-rw-r--r-- | lib/pkcs11.c | 94 | ||||
-rw-r--r-- | lib/x509/common.c | 14 | ||||
-rw-r--r-- | lib/x509/common.h | 2 |
3 files changed, 66 insertions, 44 deletions
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index e86314c68d..03385bc041 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -3107,6 +3107,66 @@ const char *gnutls_pkcs11_type_get_name(gnutls_pkcs11_obj_type_t type)
 }
 }
+static
+int check_found_cert(struct find_cert_st *priv, gnutls_datum_t *data, time_t now)
+{
+ gnutls_x509_crt_t tcrt = NULL;
+ int ret;
+
+ ret = gnutls_x509_crt_init(&tcrt);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ ret = gnutls_x509_crt_import(tcrt, data, GNUTLS_X509_FMT_DER);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ if (priv->key_id.size > 0 &&
+ !_gnutls_check_valid_key_id(&priv->key_id, tcrt, now)) {
+ gnutls_assert();
+ ret = -1;
+ goto cleanup;
+ }
+
+ if (priv->flags & GNUTLS_PKCS11_OBJ_FLAG_COMPARE) {
+ if (priv->crt == NULL) {
+ gnutls_assert();
+ ret = -1;
+ goto cleanup;
+ }
+
+ if (_gnutls_check_if_same_cert(priv->crt, tcrt) == 0) {
+ /* doesn't match */
+ ret = -1;
+ goto cleanup;
+ }
+ }
+
+ if (priv->flags & GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY) {
+ if (priv->crt == NULL) {
+ gnutls_assert();
+ ret = -1;
+ goto cleanup;
+ }
+
+ if (_gnutls_check_if_same_key(priv->crt, tcrt, 1) == 0) {
+ /* doesn't match */
+ ret = -1;
+ goto cleanup;
+ }
+ }
+
+ ret = 0;
+cleanup:
+ if (tcrt != NULL)
+ gnutls_x509_crt_deinit(tcrt);
+ return ret;
+}
+
 static int
 find_cert_cb(struct pkcs11_session_info *sinfo,
 struct token_info *info, struct ck_info *lib_info, void *input)
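Review bot: check_found_cert has no header comment, and the `1` passed as the third argument of `_gnutls_check_if_same_key` is an unexplained constant; the code it replaces went through the `_gnutls_check_if_same_key2` wrapper instead, so a comment such as `/* 1: the comparison mode the former _gnutls_check_if_same_key2() path used -- confirm */` on that call would keep the intent visible. A short block comment above the function stating that it imports `data` as DER into a temporary certificate, applies the key-id, COMPARE and COMPARE_KEY filters taken from `priv`, returns 0 on a match and a negative value otherwise, and never frees or takes ownership of `data`, would document the contract the caller in find_cert_cb now relies on. Two smaller points of style: the mismatch paths return a bare `-1` rather than a GNUTLS_E_* code, which hides whether the caller may treat it as a plain mismatch or as misuse, and the `if (tcrt != NULL)` guard at `cleanup:` is dead, since the only path with a NULL tcrt returns before reaching the label.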
@@ -3250,38 +3310,12 @@ find_cert_cb(struct pkcs11_session_info *sinfo,
 gnutls_datum_t id = { a[1].value, a[1].value_len };
- if (priv->key_id.size > 0 &&
- !_gnutls_check_valid_key_id(&priv->key_id, &data, now)) {
- gnutls_assert();
+ ret = check_found_cert(priv, &data, now);
+ if (ret < 0) {
+ _gnutls_free_datum(&data);
 continue;
 }
- if (priv->flags & GNUTLS_PKCS11_OBJ_FLAG_COMPARE) {
- if (priv->crt == NULL) {
- gnutls_assert();
- break;
- }
-
- if (_gnutls_check_if_same_cert2(priv->crt, &data) == 0) {
- /* doesn't match */
- _gnutls_free_datum(&data);
- continue;
- }
- }
-
- if (priv->flags & GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY) {
- if (priv->crt == NULL) {
- gnutls_assert();
- break;
- }
-
- if (_gnutls_check_if_same_key2(priv->crt, &data) == 0) {
- /* doesn't match */
- _gnutls_free_datum(&data);
- continue;
- }
- }
-
 if (priv->flags & GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT) {
 gnutls_datum_t spki;
 rv = pkcs11_get_attribute_avalue(sinfo->module, sinfo->pks, obj, CKA_PUBLIC_KEY_INFO, &spki);
@@ -3289,7 +3323,7 @@ find_cert_cb(struct pkcs11_session_info *sinfo,
 ret = pkcs11_override_cert_exts(sinfo, &spki, &data);
 if (ret < 0) {
 gnutls_assert();
- /* non fatal errors */
+ /* non fatal error */
 }
 }
 }
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 616228f152..9ff1c0ff4f 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
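Review bot: Routing the `priv->crt == NULL` case through check_found_cert changes the loop's behaviour: the removed code hit `break` when GNUTLS_PKCS11_OBJ_FLAG_COMPARE or GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY was set without a reference certificate, whereas the new `if (ret < 0) { _gnutls_free_datum(&data); continue; }` treats that as an ordinary mismatch, so the callback now imports and rejects every certificate on the token before giving up. If the early exit was intended, the misuse case should stay distinguishable from a mismatch, e.g. by having check_found_cert (in the hunk above) return `GNUTLS_E_INVALID_REQUEST` for the NULL reference and adding `if (ret == GNUTLS_E_INVALID_REQUEST) break;` ahead of the `continue`. The surrounding loop and the rest of find_cert_cb lie outside this hunk, so how the final result is reported to the caller is not visible here.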
@@ -1953,23 +1953,12 @@ int x509_raw_crt_to_raw_pubkey(const gnutls_datum_t * cert,
 bool
 _gnutls_check_valid_key_id(gnutls_datum_t *key_id,
- gnutls_datum_t *certbin, time_t now)
+ gnutls_x509_crt_t cert, time_t now)
 {
 uint8_t id[MAX_KEY_ID_SIZE];
 size_t id_size;
- gnutls_x509_crt_t cert;
 bool result = 0;
- if (gnutls_x509_crt_init(&cert) < 0) {
- gnutls_assert();
- return 0;
- }
-
- if (gnutls_x509_crt_import(cert, certbin, GNUTLS_X509_FMT_DER) < 0) {
- gnutls_assert();
- goto out;
- }
-
 if (now > gnutls_x509_crt_get_expiration_time(cert) &&
 now < gnutls_x509_crt_get_activation_time(cert)) {
 /* don't bother, certificate is not yet activated or expired */
@@ -1986,6 +1975,5 @@ _gnutls_check_valid_key_id(gnutls_datum_t *key_id,
 result = 1;
 out:
- gnutls_x509_crt_deinit(cert);
 return result;
 }
diff --git a/lib/x509/common.h b/lib/x509/common.h
index bf12fc7c3e..d39a87c24f 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -193,7 +193,7 @@ _gnutls_check_if_same_key2(gnutls_x509_crt_t cert1,
 bool
 _gnutls_check_valid_key_id(gnutls_datum_t *key_id,
- gnutls_datum_t *certbin, time_t now);
+ gnutls_x509_crt_t cert, time_t now);
 bool
 _gnutls_check_if_same_cert(gnutls_x509_crt_t cert1, |
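Review bot: The `&&` in the early-out `if (now > gnutls_x509_crt_get_expiration_time(cert) && now < gnutls_x509_crt_get_activation_time(cert))` can only be true when the expiration time precedes the activation time, which is not the "not yet activated or expired" case the comment describes; unless that is deliberate, `||` is the condition that matches the comment, presumably so that an expired or not-yet-valid certificate is reported as not matching the key id (the remainder of the body up to `out:` is outside the hunk, so the effect on `result` is inferred). That condition is unchanged context rather than part of this commit, but the commit reworks the function and leaves it as it is. The new `gnutls_x509_crt_t cert` parameter also deserves a line in the function's header comment saying that the caller owns the certificate and that the function no longer initialises or deinitialises one, which is what the removal of `gnutls_x509_crt_deinit(cert)` in the second hunk of this file implies.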