From 03d280df9a73aca5cb6eabbcb97ef3ca4e1ae0e5 Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@redhat.com>
Date: Thu, 9 Oct 2014 08:15:29 +0200
Subject: trust: Certificate CKA_ID is SubjectKeyIdentifier if possible

The PKCS#11 spec states that the CKA_ID should match the
SubjectKeyIdentifier if such an extension is present.

We delay the filling of CKA_ID until the builder phase of populating
attributes which allows us to have more control over how this works.

Note that we don't make CKA_ID reflect SubjectKeyIdentifier *attached*
extensions. The CKA_ID isn't supposed to change after object creation.
Making it dependent on attached extensions would be making promises
we cannot keep, since attached extensions can be added/removed at any
time.

This also means the CKA_ID of attached extensions and certificates
won't necessarily match up, but that was never promised, and not how
attached extensions should be matched to their certificate anyway.

Based on a patch and research done by David Woodhouse.

https://bugs.freedesktop.org/show_bug.cgi?id=84761
---
 trust/parser.c | 37 ++++++++++---------------------------
 1 file changed, 10 insertions(+), 27 deletions(-)

(limited to 'trust/parser.c')

diff --git a/trust/parser.c b/trust/parser.c
index 7f523e9..7b569d9 100644
--- a/trust/parser.c
+++ b/trust/parser.c
@@ -152,7 +152,6 @@ sink_object (p11_parser *parser,
 
 static CK_ATTRIBUTE *
 certificate_attrs (p11_parser *parser,
-                   CK_ATTRIBUTE *id,
                    const unsigned char *der,
                    size_t der_len)
 {
@@ -165,7 +164,7 @@ certificate_attrs (p11_parser *parser,
 	CK_ATTRIBUTE certificate_type = { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) };
 	CK_ATTRIBUTE value = { CKA_VALUE, (void *)der, der_len };
 
-	return p11_attrs_build (NULL, &klass, &modifiable, &certificate_type, &value, id, NULL);
+	return p11_attrs_build (NULL, &klass, &modifiable, &certificate_type, &value, NULL);
 }
 
 int
@@ -174,8 +173,6 @@ p11_parser_format_x509 (p11_parser *parser,
                         size_t length)
 {
 	char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE];
-	CK_BYTE idv[ID_LENGTH];
-	CK_ATTRIBUTE id = { CKA_ID, idv, sizeof (idv) };
 	CK_ATTRIBUTE *attrs;
 	CK_ATTRIBUTE *value;
 	node_asn *cert;
@@ -184,11 +181,7 @@ p11_parser_format_x509 (p11_parser *parser,
 	if (cert == NULL)
 		return P11_PARSE_UNRECOGNIZED;
 
-	/* The CKA_ID links related objects */
-	if (!p11_x509_calc_keyid (cert, data, length, idv))
-		id.type = CKA_INVALID;
-
-	attrs = certificate_attrs (parser, &id, data, length);
+	attrs = certificate_attrs (parser, data, length);
 	return_val_if_fail (attrs != NULL, P11_PARSE_FAILURE);
 
 	value = p11_attrs_find_valid (attrs, CKA_VALUE);
@@ -202,7 +195,6 @@ p11_parser_format_x509 (p11_parser *parser,
 
 static CK_ATTRIBUTE *
 extension_attrs (p11_parser *parser,
-                 CK_ATTRIBUTE *id,
                  CK_ATTRIBUTE *public_key_info,
                  const char *oid_str,
                  const unsigned char *oid_der,
@@ -223,7 +215,7 @@ extension_attrs (p11_parser *parser,
 	size_t len;
 	int ret;
 
-	attrs = p11_attrs_build (NULL, id, public_key_info, &klass, &modifiable, &oid, NULL);
+	attrs = p11_attrs_build (NULL, public_key_info, &klass, &modifiable, &oid, NULL);
 	return_val_if_fail (attrs != NULL, NULL);
 
 	dest = p11_asn1_create (parser->asn1_defs, "PKIX1.Extension");
@@ -252,7 +244,6 @@ extension_attrs (p11_parser *parser,
 
 static CK_ATTRIBUTE *
 attached_attrs (p11_parser *parser,
-                CK_ATTRIBUTE *id,
                 CK_ATTRIBUTE *public_key_info,
                 const char *oid_str,
                 const unsigned char *oid_der,
@@ -266,7 +257,7 @@ attached_attrs (p11_parser *parser,
 	der = p11_asn1_encode (ext, &len);
 	return_val_if_fail (der != NULL, NULL);
 
-	attrs = extension_attrs (parser, id, public_key_info, oid_str, oid_der,
+	attrs = extension_attrs (parser, public_key_info, oid_str, oid_der,
 	                         critical, der, len);
 	return_val_if_fail (attrs != NULL, NULL);
 
@@ -303,7 +294,6 @@ load_seq_of_oid_str (node_asn *node,
 
 static CK_ATTRIBUTE *
 attached_eku_attrs (p11_parser *parser,
-                    CK_ATTRIBUTE *id,
                     CK_ATTRIBUTE *public_key_info,
                     const char *oid_str,
                     const unsigned char *oid_der,
@@ -353,7 +343,7 @@ attached_eku_attrs (p11_parser *parser,
 	}
 
 
-	attrs = attached_attrs (parser, id, public_key_info, oid_str, oid_der, critical, dest);
+	attrs = attached_attrs (parser, public_key_info, oid_str, oid_der, critical, dest);
 	asn1_delete_structure (&dest);
 
 	return attrs;
@@ -362,7 +352,6 @@ attached_eku_attrs (p11_parser *parser,
 static CK_ATTRIBUTE *
 build_openssl_extensions (p11_parser *parser,
                           CK_ATTRIBUTE *cert,
-                          CK_ATTRIBUTE *id,
                           CK_ATTRIBUTE *public_key_info,
                           node_asn *aux,
                           const unsigned char *aux_der,
@@ -416,7 +405,7 @@ build_openssl_extensions (p11_parser *parser,
 	 */
 
 	if (trust) {
-		attrs = attached_eku_attrs (parser, id, public_key_info,
+		attrs = attached_eku_attrs (parser, public_key_info,
 		                            P11_OID_EXTENDED_KEY_USAGE_STR,
 		                            P11_OID_EXTENDED_KEY_USAGE,
 		                            true, trust);
@@ -433,7 +422,7 @@ build_openssl_extensions (p11_parser *parser,
 	 */
 
 	if (reject && p11_dict_size (reject) > 0) {
-		attrs = attached_eku_attrs (parser, id, public_key_info,
+		attrs = attached_eku_attrs (parser, public_key_info,
 		                            P11_OID_OPENSSL_REJECT_STR,
 		                            P11_OID_OPENSSL_REJECT,
 		                            false, reject);
@@ -482,7 +471,7 @@ build_openssl_extensions (p11_parser *parser,
 	return_val_if_fail (ret == ASN1_SUCCESS || ret == ASN1_ELEMENT_NOT_FOUND, NULL);
 
 	if (ret == ASN1_SUCCESS) {
-		attrs = extension_attrs (parser, id, public_key_info,
+		attrs = extension_attrs (parser, public_key_info,
 		                         P11_OID_SUBJECT_KEY_IDENTIFIER_STR,
 		                         P11_OID_SUBJECT_KEY_IDENTIFIER,
 		                         false, aux_der + start, (end - start) + 1);
@@ -501,8 +490,6 @@ parse_openssl_trusted_certificate (p11_parser *parser,
 {
 	char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE];
 	CK_ATTRIBUTE *attrs;
-	CK_BYTE idv[ID_LENGTH];
-	CK_ATTRIBUTE id = { CKA_ID, idv, sizeof (idv) };
 	CK_ATTRIBUTE public_key_info = { CKA_PUBLIC_KEY_INFO };
 	CK_ATTRIBUTE *value;
 	char *label = NULL;
@@ -539,11 +526,7 @@ parse_openssl_trusted_certificate (p11_parser *parser,
 		}
 	}
 
-	/* The CKA_ID links related objects */
-	if (!p11_x509_calc_keyid (cert, data, cert_len, idv))
-		id.type = CKA_INVALID;
-
-	attrs = certificate_attrs (parser, &id, data, cert_len);
+	attrs = certificate_attrs (parser, data, cert_len);
 	return_val_if_fail (attrs != NULL, P11_PARSE_FAILURE);
 
 	/* Cache the parsed certificate ASN.1 for later use by the builder */
@@ -570,7 +553,7 @@ parse_openssl_trusted_certificate (p11_parser *parser,
 			return_val_if_fail (attrs != NULL, P11_PARSE_FAILURE);
 		}
 
-		attrs = build_openssl_extensions (parser, attrs, &id, &public_key_info, aux,
+		attrs = build_openssl_extensions (parser, attrs, &public_key_info, aux,
 		                                  data + cert_len, length - cert_len);
 		return_val_if_fail (attrs != NULL, P11_PARSE_FAILURE);
 	}
-- 
cgit v1.1