From 32ca4f6d3167d08fc985d66fe48f453954596f87 Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Sun, 3 Feb 2013 23:26:10 +0100
Subject: Use the CN, OU or O of certificates to generate a label

 * This is in cases where the certificate information does not already have a friendly name or alias.
---
 trust/parser.c | 51 ++++++++++++++++++++++++++++-------------------
 trust/tests/test-parser.c | 22 ++++++++++----------
 2 files changed, 41 insertions(+), 32 deletions(-)
(limited to 'trust')

diff --git a/trust/parser.c b/trust/parser.c
index f6da728..6229d09 100644
--- a/trust/parser.c
+++ b/trust/parser.c
@@ -69,7 +69,7 @@ struct _p11_parser {
 /* Set during a parse */
 p11_parser_sink sink;
 void *sink_data;
- const char *probable_label;
+ const char *basename;
 int flags;
 /* Parsing state */
@@ -152,12 +152,11 @@ static CK_ATTRIBUTE *
 build_object (p11_parser *parser,
 CK_OBJECT_CLASS vclass,
 CK_BYTE *vid,
- const char *explicit_label)
+ const char *vlabel)
 {
 CK_ATTRIBUTE *attrs = NULL;
 CK_BBOOL vtrue = CK_TRUE;
 CK_BBOOL vfalse = CK_FALSE;
- const char *vlabel;
 CK_ATTRIBUTE klass = { CKA_CLASS, &vclass, sizeof (vclass) };
 CK_ATTRIBUTE token = { CKA_TOKEN, &vtrue, sizeof (vtrue) };
@@ -166,7 +165,8 @@ build_object (p11_parser *parser,
 CK_ATTRIBUTE id = { CKA_ID, vid, ID_LENGTH };
 CK_ATTRIBUTE label = { CKA_LABEL, };
- vlabel = explicit_label ? (char *)explicit_label : parser->probable_label;
+ if (!vlabel)
+ vlabel = parser->basename;
 if (vlabel) {
 label.pValue = (void *)vlabel;
 label.ulValueLen = strlen (vlabel);
@@ -277,6 +277,7 @@ build_x509_certificate (p11_parser *parser,
 CK_ATTRIBUTE *attrs;
 CK_CERTIFICATE_TYPE vx509 = CKC_X_509;
 CK_BYTE vchecksum[3];
+ char *label;
 CK_DATE vstart;
 CK_DATE vend;
@@ -321,8 +322,18 @@ build_x509_certificate (p11_parser *parser,
 if (!calc_element (cert, data, length, "tbsCertificate.serialNumber", &serial_number))
 serial_number.type = CKA_INVALID;
- attrs = build_object (parser, CKO_CERTIFICATE, vid, NULL);
+ label = p11_x509_lookup_dn_name (parser->cert_asn, "tbsCertificate.subject",
+ parser->cert_der, parser->cert_len, P11_OID_CN);
+ if (!label)
+ label = p11_x509_lookup_dn_name (parser->cert_asn, "tbsCertificate.subject",
+ parser->cert_der, parser->cert_len, P11_OID_OU);
+ if (!label)
+ label = p11_x509_lookup_dn_name (parser->cert_asn, "tbsCertificate.subject",
+ parser->cert_der, parser->cert_len, P11_OID_O);
+
+ attrs = build_object (parser, CKO_CERTIFICATE, vid, label);
 return_val_if_fail (attrs != NULL, NULL);
+ free (label);
 attrs = p11_attrs_build (attrs, &certificate_type, &certificate_category,
 &check_value, &trusted, &distrusted, &start_date, &end_date,
@@ -852,7 +863,7 @@ parse_openssl_trusted_certificate (p11_parser *parser,
 {
 CK_ATTRIBUTE *attrs;
 CK_BYTE vid[ID_LENGTH];
- const char *old_label = NULL;
+ CK_ATTRIBUTE *attr;
 char *label = NULL;
 node_asn *cert;
 node_asn *aux;
@@ -883,6 +894,12 @@ parse_openssl_trusted_certificate (p11_parser *parser,
 begin_parsing (parser, cert, data, cert_len);
+ /* The CKA_ID links related objects */
+ id_generate (parser, vid);
+
+ attrs = build_x509_certificate (parser, vid, cert, data, cert_len);
+ return_val_if_fail (attrs != NULL, P11_PARSE_FAILURE);
+
 /* Pull the label out of the CertAux */
 len = 0;
 ret = asn1_read_value (aux, "alias", NULL, &len);
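Review bot: `free (label)` is placed after `return_val_if_fail (attrs != NULL, NULL)`, so when build_object fails the string returned by p11_x509_lookup_dn_name is leaked; swapping the two lines, `attrs = build_object (parser, CKO_CERTIFICATE, vid, label);` / `free (label);` / `return_val_if_fail (attrs != NULL, NULL);`, closes that path, and is safe provided the attribute set keeps its own copy of the label, which the later `free (attr->pValue)` in parse_openssl_trusted_certificate implies. The three lookups differ only in the OID, so a small table of the three OIDs walked by a loop would keep the CN → OU → O precedence visible in one place. The label now comes from the subject DN of the certificate being parsed, i.e. untrusted input, and build_object sizes it with `strlen`; if p11_x509_lookup_dn_name can return a value containing a NUL byte the label is silently truncated, which deserves a comment at the first lookup. build_x509_certificate starts and ends outside the hunk.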
@@ -893,16 +910,13 @@ parse_openssl_trusted_certificate (p11_parser *parser,
 ret = asn1_read_value (aux, "alias", label, &len);
 return_val_if_fail (ret == ASN1_SUCCESS, P11_PARSE_FAILURE);
- old_label = parser->probable_label;
- parser->probable_label = label;
+ attr = p11_attrs_find (attrs, CKA_LABEL);
+ assert (attr != NULL);
+ free (attr->pValue);
+ attr->pValue = label;
+ attr->ulValueLen = strlen (label);
 }
- /* The CKA_ID links related objects */
- id_generate (parser, vid);
-
- attrs = build_x509_certificate (parser, vid, cert, data, cert_len);
- return_val_if_fail (attrs != NULL, P11_PARSE_FAILURE);
-
 ret = build_openssl_extensions (parser, attrs, aux, data + cert_len, length - cert_len);
 return_val_if_fail (ret == P11_PARSE_SUCCESS, ret);
@@ -911,11 +925,6 @@ parse_openssl_trusted_certificate (p11_parser *parser,
 asn1_delete_structure (&cert);
 asn1_delete_structure (&aux);
- if (label) {
- parser->probable_label = old_label;
- free (label);
- }
-
 return P11_PARSE_SUCCESS;
 }
@@ -1002,7 +1011,7 @@ p11_parse_memory (p11_parser *parser,
 return_val_if_fail (parser->sink == NULL, P11_PARSE_FAILURE);
 base = basename (filename);
- parser->probable_label = base;
+ parser->basename = base;
 parser->sink = sink;
 parser->sink_data = sink_data;
 parser->flags = flags;
@@ -1019,7 +1028,7 @@ p11_parse_memory (p11_parser *parser,
 break;
 }
- parser->probable_label = NULL;
+ parser->basename = NULL;
 parser->sink = NULL;
 parser->sink_data = NULL;
 parser->flags = 0;
diff --git a/trust/tests/test-parser.c b/trust/tests/test-parser.c
index a504cab..52092d0 100644
--- a/trust/tests/test-parser.c
+++ b/trust/tests/test-parser.c
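Review bot: `assert (attr != NULL)` is compiled out under NDEBUG, after which a missing CKA_LABEL would dereference NULL on the `free (attr->pValue)` line; the rest of this function guards its invariants with `return_val_if_fail`, so `return_val_if_fail (attr != NULL, P11_PARSE_FAILURE);` keeps the check in release builds and matches the file's style. Because attrs is now built before the alias is read (previous hunk), the context line `return_val_if_fail (ret == ASN1_SUCCESS, P11_PARSE_FAILURE)` returns with attrs and label still allocated — as far as these hunks show attrs has not yet been handed to the sink — so both should be released before that early return. `attr->ulValueLen = strlen (label)` discards the `len` that asn1_read_value reported; if an alias can contain a NUL byte the stored label is silently shortened, so either size the attribute from `len` or state the NUL-terminated assumption in a comment. Freeing `attr->pValue` relies on the attribute set owning a heap copy of the label set by build_object; a comment such as `/* attrs holds its own copy of CKA_LABEL; replace it with the CertAux alias */` would make that ownership explicit. parse_openssl_trusted_certificate starts outside the hunk.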
@@ -530,7 +530,7 @@ test_parse_with_key_usage (CuTest *cu)
 { CKA_PRIVATE, &vfalse, sizeof (vfalse) },
 { CKA_MODIFIABLE, &vfalse, sizeof (vfalse) },
 { CKA_CLASS, &klass, sizeof (klass) },
- { CKA_LABEL, "self-signed-with-ku.der", 23 },
+ { CKA_LABEL, "self-signed-with-ku.example.com", 31 },
 { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) },
 { CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) },
 { CKA_CHECK_VALUE, "d/\x9c", 3 },
@@ -545,7 +545,7 @@ test_parse_with_key_usage (CuTest *cu)
 };
 CK_ATTRIBUTE nss_trust[] = {
- { CKA_LABEL, "self-signed-with-ku.der", 23 },
+ { CKA_LABEL, "self-signed-with-ku.example.com", 31 },
 { CKA_CLASS, &trust_object, sizeof (trust_object), },
 { CKA_CERT_SHA1_HASH, "d/\x9c=\xbc\x9a\x7f\x91\xc7wT\t`\x86\xe2\x8e\x8f\xa8J\x12", 20 },
 { CKA_CERT_MD5_HASH, "\xb1N=\x16\x12?dz\x97\x81""By/\xcc\x97\x82", 16 },
@@ -613,7 +613,7 @@ test_parse_anchor (CuTest *cu)
 CK_X_ASSERTION_TYPE anchored_certificate = CKT_X_ANCHORED_CERTIFICATE;
 CK_ATTRIBUTE nss_trust[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
 { CKA_CLASS, &trust_object, sizeof (trust_object), },
 { CKA_CERT_SHA1_HASH, "\xad\x7c\x3f\x64\xfc\x44\x39\xfe\xf4\xe9\x0b\xe8\xf4\x7c\x6c\xfa\x8a\xad\xfd\xce", 20 },
 { CKA_CERT_MD5_HASH, "\xf7\x25\x12\x82\x4e\x67\xb5\xd0\x8d\x92\xb7\x7c\x0b\x86\x7a\x42", 16 },
@@ -639,7 +639,7 @@ test_parse_anchor (CuTest *cu)
 };
 CK_ATTRIBUTE server_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
 { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
 { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
 { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
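Review bot: The expected lengths `31` and `19` in the new CKA_LABEL entries are hand-counted, as were the `23` and `11` they replace, here and in every later test_parse_anchor hunk; deriving the length from the literal, e.g. `{ CKA_LABEL, "CAcert Class 3 Root", sizeof ("CAcert Class 3 Root") - 1 },`, cannot drift from the string when the expectation changes again. As far as these hunks show, the updated expectations only exercise the CN branch of the new CN → OU → O → basename fallback; a fixture whose subject lacks a CN, and one lacking all three, would pin the other branches. Both test functions start and end outside the hunks.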
@@ -648,7 +648,7 @@ test_parse_anchor (CuTest *cu)
 };
 CK_ATTRIBUTE client_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
 { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
 { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
 { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -657,7 +657,7 @@ test_parse_anchor (CuTest *cu)
 };
 CK_ATTRIBUTE code_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
 { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
 { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
 { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -666,7 +666,7 @@ test_parse_anchor (CuTest *cu)
 };
 CK_ATTRIBUTE email_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
 { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
 { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
 { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -675,7 +675,7 @@ test_parse_anchor (CuTest *cu)
 };
 CK_ATTRIBUTE ipsec_system_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
 { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
 { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
 { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -684,7 +684,7 @@ test_parse_anchor (CuTest *cu)
 };
 CK_ATTRIBUTE ipsec_tunnel_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
 { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
 { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
 { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -693,7 +693,7 @@ test_parse_anchor (CuTest *cu)
 };
 CK_ATTRIBUTE ipsec_user_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
 { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
 { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
 { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -702,7 +702,7 @@ test_parse_anchor (CuTest *cu)
 };
 CK_ATTRIBUTE stamping_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
 { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
 { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
 { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
-- cgit v1.1