pkcs11: when no CKA_ID can be relied on fallback on checking the SubjectKeyIdentifier
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 7 Oct 2014 13:14:34 +0000 (15:14 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 7 Oct 2014 13:14:36 +0000 (15:14 +0200)
Patch by David Woodhouse.

lib/pkcs11.c
lib/x509/common.c
lib/x509/common.h

index e38098461f9c474dc222eba473897fef505b9802..cef0700dfde41b18dbf47e1b89be7a63b49558de 100644 (file)
@@ -3247,6 +3247,12 @@ find_cert_cb(struct pkcs11_session_info *sinfo,
                                gnutls_datum_t id =
                                    { a[1].value, a[1].value_len };
 
+                               if (i > 0 && priv->key_id.size > 0 &&
+                                   !_gnutls_check_subject_key_id2(&priv->key_id, &data)) {
+                                       gnutls_assert();
+                                       continue;
+                               }
+
                                if (priv->flags & GNUTLS_PKCS11_OBJ_FLAG_COMPARE) {
                                        if (priv->crt == NULL) {
                                                gnutls_assert();
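Review bot: The meaning of `i > 0` in the new guard is not stated anywhere in the hunk; `i` and `data` are both defined outside it, so a reader has to reconstruct that this is presumably the pass on which no CKA_ID match could be relied on and that `data` holds the certificate's DER value. A one-line comment above the `if`, e.g. `/* fallback pass without a usable CKA_ID: accept only certs whose SubjectKeyIdentifier equals the requested key ID */`, would make that explicit (adjust it if `i` encodes something else). Note also that `_gnutls_check_subject_key_id2` returns 0 when the certificate cannot be imported or carries no SubjectKeyIdentifier extension, so on that pass such certificates are skipped rather than matched; that is the fail-closed direction, but it should be a deliberate and documented choice. find_cert_cb continues outside the hunk.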
index 3087183a58936d40e87de074bcc846afb6e0e311..a86bbe12922297bfd0a8e1d9b31d118b4659ac33 100644 (file)
@@ -1950,3 +1950,35 @@ int x509_raw_crt_to_raw_pubkey(const gnutls_datum_t * cert,
 
        return ret;
 }
+
+bool
+_gnutls_check_subject_key_id2(gnutls_datum_t *key_id,
+                             gnutls_datum_t *certbin)
+{
+       uint8_t id[MAX_KEY_ID_SIZE];
+       size_t id_size;
+       gnutls_x509_crt_t cert;
+       bool result = 0;
+
+       if (gnutls_x509_crt_init(&cert) < 0) {
+               gnutls_assert();
+               return 0;
+       }
+
+       if (gnutls_x509_crt_import(cert, certbin, GNUTLS_X509_FMT_DER) < 0) {
+               gnutls_assert();
+               goto out;
+       }
+
+       if (gnutls_x509_crt_get_subject_key_id(cert, id, &id_size, NULL) < 0) {
+               gnutls_assert();
+               goto out;
+       }
+
+       if (id_size == key_id->size && !memcmp(id, key_id->data, id_size))
+               result = 1;
+
+ out:
+       gnutls_x509_crt_deinit(cert);
+       return result;
+}
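Review bot: `id_size` is passed to `gnutls_x509_crt_get_subject_key_id()` uninitialized (declared as `size_t id_size;` and used only as the `&id_size` argument); that parameter is the in/out size of the `id` buffer, so the call sees an indeterminate length and may either fail spuriously with a short-buffer error or treat the buffer as larger than `MAX_KEY_ID_SIZE` and write past `id`. Initialize it right before the call: `id_size = sizeof(id);`. The new function also has no header comment; a short one stating that it returns non-zero only when the DER certificate in `certbin` carries a SubjectKeyIdentifier equal to `key_id`, and 0 on any init/import/extension failure, would document the fail-closed contract the pkcs11 caller now depends on.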
index 01f58527360d6e67b5786831f04e28069ea17e56..6af4c410b16afce1c4e023d113f3c1e724ce5d49 100644 (file)
@@ -191,6 +191,10 @@ bool
 _gnutls_check_if_same_key2(gnutls_x509_crt_t cert1,
                           gnutls_datum_t *cert2bin);
 
+bool
+_gnutls_check_subject_key_id2(gnutls_datum_t *key_id,
+                             gnutls_datum_t *certbin);
+
 bool
 _gnutls_check_if_same_cert(gnutls_x509_crt_t cert1,
                           gnutls_x509_crt_t cert2);