fixup! pk11_uri: Visible string instead of oId

latchset · Feb 14, 2024 · cb895df · cb895df
1 parent 317df6d
commit cb895df
Show file tree

Hide file tree

Showing 9 changed files with 266 additions and 189 deletions.
diff --git a/src/decoder.c b/src/decoder.c
diff --git a/src/decoder.h b/src/decoder.h
@@ -6,6 +6,9 @@
 
 #include <openssl/core.h>
 
+#define RET_OSSL_CARRY_ON_DECODING 1
+#define RET_OSSL_STOP_DECODING 1
+
 /* DECODERs */
 #define DISPATCH_TEXT_DECODER_FN(type, name) \
     static OSSL_FUNC_DECODER_##name##_fn p11prov_##type##_DECODER_##name##_text
@@ -29,8 +32,8 @@
             (void (*)( \
                 void))p11prov_##type##_decoder_##structure##_##format##_##name \
     }
-extern const OSSL_DISPATCH p11prov_der_decoder_p11_rsa_functions[];
-extern const OSSL_DISPATCH p11prov_der_decoder_p11_ec_functions[];
-extern const OSSL_DISPATCH p11prov_pem_decoder_p11_der_functions[];
+extern const OSSL_DISPATCH p11prov_der_decoder_p11prov_rsa_functions[];
+extern const OSSL_DISPATCH p11prov_der_decoder_p11prov_ec_functions[];
+extern const OSSL_DISPATCH p11prov_pem_decoder_p11prov_der_functions[];
 
 #endif /* _DECODER_H */
diff --git a/src/encoder.c b/src/encoder.c
@@ -482,7 +482,10 @@ static P11PROV_PK11_URI *p11prov_encoder_private_key_to_asn1(P11PROV_CTX *pctx,
         goto error;
     }
 
-    out->type = OBJ_txt2obj(P11PROV_OID_URI, 1);
+    if (!ASN1_STRING_set(out->desc, P11PROV_DESCS_URI_FILE,
+                         sizeof(P11PROV_DESCS_URI_FILE) - 1)) {
+        goto error;
+    }
     if (!ASN1_STRING_set(out->uri, uri, uri_len)) {
         goto error;
     }

diff --git a/src/pk11_uri.gen.c b/src/pk11_uri.gen.c
@@ -7,9 +7,8 @@ extern P11PROV_PK11_URI *
 d2i_P11PROV_PK11_URI(P11PROV_PK11_URI **a, const unsigned char **in, long len);
 extern int i2d_P11PROV_PK11_URI(const P11PROV_PK11_URI *a, unsigned char **out);
 extern const ASN1_ITEM *P11PROV_PK11_URI_it(void);
-
-P11PROV_PK11_URI
-*d2i_P11PROV_PK11_URI(P11PROV_PK11_URI **a, const unsigned char **in, long len)
+P11PROV_PK11_URI *d2i_P11PROV_PK11_URI(P11PROV_PK11_URI **a,
+                                       const unsigned char **in, long len)
 {
     return (P11PROV_PK11_URI *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
                                              (P11PROV_PK11_URI_it()));
@@ -18,8 +17,7 @@ int i2d_P11PROV_PK11_URI(const P11PROV_PK11_URI *a, unsigned char **out)
 {
     return ASN1_item_i2d((const ASN1_VALUE *)a, out, (P11PROV_PK11_URI_it()));
 }
-P11PROV_PK11_URI
-*P11PROV_PK11_URI_new(void)
+P11PROV_PK11_URI *P11PROV_PK11_URI_new(void)
 {
     return (P11PROV_PK11_URI *)ASN1_item_new((P11PROV_PK11_URI_it()));
 }
@@ -29,10 +27,8 @@ void P11PROV_PK11_URI_free(P11PROV_PK11_URI *a)
 }
 
 static const ASN1_TEMPLATE P11PROV_PK11_URI_seq_tt[] = {
-
-    { (0), (0), __builtin_offsetof(P11PROV_PK11_URI, type), "type",
-      (ASN1_OBJECT_it) },
-
+    { (0), (0), __builtin_offsetof(P11PROV_PK11_URI, desc), "desc",
+      (ASN1_VISIBLESTRING_it) },
     { (0), (0), __builtin_offsetof(P11PROV_PK11_URI, uri), "uri",
       (ASN1_UTF8STRING_it) },
 };
@@ -53,19 +49,17 @@ extern int PEM_write_bio_P11PROV_PK11_URI(BIO *out, const P11PROV_PK11_URI *x);
 int PEM_write_bio_P11PROV_PK11_URI(BIO *out, const P11PROV_PK11_URI *x)
 {
     return PEM_ASN1_write_bio((i2d_of_void *)i2d_P11PROV_PK11_URI,
-                              P11PROV_PRIVKEY_PEM_NAME, out, x, ((void *)0),
+                              P11PROV_PEM_LABEL, out, x, ((void *)0),
                               ((void *)0), 0, ((void *)0), ((void *)0));
 }
 
 extern P11PROV_PK11_URI *PEM_read_bio_P11PROV_PK11_URI(BIO *out,
                                                        P11PROV_PK11_URI **x,
                                                        pem_password_cb *cb,
                                                        void *u);
-
-P11PROV_PK11_URI
-*PEM_read_bio_P11PROV_PK11_URI(BIO *bp, P11PROV_PK11_URI **x,
-                               pem_password_cb *cb, void *u)
+P11PROV_PK11_URI *PEM_read_bio_P11PROV_PK11_URI(BIO *bp, P11PROV_PK11_URI **x,
+                                                pem_password_cb *cb, void *u)
 {
     return PEM_ASN1_read_bio((d2i_of_void *)d2i_P11PROV_PK11_URI,
-                             P11PROV_PRIVKEY_PEM_NAME, bp, (void **)x, cb, u);
+                             P11PROV_PEM_LABEL, bp, (void **)x, cb, u);
 }
diff --git a/src/pk11_uri.h b/src/pk11_uri.h
@@ -6,12 +6,12 @@
 
 #include <openssl/asn1t.h>
 
-#define P11PROV_OID_URI "2.5.4.83" /* TODO: find a more appropriate oId */
-#define P11PROV_PK11_URI_STRUCTURE "pk11-uri"
-#define P11PROV_PRIVKEY_PEM_NAME "PRIVATE KEY PK11-URI"
+#define P11PROV_DER_STRUCTURE "pk11-uri"
+#define P11PROV_PEM_LABEL "PKCS#11 PROVIDER URI"
+#define P11PROV_DESCS_URI_FILE "PKCS#11 Provider URI v1.0"
 
 typedef struct {
-    ASN1_OBJECT *type;
+    ASN1_VISIBLESTRING *desc;
     ASN1_UTF8STRING *uri;
 } P11PROV_PK11_URI;
 

diff --git a/src/pk11_uri.pre b/src/pk11_uri.pre
@@ -10,14 +10,14 @@ DECLARE_ASN1_FUNCTIONS(P11PROV_PK11_URI)
 IMPLEMENT_ASN1_FUNCTIONS(P11PROV_PK11_URI)
 
 ASN1_SEQUENCE(P11PROV_PK11_URI) = {
-    ASN1_SIMPLE(P11PROV_PK11_URI, type, ASN1_OBJECT),
+    ASN1_SIMPLE(P11PROV_PK11_URI, desc, ASN1_VISIBLESTRING),
     ASN1_SIMPLE(P11PROV_PK11_URI, uri, ASN1_UTF8STRING),
 } ASN1_SEQUENCE_END(P11PROV_PK11_URI)
 
 DECLARE_PEM_write_bio(P11PROV_PK11_URI, P11PROV_PK11_URI)
 IMPLEMENT_PEM_write_bio(P11PROV_PK11_URI, P11PROV_PK11_URI,
-                        P11PROV_PRIVKEY_PEM_NAME, P11PROV_PK11_URI)
+                        P11PROV_PEM_LABEL, P11PROV_PK11_URI)
 
 DECLARE_PEM_read_bio(P11PROV_PK11_URI, P11PROV_PK11_URI)
 IMPLEMENT_PEM_read_bio(P11PROV_PK11_URI, P11PROV_PK11_URI,
-                       P11PROV_PRIVKEY_PEM_NAME, P11PROV_PK11_URI)
+                       P11PROV_PEM_LABEL, P11PROV_PK11_URI)
diff --git a/src/provider.c b/src/provider.c
@@ -1132,13 +1132,13 @@ static const OSSL_ALGORITHM p11prov_store[] = {
 
 static const OSSL_ALGORITHM p11prov_decoders[] = {
     { "DER", "provider=pkcs11,input=pem",
-      p11prov_pem_decoder_p11_der_functions },
+      p11prov_pem_decoder_p11prov_der_functions },
     { "RSA:rsaEncryption",
-      "provider=pkcs11,input=der,structure=" P11PROV_PK11_URI_STRUCTURE,
-      p11prov_der_decoder_p11_rsa_functions },
+      "provider=pkcs11,input=der,structure=" P11PROV_DER_STRUCTURE,
+      p11prov_der_decoder_p11prov_rsa_functions },
     { "EC:id-ecPublicKey",
-      "provider=pkcs11,input=der,structure=" P11PROV_PK11_URI_STRUCTURE,
-      p11prov_der_decoder_p11_ec_functions },
+      "provider=pkcs11,input=der,structure=" P11PROV_DER_STRUCTURE,
+      p11prov_der_decoder_p11prov_ec_functions },
     { NULL, NULL, NULL }
 };
 
@@ -1326,7 +1326,7 @@ enum p11prov_cfg_enum {
     P11PROV_CFG_CACHE_KEYS,
     P11PROV_CFG_QUIRKS,
     P11PROV_CFG_CACHE_SESSIONS,
-    P11PROV_CFG_ENCODE_PK11_URI_TO_PEM,
+    P11PROV_CFG_ENCODE_PROVIDER_URI_TO_PEM,
     P11PROV_CFG_SIZE,
 };
 
@@ -1343,7 +1343,7 @@ static struct p11prov_cfg_names {
     { "pkcs11-module-cache-keys" },
     { "pkcs11-module-quirks" },
     { "pkcs11-module-cache-sessions" },
-    { "pkcs11-module-encode-key-uri-to-pem" },
+    { "pkcs11-module-encode-provider-uri-to-pem" },
 };
 
 int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in,
@@ -1553,8 +1553,8 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in,
     }
     P11PROV_debug("Cache Sessions: %d", ctx->cache_sessions);
 
-    if (cfg[P11PROV_CFG_ENCODE_PK11_URI_TO_PEM] != NULL
-        && strcmp(cfg[P11PROV_CFG_ENCODE_PK11_URI_TO_PEM], "true") == 0) {
+    if (cfg[P11PROV_CFG_ENCODE_PROVIDER_URI_TO_PEM] != NULL
+        && strcmp(cfg[P11PROV_CFG_ENCODE_PROVIDER_URI_TO_PEM], "true") == 0) {
         ctx->encode_pkey_as_pk11_uri = true;
     } else {
         ctx->encode_pkey_as_pk11_uri = false;

diff --git a/tests/openssl.cnf.in b/tests/openssl.cnf.in
@@ -24,7 +24,7 @@ activate = 1
 module = @libtoollibs@/pkcs11@SHARED_EXT@
 pkcs11-module-init-args = configDir=@testsblddir@/tmp.softokn/tokens
 pkcs11-module-token-pin = file:@testsblddir@/pinfile.txt
-#pkcs11-module-encode-key-uri-to-pem
+#pkcs11-module-encode-provider-uri-to-pem
 #pkcs11-module-allow-export
 #pkcs11-module-load-behavior
 ##QUIRKS

diff --git a/tests/tpem_encoder b/tests/tpem_encoder
@@ -6,28 +6,31 @@ source "${TESTSSRCDIR}/helpers.sh"
 
 # We need to configure early loading otherwise no digests are loaded,
 # and all checks are skipped
-sed -e "s/#pkcs11-module-encode-key-uri-to-pem/pkcs11-module-encode-key-uri-to-pem = true/" \
+sed -e "s/#pkcs11-module-encode-provider-uri-to-pem/pkcs11-module-encode-provider-uri-to-pem = true/" \
     -e "s/#pkcs11-module-load-behavior/pkcs11-module-load-behavior = early/" \
     "${OPENSSL_CONF}" > "${OPENSSL_CONF}.encode_to_pem"
 OPENSSL_CONF=${OPENSSL_CONF}.encode_to_pem
+make-uri-pem() {
+    export LC_ALL=C
 
-make-pkey-pem() {
     URI=$1
     OUT=$2
+    DESC="${3:-PKCS#11 Provider URI v1.0}"
 
-    OID="06 03 55 04 53"
-    URI_HEX=$(printf '%s' "${URI}" | perl -lne 'print unpack "H*", $_')
+    DESC_HEX=$(printf '%s' "${DESC}" | perl -ne 'print unpack "H*", $_')
+    URI_HEX=$(printf '%s' "${URI}" | perl -ne 'print unpack "H*", $_')
     {
-        echo "-----BEGIN PRIVATE KEY PK11-URI-----"
-        printf '30 82 %04x %s 0c 82 %04x %s'  \
-               "$((${#URI} + 9))" \
-               "${OID}" \
+        echo "-----BEGIN PKCS#11 PROVIDER URI-----"
+        printf '30 82 %04x 1a 82 %04x %s 0c 82 %04x %s'  \
+               "$((${#URI} + ${#DESC} + 8))" \
+               "${#DESC}" \
+               "${DESC_HEX[*]}" \
                "${#URI}" \
                "${URI_HEX[*]}" \
             | tr -d ' ' \
-            | perl -lne 'print pack "H*", $_' \
-            | base64
-        echo "-----END PRIVATE KEY PK11-URI-----"
+	    | perl -ne 'print pack "H*", $_' \
+	    | base64
+        echo "-----END PKCS#11 PROVIDER URI-----"
     }  > "${OUT}"
 }
 
@@ -53,14 +56,14 @@ sign-verify() {
     rm "${TMP_FILE}"
 }
 
+RANDOM_HEX=$(od -A n -N 15 -t x1 /dev/random)
+export LABEL_SUFFIX_URI=${RANDOM_HEX// /}
+
 title PARA "Test PEM Encoding RSA support"
 
-make-pkey-pem "${PRIURI}" "${TMPPDIR}/priuri-pkey.pem"
+make-uri-pem "${PRIURI}" "${TMPPDIR}/priuri-pkey.pem"
 sign-verify "${TMPPDIR}/priuri-pkey.pem" "${PUBURI}" "${TMPPDIR}/64krandom.bin"
 
-RANDOM_HEX=$(od -A n -N 15 -t x1 /dev/random)
-export LABEL_SUFFIX_URI=${RANDOM_HEX// /}
-
 export ALGORITHM=rsa
 export ALGORITHM_OPT=rsa_keygen_bits:2048
 ossl '
@@ -69,16 +72,15 @@ genpkey -propquery "provider=pkcs11"
         -pkeyopt "pkcs11_uri:pkcs11:object=Test-PEM-Encode-RSA-${LABEL_SUFFIX_URI}"
         -out "${TMPPDIR}/rsa-pkey-uri.pem"'
 
-grep -e "-----BEGIN PRIVATE KEY PK11-URI-----" "${TMPPDIR}/rsa-pkey-uri.pem"
+grep -e "-----BEGIN PKCS#11 PROVIDER URI-----" "${TMPPDIR}/rsa-pkey-uri.pem"
 
 sign-verify "${TMPPDIR}/rsa-pkey-uri.pem" \
             "pkcs11:object=Test-PEM-Encode-RSA-${LABEL_SUFFIX_URI}" \
             "${TMPPDIR}/64krandom.bin"
 
-
 title PARA "Test PEM Encoding EC support"
 
-make-pkey-pem "${ECPRIURI}" "${TMPPDIR}/ecpriuri-pkey.pem"
+make-uri-pem "${ECPRIURI}" "${TMPPDIR}/ecpriuri-pkey.pem"
 sign-verify "${TMPPDIR}/ecpriuri-pkey.pem" "${ECPUBURI}" "${TMPPDIR}/64krandom.bin"
 
 export ALGORITHM=EC
@@ -89,30 +91,70 @@ genpkey -propquery "provider=pkcs11"
         -pkeyopt "pkcs11_uri:pkcs11:object=Test-PEM-Encode-EC-${LABEL_SUFFIX_URI}"
         -out "${TMPPDIR}/ec-pkey-uri.pem"'
 
-grep -e "-----BEGIN PRIVATE KEY PK11-URI-----" "${TMPPDIR}/ec-pkey-uri.pem"
+grep -e "-----BEGIN PKCS#11 PROVIDER URI-----" "${TMPPDIR}/ec-pkey-uri.pem"
 
 sign-verify "${TMPPDIR}/ec-pkey-uri.pem" \
             "pkcs11:object=Test-PEM-Encode-EC-${LABEL_SUFFIX_URI}" \
             "${TMPPDIR}/64krandom.bin"
 
 
-title PARA "Test ambiguous key is unusable"
+title PARA "Test visible string has to match"
+make-uri-pem "${PRIURI}" "${TMPPDIR}/priuri-wrong-version-key.pem" "PKCS#11 Provider URI v2.0"
+ossl '
+storeutl
+	-out "${TMPPDIR}/storeutl-priuri-wrong-version-key.txt"
+	"${TMPPDIR}/priuri-wrong-version-key.pem"' || :
+DATA=$(cat "${TMPPDIR}/storeutl-priuri-wrong-version-key.txt")
+if [[ ! ${DATA} =~ "Total found: 0" ]]; then
+    echo "Should fail because visible string does not match"
+    exit 1
+fi
 
-make-pkey-pem "${BASEURI}" "${TMPPDIR}/baseuri-key.pem"
-FAIL=0
+make-uri-pem "${PRIURI}" "${TMPPDIR}/priuri-too-long-key.pem" "PKCS#11 Provider URI v1.0-INVALID"
 ossl '
-pkey -in "${TMPPDIR}/baseuri-key.pem"' || FAIL=1
-if [ $FAIL -eq 0 ]; then
-    echo "Should fail because the pem references multiple and/or non-private keys"
+storeutl
+	-out "${TMPPDIR}/storeutl-priuri-too-long-key.txt"
+	"${TMPPDIR}/priuri-too-long-key.pem"' || :
+DATA=$(cat "${TMPPDIR}/storeutl-priuri-too-long-key.txt")
+if [[ ! ${DATA} =~ "Total found: 0" ]]; then
+    echo "Should fail because visible string does not match"
     exit 1
 fi
 
-make-pkey-pem "${PUBURI}" "${TMPPDIR}/puburi-key.pem"
+make-uri-pem "${PRIURI}" "${TMPPDIR}/priuri-too-short-key.pem" "PKCS#11 Provider URI v1"
+ossl '
+storeutl
+	-out "${TMPPDIR}/storeutl-priuri-too-short-key.txt"
+	"${TMPPDIR}/priuri-too-short-key.pem"' || :
+DATA=$(cat "${TMPPDIR}/storeutl-priuri-too-short-key.txt")
+if [[ ! ${DATA} =~ "Total found: 0" ]]; then
+    echo "Should fail because visible string does not match"
+    exit 1
+fi
+
+
+title PARA "Test public key is usable"
+make-uri-pem "${PUBURI}" "${TMPPDIR}/puburi-key.pem"
+ossl '
+storeutl
+	-out "${TMPPDIR}/storeutl-puburi-key.txt"
+	"${TMPPDIR}/puburi-key.pem"'
+DATA=$(cat "${TMPPDIR}/storeutl-puburi-key.txt")
+if [[ ! ${DATA} =~ "Total found: 1" ]]; then
+    echo "Cert not found matching by subject=${subj}"
+    exit 1
+fi
+ossl 'storeutl "${TMPPDIR}/puburi-key.pem"' | grep "Total found: 1"
+
+
+title PARA "Test ambiguous key is unusable"
+
+make-uri-pem "${BASEURI}" "${TMPPDIR}/baseuri-key.pem"
 FAIL=0
 ossl '
-pkey -in "${TMPPDIR}/puburi-key.pem"' || FAIL=1
+pkey -in "${TMPPDIR}/baseuri-key.pem"' || FAIL=1
 if [ $FAIL -eq 0 ]; then
-    echo "Should fail because the pem references multiple and/or non-private keys"
+    echo "Should fail for now URI from PEM need to be unique"
     exit 1
 fi