Fix some pkcs15-init issues
1. pkcs15-init is using XKU but it should use cert KU to check private key usage instead. 2. Don't mark imported keys as ALWAYSSENSITIVE and NEVEREXTRACTABLE as they are not. 3. When importing keys from PKCS#12 files (with several certs inside), use consecutive IDs for additional certificates (instead of starting from 45).
This commit is contained in:
parent
ba77042911
commit
18dc38a618
@ -1004,6 +1004,19 @@ failed: fprintf(stderr, "Failed to read PIN: %s\n", sc_strerror(r));
|
||||
return SC_ERROR_PKCS15INIT;
|
||||
}
|
||||
|
||||
static void sc_pkcs15_inc_id(sc_pkcs15_id_t *id)
|
||||
{
|
||||
int len;
|
||||
for (len = id->len - 1; len >= 0; len--) {
|
||||
if (id->value[len]++ != 0xFF)
|
||||
break;
|
||||
}
|
||||
if (len < 0 && id->len < SC_PKCS15_MAX_ID_SIZE) {
|
||||
memmove(id->value + 1, id->value, id->len++);
|
||||
id->value[0] = 1;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Store a private key
|
||||
*/
|
||||
@ -1042,12 +1055,14 @@ do_store_private_key(struct sc_profile *profile)
|
||||
|
||||
/* tell openssl to cache the extensions */
|
||||
X509_check_purpose(cert[0], -1, -1);
|
||||
usage = X509_get_extended_key_usage(cert[0]);
|
||||
usage = X509_get_key_usage(cert[0]);
|
||||
|
||||
/* No certificate usage? Assume ordinary
|
||||
* user cert */
|
||||
if (usage == 0)
|
||||
usage = 0x1F;
|
||||
usage = KU_NON_REPUDIATION
|
||||
| KU_DIGITAL_SIGNATURE
|
||||
| KU_KEY_ENCIPHERMENT;
|
||||
|
||||
/* If the user requested a specific key usage on the
|
||||
* command line check if it includes _more_
|
||||
@ -1065,10 +1080,7 @@ do_store_private_key(struct sc_profile *profile)
|
||||
args.x509_usage = opt_x509_usage? opt_x509_usage : usage;
|
||||
}
|
||||
|
||||
args.access_flags |=
|
||||
SC_PKCS15_PRKEY_ACCESS_SENSITIVE
|
||||
| SC_PKCS15_PRKEY_ACCESS_ALWAYSSENSITIVE
|
||||
| SC_PKCS15_PRKEY_ACCESS_NEVEREXTRACTABLE;
|
||||
args.access_flags |= SC_PKCS15_PRKEY_ACCESS_SENSITIVE;
|
||||
|
||||
r = sc_lock(p15card->card);
|
||||
if (r < 0)
|
||||
@ -1096,7 +1108,7 @@ do_store_private_key(struct sc_profile *profile)
|
||||
return r;
|
||||
|
||||
X509_check_purpose(cert[i], -1, -1);
|
||||
cargs.x509_usage = X509_get_extended_key_usage(cert[i]);
|
||||
cargs.x509_usage = X509_get_key_usage(cert[i]);
|
||||
|
||||
cargs.label = cert_common_name(cert[i]);
|
||||
if (!cargs.label)
|
||||
@ -1114,6 +1126,8 @@ do_store_private_key(struct sc_profile *profile)
|
||||
printf("Certificate #%d already present, not stored.\n", i);
|
||||
goto next_cert;
|
||||
}
|
||||
sc_pkcs15_inc_id(&args.id);
|
||||
cargs.id = args.id;
|
||||
cargs.authority = 1;
|
||||
}
|
||||
|
||||
@ -1238,10 +1252,7 @@ do_store_secret_key(struct sc_profile *profile)
|
||||
|
||||
args.algorithm = algorithm;
|
||||
args.value_len = keybits;
|
||||
args.access_flags |=
|
||||
SC_PKCS15_PRKEY_ACCESS_SENSITIVE
|
||||
| SC_PKCS15_PRKEY_ACCESS_ALWAYSSENSITIVE
|
||||
| SC_PKCS15_PRKEY_ACCESS_NEVEREXTRACTABLE;
|
||||
args.access_flags |= SC_PKCS15_PRKEY_ACCESS_SENSITIVE;
|
||||
|
||||
r = sc_lock(p15card->card);
|
||||
if (r < 0)
|
||||
|
Loading…
Reference in New Issue
Block a user