static CK_RV
trust_get_complete (GkmXdgTrust *self, CK_ATTRIBUTE_PTR attr)
{
GNode *cert;
GBytes *element;
CK_RV rv;
cert = egg_asn1x_node (self->pv->asn, "reference", "certComplete", NULL);
g_return_val_if_fail (cert, CKR_GENERAL_ERROR);
/* If it's not stored, then this attribute is not present */
if (!egg_asn1x_have (cert)) {
gkm_debug ("CKR_ATTRIBUTE_TYPE_INVALID: %s wants certComplete which is not part of assertion",
gkm_log_attr_type (attr->type));
return CKR_ATTRIBUTE_TYPE_INVALID;
}
element = egg_asn1x_get_element_raw (cert);
g_return_val_if_fail (element != NULL, CKR_GENERAL_ERROR);
rv = gkm_attribute_set_bytes (attr, element);
g_bytes_unref (element);
return rv;
}
static CK_RV
trust_get_der (GkmXdgTrust *self, const gchar *part, CK_ATTRIBUTE_PTR attr)
{
GNode *node;
GBytes *element;
CK_RV rv;
g_assert (GKM_XDG_IS_TRUST (self));
node = egg_asn1x_node (self->pv->asn, "reference", "certReference", part, NULL);
g_return_val_if_fail (node, CKR_GENERAL_ERROR);
/* If the assertion doesn't contain this info ... */
if (!egg_asn1x_have (node)) {
gkm_debug ("CKR_ATTRIBUTE_TYPE_INVALID: %s wants %s which is not part of assertion",
gkm_log_attr_type (attr->type), part);
return CKR_ATTRIBUTE_TYPE_INVALID;
}
element = egg_asn1x_get_element_raw (node);
rv = gkm_attribute_set_bytes (attr, element);
g_bytes_unref (element);
return rv;
}
static EggBytes *
_gcr_certificate_get_subject_const (GcrCertificate *self)
{
GcrCertificateInfo *info;
g_return_val_if_fail (GCR_IS_CERTIFICATE (self), NULL);
info = certificate_info_load (self);
g_return_val_if_fail (info, NULL);
return egg_asn1x_get_element_raw (egg_asn1x_node (info->asn1, "tbsCertificate", "subject", NULL));
}
static gboolean
load_assertions (GkmXdgTrust *self, GNode *asn)
{
GHashTable *assertions;
GkmAssertion *assertion;
GBytes *key;
GNode *node;
guint count, i;
g_assert (self);
g_assert (asn);
assertions = self->pv->assertions;
self->pv->assertions = create_assertions ();
count = egg_asn1x_count (egg_asn1x_node (asn, "assertions", NULL));
for (i = 0; i < count; ++i) {
node = egg_asn1x_node (asn, "assertions", i + 1, NULL);
g_return_val_if_fail (node != NULL, FALSE);
/* We use the raw DER encoding as an assertion */
key = egg_asn1x_get_element_raw (node);
g_return_val_if_fail (key != NULL, FALSE);
/* Already have this assertion? */
assertion = g_hash_table_lookup (assertions, key);
if (assertion) {
if (!g_hash_table_steal (assertions, key))
g_assert_not_reached ();
/* Create a new assertion */
} else {
assertion = create_assertion (self, node);
}
add_assertion_to_trust (self, assertion, NULL);
g_bytes_unref (key);
g_object_unref (assertion);
}
/* Override the stored assertions and netscape trust */
g_hash_table_remove_all (assertions);
g_hash_table_unref (assertions);
return TRUE;
}
static void
create_trust_file_for_issuer_and_serial (const gchar *filename, const gchar *certificate)
{
GError *err = NULL;
GNode *asn, *cert, *choice, *ref;
GNode *issuer, *serial;
gchar *data;
GBytes *result;
GBytes *value;
GBytes *element;
gsize n_data;
GBytes *bytes;
if (!g_file_get_contents (certificate, &data, &n_data, &err))
barf_and_die ("couldn't read certificate file", egg_error_message (err));
/* Make sure the certificate is */
cert = egg_asn1x_create (pkix_asn1_tab, "Certificate");
g_return_if_fail (cert);
bytes = g_bytes_new_take (data, n_data);
if (!egg_asn1x_decode (cert, bytes))
barf_and_die ("couldn't parse der certificate file", egg_asn1x_message (cert));
g_bytes_unref (bytes);
/* Dig out the issuer and serial */
issuer = egg_asn1x_node (cert, "tbsCertificate", "issuer", NULL);
serial = egg_asn1x_node (cert, "tbsCertificate", "serialNumber", NULL);
g_return_if_fail (issuer && serial);
/* Create up the trust structure */
asn = egg_asn1x_create (xdg_asn1_tab, "trust-1");
g_return_if_fail (asn);
/* Setup the type of trust assertion */
ref = egg_asn1x_node (asn, "reference", NULL);
choice = egg_asn1x_node (ref, "certReference", NULL);
if (!egg_asn1x_set_choice (ref, choice))
g_return_if_reached ();
/* Copy over the serial and issuer */
element = egg_asn1x_get_element_raw (issuer);
if (!egg_asn1x_set_any_raw (egg_asn1x_node (choice, "issuer", NULL), element))
g_return_if_reached ();
g_bytes_unref (element);
value = egg_asn1x_get_integer_as_raw (serial);
egg_asn1x_set_integer_as_raw (egg_asn1x_node (choice, "serialNumber", NULL), value);
g_bytes_unref (value);
result = egg_asn1x_encode (asn, NULL);
if (result == NULL)
barf_and_die ("couldn't encode the trust file", egg_asn1x_message (asn));
g_free (data);
egg_asn1x_destroy (cert);
egg_asn1x_destroy (asn);
if (!g_file_set_contents (filename, g_bytes_get_data (result, NULL),
g_bytes_get_size (result), &err))
barf_and_die ("couldn't write trust file", egg_error_message (err));
g_bytes_unref (result);
}
GkmDataResult
gkm_data_der_read_private_pkcs8_plain (GBytes *data,
gcry_sexp_t *s_key)
{
GNode *asn = NULL;
GkmDataResult ret;
int algorithm;
GQuark key_algo;
GBytes *keydata = NULL;
GBytes *params = NULL;
ret = GKM_DATA_UNRECOGNIZED;
init_quarks ();
asn = egg_asn1x_create_and_decode (pkix_asn1_tab, "pkcs-8-PrivateKeyInfo", data);
if (!asn)
goto done;
ret = GKM_DATA_FAILURE;
algorithm = 0;
key_algo = egg_asn1x_get_oid_as_quark (egg_asn1x_node (asn, "privateKeyAlgorithm", "algorithm", NULL));
if (!key_algo)
goto done;
else if (key_algo == OID_PKIX1_RSA)
algorithm = GCRY_PK_RSA;
else if (key_algo == OID_PKIX1_DSA)
algorithm = GCRY_PK_DSA;
if (!algorithm) {
ret = GKM_DATA_UNRECOGNIZED;
goto done;
}
keydata = egg_asn1x_get_string_as_bytes (egg_asn1x_node (asn, "privateKey", NULL));
if (!keydata)
goto done;
params = egg_asn1x_get_element_raw (egg_asn1x_node (asn, "privateKeyAlgorithm", "parameters", NULL));
ret = GKM_DATA_SUCCESS;
done:
if (ret == GKM_DATA_SUCCESS) {
switch (algorithm) {
case GCRY_PK_RSA:
ret = gkm_data_der_read_private_key_rsa (keydata, s_key);
break;
case GCRY_PK_DSA:
/* Try the normal one block format */
ret = gkm_data_der_read_private_key_dsa (keydata, s_key);
/* Otherwise try the two part format that everyone seems to like */
if (ret == GKM_DATA_UNRECOGNIZED && params)
ret = gkm_data_der_read_private_key_dsa_parts (keydata, params, s_key);
break;
default:
g_message ("invalid or unsupported key type in PKCS#8 key");
ret = GKM_DATA_UNRECOGNIZED;
break;
};
} else if (ret == GKM_DATA_FAILURE) {
g_message ("invalid PKCS#8 key");
}
if (params)
g_bytes_unref (params);
if (keydata)
g_bytes_unref (keydata);
egg_asn1x_destroy (asn);
return ret;
}
GkmDataResult
gkm_data_der_read_public_key_info (GBytes *data,
gcry_sexp_t* s_key)
{
GkmDataResult ret = GKM_DATA_UNRECOGNIZED;
GQuark oid;
GNode *asn = NULL;
GBytes *params;
GBytes *key = NULL;
guint n_bits;
init_quarks ();
asn = egg_asn1x_create_and_decode (pkix_asn1_tab, "SubjectPublicKeyInfo", data);
if (!asn)
goto done;
ret = GKM_DATA_FAILURE;
/* Figure out the algorithm */
oid = egg_asn1x_get_oid_as_quark (egg_asn1x_node (asn, "algorithm", "algorithm", NULL));
if (!oid)
goto done;
/* A bit string so we cannot process in place */
key = egg_asn1x_get_bits_as_raw (egg_asn1x_node (asn, "subjectPublicKey", NULL), &n_bits);
if (!key)
goto done;
if (n_bits % 8 != 0) {
g_message ("invalid bit length for public key: %u", n_bits);
goto done;
}
/* An RSA key is simple */
if (oid == OID_PKIX1_RSA) {
ret = gkm_data_der_read_public_key_rsa (key, s_key);
/* A DSA key paramaters are stored separately */
} else if (oid == OID_PKIX1_DSA) {
params = egg_asn1x_get_element_raw (egg_asn1x_node (asn, "algorithm", "parameters", NULL));
if (!params)
goto done;
ret = gkm_data_der_read_public_key_dsa_parts (key, params, s_key);
g_bytes_unref (params);
} else {
g_message ("unsupported key algorithm in certificate: %s", g_quark_to_string (oid));
ret = GKM_DATA_UNRECOGNIZED;
goto done;
}
done:
egg_asn1x_destroy (asn);
if (key)
g_bytes_unref (key);
if (ret == GKM_DATA_FAILURE)
g_message ("invalid subject public-key info");
return ret;
}
