[pkg-opensc-commit] [opensc] 196/295: pkcs11-tool: Do not allow to write PEM encoded certificates to cards Resolves #834

Eric Dorland eric at moszumanska.debian.org
Sat Jun 24 21:11:31 UTC 2017



eric pushed a commit to branch master
in repository opensc.

commit 74c6494f1946841c4df6e67aa451ad7e114ab018
Author: Jakub Jelen <jjelen at redhat.com>
Date:   Tue Mar 7 11:17:36 2017 +0100

    pkcs11-tool: Do not allow to write PEM encoded certificates to cards
    Resolves #834
---
 src/tools/pkcs11-tool.c | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index 6990d14..06a1f3b 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -1984,18 +1984,28 @@ gen_key(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hSecretKey
 
 #ifdef ENABLE_OPENSSL
 static void	parse_certificate(struct x509cert_info *cert,
-		unsigned char *data, int len)
+		unsigned char *data, int len, unsigned char *contents,
+		int *contents_len)
 {
 	X509 *x = NULL;
 	unsigned char *p;
 	int n;
 
-	if (!strstr((char *)data, "-----BEGIN CERTIFICATE-----"))
-		x = d2i_X509(NULL, (const unsigned char **)&data, len);
-	else {
+	if (strstr((char *)data, "-----BEGIN CERTIFICATE-----")) {
 		BIO *mem = BIO_new_mem_buf(data, len);
 		x = PEM_read_bio_X509(mem, NULL, NULL, NULL);
+		/* Update what is written to the card to be DER encoded
+		 * If we use  --attr-from  do not check anything and write
+		 * blob to the card */
+		if (contents != NULL) {
+			unsigned char *contents_pointer = contents;
+			*contents_len = i2d_X509(x, &contents_pointer);
+			if (*contents_len < 0)
+				util_fatal("Failed to convert PEM to DER");
+		}
 		BIO_free(mem);
+	} else {
+		x = d2i_X509(NULL, (const unsigned char **)&data, len);
 	}
 	if (!x) {
 		util_fatal("OpenSSL error during X509 certificate parsing");
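Review bot: The new `i2d_X509(x, &contents_pointer)` call runs before the `if (!x)` check that follows it, so a PEM blob that fails to parse reaches i2d_X509 with a NULL object; i2d_X509 reports that as 0 rather than a negative value, so the `*contents_len < 0` test does not fire and only the later `!x` check catches it. Move the NULL check ahead of the conversion, `if (!x) util_fatal("OpenSSL error during X509 certificate parsing");` directly after `PEM_read_bio_X509`, so the conversion only ever sees a parsed certificate. The DER write into `contents` is also unbounded: it is safe only because a certificate's DER form is shorter than its PEM form, which presumably holds when `contents` is the buffer the PEM was read into (not visible in this hunk); if the caller can pass a smaller buffer, size it first with `n = i2d_X509(x, NULL);` and compare against the caller's capacity before encoding. parse_certificate's body continues past the end of this hunk.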
@@ -2293,7 +2303,8 @@ static int write_object(CK_SESSION_HANDLE session)
 
 	if (need_to_parse_certdata) {
 #ifdef ENABLE_OPENSSL
-		parse_certificate(&cert, certdata, certdata_len);
+		parse_certificate(&cert, certdata, certdata_len,
+			(opt_attr_from_file ? NULL : contents), &contents_len);
 #else
 		util_fatal("No OpenSSL support, cannot parse certificate");
 #endif



