[rt-commit] r123 - in /redwax-tool/trunk: ChangeLog redwax_p11kit.c
Fri Dec 10 19:39:20 CET 2021
Author: minfrin at redwax.eu
Date: Fri Dec 10 19:39:19 2021
New Revision: 123
Log:
Allow the key to pick up an ID or a label from matching
certificates in the pkcs11 case, covering all the options
where the ID and label might need to be generated.
Modified:
redwax-tool/trunk/ChangeLog
redwax-tool/trunk/redwax_p11kit.c
Modified: redwax-tool/trunk/ChangeLog
==============================================================================
--- redwax-tool/trunk/ChangeLog (original)
+++ redwax-tool/trunk/ChangeLog Fri Dec 10 19:39:19 2021
@@ -1,5 +1,10 @@
Changes with v0.9.1
+
+ *) Allow the key to pick up an ID or a label from matching
+ certificates in the pkcs11 case, covering all the options
+ where the ID and label might need to be generated.
+ [Graham Leggett]
*) Decide on and write the label on certificates and keys when
writing to pkcs11. [Graham Leggett]
Modified: redwax-tool/trunk/redwax_p11kit.c
==============================================================================
--- redwax-tool/trunk/redwax_p11kit.c (original)
+++ redwax-tool/trunk/redwax_p11kit.c Fri Dec 10 19:39:19 2021
@@ -1261,6 +1261,82 @@
return 0;
}
+static void redwax_pk11_scan_cert(redwax_tool_t *r, redwax_certificate_t *cert,
+ redwax_key_t *key)
+{
+
+ if (key->common.subjectpublickeyinfo_len
+ == cert->common.subjectpublickeyinfo_len
+ && !memcmp(key->common.subjectpublickeyinfo_der,
+ cert->common.subjectpublickeyinfo_der,
+ key->common.subjectpublickeyinfo_len)) {
+
+ /* otherwise keep the original ID */
+ if (cert->id_len) {
+ key->common.cid_der = cert->id_der;
+ key->common.cid_len = cert->id_len;
+ }
+
+ /* failing that use the subject key identifier */
+ else if (cert->x509 && cert->x509->skid_len) {
+ key->common.cid_der = cert->x509->skid_der;
+ key->common.cid_len = cert->x509->skid_len;
+ }
+
+ /* last resort, use generated ID */
+ else if (cert->x509 && cert->x509->gid_len) {
+ key->common.cid_der = cert->x509->gid_der;
+ key->common.cid_len = cert->x509->gid_len;
+ }
+
+ /* LABEL comes from the original input key... */
+ if (cert->label) {
+ key->common.clabel_der = (void *)cert->label;
+ key->common.clabel_len = cert->label_len;
+ }
+ /* ...otherwise LABEL is generated from the CN of the subject */
+ else if (cert->common.glabel) {
+ key->common.clabel_der = (void *)cert->common.glabel;
+ key->common.clabel_len = cert->common.glabel_len;
+ }
+
+ }
+
+}
+
+static void redwax_pk11_scan_certs(redwax_tool_t *r, redwax_key_t *key)
+{
+
+ int i;
+
+ for (i = 0; i < r->certs_out->nelts; i++)
+ {
+ redwax_certificate_t
+ *cert = &APR_ARRAY_IDX(r->certs_out, i,
+ redwax_certificate_t);
+
+ redwax_pk11_scan_cert(r, cert, key);
+ }
+
+ for (i = 0; i < r->intermediates_out->nelts; i++)
+ {
+ redwax_certificate_t
+ *cert = &APR_ARRAY_IDX(r->intermediates_out, i,
+ redwax_certificate_t);
+
+ redwax_pk11_scan_cert(r, cert, key);
+ }
+
+ for (i = 0; i < r->trusted_out->nelts; i++)
+ {
+ redwax_certificate_t *cert =
+ &APR_ARRAY_IDX(r->trusted_out, i, redwax_certificate_t);
+
+ redwax_pk11_scan_cert(r, cert, key);
+ }
+
+}
+
static apr_status_t redwax_p11kit_handle_slot(redwax_tool_t *r,
P11KitUri *parsed, CK_FUNCTION_LIST *module, CK_TOKEN_INFO *tokenInfo,
CK_SLOT_ID_PTR slot_id, apr_hash_t *secrets)
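Review bot: A key whose subjectpublickeyinfo_len is 0 matches every certificate that also has no SPKI, because the length test at the top of redwax_pk11_scan_cert passes and memcmp of zero bytes returns 0, so such a key would take the CKA_ID and label of an unrelated certificate and be written to the token under that identity; guard it with `if (!key->common.subjectpublickeyinfo_len || key->common.subjectpublickeyinfo_len != cert->common.subjectpublickeyinfo_len || memcmp(key->common.subjectpublickeyinfo_der, cert->common.subjectpublickeyinfo_der, key->common.subjectpublickeyinfo_len)) return;` and drop the enclosing if. Since redwax_pk11_scan_certs walks certs_out, intermediates_out and trusted_out and every match reassigns cid/clabel, the last matching certificate wins rather than the first, and the `/* otherwise keep the original ID */` comment is misleading: the key's own ID is replaced whenever any matching certificate carries an ID, SKID or generated ID. Either stop after the first match or state the last-wins order in the comment. Note also that cid_der and clabel_der alias the certificate's buffers rather than copying them, so the certificate arrays must outlive the key write (presumably true for pool-allocated arrays, but worth a comment), and the `r` parameter of redwax_pk11_scan_cert is unused.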
@@ -1341,6 +1417,11 @@
}
redwax_print_error(r, "pkcs11-out: key\n");
+
+ /* walk the certificates to see if there is a match, if so, we grab
+ * the ID and LABEL from that certificate.
+ */
+ redwax_pk11_scan_certs(r, key);
status = redwax_pkcs11_write_key(r, parsed, module, tokenInfo,
session, key, label);
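Review bot: The scan may set key->common.clabel_der, but the call on the next line still passes the pre-existing `label` variable, so whether the certificate-derived label reaches the token depends on which of the two redwax_pkcs11_write_key prefers — that is not visible here and should be confirmed. The scan also runs unconditionally, so a key that arrived with its own CKA_ID (for example one read from another token) is re-identified from any matching certificate; if that is intended, say so, e.g. `/* a matching certificate's ID/label override any the key arrived with */`. redwax_p11kit_handle_slot begins before this hunk.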