pkcs11-tool: Do not allow to write PEM encoded certificates to cards
Resolves #834
This commit is contained in:
parent
c77cb511d9
commit
74c6494f19
|
@ -1984,18 +1984,28 @@ gen_key(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hSecretKey
|
||||||
|
|
||||||
#ifdef ENABLE_OPENSSL
|
#ifdef ENABLE_OPENSSL
|
||||||
static void parse_certificate(struct x509cert_info *cert,
|
static void parse_certificate(struct x509cert_info *cert,
|
||||||
unsigned char *data, int len)
|
unsigned char *data, int len, unsigned char *contents,
|
||||||
|
int *contents_len)
|
||||||
{
|
{
|
||||||
X509 *x = NULL;
|
X509 *x = NULL;
|
||||||
unsigned char *p;
|
unsigned char *p;
|
||||||
int n;
|
int n;
|
||||||
|
|
||||||
if (!strstr((char *)data, "-----BEGIN CERTIFICATE-----"))
|
if (strstr((char *)data, "-----BEGIN CERTIFICATE-----")) {
|
||||||
x = d2i_X509(NULL, (const unsigned char **)&data, len);
|
|
||||||
else {
|
|
||||||
BIO *mem = BIO_new_mem_buf(data, len);
|
BIO *mem = BIO_new_mem_buf(data, len);
|
||||||
x = PEM_read_bio_X509(mem, NULL, NULL, NULL);
|
x = PEM_read_bio_X509(mem, NULL, NULL, NULL);
|
||||||
|
/* Update what is written to the card to be DER encoded
|
||||||
|
* If we use --attr-from do not check anything and write
|
||||||
|
* blob to the card */
|
||||||
|
if (contents != NULL) {
|
||||||
|
unsigned char *contents_pointer = contents;
|
||||||
|
*contents_len = i2d_X509(x, &contents_pointer);
|
||||||
|
if (*contents_len < 0)
|
||||||
|
util_fatal("Failed to convert PEM to DER");
|
||||||
|
}
|
||||||
BIO_free(mem);
|
BIO_free(mem);
|
||||||
|
} else {
|
||||||
|
x = d2i_X509(NULL, (const unsigned char **)&data, len);
|
||||||
}
|
}
|
||||||
if (!x) {
|
if (!x) {
|
||||||
util_fatal("OpenSSL error during X509 certificate parsing");
|
util_fatal("OpenSSL error during X509 certificate parsing");
|
||||||
|
@ -2293,7 +2303,8 @@ static int write_object(CK_SESSION_HANDLE session)
|
||||||
|
|
||||||
if (need_to_parse_certdata) {
|
if (need_to_parse_certdata) {
|
||||||
#ifdef ENABLE_OPENSSL
|
#ifdef ENABLE_OPENSSL
|
||||||
parse_certificate(&cert, certdata, certdata_len);
|
parse_certificate(&cert, certdata, certdata_len,
|
||||||
|
(opt_attr_from_file ? NULL : contents), &contents_len);
|
||||||
#else
|
#else
|
||||||
util_fatal("No OpenSSL support, cannot parse certificate");
|
util_fatal("No OpenSSL support, cannot parse certificate");
|
||||||
#endif
|
#endif
|
||||||
|
|
Loading…
Reference in New Issue