author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-06-22 15:27:05 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-06-22 16:41:33 +0200 |
commit | eff2e48de7066b0647fb45963bbb085634a12cb8 (patch) | |
tree | 45f12aa20cf87d2be2594ed1a01f35eafd8381dd | |
parent | 2bdca0326001d1223cf4bb3ffc41ba8db0c86df3 (diff) | |
download | gnutls-eff2e48de7066b0647fb45963bbb085634a12cb8.tar.gz |
pkcs11: correctly encode the serial number when searching for certificate
In gnutls_pkcs11_crt_is_known() corrected the encoding of the
serial number to TLV DER from LV DER. This is the encoding we
use when storing that number.
-rw-r--r-- | lib/pkcs11.c | 25 |
1 files changed, 9 insertions, 16 deletions
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index d75f75e8c5..d0dc001a0d 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -3367,8 +3367,6 @@ find_cert_cb(struct pkcs11_session_info *sinfo,
  id.data = a[1].value;
  id.size = a[1].value_len;
-
- found = 1;
  break;
  } else {
@@ -3553,10 +3551,8 @@ int gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
  {
  int ret;
  struct find_cert_st priv;
- uint8_t serial[ASN1_MAX_TL_SIZE+64];
+ uint8_t serial[128];
  size_t serial_size;
- uint8_t tag[ASN1_MAX_TL_SIZE];
- unsigned int tag_size;
  struct p11_kit_uri *info = NULL;
  PKCS11_CHECK_INIT_RET(0);
@@ -3574,29 +3570,22 @@ int gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
  }
  /* Attempt searching using the issuer DN + serial number */
- serial_size = sizeof(serial) - sizeof(tag);
+ serial_size = sizeof(serial);
  ret =
- gnutls_x509_crt_get_serial(cert, serial+sizeof(tag), &serial_size);
+ gnutls_x509_crt_get_serial(cert, serial, &serial_size);
  if (ret < 0) {
  gnutls_assert();
  ret = 0;
  goto cleanup;
  }
- /* PKCS#11 requires a DER encoded serial, wtf. $@(*$@ */
- tag_size = sizeof(tag);
- ret = asn1_encode_simple_der(ASN1_ETYPE_INTEGER, serial+sizeof(tag), serial_size,
- tag, &tag_size);
- if (ret != ASN1_SUCCESS) {
+ ret = _gnutls_x509_ext_gen_number(serial, serial_size, &priv.serial);
+ if (ret < 0) {
  gnutls_assert();
  ret = 0;
  goto cleanup;
  }
- memcpy(serial+sizeof(tag)-tag_size, tag, tag_size);
-
- priv.serial.data = serial+sizeof(tag)-tag_size; priv.serial.size = serial_size + tag_size;
  priv.crt = cert;
  priv.issuer_dn.data = cert->raw_issuer_dn.data;
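Review bot: Dropping `found = 1;` before the `break` means a CKA_ID match no longer records that a certificate was located, so any later reader of `found` in find_cert_cb (for instance a check that decides whether to try the next search strategy) would now take the not-found path for a matching token object. find_cert_cb begins and ends outside this hunk, so whether `found` is still read, or is set elsewhere, cannot be confirmed from these lines. If no reader remains the variable itself should go; if one does, this removal looks like a regression worth a test against a token that actually holds the certificate.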
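Review bot: The `cleanup` label is now reached from the `gnutls_x509_crt_get_serial` failure branch before `_gnutls_x509_ext_gen_number` has stored anything in `priv.serial`, and the hunk at -3636 frees `priv.serial.data` unconditionally there (the added `gnutls_free` calls show the new helper evidently heap-allocates it), so this is only safe if `priv` is zeroed earlier in gnutls_pkcs11_crt_is_known, outside the visible lines; if it is not, add `priv.serial.data = NULL;` before the first `goto cleanup`, or `memset(&priv, 0, sizeof(priv));` after the declarations. The removed comment was the only explanation of why the serial is DER-wrapped at all; a replacement such as `/* CKA_SERIAL_NUMBER holds the DER INTEGER (tag+length+value), not the bare value */` above the `_gnutls_x509_ext_gen_number` call would keep that for the next reader. Separately, a serial that does not fit the new 128-byte buffer makes `gnutls_x509_crt_get_serial` fail and the function then reports the certificate as unknown instead of falling back to the DN-only search; a named constant for the size and a comment saying that limit is intended would make it explicit. gnutls_pkcs11_crt_is_known continues outside this hunk.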
@@ -3613,8 +3602,10 @@ int gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
  _pkcs11_traverse_tokens(find_cert_cb, &priv, info, NULL, pkcs11_obj_flags_to_int(flags));
  if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ _gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n");
  /* attempt searching with the subject DN only */
  gnutls_assert();
+ gnutls_free(priv.serial.data);
  memset(&priv, 0, sizeof(priv));
  priv.crt = cert;
  priv.flags = flags;
@@ -3627,6 +3618,7 @@ int gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
  }
  if (ret < 0) {
  gnutls_assert();
+ _gnutls_debug_log("crt_is_known: did not find any cert\n");
  ret = 0;
  goto cleanup;
  }
@@ -3636,6 +3628,7 @@ int gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
  cleanup:
  if (info) p11_kit_uri_free(info);
+ gnutls_free(priv.serial.data);
  return ret;
  }
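Review bot: The new log message `"crt_is_known: did not find cert, using issuer DN + serial, using DN only\n"` reads as if two searches are being started at once; the sentence it wants is `"crt_is_known: did not find cert using issuer DN + serial; retrying with DN only\n"`. The `gnutls_free(priv.serial.data)` placed before the `memset` is the right order, since the memset would otherwise lose the only pointer to the encoded serial, and it also turns the later free at `cleanup` into a free of NULL on this path; a short comment `/* release the DER serial before priv is reset for the DN-only search */` would make that dependency visible to whoever next edits the fallback. gnutls_pkcs11_crt_is_known continues outside this hunk.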