authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-09-26 14:00:32 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2016-09-26 20:53:39 +0200
commitcd8c42a866c6909467008662dbcb0257023a324c (patch)
tree028646d4972bd590510f215ab89bacd391706459 /lib
parent73129548538242131efafb4aa228d4b7f1f55c0c (diff)
pkcs11: only staple extensions from a trust module when they are from a non-distrusted certificate
That is, make sure that the API for stapling extensions is only used for non-distrusted (i.e., not blacklisted) certificates. The reason is to avoid duplicate extension entries from the p11-kit trust database. These come from blacklisted certificates, and we have no reason to support stapled extensions for blacklisted certificates.
Diffstat (limited to 'lib')
-rw-r--r--lib/pkcs11.c3
-rw-r--r--lib/pkcs11x.c16
2 files changed, 14 insertions, 5 deletions
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index e1ea59ce33..ff618a7116 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -3634,7 +3634,8 @@ find_cert_cb(struct ck_function_list *module, struct pkcs11_session_info *sinfo,
finalized = 1;
if (found != 0) {
- if (priv->flags & GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT && data.size > 0) {
+ if (!(priv->flags & GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED) &&
+ (priv->flags & GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT) && data.size > 0) {
gnutls_datum_t spki;
rv = pkcs11_get_attribute_avalue(sinfo->module, sinfo->pks, ctx, CKA_PUBLIC_KEY_INFO, &spki);
if (rv == CKR_OK) {
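Review bot: The new guard keys on the caller's GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED flag rather than on any attribute of the object that was actually found, so a reader cannot tell from this hunk why the flag check is sufficient; if find_cert_cb's search template (set up outside the hunk) does not itself exclude CKA_X_DISTRUSTED objects when the flag is absent, a blacklisted certificate could still reach pkcs11_override_cert_exts and the CKA_X_DISTRUSTED filter added in lib/pkcs11x.c would be the real guard. A short comment above the condition would record the intent: `/* Never staple extensions onto a distrusted certificate: the trust module may hold duplicate extension objects for blacklisted ones. */`. The two-line condition is also hard to scan; splitting the flag test into a named local such as `unsigned staple_ok = !(priv->flags & GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED) && (priv->flags & GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT);` would keep the `if` on one line. find_cert_cb starts and ends outside this hunk.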
diff --git a/lib/pkcs11x.c b/lib/pkcs11x.c
index b12918a47a..a596c759b1 100644
--- a/lib/pkcs11x.c
+++ b/lib/pkcs11x.c
@@ -1,7 +1,7 @@
/*
* GnuTLS PKCS#11 support
- * Copyright (C) 2010-2014 Free Software Foundation, Inc.
- * Copyright (C) 2014 Red Hat
+ * Copyright (C) 2010-2016 Free Software Foundation, Inc.
+ * Copyright (C) 2016 Red Hat
*
* Authors: Nikos Mavrogiannopoulos
*
@@ -61,11 +61,14 @@ static int override_ext(gnutls_x509_crt_t crt, gnutls_datum_t *ext)
return ret;
}
+/* This function re-encodes a certificate to contain its stapled extensions.
+ * That assumes that the certificate is not in the distrusted list.
+ */
int pkcs11_override_cert_exts(struct pkcs11_session_info *sinfo, gnutls_datum_t *spki, gnutls_datum_t *der)
{
int ret;
gnutls_datum_t new_der = {NULL, 0};
- struct ck_attribute a[2];
+ struct ck_attribute a[3];
struct ck_attribute b[1];
unsigned long count;
unsigned ext_data_size = der->size;
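Review bot: The new header comment says the function "assumes" the certificate is not distrusted, but the later hunk in this file makes the function enforce that itself by adding CKA_X_DISTRUSTED = false to the search template, so the comment understates what the code guarantees and names none of the parameters. It would be more useful as a doc comment that states the purpose (re-encode the certificate in `der` with the stapled extension objects found for `spki` in the session `sinfo`), notes that extension objects flagged CKA_X_DISTRUSTED are excluded from the search, and says what happens to `der` on success and on failure (not visible here, so it has to come from the rest of the body). The array size change `struct ck_attribute a[3];` is coupled to a literal count passed to pkcs11_find_objects_init in a later hunk; see the note there. pkcs11_override_cert_exts continues past the end of this hunk.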
@@ -75,6 +78,7 @@ int pkcs11_override_cert_exts(struct pkcs11_session_info *sinfo, gnutls_datum_t
unsigned finalize = 0;
ck_rv_t rv;
ck_object_handle_t obj;
+ ck_bool_t tfalse = 0;
/* retrieve the extensions */
class = CKO_X_CERTIFICATE_EXTENSION;
@@ -86,7 +90,11 @@ int pkcs11_override_cert_exts(struct pkcs11_session_info *sinfo, gnutls_datum_t
a[1].value = spki->data;
a[1].value_len = spki->size;
- rv = pkcs11_find_objects_init(sinfo->module, sinfo->pks, a, 2);
+ a[2].type = CKA_X_DISTRUSTED;
+ a[2].value = &tfalse;
+ a[2].value_len = sizeof(tfalse);
+
+ rv = pkcs11_find_objects_init(sinfo->module, sinfo->pks, a, 3);
if (rv != CKR_OK) {
gnutls_assert();
_gnutls_debug_log
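Review bot: The element count `3` in `rv = pkcs11_find_objects_init(sinfo->module, sinfo->pks, a, 3);` duplicates the array size declared in an earlier hunk of this file (`struct ck_attribute a[3];`), and the two were changed in separate hunks, which is exactly the kind of pair that drifts apart on the next edit; deriving the count from the array, `rv = pkcs11_find_objects_init(sinfo->module, sinfo->pks, a, sizeof(a) / sizeof(a[0]));`, keeps them in sync. The template entry itself looks right: `a[2].value` points at `tfalse` and `a[2].value_len` uses `sizeof(tfalse)`, matching the pattern of the neighbouring entries. A one-line comment on the new entry, `/* exclude extension objects of blacklisted certificates */`, would tie it to the commit's rationale. pkcs11_override_cert_exts continues past the end of this hunk.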