guint
_gcr_subject_public_key_calculate_size (GNode *subject_public_key)
{
GBytes *key;
GNode *params;
guint key_size = 0;
guint n_bits;
GQuark oid;
/* Figure out the algorithm */
oid = egg_asn1x_get_oid_as_quark (egg_asn1x_node (subject_public_key,
"algorithm", "algorithm", NULL));
g_return_val_if_fail (oid != 0, 0);
/* RSA keys are stored in the main subjectPublicKey field */
if (oid == GCR_OID_PKIX1_RSA) {
key = egg_asn1x_get_bits_as_raw (egg_asn1x_node (subject_public_key, "subjectPublicKey", NULL), &n_bits);
g_return_val_if_fail (key != NULL, 0);
key_size = calculate_rsa_key_size (key);
g_bytes_unref (key);
/* The DSA key size is discovered by the prime in params */
} else if (oid == GCR_OID_PKIX1_DSA) {
params = egg_asn1x_node (subject_public_key, "algorithm", "parameters", NULL);
key_size = calculate_dsa_params_size (params);
} else {
g_message ("unsupported key algorithm: %s", g_quark_to_string (oid));
}
return key_size;
}
static gint
find_certificate_extension (GkmCertificate *self, GQuark oid)
{
GQuark exoid;
GNode *node;
guint index;
g_assert (oid);
g_assert (GKM_IS_CERTIFICATE (self));
g_assert (self->pv->asn1);
for (index = 1; TRUE; ++index) {
/* Make sure it is present */
node = egg_asn1x_node (self->pv->asn1, "tbsCertificate", "extensions", index, NULL);
if (node == NULL)
break;
/* See if it's the same */
exoid = egg_asn1x_get_oid_as_quark (egg_asn1x_node (node, "extnID", NULL));
if(exoid == oid)
return index;
}
return 0;
}
static GkmXdgTrust*
create_trust_for_complete (GkmModule *module, GkmManager *manager,
CK_ATTRIBUTE_PTR cert)
{
GkmXdgTrust *trust;
GNode *asn, *ref, *node;
GBytes *bytes;
asn = egg_asn1x_create (xdg_asn1_tab, "trust-1");
g_return_val_if_fail (asn, NULL);
ref = egg_asn1x_node (asn, "reference", NULL);
node = egg_asn1x_node (ref, "certComplete", NULL);
egg_asn1x_set_choice (ref, node);
bytes = g_bytes_new (cert->pValue, cert->ulValueLen);
egg_asn1x_set_any_raw (node, bytes);
g_bytes_unref (bytes);
trust = g_object_new (GKM_XDG_TYPE_TRUST, "module", module, "manager", manager, NULL);
trust->pv->asn = asn;
/* Encode it, which validates, and so we have read access to all the data */
trust->pv->bytes = egg_asn1x_encode (asn, NULL);
if (!trust->pv->bytes) {
g_warning ("created invalid trust object: %s", egg_asn1x_message (asn));
return NULL;
}
return trust;
}
const gchar*
gkm_certificate_get_label (GkmCertificate *self)
{
gchar *label;
g_return_val_if_fail (GKM_IS_CERTIFICATE (self), "");
if (!self->pv->label) {
g_return_val_if_fail (self->pv->asn1, "");
/* Look for the CN in the certificate */
label = egg_dn_read_part (egg_asn1x_node (self->pv->asn1, "tbsCertificate", "subject", "rdnSequence", NULL), "cn");
/* Otherwise use the full DN */
if (!label)
label = egg_dn_read (egg_asn1x_node (self->pv->asn1, "tbsCertificate", "subject", "rdnSequence", NULL));
if (!label)
label = g_strdup (_("Unnamed Certificate"));
self->pv->label = label;
}
return self->pv->label;
}
static void
dump_assertion (GNode *asn)
{
gchar *purpose, *peer;
GQuark level;
purpose = egg_asn1x_get_string_as_utf8 (egg_asn1x_node (asn, "purpose", NULL), NULL);
g_return_if_fail (purpose);
level = egg_asn1x_get_enumerated (egg_asn1x_node (asn, "level", NULL));
g_return_if_fail (level);
if (egg_asn1x_have (egg_asn1x_node (asn, "peer", NULL)))
peer = egg_asn1x_get_string_as_utf8 (egg_asn1x_node (asn, "peer", NULL), NULL);
else
peer = NULL;
g_print ("Assertion\n");
g_print (" purpose: %s\n", purpose);
g_print (" level: %s\n", g_quark_to_string (level));
if (peer)
g_print (" peer: %s\n", peer);
g_free (purpose);
g_free (peer);
}
static GkmXdgTrust*
create_trust_for_reference (GkmModule *module, GkmManager *manager,
CK_ATTRIBUTE_PTR serial, CK_ATTRIBUTE_PTR issuer)
{
GkmXdgTrust *trust;
GNode *asn, *ref, *node;
asn = egg_asn1x_create (xdg_asn1_tab, "trust-1");
g_return_val_if_fail (asn, NULL);
ref = egg_asn1x_node (asn, "reference", NULL);
node = egg_asn1x_node (ref, "certReference", NULL);
egg_asn1x_set_choice (ref, node);
egg_asn1x_set_integer_as_raw (egg_asn1x_node (node, "serialNumber", NULL),
g_memdup (serial->pValue, serial->ulValueLen),
serial->ulValueLen, g_free);
egg_asn1x_set_raw_element (egg_asn1x_node (node, "issuer", NULL),
g_memdup (issuer->pValue, issuer->ulValueLen),
issuer->ulValueLen, g_free);
trust = g_object_new (GKM_XDG_TYPE_TRUST, "module", module, "manager", manager, NULL);
trust->pv->asn = asn;
/* Encode it, so we have read access to all the data */
trust->pv->data = egg_asn1x_encode (asn, NULL, &trust->pv->n_data);
if (!trust->pv->data) {
g_warning ("created invalid trust object: %s", egg_asn1x_message (asn));
return NULL;
}
return trust;
}
static const guchar*
find_extension (GNode *asn, const guchar *data, gsize n_data, const gchar *oid, gsize *n_extension)
{
const guchar *value;
GNode *node = NULL;
gchar *exoid;
guint index;
int len;
len = strlen (oid);
for (index = 1; TRUE; ++index) {
/* Make sure it is present */
node = egg_asn1x_node (asn, "tbsCertificate", "extensions", index, "extnID", NULL);
if (node == NULL)
return NULL;
exoid = egg_asn1x_get_oid_as_string (node);
g_assert (exoid);
if (strcmp (exoid, oid) == 0) {
g_free (exoid);
node = egg_asn1x_node (asn, "tbsCertificate", "extensions", index, "extnValue", NULL);
value = egg_asn1x_get_raw_value (node, n_extension);
g_assert (value);
return value;
}
g_free (exoid);
}
g_assert_not_reached ();
}
guchar*
gkm_data_der_write_private_key_dsa_params (gcry_sexp_t skey, gsize *n_params)
{
GNode *asn = NULL;
gcry_mpi_t p, q, g;
guchar *result = NULL;
p = q = g = NULL;
asn = egg_asn1x_create (pk_asn1_tab, "DSAParameters");
g_return_val_if_fail (asn, NULL);
if (!gkm_sexp_extract_mpi (skey, &p, "dsa", "p", NULL) ||
!gkm_sexp_extract_mpi (skey, &q, "dsa", "q", NULL) ||
!gkm_sexp_extract_mpi (skey, &g, "dsa", "g", NULL))
goto done;
if (!gkm_data_asn1_write_mpi (egg_asn1x_node (asn, "p", NULL), p) ||
!gkm_data_asn1_write_mpi (egg_asn1x_node (asn, "q", NULL), q) ||
!gkm_data_asn1_write_mpi (egg_asn1x_node (asn, "g", NULL), g))
goto done;
result = egg_asn1x_encode (asn, egg_secure_realloc, n_params);
if (result == NULL)
g_warning ("couldn't encode private dsa params: %s", egg_asn1x_message (asn));
done:
egg_asn1x_destroy (asn);
gcry_mpi_release (p);
gcry_mpi_release (q);
gcry_mpi_release (g);
return result;
}
guchar*
gkm_data_der_write_public_key_rsa (gcry_sexp_t s_key, gsize *len)
{
GNode *asn = NULL;
gcry_mpi_t n, e;
guchar *result = NULL;
n = e = NULL;
asn = egg_asn1x_create (pk_asn1_tab, "RSAPublicKey");
g_return_val_if_fail (asn, NULL);
if (!gkm_sexp_extract_mpi (s_key, &n, "rsa", "n", NULL) ||
!gkm_sexp_extract_mpi (s_key, &e, "rsa", "e", NULL))
goto done;
if (!gkm_data_asn1_write_mpi (egg_asn1x_node (asn, "modulus", NULL), n) ||
!gkm_data_asn1_write_mpi (egg_asn1x_node (asn, "publicExponent", NULL), e))
goto done;
result = egg_asn1x_encode (asn, NULL, len);
if (result == NULL)
g_warning ("couldn't encode public rsa key: %s", egg_asn1x_message (asn));
done:
egg_asn1x_destroy (asn);
gcry_mpi_release (n);
gcry_mpi_release (e);
return result;
}
GkmDataResult
gkm_data_der_read_public_key_info (const guchar* data, gsize n_data, gcry_sexp_t* s_key)
{
GkmDataResult ret = GKM_DATA_UNRECOGNIZED;
GQuark oid;
GNode *asn = NULL;
gsize n_params;
guint n_bits;
const guchar *params;
guchar *key = NULL;
init_quarks ();
asn = egg_asn1x_create_and_decode (pkix_asn1_tab, "SubjectPublicKeyInfo", data, n_data);
if (!asn)
goto done;
ret = GKM_DATA_FAILURE;
/* Figure out the algorithm */
oid = egg_asn1x_get_oid_as_quark (egg_asn1x_node (asn, "algorithm", "algorithm", NULL));
if (!oid)
goto done;
/* A bit string so we cannot process in place */
key = egg_asn1x_get_bits_as_raw (egg_asn1x_node (asn, "subjectPublicKey", NULL), NULL, &n_bits);
if (!key)
goto done;
/* An RSA key is simple */
if (oid == OID_PKIX1_RSA) {
ret = gkm_data_der_read_public_key_rsa (key, n_bits / 8, s_key);
/* A DSA key paramaters are stored separately */
} else if (oid == OID_PKIX1_DSA) {
params = egg_asn1x_get_raw_element (egg_asn1x_node (asn, "algorithm", "parameters", NULL), &n_params);
if (!params)
goto done;
ret = gkm_data_der_read_public_key_dsa_parts (key, n_bits / 8, params, n_params, s_key);
} else {
g_message ("unsupported key algorithm in certificate: %s", g_quark_to_string (oid));
ret = GKM_DATA_UNRECOGNIZED;
goto done;
}
done:
egg_asn1x_destroy (asn);
g_free (key);
if (ret == GKM_DATA_FAILURE)
g_message ("invalid subject public-key info");
return ret;
}
GkmDataResult
gkm_data_der_read_private_key_dsa_parts (const guchar *keydata, gsize n_keydata,
const guchar *params, gsize n_params,
gcry_sexp_t *s_key)
{
gcry_mpi_t p, q, g, y, x;
GkmDataResult ret = GKM_DATA_UNRECOGNIZED;
int res;
GNode *asn_params = NULL;
GNode *asn_key = NULL;
p = q = g = y = x = NULL;
asn_params = egg_asn1x_create_and_decode (pk_asn1_tab, "DSAParameters", params, n_params);
asn_key = egg_asn1x_create_and_decode (pk_asn1_tab, "DSAPrivatePart", keydata, n_keydata);
if (!asn_params || !asn_key)
goto done;
ret = GKM_DATA_FAILURE;
if (!gkm_data_asn1_read_mpi (egg_asn1x_node (asn_params, "p", NULL), &p) ||
!gkm_data_asn1_read_mpi (egg_asn1x_node (asn_params, "q", NULL), &q) ||
!gkm_data_asn1_read_mpi (egg_asn1x_node (asn_params, "g", NULL), &g))
goto done;
if (!gkm_data_asn1_read_mpi (asn_key, &x))
goto done;
/* Now we calculate y */
y = gcry_mpi_snew (1024);
gcry_mpi_powm (y, g, x, p);
res = gcry_sexp_build (s_key, NULL, SEXP_PRIVATE_DSA, p, q, g, y, x);
if (res)
goto done;
g_assert (*s_key);
ret = GKM_DATA_SUCCESS;
done:
egg_asn1x_destroy (asn_key);
egg_asn1x_destroy (asn_params);
gcry_mpi_release (p);
gcry_mpi_release (q);
gcry_mpi_release (g);
gcry_mpi_release (y);
gcry_mpi_release (x);
if (ret == GKM_DATA_FAILURE)
g_message ("invalid DSA key");
return ret;
}
static gboolean
load_assertions (GkmXdgTrust *self, GNode *asn)
{
gconstpointer element;
GHashTable *assertions;
GkmAssertion *assertion;
gsize n_element;
GByteArray *key;
GNode *node;
guint count, i;
g_assert (self);
g_assert (asn);
assertions = self->pv->assertions;
self->pv->assertions = create_assertions ();
count = egg_asn1x_count (egg_asn1x_node (asn, "assertions", NULL));
for (i = 0; i < count; ++i) {
node = egg_asn1x_node (asn, "assertions", i + 1, NULL);
g_return_val_if_fail (node, FALSE);
/* We use the raw DER encoding as an assertion */
element = egg_asn1x_get_raw_element (node, &n_element);
g_return_val_if_fail (node, FALSE);
/* Double check that this is valid, because it's how we hash */
key = g_byte_array_new ();
g_byte_array_append (key, element, n_element);
/* Already have this assertion? */
assertion = g_hash_table_lookup (assertions, key);
if (assertion) {
if (!g_hash_table_steal (assertions, key))
g_assert_not_reached ();
/* Create a new assertion */
} else {
assertion = create_assertion (self, node);
}
add_assertion_to_trust (self, assertion, NULL);
g_byte_array_unref (key);
g_object_unref (assertion);
}
/* Override the stored assertions and netscape trust */
g_hash_table_remove_all (assertions);
g_hash_table_unref (assertions);
return TRUE;
}
static gboolean
rsa_subject_public_key_from_attributes (GckAttributes *attrs,
GNode *info_asn)
{
const GckAttribute *modulus;
const GckAttribute *exponent;
GNode *key_asn;
GNode *params_asn;
GBytes *key;
GBytes *usg;
modulus = gck_attributes_find (attrs, CKA_MODULUS);
exponent = gck_attributes_find (attrs, CKA_PUBLIC_EXPONENT);
if (modulus == NULL || gck_attribute_is_invalid (modulus) ||
exponent == NULL || gck_attribute_is_invalid (exponent))
return FALSE;
key_asn = egg_asn1x_create (pk_asn1_tab, "RSAPublicKey");
g_return_val_if_fail (key_asn, FALSE);
params_asn = egg_asn1x_create (pk_asn1_tab, "RSAParameters");
g_return_val_if_fail (params_asn, FALSE);
usg = g_bytes_new_with_free_func (modulus->value, modulus->length,
gck_attributes_unref,
gck_attributes_ref (attrs));
egg_asn1x_set_integer_as_usg (egg_asn1x_node (key_asn, "modulus", NULL), usg);
g_bytes_unref (usg);
usg = g_bytes_new_with_free_func (exponent->value, exponent->length,
gck_attributes_unref,
gck_attributes_ref (attrs));
egg_asn1x_set_integer_as_usg (egg_asn1x_node (key_asn, "publicExponent", NULL), usg);
g_bytes_unref (usg);
key = egg_asn1x_encode (key_asn, NULL);
egg_asn1x_destroy (key_asn);
egg_asn1x_set_null (params_asn);
egg_asn1x_set_bits_as_raw (egg_asn1x_node (info_asn, "subjectPublicKey", NULL),
key, g_bytes_get_size (key) * 8);
egg_asn1x_set_oid_as_quark (egg_asn1x_node (info_asn, "algorithm", "algorithm", NULL), GCR_OID_PKIX1_RSA);
egg_asn1x_set_any_from (egg_asn1x_node (info_asn, "algorithm", "parameters", NULL), params_asn);
egg_asn1x_destroy (params_asn);
g_bytes_unref (key);
return TRUE;
}
static gboolean
append_extension (GcrCertificateDetailsWidget *self, GNode *asn,
const guchar *data, gsize n_data, gint index)
{
GQuark oid;
gchar *display;
gsize n_value;
const guchar *value;
const gchar *text;
gboolean critical;
GNode *node;
/* Make sure it is present */
asn = egg_asn1x_node (asn, "tbsCertificate", "extensions", index, NULL);
if (asn == NULL)
return FALSE;
/* Dig out the OID */
oid = egg_asn1x_get_oid_as_quark (egg_asn1x_node (asn, "extnID", NULL));
g_return_val_if_fail (oid, FALSE);
append_heading (self, _("Extension"));
/* Extension type */
text = egg_oid_get_description (oid);
append_field_and_value (self, _("Identifier"), text, FALSE);
/* Extension value */
value = egg_asn1x_get_raw_value (egg_asn1x_node (asn, "extnValue", NULL), &n_value);
/* TODO: Parsing of extensions that we understand */
display = egg_hex_encode_full (value, n_value, TRUE, ' ', 1);
append_field_and_value (self, _("Value"), display, TRUE);
g_free (display);
/* Critical */
node = egg_asn1x_node (asn, "critical", NULL);
if (node != NULL) {
if (egg_asn1x_get_boolean (node, &critical))
append_field_and_value (self, _("Critical"), critical ? _("Yes") : _("No"), FALSE);
}
return TRUE;
}
GkmDataResult
gkm_data_der_read_public_key_dsa_parts (const guchar *keydata, gsize n_keydata,
const guchar *params, gsize n_params,
gcry_sexp_t *s_key)
{
gcry_mpi_t p, q, g, y;
GkmDataResult ret = GKM_DATA_UNRECOGNIZED;
GNode *asn_params = NULL;
GNode *asn_key = NULL;
int res;
p = q = g = y = NULL;
asn_params = egg_asn1x_create_and_decode (pk_asn1_tab, "DSAParameters", params, n_params);
asn_key = egg_asn1x_create_and_decode (pk_asn1_tab, "DSAPublicPart", keydata, n_keydata);
if (!asn_params || !asn_key)
goto done;
ret = GKM_DATA_FAILURE;
if (!gkm_data_asn1_read_mpi (egg_asn1x_node (asn_params, "p", NULL), &p) ||
!gkm_data_asn1_read_mpi (egg_asn1x_node (asn_params, "q", NULL), &q) ||
!gkm_data_asn1_read_mpi (egg_asn1x_node (asn_params, "g", NULL), &g))
goto done;
if (!gkm_data_asn1_read_mpi (asn_key, &y))
goto done;
res = gcry_sexp_build (s_key, NULL, SEXP_PUBLIC_DSA, p, q, g, y);
if (res)
goto done;
g_assert (*s_key);
ret = GKM_DATA_SUCCESS;
done:
egg_asn1x_destroy (asn_key);
egg_asn1x_destroy (asn_params);
gcry_mpi_release (p);
gcry_mpi_release (q);
gcry_mpi_release (g);
gcry_mpi_release (y);
if (ret == GKM_DATA_FAILURE)
g_message ("invalid DSA key");
return ret;
}
static CK_RV
trust_get_integer (GkmXdgTrust *self, const gchar *part, CK_ATTRIBUTE_PTR attr)
{
GNode *node;
gpointer integer;
gsize n_integer;
CK_RV rv;
g_assert (GKM_XDG_IS_TRUST (self));
node = egg_asn1x_node (self->pv->asn, "reference", "certReference", part, NULL);
g_return_val_if_fail (node, CKR_GENERAL_ERROR);
/* If the assertion doesn't contain this info ... */
if (!egg_asn1x_have (node))
return CKR_ATTRIBUTE_TYPE_INVALID;
integer = egg_asn1x_get_integer_as_raw (node, NULL, &n_integer);
g_return_val_if_fail (integer, CKR_GENERAL_ERROR);
rv = gkm_attribute_set_data (attr, integer, n_integer);
g_free (integer);
return rv;
}
static void
on_ca_certificate_public_key_info (GQuark type, const guchar *data, gsize n_data,
GHashTable *headers, gpointer user_data)
{
GNode *asn1 = NULL;
GkmDataResult res;
gpointer keydata;
gsize n_keydata;
gcry_sexp_t sexp;
g_assert (g_quark_try_string ("CERTIFICATE") == type);
/* Parse the ASN1 data */
res = gkm_data_der_read_certificate (data, n_data, &asn1);
g_assert (res == GKM_DATA_SUCCESS);
/* Generate a raw public key from our certificate */
keydata = egg_asn1x_encode (egg_asn1x_node (asn1, "tbsCertificate", "subjectPublicKeyInfo", NULL), NULL, &n_keydata);
g_assert (keydata);
/* Now create us a nice public key with that identifier */
res = gkm_data_der_read_public_key_info (keydata, n_keydata, &sexp);
g_assert (res == GKM_DATA_SUCCESS || res == GKM_DATA_UNRECOGNIZED);
if (res == GKM_DATA_SUCCESS)
gcry_sexp_release (sexp);
g_free (keydata);
}
static CK_RV
trust_get_integer (GkmXdgTrust *self, const gchar *part, CK_ATTRIBUTE_PTR attr)
{
GNode *node;
GBytes *integer;
CK_RV rv;
g_assert (GKM_XDG_IS_TRUST (self));
node = egg_asn1x_node (self->pv->asn, "reference", "certReference", part, NULL);
g_return_val_if_fail (node, CKR_GENERAL_ERROR);
/* If the assertion doesn't contain this info ... */
if (!egg_asn1x_have (node)) {
gkm_debug ("CKR_ATTRIBUTE_TYPE_INVALID: %s wants %s which is not part of assertion",
gkm_log_attr_type (attr->type), part);
return CKR_ATTRIBUTE_TYPE_INVALID;
}
integer = egg_asn1x_get_integer_as_raw (node);
g_return_val_if_fail (integer, CKR_GENERAL_ERROR);
rv = gkm_attribute_set_bytes (attr, integer);
g_bytes_unref (integer);
return rv;
}
static CK_RV
trust_get_complete (GkmXdgTrust *self, CK_ATTRIBUTE_PTR attr)
{
GNode *cert;
GBytes *element;
CK_RV rv;
cert = egg_asn1x_node (self->pv->asn, "reference", "certComplete", NULL);
g_return_val_if_fail (cert, CKR_GENERAL_ERROR);
/* If it's not stored, then this attribute is not present */
if (!egg_asn1x_have (cert)) {
gkm_debug ("CKR_ATTRIBUTE_TYPE_INVALID: %s wants certComplete which is not part of assertion",
gkm_log_attr_type (attr->type));
return CKR_ATTRIBUTE_TYPE_INVALID;
}
element = egg_asn1x_get_element_raw (cert);
g_return_val_if_fail (element != NULL, CKR_GENERAL_ERROR);
rv = gkm_attribute_set_bytes (attr, element);
g_bytes_unref (element);
return rv;
}
static GNode *
cert_subject_public_key_from_attributes (GckAttributes *attributes)
{
const GckAttribute *attr;
GBytes *bytes;
GNode *cert;
GNode *asn;
attr = gck_attributes_find (attributes, CKA_VALUE);
if (attr == NULL || gck_attribute_is_invalid (attr)) {
_gcr_debug ("no value attribute for certificate");
return NULL;
}
bytes = g_bytes_new_with_free_func (attr->value, attr->length,
gck_attributes_unref,
gck_attributes_ref (attributes));
cert = egg_asn1x_create_and_decode (pkix_asn1_tab, "Certificate", bytes);
g_bytes_unref (bytes);
if (cert == NULL) {
_gcr_debug ("couldn't parse certificate value");
return NULL;
}
asn = egg_asn1x_node (cert, "tbsCertificate", "subjectPublicKeyInfo", NULL);
g_return_val_if_fail (asn != NULL, NULL);
/* Remove the subject public key out of the certificate */
g_node_unlink (asn);
egg_asn1x_destroy (cert);
return asn;
}
GkmDataResult
gkm_data_der_read_enhanced_usage (const guchar *data, gsize n_data, GQuark **usage_oids)
{
GkmDataResult ret = GKM_DATA_UNRECOGNIZED;
GNode *asn = NULL;
GNode *node;
GArray *array;
GQuark oid;
int i;
asn = egg_asn1x_create_and_decode (pkix_asn1_tab, "ExtKeyUsageSyntax", data, n_data);
if (!asn)
goto done;
ret = GKM_DATA_FAILURE;
array = g_array_new (TRUE, TRUE, sizeof (GQuark));
for (i = 0; TRUE; ++i) {
node = egg_asn1x_node (asn, i + 1, NULL);
if (node == NULL)
break;
oid = egg_asn1x_get_oid_as_quark (node);
g_array_append_val (array, oid);
}
*usage_oids = (GQuark*)g_array_free (array, FALSE);
ret = GKM_DATA_SUCCESS;
done:
egg_asn1x_destroy (asn);
return ret;
}
int
main(int argc, char* argv[])
{
GError *err = NULL;
gchar *contents;
gsize n_contents;
GNode *asn, *node;
gint i, count;
if (argc != 2) {
g_printerr ("usage: dump-trust-file file\n");
return 2;
}
if (!g_file_get_contents (argv[1], &contents, &n_contents, &err))
barf_and_die ("couldn't load file", egg_error_message (err));
asn = egg_asn1x_create (xdg_asn1_tab, "trust-1");
g_return_val_if_fail (asn, 1);
if (!egg_asn1x_decode (asn, contents, n_contents))
barf_and_die ("couldn't parse file", egg_asn1x_message (asn));
/* Print out the certificate we refer to first */
node = egg_asn1x_node (asn, "reference", "certReference", NULL);
if (egg_asn1x_have (node)) {
dump_certificate_reference (node);
} else {
node = egg_asn1x_node (asn, "reference", "certComplete", NULL);
if (egg_asn1x_have (node))
dump_certificate_complete (node);
else
barf_and_die ("unsupported certificate reference", NULL);
}
/* Then the assertions */
count = egg_asn1x_count (egg_asn1x_node (asn, "assertions", NULL));
for (i = 0; i < count; ++i) {
node = egg_asn1x_node (asn, "assertions", i + 1, NULL);
dump_assertion (node);
}
egg_asn1x_destroy (asn);
g_free (contents);
return 0;
}
static gboolean
load_assertions (GkmXdgTrust *self, GNode *asn)
{
GHashTable *assertions;
GkmAssertion *assertion;
GBytes *key;
GNode *node;
guint count, i;
g_assert (self);
g_assert (asn);
assertions = self->pv->assertions;
self->pv->assertions = create_assertions ();
count = egg_asn1x_count (egg_asn1x_node (asn, "assertions", NULL));
for (i = 0; i < count; ++i) {
node = egg_asn1x_node (asn, "assertions", i + 1, NULL);
g_return_val_if_fail (node != NULL, FALSE);
/* We use the raw DER encoding as an assertion */
key = egg_asn1x_get_element_raw (node);
g_return_val_if_fail (key != NULL, FALSE);
/* Already have this assertion? */
assertion = g_hash_table_lookup (assertions, key);
if (assertion) {
if (!g_hash_table_steal (assertions, key))
g_assert_not_reached ();
/* Create a new assertion */
} else {
assertion = create_assertion (self, node);
}
add_assertion_to_trust (self, assertion, NULL);
g_bytes_unref (key);
g_object_unref (assertion);
}
/* Override the stored assertions and netscape trust */
g_hash_table_remove_all (assertions);
g_hash_table_unref (assertions);
return TRUE;
}
static gboolean
prepare_subject_public_key_and_mechanisms (GcrCertificateRequest *self,
GNode *subject_public_key,
GQuark *algorithm,
const gulong **mechanisms,
gsize *n_mechanisms,
GError **error)
{
GBytes *encoded;
GNode *node;
GQuark oid;
g_assert (algorithm != NULL);
g_assert (mechanisms != NULL);
g_assert (n_mechanisms != NULL);
encoded = egg_asn1x_encode (subject_public_key, NULL);
g_return_val_if_fail (encoded != NULL, FALSE);
node = egg_asn1x_node (subject_public_key, "algorithm", "algorithm", NULL);
oid = egg_asn1x_get_oid_as_quark (node);
if (oid == GCR_OID_PKIX1_RSA) {
*mechanisms = RSA_MECHANISMS;
*n_mechanisms = G_N_ELEMENTS (RSA_MECHANISMS);
*algorithm = GCR_OID_PKIX1_SHA1_WITH_RSA;
} else if (oid == GCR_OID_PKIX1_DSA) {
*mechanisms = DSA_MECHANISMS;
*n_mechanisms = G_N_ELEMENTS (DSA_MECHANISMS);
*algorithm = GCR_OID_PKIX1_SHA1_WITH_DSA;
} else {
g_bytes_unref (encoded);
g_set_error (error, GCR_DATA_ERROR, GCR_ERROR_UNRECOGNIZED,
_("Unsupported key type for certificate request"));
return FALSE;
}
node = egg_asn1x_node (self->asn, "certificationRequestInfo", "subjectPKInfo", NULL);
if (!egg_asn1x_decode (node, encoded))
g_return_val_if_reached (FALSE);
g_bytes_unref (encoded);
return TRUE;
}
/**
* gcr_certificate_request_set_cn:
* @self: the certificate request
* @cn: common name to set on the request
*
* Set the common name encoded in the certificate request.
*/
void
gcr_certificate_request_set_cn (GcrCertificateRequest *self,
const gchar *cn)
{
GNode *subject;
GNode *dn;
g_return_if_fail (GCR_IS_CERTIFICATE_REQUEST (self));
g_return_if_fail (cn != NULL);
subject = egg_asn1x_node (self->asn, "certificationRequestInfo", "subject", NULL);
dn = egg_asn1x_node (subject, "rdnSequence", NULL);
/* TODO: we shouldn't really be clearing this, but replacing CN */
egg_asn1x_set_choice (subject, dn);
egg_asn1x_clear (dn);
egg_dn_add_string_part (dn, GCR_OID_NAME_CN, cn);
}
GkmDataResult
gkm_data_der_read_private_key_dsa (GBytes *data,
gcry_sexp_t *s_key)
{
gcry_mpi_t p, q, g, y, x;
GkmDataResult ret = GKM_DATA_UNRECOGNIZED;
int res;
GNode *asn = NULL;
p = q = g = y = x = NULL;
asn = egg_asn1x_create_and_decode (pk_asn1_tab, "DSAPrivateKey", data);
if (!asn)
goto done;
ret = GKM_DATA_FAILURE;
if (!gkm_data_asn1_read_mpi (egg_asn1x_node (asn, "p", NULL), &p) ||
!gkm_data_asn1_read_mpi (egg_asn1x_node (asn, "q", NULL), &q) ||
!gkm_data_asn1_read_mpi (egg_asn1x_node (asn, "g", NULL), &g) ||
!gkm_data_asn1_read_mpi (egg_asn1x_node (asn, "Y", NULL), &y) ||
!gkm_data_asn1_read_mpi (egg_asn1x_node (asn, "priv", NULL), &x))
goto done;
res = gcry_sexp_build (s_key, NULL, SEXP_PRIVATE_DSA, p, q, g, y, x);
if (res)
goto done;
g_assert (*s_key);
ret = GKM_DATA_SUCCESS;
done:
egg_asn1x_destroy (asn);
gcry_mpi_release (p);
gcry_mpi_release (q);
gcry_mpi_release (g);
gcry_mpi_release (y);
gcry_mpi_release (x);
if (ret == GKM_DATA_FAILURE)
g_message ("invalid DSA key");
return ret;
}
static void
test_asn1_bit_string (Test *test, gconstpointer unused)
{
GNode *asn;
GBytes *data;
gboolean ret;
GBytes *source, *target;
gsize target_bits, source_bits;
asn = egg_asn1x_create (test_asn1_tab, "TestBitString");
g_assert ("asn test structure is null" && asn != NULL);
/* Create a string */
source = g_bytes_new (TEST_STRING, strlen(TEST_STRING));
g_return_if_fail (source);
source_bits = g_bytes_get_size(source)*8;
/* Write the string out */
ret = gkm_data_asn1_write_bit_string (egg_asn1x_node (asn, "data", NULL),
source, source_bits);
g_assert ("couldn't write string to asn1" && ret);
/* Now encode the whole caboodle */
data = egg_asn1x_encode (asn, NULL);
g_assert ("encoding asn1 didn't work" && data != NULL);
egg_asn1x_destroy (asn);
/* Now decode it all nicely */
asn = egg_asn1x_create_and_decode (test_asn1_tab, "TestBitString", data);
g_assert (asn != NULL);
ret = gkm_data_asn1_read_bit_string (egg_asn1x_node (asn, "data", NULL),
&target, &target_bits);
egg_asn1x_destroy (asn);
g_assert ("couldn't read bit string from asn1" && ret);
g_assert ("bit string returned is null" && target != NULL);
g_assert ("Source and target length differ" && target_bits == source_bits);
g_assert ("Bit strings differ" && g_bytes_equal (source, target));
g_bytes_unref (data);
g_bytes_unref (source);
g_bytes_unref (target);
}
static void
create_trust_file_for_certificate (const gchar *filename, const gchar *certificate)
{
GError *err = NULL;
GNode *asn, *cert, *choice, *ref;
GBytes *bytes, *result;
gchar *data;
gsize n_data;
if (!g_file_get_contents (certificate, &data, &n_data, &err))
barf_and_die ("couldn't read certificate file", egg_error_message (err));
/* Make sure the certificate is */
cert = egg_asn1x_create (pkix_asn1_tab, "Certificate");
g_return_if_fail (cert);
bytes = g_bytes_new_take (data, n_data);
if (!egg_asn1x_decode (cert, bytes))
barf_and_die ("couldn't parse der certificate file", egg_asn1x_message (cert));
asn = egg_asn1x_create (xdg_asn1_tab, "trust-1");
g_return_if_fail (asn);
ref = egg_asn1x_node (asn, "reference", NULL);
choice = egg_asn1x_node (ref, "certComplete", NULL);
if (!egg_asn1x_set_choice (ref, choice) || !egg_asn1x_set_any_raw (choice, bytes))
g_return_if_reached ();
g_bytes_unref (bytes);
result = egg_asn1x_encode (asn, NULL);
if (result == NULL)
barf_and_die ("couldn't encode the trust file", egg_asn1x_message (asn));
egg_asn1x_destroy (asn);
egg_asn1x_destroy (cert);
if (!g_file_set_contents (filename, g_bytes_get_data (result, NULL),
g_bytes_get_size (result), &err))
barf_and_die ("couldn't write trust file", egg_error_message (err));
g_bytes_unref (result);
}
static GkmAssertion*
create_assertion (GkmXdgTrust *self, GNode *asn)
{
CK_X_ASSERTION_TYPE type = 0;
GkmAssertion *assertion;
GQuark level;
gchar *purpose;
gchar *peer;
GNode *node;
/* Get the trust level */
level = egg_asn1x_get_enumerated (egg_asn1x_node (asn, "level", NULL));
g_return_val_if_fail (level != 0, NULL);
if (!level_enum_to_assertion_type (level, &type))
g_message ("unsupported trust level %s in trust object", g_quark_to_string (level));
else if (type == 0)
return NULL;
/* A purpose */
purpose = egg_asn1x_get_string_as_utf8 (egg_asn1x_node (asn, "purpose", NULL), NULL);
g_return_val_if_fail (purpose, NULL);
/* A peer name */
node = egg_asn1x_node (asn, "peer", NULL);
if (egg_asn1x_have (node))
peer = egg_asn1x_get_string_as_utf8 (node, NULL);
else
peer = NULL;
assertion = g_object_new (GKM_XDG_TYPE_ASSERTION,
"module", gkm_object_get_module (GKM_OBJECT (self)),
"manager", gkm_object_get_manager (GKM_OBJECT (self)),
"trust", self,
"type", type,
"purpose", purpose,
"peer", peer,
NULL);
g_free (purpose);
g_free (peer);
return assertion;
}
static gconstpointer
_gcr_certificate_get_subject_const (GcrCertificate *self, gsize *n_data)
{
GcrCertificateInfo *info;
info = certificate_info_load (self);
g_return_val_if_fail (info, NULL);
return egg_asn1x_get_raw_element (egg_asn1x_node (info->asn1, "tbsCertificate", "subject", NULL), n_data);
}
