author | Stef Walter <stefw@redhat.com> | 2014-10-09 08:15:29 +0200 |
---|---|---|
committer | Stef Walter <stefw@redhat.com> | 2014-10-09 13:08:05 +0200 |
commit | 03d280df9a73aca5cb6eabbcb97ef3ca4e1ae0e5 (patch) | |
tree | 943e5da0523a6c6094026cc96e393d40fee1e282 /trust/x509.c | |
parent | b3579cb54bd5cd16e9740404408b2505b4b1e26b (diff) | |
download | p11-kit-03d280df9a73aca5cb6eabbcb97ef3ca4e1ae0e5.tar.gz |
trust: Certificate CKA_ID is SubjectKeyIdentifier if possible
The PKCS#11 spec states that the CKA_ID should match the
SubjectKeyIdentifier if such an extension is present.
We delay filling in CKA_ID until the builder phase of populating
attributes, which gives us more control over how this works.
Note that we don't make CKA_ID reflect SubjectKeyIdentifier *attached*
extensions. The CKA_ID isn't supposed to change after object creation.
Making it dependent on attached extensions would be making promises
we cannot keep, since attached extensions can be added/removed at any
time.
This also means the CKA_ID of attached extensions and certificates
won't necessarily match up, but that was never promised, and not how
attached extensions should be matched to their certificate anyway.
Based on a patch and research done by David Woodhouse.
https://bugs.freedesktop.org/show_bug.cgi?id=84761
Diffstat (limited to 'trust/x509.c')
-rw-r--r-- | trust/x509.c | 32 |
1 files changed, 27 insertions, 5 deletions
diff --git a/trust/x509.c b/trust/x509.c
index b93d26c..3b4fb2d 100644
--- a/trust/x509.c
+++ b/trust/x509.c
@@ -92,10 +92,10 @@ p11_x509_find_extension (node_asn *cert,
 }
 bool
-p11_x509_calc_keyid (node_asn *cert,
- const unsigned char *der,
- size_t der_len,
- unsigned char *keyid)
+p11_x509_hash_subject_public_key (node_asn *cert,
+ const unsigned char *der,
+ size_t der_len,
+ unsigned char *keyid)
 {
 int start, end;
 size_t len;
@@ -103,7 +103,6 @@ p11_x509_calc_keyid (node_asn *cert,
 return_val_if_fail (cert != NULL, NULL);
 return_val_if_fail (der != NULL, NULL);
- return_val_if_fail (keyid != NULL, NULL);
 ret = asn1_der_decoding_startEnd (cert, der, der_len, "tbsCertificate.subjectPublicKeyInfo", &start, &end);
 return_val_if_fail (ret == ASN1_SUCCESS, false);
@@ -114,6 +113,29 @@ p11_x509_calc_keyid (node_asn *cert,
 return true;
 }
+unsigned char *
+p11_x509_parse_subject_key_identifier (p11_dict *asn1_defs,
+ const unsigned char *ext_der,
+ size_t ext_len,
+ size_t *keyid_len)
+{
+ unsigned char *keyid;
+ node_asn *ext;
+
+ return_val_if_fail (keyid_len != NULL, false);
+
+ ext = p11_asn1_decode (asn1_defs, "PKIX1.SubjectKeyIdentifier", ext_der, ext_len, NULL);
+ if (ext == NULL)
+ return NULL;
+
+ keyid = p11_asn1_read (ext, "", keyid_len);
+ return_val_if_fail (keyid != NULL, NULL);
+
+ asn1_delete_structure (&ext);
+
+ return keyid;
+}
+
 bool
 p11_x509_parse_basic_constraints (p11_dict *asn1_defs,
 const unsigned char *ext_der, |
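Review bot: Dropping `return_val_if_fail (keyid != NULL, NULL);` leaves p11_x509_hash_subject_public_key with no guard on the output buffer it fills; the digest write sits in the part of the body outside this hunk, so if any caller can still hand in NULL the failure moves from a logged precondition to a write through a null pointer. If the removal is deliberate because every caller now passes an array, say so at the signature, e.g. `/* keyid: caller-supplied output buffer, must be non-NULL */`, so the next reader does not re-add the check or rely on one that is gone. The two guards that remain return `NULL` from a function declared `bool`; `false` would match the `ret == ASN1_SUCCESS` check two lines below. The function's signature is in the preceding hunk and its body continues past this one.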
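Review bot: p11_x509_parse_subject_key_identifier leaks the decoded structure when p11_asn1_read returns NULL, because `return_val_if_fail (keyid != NULL, NULL);` bails out before `asn1_delete_structure (&ext);` runs. Reordering the tail fixes it: `keyid = p11_asn1_read (ext, "", keyid_len);` / `asn1_delete_structure (&ext);` / `return_val_if_fail (keyid != NULL, NULL);`. The first guard, `return_val_if_fail (keyid_len != NULL, false);`, returns `false` from a function whose return type is `unsigned char *`; it should be `NULL` like the other exits. Since the extension bytes come straight from the certificate being parsed, a short header comment noting that the returned buffer and `*keyid_len` are taken from untrusted input, and that the buffer is presumably heap-allocated and owned by the caller (confirm against p11_asn1_read), would help the CKA_ID builder use it safely.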