max += __token_fields[i].namelen;
|
|
|
|
|
+ _max += __token_attr_escape (NULL, field, strlen(field));
|
|
|
|
|
+ _max++; /* For a semicolon or trailing NUL */
|
|
|
|
|
+ }
|
|
|
|
|
+ if (certificate_id) {
|
|
|
|
|
+ _max += strlen (";id=");
|
|
|
|
|
+ _max += __token_attr_escape (NULL,
|
|
|
|
|
+ (char *)certificate_id->attrCKA_ID,
|
|
|
|
|
+ certificate_id->attrCKA_ID_size);
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ if (!sz) {
|
|
|
|
|
+ *max = _max;
|
|
|
|
|
+ return CKR_OK;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ if (sz && *max < _max)
|
|
|
|
|
+ return CKR_ATTRIBUTE_VALUE_INVALID;
|
|
|
|
|
+
|
|
|
|
|
+ p += sprintf(p, URI_SCHEME);
|
|
|
|
|
+ for (i = 0; __token_fields[i].name; i++) {
|
|
|
|
|
+ char *field = ((char *)token_id) + __token_fields[i].field_ofs;
|
|
|
|
|
+
|
|
|
|
|
+ p += sprintf (p, "%s", __token_fields[i].name);
|
|
|
|
|
+ p += __token_attr_escape (p, field, strlen(field));
|
|
|
|
|
+ *(p++) = ';';
|
|
|
|
|
+ }
|
|
|
|
|
+ if (certificate_id) {
|
|
|
|
|
+ p += sprintf (p, "id=");
|
|
|
|
|
+ p += __token_attr_escape (p,
|
|
|
|
|
+ (char *)certificate_id->attrCKA_ID,
|
|
|
|
|
+ certificate_id->attrCKA_ID_size);
|
|
|
|
|
+ } else {
|
|
|
|
|
+ /* Remove the unneeded trailing semicolon */
|
|
|
|
|
+ p--;
|
|
|
|
|
+ }
|
|
|
|
|
+ *(p++) = 0;
|
|
|
|
|
+
|
|
|
|
|
+ *max = _max;
|
|
|
|
|
+
|
|
|
|
|
+ return CKR_OK;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
CK_RV
|
|
|
|
|
pkcs11h_token_serializeTokenId (
|
|
|
|
|
OUT char * const sz,
|
|
|
|
|
IN OUT size_t *max,
|
|
|
|
|
IN const pkcs11h_token_id_t token_id
|
|
|
|
|
) {
|
|
|
|
|
- const char *sources[5];
|
|
|
|
|
CK_RV rv = CKR_FUNCTION_FAILED;
|
|
|
|
|
- size_t n;
|
|
|
|
|
- int e;
|
|
|
|
|
|
|
|
|
|
/*_PKCS11H_ASSERT (sz!=NULL); Not required*/
|
|
|
|
|
_PKCS11H_ASSERT (max!=NULL);
|
|
|
|
|
_PKCS11H_ASSERT (token_id!=NULL);
|
|
|
|
|
|
|
|
|
|
- { /* Must be after assert */
|
|
|
|
|
- sources[0] = token_id->manufacturerID;
|
|
|
|
|
- sources[1] = token_id->model;
|
|
|
|
|
- sources[2] = token_id->serialNumber;
|
|
|
|
|
- sources[3] = token_id->label;
|
|
|
|
|
- sources[4] = NULL;
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
_PKCS11H_DEBUG (
|
|
|
|
|
PKCS11H_LOG_DEBUG2,
|
|
|
|
|
"PKCS#11: pkcs11h_token_serializeTokenId entry sz=%p, *max="P_Z", token_id=%p",
|
|
|
|
|
@@ -92,67 +190,161 @@ pkcs11h_token_serializeTokenId (
|
|
|
|
|
(void *)token_id
|
|
|
|
|
);
|
|
|
|
|
@@ -149,9 +169,147 @@ pkcs11h_token_serializeTokenId (
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
- n = 0;
|
|
|
|
|
- for (e=0;sources[e] != NULL;e++) {
|
|
|
|
|
- size_t t;
|
|
|
|
|
- if (
|
|
|
|
|
- (rv = _pkcs11h_util_escapeString (
|
|
|
|
|
- NULL,
|
|
|
|
|
- sources[e],
|
|
|
|
|
- &t,
|
|
|
|
|
- __PKCS11H_SERIALIZE_INVALID_CHARS
|
|
|
|
|
- )) != CKR_OK
|
|
|
|
|
- ) {
|
|
|
|
|
- goto cleanup;
|
|
|
|
|
+ rv = __generate_pkcs11_uri(sz, max, NULL, token_id);
|
|
|
|
|
+
|
|
|
|
|
+ _PKCS11H_DEBUG (
|
|
|
|
|
+ PKCS11H_LOG_DEBUG2,
|
|
|
|
|
+ "PKCS#11: pkcs11h_token_serializeTokenId return rv=%lu-'%s', *max="P_Z", sz='%s'",
|
|
|
|
|
+ rv,
|
|
|
|
|
+ pkcs11h_getMessage (rv),
|
|
|
|
|
+ *max,
|
|
|
|
|
+ sz
|
|
|
|
|
+ );
|
|
|
|
|
+
|
|
|
|
|
+ return rv;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
+static
|
|
|
|
|
+CK_RV
|
|
|
|
|
CK_RV
|
|
|
|
|
-pkcs11h_token_deserializeTokenId (
|
|
|
|
|
- OUT pkcs11h_token_id_t *p_token_id,
|
|
|
|
|
+__parse_token_uri_attr (
|
|
|
|
|
+ const char *uri,
|
|
|
|
|
+ size_t urilen,
|
|
|
|
@ -232,19 +141,14 @@ index ad275f8..1d077e4 100644
|
|
|
|
|
+ urilen -= 2;
|
|
|
|
|
+ } else {
|
|
|
|
|
+ *tokstr = *uri;
|
|
|
|
|
}
|
|
|
|
|
- n+=t;
|
|
|
|
|
+ }
|
|
|
|
|
+ tokstr++;
|
|
|
|
|
+ uri++;
|
|
|
|
|
+ toklen--;
|
|
|
|
|
+ urilen--;
|
|
|
|
|
+ tokstr[0] = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
- if (sz != NULL) {
|
|
|
|
|
- if (*max < n) {
|
|
|
|
|
- rv = CKR_ATTRIBUTE_VALUE_INVALID;
|
|
|
|
|
- goto cleanup;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ if (urilen) {
|
|
|
|
|
+ rv = CKR_ATTRIBUTE_VALUE_INVALID;
|
|
|
|
|
+ } else if (parsed_len) {
|
|
|
|
@ -295,7 +199,7 @@ index ad275f8..1d077e4 100644
|
|
|
|
|
+
|
|
|
|
|
+ goto matched;
|
|
|
|
|
+ }
|
|
|
|
|
}
|
|
|
|
|
+ }
|
|
|
|
|
+ if (certificate_id && !strncmp(p, "id=", 3)) {
|
|
|
|
|
+ p += 3;
|
|
|
|
|
+
|
|
|
|
@ -304,45 +208,28 @@ index ad275f8..1d077e4 100644
|
|
|
|
|
+ if (rv != CKR_OK) {
|
|
|
|
|
+ goto cleanup;
|
|
|
|
|
+ }
|
|
|
|
|
|
|
|
|
|
- n = 0;
|
|
|
|
|
- for (e=0;sources[e] != NULL;e++) {
|
|
|
|
|
- size_t t = *max-n;
|
|
|
|
|
- if (
|
|
|
|
|
- (rv = _pkcs11h_util_escapeString (
|
|
|
|
|
- sz+n,
|
|
|
|
|
- sources[e],
|
|
|
|
|
- &t,
|
|
|
|
|
- __PKCS11H_SERIALIZE_INVALID_CHARS
|
|
|
|
|
- )) != CKR_OK
|
|
|
|
|
- ) {
|
|
|
|
|
+
|
|
|
|
|
+ rv = __parse_token_uri_attr (p, end - p,
|
|
|
|
|
+ (char *)certificate_id->attrCKA_ID,
|
|
|
|
|
+ end - p + 1,
|
|
|
|
|
+ &certificate_id->attrCKA_ID_size);
|
|
|
|
|
+ if (rv != CKR_OK) {
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
- n+=t;
|
|
|
|
|
- sz[n-1] = '/';
|
|
|
|
|
+ goto cleanup;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ goto matched;
|
|
|
|
|
}
|
|
|
|
|
- sz[n-1] = '\x0';
|
|
|
|
|
- }
|
|
|
|
|
|
|
|
|
|
- *max = n;
|
|
|
|
|
- rv = CKR_OK;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ /* We don't parse object= because the match code doesn't support
|
|
|
|
|
+ matching by label. */
|
|
|
|
|
+
|
|
|
|
|
+ /* Failed to parse PKCS#11 URI element. */
|
|
|
|
|
+ return CKR_ATTRIBUTE_VALUE_INVALID;
|
|
|
|
|
|
|
|
|
|
+
|
|
|
|
|
+ matched:
|
|
|
|
|
+ ;
|
|
|
|
|
+ }
|
|
|
|
|
cleanup:
|
|
|
|
|
+cleanup:
|
|
|
|
|
+ /* The matching code doesn't support support partial matches; it needs
|
|
|
|
|
+ * *all* of manufacturer, model, serial and label attributes to be
|
|
|
|
|
+ * defined. So reject partial URIs early instead of letting it do the
|
|
|
|
@ -351,33 +238,23 @@ index ad275f8..1d077e4 100644
|
|
|
|
|
+ !token_id->manufacturerID[0] || !token_id->serialNumber[0]) {
|
|
|
|
|
+ return CKR_ATTRIBUTE_VALUE_INVALID;
|
|
|
|
|
+ }
|
|
|
|
|
|
|
|
|
|
- _PKCS11H_DEBUG (
|
|
|
|
|
- PKCS11H_LOG_DEBUG2,
|
|
|
|
|
- "PKCS#11: pkcs11h_token_serializeTokenId return rv=%lu-'%s', *max="P_Z", sz='%s'",
|
|
|
|
|
- rv,
|
|
|
|
|
- pkcs11h_getMessage (rv),
|
|
|
|
|
- *max,
|
|
|
|
|
- sz
|
|
|
|
|
- );
|
|
|
|
|
+
|
|
|
|
|
+ /* For a certificate ID we need CKA_ID */
|
|
|
|
|
+ if (certificate_id && !certificate_id->attrCKA_ID_size) {
|
|
|
|
|
+ return CKR_ATTRIBUTE_VALUE_INVALID;
|
|
|
|
|
+ }
|
|
|
|
|
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
+
|
|
|
|
|
+ return rv;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
+static
|
|
|
|
|
CK_RV
|
|
|
|
|
-pkcs11h_token_deserializeTokenId (
|
|
|
|
|
- OUT pkcs11h_token_id_t *p_token_id,
|
|
|
|
|
+CK_RV
|
|
|
|
|
+__pkcs11h_token_legacy_deserializeTokenId (
|
|
|
|
|
+ OUT pkcs11h_token_id_t token_id,
|
|
|
|
|
IN const char * const sz
|
|
|
|
|
) {
|
|
|
|
|
#define __PKCS11H_TARGETS_NUMBER 4
|
|
|
|
|
@@ -161,24 +353,11 @@ pkcs11h_token_deserializeTokenId (
|
|
|
|
|
@@ -160,24 +318,11 @@ pkcs11h_token_deserializeTokenId (
|
|
|
|
|
size_t s;
|
|
|
|
|
} targets[__PKCS11H_TARGETS_NUMBER];
|
|
|
|
|
|
|
|
|
@ -402,7 +279,7 @@ index ad275f8..1d077e4 100644
|
|
|
|
|
if (
|
|
|
|
|
(rv = _pkcs11h_mem_strdup (
|
|
|
|
|
(void *)&_sz,
|
|
|
|
|
@@ -190,10 +369,6 @@ pkcs11h_token_deserializeTokenId (
|
|
|
|
|
@@ -189,10 +334,6 @@ pkcs11h_token_deserializeTokenId (
|
|
|
|
|
|
|
|
|
|
p1 = _sz;
|
|
|
|
|
|
|
|
|
@ -413,7 +290,7 @@ index ad275f8..1d077e4 100644
|
|
|
|
|
targets[0].p = token_id->manufacturerID;
|
|
|
|
|
targets[0].s = sizeof (token_id->manufacturerID);
|
|
|
|
|
targets[1].p = token_id->model;
|
|
|
|
|
@@ -252,6 +427,51 @@ pkcs11h_token_deserializeTokenId (
|
|
|
|
|
@@ -251,6 +392,51 @@ pkcs11h_token_deserializeTokenId (
|
|
|
|
|
p1 = p2+1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -465,7 +342,7 @@ index ad275f8..1d077e4 100644
|
|
|
|
|
strncpy (
|
|
|
|
|
token_id->display,
|
|
|
|
|
token_id->label,
|
|
|
|
|
@@ -264,11 +484,6 @@ pkcs11h_token_deserializeTokenId (
|
|
|
|
|
@@ -263,11 +449,6 @@ pkcs11h_token_deserializeTokenId (
|
|
|
|
|
rv = CKR_OK;
|
|
|
|
|
|
|
|
|
|
cleanup:
|
|
|
|
@ -477,7 +354,7 @@ index ad275f8..1d077e4 100644
|
|
|
|
|
if (token_id != NULL) {
|
|
|
|
|
pkcs11h_token_freeTokenId (token_id);
|
|
|
|
|
}
|
|
|
|
|
@@ -281,7 +496,6 @@ cleanup:
|
|
|
|
|
@@ -280,7 +461,6 @@ pkcs11h_token_deserializeTokenId (
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
return rv;
|
|
|
|
@ -485,77 +362,24 @@ index ad275f8..1d077e4 100644
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif /* ENABLE_PKCS11H_TOKEN || ENABLE_PKCS11H_CERTIFICATE */
|
|
|
|
|
@@ -295,9 +509,6 @@ pkcs11h_certificate_serializeCertificateId (
|
|
|
|
|
IN const pkcs11h_certificate_id_t certificate_id
|
|
|
|
|
@@ -359,29 +539,17 @@ pkcs11h_certificate_serializeCertificateId (
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
+static
|
|
|
|
|
CK_RV
|
|
|
|
|
-pkcs11h_certificate_deserializeCertificateId (
|
|
|
|
|
- OUT pkcs11h_certificate_id_t * const p_certificate_id,
|
|
|
|
|
+__pkcs11h_certificate_legacy_deserializeCertificateId (
|
|
|
|
|
+ OUT pkcs11h_certificate_id_t certificate_id,
|
|
|
|
|
IN const char * const sz
|
|
|
|
|
) {
|
|
|
|
|
- pkcs11h_certificate_id_t certificate_id = NULL;
|
|
|
|
|
CK_RV rv = CKR_FUNCTION_FAILED;
|
|
|
|
|
- size_t saved_max = 0;
|
|
|
|
|
- size_t n = 0;
|
|
|
|
|
- size_t _max = 0;
|
|
|
|
|
char *p = NULL;
|
|
|
|
|
char *_sz = NULL;
|
|
|
|
|
size_t id_hex_len;
|
|
|
|
|
|
|
|
|
|
/*_PKCS11H_ASSERT (sz!=NULL); Not required */
|
|
|
|
|
_PKCS11H_ASSERT (max!=NULL);
|
|
|
|
|
@@ -311,42 +522,7 @@ pkcs11h_certificate_serializeCertificateId (
|
|
|
|
|
(void *)certificate_id
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
- if (sz != NULL) {
|
|
|
|
|
- saved_max = n = *max;
|
|
|
|
|
- }
|
|
|
|
|
- *max = 0;
|
|
|
|
|
-
|
|
|
|
|
- if (
|
|
|
|
|
- (rv = pkcs11h_token_serializeTokenId (
|
|
|
|
|
- sz,
|
|
|
|
|
- &n,
|
|
|
|
|
- certificate_id->token_id
|
|
|
|
|
- )) != CKR_OK
|
|
|
|
|
- ) {
|
|
|
|
|
- goto cleanup;
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- _max = n + certificate_id->attrCKA_ID_size*2 + 1;
|
|
|
|
|
-
|
|
|
|
|
- if (sz != NULL) {
|
|
|
|
|
- if (saved_max < _max) {
|
|
|
|
|
- rv = CKR_ATTRIBUTE_VALUE_INVALID;
|
|
|
|
|
- goto cleanup;
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- sz[n-1] = '/';
|
|
|
|
|
- rv = _pkcs11h_util_binaryToHex (
|
|
|
|
|
- sz+n,
|
|
|
|
|
- saved_max-n,
|
|
|
|
|
- certificate_id->attrCKA_ID,
|
|
|
|
|
- certificate_id->attrCKA_ID_size
|
|
|
|
|
- );
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- *max = _max;
|
|
|
|
|
- rv = CKR_OK;
|
|
|
|
|
-
|
|
|
|
|
-cleanup:
|
|
|
|
|
+ rv = __generate_pkcs11_uri(sz, max, certificate_id, certificate_id->token_id);
|
|
|
|
|
|
|
|
|
|
_PKCS11H_DEBUG (
|
|
|
|
|
PKCS11H_LOG_DEBUG2,
|
|
|
|
|
@@ -360,27 +536,16 @@ cleanup:
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
+static
|
|
|
|
|
CK_RV
|
|
|
|
|
-pkcs11h_certificate_deserializeCertificateId (
|
|
|
|
|
- OUT pkcs11h_certificate_id_t * const p_certificate_id,
|
|
|
|
|
+__pkcs11h_certificate_legacy_deserializeCertificateId (
|
|
|
|
|
+ OUT pkcs11h_certificate_id_t certificate_id,
|
|
|
|
|
IN const char * const sz
|
|
|
|
|
) {
|
|
|
|
|
- pkcs11h_certificate_id_t certificate_id = NULL;
|
|
|
|
|
CK_RV rv = CKR_FUNCTION_FAILED;
|
|
|
|
|
char *p = NULL;
|
|
|
|
|
char *_sz = NULL;
|
|
|
|
|
-
|
|
|
|
|
- _PKCS11H_ASSERT (p_certificate_id!=NULL);
|
|
|
|
|
- _PKCS11H_ASSERT (sz!=NULL);
|
|
|
|
|
-
|
|
|
|
@ -567,11 +391,11 @@ index ad275f8..1d077e4 100644
|
|
|
|
|
- (void *)p_certificate_id,
|
|
|
|
|
- sz
|
|
|
|
|
- );
|
|
|
|
|
+ size_t id_hex_len;
|
|
|
|
|
|
|
|
|
|
-
|
|
|
|
|
if (
|
|
|
|
|
(rv = _pkcs11h_mem_strdup (
|
|
|
|
|
@@ -393,10 +558,6 @@ pkcs11h_certificate_deserializeCertificateId (
|
|
|
|
|
(void *)&_sz,
|
|
|
|
|
@@ -393,10 +561,6 @@ pkcs11h_certificate_deserializeCertificateId (
|
|
|
|
|
|
|
|
|
|
p = _sz;
|
|
|
|
|
|
|
|
|
@ -582,21 +406,7 @@ index ad275f8..1d077e4 100644
|
|
|
|
|
if ((p = strrchr (_sz, '/')) == NULL) {
|
|
|
|
|
rv = CKR_ATTRIBUTE_VALUE_INVALID;
|
|
|
|
|
goto cleanup;
|
|
|
|
|
@@ -414,7 +575,12 @@ pkcs11h_certificate_deserializeCertificateId (
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
- certificate_id->attrCKA_ID_size = strlen (p)/2;
|
|
|
|
|
+ id_hex_len = strlen (p);
|
|
|
|
|
+ if (id_hex_len & 1) {
|
|
|
|
|
+ rv = CKR_ATTRIBUTE_VALUE_INVALID;
|
|
|
|
|
+ goto cleanup;
|
|
|
|
|
+ }
|
|
|
|
|
+ certificate_id->attrCKA_ID_size = id_hex_len/2;
|
|
|
|
|
|
|
|
|
|
if (
|
|
|
|
|
(rv = _pkcs11h_mem_malloc (
|
|
|
|
|
@@ -430,21 +596,64 @@ pkcs11h_certificate_deserializeCertificateId (
|
|
|
|
|
@@ -435,21 +599,64 @@ pkcs11h_certificate_deserializeCertificateId (
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -666,21 +476,244 @@ index ad275f8..1d077e4 100644
|
|
|
|
|
_PKCS11H_DEBUG (
|
|
|
|
|
PKCS11H_LOG_DEBUG2,
|
|
|
|
|
"PKCS#11: pkcs11h_certificate_deserializeCertificateId return rv=%lu-'%s'",
|
|
|
|
|
diff --git a/lib/pkcs11h-util.c b/lib/pkcs11h-util.c
|
|
|
|
|
index 0743fd1..f90e443 100644
|
|
|
|
|
--- a/lib/pkcs11h-util.c
|
|
|
|
|
+++ b/lib/pkcs11h-util.c
|
|
|
|
|
@@ -110,12 +110,7 @@ _pkcs11h_util_hexToBinary (
|
|
|
|
|
p++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
- if (*p != '\x0') {
|
|
|
|
|
- return CKR_ATTRIBUTE_VALUE_INVALID;
|
|
|
|
|
From 90590b02085edc3830bdfe0942a46c4e7bf3f1ab Mon Sep 17 00:00:00 2001
|
|
|
|
|
From: David Woodhouse <David.Woodhouse@intel.com>
|
|
|
|
|
Date: Thu, 30 Apr 2015 14:58:24 +0100
|
|
|
|
|
Subject: [PATCH 3/3] Serialize to RFC7512-compliant PKCS#11 URIs
|
|
|
|
|
|
|
|
|
|
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
|
|
|
|
|
---
|
|
|
|
|
lib/pkcs11h-serialization.c | 186 ++++++++++++++++++------------------
|
|
|
|
|
1 file changed, 91 insertions(+), 95 deletions(-)
|
|
|
|
|
|
|
|
|
|
diff --git a/lib/pkcs11h-serialization.c b/lib/pkcs11h-serialization.c
|
|
|
|
|
index 390ac0e..0ea1861 100644
|
|
|
|
|
--- a/lib/pkcs11h-serialization.c
|
|
|
|
|
+++ b/lib/pkcs11h-serialization.c
|
|
|
|
|
@@ -80,29 +80,107 @@ static struct {
|
|
|
|
|
{ NULL },
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
+#define P11_URL_VERBATIM "abcdefghijklmnopqrstuvwxyz" \
|
|
|
|
|
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \
|
|
|
|
|
+ "0123456789_-."
|
|
|
|
|
+
|
|
|
|
|
+static
|
|
|
|
|
+int
|
|
|
|
|
+__token_attr_escape(char *uri, char *attr, size_t attrlen)
|
|
|
|
|
+{
|
|
|
|
|
+ int len = 0, i;
|
|
|
|
|
+
|
|
|
|
|
+ for (i = 0; i < attrlen; i++) {
|
|
|
|
|
+ if ((attr[i] != '\x0') && strchr(P11_URL_VERBATIM, attr[i])) {
|
|
|
|
|
+ if (uri) {
|
|
|
|
|
+ *(uri++) = attr[i];
|
|
|
|
|
+ }
|
|
|
|
|
+ len++;
|
|
|
|
|
+ } else {
|
|
|
|
|
+ if (uri) {
|
|
|
|
|
+ sprintf(uri, "%%%02x", (unsigned char)attr[i]);
|
|
|
|
|
+ uri += 3;
|
|
|
|
|
+ }
|
|
|
|
|
+ len += 3;
|
|
|
|
|
+ }
|
|
|
|
|
+ }
|
|
|
|
|
+ return len;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
+static
|
|
|
|
|
+CK_RV
|
|
|
|
|
+__generate_pkcs11_uri (
|
|
|
|
|
+ OUT char * const sz,
|
|
|
|
|
+ IN OUT size_t *max,
|
|
|
|
|
+ IN const pkcs11h_certificate_id_t certificate_id,
|
|
|
|
|
+ IN const pkcs11h_token_id_t token_id
|
|
|
|
|
+) {
|
|
|
|
|
+ size_t _max;
|
|
|
|
|
+ char *p = sz;
|
|
|
|
|
+ int i;
|
|
|
|
|
+
|
|
|
|
|
+ _PKCS11H_ASSERT (max!=NULL);
|
|
|
|
|
+ _PKCS11H_ASSERT (token_id!=NULL);
|
|
|
|
|
+
|
|
|
|
|
+ _max = strlen(URI_SCHEME);
|
|
|
|
|
+ for (i = 0; __token_fields[i].name; i++) {
|
|
|
|
|
+ char *field = ((char *)token_id) + __token_fields[i].field_ofs;
|
|
|
|
|
+
|
|
|
|
|
+ _max += __token_fields[i].namelen;
|
|
|
|
|
+ _max += __token_attr_escape (NULL, field, strlen(field));
|
|
|
|
|
+ _max++; /* For a semicolon or trailing NUL */
|
|
|
|
|
+ }
|
|
|
|
|
+ if (certificate_id) {
|
|
|
|
|
+ _max += strlen (";id=");
|
|
|
|
|
+ _max += __token_attr_escape (NULL,
|
|
|
|
|
+ (char *)certificate_id->attrCKA_ID,
|
|
|
|
|
+ certificate_id->attrCKA_ID_size);
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ if (!sz) {
|
|
|
|
|
+ *max = _max;
|
|
|
|
|
+ return CKR_OK;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ if (sz && *max < _max)
|
|
|
|
|
+ return CKR_ATTRIBUTE_VALUE_INVALID;
|
|
|
|
|
+
|
|
|
|
|
+ p += sprintf(p, URI_SCHEME);
|
|
|
|
|
+ for (i = 0; __token_fields[i].name; i++) {
|
|
|
|
|
+ char *field = ((char *)token_id) + __token_fields[i].field_ofs;
|
|
|
|
|
+
|
|
|
|
|
+ p += sprintf (p, "%s", __token_fields[i].name);
|
|
|
|
|
+ p += __token_attr_escape (p, field, strlen(field));
|
|
|
|
|
+ *(p++) = ';';
|
|
|
|
|
+ }
|
|
|
|
|
+ if (certificate_id) {
|
|
|
|
|
+ p += sprintf (p, "id=");
|
|
|
|
|
+ p += __token_attr_escape (p,
|
|
|
|
|
+ (char *)certificate_id->attrCKA_ID,
|
|
|
|
|
+ certificate_id->attrCKA_ID_size);
|
|
|
|
|
+ } else {
|
|
|
|
|
+ /* Remove the unneeded trailing semicolon */
|
|
|
|
|
+ p--;
|
|
|
|
|
+ }
|
|
|
|
|
+ *(p++) = 0;
|
|
|
|
|
+
|
|
|
|
|
+ *max = _max;
|
|
|
|
|
+
|
|
|
|
|
+ return CKR_OK;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
CK_RV
|
|
|
|
|
pkcs11h_token_serializeTokenId (
|
|
|
|
|
OUT char * const sz,
|
|
|
|
|
IN OUT size_t *max,
|
|
|
|
|
IN const pkcs11h_token_id_t token_id
|
|
|
|
|
) {
|
|
|
|
|
- const char *sources[5];
|
|
|
|
|
CK_RV rv = CKR_FUNCTION_FAILED;
|
|
|
|
|
- size_t n;
|
|
|
|
|
- int e;
|
|
|
|
|
|
|
|
|
|
/*_PKCS11H_ASSERT (sz!=NULL); Not required*/
|
|
|
|
|
_PKCS11H_ASSERT (max!=NULL);
|
|
|
|
|
_PKCS11H_ASSERT (token_id!=NULL);
|
|
|
|
|
|
|
|
|
|
- { /* Must be after assert */
|
|
|
|
|
- sources[0] = token_id->manufacturerID;
|
|
|
|
|
- sources[1] = token_id->model;
|
|
|
|
|
- sources[2] = token_id->serialNumber;
|
|
|
|
|
- sources[3] = token_id->label;
|
|
|
|
|
- sources[4] = NULL;
|
|
|
|
|
- }
|
|
|
|
|
- else {
|
|
|
|
|
- return CKR_OK;
|
|
|
|
|
-
|
|
|
|
|
_PKCS11H_DEBUG (
|
|
|
|
|
PKCS11H_LOG_DEBUG2,
|
|
|
|
|
"PKCS#11: pkcs11h_token_serializeTokenId entry sz=%p, *max="P_Z", token_id=%p",
|
|
|
|
|
@@ -111,51 +189,7 @@ pkcs11h_token_serializeTokenId (
|
|
|
|
|
(void *)token_id
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
- n = 0;
|
|
|
|
|
- for (e=0;sources[e] != NULL;e++) {
|
|
|
|
|
- size_t t;
|
|
|
|
|
- if (
|
|
|
|
|
- (rv = _pkcs11h_util_escapeString (
|
|
|
|
|
- NULL,
|
|
|
|
|
- sources[e],
|
|
|
|
|
- &t,
|
|
|
|
|
- __PKCS11H_SERIALIZE_INVALID_CHARS
|
|
|
|
|
- )) != CKR_OK
|
|
|
|
|
- ) {
|
|
|
|
|
- goto cleanup;
|
|
|
|
|
- }
|
|
|
|
|
+ return CKR_OK;
|
|
|
|
|
}
|
|
|
|
|
- n+=t;
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- if (sz != NULL) {
|
|
|
|
|
- if (*max < n) {
|
|
|
|
|
- rv = CKR_ATTRIBUTE_VALUE_INVALID;
|
|
|
|
|
- goto cleanup;
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- n = 0;
|
|
|
|
|
- for (e=0;sources[e] != NULL;e++) {
|
|
|
|
|
- size_t t = *max-n;
|
|
|
|
|
- if (
|
|
|
|
|
- (rv = _pkcs11h_util_escapeString (
|
|
|
|
|
- sz+n,
|
|
|
|
|
- sources[e],
|
|
|
|
|
- &t,
|
|
|
|
|
- __PKCS11H_SERIALIZE_INVALID_CHARS
|
|
|
|
|
- )) != CKR_OK
|
|
|
|
|
- ) {
|
|
|
|
|
- goto cleanup;
|
|
|
|
|
- }
|
|
|
|
|
- n+=t;
|
|
|
|
|
- sz[n-1] = '/';
|
|
|
|
|
- }
|
|
|
|
|
- sz[n-1] = '\x0';
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- *max = n;
|
|
|
|
|
- rv = CKR_OK;
|
|
|
|
|
-
|
|
|
|
|
-cleanup:
|
|
|
|
|
+ rv = __generate_pkcs11_uri(sz, max, NULL, token_id);
|
|
|
|
|
|
|
|
|
|
CK_RV
|
|
|
|
|
_PKCS11H_DEBUG (
|
|
|
|
|
PKCS11H_LOG_DEBUG2,
|
|
|
|
|
@@ -474,9 +508,6 @@ pkcs11h_certificate_serializeCertificateId (
|
|
|
|
|
IN const pkcs11h_certificate_id_t certificate_id
|
|
|
|
|
) {
|
|
|
|
|
CK_RV rv = CKR_FUNCTION_FAILED;
|
|
|
|
|
- size_t saved_max = 0;
|
|
|
|
|
- size_t n = 0;
|
|
|
|
|
- size_t _max = 0;
|
|
|
|
|
|
|
|
|
|
/*_PKCS11H_ASSERT (sz!=NULL); Not required */
|
|
|
|
|
_PKCS11H_ASSERT (max!=NULL);
|
|
|
|
|
@@ -490,42 +521,7 @@ pkcs11h_certificate_serializeCertificateId (
|
|
|
|
|
(void *)certificate_id
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
- if (sz != NULL) {
|
|
|
|
|
- saved_max = n = *max;
|
|
|
|
|
- }
|
|
|
|
|
- *max = 0;
|
|
|
|
|
-
|
|
|
|
|
- if (
|
|
|
|
|
- (rv = pkcs11h_token_serializeTokenId (
|
|
|
|
|
- sz,
|
|
|
|
|
- &n,
|
|
|
|
|
- certificate_id->token_id
|
|
|
|
|
- )) != CKR_OK
|
|
|
|
|
- ) {
|
|
|
|
|
- goto cleanup;
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- _max = n + certificate_id->attrCKA_ID_size*2 + 1;
|
|
|
|
|
-
|
|
|
|
|
- if (sz != NULL) {
|
|
|
|
|
- if (saved_max < _max) {
|
|
|
|
|
- rv = CKR_ATTRIBUTE_VALUE_INVALID;
|
|
|
|
|
- goto cleanup;
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- sz[n-1] = '/';
|
|
|
|
|
- rv = _pkcs11h_util_binaryToHex (
|
|
|
|
|
- sz+n,
|
|
|
|
|
- saved_max-n,
|
|
|
|
|
- certificate_id->attrCKA_ID,
|
|
|
|
|
- certificate_id->attrCKA_ID_size
|
|
|
|
|
- );
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- *max = _max;
|
|
|
|
|
- rv = CKR_OK;
|
|
|
|
|
-
|
|
|
|
|
-cleanup:
|
|
|
|
|
+ rv = __generate_pkcs11_uri(sz, max, certificate_id, certificate_id->token_id);
|
|
|
|
|
|
|
|
|
|
_PKCS11H_DEBUG (
|
|
|
|
|
PKCS11H_LOG_DEBUG2,
|
|
|
|
|