Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Bug 1475274, Provide a way to specify tokens by PKCS #11 URI, r=rrelyea
Summary: This patch allows client applications to specify tokens unambiguously with PKCS #11 URI, instead of token name.  It also includes a minor fixes to PKCS #11 URI handling that previously treated the scheme case sensitively.

Reviewers: kaie, rrelyea

Bug #: 1475274

Differential Revision: https://phabricator.services.mozilla.com/D2099

--HG--
extra : amend_source : 2c523bef26f62206b178c9ba04833c85cf5492cb
  • Loading branch information
ueno committed Jul 23, 2018
1 parent a2e0739 commit 804e6ff
Show file tree
Hide file tree
Showing 5 changed files with 69 additions and 36 deletions.
1 change: 1 addition & 0 deletions gtests/util_gtest/util_pkcs11uri_unittest.cc
Expand Up @@ -160,6 +160,7 @@ TEST_F(PK11URITest, ParseRetrieveTest) {

TEST_F(PK11URITest, ParseFormatTest) {
TestParseFormat("pkcs11:", "pkcs11:");
TestParseFormat("PKCS11:", "pkcs11:");
TestParseFormat("pkcs11:token=aaa", "pkcs11:token=aaa");
TestParseFormat("pkcs11:token=aaa;manufacturer=bbb",
"pkcs11:token=aaa;manufacturer=bbb");
Expand Down
2 changes: 1 addition & 1 deletion lib/pk11wrap/pk11cert.c
Expand Up @@ -741,7 +741,7 @@ find_certs_from_nickname(const char *nickname, void *wincx)
char *delimit = NULL;
char *tokenName;

if (!strncmp(nickname, "pkcs11:", strlen("pkcs11:"))) {
if (!PORT_Strncasecmp(nickname, "pkcs11:", strlen("pkcs11:"))) {
certs = find_certs_from_uri(nickname, wincx);
if (certs)
return certs;
Expand Down
82 changes: 48 additions & 34 deletions lib/pk11wrap/pk11slot.c
Expand Up @@ -607,31 +607,47 @@ PK11_FindSlotsByNames(const char *dllName, const char *slotName,
return slotList;
}

PK11SlotInfo *
PK11_FindSlotByName(const char *name)
typedef PRBool (*PK11SlotMatchFunc)(PK11SlotInfo *slot, const void *arg);

static PRBool
pk11_MatchSlotByTokenName(PK11SlotInfo *slot, const void *arg)
{
return PORT_Strcmp(slot->token_name, arg) == 0;
}

static PRBool
pk11_MatchSlotBySerial(PK11SlotInfo *slot, const void *arg)
{
return PORT_Memcmp(slot->serial, arg, sizeof(slot->serial)) == 0;
}

static PRBool
pk11_MatchSlotByTokenURI(PK11SlotInfo *slot, const void *arg)
{
return pk11_MatchUriTokenInfo(slot, (PK11URI *)arg);
}

static PK11SlotInfo *
pk11_FindSlot(const void *arg, PK11SlotMatchFunc func)
{
SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
SECMODModuleList *mlp;
SECMODModuleList *modules;
SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
int i;
PK11SlotInfo *slot = NULL;

if (!moduleLock) {
PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
return slot;
}
if ((name == NULL) || (*name == 0)) {
return PK11_GetInternalKeySlot();
}

/* work through all the slots */
SECMOD_GetReadLock(moduleLock);
modules = SECMOD_GetDefaultModuleList();
for (mlp = modules; mlp != NULL; mlp = mlp->next) {
for (i = 0; i < mlp->module->slotCount; i++) {
PK11SlotInfo *tmpSlot = mlp->module->slots[i];
if (PK11_IsPresent(tmpSlot)) {
if (PORT_Strcmp(tmpSlot->token_name, name) == 0) {
if (func(tmpSlot, arg)) {
slot = PK11_ReferenceSlot(tmpSlot);
break;
}
Expand All @@ -649,43 +665,41 @@ PK11_FindSlotByName(const char *name)
return slot;
}

PK11SlotInfo *
PK11_FindSlotBySerial(char *serial)
static PK11SlotInfo *
pk11_FindSlotByTokenURI(const char *uriString)
{
SECMODModuleList *mlp;
SECMODModuleList *modules;
SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
int i;
PK11SlotInfo *slot = NULL;
PK11URI *uri;

if (!moduleLock) {
PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
uri = PK11URI_ParseURI(uriString);
if (!uri) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return slot;
}
/* work through all the slots */
SECMOD_GetReadLock(moduleLock);
modules = SECMOD_GetDefaultModuleList();
for (mlp = modules; mlp != NULL; mlp = mlp->next) {
for (i = 0; i < mlp->module->slotCount; i++) {
PK11SlotInfo *tmpSlot = mlp->module->slots[i];
if (PK11_IsPresent(tmpSlot)) {
if (PORT_Memcmp(tmpSlot->serial, serial,
sizeof(tmpSlot->serial)) == 0) {
slot = PK11_ReferenceSlot(tmpSlot);
break;
}

slot = pk11_FindSlot(uri, pk11_MatchSlotByTokenURI);
PK11URI_DestroyURI(uri);
return slot;
}

PK11SlotInfo *
PK11_FindSlotByName(const char *name)
{
if ((name == NULL) || (*name == 0)) {
return PK11_GetInternalKeySlot();
}
if (slot != NULL)
break;

if (!PORT_Strncasecmp(name, "pkcs11:", strlen("pkcs11:"))) {
return pk11_FindSlotByTokenURI(name);
}
SECMOD_ReleaseReadLock(moduleLock);

if (slot == NULL) {
PORT_SetError(SEC_ERROR_NO_TOKEN);
return pk11_FindSlot(name, pk11_MatchSlotByTokenName);
}

return slot;
PK11SlotInfo *
PK11_FindSlotBySerial(char *serial)
{
return pk11_FindSlot(serial, pk11_MatchSlotBySerial);
}

/*
Expand Down
2 changes: 1 addition & 1 deletion lib/util/pkcs11uri.c
Expand Up @@ -674,7 +674,7 @@ PK11URI_ParseURI(const char *string)
const char *p = string;
SECStatus ret;

if (strncmp("pkcs11:", p, 7) != 0) {
if (PORT_Strncasecmp("pkcs11:", p, 7) != 0) {
return NULL;
}
p += 7;
Expand Down
18 changes: 18 additions & 0 deletions tests/cert/cert.sh
Expand Up @@ -2124,6 +2124,23 @@ cert_test_implicit_db_init()
certu -A -n ca -t 'C,C,C' -d ${P_R_IMPLICIT_INIT_DIR} -i "${SERVER_CADIR}/serverCA.ca.cert"
}

cert_test_token_uri()
{
echo "$SCRIPTNAME: specify token with PKCS#11 URI"

CERTIFICATE_DB_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*NSS%20Certificate%20DB.*\)/\1/p'`
BUILTIN_OBJECTS_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*Builtin%20Object%20Token.*\)/\1/p'`

CU_ACTION="List keys in NSS Certificate DB"
certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${CERTIFICATE_DB_URI}

# This token shouldn't have any keys
CU_ACTION="List keys in NSS Builtin Objects"
RETEXPECTED=255
certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${BUILTIN_OBJECTS_URI}
RETEXPECTED=0
}

check_sign_algo()
{
certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \
Expand Down Expand Up @@ -2579,6 +2596,7 @@ cert_test_password
cert_test_distrust
cert_test_ocspresp
cert_test_rsapss
cert_test_token_uri

if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
cert_crl_ssl
Expand Down

0 comments on commit 804e6ff

Please sign in to comment.