packages/pkcs11-helper
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update to 1.29.0

Browse Source
This commit is contained in:
starlet-dx 2023-02-09 15:13:11 +08:00
parent 18dee0df33
commit a0baec2feb
4 changed files with 493 additions and 457 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
pkcs11-helper-1.25.1.tar.bz2
View File

Binary file not shown.

BIN
pkcs11-helper-1.29.0.tar.bz2 Normal file
View File

Binary file not shown.

935
pkcs11-helper-rfc7512.patch
View File

@ -1,26 +1,8 @@
commit 8b614fd9554d3b372a829e4a05e21c5899f581ca From 14e09211c3d50eb06825090c9765e4382cf52f19 Mon Sep 17 00:00:00 2001
Author: David Woodhouse <David.Woodhouse@intel.com> From: David Woodhouse <David.Woodhouse@intel.com>
Date: Thu Apr 30 14:58:24 2015 +0100 Date: Sun, 14 Dec 2014 19:42:18 +0000
Subject: [PATCH 1/3] Stop _pkcs11h_util_hexToBinary() checking for trailing
Serialize to RFC7512-compliant PKCS#11 URIs NUL
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
commit db7a561668614b16b3a14564b3b4f71912db8e17
Author: David Woodhouse <David.Woodhouse@intel.com>
Date: Wed Dec 10 14:00:21 2014 +0000
Accept RFC7512-compliant PKCS#11 URIs as serialized token/certificate IDs
The old format is still accepted for compatibility.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
commit 7f89de7690edc3dfbd4eb70ad457814a2489a5bc
Author: David Woodhouse <David.Woodhouse@intel.com>
Date: Sun Dec 14 19:42:18 2014 +0000
Stop _pkcs11h_util_hexToBinary() checking for trailing NUL
We are going to want to use this for parsing %XX hex escapes in RFC7512 We are going to want to use this for parsing %XX hex escapes in RFC7512
PKCS#11 URIs, where we cannot expect a trailing NUL. Since there's only PKCS#11 URIs, where we cannot expect a trailing NUL. Since there's only
@ -28,11 +10,74 @@ Date: Sun Dec 14 19:42:18 2014 +0000
have responsibility for that check. have responsibility for that check.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
---
lib/pkcs11h-serialization.c | 8 +++++++-
lib/pkcs11h-util.c | 7 +------
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/lib/pkcs11h-serialization.c b/lib/pkcs11h-serialization.c diff --git a/lib/pkcs11h-serialization.c b/lib/pkcs11h-serialization.c
index ad275f8..1d077e4 100644 index 74b4ca7..a45a6c5 100644
--- a/lib/pkcs11h-serialization.c --- a/lib/pkcs11h-serialization.c
+++ b/lib/pkcs11h-serialization.c +++ b/lib/pkcs11h-serialization.c
@@ -61,29 +61,127 @@ @@ -368,6 +368,7 @@ pkcs11h_certificate_deserializeCertificateId (
CK_RV rv = CKR_FUNCTION_FAILED;
char *p = NULL;
char *_sz = NULL;
+ size_t id_hex_len;
_PKCS11H_ASSERT (p_certificate_id!=NULL);
_PKCS11H_ASSERT (sz!=NULL);
@@ -413,7 +414,12 @@ pkcs11h_certificate_deserializeCertificateId (
goto cleanup;
}
- certificate_id->attrCKA_ID_size = strlen (p)/2;
+ id_hex_len = strlen (p);
+ if (id_hex_len & 1) {
+ rv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto cleanup;
+ }
+ certificate_id->attrCKA_ID_size = id_hex_len/2;
if (
(rv = _pkcs11h_mem_malloc (
diff --git a/lib/pkcs11h-util.c b/lib/pkcs11h-util.c
index 7325db4..7dfe9a3 100644
--- a/lib/pkcs11h-util.c
+++ b/lib/pkcs11h-util.c
@@ -109,12 +109,7 @@ _pkcs11h_util_hexToBinary (
p++;
}
- if (*p != '\x0') {
- return CKR_ATTRIBUTE_VALUE_INVALID;
- }
- else {
- return CKR_OK;
- }
+ return CKR_OK;
}
CK_RV
From 4d5280da8df591aab701dff4493d13a835a9b29c Mon Sep 17 00:00:00 2001
From: David Woodhouse <David.Woodhouse@intel.com>
Date: Wed, 10 Dec 2014 14:00:21 +0000
Subject: [PATCH 2/3] Accept RFC7512-compliant PKCS#11 URIs as serialized
token/certificate IDs
The old format is still accepted for compatibility.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
---
lib/pkcs11h-serialization.c | 305 ++++++++++++++++++++++++++++++------
1 file changed, 256 insertions(+), 49 deletions(-)
diff --git a/lib/pkcs11h-serialization.c b/lib/pkcs11h-serialization.c
index a45a6c5..390ac0e 100644
--- a/lib/pkcs11h-serialization.c
+++ b/lib/pkcs11h-serialization.c
@@ -60,6 +60,26 @@
#if defined(ENABLE_PKCS11H_TOKEN) || defined(ENABLE_PKCS11H_CERTIFICATE) #if defined(ENABLE_PKCS11H_TOKEN) || defined(ENABLE_PKCS11H_CERTIFICATE)
@ -56,6 +101,400 @@ index ad275f8..1d077e4 100644
+ { NULL }, + { NULL },
+}; +};
+ +
CK_RV
pkcs11h_token_serializeTokenId (
OUT char * const sz,
@@ -149,9 +169,147 @@ pkcs11h_token_serializeTokenId (
return rv;
}
+static
CK_RV
-pkcs11h_token_deserializeTokenId (
- OUT pkcs11h_token_id_t *p_token_id,
+__parse_token_uri_attr (
+ const char *uri,
+ size_t urilen,
+ char *tokstr,
+ size_t toklen,
+ size_t *parsed_len
+) {
+ size_t orig_toklen = toklen;
+ CK_RV rv = CKR_OK;
+
+ while (urilen && toklen > 1) {
+ if (*uri == '%') {
+ size_t size = 1;
+
+ if (urilen < 3) {
+ rv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto done;
+ }
+
+ rv = _pkcs11h_util_hexToBinary ((unsigned char *)tokstr,
+ uri + 1, &size);
+ if (rv != CKR_OK) {
+ goto done;
+ }
+
+ uri += 2;
+ urilen -= 2;
+ } else {
+ *tokstr = *uri;
+ }
+ tokstr++;
+ uri++;
+ toklen--;
+ urilen--;
+ tokstr[0] = 0;
+ }
+
+ if (urilen) {
+ rv = CKR_ATTRIBUTE_VALUE_INVALID;
+ } else if (parsed_len) {
+ *parsed_len = orig_toklen - toklen;
+ }
+
+ done:
+ return rv;
+}
+
+static
+CK_RV
+__parse_pkcs11_uri (
+ OUT pkcs11h_token_id_t token_id,
+ OUT pkcs11h_certificate_id_t certificate_id,
+ IN const char * const sz
+) {
+ const char *end, *p;
+ CK_RV rv = CKR_OK;
+
+ _PKCS11H_ASSERT (token_id!=NULL);
+ _PKCS11H_ASSERT (sz!=NULL);
+
+ if (strncmp (sz, URI_SCHEME, strlen (URI_SCHEME)))
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+
+ end = sz + strlen (URI_SCHEME) - 1;
+ while (rv == CKR_OK && end[0] && end[1]) {
+ int i;
+
+ p = end + 1;
+ end = strchr (p, ';');
+ if (!end)
+ end = p + strlen(p);
+
+ for (i = 0; __token_fields[i].name; i++) {
+ /* Parse the token=, label=, manufacturer= and serial= fields */
+ if (!strncmp(p, __token_fields[i].name, __token_fields[i].namelen)) {
+ char *field = ((char *)token_id) + __token_fields[i].field_ofs;
+
+ p += __token_fields[i].namelen;
+ rv = __parse_token_uri_attr (p, end - p, field,
+ __token_fields[i].field_size,
+ NULL);
+ if (rv != CKR_OK) {
+ goto cleanup;
+ }
+
+ goto matched;
+ }
+ }
+ if (certificate_id && !strncmp(p, "id=", 3)) {
+ p += 3;
+
+ rv = _pkcs11h_mem_malloc ((void *)&certificate_id->attrCKA_ID,
+ end - p + 1);
+ if (rv != CKR_OK) {
+ goto cleanup;
+ }
+
+ rv = __parse_token_uri_attr (p, end - p,
+ (char *)certificate_id->attrCKA_ID,
+ end - p + 1,
+ &certificate_id->attrCKA_ID_size);
+ if (rv != CKR_OK) {
+ goto cleanup;
+ }
+
+ goto matched;
+ }
+
+ /* We don't parse object= because the match code doesn't support
+ matching by label. */
+
+ /* Failed to parse PKCS#11 URI element. */
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+
+ matched:
+ ;
+ }
+cleanup:
+ /* The matching code doesn't support support partial matches; it needs
+ * *all* of manufacturer, model, serial and label attributes to be
+ * defined. So reject partial URIs early instead of letting it do the
+ * wrong thing. We can maybe improve this later. */
+ if (!token_id->model[0] || !token_id->label[0] ||
+ !token_id->manufacturerID[0] || !token_id->serialNumber[0]) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ /* For a certificate ID we need CKA_ID */
+ if (certificate_id && !certificate_id->attrCKA_ID_size) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ return rv;
+}
+
+static
+CK_RV
+__pkcs11h_token_legacy_deserializeTokenId (
+ OUT pkcs11h_token_id_t token_id,
IN const char * const sz
) {
#define __PKCS11H_TARGETS_NUMBER 4
@@ -160,24 +318,11 @@ pkcs11h_token_deserializeTokenId (
size_t s;
} targets[__PKCS11H_TARGETS_NUMBER];
- pkcs11h_token_id_t token_id = NULL;
char *p1 = NULL;
char *_sz = NULL;
int e;
CK_RV rv = CKR_FUNCTION_FAILED;
- _PKCS11H_ASSERT (p_token_id!=NULL);
- _PKCS11H_ASSERT (sz!=NULL);
-
- _PKCS11H_DEBUG (
- PKCS11H_LOG_DEBUG2,
- "PKCS#11: pkcs11h_token_deserializeTokenId entry p_token_id=%p, sz='%s'",
- (void *)p_token_id,
- sz
- );
-
- *p_token_id = NULL;
-
if (
(rv = _pkcs11h_mem_strdup (
(void *)&_sz,
@@ -189,10 +334,6 @@ pkcs11h_token_deserializeTokenId (
p1 = _sz;
- if ((rv = _pkcs11h_token_newTokenId (&token_id)) != CKR_OK) {
- goto cleanup;
- }
-
targets[0].p = token_id->manufacturerID;
targets[0].s = sizeof (token_id->manufacturerID);
targets[1].p = token_id->model;
@@ -251,6 +392,51 @@ pkcs11h_token_deserializeTokenId (
p1 = p2+1;
}
+ rv = CKR_OK;
+
+cleanup:
+
+ if (_sz != NULL) {
+ _pkcs11h_mem_free ((void *)&_sz);
+ }
+
+ return rv;
+#undef __PKCS11H_TARGETS_NUMBER
+}
+
+CK_RV
+pkcs11h_token_deserializeTokenId (
+ OUT pkcs11h_token_id_t *p_token_id,
+ IN const char * const sz
+) {
+ pkcs11h_token_id_t token_id = NULL;
+ CK_RV rv = CKR_FUNCTION_FAILED;
+
+ _PKCS11H_ASSERT (p_token_id!=NULL);
+ _PKCS11H_ASSERT (sz!=NULL);
+
+ _PKCS11H_DEBUG (
+ PKCS11H_LOG_DEBUG2,
+ "PKCS#11: pkcs11h_token_deserializeTokenId entry p_token_id=%p, sz='%s'",
+ (void *)p_token_id,
+ sz
+ );
+
+ *p_token_id = NULL;
+
+ if ((rv = _pkcs11h_token_newTokenId (&token_id)) != CKR_OK) {
+ goto cleanup;
+ }
+
+ if (!strncmp (sz, URI_SCHEME, strlen (URI_SCHEME))) {
+ rv = __parse_pkcs11_uri(token_id, NULL, sz);
+ } else {
+ rv = __pkcs11h_token_legacy_deserializeTokenId(token_id, sz);
+ }
+ if (rv != CKR_OK) {
+ goto cleanup;
+ }
+
strncpy (
token_id->display,
token_id->label,
@@ -263,11 +449,6 @@ pkcs11h_token_deserializeTokenId (
rv = CKR_OK;
cleanup:
-
- if (_sz != NULL) {
- _pkcs11h_mem_free ((void *)&_sz);
- }
-
if (token_id != NULL) {
pkcs11h_token_freeTokenId (token_id);
}
@@ -280,7 +461,6 @@ pkcs11h_token_deserializeTokenId (
);
return rv;
-#undef __PKCS11H_TARGETS_NUMBER
}
#endif /* ENABLE_PKCS11H_TOKEN || ENABLE_PKCS11H_CERTIFICATE */
@@ -359,29 +539,17 @@ pkcs11h_certificate_serializeCertificateId (
return rv;
}
+static
CK_RV
-pkcs11h_certificate_deserializeCertificateId (
- OUT pkcs11h_certificate_id_t * const p_certificate_id,
+__pkcs11h_certificate_legacy_deserializeCertificateId (
+ OUT pkcs11h_certificate_id_t certificate_id,
IN const char * const sz
) {
- pkcs11h_certificate_id_t certificate_id = NULL;
CK_RV rv = CKR_FUNCTION_FAILED;
char *p = NULL;
char *_sz = NULL;
size_t id_hex_len;
- _PKCS11H_ASSERT (p_certificate_id!=NULL);
- _PKCS11H_ASSERT (sz!=NULL);
-
- *p_certificate_id = NULL;
-
- _PKCS11H_DEBUG (
- PKCS11H_LOG_DEBUG2,
- "PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=%p, sz='%s'",
- (void *)p_certificate_id,
- sz
- );
-
if (
(rv = _pkcs11h_mem_strdup (
(void *)&_sz,
@@ -393,10 +561,6 @@ pkcs11h_certificate_deserializeCertificateId (
p = _sz;
- if ((rv = _pkcs11h_certificate_newCertificateId (&certificate_id)) != CKR_OK) {
- goto cleanup;
- }
-
if ((p = strrchr (_sz, '/')) == NULL) {
rv = CKR_ATTRIBUTE_VALUE_INVALID;
goto cleanup;
@@ -435,21 +599,64 @@ pkcs11h_certificate_deserializeCertificateId (
goto cleanup;
}
+ rv = CKR_OK;
+
+cleanup:
+
+ if (_sz != NULL) {
+ _pkcs11h_mem_free ((void *)&_sz);
+ }
+
+ return rv;
+
+}
+
+CK_RV
+pkcs11h_certificate_deserializeCertificateId (
+ OUT pkcs11h_certificate_id_t * const p_certificate_id,
+ IN const char * const sz
+) {
+ pkcs11h_certificate_id_t certificate_id = NULL;
+ CK_RV rv = CKR_FUNCTION_FAILED;
+
+ _PKCS11H_ASSERT (p_certificate_id!=NULL);
+ _PKCS11H_ASSERT (sz!=NULL);
+
+ *p_certificate_id = NULL;
+
+ _PKCS11H_DEBUG (
+ PKCS11H_LOG_DEBUG2,
+ "PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=%p, sz='%s'",
+ (void *)p_certificate_id,
+ sz
+ );
+
+ if ((rv = _pkcs11h_certificate_newCertificateId (&certificate_id)) != CKR_OK) {
+ goto cleanup;
+ }
+ if ((rv = _pkcs11h_token_newTokenId (&certificate_id->token_id)) != CKR_OK) {
+ goto cleanup;
+ }
+
+ if (!strncmp(sz, URI_SCHEME, strlen (URI_SCHEME))) {
+ rv = __parse_pkcs11_uri (certificate_id->token_id, certificate_id, sz);
+ } else {
+ rv = __pkcs11h_certificate_legacy_deserializeCertificateId (certificate_id, sz);
+ }
+ if (rv != CKR_OK) {
+ goto cleanup;
+ }
+
*p_certificate_id = certificate_id;
certificate_id = NULL;
rv = CKR_OK;
cleanup:
-
if (certificate_id != NULL) {
pkcs11h_certificate_freeCertificateId (certificate_id);
certificate_id = NULL;
}
- if (_sz != NULL) {
- _pkcs11h_mem_free ((void *)&_sz);
- }
-
_PKCS11H_DEBUG (
PKCS11H_LOG_DEBUG2,
"PKCS#11: pkcs11h_certificate_deserializeCertificateId return rv=%lu-'%s'",
From 90590b02085edc3830bdfe0942a46c4e7bf3f1ab Mon Sep 17 00:00:00 2001
From: David Woodhouse <David.Woodhouse@intel.com>
Date: Thu, 30 Apr 2015 14:58:24 +0100
Subject: [PATCH 3/3] Serialize to RFC7512-compliant PKCS#11 URIs
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
---
lib/pkcs11h-serialization.c | 186 ++++++++++++++++++------------------
1 file changed, 91 insertions(+), 95 deletions(-)
diff --git a/lib/pkcs11h-serialization.c b/lib/pkcs11h-serialization.c
index 390ac0e..0ea1861 100644
--- a/lib/pkcs11h-serialization.c
+++ b/lib/pkcs11h-serialization.c
@@ -80,29 +80,107 @@ static struct {
{ NULL },
};
+#define P11_URL_VERBATIM "abcdefghijklmnopqrstuvwxyz" \ +#define P11_URL_VERBATIM "abcdefghijklmnopqrstuvwxyz" \
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \ + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \
+ "0123456789_-." + "0123456789_-."
@ -67,7 +506,7 @@ index ad275f8..1d077e4 100644
+ int len = 0, i; + int len = 0, i;
+ +
+ for (i = 0; i < attrlen; i++) { + for (i = 0; i < attrlen; i++) {
+ if (strchr(P11_URL_VERBATIM, attr[i])) { + if ((attr[i] != '\x0') && strchr(P11_URL_VERBATIM, attr[i])) {
+ if (uri) { + if (uri) {
+ *(uri++) = attr[i]; + *(uri++) = attr[i];
+ } + }
@ -171,7 +610,7 @@ index ad275f8..1d077e4 100644
_PKCS11H_DEBUG ( _PKCS11H_DEBUG (
PKCS11H_LOG_DEBUG2, PKCS11H_LOG_DEBUG2,
"PKCS#11: pkcs11h_token_serializeTokenId entry sz=%p, *max="P_Z", token_id=%p", "PKCS#11: pkcs11h_token_serializeTokenId entry sz=%p, *max="P_Z", token_id=%p",
@@ -92,67 +190,161 @@ pkcs11h_token_serializeTokenId ( @@ -111,51 +189,7 @@ pkcs11h_token_serializeTokenId (
(void *)token_id (void *)token_id
); );
@ -187,124 +626,16 @@ index ad275f8..1d077e4 100644
- )) != CKR_OK - )) != CKR_OK
- ) { - ) {
- goto cleanup; - goto cleanup;
+ rv = __generate_pkcs11_uri(sz, max, NULL, token_id); - }
+
+ _PKCS11H_DEBUG (
+ PKCS11H_LOG_DEBUG2,
+ "PKCS#11: pkcs11h_token_serializeTokenId return rv=%lu-'%s', *max="P_Z", sz='%s'",
+ rv,
+ pkcs11h_getMessage (rv),
+ *max,
+ sz
+ );
+
+ return rv;
+}
+
+static
+CK_RV
+__parse_token_uri_attr (
+ const char *uri,
+ size_t urilen,
+ char *tokstr,
+ size_t toklen,
+ size_t *parsed_len
+) {
+ size_t orig_toklen = toklen;
+ CK_RV rv = CKR_OK;
+
+ while (urilen && toklen > 1) {
+ if (*uri == '%') {
+ size_t size = 1;
+
+ if (urilen < 3) {
+ rv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto done;
+ }
+
+ rv = _pkcs11h_util_hexToBinary ((unsigned char *)tokstr,
+ uri + 1, &size);
+ if (rv != CKR_OK) {
+ goto done;
+ }
+
+ uri += 2;
+ urilen -= 2;
+ } else {
+ *tokstr = *uri;
}
- n+=t; - n+=t;
+ tokstr++; - }
+ uri++; -
+ toklen--;
+ urilen--;
+ tokstr[0] = 0;
}
- if (sz != NULL) { - if (sz != NULL) {
- if (*max < n) { - if (*max < n) {
- rv = CKR_ATTRIBUTE_VALUE_INVALID; - rv = CKR_ATTRIBUTE_VALUE_INVALID;
- goto cleanup; - goto cleanup;
+ if (urilen) { - }
+ rv = CKR_ATTRIBUTE_VALUE_INVALID; -
+ } else if (parsed_len) {
+ *parsed_len = orig_toklen - toklen;
+ }
+
+ done:
+ return rv;
+}
+
+static
+CK_RV
+__parse_pkcs11_uri (
+ OUT pkcs11h_token_id_t token_id,
+ OUT pkcs11h_certificate_id_t certificate_id,
+ IN const char * const sz
+) {
+ const char *end, *p;
+ CK_RV rv = CKR_OK;
+
+ _PKCS11H_ASSERT (token_id!=NULL);
+ _PKCS11H_ASSERT (sz!=NULL);
+
+ if (strncmp (sz, URI_SCHEME, strlen (URI_SCHEME)))
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+
+ end = sz + strlen (URI_SCHEME) - 1;
+ while (rv == CKR_OK && end[0] && end[1]) {
+ int i;
+
+ p = end + 1;
+ end = strchr (p, ';');
+ if (!end)
+ end = p + strlen(p);
+
+ for (i = 0; __token_fields[i].name; i++) {
+ /* Parse the token=, label=, manufacturer= and serial= fields */
+ if (!strncmp(p, __token_fields[i].name, __token_fields[i].namelen)) {
+ char *field = ((char *)token_id) + __token_fields[i].field_ofs;
+
+ p += __token_fields[i].namelen;
+ rv = __parse_token_uri_attr (p, end - p, field,
+ __token_fields[i].field_size,
+ NULL);
+ if (rv != CKR_OK) {
+ goto cleanup;
+ }
+
+ goto matched;
+ }
}
+ if (certificate_id && !strncmp(p, "id=", 3)) {
+ p += 3;
+
+ rv = _pkcs11h_mem_malloc ((void *)&certificate_id->attrCKA_ID,
+ end - p + 1);
+ if (rv != CKR_OK) {
+ goto cleanup;
+ }
- n = 0; - n = 0;
- for (e=0;sources[e] != NULL;e++) { - for (e=0;sources[e] != NULL;e++) {
- size_t t = *max-n; - size_t t = *max-n;
@ -316,176 +647,23 @@ index ad275f8..1d077e4 100644
- __PKCS11H_SERIALIZE_INVALID_CHARS - __PKCS11H_SERIALIZE_INVALID_CHARS
- )) != CKR_OK - )) != CKR_OK
- ) { - ) {
+ rv = __parse_token_uri_attr (p, end - p,
+ (char *)certificate_id->attrCKA_ID,
+ end - p + 1,
+ &certificate_id->attrCKA_ID_size);
+ if (rv != CKR_OK) {
goto cleanup;
}
- n+=t;
- sz[n-1] = '/';
+
+ goto matched;
}
- sz[n-1] = '\x0';
- }
- *max = n;
- rv = CKR_OK;
+ /* We don't parse object= because the match code doesn't support
+ matching by label. */
+
+ /* Failed to parse PKCS#11 URI element. */
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ matched:
+ ;
+ }
cleanup:
+ /* The matching code doesn't support support partial matches; it needs
+ * *all* of manufacturer, model, serial and label attributes to be
+ * defined. So reject partial URIs early instead of letting it do the
+ * wrong thing. We can maybe improve this later. */
+ if (!token_id->model[0] || !token_id->label[0] ||
+ !token_id->manufacturerID[0] || !token_id->serialNumber[0]) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
- _PKCS11H_DEBUG (
- PKCS11H_LOG_DEBUG2,
- "PKCS#11: pkcs11h_token_serializeTokenId return rv=%lu-'%s', *max="P_Z", sz='%s'",
- rv,
- pkcs11h_getMessage (rv),
- *max,
- sz
- );
+ /* For a certificate ID we need CKA_ID */
+ if (certificate_id && !certificate_id->attrCKA_ID_size) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
return rv;
}
+static
CK_RV
-pkcs11h_token_deserializeTokenId (
- OUT pkcs11h_token_id_t *p_token_id,
+__pkcs11h_token_legacy_deserializeTokenId (
+ OUT pkcs11h_token_id_t token_id,
IN const char * const sz
) {
#define __PKCS11H_TARGETS_NUMBER 4
@@ -161,24 +353,11 @@ pkcs11h_token_deserializeTokenId (
size_t s;
} targets[__PKCS11H_TARGETS_NUMBER];
- pkcs11h_token_id_t token_id = NULL;
char *p1 = NULL;
char *_sz = NULL;
int e;
CK_RV rv = CKR_FUNCTION_FAILED;
- _PKCS11H_ASSERT (p_token_id!=NULL);
- _PKCS11H_ASSERT (sz!=NULL);
-
- _PKCS11H_DEBUG (
- PKCS11H_LOG_DEBUG2,
- "PKCS#11: pkcs11h_token_deserializeTokenId entry p_token_id=%p, sz='%s'",
- (void *)p_token_id,
- sz
- );
-
- *p_token_id = NULL;
-
if (
(rv = _pkcs11h_mem_strdup (
(void *)&_sz,
@@ -190,10 +369,6 @@ pkcs11h_token_deserializeTokenId (
p1 = _sz;
- if ((rv = _pkcs11h_token_newTokenId (&token_id)) != CKR_OK) {
- goto cleanup; - goto cleanup;
- } - }
- - n+=t;
targets[0].p = token_id->manufacturerID; - sz[n-1] = '/';
targets[0].s = sizeof (token_id->manufacturerID); - }
targets[1].p = token_id->model; - sz[n-1] = '\x0';
@@ -252,6 +427,51 @@ pkcs11h_token_deserializeTokenId (
p1 = p2+1;
}
+ rv = CKR_OK;
+
+cleanup:
+
+ if (_sz != NULL) {
+ _pkcs11h_mem_free ((void *)&_sz);
+ }
+
+ return rv;
+#undef __PKCS11H_TARGETS_NUMBER
+}
+
+CK_RV
+pkcs11h_token_deserializeTokenId (
+ OUT pkcs11h_token_id_t *p_token_id,
+ IN const char * const sz
+) {
+ pkcs11h_token_id_t token_id = NULL;
+ CK_RV rv = CKR_FUNCTION_FAILED;
+
+ _PKCS11H_ASSERT (p_token_id!=NULL);
+ _PKCS11H_ASSERT (sz!=NULL);
+
+ _PKCS11H_DEBUG (
+ PKCS11H_LOG_DEBUG2,
+ "PKCS#11: pkcs11h_token_deserializeTokenId entry p_token_id=%p, sz='%s'",
+ (void *)p_token_id,
+ sz
+ );
+
+ *p_token_id = NULL;
+
+ if ((rv = _pkcs11h_token_newTokenId (&token_id)) != CKR_OK) {
+ goto cleanup;
+ }
+
+ if (!strncmp (sz, URI_SCHEME, strlen (URI_SCHEME))) {
+ rv = __parse_pkcs11_uri(token_id, NULL, sz);
+ } else {
+ rv = __pkcs11h_token_legacy_deserializeTokenId(token_id, sz);
+ }
+ if (rv != CKR_OK) {
+ goto cleanup;
+ }
+
strncpy (
token_id->display,
token_id->label,
@@ -264,11 +484,6 @@ pkcs11h_token_deserializeTokenId (
rv = CKR_OK;
cleanup:
-
- if (_sz != NULL) {
- _pkcs11h_mem_free ((void *)&_sz);
- } - }
- -
if (token_id != NULL) { - *max = n;
pkcs11h_token_freeTokenId (token_id); - rv = CKR_OK;
} -
@@ -281,7 +496,6 @@ cleanup: -cleanup:
); + rv = __generate_pkcs11_uri(sz, max, NULL, token_id);
return rv; _PKCS11H_DEBUG (
-#undef __PKCS11H_TARGETS_NUMBER PKCS11H_LOG_DEBUG2,
} @@ -474,9 +508,6 @@ pkcs11h_certificate_serializeCertificateId (
#endif /* ENABLE_PKCS11H_TOKEN || ENABLE_PKCS11H_CERTIFICATE */
@@ -295,9 +509,6 @@ pkcs11h_certificate_serializeCertificateId (
IN const pkcs11h_certificate_id_t certificate_id IN const pkcs11h_certificate_id_t certificate_id
) { ) {
CK_RV rv = CKR_FUNCTION_FAILED; CK_RV rv = CKR_FUNCTION_FAILED;
@ -495,7 +673,7 @@ index ad275f8..1d077e4 100644
/*_PKCS11H_ASSERT (sz!=NULL); Not required */ /*_PKCS11H_ASSERT (sz!=NULL); Not required */
_PKCS11H_ASSERT (max!=NULL); _PKCS11H_ASSERT (max!=NULL);
@@ -311,42 +522,7 @@ pkcs11h_certificate_serializeCertificateId ( @@ -490,42 +521,7 @@ pkcs11h_certificate_serializeCertificateId (
(void *)certificate_id (void *)certificate_id
); );
@ -539,148 +717,3 @@ index ad275f8..1d077e4 100644
_PKCS11H_DEBUG ( _PKCS11H_DEBUG (
PKCS11H_LOG_DEBUG2, PKCS11H_LOG_DEBUG2,
@@ -360,27 +536,16 @@ cleanup:
return rv;
}
+static
CK_RV
-pkcs11h_certificate_deserializeCertificateId (
- OUT pkcs11h_certificate_id_t * const p_certificate_id,
+__pkcs11h_certificate_legacy_deserializeCertificateId (
+ OUT pkcs11h_certificate_id_t certificate_id,
IN const char * const sz
) {
- pkcs11h_certificate_id_t certificate_id = NULL;
CK_RV rv = CKR_FUNCTION_FAILED;
char *p = NULL;
char *_sz = NULL;
-
- _PKCS11H_ASSERT (p_certificate_id!=NULL);
- _PKCS11H_ASSERT (sz!=NULL);
-
- *p_certificate_id = NULL;
-
- _PKCS11H_DEBUG (
- PKCS11H_LOG_DEBUG2,
- "PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=%p, sz='%s'",
- (void *)p_certificate_id,
- sz
- );
+ size_t id_hex_len;
if (
(rv = _pkcs11h_mem_strdup (
@@ -393,10 +558,6 @@ pkcs11h_certificate_deserializeCertificateId (
p = _sz;
- if ((rv = _pkcs11h_certificate_newCertificateId (&certificate_id)) != CKR_OK) {
- goto cleanup;
- }
-
if ((p = strrchr (_sz, '/')) == NULL) {
rv = CKR_ATTRIBUTE_VALUE_INVALID;
goto cleanup;
@@ -414,7 +575,12 @@ pkcs11h_certificate_deserializeCertificateId (
goto cleanup;
}
- certificate_id->attrCKA_ID_size = strlen (p)/2;
+ id_hex_len = strlen (p);
+ if (id_hex_len & 1) {
+ rv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto cleanup;
+ }
+ certificate_id->attrCKA_ID_size = id_hex_len/2;
if (
(rv = _pkcs11h_mem_malloc (
@@ -430,21 +596,64 @@ pkcs11h_certificate_deserializeCertificateId (
goto cleanup;
}
+ rv = CKR_OK;
+
+cleanup:
+
+ if (_sz != NULL) {
+ _pkcs11h_mem_free ((void *)&_sz);
+ }
+
+ return rv;
+
+}
+
+CK_RV
+pkcs11h_certificate_deserializeCertificateId (
+ OUT pkcs11h_certificate_id_t * const p_certificate_id,
+ IN const char * const sz
+) {
+ pkcs11h_certificate_id_t certificate_id = NULL;
+ CK_RV rv = CKR_FUNCTION_FAILED;
+
+ _PKCS11H_ASSERT (p_certificate_id!=NULL);
+ _PKCS11H_ASSERT (sz!=NULL);
+
+ *p_certificate_id = NULL;
+
+ _PKCS11H_DEBUG (
+ PKCS11H_LOG_DEBUG2,
+ "PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=%p, sz='%s'",
+ (void *)p_certificate_id,
+ sz
+ );
+
+ if ((rv = _pkcs11h_certificate_newCertificateId (&certificate_id)) != CKR_OK) {
+ goto cleanup;
+ }
+ if ((rv = _pkcs11h_token_newTokenId (&certificate_id->token_id)) != CKR_OK) {
+ goto cleanup;
+ }
+
+ if (!strncmp(sz, URI_SCHEME, strlen (URI_SCHEME))) {
+ rv = __parse_pkcs11_uri (certificate_id->token_id, certificate_id, sz);
+ } else {
+ rv = __pkcs11h_certificate_legacy_deserializeCertificateId (certificate_id, sz);
+ }
+ if (rv != CKR_OK) {
+ goto cleanup;
+ }
+
*p_certificate_id = certificate_id;
certificate_id = NULL;
rv = CKR_OK;
cleanup:
-
if (certificate_id != NULL) {
pkcs11h_certificate_freeCertificateId (certificate_id);
certificate_id = NULL;
}
- if (_sz != NULL) {
- _pkcs11h_mem_free ((void *)&_sz);
- }
-
_PKCS11H_DEBUG (
PKCS11H_LOG_DEBUG2,
"PKCS#11: pkcs11h_certificate_deserializeCertificateId return rv=%lu-'%s'",
diff --git a/lib/pkcs11h-util.c b/lib/pkcs11h-util.c
index 0743fd1..f90e443 100644
--- a/lib/pkcs11h-util.c
+++ b/lib/pkcs11h-util.c
@@ -110,12 +110,7 @@ _pkcs11h_util_hexToBinary (
p++;
}
- if (*p != '\x0') {
- return CKR_ATTRIBUTE_VALUE_INVALID;
- }
- else {
- return CKR_OK;
- }
+ return CKR_OK;
}
CK_RV

13
pkcs11-helper.spec
View File

@ -1,6 +1,6 @@
Name: pkcs11-helper Name: pkcs11-helper
Version: 1.25.1 Version: 1.29.0
Release: 2 Release: 1
Summary: A library that simplifies the interaction with PKCS#11 providers Summary: A library that simplifies the interaction with PKCS#11 providers
License: BSD and GPLv2 License: BSD and GPLv2
URL: https://github.com/OpenSC/OpenSC/wiki URL: https://github.com/OpenSC/OpenSC/wiki
@ -8,7 +8,7 @@ Source0: https://github.com/OpenSC/%{name}/releases/download/%{name}-%{ve
Patch1: pkcs11-helper-rfc7512.patch Patch1: pkcs11-helper-rfc7512.patch
BuildRequires: gcc compat-openssl11-devel doxygen BuildRequires: gcc openssl-devel doxygen
%description %description
PKCS#11 is published standard. PKCS#11 is the de-facto standard to access cryptographic devices. PKCS#11 is published standard. PKCS#11 is the de-facto standard to access cryptographic devices.
@ -25,7 +25,7 @@ decryption.
%package devel %package devel
Summary: Development files for %{name} Summary: Development files for %{name}
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
Requires: automake compat-openssl11-devel Requires: automake openssl-devel
%description devel %description devel
This package contains the development files for %{name}. This package contains the development files for %{name}.
@ -37,7 +37,7 @@ This package contains the development files for %{name}.
%build %build
%configure --enable-doc %configure --enable-doc --disable-static
%make_build %make_build
%install %install
@ -65,6 +65,9 @@ This package contains the development files for %{name}.
%{_mandir}/man8/* %{_mandir}/man8/*
%changelog %changelog
* Thu Feb 09 2023 yaoxin <yaoxin30@h-partners.com> - 1.29.0-1
- Update to 1.29.0
* Fri Feb 03 2023 yaoxin <yaoxin30@h-partners.com> - 1.25.1-2 * Fri Feb 03 2023 yaoxin <yaoxin30@h-partners.com> - 1.25.1-2
- Fix build error due to openssl update to 3.0 - Fix build error due to openssl update to 3.0