author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-06-22 15:27:05 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-06-22 16:39:58 +0200 |
commit | f65d0e417b71a5fdbcea9ae5298379d3c940b924 (patch) | |
tree | 8c515ec4e07b9dfbdc94a2d691856513fe9e7a8f /lib/pkcs11.c | |
parent | bd8961071fb849bd719a4cb828380573025e74da (diff) | |
download | gnutls-f65d0e417b71a5fdbcea9ae5298379d3c940b924.tar.gz |
pkcs11: correctly encode the serial number when searching for certificate
In gnutls_pkcs11_crt_is_known(), the serial number is now encoded as
TLV DER instead of LV DER. This is the encoding we
use when storing that number.
Diffstat (limited to 'lib/pkcs11.c')
-rw-r--r-- | lib/pkcs11.c | 25 |
1 files changed, 9 insertions, 16 deletions
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 15596eaf68..3f6afccbb9 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -3614,8 +3614,6 @@ find_cert_cb(struct ck_function_list *module, struct pkcs11_session_info *sinfo,
 id.data = a[1].value;
 id.size = a[1].value_len;
-
- found = 1;
 break;
 } else {
@@ -3976,10 +3974,8 @@ int gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
 {
 int ret;
 struct find_cert_st priv;
- uint8_t serial[ASN1_MAX_TL_SIZE+64];
+ uint8_t serial[128];
 size_t serial_size;
- uint8_t tag[ASN1_MAX_TL_SIZE];
- unsigned int tag_size;
 struct p11_kit_uri *info = NULL;
 PKCS11_CHECK_INIT_RET(0);
@@ -3997,29 +3993,22 @@ int gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
 }
 /* Attempt searching using the issuer DN + serial number */
- serial_size = sizeof(serial) - sizeof(tag);
+ serial_size = sizeof(serial);
 ret =
- gnutls_x509_crt_get_serial(cert, serial+sizeof(tag), &serial_size);
+ gnutls_x509_crt_get_serial(cert, serial, &serial_size);
 if (ret < 0) {
 gnutls_assert();
 ret = 0;
 goto cleanup;
 }
- /* PKCS#11 requires a DER encoded serial, wtf. $@(*$@ */
- tag_size = sizeof(tag);
- ret = asn1_encode_simple_der(ASN1_ETYPE_INTEGER, serial+sizeof(tag), serial_size,
- tag, &tag_size);
- if (ret != ASN1_SUCCESS) {
+ ret = _gnutls_x509_ext_gen_number(serial, serial_size, &priv.serial);
+ if (ret < 0) {
 gnutls_assert();
 ret = 0;
 goto cleanup;
 }
- memcpy(serial+sizeof(tag)-tag_size, tag, tag_size);
-
- priv.serial.data = serial+sizeof(tag)-tag_size;
- priv.serial.size = serial_size + tag_size;
 priv.crt = cert;
 priv.issuer_dn.data = cert->raw_issuer_dn.data;
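Review bot: `found = 1;` is dropped immediately before the `break` in find_cert_cb, but nothing in this hunk shows where `found` is set for this path instead; if `found` is what the code after the loop tests, a matching object would no longer be reported. The commit message only covers the serial encoding, so if the removal is deliberate (the flag is set earlier, or the variable is gone), a sentence in the message or a comment at the `break` would make that visible to the next reader. find_cert_cb starts and ends outside the hunk.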
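Review bot: `uint8_t serial[128];` replaces a size expressed through a named constant with a bare number, and that number decides the outcome: a serial longer than the buffer makes `gnutls_x509_crt_get_serial()` fail in the next hunk, which the function maps to `ret = 0` (certificate not known) without any log line. Name the limit and state why it is sufficient, for example `enum { SERIAL_BUF_SIZE = 128 };` with `/* RFC 5280 bounds serialNumber to 20 octets; 128 leaves ample room */` above the declaration. gnutls_pkcs11_crt_is_known's body continues outside the hunk.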
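Review bot: The `goto cleanup` in the `gnutls_x509_crt_get_serial()` failure branch now reaches a `cleanup:` label that calls `gnutls_free(priv.serial.data)` (hunk @@ -4059) before `_gnutls_x509_ext_gen_number()` has assigned `priv.serial`; that is only well-defined if `priv` was zeroed between its declaration (hunk @@ -3976) and this point, and those lines are not in the diff. If there is no such `memset(&priv, 0, sizeof(priv));`, add one right after the declaration, and the same question applies to the `_gnutls_x509_ext_gen_number()` error path, which must leave `priv.serial.data` NULL rather than a partially built allocation. Since `priv.serial.data` is now heap-owned where it used to point into a stack buffer, a one-line comment such as `/* priv.serial is allocated here and released at cleanup */` next to the call would spare the reader a trip to the label. The function continues outside the hunk.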
@@ -4036,8 +4025,10 @@ int gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
 _pkcs11_traverse_tokens(find_cert_cb, &priv, info, NULL, pkcs11_obj_flags_to_int(flags));
 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ _gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n");
 /* attempt searching with the subject DN only */
 gnutls_assert();
+ gnutls_free(priv.serial.data);
 memset(&priv, 0, sizeof(priv));
 priv.crt = cert;
 priv.flags = flags;
@@ -4050,6 +4041,7 @@ int gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
 }
 if (ret < 0) {
 gnutls_assert();
+ _gnutls_debug_log("crt_is_known: did not find any cert\n");
 ret = 0;
 goto cleanup;
 }
@@ -4059,6 +4051,7 @@ int gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
 cleanup:
 if (info) p11_kit_uri_free(info);
+ gnutls_free(priv.serial.data);
 return ret;
 }
 |
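Review bot: The new debug message `"crt_is_known: did not find cert, using issuer DN + serial, using DN only\n"` reads as two contradictory clauses; `"crt_is_known: did not find cert using issuer DN + serial, retrying with DN only\n"` states what actually happens. The `gnutls_free(priv.serial.data)` placed just before `memset(&priv, 0, sizeof(priv))` is also what keeps the `cleanup:` label from freeing the same buffer twice, because the memset leaves `priv.serial.data` NULL for the final `gnutls_free`; that ordering is worth a comment such as `/* release the DER serial now: memset() clears the pointer, so cleanup's free becomes a no-op */`. The function continues outside the hunk.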