[rs-commit] r94 - in /redwax-tool/trunk: redwax-tool.h redwax_openssl.c redwax_p11kit.c
rs-commit at redwax.eu
rs-commit at redwax.eu
Mon Nov 29 14:30:55 CET 2021
Author: minfrin at redwax.eu
Date: Mon Nov 29 14:30:53 2021
New Revision: 94
Log:
Track the id, subject key identifier, and generated id separately.
Add explicit warnings when reading the ids in and they don't
match the expected patterns.
Modified:
redwax-tool/trunk/redwax-tool.h
redwax-tool/trunk/redwax_openssl.c
redwax-tool/trunk/redwax_p11kit.c
Modified: redwax-tool/trunk/redwax-tool.h
==============================================================================
--- redwax-tool/trunk/redwax-tool.h (original)
+++ redwax-tool/trunk/redwax-tool.h Mon Nov 29 14:30:53 2021
@@ -134,6 +134,10 @@
apr_size_t subject_len;
const unsigned char *id_der;
apr_size_t id_len;
+ const unsigned char *skid_der;
+ apr_size_t skid_len;
+ const unsigned char *gid_der;
+ apr_size_t gid_len;
const unsigned char *issuer_der;
apr_size_t issuer_len;
const unsigned char *serial_der;
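Review bot: The struct now carries three near-identical identifier pairs (`id_*`, `skid_*`, `gid_*`) and nothing in the header says how they differ or which one wins; the same applies to the `gid_*` pair added to the key struct in the second hunk of this file. Going by the rest of the commit, a short comment per field would do, for example `/* CKA_ID as read from the source, if any */`, `/* X.509 Subject Key Identifier extension value */` and `/* SHA-1 of the RSA modulus, generated locally; last-resort CKA_ID */`. It would also help to note that all three are raw binary values, not NUL-terminated strings, since later code formats them for display. Both struct definitions start and end outside the hunks.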
@@ -181,6 +185,8 @@
redwax_key_type_e type;
const unsigned char *id_der;
apr_size_t id_len;
+ const unsigned char *gid_der;
+ apr_size_t gid_len;
const unsigned char *subject_der;
apr_size_t subject_len;
const unsigned char *subjectpublickeyinfo_der;
Modified: redwax-tool/trunk/redwax_openssl.c
==============================================================================
--- redwax-tool/trunk/redwax_openssl.c (original)
+++ redwax-tool/trunk/redwax_openssl.c Mon Nov 29 14:30:53 2021
@@ -3206,8 +3206,8 @@
EVP_Digest(key->rsa->modulus, key->rsa->modulus_len, digest, &len,
EVP_sha1(), NULL);
- key->common.id_der = apr_pmemdup(key->pool, digest, len);
- key->common.id_len = len;
+ key->common.gid_der = apr_pmemdup(key->pool, digest, len);
+ key->common.gid_len = len;
#if HAVE_EVP_PKEY_GET_BN_PARAM
BN_clear_free(n);
@@ -3472,8 +3472,13 @@
}
+ x509 = cert->x509 = apr_pcalloc(cert->pool,
+ sizeof(redwax_certificate_x509_t));
+
pub = X509_get_X509_PUBKEY(x);
if (pub) {
+
+ EVP_PKEY *pkey = X509_PUBKEY_get(pub);
unsigned char *der;
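Review bot: `X509_PUBKEY_get(pub)` returns NULL when the key algorithm is unsupported or the encoded key fails to decode, and the new `pkey` is handed to `EVP_PKEY_base_id(pkey)` in the next hunk without a check. A certificate carrying such a key would likely crash the read instead of simply ending up without a generated id, so wrap the switch in `if (pkey) {`. The call also returns a reference the caller owns: the `EVP_PKEY_free(pkey);` from the old fallback is removed by this commit and no replacement is visible before the `if (pub)` block closes, so add one after the switch. The `if (pub)` block opens in this hunk and closes in the following one.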
@@ -3481,13 +3486,51 @@
cert->common.subjectpublickeyinfo_der = der = apr_palloc(r->pool,
cert->common.subjectpublickeyinfo_len);
i2d_X509_PUBKEY(pub, &der);
+
+ switch(EVP_PKEY_base_id(pkey)) {
+ case EVP_PKEY_RSA: {
+
+#if HAVE_EVP_PKEY_GET_BN_PARAM
+ BIGNUM *n = NULL;
+
+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &n);
+#else
+ RSA *rsa = EVP_PKEY_get1_RSA(pkey);
+
+ const BIGNUM *n = RSA_get0_n(rsa);
+#endif
+
+ /* public */
+ if (n) {
+
+ unsigned char digest[EVP_MAX_MD_SIZE];
+ unsigned int len = BN_num_bytes(n);
+ unsigned char *modulus = apr_palloc(cert->pool,
+ len);
+
+ BN_bn2bin(n, modulus);
+
+ EVP_Digest(modulus, len, digest, &len, EVP_sha1(), NULL);
+ x509->gid_der = apr_pmemdup(cert->pool, digest, len);
+ x509->gid_len = len;
+
+ }
+
+#if HAVE_EVP_PKEY_GET_BN_PARAM
+ BN_clear_free(n);
+#else
+ RSA_free(rsa);
+#endif
+ break;
+ }
+ default:
+ break;
+ }
+
}
cert->common.subject = redwax_openssl_name(cert->pool,
X509_get_subject_name(x));
-
- x509 = cert->x509 = apr_pcalloc(cert->pool,
- sizeof(redwax_certificate_x509_t));
name = X509_get_subject_name(x);
if (name) {
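Review bot: `len` is pre-loaded with `BN_num_bytes(n)` and then reused as the digest output length, while the return value of `EVP_Digest()` is ignored. If the digest call fails (for example SHA-1 not being available from the active provider), `len` presumably still holds the modulus size and `apr_pmemdup(cert->pool, digest, len)` would read past the `EVP_MAX_MD_SIZE` stack buffer and store that memory as `gid_der`. Use a separate `unsigned int dlen = 0;` and store the result only on success: `if (EVP_Digest(modulus, len, digest, &dlen, EVP_sha1(), NULL)) { x509->gid_der = apr_pmemdup(cert->pool, digest, dlen); x509->gid_len = dlen; }`. In the `#else` branch `EVP_PKEY_get1_RSA()` can also return NULL, so `rsa` should be checked before `RSA_get0_n(rsa)`.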
@@ -3501,38 +3544,8 @@
skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
if (skid) {
- x509->id_len = skid->length;
- x509->id_der = apr_pmemdup(cert->pool, skid->data, skid->length);
- }
- else if (pub) {
- EVP_PKEY *pkey = X509_PUBKEY_get(pub);
-
- switch(EVP_PKEY_base_id(pkey)) {
- case EVP_PKEY_RSA: {
- /* id is the sha1 hash of the modulus */
- unsigned char digest[EVP_MAX_MD_SIZE];
- RSA *rsa = EVP_PKEY_get1_RSA(pkey);
- const BIGNUM *n = RSA_get0_n(rsa);
- unsigned char *buf = apr_palloc(cert->pool, BN_num_bytes(n));
- unsigned int len;
- BN_bn2bin(n, buf);
- EVP_Digest(buf, BN_num_bytes(n), digest, &len, EVP_sha1(), NULL);
- x509->id_der = apr_pmemdup(cert->pool, digest, len);
- x509->id_len = len;
- RSA_free(rsa);
- break;
- }
-#if 0
- case EVP_PKEY_DSA:
- break;
- case EVP_PKEY_DH:
- break;
- case EVP_PKEY_EC:
- break;
-#endif
- }
-
- EVP_PKEY_free(pkey);
+ x509->skid_len = skid->length;
+ x509->skid_der = apr_pmemdup(cert->pool, skid->data, skid->length);
}
name = X509_get_issuer_name(x);
Modified: redwax-tool/trunk/redwax_p11kit.c
==============================================================================
--- redwax-tool/trunk/redwax_p11kit.c (original)
+++ redwax-tool/trunk/redwax_p11kit.c Mon Nov 29 14:30:53 2021
@@ -428,14 +428,29 @@
redwax_certificate_x509_t *x509 = cert->x509;
+ /* id from URL has top priority */
attr = p11_kit_uri_get_attribute(parsed, CKA_ID);
if (attr) {
redwax_pkcs11_add_attribute(template, CKA_ID,
attr->pValue, attr->ulValueLen);
}
+
+ /* otherwise keep the original ID */
else if (x509->id_len) {
redwax_pkcs11_add_attribute(template, CKA_ID,
(void *)x509->id_der, x509->id_len);
+ }
+
+ /* failing that use the subject key identifier */
+ else if (x509->skid_len) {
+ redwax_pkcs11_add_attribute(template, CKA_ID,
+ (void *)x509->skid_der, x509->skid_len);
+ }
+
+ /* last resort, use generated ID */
+ else if (x509->gid_len) {
+ redwax_pkcs11_add_attribute(template, CKA_ID,
+ (void *)x509->gid_der, x509->gid_len);
}
if (x509->subject_len) {
@@ -632,6 +647,12 @@
redwax_pkcs11_add_attribute(privateTemplate, CKA_ID,
(void *)key->common.id_der, key->common.id_len);
}
+ else if (key->common.gid_len) {
+ redwax_pkcs11_add_attribute(publicTemplate, CKA_ID,
+ (void *)key->common.gid_der, key->common.gid_len);
+ redwax_pkcs11_add_attribute(privateTemplate, CKA_ID,
+ (void *)key->common.gid_der, key->common.gid_len);
+ }
if (key->common.subject_len) {
redwax_pkcs11_add_attribute(publicTemplate, CKA_SUBJECT,
@@ -1242,6 +1263,56 @@
}
return NULL;
+}
+
+static void redwax_p11kit_check_cert(redwax_tool_t *r,
+ redwax_certificate_t *cert, apr_pool_t *pool)
+{
+
+ if (cert->x509) {
+
+ redwax_certificate_x509_t *x509 = cert->x509;
+
+ if (!x509->id_der && !x509->skid_der) {
+
+ redwax_print_error(r,
+ "pkcs11-in: certificate on token '%s' has no ID and no Subject Key "
+ "Identifier, and is therefore unlikely to be found by most software. "
+ "Reading certificate anyway.\n", cert->token);
+
+ }
+
+ else if (!x509->id_der && x509->skid_der) {
+
+ redwax_print_error(r,
+ "pkcs11-in: certificate on token '%s' has no ID, with Subject Key "
+ "Identifier '%s' present, and is therefore unlikely to be found by "
+ "most software. Reading certificate anyway.\n",
+ cert->token,
+ redwax_pstrntrim(pool, (const char*) x509->id_der,
+ x509->id_len));
+
+ }
+
+ else if (x509->id_der && x509->skid_der
+ && (x509->id_len != x509->skid_len
+ || memcmp(x509->id_der, x509->skid_der,
+ x509->id_len))) {
+
+ redwax_print_error(r,
+ "pkcs11-in: certificate on token '%s' has ID '%s', but different "
+ "Subject Key Identifier '%s', and is therefore unlikely to be found "
+ "by most software. Reading certificate anyway.\n",
+ cert->token,
+ redwax_pstrntrim(pool, (const char*) x509->id_der,
+ x509->id_len),
+ redwax_pstrntrim(pool, (const char*) x509->skid_der,
+ x509->skid_len));
+
+ }
+
+ }
+
}
static apr_status_t redwax_p11kit_read_slot(redwax_tool_t *r,
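Review bot: The second branch of `redwax_p11kit_check_cert()` is only reached when `x509->id_der` is NULL, yet it fills the "Subject Key Identifier '%s'" placeholder from `x509->id_der` and `x509->id_len`; the arguments should be `(const char*) x509->skid_der, x509->skid_len`. As written the helper receives a NULL pointer, so the warning at best prints an empty value and may fault, depending on how `redwax_pstrntrim()` treats NULL. Separately, the ID and SKID are binary values read from the token, and printing them through `%s` can truncate at an embedded zero byte or send control characters to the terminal. A hex rendering (for instance `apr_pescape_hex()`, if the APR version in use provides it) would be safer and more useful for comparing the two values.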
@@ -1410,6 +1481,8 @@
(const char*) tokenInfo->label,
sizeof(tokenInfo->label));
cert->token_len = strlen(cert->token);
+
+ redwax_p11kit_check_cert(r, cert, pool);
if (REDWAX_CERTIFICATE_ROOT
== cert->common.category && trusted) {