From 29af2c1eeca2fb0257e1172753b129d638472f0f Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Fri, 15 Mar 2013 16:24:27 +0100
Subject: trust: Use a SHA-1 hash of subjectPublicKeyInfo as CKA_ID by default

This is what's recommended by the spec, and allows stapled extensions to hang off a predictable CKA_ID.

https://bugs.freedesktop.org/show_bug.cgi?id=62329
---
 common/x509.c | 22 ++++++++++++++++++++++
 common/x509.h | 5 +++++
 2 files changed, 27 insertions(+)
(limited to 'common')

diff --git a/common/x509.c b/common/x509.c
index f86d2b3..ae1c810 100644
--- a/common/x509.c
+++ b/common/x509.c
@@ -36,6 +36,7 @@
 #include "asn1.h"
 #define P11_DEBUG_FLAG P11_DEBUG_TRUST
+#include "checksum.h"
 #include "debug.h"
 #include "oid.h"
 #include "utf8.h"
@@ -104,6 +105,27 @@ p11_x509_find_extension (node_asn *cert,
 }
 
 bool
+p11_x509_calc_keyid (node_asn *cert,
+ const unsigned char *der,
+ size_t der_len,
+ unsigned char *keyid)
+{
+ int start, end;
+ int ret;
+
+ return_val_if_fail (cert != NULL, NULL);
+ return_val_if_fail (der != NULL, NULL);
+ return_val_if_fail (keyid != NULL, NULL);
+
+ ret = asn1_der_decoding_startEnd (cert, der, der_len, "tbsCertificate.subjectPublicKeyInfo", &start, &end);
+ return_val_if_fail (ret == ASN1_SUCCESS, false);
+ return_val_if_fail (end >= start, false);
+
+ p11_checksum_sha1 (keyid, (der + start), (end - start) + 1, NULL);
+ return true;
+}
+
+bool
 p11_x509_parse_basic_constraints (p11_dict *asn1_defs,
 const unsigned char *ext_der,
 size_t ext_len,
diff --git a/common/x509.h b/common/x509.h
index cbfc574..af91c28 100644
--- a/common/x509.h
+++ b/common/x509.h
@@ -46,6 +46,11 @@ unsigned char * p11_x509_find_extension (node_asn *cert,
 size_t der_len,
 size_t *ext_len);
 
+bool p11_x509_calc_keyid (node_asn *cert,
+ const unsigned char *der,
+ size_t der_len,
+ unsigned char *keyid);
+
 bool p11_x509_parse_basic_constraints (p11_dict *asn1_defs,
+ const unsigned char *ext_der,
 size_t ext_len,
-- cgit v1.1
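Review bot: The three `return_val_if_fail` guards at the top of `p11_x509_calc_keyid` return `NULL` from a function declared `bool`, while the guards later in the same body return `false`; they should read `return_val_if_fail (cert != NULL, false);`, `return_val_if_fail (der != NULL, false);` and `return_val_if_fail (keyid != NULL, false);`. The range check after `asn1_der_decoding_startEnd` only verifies `end >= start`, yet `start` and `end` are plain `int` and are used directly to slice `der`; a stricter guard such as `return_val_if_fail (start >= 0 && end >= start && (size_t)end < der_len, false);` keeps the `(end - start) + 1` bytes handed to `p11_checksum_sha1` inside the caller's buffer even if the decoder reports an inconsistent range. The function also relies on `keyid` being large enough for a SHA-1 digest (20 bytes) and on `der`/`der_len` being the exact encoding `cert` was decoded from, neither of which is stated anywhere in the hunk; a short header comment above the definition saying so would spare callers from guessing.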
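Review bot: The new `p11_x509_calc_keyid` prototype in common/x509.h gives no hint of how large `keyid` must be: it is declared as a bare `unsigned char *keyid` with no length parameter, so the size contract exists only in the implementation. A one-line comment above the declaration, e.g. `/* keyid: caller-provided buffer of SHA-1 digest length (20 bytes); der/der_len is the DER that cert was decoded from */`, would make the requirement visible at the point callers look. The neighbouring prototypes in the visible hunk carry no comments either, so a single line keeps with the file's current style while still documenting the one parameter whose misuse would be a buffer overrun.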