صفحهٔ اصلی گشت‌و‌گذار راهنما
ورود
fphammerle
/
scute
1
0
انشعاب 0
پرونده‌ها مشکلات 0 درخواست واکشی 0 ویکی
درخت: 7a2a44ce97
شاخه‌ها تگ‌ها
scute
/
src
/
cert-object.c

cert-object.c 16 KB
تاريخچه خام

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617 
  1. /* cert-object.c - Convert a GPGSM certificate into a PKCS #11 object.
    2. 

  2.    Copyright (C) 2006, 2007 g10 Code GmbH
    3. 

  3. 

  4.    This file is part of Scute.
    5. 

  5.  
    6. 

  6.    Scute is free software; you can redistribute it and/or modify it
    7. 

  7.    under the terms of the GNU General Public License as published by
    8. 

  8.    the Free Software Foundation; either version 2 of the License, or
    9. 

  9.    (at your option) any later version.
    10. 

  10. 

  11.    Scute is distributed in the hope that it will be useful, but
    12. 

  12.    WITHOUT ANY WARRANTY; without even the implied warranty of
    13. 

  13.    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    14. 

  14.    General Public License for more details.
    15. 

  15. 

  16.    You should have received a copy of the GNU General Public License
    17. 

  17.    along with Scute; if not, write to the Free Software Foundation,
    18. 

  18.    Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
    19. 

  19. 

  20.    In addition, as a special exception, g10 Code GmbH gives permission
    21. 

  21.    to link this library: with the Mozilla Foundation's code for
    22. 

  22.    Mozilla (or with modified versions of it that use the same license
    23. 

  23.    as the "Mozilla" code), and distribute the linked executables.  You
    24. 

  24.    must obey the GNU General Public License in all respects for all of
    25. 

  25.    the code used other than "Mozilla".  If you modify this file, you
    26. 

  26.    may extend this exception to your version of the file, but you are
    27. 

  27.    not obligated to do so.  If you do not wish to do so, delete this
    28. 

  28.    exception statement from your version.  */
    29. 

  29. 

  30. #if HAVE_CONFIG_H
    31. 

  31. #include <config.h>
    32. 

  32. #endif
    33. 

  33. 

  34. #include <stdbool.h>
    35. 

  35. #include <stdlib.h>
    36. 

  36. #include <assert.h>
    37. 

  37. #include <string.h>
    38. 

  38. #include <time.h>
    39. 

  39. 

  40. #include <gpg-error.h>
    41. 

  41. 

  42. #include "cryptoki.h"
    43. 

  43. #include "support.h"
    44. 

  44. #include "cert.h"
    45. 

  45. 

  46. 

  47. 
    48. 

  48. #define atoi_1(p)   (*(p) - '0' )
    49. 

  49. #define atoi_2(p)   ((atoi_1(p) * 10) + atoi_1((p)+1))
    50. 

  50. #define atoi_4(p)   ((atoi_2(p) * 100) + atoi_2((p)+2))
    51. 

  51. 

  52. 

  53. static bool
    54. 

  54. time_to_ck_date (time_t *atime, CK_DATE *ckdate)
    55. 

  55. {
    56. 

  56.   struct tm broken_time;
    57. 

  57.   int nr;
    58. 

  58. 

  59.   if (!*atime)
    60. 

  60.     return false;
    61. 

  61. 

  62. #ifdef HAVE_LOCALTIME_R
    63. 

  63.   if (!localtime_r (atime, &broken_time))
    64. 

  64.     return false;
    65. 

  65. #else
    66. 

  66.   {
    67. 

  67.     /* FIXME: This is not thread-safe, but it minimizes risk.  */
    68. 

  68.     struct tm *b_time = localtime (atime);
    69. 

  69.     if (!b_time)
    70. 

  70.       return false;
    71. 

  71.     memcpy (&broken_time, b_time, sizeof (*b_time));
    72. 

  72.   }
    73. 

  73. #endif
    74. 

  74. 

  75.   /* We can only represent years until 9999.  */
    76. 

  76.   if (!(broken_time.tm_year >= 0 && broken_time.tm_year <= 8099
    77. 

  77. 	&& broken_time.tm_mon >= 0 && broken_time.tm_mon <= 11
    78. 

  78. 	&& broken_time.tm_mday >= 1 && broken_time.tm_mday <= 31))
    79. 

  79.     return false;
    80. 

  80. 

  81. #define LAST_DIGIT(d) (((d) % 10) + '0')
    82. 

  82.   nr = broken_time.tm_year + 1900;
    83. 

  83.   ckdate->year[3] = LAST_DIGIT (nr);
    84. 

  84.   nr = nr / 10;
    85. 

  85.   ckdate->year[2] = LAST_DIGIT (nr);
    86. 

  86.   nr = nr / 10;
    87. 

  87.   ckdate->year[1] = LAST_DIGIT (nr);
    88. 

  88.   nr = nr / 10;
    89. 

  89.   ckdate->year[0] = LAST_DIGIT (nr);
    90. 

  90.   
    91. 

  91.   nr = broken_time.tm_mon + 1;
    92. 

  92.   ckdate->month[1] = LAST_DIGIT (nr);
    93. 

  93.   nr = nr / 10;
    94. 

  94.   ckdate->month[0] = LAST_DIGIT (nr);
    95. 

  95.   
    96. 

  96.   nr = broken_time.tm_mday;
    97. 

  97.   ckdate->day[1] = LAST_DIGIT (nr);
    98. 

  98.   nr = nr / 10;
    99. 

  99.   ckdate->day[0] = LAST_DIGIT (nr);
    100. 

  100. 

  101.   return true;
    102. 

  102. }
    103. 

  103. 

  104. 

  105. static gpg_error_t
    106. 

  106. asn1_get_len (unsigned char **asn1, int *asn1_len, int *rlen)
    107. 

  107. {
    108. 

  108.   unsigned char *ptr = *asn1;
    109. 

  109.   int len = *asn1_len;
    110. 

  110.   int cnt;
    111. 

  111.   int result = 0;
    112. 

  112. 

  113.   if (len < 1)
    114. 

  114.     return gpg_error (GPG_ERR_GENERAL);
    115. 

  115. 

  116.   if (*ptr & 0x80)
    117. 

  117.     {
    118. 

  118.       cnt = *ptr & 0x7f;
    119. 

  119.       ptr++;
    120. 

  120.       len--;
    121. 

  121.     }
    122. 

  122.   else
    123. 

  123.     cnt = 1;
    124. 

  124. 

  125.   /* We only support a limited number of length bytes.  */
    126. 

  126.   if (cnt > 2 || len < cnt)
    127. 

  127.     return gpg_error (GPG_ERR_GENERAL);
    128. 

  128. 

  129.   while (cnt--)
    130. 

  130.     {
    131. 

  131.       result = (result << 8) | *ptr;
    132. 

  132.       ptr++;
    133. 

  133.       len--;
    134. 

  134.     }
    135. 

  135. 

  136.   *asn1 = ptr;
    137. 

  137.   *asn1_len = len;
    138. 

  138.   *rlen = result;
    139. 

  139.   return 0;
    140. 

  140. }
    141. 

  141. 

  142. 

  143. /* A path to an ASN.1 element that can be looked up with
    144. 

  144.    asn1_get_element.  The last element in the list is returned (that
    145. 

  145.    one should have ENTER being false.  */
    146. 

  146. struct asn1_path
    147. 

  147. {
    148. 

  148.   unsigned char tag;
    149. 

  149.   /* True if we should enter the element, false if we should skip
    150. 

  150.      it.  */
    151. 

  151.   bool enter;
    152. 

  152. };
    153. 

  153. 

  154. static gpg_error_t
    155. 

  155. asn1_get_element (unsigned char *cert, int cert_len,
    156. 

  156. 		  unsigned char **sub_start, int *sub_len,
    157. 

  157. 		  struct asn1_path *path, int path_size)
    158. 

  158. {
    159. 

  159.   gpg_error_t err;
    160. 

  160.   unsigned char *prev_certp = NULL;
    161. 

  161.   unsigned char *certp = cert;
    162. 

  162.   int cert_left = cert_len;
    163. 

  163.   int len;
    164. 

  164.   int i;
    165. 

  165. 

  166.   for (i = 0; i < path_size; i++)
    167. 

  167.     {
    168. 

  168.       prev_certp = certp;
    169. 

  169.       if (cert_left < 1 || *certp != path[i].tag)
    170. 

  170. 	return gpg_error (GPG_ERR_GENERAL);
    171. 

  171.       certp++;
    172. 

  172.       cert_left--;
    173. 

  173.       err = asn1_get_len (&certp, &cert_left, &len);
    174. 

  174.       if (err)
    175. 

  175. 	return err;
    176. 

  176.       if (!path[i].enter)
    177. 

  177. 	{
    178. 

  178. 	  if (cert_left < len)
    179. 

  179. 	    return gpg_error (GPG_ERR_GENERAL);
    180. 

  180. 	  certp += len;
    181. 

  181. 	  cert_left -= len;
    182. 

  182. 	}
    183. 

  183.       else
    184. 

  184. 	{
    185. 

  185. 	  /* Special code to deal with ASN.1 data encapsulated in a
    186. 

  186. 	     bit string.  */
    187. 

  187. 	  if (path[i].tag == '\x03')
    188. 

  188. 	    {
    189. 

  189. 	      if (cert_left < 1 || *certp != '\x00')
    190. 

  190. 		return gpg_error (GPG_ERR_GENERAL);
    191. 

  191. 	      certp++;
    192. 

  192. 	      cert_left--;
    193. 

  193. 	    }
    194. 

  194. 	}
    195. 

  195.     }
    196. 

  196. 

  197.   /* We found the subject.  */
    198. 

  198.   *sub_start = prev_certp;
    199. 

  199.   *sub_len = certp - prev_certp;
    200. 

  200.   
    201. 

  201.   return 0;
    202. 

  202. }
    203. 

  203. 

  204. 

  205. static gpg_error_t
    206. 

  206. asn1_get_issuer (unsigned char *cert, int cert_len,
    207. 

  207. 		 unsigned char **sub_start, int *sub_len)
    208. 

  208. {
    209. 

  209.   /* The path to the issuer entry in the DER file.  This is
    210. 

  210.      Sequence->Sequence->Version,Serial,AlgID,Issuer.  */
    211. 

  211.   struct asn1_path path[] = { { '\x30', true }, { '\x30', true },
    212. 

  212. 			      { '\xa0', false }, { '\x02', false },
    213. 

  213. 			      { '\x30', false }, { '\x30', false } };
    214. 

  214. 

  215.   return asn1_get_element (cert, cert_len, sub_start, sub_len,
    216. 

  216. 			   path, DIM (path));
    217. 

  217. }
    218. 

  218. 

  219. 

  220. static gpg_error_t
    221. 

  221. asn1_get_subject (unsigned char *cert, int cert_len,
    222. 

  222. 		  unsigned char **sub_start, int *sub_len)
    223. 

  223. {
    224. 

  224.   /* The path to the subject entry in the DER file.  This is
    225. 

  225.      Sequence->Sequence->Version,Serial,AlgID,Issuer,Time,Subject.  */
    226. 

  226.   struct asn1_path path[] = { { '\x30', true }, { '\x30', true },
    227. 

  227. 			      { '\xa0', false }, { '\x02', false },
    228. 

  228. 			      { '\x30', false }, { '\x30', false },
    229. 

  229. 			      { '\x30', false }, { '\x30', false } };
    230. 

  230. 

  231.   return asn1_get_element (cert, cert_len, sub_start, sub_len,
    232. 

  232. 			   path, DIM (path));
    233. 

  233. }
    234. 

  234. 

  235. 

  236. static gpg_error_t
    237. 

  237. asn1_get_serial (unsigned char *cert, int cert_len,
    238. 

  238. 		 unsigned char **sub_start, int *sub_len)
    239. 

  239. {
    240. 

  240.   /* The path to the serial entry in the DER file.  This is
    241. 

  241.      Sequence->Sequence->Version,Serial.  */
    242. 

  242.   struct asn1_path path[] = { { '\x30', true }, { '\x30', true },
    243. 

  243. 			      { '\xa0', false }, { '\x02', false } };
    244. 

  244. 

  245.   return asn1_get_element (cert, cert_len, sub_start, sub_len,
    246. 

  246. 			   path, DIM (path));
    247. 

  247. }
    248. 

  248. 

  249. 

  250. static gpg_error_t
    251. 

  251. asn1_get_modulus (unsigned char *cert, int cert_len,
    252. 

  252. 		  unsigned char **sub_start, int *sub_len)
    253. 

  253. {
    254. 

  254.   gpg_error_t err;
    255. 

  255.   int len;
    256. 

  256.   struct asn1_path path[] = { { '\x30', true }, { '\x30', true },
    257. 

  257. 			      { '\xa0', false }, { '\x02', false },
    258. 

  258. 			      { '\x30', false }, { '\x30', false },
    259. 

  259. 			      { '\x30', false }, { '\x30', false },
    260. 

  260. 			      { '\x30', true }, { '\x30', false },
    261. 

  261. 			      { '\x03', true }, { '\x30', true },
    262. 

  262. 			      { '\x02', false } };
    263. 

  263. 

  264.   /* The path to the modulus entry in the DER file.  This is
    265. 

  265.      Sequence->Sequence->Version,Serial,AlgID,Issuer,Time,Subject,
    266. 

  266.      Sequence->Sequence,Bitstring->Sequence->Integer,Integer  */
    267. 

  267. 

  268.   err = asn1_get_element (cert, cert_len, sub_start, sub_len,
    269. 

  269. 			  path, DIM (path));
    270. 

  270.   if (err)
    271. 

  271.     return err;
    272. 

  272. 

  273.   if (*sub_len < 1)
    274. 

  274.     return gpg_error (GPG_ERR_GENERAL);
    275. 

  275. 

  276.   (*sub_start)++;
    277. 

  277.   (*sub_len)--;
    278. 

  278.   err = asn1_get_len (sub_start, sub_len, &len);
    279. 

  279.   if (err)
    280. 

  280.     return err;
    281. 

  281. 

  282.   /* PKCS #11 expects an unsigned big integer.  */
    283. 

  283.   while (**sub_start == '\x00' && *sub_len > 0)
    284. 

  284.     {
    285. 

  285.       (*sub_start)++;
    286. 

  286.       (*sub_len)--;
    287. 

  287.     }
    288. 

  288. 

  289.   return 0;
    290. 

  290. }
    291. 

  291. 

  292. static gpg_error_t
    293. 

  293. asn1_get_public_exp (unsigned char *cert, int cert_len,
    294. 

  294. 		     unsigned char **sub_start, int *sub_len)
    295. 

  295. {
    296. 

  296.   gpg_error_t err;
    297. 

  297.   int len;
    298. 

  298. 

  299.   /* The path to the public exp entry in the DER file.  This is
    300. 

  300.      Sequence->Sequence->Version,Serial,AlgID,Issuer,Time,Subject,
    301. 

  301.      Sequence->Sequence,Bitstring->Sequence->Integer,Integer  */
    302. 

  302.   struct asn1_path path[] = { { '\x30', true }, { '\x30', true },
    303. 

  303. 			      { '\xa0', false }, { '\x02', false },
    304. 

  304. 			      { '\x30', false }, { '\x30', false },
    305. 

  305. 			      { '\x30', false }, { '\x30', false },
    306. 

  306. 			      { '\x30', true }, { '\x30', false },
    307. 

  307. 			      { '\x03', true }, { '\x30', true },
    308. 

  308. 			      { '\x02', false }, { '\x02', false } };
    309. 

  309. 

  310.   err = asn1_get_element (cert, cert_len, sub_start, sub_len,
    311. 

  311. 			  path, DIM (path));
    312. 

  312.   if (err)
    313. 

  313.     return err;
    314. 

  314. 

  315.   if (*sub_len < 1)
    316. 

  316.     return gpg_error (GPG_ERR_GENERAL);
    317. 

  317. 

  318.   (*sub_start)++;
    319. 

  319.   (*sub_len)--;
    320. 

  320.   err = asn1_get_len (sub_start, sub_len, &len);
    321. 

  321.   if (err)
    322. 

  322.     return err;
    323. 

  323. 

  324.   /* PKCS #11 expects an unsigned big integer.  */
    325. 

  325.   while (**sub_start == '\x00' && *sub_len > 0)
    326. 

  326.     {
    327. 

  327.       (*sub_start)++;
    328. 

  328.       (*sub_len)--;
    329. 

  329.     }
    330. 

  330. 

  331.   return 0;
    332. 

  332. }
    333. 

  333. 

  334. 

  335. static gpg_error_t
    336. 

  336. attr_one (CK_ATTRIBUTE_PTR attr, CK_ULONG *attr_count,
    337. 

  337. 	  CK_ATTRIBUTE_TYPE type, CK_VOID_PTR val, CK_ULONG size)
    338. 

  338. {
    339. 

  339.   CK_ULONG i = *attr_count;
    340. 

  340.   attr[i].type = type;
    341. 

  341.   attr[i].ulValueLen = size;
    342. 

  342.   attr[i].pValue = malloc (size);
    343. 

  343.   if (attr[i].pValue == NULL)
    344. 

  344.     return gpg_error (GPG_ERR_ENOMEM);
    345. 

  345.   memcpy (attr[i].pValue, val, size);
    346. 

  346.   (*attr_count)++;
    347. 

  347.   return 0;
    348. 

  348. }
    349. 

  349. 

  350. 

  351. static gpg_error_t
    352. 

  352. attr_empty (CK_ATTRIBUTE_PTR attr, CK_ULONG *attr_count,
    353. 

  353. 	    CK_ATTRIBUTE_TYPE type)
    354. 

  354. {
    355. 

  355.   CK_ULONG i = *attr_count;
    356. 

  356.   attr[i].type = type;
    357. 

  357.   attr[i].ulValueLen = 0;
    358. 

  358.   attr[i].pValue = NULL_PTR;
    359. 

  359.   (*attr_count)++;
    360. 

  360.   return 0;
    361. 

  361. }
    362. 

  362. 

  363. 
    364. 

  364. void
    365. 

  365. scute_attr_free (CK_ATTRIBUTE_PTR attr, CK_ULONG attr_count)
    366. 

  366. {
    367. 

  367.   while (0 < attr_count--)
    368. 

  368.     free (attr[attr_count].pValue);
    369. 

  369. }
    370. 

  370. 

  371. 

  372. gpg_error_t
    373. 

  373. scute_attr_cert (struct cert *cert,
    374. 

  374. 		 CK_ATTRIBUTE_PTR *attrp, CK_ULONG *attr_countp)
    375. 

  375. {
    376. 

  376.   CK_RV err;
    377. 

  377.   CK_ATTRIBUTE_PTR attr;
    378. 

  378.   CK_ULONG attr_count;
    379. 

  379. 

  380.   unsigned char *subject_start;
    381. 

  381.   int subject_len;
    382. 

  382.   unsigned char *issuer_start;
    383. 

  383.   int issuer_len;
    384. 

  384.   unsigned char *serial_start;
    385. 

  385.   int serial_len;
    386. 

  386. 

  387.   CK_OBJECT_CLASS obj_class = CKO_CERTIFICATE;
    388. 

  388.   CK_BBOOL obj_token = CK_TRUE;
    389. 

  389.   CK_BBOOL obj_private = CK_FALSE;
    390. 

  390.   CK_BBOOL obj_modifiable = CK_FALSE;
    391. 

  391.   CK_BYTE obj_label[] = { 'D', 'u', 'm', 'm', 'y', ' ',
    392. 

  392. 			  'L', 'a', 'b', 'e', 'l' };
    393. 

  393. 

  394.   CK_CERTIFICATE_TYPE obj_cert_type = CKC_X_509;
    395. 

  395.   CK_BBOOL obj_trusted = cert->is_trusted;
    396. 

  396.   CK_ULONG obj_cert_cat = 0;
    397. 

  397.   CK_BYTE obj_check_value[3] = { '\0', '\0', '\0' };
    398. 

  398.   CK_DATE obj_start_date;
    399. 

  399.   CK_DATE obj_end_date;
    400. 

  400.   CK_ULONG obj_java_midp_sec_domain = 0;
    401. 

  401. 

  402.   err = asn1_get_subject (cert->cert_der, cert->cert_der_len,
    403. 

  403. 			  &subject_start, &subject_len);
    404. 

  404.   if (!err)
    405. 

  405.     err = asn1_get_issuer (cert->cert_der, cert->cert_der_len,
    406. 

  406. 			   &issuer_start, &issuer_len);
    407. 

  407.   if (!err)
    408. 

  408.     err = asn1_get_serial (cert->cert_der, cert->cert_der_len,
    409. 

  409. 			   &serial_start, &serial_len);
    410. 

  410.   if (err)
    411. 

  411.     return err;
    412. 

  412. 

  413. #define NR_ATTR_CERT 20
    414. 

  414.   attr = malloc (sizeof (CK_ATTRIBUTE) * NR_ATTR_CERT);
    415. 

  415.   attr_count = 0;
    416. 

  416.   if (!attr)
    417. 

  417.     return gpg_error (GPG_ERR_ENOMEM);
    418. 

  418. 

  419. #define one_attr_ext(type, val, size)					\
    420. 

  420.   if (!err)								\
    421. 

  421.     err = attr_one (attr, &attr_count, type, val, size)
    422. 

  422. 

  423. #define one_attr(type, val) one_attr_ext (type, &val, sizeof (val))
    424. 

  424. 

  425. #define empty_attr(type)						\
    426. 

  426.   if (!err)								\
    427. 

  427.     err = attr_empty (attr, &attr_count, type)
    428. 

  428. 

  429.   one_attr (CKA_CLASS, obj_class);
    430. 

  430.   one_attr (CKA_TOKEN, obj_token);
    431. 

  431.   one_attr (CKA_PRIVATE, obj_private);
    432. 

  432.   one_attr (CKA_MODIFIABLE, obj_modifiable);
    433. 

  433.   one_attr (CKA_LABEL, obj_label);
    434. 

  434.   one_attr (CKA_CERTIFICATE_TYPE, obj_cert_type);
    435. 

  435.   one_attr (CKA_TRUSTED, obj_trusted);
    436. 

  436.   one_attr (CKA_CERTIFICATE_CATEGORY, obj_cert_cat);
    437. 

  437. 

  438.   /* FIXME: Calculate check_value.  */
    439. 

  439.   one_attr (CKA_CHECK_VALUE, obj_check_value);
    440. 

  440. 

  441.   if (time_to_ck_date (&cert->timestamp, &obj_start_date))
    442. 

  442.     {
    443. 

  443.       one_attr (CKA_START_DATE, obj_start_date);
    444. 

  444.     }
    445. 

  445.   else
    446. 

  446.     {
    447. 

  447.       empty_attr (CKA_START_DATE);
    448. 

  448.     }
    449. 

  449. 

  450.   if (time_to_ck_date (&cert->expires, &obj_end_date))
    451. 

  451.     {
    452. 

  452.       one_attr (CKA_END_DATE, obj_end_date);
    453. 

  453.     }
    454. 

  454.   else
    455. 

  455.     {
    456. 

  456.       empty_attr (CKA_END_DATE);
    457. 

  457.     }
    458. 

  458. 

  459.   one_attr_ext (CKA_SUBJECT, subject_start, subject_len);
    460. 

  460.   one_attr_ext (CKA_ID, cert->fpr, 40);
    461. 

  461.   one_attr_ext (CKA_ISSUER, issuer_start, issuer_len);
    462. 

  462.   one_attr_ext (CKA_SERIAL_NUMBER, serial_start, serial_len);
    463. 

  463.   one_attr_ext (CKA_VALUE, cert->cert_der, cert->cert_der_len);
    464. 

  464.   
    465. 

  465.   empty_attr (CKA_URL);
    466. 

  466.   empty_attr (CKA_HASH_OF_SUBJECT_PUBLIC_KEY);
    467. 

  467.   empty_attr (CKA_HASH_OF_ISSUER_PUBLIC_KEY);
    468. 

  468. 

  469.   one_attr (CKA_JAVA_MIDP_SECURITY_DOMAIN, obj_java_midp_sec_domain);
    470. 

  470. 

  471.   if (err)
    472. 

  472.     {
    473. 

  473.       scute_attr_free (attr, attr_count);
    474. 

  474.       return err;
    475. 

  475.     }
    476. 

  476. 

  477.   /* FIXME: Not completely safe.  */
    478. 

  478.   assert (NR_ATTR_CERT == attr_count);
    479. 

  479. 

  480.   *attrp = attr;
    481. 

  481.   *attr_countp = attr_count;
    482. 

  482.   return 0;
    483. 

  483. }
    484. 

  484. 

  485. 

  486. gpg_error_t
    487. 

  487. scute_attr_prv (struct cert *cert, CK_ATTRIBUTE_PTR *attrp,
    488. 

  488. 		CK_ULONG *attr_countp)
    489. 

  489. {
    490. 

  490.   CK_RV err;
    491. 

  491.   CK_ATTRIBUTE_PTR attr;
    492. 

  492.   CK_ULONG attr_count;
    493. 

  493. 

  494.   unsigned char *subject_start;
    495. 

  495.   int subject_len;
    496. 

  496.   unsigned char *modulus_start;
    497. 

  497.   int modulus_len;
    498. 

  498.   unsigned char *public_exp_start;
    499. 

  499.   int public_exp_len;
    500. 

  500. 

  501.   CK_OBJECT_CLASS obj_class = CKO_PRIVATE_KEY;
    502. 

  502.   CK_BBOOL obj_token = CK_TRUE;
    503. 

  503.   CK_BBOOL obj_private = CK_FALSE;
    504. 

  504.   CK_BBOOL obj_modifiable = CK_FALSE;
    505. 

  505.   CK_BYTE obj_label[] = { 'O', 'P', 'E', 'N', 'P', 'G',
    506. 

  506. 			  'P', '.', '3' };
    507. 

  507. 

  508.   CK_KEY_TYPE obj_key_type = CKK_RSA;
    509. 

  509.   CK_DATE obj_start_date;
    510. 

  510.   CK_DATE obj_end_date;
    511. 

  511.   CK_BBOOL obj_derive = CK_FALSE;
    512. 

  512.   CK_BBOOL obj_local = CK_FALSE;	/* FIXME: Unknown.  */
    513. 

  513.   CK_MECHANISM_TYPE obj_key_gen = CKM_RSA_PKCS_KEY_PAIR_GEN;
    514. 

  514.   CK_MECHANISM_TYPE obj_mechanisms[] = { CKM_RSA_PKCS };
    515. 

  515. 

  516.   CK_BBOOL obj_sensitive = CK_TRUE;
    517. 

  517.   CK_BBOOL obj_decrypt = CK_FALSE;	/* Authentication only for now.  */
    518. 

  518.   CK_BBOOL obj_sign = CK_TRUE;
    519. 

  519.   CK_BBOOL obj_sign_recover = CK_FALSE;
    520. 

  520.   CK_BBOOL obj_unwrap = CK_FALSE;
    521. 

  521.   CK_BBOOL obj_extractable = CK_FALSE;
    522. 

  522.   CK_BBOOL obj_always_sensitive = CK_TRUE;
    523. 

  523.   CK_BBOOL obj_never_extractable = CK_TRUE;
    524. 

  524.   CK_BBOOL obj_wrap_with_trusted = CK_FALSE;
    525. 

  525.   CK_BBOOL obj_always_authenticate = CK_FALSE;
    526. 

  526. 

  527.   err = asn1_get_subject (cert->cert_der, cert->cert_der_len,
    528. 

  528. 			  &subject_start, &subject_len);
    529. 

  529.   if (!err)
    530. 

  530.     err = asn1_get_modulus (cert->cert_der, cert->cert_der_len,
    531. 

  531. 			    &modulus_start, &modulus_len);
    532. 

  532.   if (!err)
    533. 

  533.     err = asn1_get_public_exp (cert->cert_der, cert->cert_der_len,
    534. 

  534. 			       &public_exp_start, &public_exp_len);
    535. 

  535.   if (err)
    536. 

  536.     return err;
    537. 

  537. 

  538. #define NR_ATTR_PRV 27
    539. 

  539.   attr = malloc (sizeof (CK_ATTRIBUTE) * NR_ATTR_PRV);
    540. 

  540.   attr_count = 0;
    541. 

  541.   if (!attr)
    542. 

  542.     return gpg_error (GPG_ERR_ENOMEM);
    543. 

  543. 

  544. #undef one_attr_ext
    545. 

  545. #define one_attr_ext(type, val, size)					\
    546. 

  546.   if (!err)								\
    547. 

  547.     err = attr_one (attr, &attr_count, type, val, size)
    548. 

  548. 

  549. #undef one_attr
    550. 

  550. #define one_attr(type, val) one_attr_ext (type, &val, sizeof (val))
    551. 

  551. 

  552. #undef empty_attr
    553. 

  553. #define empty_attr(type)						\
    554. 

  554.   if (!err)								\
    555. 

  555.     err = attr_empty (attr, &attr_count, type)
    556. 

  556. 

  557.   one_attr (CKA_CLASS, obj_class);
    558. 

  558.   one_attr (CKA_TOKEN, obj_token);
    559. 

  559.   one_attr (CKA_PRIVATE, obj_private);
    560. 

  560.   one_attr (CKA_MODIFIABLE, obj_modifiable);
    561. 

  561.   one_attr (CKA_LABEL, obj_label);
    562. 

  562. 

  563.   one_attr (CKA_KEY_TYPE, obj_key_type);
    564. 

  564.   one_attr_ext (CKA_ID, cert->fpr, 40);
    565. 

  565. 

  566.   if (time_to_ck_date (&cert->timestamp, &obj_start_date))
    567. 

  567.     {
    568. 

  568.       one_attr (CKA_START_DATE, obj_start_date);
    569. 

  569.     }
    570. 

  570.   else
    571. 

  571.     {
    572. 

  572.       empty_attr (CKA_START_DATE);
    573. 

  573.     }
    574. 

  574. 

  575.   if (time_to_ck_date (&cert->expires, &obj_end_date))
    576. 

  576.     {
    577. 

  577.       one_attr (CKA_END_DATE, obj_end_date);
    578. 

  578.     }
    579. 

  579.   else
    580. 

  580.     {
    581. 

  581.       empty_attr (CKA_END_DATE);
    582. 

  582.     }
    583. 

  583. 

  584.   one_attr (CKA_DERIVE, obj_derive);
    585. 

  585.   one_attr (CKA_LOCAL, obj_local);
    586. 

  586.   one_attr (CKA_KEY_GEN_MECHANISM, obj_key_gen);
    587. 

  587.   one_attr (CKA_ALLOWED_MECHANISMS, obj_mechanisms);
    588. 

  588.   
    589. 

  589.   one_attr_ext (CKA_SUBJECT, subject_start, subject_len);
    590. 

  590.   one_attr (CKA_SENSITIVE, obj_sensitive);
    591. 

  591.   one_attr (CKA_DECRYPT, obj_decrypt);
    592. 

  592.   one_attr (CKA_SIGN, obj_sign);
    593. 

  593.   one_attr (CKA_SIGN_RECOVER, obj_sign_recover);
    594. 

  594.   one_attr (CKA_UNWRAP, obj_unwrap);
    595. 

  595.   one_attr (CKA_EXTRACTABLE, obj_extractable);
    596. 

  596.   one_attr (CKA_ALWAYS_SENSITIVE, obj_always_sensitive);
    597. 

  597.   one_attr (CKA_NEVER_EXTRACTABLE, obj_never_extractable);
    598. 

  598.   one_attr (CKA_WRAP_WITH_TRUSTED, obj_wrap_with_trusted);
    599. 

  599.   empty_attr (CKA_UNWRAP_TEMPLATE);
    600. 

  600.   one_attr (CKA_ALWAYS_AUTHENTICATE, obj_always_authenticate);
    601. 

  601. 

  602.   one_attr_ext (CKA_MODULUS, modulus_start, modulus_len);
    603. 

  603.   one_attr_ext (CKA_PUBLIC_EXPONENT, public_exp_start, public_exp_len);
    604. 

  604. 

  605.   if (err)
    606. 

  606.     {
    607. 

  607.       scute_attr_free (attr, attr_count);
    608. 

  608.       return err;
    609. 

  609.     }
    610. 

  610. 

  611.   /* FIXME: Not completely safe.  */
    612. 

  612.   assert (NR_ATTR_PRV == attr_count);
    613. 

  613. 

  614.   *attrp = attr;
    615. 

  615.   *attr_countp = attr_count;
    616. 

  616.   return 0;
    617. 

  617. }
    618.