File 0001-trust-Support-CKA_NSS_-SERVER-EMAIL-_DISTR... of Package p11-kit

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-trust-Support-CKA_NSS_-SERVER-EMAIL-_DISTRUST_AFTER.patch of Package p11-kit

From 1def8077a2bc1fc2a6bd3685a9d94a9a51f40e23 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Thu, 31 Oct 2019 11:18:42 +0100
Subject: [PATCH] trust: Support CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER

These new attributes are introduced in:
https://bugzilla.mozilla.org/show_bug.cgi?id=1465613

The value of the attribute can be either false (represented as a
single octed "\x00"), or a UTCTime in a restricted form (i.e.,
"YYMMDDHHMMSSZ").  For future proof, we also support GeneralizedTime
in the form "YYYYMMDDHHMMSSZ".
---
 common/constants.c   |  2 ++
 common/pkcs11x.h     |  2 ++
 trust/builder.c      | 78 ++++++++++++++++++++++++++++++++++++++++++++
 trust/test-builder.c | 75 ++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 157 insertions(+)

Index: p11-kit-0.23.2/common/constants.c
===================================================================
--- p11-kit-0.23.2.orig/common/constants.c
+++ p11-kit-0.23.2/common/constants.c
@@ -155,6 +155,8 @@ const p11_constant p11_constant_types[]
 	CT (CKA_NSS_PQG_SEED_BITS, "nss-pqg-seed-bits")
 	CT (CKA_NSS_MODULE_SPEC, "nss-module-spec")
 	CT (CKA_NSS_MOZILLA_CA_POLICY, "nss-mozilla-ca-policy")
+	CT (CKA_NSS_SERVER_DISTRUST_AFTER, "nss-server-distrust-after")
+	CT (CKA_NSS_EMAIL_DISTRUST_AFTER, "nss-email-distrust-after")
 	CT (CKA_TRUST_DIGITAL_SIGNATURE, "trust-digital-signature")
 	CT (CKA_TRUST_NON_REPUDIATION, "trust-non-repudiation")
 	CT (CKA_TRUST_KEY_ENCIPHERMENT, "trust-key-encipherment")
Index: p11-kit-0.23.2/common/pkcs11x.h
===================================================================
--- p11-kit-0.23.2.orig/common/pkcs11x.h
+++ p11-kit-0.23.2/common/pkcs11x.h
@@ -75,6 +75,8 @@ extern "C" {
 #define CKA_NSS_PQG_SEED_BITS           0xce534367UL
 #define CKA_NSS_MODULE_SPEC             0xce534368UL
 #define CKA_NSS_MOZILLA_CA_POLICY       0xce534372UL
+#define CKA_NSS_SERVER_DISTRUST_AFTER   0xce534373UL
+#define CKA_NSS_EMAIL_DISTRUST_AFTER    0xce534374UL
 
 /* NSS trust attributes */
 #define CKA_TRUST_DIGITAL_SIGNATURE     0xce536351UL
Index: p11-kit-0.23.2/trust/builder.c
===================================================================
--- p11-kit-0.23.2.orig/trust/builder.c
+++ p11-kit-0.23.2/trust/builder.c
@@ -335,6 +335,82 @@ type_der_ext (p11_builder *builder,
 	return check_der_struct (builder, "PKIX1.Extension", attr);
 }
 
+static bool
+type_false_or_time (p11_builder *builder,
+		    CK_ATTRIBUTE *attr)
+{
+	struct tm tm;
+	struct tm two;
+	char *value;
+
+	if (sizeof (CK_BBOOL) == attr->ulValueLen &&
+	    *((CK_BBOOL *)attr->pValue) == CK_FALSE)
+		return true;
+
+	value = attr->pValue;
+
+	switch (attr->ulValueLen) {
+	case 13:
+		/* UTCTime restricted by RFC 5280 4.1.2.5.1, i.e., in
+		 * the format "YYMMDDHHMMSSZ" */
+		if (value[attr->ulValueLen - 1] != 'Z')
+			return false;
+
+		tm.tm_year = atoin (value, 2);
+		if (tm.tm_year < 0)
+			return false;
+		if (tm.tm_year >= 50)
+			tm.tm_year += 1900;
+		else if (tm.tm_year >= 0)
+			tm.tm_year += 2000;
+		value += 2;
+
+		break;
+	case 15:
+		/* GeneralizedTime restricted by RFC 5280 4.1.2.5.2,
+		 * i.e., in the form "YYYYMMDDHHMMSSZ" */
+		if (value[attr->ulValueLen - 1] != 'Z')
+			return false;
+
+		tm.tm_year = atoin (value, 4);
+		if (tm.tm_year < 0)
+			return false;
+		value += 4;
+
+		break;
+	default:
+		return false;
+	}
+
+	tm.tm_mon = atoin (value, 2);
+	value += 2;
+	tm.tm_mday = atoin (value, 2);
+	value += 2;
+	tm.tm_hour = atoin (value, 2);
+	value += 2;
+	tm.tm_min = atoin (value, 2);
+	value += 2;
+	tm.tm_sec = atoin (value, 2);
+
+	if (tm.tm_mon <= 0 || tm.tm_mday <= 0 ||
+	    tm.tm_hour < 0 || tm.tm_min < 0 || tm.tm_sec < 0)
+		return false;
+
+	memcpy (&two, &tm, sizeof (tm));
+	two.tm_isdst = -1;	/* do not perform tz fixup */
+
+	/* If mktime changed anything, then bad time */
+	if (tm.tm_year != two.tm_year ||
+	    tm.tm_mon != two.tm_mon ||
+	    tm.tm_mday != two.tm_mday ||
+	    tm.tm_hour != two.tm_hour ||
+	    tm.tm_min != two.tm_min ||
+	    tm.tm_sec != two.tm_sec)
+		return false;
+
+	return true;
+}
+
 #define COMMON_ATTRS \
 	{ CKA_CLASS, REQUIRE | CREATE, type_ulong }, \
 	{ CKA_TOKEN, CREATE | WANT, type_bool }, \
@@ -793,6 +869,8 @@ const static builder_schema certificate_
 	  { CKA_TRUSTED, CREATE | WANT, type_bool },
 	  { CKA_X_DISTRUSTED, CREATE | WANT, type_bool },
 	  { CKA_NSS_MOZILLA_CA_POLICY, CREATE | WANT, type_bool },
+	  { CKA_NSS_SERVER_DISTRUST_AFTER, CREATE | WANT, type_false_or_time },
+	  { CKA_NSS_EMAIL_DISTRUST_AFTER, CREATE | WANT, type_false_or_time },
 	  { CKA_CERTIFICATE_CATEGORY, CREATE | WANT, type_ulong },
 	  { CKA_CHECK_VALUE, CREATE | WANT, },
 	  { CKA_START_DATE, CREATE | MODIFY | WANT, type_date },
Index: p11-kit-0.23.2/trust/test-builder.c
===================================================================
--- p11-kit-0.23.2.orig/trust/test-builder.c
+++ p11-kit-0.23.2/trust/test-builder.c
@@ -864,6 +864,79 @@ test_invalid_dates (void)
 }
 
 static void
+test_valid_false_or_time (void)
+{
+	CK_ATTRIBUTE *attrs = NULL;
+	CK_ATTRIBUTE *extra = NULL;
+	CK_RV rv;
+
+	CK_ATTRIBUTE input[] = {
+		{ CKA_NSS_SERVER_DISTRUST_AFTER, NULL, 0 },
+		{ CKA_CLASS, &certificate, sizeof (certificate) },
+		{ CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) },
+		{ CKA_INVALID },
+	};
+
+	input[0].pValue = "\x00";
+	input[0].ulValueLen = 1;
+	rv = p11_builder_build (test.builder, test.index, attrs, input, &extra);
+	assert_num_eq (CKR_OK, rv);
+
+	p11_attrs_free (extra);
+	p11_attrs_free (attrs);
+	attrs = NULL;
+
+	input[0].pValue = "190701000000Z";
+	input[0].ulValueLen = 13;
+	rv = p11_builder_build (test.builder, test.index, attrs, input, &extra);
+	assert_num_eq (CKR_OK, rv);
+
+	p11_attrs_free (extra);
+	p11_attrs_free (attrs);
+
+	input[0].pValue = "20190701000000Z";
+	input[0].ulValueLen = 15;
+	rv = p11_builder_build (test.builder, test.index, attrs, input, &extra);
+	assert_num_eq (CKR_OK, rv);
+
+	p11_attrs_free (extra);
+	p11_attrs_free (attrs);
+}
+
+static void
+test_invalid_false_or_time (void)
+{
+	CK_ATTRIBUTE *attrs = NULL;
+	CK_ATTRIBUTE *extra = NULL;
+	CK_RV rv;
+
+	CK_ATTRIBUTE input[] = {
+		{ CKA_NSS_SERVER_DISTRUST_AFTER, NULL, 0 },
+		{ CKA_CLASS, &certificate, sizeof (certificate) },
+		{ CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) },
+		{ CKA_INVALID },
+	};
+
+	p11_message_quiet ();
+
+	input[0].pValue = "\x01";
+	input[0].ulValueLen = 1;
+	rv = p11_builder_build (test.builder, test.index, attrs, input, &extra);
+	assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv);
+
+	input[0].pValue = "\x01\x02\x03";
+	input[0].ulValueLen = 3;
+	rv = p11_builder_build (test.builder, test.index, attrs, input, &extra);
+	assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv);
+
+	input[0].pValue = NULL;
+	rv = p11_builder_build (test.builder, test.index, attrs, input, &extra);
+	assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv);
+
+	p11_message_loud ();
+}
+
+static void
 test_valid_name (void)
 {
 	CK_ATTRIBUTE *attrs = NULL;
@@ -2204,6 +2277,7 @@ main (int argc,
 	p11_test (test_valid_name, "/builder/valid-name");
 	p11_test (test_valid_serial, "/builder/valid-serial");
 	p11_test (test_valid_cert, "/builder/valid-cert");
+	p11_test (test_valid_false_or_time, "/builder/valid-false-or-time");
 	p11_test (test_invalid_bool, "/builder/invalid-bool");
 	p11_test (test_invalid_ulong, "/builder/invalid-ulong");
 	p11_test (test_invalid_utf8, "/builder/invalid-utf8");
@@ -2211,6 +2285,7 @@ main (int argc,
 	p11_test (test_invalid_name, "/builder/invalid-name");
 	p11_test (test_invalid_serial, "/builder/invalid-serial");
 	p11_test (test_invalid_cert, "/builder/invalid-cert");
+	p11_test (test_invalid_false_or_time, "/builder/invalid-false-or-time");
 	p11_test (test_invalid_schema, "/builder/invalid-schema");
 
 	p11_test (test_create_not_settable, "/builder/create_not_settable");

Places

File 0001-trust-Support-CKA_NSS_-SERVER-EMAIL-_DISTRUST_AFTER.patch of Package p11-kit

Places