static CK_RV trust_get_complete (GkmXdgTrust *self, CK_ATTRIBUTE_PTR attr) { GNode *cert; GBytes *element; CK_RV rv; cert = egg_asn1x_node (self->pv->asn, "reference", "certComplete", NULL); g_return_val_if_fail (cert, CKR_GENERAL_ERROR); /* If it's not stored, then this attribute is not present */ if (!egg_asn1x_have (cert)) { gkm_debug ("CKR_ATTRIBUTE_TYPE_INVALID: %s wants certComplete which is not part of assertion", gkm_log_attr_type (attr->type)); return CKR_ATTRIBUTE_TYPE_INVALID; } element = egg_asn1x_get_element_raw (cert); g_return_val_if_fail (element != NULL, CKR_GENERAL_ERROR); rv = gkm_attribute_set_bytes (attr, element); g_bytes_unref (element); return rv; }
static CK_RV trust_get_der (GkmXdgTrust *self, const gchar *part, CK_ATTRIBUTE_PTR attr) { GNode *node; GBytes *element; CK_RV rv; g_assert (GKM_XDG_IS_TRUST (self)); node = egg_asn1x_node (self->pv->asn, "reference", "certReference", part, NULL); g_return_val_if_fail (node, CKR_GENERAL_ERROR); /* If the assertion doesn't contain this info ... */ if (!egg_asn1x_have (node)) { gkm_debug ("CKR_ATTRIBUTE_TYPE_INVALID: %s wants %s which is not part of assertion", gkm_log_attr_type (attr->type), part); return CKR_ATTRIBUTE_TYPE_INVALID; } element = egg_asn1x_get_element_raw (node); rv = gkm_attribute_set_bytes (attr, element); g_bytes_unref (element); return rv; }
static EggBytes * _gcr_certificate_get_subject_const (GcrCertificate *self) { GcrCertificateInfo *info; g_return_val_if_fail (GCR_IS_CERTIFICATE (self), NULL); info = certificate_info_load (self); g_return_val_if_fail (info, NULL); return egg_asn1x_get_element_raw (egg_asn1x_node (info->asn1, "tbsCertificate", "subject", NULL)); }
static gboolean load_assertions (GkmXdgTrust *self, GNode *asn) { GHashTable *assertions; GkmAssertion *assertion; GBytes *key; GNode *node; guint count, i; g_assert (self); g_assert (asn); assertions = self->pv->assertions; self->pv->assertions = create_assertions (); count = egg_asn1x_count (egg_asn1x_node (asn, "assertions", NULL)); for (i = 0; i < count; ++i) { node = egg_asn1x_node (asn, "assertions", i + 1, NULL); g_return_val_if_fail (node != NULL, FALSE); /* We use the raw DER encoding as an assertion */ key = egg_asn1x_get_element_raw (node); g_return_val_if_fail (key != NULL, FALSE); /* Already have this assertion? */ assertion = g_hash_table_lookup (assertions, key); if (assertion) { if (!g_hash_table_steal (assertions, key)) g_assert_not_reached (); /* Create a new assertion */ } else { assertion = create_assertion (self, node); } add_assertion_to_trust (self, assertion, NULL); g_bytes_unref (key); g_object_unref (assertion); } /* Override the stored assertions and netscape trust */ g_hash_table_remove_all (assertions); g_hash_table_unref (assertions); return TRUE; }
static void create_trust_file_for_issuer_and_serial (const gchar *filename, const gchar *certificate) { GError *err = NULL; GNode *asn, *cert, *choice, *ref; GNode *issuer, *serial; gchar *data; GBytes *result; GBytes *value; GBytes *element; gsize n_data; GBytes *bytes; if (!g_file_get_contents (certificate, &data, &n_data, &err)) barf_and_die ("couldn't read certificate file", egg_error_message (err)); /* Make sure the certificate is */ cert = egg_asn1x_create (pkix_asn1_tab, "Certificate"); g_return_if_fail (cert); bytes = g_bytes_new_take (data, n_data); if (!egg_asn1x_decode (cert, bytes)) barf_and_die ("couldn't parse der certificate file", egg_asn1x_message (cert)); g_bytes_unref (bytes); /* Dig out the issuer and serial */ issuer = egg_asn1x_node (cert, "tbsCertificate", "issuer", NULL); serial = egg_asn1x_node (cert, "tbsCertificate", "serialNumber", NULL); g_return_if_fail (issuer && serial); /* Create up the trust structure */ asn = egg_asn1x_create (xdg_asn1_tab, "trust-1"); g_return_if_fail (asn); /* Setup the type of trust assertion */ ref = egg_asn1x_node (asn, "reference", NULL); choice = egg_asn1x_node (ref, "certReference", NULL); if (!egg_asn1x_set_choice (ref, choice)) g_return_if_reached (); /* Copy over the serial and issuer */ element = egg_asn1x_get_element_raw (issuer); if (!egg_asn1x_set_any_raw (egg_asn1x_node (choice, "issuer", NULL), element)) g_return_if_reached (); g_bytes_unref (element); value = egg_asn1x_get_integer_as_raw (serial); egg_asn1x_set_integer_as_raw (egg_asn1x_node (choice, "serialNumber", NULL), value); g_bytes_unref (value); result = egg_asn1x_encode (asn, NULL); if (result == NULL) barf_and_die ("couldn't encode the trust file", egg_asn1x_message (asn)); g_free (data); egg_asn1x_destroy (cert); egg_asn1x_destroy (asn); if (!g_file_set_contents (filename, g_bytes_get_data (result, NULL), g_bytes_get_size (result), &err)) barf_and_die ("couldn't write trust file", egg_error_message (err)); g_bytes_unref (result); }
GkmDataResult gkm_data_der_read_private_pkcs8_plain (GBytes *data, gcry_sexp_t *s_key) { GNode *asn = NULL; GkmDataResult ret; int algorithm; GQuark key_algo; GBytes *keydata = NULL; GBytes *params = NULL; ret = GKM_DATA_UNRECOGNIZED; init_quarks (); asn = egg_asn1x_create_and_decode (pkix_asn1_tab, "pkcs-8-PrivateKeyInfo", data); if (!asn) goto done; ret = GKM_DATA_FAILURE; algorithm = 0; key_algo = egg_asn1x_get_oid_as_quark (egg_asn1x_node (asn, "privateKeyAlgorithm", "algorithm", NULL)); if (!key_algo) goto done; else if (key_algo == OID_PKIX1_RSA) algorithm = GCRY_PK_RSA; else if (key_algo == OID_PKIX1_DSA) algorithm = GCRY_PK_DSA; if (!algorithm) { ret = GKM_DATA_UNRECOGNIZED; goto done; } keydata = egg_asn1x_get_string_as_bytes (egg_asn1x_node (asn, "privateKey", NULL)); if (!keydata) goto done; params = egg_asn1x_get_element_raw (egg_asn1x_node (asn, "privateKeyAlgorithm", "parameters", NULL)); ret = GKM_DATA_SUCCESS; done: if (ret == GKM_DATA_SUCCESS) { switch (algorithm) { case GCRY_PK_RSA: ret = gkm_data_der_read_private_key_rsa (keydata, s_key); break; case GCRY_PK_DSA: /* Try the normal one block format */ ret = gkm_data_der_read_private_key_dsa (keydata, s_key); /* Otherwise try the two part format that everyone seems to like */ if (ret == GKM_DATA_UNRECOGNIZED && params) ret = gkm_data_der_read_private_key_dsa_parts (keydata, params, s_key); break; default: g_message ("invalid or unsupported key type in PKCS#8 key"); ret = GKM_DATA_UNRECOGNIZED; break; }; } else if (ret == GKM_DATA_FAILURE) { g_message ("invalid PKCS#8 key"); } if (params) g_bytes_unref (params); if (keydata) g_bytes_unref (keydata); egg_asn1x_destroy (asn); return ret; }
GkmDataResult gkm_data_der_read_public_key_info (GBytes *data, gcry_sexp_t* s_key) { GkmDataResult ret = GKM_DATA_UNRECOGNIZED; GQuark oid; GNode *asn = NULL; GBytes *params; GBytes *key = NULL; guint n_bits; init_quarks (); asn = egg_asn1x_create_and_decode (pkix_asn1_tab, "SubjectPublicKeyInfo", data); if (!asn) goto done; ret = GKM_DATA_FAILURE; /* Figure out the algorithm */ oid = egg_asn1x_get_oid_as_quark (egg_asn1x_node (asn, "algorithm", "algorithm", NULL)); if (!oid) goto done; /* A bit string so we cannot process in place */ key = egg_asn1x_get_bits_as_raw (egg_asn1x_node (asn, "subjectPublicKey", NULL), &n_bits); if (!key) goto done; if (n_bits % 8 != 0) { g_message ("invalid bit length for public key: %u", n_bits); goto done; } /* An RSA key is simple */ if (oid == OID_PKIX1_RSA) { ret = gkm_data_der_read_public_key_rsa (key, s_key); /* A DSA key paramaters are stored separately */ } else if (oid == OID_PKIX1_DSA) { params = egg_asn1x_get_element_raw (egg_asn1x_node (asn, "algorithm", "parameters", NULL)); if (!params) goto done; ret = gkm_data_der_read_public_key_dsa_parts (key, params, s_key); g_bytes_unref (params); } else { g_message ("unsupported key algorithm in certificate: %s", g_quark_to_string (oid)); ret = GKM_DATA_UNRECOGNIZED; goto done; } done: egg_asn1x_destroy (asn); if (key) g_bytes_unref (key); if (ret == GKM_DATA_FAILURE) g_message ("invalid subject public-key info"); return ret; }