authorStef Walter <stefw@gnome.org>2013-02-03 23:26:10 +0100
committerStef Walter <stefw@gnome.org>2013-02-05 15:00:25 +0100
commit32ca4f6d3167d08fc985d66fe48f453954596f87 (patch)
tree4dd767287480a047e4f1370bc6925d2fb748ceea /trust
parent39e9f190416ecb4260a3b079e1d79fc2e55f5a33 (diff)
Use the CN, OU or O of certificates to generate a label
* This is in cases where the certificate information does not already have a friendly name or alias.
Diffstat (limited to 'trust')
-rw-r--r--trust/parser.c51
-rw-r--r--trust/tests/test-parser.c22
2 files changed, 41 insertions, 32 deletions
diff --git a/trust/parser.c b/trust/parser.c
index f6da728..6229d09 100644
--- a/trust/parser.c
+++ b/trust/parser.c
@@ -69,7 +69,7 @@ struct _p11_parser {
/* Set during a parse */
p11_parser_sink sink;
void *sink_data;
- const char *probable_label;
+ const char *basename;
int flags;
/* Parsing state */
@@ -152,12 +152,11 @@ static CK_ATTRIBUTE *
build_object (p11_parser *parser,
CK_OBJECT_CLASS vclass,
CK_BYTE *vid,
- const char *explicit_label)
+ const char *vlabel)
{
CK_ATTRIBUTE *attrs = NULL;
CK_BBOOL vtrue = CK_TRUE;
CK_BBOOL vfalse = CK_FALSE;
- const char *vlabel;
CK_ATTRIBUTE klass = { CKA_CLASS, &vclass, sizeof (vclass) };
CK_ATTRIBUTE token = { CKA_TOKEN, &vtrue, sizeof (vtrue) };
@@ -166,7 +165,8 @@ build_object (p11_parser *parser,
CK_ATTRIBUTE id = { CKA_ID, vid, ID_LENGTH };
CK_ATTRIBUTE label = { CKA_LABEL, };
- vlabel = explicit_label ? (char *)explicit_label : parser->probable_label;
+ if (!vlabel)
+ vlabel = parser->basename;
if (vlabel) {
label.pValue = (void *)vlabel;
label.ulValueLen = strlen (vlabel);
@@ -277,6 +277,7 @@ build_x509_certificate (p11_parser *parser,
CK_ATTRIBUTE *attrs;
CK_CERTIFICATE_TYPE vx509 = CKC_X_509;
CK_BYTE vchecksum[3];
+ char *label;
CK_DATE vstart;
CK_DATE vend;
@@ -321,8 +322,18 @@ build_x509_certificate (p11_parser *parser,
if (!calc_element (cert, data, length, "tbsCertificate.serialNumber", &serial_number))
serial_number.type = CKA_INVALID;
- attrs = build_object (parser, CKO_CERTIFICATE, vid, NULL);
+ label = p11_x509_lookup_dn_name (parser->cert_asn, "tbsCertificate.subject",
+ parser->cert_der, parser->cert_len, P11_OID_CN);
+ if (!label)
+ label = p11_x509_lookup_dn_name (parser->cert_asn, "tbsCertificate.subject",
+ parser->cert_der, parser->cert_len, P11_OID_OU);
+ if (!label)
+ label = p11_x509_lookup_dn_name (parser->cert_asn, "tbsCertificate.subject",
+ parser->cert_der, parser->cert_len, P11_OID_O);
+
+ attrs = build_object (parser, CKO_CERTIFICATE, vid, label);
return_val_if_fail (attrs != NULL, NULL);
+ free (label);
attrs = p11_attrs_build (attrs, &certificate_type, &certificate_category,
&check_value, &trusted, &distrusted, &start_date, &end_date,
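Review bot: `label` leaks when `build_object` fails, because `return_val_if_fail (attrs != NULL, NULL)` returns before the `free (label)` that follows it; the hunk itself frees `label` right after the call, so the attribute set evidently keeps its own copy, and the free can safely move ahead of the check: `attrs = build_object (parser, CKO_CERTIFICATE, vid, label);` / `free (label);` / `return_val_if_fail (attrs != NULL, NULL);`. The label now derives from certificate content rather than the file name, and whether `p11_x509_lookup_dn_name` returns a NUL-terminated, printable string is not visible here; `build_object` measures it with `strlen`, so a subject attribute with embedded NULs or control characters would yield a truncated or odd CKA_LABEL, which deserves either a comment stating the helper's contract or a check at the helper. build_x509_certificate starts and ends outside this hunk.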
@@ -852,7 +863,7 @@ parse_openssl_trusted_certificate (p11_parser *parser,
{
CK_ATTRIBUTE *attrs;
CK_BYTE vid[ID_LENGTH];
- const char *old_label = NULL;
+ CK_ATTRIBUTE *attr;
char *label = NULL;
node_asn *cert;
node_asn *aux;
@@ -883,6 +894,12 @@ parse_openssl_trusted_certificate (p11_parser *parser,
begin_parsing (parser, cert, data, cert_len);
+ /* The CKA_ID links related objects */
+ id_generate (parser, vid);
+
+ attrs = build_x509_certificate (parser, vid, cert, data, cert_len);
+ return_val_if_fail (attrs != NULL, P11_PARSE_FAILURE);
+
/* Pull the label out of the CertAux */
len = 0;
ret = asn1_read_value (aux, "alias", NULL, &len);
@@ -893,16 +910,13 @@ parse_openssl_trusted_certificate (p11_parser *parser,
ret = asn1_read_value (aux, "alias", label, &len);
return_val_if_fail (ret == ASN1_SUCCESS, P11_PARSE_FAILURE);
- old_label = parser->probable_label;
- parser->probable_label = label;
+ attr = p11_attrs_find (attrs, CKA_LABEL);
+ assert (attr != NULL);
+ free (attr->pValue);
+ attr->pValue = label;
+ attr->ulValueLen = strlen (label);
}
- /* The CKA_ID links related objects */
- id_generate (parser, vid);
-
- attrs = build_x509_certificate (parser, vid, cert, data, cert_len);
- return_val_if_fail (attrs != NULL, P11_PARSE_FAILURE);
-
ret = build_openssl_extensions (parser, attrs, aux, data + cert_len, length - cert_len);
return_val_if_fail (ret == P11_PARSE_SUCCESS, ret);
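Review bot: `assert (attr != NULL)` on the CKA_LABEL lookup turns a missing label into an abort rather than a parse failure; whether `build_object` always emits a CKA_LABEL attribute when it has neither an explicit label nor a `parser->basename` is not visible in this hunk, and if it does not, a certificate file with no usable subject name reaching this path would crash the parser on input it should merely reject. The surrounding code's convention is `return_val_if_fail (attr != NULL, P11_PARSE_FAILURE);`, which keeps the failure in-band. Separately, `attr->pValue = label` hands ownership of the alias buffer to `attrs`, so dropping the `free (label)` at the end of the function is correct, but the `return_val_if_fail` on the `asn1_read_value` call just above now appears to leak both `label` and the already-built `attrs`, since `build_x509_certificate` was moved ahead of the alias extraction. parse_openssl_trusted_certificate starts and ends outside this hunk.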
@@ -911,11 +925,6 @@ parse_openssl_trusted_certificate (p11_parser *parser,
asn1_delete_structure (&cert);
asn1_delete_structure (&aux);
- if (label) {
- parser->probable_label = old_label;
- free (label);
- }
-
return P11_PARSE_SUCCESS;
}
@@ -1002,7 +1011,7 @@ p11_parse_memory (p11_parser *parser,
return_val_if_fail (parser->sink == NULL, P11_PARSE_FAILURE);
base = basename (filename);
- parser->probable_label = base;
+ parser->basename = base;
parser->sink = sink;
parser->sink_data = sink_data;
parser->flags = flags;
@@ -1019,7 +1028,7 @@ p11_parse_memory (p11_parser *parser,
break;
}
- parser->probable_label = NULL;
+ parser->basename = NULL;
parser->sink = NULL;
parser->sink_data = NULL;
parser->flags = 0;
diff --git a/trust/tests/test-parser.c b/trust/tests/test-parser.c
index a504cab..52092d0 100644
--- a/trust/tests/test-parser.c
+++ b/trust/tests/test-parser.c
@@ -530,7 +530,7 @@ test_parse_with_key_usage (CuTest *cu)
{ CKA_PRIVATE, &vfalse, sizeof (vfalse) },
{ CKA_MODIFIABLE, &vfalse, sizeof (vfalse) },
{ CKA_CLASS, &klass, sizeof (klass) },
- { CKA_LABEL, "self-signed-with-ku.der", 23 },
+ { CKA_LABEL, "self-signed-with-ku.example.com", 31 },
{ CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) },
{ CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) },
{ CKA_CHECK_VALUE, "d/\x9c", 3 },
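Review bot: The CKA_LABEL lengths `31` and `19` on the changed lines are hand-counted and must be re-counted every time an expected label changes, as happens in every hunk of this file; `sizeof ("self-signed-with-ku.example.com") - 1` expresses the same value without the risk of drift, and the same applies to the `19` paired with `"CAcert Class 3 Root"` in the test_parse_anchor hunks below. The new expectations presumably encode the CN-first lookup introduced in parser.c, so a short comment on the first occurrence, e.g. `/* label is taken from the subject name, not the file basename */`, would tell a reader why the strings are no longer file names.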
@@ -545,7 +545,7 @@ test_parse_with_key_usage (CuTest *cu)
};
CK_ATTRIBUTE nss_trust[] = {
- { CKA_LABEL, "self-signed-with-ku.der", 23 },
+ { CKA_LABEL, "self-signed-with-ku.example.com", 31 },
{ CKA_CLASS, &trust_object, sizeof (trust_object), },
{ CKA_CERT_SHA1_HASH, "d/\x9c=\xbc\x9a\x7f\x91\xc7wT\t`\x86\xe2\x8e\x8f\xa8J\x12", 20 },
{ CKA_CERT_MD5_HASH, "\xb1N=\x16\x12?dz\x97\x81""By/\xcc\x97\x82", 16 },
@@ -613,7 +613,7 @@ test_parse_anchor (CuTest *cu)
CK_X_ASSERTION_TYPE anchored_certificate = CKT_X_ANCHORED_CERTIFICATE;
CK_ATTRIBUTE nss_trust[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
{ CKA_CLASS, &trust_object, sizeof (trust_object), },
{ CKA_CERT_SHA1_HASH, "\xad\x7c\x3f\x64\xfc\x44\x39\xfe\xf4\xe9\x0b\xe8\xf4\x7c\x6c\xfa\x8a\xad\xfd\xce", 20 },
{ CKA_CERT_MD5_HASH, "\xf7\x25\x12\x82\x4e\x67\xb5\xd0\x8d\x92\xb7\x7c\x0b\x86\x7a\x42", 16 },
@@ -639,7 +639,7 @@ test_parse_anchor (CuTest *cu)
};
CK_ATTRIBUTE server_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
{ CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
{ CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -648,7 +648,7 @@ test_parse_anchor (CuTest *cu)
};
CK_ATTRIBUTE client_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
{ CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
{ CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -657,7 +657,7 @@ test_parse_anchor (CuTest *cu)
};
CK_ATTRIBUTE code_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
{ CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
{ CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -666,7 +666,7 @@ test_parse_anchor (CuTest *cu)
};
CK_ATTRIBUTE email_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
{ CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
{ CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -675,7 +675,7 @@ test_parse_anchor (CuTest *cu)
};
CK_ATTRIBUTE ipsec_system_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
{ CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
{ CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -684,7 +684,7 @@ test_parse_anchor (CuTest *cu)
};
CK_ATTRIBUTE ipsec_tunnel_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
{ CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
{ CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -693,7 +693,7 @@ test_parse_anchor (CuTest *cu)
};
CK_ATTRIBUTE ipsec_user_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
{ CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
{ CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -702,7 +702,7 @@ test_parse_anchor (CuTest *cu)
};
CK_ATTRIBUTE stamping_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
{ CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
{ CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },