cert.c

IBM的Linux上的PKCS#11实现

             this Agreement, but in order to avoid inconsistency the
             Agreement is copyrighted and may only be modified in the
             following manner. The Agreement Steward reserves the right
             to publish new versions (including revisions) of this
             Agreement from time to time. No one other than the
             Agreement Steward has the right to modify this Agreement.

             IBM is the initial Agreement Steward. IBM may assign the
             responsibility to serve as the Agreement Steward to a
             suitable separate entity. Each new version of the
             Agreement will be given a distinguishing version number.
             The Program (including Contributions) may always be
             distributed subject to the version of the Agreement under
             which it was received. In addition, after a new version of
             the Agreement is published, Contributor may elect to
             distribute the Program (including its Contributions) under
             the new version. Except as expressly stated in Sections
             2(a) and 2(b) above, Recipient receives no rights or
             licenses to the intellectual property of any Contributor
             under this Agreement, whether expressly, by implication,
             estoppel or otherwise. All rights in the Program not
             expressly granted under this Agreement are reserved.


             This Agreement is governed by the laws of the State of New
             York and the intellectual property laws of the United
             States of America. No party to this Agreement will bring a
             legal action under this Agreement more than one year after
             the cause of action arose. Each party waives its rights to
             a jury trial in any resulting litigation. 



*/

/* (C) COPYRIGHT International Business Machines Corp. 2001,2002          */


// File:  cert.c
//
// Functions contained within:
//
//    cert_check_required_attributes
//    cert_validate_attribute
//    cert_x509_check_required_attributes
//    cert_x509_set_default_attributes
//    cert_x509_validate_attribute
//    cert_vendor_check_required_attributes
//    cert_vendor_validate_attribute
//

//#include <windows.h>

#include <pthread.h>
#include <stdlib.h>

  #include <string.h>  // for memcmp() et al

#include "pkcs11types.h"
#include "defs.h"
#include "host_defs.h"
#include "h_extern.h"



// cert_check_required_attributes
//
// Checks for required attributes for generic CKO_CERTIFICATE objects
//
//    CKA_CERTIFICATE_TYPE : must be present on MODE_CREATE.
//
CK_RV
cert_check_required_attributes( TEMPLATE *tmpl, CK_ULONG mode )
{
   CK_ATTRIBUTE        * attr = NULL;
   CK_BBOOL              found;

   if (!tmpl)
      return CKR_FUNCTION_FAILED;

   if (mode == MODE_CREATE) {
      found = template_attribute_find( tmpl, CKA_CERTIFICATE_TYPE, &attr );
      if (found == FALSE){
         st_err_log(48, __FILE__, __LINE__);
         return CKR_TEMPLATE_INCOMPLETE;
      }
      // don't bother checking the value.  it was checked in the 'validate'
      // routine.
   }

   return template_check_required_base_attributes( tmpl, mode );
}


// cert_validate_attribute()
//
CK_RV
cert_validate_attribute( TEMPLATE *tmpl, CK_ATTRIBUTE *attr, CK_ULONG mode )
{
   CK_CERTIFICATE_TYPE  type;

   switch (attr->type) {
      case CKA_CERTIFICATE_TYPE:
         {
            if (mode != MODE_CREATE){
               st_err_log(7, __FILE__, __LINE__);
               return CKR_ATTRIBUTE_READ_ONLY;
            }
            type = *(CK_CERTIFICATE_TYPE *)attr->pValue;
            if (type == CKC_X_509 || type >= CKC_VENDOR_DEFINED)
               return CKR_OK;
            else{
               st_err_log(9, __FILE__, __LINE__);
               return CKR_ATTRIBUTE_VALUE_INVALID;
            }
         }
         break;

      default:
         return template_validate_base_attribute( tmpl, attr, mode );
   }

   return template_validate_base_attribute( tmpl, attr, mode );
}


// cert_x509_check_required_attributes()
//
CK_RV
cert_x509_check_required_attributes( TEMPLATE *tmpl, CK_ULONG mode )
{
   CK_ATTRIBUTE *attr = NULL;
   CK_BBOOL      found;

   found = template_attribute_find( tmpl, CKA_SUBJECT, &attr );
   if (!found){
      st_err_log(9, __FILE__, __LINE__);
      return CKR_TEMPLATE_INCOMPLETE;
   }
   found = template_attribute_find( tmpl, CKA_VALUE, &attr );
   if (!found){
      st_err_log(9, __FILE__, __LINE__);
      return CKR_TEMPLATE_INCOMPLETE;
   }
   return cert_check_required_attributes( tmpl, mode );
}


// cert_x509_set_default_attributes()
//
// Set the default attributes for X.509 certificates
//
//    CKA_ID            : empty string
//    CKA_ISSUER        : empty string
//    CKA_SERIAL_NUMBER : empty string
//
CK_RV
cert_x509_set_default_attributes( TEMPLATE *tmpl, CK_ULONG mode )
{
   CK_ATTRIBUTE * id_attr = NULL;
   CK_ATTRIBUTE * issuer_attr = NULL;
   CK_ATTRIBUTE * serial_attr = NULL;

   // satisfy compiler warning....
   //
   if (mode)
      id_attr = NULL;

   id_attr     = (CK_ATTRIBUTE *)malloc( sizeof(CK_ATTRIBUTE) );
   issuer_attr = (CK_ATTRIBUTE *)malloc( sizeof(CK_ATTRIBUTE) );
   serial_attr = (CK_ATTRIBUTE *)malloc( sizeof(CK_ATTRIBUTE) );

   if (!id_attr || !issuer_attr || !serial_attr) {
      if (id_attr)      free( id_attr     );
      if (issuer_attr)  free( issuer_attr );
      if (serial_attr)  free( serial_attr );
      st_err_log(1, __FILE__, __LINE__);

      return CKR_HOST_MEMORY;
   }

   id_attr->type            = CKA_ID;
   id_attr->ulValueLen      = 0;   // empty string
   id_attr->pValue          = NULL;

   issuer_attr->type        = CKA_ISSUER;
   issuer_attr->ulValueLen  = 0;   // empty byte array
   issuer_attr->pValue      = NULL;

   serial_attr->type        = CKA_SERIAL_NUMBER;
   serial_attr->ulValueLen  = 0;   // empty byte array
   serial_attr->pValue      = NULL;

   template_update_attribute( tmpl, id_attr     );
   template_update_attribute( tmpl, issuer_attr );
   template_update_attribute( tmpl, serial_attr );

   return CKR_OK;
}


// cert_x509_validate_attributes()
//
CK_RV
cert_x509_validate_attribute( TEMPLATE *tmpl, CK_ATTRIBUTE *attr, CK_ULONG mode )
{
   switch (attr->type) {
      case CKA_SUBJECT:
         if (mode != MODE_CREATE){
            st_err_log(7, __FILE__, __LINE__);
            return CKR_ATTRIBUTE_READ_ONLY;
         }
         else
            return CKR_OK;

      case CKA_ID:
      case CKA_ISSUER:
      case CKA_SERIAL_NUMBER:
         return CKR_OK;

      case CKA_VALUE:
         if (mode != MODE_CREATE){
            st_err_log(7, __FILE__, __LINE__);
            return CKR_ATTRIBUTE_READ_ONLY;
         }
         else
            return CKR_OK;

      default:
         return cert_validate_attribute( tmpl, attr, mode );
   }
}


// cert_vendor_check_required_attributes()
//
CK_RV
cert_vendor_check_required_attributes( TEMPLATE *tmpl, CK_ULONG mode )
{
   // CKC_VENDOR has no required attributes
   //
   return cert_check_required_attributes( tmpl, mode );
}


// cert_vendor_validate_attribute()
//
CK_RV
cert_vendor_validate_attribute( TEMPLATE *tmpl, CK_ATTRIBUTE *attr, CK_ULONG mode )
{
   // cryptoki specifies no attributes for CKC_VENDOR certificates
   //
   return cert_validate_attribute( tmpl, attr, mode );
}