From: Nikos Mavrogiannopoulos
Date: Tue, 7 Oct 2014 13:14:34 +0000 (+0200)
Subject: pkcs11: when no CKA_ID can be relied on fallback on checking the SubjectKeyIdentifier
X-Git-Tag: gnutls_3_4_0~831
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=22bf04879b7031e8f2ca3c02a605e200d8f48403;p=thirdparty%2Fgnutls.git
pkcs11: when no CKA_ID can be relied on fallback on checking the SubjectKeyIdentifier
Patch by David Woodhouse.
---
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index e38098461f..cef0700dfd 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -3247,6 +3247,12 @@ find_cert_cb(struct pkcs11_session_info *sinfo,
 gnutls_datum_t id = { a[1].value, a[1].value_len };
+ if (i > 0 && priv->key_id.size > 0 &&
+ !_gnutls_check_subject_key_id2(&priv->key_id, &data)) {
+ gnutls_assert();
+ continue;
+ }
+
 if (priv->flags & GNUTLS_PKCS11_OBJ_FLAG_COMPARE) {
 if (priv->crt == NULL) {
 gnutls_assert();
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 3087183a58..a86bbe1292 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1950,3 +1950,35 @@ int x509_raw_crt_to_raw_pubkey(const gnutls_datum_t * cert,
 return ret;
 }
+
+bool
+_gnutls_check_subject_key_id2(gnutls_datum_t *key_id,
+ gnutls_datum_t *certbin)
+{
+ uint8_t id[MAX_KEY_ID_SIZE];
+ size_t id_size;
+ gnutls_x509_crt_t cert;
+ bool result = 0;
+
+ if (gnutls_x509_crt_init(&cert) < 0) {
+ gnutls_assert();
+ return 0;
+ }
+
+ if (gnutls_x509_crt_import(cert, certbin, GNUTLS_X509_FMT_DER) < 0) {
+ gnutls_assert();
+ goto out;
+ }
+
+ if (gnutls_x509_crt_get_subject_key_id(cert, id, &id_size, NULL) < 0) {
+ gnutls_assert();
+ goto out;
+ }
+
+ if (id_size == key_id->size && !memcmp(id, key_id->data, id_size))
+ result = 1;
+
+ out:
+ gnutls_x509_crt_deinit(cert);
+ return result;
+}
diff --git a/lib/x509/common.h b/lib/x509/common.h
index 01f5852736..6af4c410b1 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
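Review bot: The new `if (i > 0 && priv->key_id.size > 0 && !_gnutls_check_subject_key_id2(&priv->key_id, &data))` block in find_cert_cb skips the object on any false return from the helper, and in the common.c hunk that covers not only a SubjectKeyIdentifier mismatch but also a DER import failure and a certificate that carries no SubjectKeyIdentifier extension at all, so in the fallback pass such certificates can never be selected and nothing in the hunk says whether that is intended. If it is intended, a comment above the block should say so, e.g. `/* CKA_ID could not be relied on: accept this object only if its certificate's SubjectKeyIdentifier equals the requested key ID (certificates without the extension are skipped). */`; if not, the helper needs to distinguish "no extension" from "mismatch". Both `i` and `data` are defined outside the hunk, so the meaning of the `i > 0` guard — presumably "not the first, CKA_ID-based pass" — cannot be confirmed from here. find_cert_cb starts and continues outside the hunk.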
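Review bot: In _gnutls_check_subject_key_id2, `id_size` is declared without an initializer and then passed as `&id_size` to gnutls_x509_crt_get_subject_key_id(), whose size argument is in/out — it reads the capacity of the caller's buffer from `*ret_size` before copying the extension into `id` — so the call reads an indeterminate value, and if that value happens to exceed MAX_KEY_ID_SIZE a SubjectKeyIdentifier longer than the buffer could be written past the end of the stack array `id`. The declaration should be `size_t id_size = sizeof(id);` (or that assignment placed immediately before the call). As a point of style, neither parameter is written through, so `const gnutls_datum_t *key_id, const gnutls_datum_t *certbin` would be more accurate in this definition and in the matching declaration in the lib/x509/common.h hunk, and `result` would read better as `false`/`true` than `0`/`1` given the `bool` return type. A short header comment stating the contract — returns true only when the certificate's SubjectKeyIdentifier equals `key_id`, false on parse failure, missing extension or mismatch — would make clear to callers that those three cases are not distinguishable.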
@@ -191,6 +191,10 @@ bool
 _gnutls_check_if_same_key2(gnutls_x509_crt_t cert1,
 gnutls_datum_t *cert2bin);
+bool
+_gnutls_check_subject_key_id2(gnutls_datum_t *key_id,
+ gnutls_datum_t *certbin);
+
 bool
 _gnutls_check_if_same_cert(gnutls_x509_crt_t cert1,
 gnutls_x509_crt_t cert2);