static int HX509_LIB_CALL add_cert(hx509_context hxctx, void *ctx, hx509_cert cert) { static char empty[] = ""; struct foo *foo = (struct foo *)ctx; struct st_object *o = NULL; CK_OBJECT_CLASS type; CK_BBOOL bool_true = CK_TRUE; CK_BBOOL bool_false = CK_FALSE; CK_CERTIFICATE_TYPE cert_type = CKC_X_509; CK_KEY_TYPE key_type; CK_MECHANISM_TYPE mech_type; CK_RV ret = CKR_GENERAL_ERROR; int hret; heim_octet_string cert_data, subject_data, issuer_data, serial_data; st_logf("adding certificate\n"); serial_data.data = NULL; serial_data.length = 0; cert_data = subject_data = issuer_data = serial_data; hret = hx509_cert_binary(hxctx, cert, &cert_data); if (hret) goto out; { hx509_name name; hret = hx509_cert_get_issuer(cert, &name); if (hret) goto out; hret = hx509_name_binary(name, &issuer_data); hx509_name_free(&name); if (hret) goto out; hret = hx509_cert_get_subject(cert, &name); if (hret) goto out; hret = hx509_name_binary(name, &subject_data); hx509_name_free(&name); if (hret) goto out; } { AlgorithmIdentifier alg; hret = hx509_cert_get_SPKI_AlgorithmIdentifier(context, cert, &alg); if (hret) { ret = CKR_DEVICE_MEMORY; goto out; } key_type = CKK_RSA; /* XXX */ free_AlgorithmIdentifier(&alg); } type = CKO_CERTIFICATE; o = add_st_object(); if (o == NULL) { ret = CKR_DEVICE_MEMORY; goto out; } o->cert = hx509_cert_ref(cert); add_object_attribute(o, 0, CKA_CLASS, &type, sizeof(type)); add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true)); add_object_attribute(o, 0, CKA_PRIVATE, &bool_false, sizeof(bool_false)); add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false)); add_object_attribute(o, 0, CKA_LABEL, foo->label, strlen(foo->label)); add_object_attribute(o, 0, CKA_CERTIFICATE_TYPE, &cert_type, sizeof(cert_type)); add_object_attribute(o, 0, CKA_ID, foo->id, strlen(foo->id)); add_object_attribute(o, 0, CKA_SUBJECT, subject_data.data, subject_data.length); add_object_attribute(o, 0, CKA_ISSUER, issuer_data.data, issuer_data.length); add_object_attribute(o, 0, CKA_SERIAL_NUMBER, serial_data.data, serial_data.length); add_object_attribute(o, 0, CKA_VALUE, cert_data.data, cert_data.length); add_object_attribute(o, 0, CKA_TRUSTED, &bool_false, sizeof(bool_false)); st_logf("add cert ok: %lx\n", (unsigned long)OBJECT_ID(o)); type = CKO_PUBLIC_KEY; o = add_st_object(); if (o == NULL) { ret = CKR_DEVICE_MEMORY; goto out; } o->cert = hx509_cert_ref(cert); add_object_attribute(o, 0, CKA_CLASS, &type, sizeof(type)); add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true)); add_object_attribute(o, 0, CKA_PRIVATE, &bool_false, sizeof(bool_false)); add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false)); add_object_attribute(o, 0, CKA_LABEL, foo->label, strlen(foo->label)); add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type)); add_object_attribute(o, 0, CKA_ID, foo->id, strlen(foo->id)); add_object_attribute(o, 0, CKA_START_DATE, empty, 1); /* XXX */ add_object_attribute(o, 0, CKA_END_DATE, empty, 1); /* XXX */ add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false)); add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false)); mech_type = CKM_RSA_X_509; add_object_attribute(o, 0, CKA_KEY_GEN_MECHANISM, &mech_type, sizeof(mech_type)); add_object_attribute(o, 0, CKA_SUBJECT, subject_data.data, subject_data.length); add_object_attribute(o, 0, CKA_ENCRYPT, &bool_true, sizeof(bool_true)); add_object_attribute(o, 0, CKA_VERIFY, &bool_true, sizeof(bool_true)); add_object_attribute(o, 0, CKA_VERIFY_RECOVER, &bool_false, sizeof(bool_false)); add_object_attribute(o, 0, CKA_WRAP, &bool_true, sizeof(bool_true)); add_object_attribute(o, 0, CKA_TRUSTED, &bool_true, sizeof(bool_true)); add_pubkey_info(hxctx, o, key_type, cert); st_logf("add key ok: %lx\n", (unsigned long)OBJECT_ID(o)); if (hx509_cert_have_private_key(cert)) { CK_FLAGS flags; type = CKO_PRIVATE_KEY; /* Note to static analyzers: `o' is still referred to via globals */ o = add_st_object(); if (o == NULL) { ret = CKR_DEVICE_MEMORY; goto out; } o->cert = hx509_cert_ref(cert); add_object_attribute(o, 0, CKA_CLASS, &type, sizeof(type)); add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true)); add_object_attribute(o, 0, CKA_PRIVATE, &bool_true, sizeof(bool_false)); add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false)); add_object_attribute(o, 0, CKA_LABEL, foo->label, strlen(foo->label)); add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type)); add_object_attribute(o, 0, CKA_ID, foo->id, strlen(foo->id)); add_object_attribute(o, 0, CKA_START_DATE, empty, 1); /* XXX */ add_object_attribute(o, 0, CKA_END_DATE, empty, 1); /* XXX */ add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false)); add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false)); mech_type = CKM_RSA_X_509; add_object_attribute(o, 0, CKA_KEY_GEN_MECHANISM, &mech_type, sizeof(mech_type)); add_object_attribute(o, 0, CKA_SUBJECT, subject_data.data, subject_data.length); add_object_attribute(o, 0, CKA_SENSITIVE, &bool_true, sizeof(bool_true)); add_object_attribute(o, 0, CKA_SECONDARY_AUTH, &bool_false, sizeof(bool_true)); flags = 0; add_object_attribute(o, 0, CKA_AUTH_PIN_FLAGS, &flags, sizeof(flags)); add_object_attribute(o, 0, CKA_DECRYPT, &bool_true, sizeof(bool_true)); add_object_attribute(o, 0, CKA_SIGN, &bool_true, sizeof(bool_true)); add_object_attribute(o, 0, CKA_SIGN_RECOVER, &bool_false, sizeof(bool_false)); add_object_attribute(o, 0, CKA_UNWRAP, &bool_true, sizeof(bool_true)); add_object_attribute(o, 0, CKA_EXTRACTABLE, &bool_true, sizeof(bool_true)); add_object_attribute(o, 0, CKA_NEVER_EXTRACTABLE, &bool_false, sizeof(bool_false)); add_pubkey_info(hxctx, o, key_type, cert); } ret = CKR_OK; out: if (ret != CKR_OK) { st_logf("something went wrong when adding cert!\n"); /* XXX wack o */; } hx509_xfree(cert_data.data); hx509_xfree(serial_data.data); hx509_xfree(issuer_data.data); hx509_xfree(subject_data.data); /* Note to static analyzers: `o' is still referred to via globals */ return 0; }
krb5_error_code _gsspku2u_principal(krb5_context context, struct hx509_cert_data *cert, krb5_principal *principal) { hx509_octet_string_list list; krb5_error_code ret; int found = 0; unsigned i; char *name; *principal = NULL; /* * First try to map PKINIT SAN to a Kerberos principal */ ret = hx509_cert_find_subjectAltName_otherName(context->hx509ctx, cert, &asn1_oid_id_pkinit_san, &list); if (ret == 0) { for (i = 0; !found && i < list.len; i++) { KRB5PrincipalName r; ret = decode_KRB5PrincipalName(list.val[i].data, list.val[i].length, &r, NULL); if (ret) continue; ret = _krb5_principalname2krb5_principal(context, principal, r.principalName, KRB5_PKU2U_REALM_NAME); free_KRB5PrincipalName(&r); if (ret == 0) found = 1; } hx509_free_octet_string_list(&list); } if (found) return 0; /* * */ ret = hx509_cert_get_appleid(context->hx509ctx, cert, &name); if (ret == 0) { ret = krb5_make_principal(context, principal, KRB5_PKU2U_REALM_NAME, name, NULL); hx509_xfree(name); if (ret == 0) { (*principal)->name.name_type = KRB5_NT_ENTERPRISE_PRINCIPAL; return 0; } } /* * Give up and just WELLKNOWN and assertion instead */ ret = krb5_make_principal(context, principal, KRB5_PKU2U_REALM_NAME, KRB5_WELLKNOWN_NAME, KRB5_NULL_NAME, NULL); if (ret == 0) (*principal)->name.name_type = KRB5_NT_WELLKNOWN; return ret; }