Fix some pkcs15-init issues

1. pkcs15-init is using XKU but it should use cert KU to check private key usage instead.
2. Don't mark imported keys as ALWAYSSENSITIVE and NEVEREXTRACTABLE as they are not.
3. When importing keys from PKCS#12 files (with several certs inside), use consecutive IDs for additional certificates (instead of starting from 45).
Luka Logar 2018-11-27 12:53:54 +01:00 committed by Frank Morgner
parent ba77042911
commit 18dc38a618


@ -1004,6 +1004,19 @@ failed: fprintf(stderr, "Failed to read PIN: %s\n", sc_strerror(r));
return SC_ERROR_PKCS15INIT;
}
static void sc_pkcs15_inc_id(sc_pkcs15_id_t *id)
{
int len;
for (len = id->len - 1; len >= 0; len--) {
if (id->value[len]++ != 0xFF)
break;
}
if (len < 0 && id->len < SC_PKCS15_MAX_ID_SIZE) {
memmove(id->value + 1, id->value, id->len++);
id->value[0] = 1;
}
}
/*
* Store a private key
*/
@ -1042,12 +1055,14 @@ do_store_private_key(struct sc_profile *profile)
/* tell openssl to cache the extensions */
X509_check_purpose(cert[0], -1, -1);
usage = X509_get_extended_key_usage(cert[0]);
usage = X509_get_key_usage(cert[0]);
/* No certificate usage? Assume ordinary
* user cert */
if (usage == 0)
usage = 0x1F;
usage = KU_NON_REPUDIATION
| KU_DIGITAL_SIGNATURE
| KU_KEY_ENCIPHERMENT;
/* If the user requested a specific key usage on the
* command line check if it includes _more_
@ -1065,10 +1080,7 @@ do_store_private_key(struct sc_profile *profile)
args.x509_usage = opt_x509_usage? opt_x509_usage : usage;
}
args.access_flags |=
SC_PKCS15_PRKEY_ACCESS_SENSITIVE
| SC_PKCS15_PRKEY_ACCESS_ALWAYSSENSITIVE
| SC_PKCS15_PRKEY_ACCESS_NEVEREXTRACTABLE;
args.access_flags |= SC_PKCS15_PRKEY_ACCESS_SENSITIVE;
r = sc_lock(p15card->card);
if (r < 0)
@ -1096,7 +1108,7 @@ do_store_private_key(struct sc_profile *profile)
return r;
X509_check_purpose(cert[i], -1, -1);
cargs.x509_usage = X509_get_extended_key_usage(cert[i]);
cargs.x509_usage = X509_get_key_usage(cert[i]);
cargs.label = cert_common_name(cert[i]);
if (!cargs.label)
@ -1114,6 +1126,8 @@ do_store_private_key(struct sc_profile *profile)
printf("Certificate #%d already present, not stored.\n", i);
goto next_cert;
}
sc_pkcs15_inc_id(&args.id);
cargs.id = args.id;
cargs.authority = 1;
}
@ -1238,10 +1252,7 @@ do_store_secret_key(struct sc_profile *profile)
args.algorithm = algorithm;
args.value_len = keybits;
args.access_flags |=
SC_PKCS15_PRKEY_ACCESS_SENSITIVE
| SC_PKCS15_PRKEY_ACCESS_ALWAYSSENSITIVE
| SC_PKCS15_PRKEY_ACCESS_NEVEREXTRACTABLE;
args.access_flags |= SC_PKCS15_PRKEY_ACCESS_SENSITIVE;
r = sc_lock(p15card->card);
if (r < 0)
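Review bot: The `usage == 0` fallback in do_store_private_key probably no longer catches a certificate that has no keyUsage extension. OpenSSL 1.1.0 and later document X509_get_key_usage() as returning UINT32_MAX when the extension is absent, so every usage bit would flow into `args.x509_usage` and the imported private key would be stored with all usages instead of the three-bit default. Testing both values, `if (usage == 0 || usage == UINT32_MAX)`, keeps the default effective; the later `cargs.x509_usage = X509_get_key_usage(cert[i]);` has no fallback at all and may need the same handling. Separately, sc_pkcs15_inc_id() silently wraps an all-0xFF ID of SC_PKCS15_MAX_ID_SIZE bytes to all zeros, which deserves a comment or a return value so the caller can detect a reused ID. do_store_private_key starts and ends outside the hunks shown.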