author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-12-23 12:24:35 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-12-23 13:12:02 +0200 |
commit | c5791c82c66393bd8dd458718a6d0b2b526aba35 (patch) | |
tree | b684afdd8a75df8227396c458f7eb1651e9368c3 | |
parent | 7ce1f28d0fd8816323dee4ced4ff93ca87192fe0 (diff) | |
download | gnutls-c5791c82c66393bd8dd458718a6d0b2b526aba35.tar.gz |
Instead of sanitizing URLs, use hints to support incomplete PKCS#11 URIs
-rw-r--r-- | lib/includes/gnutls/pkcs11.h | 3 | ||||
-rw-r--r-- | lib/pkcs11.c | 42 | ||||
-rw-r--r-- | lib/pkcs11_int.h | 8 | ||||
-rw-r--r-- | lib/pkcs11_privkey.c | 4 | ||||
-rw-r--r-- | lib/pkcs11_secret.c | 2 | ||||
-rw-r--r-- | lib/pkcs11_write.c | 14 |
6 files changed, 50 insertions, 23 deletions
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index 10494c497e..ba981ba50a 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -143,7 +143,8 @@ typedef enum gnutls_pkcs11_obj_flags {
 	GNUTLS_PKCS11_OBJ_FLAG_CRT = (1<<18),
 	GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY = (1<<19),
 	GNUTLS_PKCS11_OBJ_FLAG_PUBKEY = (1<<20),
-	GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY = (1<<21),
+	GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY = (1<<21)
+	/* flags 1<<29 and later are reserved - see pkcs11_int.h */
 } gnutls_pkcs11_obj_flags;
 
 #define gnutls_pkcs11_obj_attr_t gnutls_pkcs11_obj_flags
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index b990c64525..a2b497cbb0 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -702,7 +702,7 @@ gnutls_pkcs11_set_token_function(gnutls_pkcs11_token_callback_t fn,
 	_gnutls_token_data = userdata;
 }
 
-int pkcs11_url_to_info(const char *url, struct p11_kit_uri **info)
+int pkcs11_url_to_info(const char *url, struct p11_kit_uri **info, unsigned flags)
 {
 	int allocated = 0;
 	int ret;
@@ -727,6 +727,26 @@ int pkcs11_url_to_info(const char *url, struct p11_kit_uri **info)
 		    GNUTLS_E_MEMORY_ERROR : GNUTLS_E_PARSING_ERROR;
 	}
 
+	/* check for incomplete URIs */
+	if (p11_kit_uri_get_attribute (*info, CKA_CLASS) == NULL) {
+		struct ck_attribute at;
+		ck_object_class_t klass;
+
+		if (flags & GNUTLS_PKCS11_OBJ_FLAG_EXPECT_CERT) {
+			klass = CKO_CERTIFICATE;
+			at.type = CKA_CLASS;
+			at.value = &klass;
+			at.value_len = sizeof (klass);
+			p11_kit_uri_set_attribute (*info, &at);
+		} else if (flags & GNUTLS_PKCS11_OBJ_FLAG_EXPECT_PRIVKEY) {
+			klass = CKO_PRIVATE_KEY;
+			at.type = CKA_CLASS;
+			at.value = &klass;
+			at.value_len = sizeof (klass);
+			p11_kit_uri_set_attribute (*info, &at);
+		}
+	}
+
 	return 0;
 }
 
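Review bot: In the new CKA_CLASS block of `pkcs11_url_to_info` (hunk @@ -727) the return value of `p11_kit_uri_set_attribute()` is discarded in both branches, so if the attribute cannot be stored the function still returns 0 and the caller continues with a URI that carries no class hint — an incomplete URI can then match an object of a different class than the one the caller asked for. The two branches differ only in the class constant, so they can be folded into a single call whose failure is reported as `GNUTLS_E_MEMORY_ERROR`, releasing `*info` when this function allocated it (the `allocated` flag is declared at the top of the function; its existing cleanup path is outside the hunk, so the free call below should mirror that code). `at.value` points at the stack object `klass`, which relies on p11-kit copying the attribute value; I believe it does, but a one-line comment would save the next reader the lookup. The parsing-error path between the two hunks is not visible here.
```c
	/* Incomplete URI (no type=): let the caller's hint supply CKA_CLASS. */
	if (p11_kit_uri_get_attribute(*info, CKA_CLASS) == NULL &&
	    (flags & (GNUTLS_PKCS11_OBJ_FLAG_EXPECT_CERT |
		      GNUTLS_PKCS11_OBJ_FLAG_EXPECT_PRIVKEY))) {
		struct ck_attribute at;
		ck_object_class_t klass =
		    (flags & GNUTLS_PKCS11_OBJ_FLAG_EXPECT_CERT) ?
		    CKO_CERTIFICATE : CKO_PRIVATE_KEY;

		at.type = CKA_CLASS;
		at.value = &klass;
		at.value_len = sizeof(klass);
		/* p11-kit is expected to copy the value; klass need not outlive this block */
		if (p11_kit_uri_set_attribute(*info, &at) != P11_KIT_URI_OK) {
			gnutls_assert();
			if (allocated) {
				p11_kit_uri_free(*info);
				*info = NULL;
			}
			return GNUTLS_E_MEMORY_ERROR;
		}
	}

	return 0;
```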
@@ -1821,7 +1841,7 @@ gnutls_pkcs11_obj_import_url(gnutls_pkcs11_obj_t obj, const char *url,
 	/* fill in the find data structure */
 	find_data.obj = obj;
 
-	ret = pkcs11_url_to_info(url, &obj->info);
+	ret = pkcs11_url_to_info(url, &obj->info, flags);
 	if (ret < 0) {
 		gnutls_assert();
 		return ret;
@@ -1941,7 +1961,7 @@ gnutls_pkcs11_token_get_info(const char *url,
 
 	PKCS11_CHECK_INIT;
 
-	ret = pkcs11_url_to_info(url, &info);
+	ret = pkcs11_url_to_info(url, &info, 0);
 	if (ret < 0) {
 		gnutls_assert();
 		return ret;
@@ -2724,7 +2744,7 @@ gnutls_pkcs11_obj_list_import_url3(gnutls_pkcs11_obj_t * p_list,
 		url = "pkcs11:";
 	}
 
-	ret = pkcs11_url_to_info(url, &priv.info);
+	ret = pkcs11_url_to_info(url, &priv.info, flags);
 	if (ret < 0) {
 		gnutls_assert();
 		return ret;
@@ -2805,7 +2825,7 @@ gnutls_pkcs11_obj_list_import_url4(gnutls_pkcs11_obj_t ** p_list,
 		url = "pkcs11:";
 	}
 
-	ret = pkcs11_url_to_info(url, &priv.info);
+	ret = pkcs11_url_to_info(url, &priv.info, flags);
 	if (ret < 0) {
 		gnutls_assert();
 		return ret;
@@ -2884,7 +2904,7 @@ _gnutls_x509_crt_import_pkcs11_url(gnutls_x509_crt_t crt,
 
 	gnutls_pkcs11_obj_set_pin_function(pcrt, crt->pin.cb, crt->pin.data);
 
-	ret = gnutls_pkcs11_obj_import_url(pcrt, url, flags);
+	ret = gnutls_pkcs11_obj_import_url(pcrt, url, flags|GNUTLS_PKCS11_OBJ_FLAG_EXPECT_CERT);
 	if (ret < 0) {
 		gnutls_assert();
 		goto cleanup;
@@ -3002,7 +3022,7 @@ int gnutls_pkcs11_token_get_flags(const char *url, unsigned int *flags)
 	PKCS11_CHECK_INIT;
 
 	memset(&find_data, 0, sizeof(find_data));
-	ret = pkcs11_url_to_info(url, &find_data.info);
+	ret = pkcs11_url_to_info(url, &find_data.info, 0);
 	if (ret < 0) {
 		gnutls_assert();
 		return ret;
@@ -3058,7 +3078,7 @@ gnutls_pkcs11_token_get_mechanism(const char *url, unsigned int idx,
 
 	PKCS11_CHECK_INIT;
 
-	ret = pkcs11_url_to_info(url, &info);
+	ret = pkcs11_url_to_info(url, &info, 0);
 	if (ret < 0) {
 		gnutls_assert();
 		return ret;
@@ -3426,7 +3446,7 @@ int gnutls_pkcs11_get_raw_issuer(const char *url, gnutls_x509_crt_t cert,
 		url = "pkcs11:";
 	}
 
-	ret = pkcs11_url_to_info(url, &info);
+	ret = pkcs11_url_to_info(url, &info, flags);
 	if (ret < 0) {
 		gnutls_assert();
 		return ret;
@@ -3518,7 +3538,7 @@ int gnutls_pkcs11_get_raw_issuer_by_dn (const char *url, const gnutls_datum_t *d
 		url = "pkcs11:";
 	}
 
-	ret = pkcs11_url_to_info(url, &info);
+	ret = pkcs11_url_to_info(url, &info, flags);
 	if (ret < 0) {
 		gnutls_assert();
 		return ret;
@@ -3609,7 +3629,7 @@ int gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
 		url = "pkcs11:";
 	}
 
-	ret = pkcs11_url_to_info(url, &info);
+	ret = pkcs11_url_to_info(url, &info, 0);
 	if (ret < 0) {
 		gnutls_assert();
 		return 0;
diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
index 7d2ed676a1..7cec42bd8a 100644
--- a/lib/pkcs11_int.h
+++ b/lib/pkcs11_int.h
@@ -82,7 +82,7 @@ typedef int (*find_func_t) (struct pkcs11_session_info *, void *input);
 
 int pkcs11_rv_to_err(ck_rv_t rv);
-int pkcs11_url_to_info(const char *url, struct p11_kit_uri **info);
+int pkcs11_url_to_info(const char *url, struct p11_kit_uri **info, unsigned flags);
 int pkcs11_find_slot(struct ck_function_list **module, ck_slot_id_t * slot,
 		     struct p11_kit_uri *info, struct ck_token_info *_tinfo,
@@ -128,6 +128,12 @@ int _pkcs11_traverse_tokens(find_func_t find_func, void *input,
 			    unsigned int flags);
 ck_object_class_t pkcs11_strtype_to_class(const char *type);
 
+/* Additional internal flags for gnutls_pkcs11_obj_flags */
+/* @GNUTLS_PKCS11_OBJ_FLAG_EXPECT_CERT: When importing an object, provide a hint on the type, to allow incomplete URLs
+ * @GNUTLS_PKCS11_OBJ_FLAG_EXPECT_PRIVKEY: Hint for private key */
+#define GNUTLS_PKCS11_OBJ_FLAG_EXPECT_CERT (1<<29)
+#define GNUTLS_PKCS11_OBJ_FLAG_EXPECT_PRIVKEY (1<<30)
+
 int pkcs11_token_matches_info(struct p11_kit_uri *info,
 			      struct ck_token_info *tinfo,
 			      struct ck_info *lib_info);
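Review bot: The two hint macros added in pkcs11_int.h (hunk @@ -128) share the `unsigned flags` word with the public `gnutls_pkcs11_obj_flags` values, and the public entry points in pkcs11.c (`gnutls_pkcs11_obj_import_url`, `gnutls_pkcs11_obj_list_import_url3/4`) forward the caller's flags unchanged, so a caller that sets bit 29 or 30 itself gets the internal behaviour; the pkcs11.h comment reserves those bits but nothing masks them out. The comment above the macros should also state the conditions under which they take effect and their precedence, since both are visible only from the pkcs11.c implementation: `/* Internal-only hint bits, stored in the same word as gnutls_pkcs11_obj_flags. Honoured only when the URI carries no type= attribute; if both are set, EXPECT_CERT wins. Not masked out of caller-supplied flags at the public entry points. */`. If the intent is that callers can never trigger them, masking the two bits off at the public entry points is a one-line change per function; otherwise the comment alone documents the current contract.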
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index d59b77c9d5..3d8ba58590 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -407,7 +407,7 @@ gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey,
 	if (pkey->url == NULL)
 		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
 
-	ret = pkcs11_url_to_info(pkey->url, &pkey->uinfo);
+	ret = pkcs11_url_to_info(pkey->url, &pkey->uinfo, flags|GNUTLS_PKCS11_OBJ_FLAG_EXPECT_PRIVKEY);
 	if (ret < 0) {
 		gnutls_assert();
 		return ret;
@@ -656,7 +656,7 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
 
 	memset(&sinfo, 0, sizeof(sinfo));
 
-	ret = pkcs11_url_to_info(url, &info);
+	ret = pkcs11_url_to_info(url, &info, 0);
 	if (ret < 0) {
 		gnutls_assert();
 		return ret;
diff --git a/lib/pkcs11_secret.c b/lib/pkcs11_secret.c
index 5c46519fca..0b90ee8993 100644
--- a/lib/pkcs11_secret.c
+++ b/lib/pkcs11_secret.c
@@ -65,7 +65,7 @@ gnutls_pkcs11_copy_secret_key(const char *token_url, gnutls_datum_t * key,
 
 	memset(&sinfo, 0, sizeof(sinfo));
 
-	ret = pkcs11_url_to_info(token_url, &info);
+	ret = pkcs11_url_to_info(token_url, &info, 0);
 	if (ret < 0) {
 		gnutls_assert();
 		return ret;
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index 5d6bf3a7a4..55fc6e5259 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -108,7 +108,7 @@ gnutls_pkcs11_copy_x509_crt(const char *token_url,
 
 	memset(&sinfo, 0, sizeof(sinfo));
 
-	ret = pkcs11_url_to_info(token_url, &info);
+	ret = pkcs11_url_to_info(token_url, &info, 0);
 	if (ret < 0) {
 		gnutls_assert();
 		return ret;
@@ -251,7 +251,7 @@ gnutls_pkcs11_copy_attached_extension(const char *token_url,
 
 	memset(&sinfo, 0, sizeof(sinfo));
 
-	ret = pkcs11_url_to_info(token_url, &info);
+	ret = pkcs11_url_to_info(token_url, &info, 0);
 	if (ret < 0) {
 		gnutls_assert();
 		return ret;
@@ -369,7 +369,7 @@ gnutls_pkcs11_copy_x509_privkey(const char *token_url,
 	memset(&exp1, 0, sizeof(exp1));
 	memset(&exp2, 0, sizeof(exp2));
 
-	ret = pkcs11_url_to_info(token_url, &info);
+	ret = pkcs11_url_to_info(token_url, &info, 0);
 	if (ret < 0) {
 		gnutls_assert();
 		return ret;
@@ -783,7 +783,7 @@ int gnutls_pkcs11_delete_url(const char *object_url, unsigned int flags)
 
 	memset(&find_data, 0, sizeof(find_data));
 
-	ret = pkcs11_url_to_info(object_url, &find_data.info);
+	ret = pkcs11_url_to_info(object_url, &find_data.info, 0);
 	if (ret < 0) {
 		gnutls_assert();
 		return ret;
@@ -831,7 +831,7 @@ gnutls_pkcs11_token_init(const char *token_url,
 
 	PKCS11_CHECK_INIT;
 
-	ret = pkcs11_url_to_info(token_url, &info);
+	ret = pkcs11_url_to_info(token_url, &info, 0);
 	if (ret < 0) {
 		gnutls_assert();
 		return ret;
@@ -891,7 +891,7 @@ gnutls_pkcs11_token_set_pin(const char *token_url,
 
 	memset(&sinfo, 0, sizeof(sinfo));
 
-	ret = pkcs11_url_to_info(token_url, &info);
+	ret = pkcs11_url_to_info(token_url, &info, 0);
 	if (ret < 0) {
 		gnutls_assert();
 		return ret;
@@ -968,7 +968,7 @@ gnutls_pkcs11_token_get_random(const char *token_url,
 
 	memset(&sinfo, 0, sizeof(sinfo));
 
-	ret = pkcs11_url_to_info(token_url, &info);
+	ret = pkcs11_url_to_info(token_url, &info, 0);
 	if (ret < 0) {
 		gnutls_assert();
 		return ret;