Move the X.509 extension parsing code in common/

 * So it can be used by other code, in addition to the trust stuff

2 files changed, 80 insertions, 121 deletions

diff --git a/trust/adapter.c b/trust/adapter.c
index c698382..d17cb70 100644
--- a/trust/adapter.c
+++ b/trust/adapter.c
@@ -113,14 +113,38 @@ build_trust_object_ku (p11_parser *parser,
 	return p11_attrs_buildn (object, attrs, i);
 }
 
+static bool
+strv_to_dict (const char **array,
+              p11_dict **dict)
+{
+	int i;
+
+	if (!array) {
+		*dict = NULL;
+		return true;
+	}
+
+	*dict = p11_dict_new (p11_dict_str_hash, p11_dict_str_equal, NULL, NULL);
+	return_val_if_fail (*dict != NULL, false);
+
+	for (i = 0; array[i] != NULL; i++) {
+		if (!p11_dict_set (*dict, (void *)array[i], (void *)array[i]))
+			return_val_if_reached (false);
+	}
+
+	return true;
+}
+
 static CK_ATTRIBUTE *
 build_trust_object_eku (p11_parser *parser,
                         p11_array *parsing,
                         CK_ATTRIBUTE *object,
                         CK_TRUST allow,
-                        p11_dict *purposes,
-                        p11_dict *rejects)
+                        const char **purposes,
+                        const char **rejects)
 {
+	p11_dict *dict_purp;
+	p11_dict *dict_rej;
 	CK_TRUST neutral;
 	CK_TRUST disallow;
 	CK_ULONG i;
@@ -142,6 +166,10 @@ build_trust_object_eku (p11_parser *parser,
 
 	CK_ATTRIBUTE attrs[sizeof (eku_attribute_map)];
 
+	if (!strv_to_dict (purposes, &dict_purp) ||
+	    !strv_to_dict (rejects, &dict_rej))
+		return_val_if_reached (NULL);
+
 	/* The neutral value is set if an purpose is not present */
 	if (allow == CKT_NETSCAPE_UNTRUSTED)
 		neutral = CKT_NETSCAPE_UNTRUSTED;
@@ -159,10 +187,10 @@ build_trust_object_eku (p11_parser *parser,
 
 	for (i = 0; eku_attribute_map[i].type != CKA_INVALID; i++) {
 		attrs[i].type = eku_attribute_map[i].type;
-		if (rejects && p11_dict_get (rejects, eku_attribute_map[i].oid)) {
+		if (dict_rej && p11_dict_get (dict_rej, eku_attribute_map[i].oid)) {
 			attrs[i].pValue = &disallow;
 			attrs[i].ulValueLen = sizeof (disallow);
-		} else if (purposes && p11_dict_get (purposes, eku_attribute_map[i].oid)) {
+		} else if (dict_purp && p11_dict_get (dict_purp, eku_attribute_map[i].oid)) {
 			attrs[i].pValue = &allow;
 			attrs[i].ulValueLen = sizeof (allow);
 		} else {
@@ -171,6 +199,9 @@ build_trust_object_eku (p11_parser *parser,
 		}
 	}
 
+	p11_dict_free (dict_purp);
+	p11_dict_free (dict_rej);
+
 	return p11_attrs_buildn (object, attrs, i);
 }
 
@@ -181,8 +212,8 @@ build_nss_trust_object (p11_parser *parser,
                         CK_BBOOL trust,
                         CK_BBOOL distrust,
                         CK_BBOOL authority,
-                        p11_dict *purposes,
-                        p11_dict *rejects)
+                        const char **purposes,
+                        const char **rejects)
 {
 	CK_ATTRIBUTE *object = NULL;
 	CK_TRUST allow;
@@ -257,34 +288,12 @@ build_nss_trust_object (p11_parser *parser,
 		return_if_reached ();
 }
 
-static const char *
-yield_oid_from_vec (void **state)
-{
-	const char **oids = *state;
-	const char *ret = NULL;
-	if (*oids != NULL)
-		ret = *(oids++);
-	*state = oids;
-	return ret;
-}
-
-static const char *
-yield_oid_from_dict (void **state)
-{
-	p11_dictiter *iter = *state;
-	const char *ret = NULL;
-	if (iter && !p11_dict_next (iter, (void**)&ret, NULL))
-		*state = NULL;
-	return ret;
-}
-
 static void
 build_assertions (p11_parser *parser,
                   p11_array *parsing,
                   CK_ATTRIBUTE *cert,
                   CK_X_ASSERTION_TYPE type,
-                  const char * (oid_iter) (void **),
-                  void *oid_state)
+                  const char **oids)
 {
 	CK_OBJECT_CLASS assertion = CKO_X_TRUST_ASSERTION;
 	CK_BBOOL vtrue = CK_TRUE;
@@ -304,7 +313,7 @@ build_assertions (p11_parser *parser,
 	CK_ATTRIBUTE *label;
 	CK_ATTRIBUTE *id;
 	CK_ATTRIBUTE *object;
-	const char *oid_str;
+	int i;
 
 	label = p11_attrs_find (cert, CKA_LABEL);
 	if (label == NULL)
@@ -317,13 +326,9 @@ build_assertions (p11_parser *parser,
 
 	return_if_fail (id != NULL && issuer != NULL && serial != NULL && value != NULL);
 
-	for (;;) {
-		oid_str = (oid_iter) (&oid_state);
-		if (!oid_str)
-			break;
-
-		purpose.pValue = (void *)oid_str;
-		purpose.ulValueLen = strlen (oid_str);
+	for (i = 0; oids[i] != NULL; i++) {
+		purpose.pValue = (void *)oids[i];
+		purpose.ulValueLen = strlen (oids[i]);
 
 		object = p11_attrs_build (NULL, &klass, &token, &private, &modifiable,
 		                          id, label, &assertion_type, &purpose,
@@ -342,11 +347,9 @@ build_trust_assertions (p11_parser *parser,
                         CK_BBOOL trust,
                         CK_BBOOL distrust,
                         CK_BBOOL authority,
-                        p11_dict *purposes,
-                        p11_dict *rejects)
+                        const char **purposes,
+                        const char **rejects)
 {
-	p11_dictiter iter;
-
 	const char *all_purposes[] = {
 		P11_OID_SERVER_AUTH_STR,
 		P11_OID_CLIENT_AUTH_STR,
@@ -361,9 +364,8 @@ build_trust_assertions (p11_parser *parser,
 
 	/* Build assertions for anything that's explicitly rejected */
 	if (rejects) {
-		p11_dict_iterate (rejects, &iter);
-		build_assertions (parser, parsing, cert, CKT_X_DISTRUSTED_CERTIFICATE,
-		                  yield_oid_from_dict, &iter);
+		build_assertions (parser, parsing, cert,
+		                  CKT_X_DISTRUSTED_CERTIFICATE, rejects);
 	}
 
 	if (distrust) {
@@ -372,8 +374,8 @@ build_trust_assertions (p11_parser *parser,
 		 * for any purposes. So we just have to go wild and write out a bunch of
 		 * assertions for all our known purposes.
 		 */
-		build_assertions (parser, parsing, cert, CKT_X_DISTRUSTED_CERTIFICATE,
-		                  yield_oid_from_vec, all_purposes);
+		build_assertions (parser, parsing, cert,
+		                  CKT_X_DISTRUSTED_CERTIFICATE, all_purposes);
 	}
 
 	/*
@@ -384,13 +386,12 @@ build_trust_assertions (p11_parser *parser,
 	if (trust && authority) {
 		if (purposes) {
 			/* If purposes explicitly set, then anchor for those purposes */
-			p11_dict_iterate (purposes, &iter);
-			build_assertions (parser, parsing, cert, CKT_X_ANCHORED_CERTIFICATE,
-			                  yield_oid_from_dict, &iter);
+			build_assertions (parser, parsing, cert,
+			                  CKT_X_ANCHORED_CERTIFICATE, purposes);
 		} else {
 			/* If purposes not-explicitly set, then anchor for all known */
-			build_assertions (parser, parsing, cert, CKT_X_ANCHORED_CERTIFICATE,
-			                  yield_oid_from_vec, all_purposes);
+			build_assertions (parser, parsing, cert,
+			                  CKT_X_ANCHORED_CERTIFICATE, all_purposes);
 		}
 	}
 }
@@ -404,8 +405,10 @@ p11_adapter_build_objects (p11_parser *parser,
 	CK_BBOOL trust = CK_FALSE;
 	CK_BBOOL distrust = CK_FALSE;
 	CK_BBOOL authority = CK_FALSE;
-	p11_dict *purposes = NULL;
-	p11_dict *rejects = NULL;
+	p11_array *purposes = NULL;
+	p11_array *rejects = NULL;
+	const char **purposev;
+	const char **rejectv;
 	unsigned char *data;
 	p11_dict *defs;
 	size_t length;
@@ -431,7 +434,7 @@ p11_adapter_build_objects (p11_parser *parser,
 		if (data) {
 			defs = p11_parser_get_asn1_defs (parser);
 			purposes = p11_x509_parse_extended_key_usage (defs, data, length);
-			if (purposes  == NULL)
+			if (purposes == NULL)
 				p11_message ("invalid extended key usage certificate extension");
 			free (data);
 		}
@@ -446,11 +449,24 @@ p11_adapter_build_objects (p11_parser *parser,
 		}
 	}
 
+	/* null-terminate these arrays and use as strv's */
+	purposev = rejectv = NULL;
+	if (rejects) {
+		if (!p11_array_push (rejects, NULL))
+			return_if_reached ();
+		rejectv = (const char **)rejects->elem;
+	}
+	if (purposes) {
+		if (!p11_array_push (purposes, NULL))
+			return_if_reached ();
+		purposev = (const char **)purposes->elem;
+	}
+
 	build_nss_trust_object (parser, parsing, cert, trust, distrust,
-	                        authority, purposes, rejects);
+	                        authority, purposev, rejectv);
 	build_trust_assertions (parser, parsing, cert, trust, distrust,
-	                        authority, purposes, rejects);
+	                        authority, purposev, rejectv);
 
-	p11_dict_free (purposes);
-	p11_dict_free (rejects);
+	p11_array_free (purposes);
+	p11_array_free (rejects);
 }
diff --git a/trust/parser.c b/trust/parser.c
index 4f8c407..f6da728 100644
--- a/trust/parser.c
+++ b/trust/parser.c
@@ -336,64 +336,6 @@ build_x509_certificate (p11_parser *parser,
 	return attrs;
 }
 
-static unsigned char *
-find_cert_extension (node_asn *cert,
-                     const unsigned char *der,
-                     size_t der_len,
-                     const unsigned char *oid,
-                     size_t *length)
-{
-	char field[128];
-	char *value;
-	int start;
-	int end;
-	int ret;
-	int len;
-	int i;
-
-	assert (oid != NULL);
-	assert (length != NULL);
-
-	for (i = 1; ; i++) {
-		if (snprintf (field, sizeof (field), "tbsCertificate.extensions.?%u.extnID", i) < 0)
-			return_val_if_reached (NULL);
-
-		ret = asn1_der_decoding_startEnd (cert, der, der_len, field, &start, &end);
-
-		/* No more extensions */
-		if (ret == ASN1_ELEMENT_NOT_FOUND)
-			break;
-
-		return_val_if_fail (ret == ASN1_SUCCESS, NULL);
-
-		/* Make sure it's a straightforward oid with certain assumptions */
-		if (!p11_oid_simple (der + start, (end - start) + 1))
-			continue;
-
-		/* The one we're lookin for? */
-		if (!p11_oid_equal (der + start, oid))
-			continue;
-
-		if (snprintf (field, sizeof (field), "tbsCertificate.extensions.?%u.extnValue", i) < 0)
-			return_val_if_reached (NULL);
-
-		len = 0;
-		ret = asn1_read_value (cert, field, NULL, &len);
-		return_val_if_fail (ret == ASN1_MEM_ERROR, NULL);
-
-		value = malloc (len);
-		return_val_if_fail (value != NULL, NULL);
-
-		ret = asn1_read_value (cert, field, value, &len);
-		return_val_if_fail (ret == ASN1_SUCCESS, NULL);
-
-		*length = len;
-		return (unsigned char *)value;
-	}
-
-	return NULL;
-}
-
 static CK_ATTRIBUTE *
 match_parsing_object (p11_parser *parser,
                       CK_ATTRIBUTE *match)
@@ -441,8 +383,9 @@ p11_parsing_get_extension (p11_parser *parser,
 
 	/* Couldn't find a parsed extension, so look in the current certificate */
 	} else if (parser->cert_asn) {
-		return find_cert_extension (parser->cert_asn, parser->cert_der,
-		                            parser->cert_len, oid, length);
+		return p11_x509_find_extension (parser->cert_asn, oid,
+		                                parser->cert_der, parser->cert_len,
+		                                length);
 	}
 
 	return NULL;
@@ -753,7 +696,7 @@ update_trust_and_distrust (p11_parser *parser,
 	CK_BBOOL distrusted;
 	unsigned char *data;
 	size_t length;
-	p11_dict *ekus;
+	p11_array *ekus;
 
 	/*
 	 * This function is called to update the CKA_TRUSTED and CKA_X_DISTRUSTED
@@ -776,12 +719,12 @@ update_trust_and_distrust (p11_parser *parser,
 		ekus = p11_x509_parse_extended_key_usage (parser->asn1_defs, data, length);
 		if (ekus == NULL)
 			p11_message ("invalid extendend key usage certificate extension");
-		else if (p11_dict_size (ekus) == 0) {
+		else if (ekus->num == 0) {
 			distrusted = CK_TRUE;
 			trusted = CK_FALSE;
 		}
 
-		p11_dict_free (ekus);
+		p11_array_free (ekus);
 		free (data);
 	}