static int
attributes_match(const struct st_object *obj,
const CK_ATTRIBUTE *attributes,
CK_ULONG num_attributes)
{
CK_ULONG i;
int j;
st_logf("attributes_match: %ld\n", (unsigned long)OBJECT_ID(obj));
for (i = 0; i < num_attributes; i++) {
int match = 0;
for (j = 0; j < obj->num_attributes; j++) {
if (attributes[i].type == obj->attrs[j].attribute.type &&
attributes[i].ulValueLen == obj->attrs[j].attribute.ulValueLen &&
memcmp(attributes[i].pValue, obj->attrs[j].attribute.pValue,
attributes[i].ulValueLen) == 0) {
match = 1;
break;
}
}
if (match == 0) {
st_logf("type %d attribute have no match\n", attributes[i].type);
return 0;
}
}
st_logf("attribute matches\n");
return 1;
}
/*
* Given a reference obtained from JNI or JVMTI, return an object
* id suitable for sending to the debugger front end. The original
* reference is not deleted.
*/
jlong
commonRef_refToID(jobject ref)
{
JNIEnv *env;
RefNode *node;
jlong id;
if (ref == NULL) {
return NULL_OBJECT_ID;
}
env = getEnv();
debugMonitorEnter(refLock);
node = findNodeByRef(env, ref);
if (node == NULL) {
node = newCommonRef(env, ref);
} else {
node->count++;
}
id = OBJECT_ID(node);
debugMonitorExit(refLock);
return id;
}
CK_RV
C_VerifyInit(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism,
CK_OBJECT_HANDLE hKey)
{
struct session_state *state;
CK_MECHANISM_TYPE mechs[] = { CKM_RSA_PKCS };
CK_BBOOL bool_true = CK_TRUE;
CK_ATTRIBUTE attr[] = {
{ CKA_VERIFY, &bool_true, sizeof(bool_true) }
};
struct st_object *o;
CK_RV ret;
INIT_CONTEXT();
st_logf("VerifyInit\n");
VERIFY_SESSION_HANDLE(hSession, &state);
ret = commonInit(attr, sizeof(attr)/sizeof(attr[0]),
mechs, sizeof(mechs)/sizeof(mechs[0]),
pMechanism, hKey, &o);
if (ret)
return ret;
ret = dup_mechanism(&state->verify_mechanism, pMechanism);
if (ret == CKR_OK)
state->verify_object = OBJECT_ID(o);
return ret;
}
/*
* Returns the node stored in the object hash table for the given object
* id. The id should be a value previously returned by
* commonRef_refToID.
*/
static RefNode *
findNodeByID(JNIEnv *env, jlong id)
{
jint slot = hashID(id);
RefNode *node = objectsByID[slot];
while (node != NULL) {
/*
* Use this opportunity to clean up any nodes for weak
* references that have been garbage collected.
*/
if (isSameObject(env, node->ref, NULL)) {
jlong collectedID = OBJECT_ID(node);
node = node->nextByID;
deleteNodeByID(env, collectedID, ALL_REFS);
} else if (id == OBJECT_ID(node)) {
break; /* found it */
} else {
node = node->nextByID;
}
}
return node;
}
static void
deleteNodeByID(JNIEnv *env, jlong id, jint refCount)
{
jint slot = hashID(id);
RefNode *node = objectsByID[slot];
RefNode *prev = NULL;
while (node != NULL) {
if (id == OBJECT_ID(node)) {
if (refCount != ALL_REFS) {
node->count -= refCount;
} else {
node->count = 0;
}
if (node->count <= 0) {
detachIDNode(env, slot, prev, node);
deleteNode(env, node);
}
break;
}
prev = node;
node = node->nextByID;
}
}
static int HX509_LIB_CALL
add_cert(hx509_context hxctx, void *ctx, hx509_cert cert)
{
static char empty[] = "";
struct foo *foo = (struct foo *)ctx;
struct st_object *o = NULL;
CK_OBJECT_CLASS type;
CK_BBOOL bool_true = CK_TRUE;
CK_BBOOL bool_false = CK_FALSE;
CK_CERTIFICATE_TYPE cert_type = CKC_X_509;
CK_KEY_TYPE key_type;
CK_MECHANISM_TYPE mech_type;
CK_RV ret = CKR_GENERAL_ERROR;
int hret;
heim_octet_string cert_data, subject_data, issuer_data, serial_data;
st_logf("adding certificate\n");
serial_data.data = NULL;
serial_data.length = 0;
cert_data = subject_data = issuer_data = serial_data;
hret = hx509_cert_binary(hxctx, cert, &cert_data);
if (hret)
goto out;
{
hx509_name name;
hret = hx509_cert_get_issuer(cert, &name);
if (hret)
goto out;
hret = hx509_name_binary(name, &issuer_data);
hx509_name_free(&name);
if (hret)
goto out;
hret = hx509_cert_get_subject(cert, &name);
if (hret)
goto out;
hret = hx509_name_binary(name, &subject_data);
hx509_name_free(&name);
if (hret)
goto out;
}
{
AlgorithmIdentifier alg;
hret = hx509_cert_get_SPKI_AlgorithmIdentifier(context, cert, &alg);
if (hret) {
ret = CKR_DEVICE_MEMORY;
goto out;
}
key_type = CKK_RSA; /* XXX */
free_AlgorithmIdentifier(&alg);
}
type = CKO_CERTIFICATE;
o = add_st_object();
if (o == NULL) {
ret = CKR_DEVICE_MEMORY;
goto out;
}
o->cert = hx509_cert_ref(cert);
add_object_attribute(o, 0, CKA_CLASS, &type, sizeof(type));
add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));
add_object_attribute(o, 0, CKA_PRIVATE, &bool_false, sizeof(bool_false));
add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));
add_object_attribute(o, 0, CKA_LABEL, foo->label, strlen(foo->label));
add_object_attribute(o, 0, CKA_CERTIFICATE_TYPE, &cert_type, sizeof(cert_type));
add_object_attribute(o, 0, CKA_ID, foo->id, strlen(foo->id));
add_object_attribute(o, 0, CKA_SUBJECT, subject_data.data, subject_data.length);
add_object_attribute(o, 0, CKA_ISSUER, issuer_data.data, issuer_data.length);
add_object_attribute(o, 0, CKA_SERIAL_NUMBER, serial_data.data, serial_data.length);
add_object_attribute(o, 0, CKA_VALUE, cert_data.data, cert_data.length);
add_object_attribute(o, 0, CKA_TRUSTED, &bool_false, sizeof(bool_false));
st_logf("add cert ok: %lx\n", (unsigned long)OBJECT_ID(o));
type = CKO_PUBLIC_KEY;
o = add_st_object();
if (o == NULL) {
ret = CKR_DEVICE_MEMORY;
goto out;
}
o->cert = hx509_cert_ref(cert);
add_object_attribute(o, 0, CKA_CLASS, &type, sizeof(type));
add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));
add_object_attribute(o, 0, CKA_PRIVATE, &bool_false, sizeof(bool_false));
add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));
add_object_attribute(o, 0, CKA_LABEL, foo->label, strlen(foo->label));
add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type));
add_object_attribute(o, 0, CKA_ID, foo->id, strlen(foo->id));
add_object_attribute(o, 0, CKA_START_DATE, empty, 1); /* XXX */
add_object_attribute(o, 0, CKA_END_DATE, empty, 1); /* XXX */
add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false));
add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false));
mech_type = CKM_RSA_X_509;
add_object_attribute(o, 0, CKA_KEY_GEN_MECHANISM, &mech_type, sizeof(mech_type));
add_object_attribute(o, 0, CKA_SUBJECT, subject_data.data, subject_data.length);
add_object_attribute(o, 0, CKA_ENCRYPT, &bool_true, sizeof(bool_true));
add_object_attribute(o, 0, CKA_VERIFY, &bool_true, sizeof(bool_true));
add_object_attribute(o, 0, CKA_VERIFY_RECOVER, &bool_false, sizeof(bool_false));
add_object_attribute(o, 0, CKA_WRAP, &bool_true, sizeof(bool_true));
add_object_attribute(o, 0, CKA_TRUSTED, &bool_true, sizeof(bool_true));
add_pubkey_info(hxctx, o, key_type, cert);
st_logf("add key ok: %lx\n", (unsigned long)OBJECT_ID(o));
if (hx509_cert_have_private_key(cert)) {
CK_FLAGS flags;
type = CKO_PRIVATE_KEY;
/* Note to static analyzers: `o' is still referred to via globals */
o = add_st_object();
if (o == NULL) {
ret = CKR_DEVICE_MEMORY;
goto out;
}
o->cert = hx509_cert_ref(cert);
add_object_attribute(o, 0, CKA_CLASS, &type, sizeof(type));
add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));
add_object_attribute(o, 0, CKA_PRIVATE, &bool_true, sizeof(bool_false));
add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));
add_object_attribute(o, 0, CKA_LABEL, foo->label, strlen(foo->label));
add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type));
add_object_attribute(o, 0, CKA_ID, foo->id, strlen(foo->id));
add_object_attribute(o, 0, CKA_START_DATE, empty, 1); /* XXX */
add_object_attribute(o, 0, CKA_END_DATE, empty, 1); /* XXX */
add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false));
add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false));
mech_type = CKM_RSA_X_509;
add_object_attribute(o, 0, CKA_KEY_GEN_MECHANISM, &mech_type, sizeof(mech_type));
add_object_attribute(o, 0, CKA_SUBJECT, subject_data.data, subject_data.length);
add_object_attribute(o, 0, CKA_SENSITIVE, &bool_true, sizeof(bool_true));
add_object_attribute(o, 0, CKA_SECONDARY_AUTH, &bool_false, sizeof(bool_true));
flags = 0;
add_object_attribute(o, 0, CKA_AUTH_PIN_FLAGS, &flags, sizeof(flags));
add_object_attribute(o, 0, CKA_DECRYPT, &bool_true, sizeof(bool_true));
add_object_attribute(o, 0, CKA_SIGN, &bool_true, sizeof(bool_true));
add_object_attribute(o, 0, CKA_SIGN_RECOVER, &bool_false, sizeof(bool_false));
add_object_attribute(o, 0, CKA_UNWRAP, &bool_true, sizeof(bool_true));
add_object_attribute(o, 0, CKA_EXTRACTABLE, &bool_true, sizeof(bool_true));
add_object_attribute(o, 0, CKA_NEVER_EXTRACTABLE, &bool_false, sizeof(bool_false));
add_pubkey_info(hxctx, o, key_type, cert);
}
ret = CKR_OK;
out:
if (ret != CKR_OK) {
st_logf("something went wrong when adding cert!\n");
/* XXX wack o */;
}
hx509_xfree(cert_data.data);
hx509_xfree(serial_data.data);
hx509_xfree(issuer_data.data);
hx509_xfree(subject_data.data);
/* Note to static analyzers: `o' is still referred to via globals */
return 0;
}
CK_RV
gpkcs11_add_certificate(char *label,
X509 *cert,
char *id,
int anchor)
{
struct gpkcs11_st_object *o = NULL;
void *cert_data = NULL;
size_t cert_length;
void *subject_data = NULL;
size_t subject_length;
void *issuer_data = NULL;
size_t issuer_length;
void *serial_data = NULL;
size_t serial_length;
EVP_PKEY *public_key;
unsigned char sha1[SHA_DIGEST_LENGTH];
CK_TRUST trust_ca = CKT_NSS_TRUSTED_DELEGATOR;
int ret;
CK_BBOOL bool_true = CK_TRUE;
CK_BBOOL bool_false = CK_FALSE;
CK_OBJECT_CLASS c;
CK_CERTIFICATE_TYPE cert_type = CKC_X_509;
CK_KEY_TYPE key_type;
CK_MECHANISM_TYPE mech_type;
size_t id_len = strlen(id);
OPENSSL_ASN1_MALLOC_ENCODE(X509, cert_data, cert_length, cert, ret);
if (ret)
goto out;
OPENSSL_ASN1_MALLOC_ENCODE(X509_NAME, issuer_data, issuer_length,
X509_get_issuer_name(cert), ret);
if (ret)
goto out;
OPENSSL_ASN1_MALLOC_ENCODE(X509_NAME, subject_data, subject_length,
X509_get_subject_name(cert), ret);
if (ret)
goto out;
OPENSSL_ASN1_MALLOC_ENCODE(ASN1_INTEGER, serial_data, serial_length,
X509_get_serialNumber(cert), ret);
if (ret)
goto out;
gpkcs11_log("done parsing, adding to internal structure\n");
o = add_st_object();
if (o == NULL) {
ret = CKR_DEVICE_MEMORY;
goto out;
}
o->type = STO_T_CERTIFICATE;
o->u.cert = cert;
public_key = X509_get_pubkey(o->u.cert);
switch (EVP_PKEY_type(public_key->type)) {
case EVP_PKEY_RSA:
key_type = CKK_RSA;
break;
case EVP_PKEY_DSA:
key_type = CKK_DSA;
break;
default:
/* XXX */
break;
}
c = CKO_CERTIFICATE;
add_object_attribute(o, 0, CKA_CLASS, &c, sizeof(c));
add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));
add_object_attribute(o, 0, CKA_PRIVATE, &bool_false, sizeof(bool_false));
add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));
add_object_attribute(o, 0, CKA_LABEL, label, strlen(label));
add_object_attribute(o, 0, CKA_CERTIFICATE_TYPE, &cert_type, sizeof(cert_type));
add_object_attribute(o, 0, CKA_ID, id, id_len);
add_object_attribute(o, 0, CKA_SUBJECT, subject_data, subject_length);
add_object_attribute(o, 0, CKA_ISSUER, issuer_data, issuer_length);
add_object_attribute(o, 0, CKA_SERIAL_NUMBER, serial_data, serial_length);
add_object_attribute(o, 0, CKA_VALUE, cert_data, cert_length);
if (anchor)
add_object_attribute(o, 0, CKA_TRUSTED, &bool_true, sizeof(bool_true));
else
add_object_attribute(o, 0, CKA_TRUSTED, &bool_false, sizeof(bool_false));
gpkcs11_log("add cert ok: %lx\n", (unsigned long)OBJECT_ID(o));
if (anchor) {
o = add_st_object();
if (o == NULL) {
ret = CKR_DEVICE_MEMORY;
goto out;
}
o->type = STO_T_NETSCAPE_TRUST;
c = CKO_NETSCAPE_TRUST;
add_object_attribute(o, 0, CKA_CLASS, &c, sizeof(c));
add_object_attribute(o, 0, CKA_LABEL, "IGTF CA Trust", 13);
add_object_attribute(o, 0, CKA_ID, id, id_len);
add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));
add_object_attribute(o, 0, CKA_ISSUER, issuer_data, issuer_length);
add_object_attribute(o, 0, CKA_SUBJECT, subject_data, subject_length);
add_object_attribute(o, 0, CKA_SERIAL_NUMBER, serial_data, serial_length);
EVP_Digest(cert_data, cert_length, sha1, NULL, EVP_sha1(), NULL);
add_object_attribute(o, 0, CKA_CERT_SHA1_HASH, sha1, sizeof(sha1));
add_object_attribute(o, 0, CKA_TRUST_SERVER_AUTH, &trust_ca, sizeof(trust_ca));
add_object_attribute(o, 0, CKA_TRUST_CLIENT_AUTH, &trust_ca, sizeof(trust_ca));
add_object_attribute(o, 0, CKA_TRUST_CODE_SIGNING, &trust_ca, sizeof(trust_ca));
add_object_attribute(o, 0, CKA_TRUST_EMAIL_PROTECTION, &trust_ca, sizeof(trust_ca));
gpkcs11_log("add Netscape trust object: %lx\n", (unsigned long)OBJECT_ID(o));
}
o = add_st_object();
if (o == NULL) {
ret = CKR_DEVICE_MEMORY;
goto out;
}
o->type = STO_T_PUBLIC_KEY;
o->u.public_key = public_key;
c = CKO_PUBLIC_KEY;
add_object_attribute(o, 0, CKA_CLASS, &c, sizeof(c));
add_object_attribute(o, 0, CKA_TOKEN, &bool_true, sizeof(bool_true));
add_object_attribute(o, 0, CKA_PRIVATE, &bool_false, sizeof(bool_false));
add_object_attribute(o, 0, CKA_MODIFIABLE, &bool_false, sizeof(bool_false));
add_object_attribute(o, 0, CKA_LABEL, label, strlen(label));
add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type));
add_object_attribute(o, 0, CKA_ID, id, id_len);
add_object_attribute(o, 0, CKA_START_DATE, "", 1); /* XXX */
add_object_attribute(o, 0, CKA_END_DATE, "", 1); /* XXX */
add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false));
add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false));
mech_type = CKM_RSA_X_509;
add_object_attribute(o, 0, CKA_KEY_GEN_MECHANISM, &mech_type, sizeof(mech_type));
add_object_attribute(o, 0, CKA_SUBJECT, subject_data, subject_length);
add_object_attribute(o, 0, CKA_ENCRYPT, &bool_true, sizeof(bool_true));
add_object_attribute(o, 0, CKA_VERIFY, &bool_true, sizeof(bool_true));
add_object_attribute(o, 0, CKA_VERIFY_RECOVER, &bool_false, sizeof(bool_false));
add_object_attribute(o, 0, CKA_WRAP, &bool_true, sizeof(bool_true));
add_object_attribute(o, 0, CKA_TRUSTED, &bool_true, sizeof(bool_true));
add_pubkey_info(o, key_type, public_key);
gpkcs11_log("add key ok: %lx\n", (unsigned long)OBJECT_ID(o));
ret = CKR_OK;
out:
free(cert_data);
free(serial_data);
free(issuer_data);
free(subject_data);
return ret;
}
