[pkg-opensc-commit] [opensc] 249/295: Do not use the hardcoded magic numbers in PIV
Eric Dorland
eric at moszumanska.debian.org
Sat Jun 24 21:11:37 UTC 2017
commit 427c175c08177b8b6bf325404483e94ecaf32c8d
Author: Jakub Jelen <jjelen at redhat.com>
Date: Tue Apr 25 15:10:55 2017 +0200
Do not use the hardcoded magic numbers in PIV
---
src/libopensc/pkcs15-cac.c | 12 +-----------
src/libopensc/pkcs15-piv.c | 36 ++++++++++++++++++------------------
src/libopensc/pkcs15.h | 12 ++++++++++++
3 files changed, 31 insertions(+), 29 deletions(-)
diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c
index bab79f4..45e5988 100644
--- a/src/libopensc/pkcs15-cac.c
+++ b/src/libopensc/pkcs15-cac.c
@@ -120,16 +120,6 @@ cac_alg_flags_from_algorithm(int algorithm)
return 0;
}
-#define SC_X509_DIGITAL_SIGNATURE 0x0001UL
-#define SC_X509_NON_REPUDIATION 0x0002UL
-#define SC_X509_KEY_ENCIPHERMENT 0x0004UL
-#define SC_X509_DATA_ENCIPHERMENT 0x0008UL
-#define SC_X509_KEY_AGREEMENT 0x0010UL
-#define SC_X509_KEY_CERT_SIGN 0x0020UL
-#define SC_X509_CRL_SIGN 0x0040UL
-#define SC_X509_SIGN_ONLY 0x0080UL
-#define SC_X509_DECIPHER_ONLY 0x0100UL
-
/* These are the cert key usage bits that map to various PKCS #11 (and thus PKCS #15) flags */
#define CAC_X509_USAGE_SIGNATURE \
(SC_X509_DIGITAL_SIGNATURE | \
@@ -143,7 +133,7 @@ cac_alg_flags_from_algorithm(int algorithm)
SC_X509_KEY_AGREEMENT)
#define CAC_X509_USAGE_DECRYPT \
(SC_X509_DATA_ENCIPHERMENT | \
- SC_X509_SIGN_ONLY)
+ SC_X509_ENCIPHER_ONLY)
#define CAC_X509_USAGE_NONREPUDIATION \
SC_X509_NON_REPUDIATION
diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
index 316459f..d38d7ba 100644
--- a/src/libopensc/pkcs15-piv.c
+++ b/src/libopensc/pkcs15-piv.c
@@ -793,7 +793,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
ckis[i].pubkey_len = cert_out->key->u.rsa.modulus.len * 8;
/* See RFC 5280 and PKCS#11 V2.40 */
if (ckis[i].cert_keyUsage_present) {
- if (ckis[i].cert_keyUsage & 0x01u) { /* digitalSignature RFC 5280 */
+ if (ckis[i].cert_keyUsage & SC_X509_DIGITAL_SIGNATURE) {
ckis[i].pub_usage |= SC_PKCS15_PRKEY_USAGE_ENCRYPT /* extra*/
|SC_PKCS15_PRKEY_USAGE_WRAP
|SC_PKCS15_PRKEY_USAGE_VERIFY
@@ -803,7 +803,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
|SC_PKCS15_PRKEY_USAGE_SIGN
|SC_PKCS15_PRKEY_USAGE_SIGNRECOVER;
}
- if(ckis[i].cert_keyUsage & 0x02u) { /* nonRepudation */
+ if (ckis[i].cert_keyUsage & SC_X509_NON_REPUDIATION) {
ckis[i].pub_usage |= SC_PKCS15_PRKEY_USAGE_ENCRYPT /* extra */
|SC_PKCS15_PRKEY_USAGE_NONREPUDIATION
|SC_PKCS15_PRKEY_USAGE_VERIFY
@@ -813,31 +813,31 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
|SC_PKCS15_PRKEY_USAGE_SIGN
|SC_PKCS15_PRKEY_USAGE_SIGNRECOVER;
}
- if(ckis[i].cert_keyUsage & 0x04u) { /* KeyEncipherment */
+ if (ckis[i].cert_keyUsage & SC_X509_KEY_ENCIPHERMENT) {
ckis[i].pub_usage |= SC_PKCS15_PRKEY_USAGE_ENCRYPT| SC_PKCS15_PRKEY_USAGE_WRAP;
ckis[i].priv_usage |= SC_PKCS15_PRKEY_USAGE_DECRYPT| SC_PKCS15_PRKEY_USAGE_UNWRAP;
}
- if(ckis[i].cert_keyUsage & 0x08u) { /* dataEncipherment */
+ if (ckis[i].cert_keyUsage & SC_X509_DATA_ENCIPHERMENT) {
ckis[i].pub_usage |= SC_PKCS15_PRKEY_USAGE_ENCRYPT;
ckis[i].priv_usage |= SC_PKCS15_PRKEY_USAGE_DECRYPT;
}
- if(ckis[i].cert_keyUsage & 0x10u) { /* keyAgreement */
+ if (ckis[i].cert_keyUsage & SC_X509_KEY_AGREEMENT) {
ckis[i].pub_usage |= SC_PKCS15_PRKEY_USAGE_DERIVE;
ckis[i].priv_usage |= SC_PKCS15_PRKEY_USAGE_DERIVE;
}
- if(ckis[i].cert_keyUsage & 0x20u) { /* keyCertSign */
+ if (ckis[i].cert_keyUsage & SC_X509_KEY_CERT_SIGN) {
ckis[i].pub_usage |= SC_PKCS15_PRKEY_USAGE_VERIFY|SC_PKCS15_PRKEY_USAGE_VERIFYRECOVER;
ckis[i].priv_usage |= SC_PKCS15_PRKEY_USAGE_SIGN;
}
- if(ckis[i].cert_keyUsage & 0x40u) { /* crlSign */
+ if (ckis[i].cert_keyUsage & SC_X509_CRL_SIGN) {
ckis[i].pub_usage |= SC_PKCS15_PRKEY_USAGE_VERIFY|SC_PKCS15_PRKEY_USAGE_VERIFYRECOVER;
ckis[i].priv_usage |= SC_PKCS15_PRKEY_USAGE_SIGN;
}
- if(ckis[i].cert_keyUsage & 0x80u) { /*encipherOnly */
+ if (ckis[i].cert_keyUsage & SC_X509_ENCIPHER_ONLY) {
ckis[i].pub_usage |= SC_PKCS15_PRKEY_USAGE_ENCRYPT|SC_PKCS15_PRKEY_USAGE_WRAP;
ckis[i].priv_usage |= SC_PKCS15_PRKEY_USAGE_DECRYPT|SC_PKCS15_PRKEY_USAGE_UNWRAP;
}
- if (ckis[i].cert_keyUsage & 0x100u) { /*decipherOnly */ /* TODO is this correct */
+ if (ckis[i].cert_keyUsage & SC_X509_DECIPHER_ONLY) { /* TODO is this correct */
ckis[i].pub_usage |= SC_PKCS15_PRKEY_USAGE_DECRYPT|SC_PKCS15_PRKEY_USAGE_UNWRAP;
ckis[i].priv_usage |= SC_PKCS15_PRKEY_USAGE_ENCRYPT|SC_PKCS15_PRKEY_USAGE_WRAP;
}
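Review bot: The `SC_X509_DECIPHER_ONLY` branch still carries its `/* TODO is this correct */`, and the replacement of the literal does not settle it: it is the only branch that grants `DECRYPT|UNWRAP` to pub_usage and `ENCRYPT|WRAP` to priv_usage, the reverse of every other mapping in this hunk. RFC 5280 §4.2.1.3 also defines encipherOnly and decipherOnly only as qualifiers of keyAgreement, so for the RSA path these two bits have no defined meaning on their own and the branches at `SC_X509_ENCIPHER_ONLY` and `SC_X509_DECIPHER_ONLY` act on bits that should not normally be set without `SC_X509_KEY_AGREEMENT`. I would either resolve the TODO by documenting why the inverted assignment is intended, or make both branches conditional on the keyAgreement bit, e.g. `if ((ckis[i].cert_keyUsage & SC_X509_KEY_AGREEMENT) && (ckis[i].cert_keyUsage & SC_X509_DECIPHER_ONLY))`. The enclosing sc_pkcs15emu_piv_init switch starts and ends outside this hunk.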
@@ -847,39 +847,39 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
case SC_ALGORITHM_EC:
ckis[i].pubkey_len = cert_out->key->u.ec.params.field_length;
if (ckis[i].cert_keyUsage_present) {
- if(ckis[i].cert_keyUsage & 0x01u) { /*digitalSignature RFC 5280 */
+ if (ckis[i].cert_keyUsage & SC_X509_DIGITAL_SIGNATURE) {
ckis[i].pub_usage |= SC_PKCS15_PRKEY_USAGE_VERIFY;
ckis[i].priv_usage |= SC_PKCS15_PRKEY_USAGE_SIGN;
}
- if(ckis[i].cert_keyUsage & 0x02u) { /* nonRepudation */
+ if (ckis[i].cert_keyUsage & SC_X509_NON_REPUDIATION) {
ckis[i].pub_usage |= SC_PKCS15_PRKEY_USAGE_NONREPUDIATION;
ckis[i].priv_usage |= SC_PKCS15_PRKEY_USAGE_NONREPUDIATION;
}
- if(ckis[i].cert_keyUsage & 0x04u) {/* KeyEncipherment */
+ if (ckis[i].cert_keyUsage & SC_X509_KEY_ENCIPHERMENT) {
ckis[i].pub_usage |= 0;
ckis[i].priv_usage |= 0;
}
- if(ckis[i].cert_keyUsage & 0x08u) { /* dataEncipherment */
+ if (ckis[i].cert_keyUsage & SC_X509_DATA_ENCIPHERMENT) {
ckis[i].pub_usage |= 0;
ckis[i].priv_usage |= 0;
}
- if(ckis[i].cert_keyUsage & 0x10u) { /* keyAgreement */
+ if (ckis[i].cert_keyUsage & SC_X509_KEY_AGREEMENT) {
ckis[i].pub_usage |= SC_PKCS15_PRKEY_USAGE_DERIVE;
ckis[i].priv_usage |= SC_PKCS15_PRKEY_USAGE_DERIVE;
}
- if(ckis[i].cert_keyUsage & 0x20u) { /* keyCertSign */
+ if (ckis[i].cert_keyUsage & SC_X509_KEY_CERT_SIGN) {
ckis[i].pub_usage |= SC_PKCS15_PRKEY_USAGE_VERIFY;
ckis[i].priv_usage |= SC_PKCS15_PRKEY_USAGE_SIGN;
}
- if(ckis[i].cert_keyUsage & 0x40u) { /* crlSign */
+ if (ckis[i].cert_keyUsage & SC_X509_CRL_SIGN) {
ckis[i].pub_usage |= SC_PKCS15_PRKEY_USAGE_VERIFY;
ckis[i].priv_usage |= SC_PKCS15_PRKEY_USAGE_SIGN;
}
- if(ckis[i].cert_keyUsage & 0x80u) { /*encipherOnly */
+ if (ckis[i].cert_keyUsage & SC_X509_ENCIPHER_ONLY) {
ckis[i].pub_usage |= 0;
ckis[i].priv_usage |= 0;
}
- if (ckis[i].cert_keyUsage & 0x100u) { /*decipherOnly */
+ if (ckis[i].cert_keyUsage & SC_X509_DECIPHER_ONLY) {
ckis[i].pub_usage |= 0;
ckis[i].priv_usage |= 0;
}
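Review bot: Four of the EC-path branches in this hunk — `SC_X509_KEY_ENCIPHERMENT`, `SC_X509_DATA_ENCIPHERMENT`, `SC_X509_ENCIPHER_ONLY` and `SC_X509_DECIPHER_ONLY` — only execute `pub_usage |= 0; priv_usage |= 0;`, which is a no-op and reads as unfinished code now that the macro names make the intent visible. If these bits are deliberately unmapped for EC keys, a single comment is clearer than four empty branches, e.g. `/* keyEncipherment, dataEncipherment, encipherOnly and decipherOnly have no PKCS#15 usage mapping for EC keys; intentionally ignored */`, and the no-op statements can be dropped. Per RFC 5280 §4.2.1.3 encipherOnly/decipherOnly qualify keyAgreement, so if a mapping is wanted here it would presumably refine the `SC_PKCS15_PRKEY_USAGE_DERIVE` case rather than stand alone — worth confirming against the intended PKCS#11 behaviour. The enclosing switch continues outside this hunk.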
diff --git a/src/libopensc/pkcs15.h b/src/libopensc/pkcs15.h
index 1199ca8..1746cd3 100644
--- a/src/libopensc/pkcs15.h
+++ b/src/libopensc/pkcs15.h
@@ -610,6 +610,18 @@ typedef struct sc_pkcs15_card {
/* flags suitable for struct sc_pkcs15_card */
#define SC_PKCS15_CARD_FLAG_EMULATED 0x02000000
+/* X509 bits for certificate usage extansion */
+#define SC_X509_DIGITAL_SIGNATURE 0x0001UL
+#define SC_X509_NON_REPUDIATION 0x0002UL
+#define SC_X509_KEY_ENCIPHERMENT 0x0004UL
+#define SC_X509_DATA_ENCIPHERMENT 0x0008UL
+#define SC_X509_KEY_AGREEMENT 0x0010UL
+#define SC_X509_KEY_CERT_SIGN 0x0020UL
+#define SC_X509_CRL_SIGN 0x0040UL
+#define SC_X509_ENCIPHER_ONLY 0x0080UL
+#define SC_X509_DECIPHER_ONLY 0x0100UL
+
+
/* sc_pkcs15_bind: Binds a card object to a PKCS #15 card object
* and initializes a new PKCS #15 card object. Will return
* SC_ERROR_PKCS15_APP_NOT_FOUND, if the card hasn't got a
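Review bot: The added comment `/* X509 bits for certificate usage extansion */` has a typo ("extension") and does not state the numbering convention these values rely on, which is the one thing a reader must know to keep them consistent with whatever decodes the KeyUsage BIT STRING into cert_keyUsage. The values match RFC 5280 KeyUsage bit n expressed as `1UL << n` (digitalSignature = bit 0 … decipherOnly = bit 8), so I would replace the comment with `/* RFC 5280 KeyUsage bits (X.509 key usage extension), bit n stored as (1UL << n); must match the value written to cert_keyUsage by the certificate decoder */`. Since these macros now live in a public header, the name prefix `SC_X509_` should also be checked against any other header in the tree that may already define it, as a later include would silently redefine the value; I cannot see the rest of the header from this hunk. The double blank line after `SC_X509_DECIPHER_ONLY` is a minor style nit.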