[pkg-opensc-commit] [opensc] 196/295: pkcs11-tool: Do not allow to write PEM encoded certificates to cards Resolves #834
Eric Dorland
eric at moszumanska.debian.org
Sat Jun 24 21:11:31 UTC 2017
commit 74c6494f1946841c4df6e67aa451ad7e114ab018
Author: Jakub Jelen <jjelen at redhat.com>
Date: Tue Mar 7 11:17:36 2017 +0100
pkcs11-tool: Do not allow to write PEM encoded certificates to cards
Resolves #834
---
src/tools/pkcs11-tool.c | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index 6990d14..06a1f3b 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -1984,18 +1984,28 @@ gen_key(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hSecretKey
#ifdef ENABLE_OPENSSL
static void parse_certificate(struct x509cert_info *cert,
- unsigned char *data, int len)
+ unsigned char *data, int len, unsigned char *contents,
+ int *contents_len)
{
X509 *x = NULL;
unsigned char *p;
int n;
- if (!strstr((char *)data, "-----BEGIN CERTIFICATE-----"))
- x = d2i_X509(NULL, (const unsigned char **)&data, len);
- else {
+ if (strstr((char *)data, "-----BEGIN CERTIFICATE-----")) {
BIO *mem = BIO_new_mem_buf(data, len);
x = PEM_read_bio_X509(mem, NULL, NULL, NULL);
+ /* Update what is written to the card to be DER encoded
+ * If we use --attr-from do not check anything and write
+ * blob to the card */
+ if (contents != NULL) {
+ unsigned char *contents_pointer = contents;
+ *contents_len = i2d_X509(x, &contents_pointer);
+ if (*contents_len < 0)
+ util_fatal("Failed to convert PEM to DER");
+ }
BIO_free(mem);
+ } else {
+ x = d2i_X509(NULL, (const unsigned char **)&data, len);
}
if (!x) {
util_fatal("OpenSSL error during X509 certificate parsing");
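Review bot: `i2d_X509(x, &contents_pointer)` in the new PEM branch runs before the `if (!x)` check at the end of the hunk, so a PEM blob that PEM_read_bio_X509 rejects hands a NULL `x` to i2d_X509 instead of reaching the existing "OpenSSL error during X509 certificate parsing" path; adding `if (x == NULL) util_fatal("OpenSSL error during X509 certificate parsing");` at the top of the `contents != NULL` block, or moving the conversion below the NULL check, keeps a single diagnostic path. The DER output is also written into `contents` with no capacity check, and nothing in the hunk shows how large that buffer is, while i2d_X509 with a non-NULL output pointer writes the whole encoding unconditionally. If, as the call in write_object suggests, `*contents_len` still holds the PEM length on entry, the size can be verified first: `int der_len = i2d_X509(x, NULL); if (der_len < 0 || der_len > *contents_len) util_fatal("DER certificate does not fit the object buffer");` and only then the writing call. parse_certificate's body continues past the end of the hunk.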
@@ -2293,7 +2303,8 @@ static int write_object(CK_SESSION_HANDLE session)
if (need_to_parse_certdata) {
#ifdef ENABLE_OPENSSL
- parse_certificate(&cert, certdata, certdata_len);
+ parse_certificate(&cert, certdata, certdata_len,
+ (opt_attr_from_file ? NULL : contents), &contents_len);
#else
util_fatal("No OpenSSL support, cannot parse certificate");
#endif
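Review bot: The call site gives no hint why `contents` is swapped for NULL under --attr-from; the reason is only stated inside parse_certificate, which a reader of write_object will not see. A one-line comment above the call, `/* --attr-from writes the raw blob unchanged, so no DER conversion target is passed */`, keeps the special case understandable here. write_object's body starts and ends outside the hunk.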
--