File 0001-trust-Support-CKA_NSS_-SERVER-EMAIL-_DISTRUST_AFTER.patch of Package p11-kit.25027
From 1def8077a2bc1fc2a6bd3685a9d94a9a51f40e23 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Thu, 31 Oct 2019 11:18:42 +0100
Subject: [PATCH] trust: Support CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER
These new attributes are introduced in:
https://bugzilla.mozilla.org/show_bug.cgi?id=1465613
The value of the attribute can be either false (represented as a
single octet "\x00"), or a UTCTime in a restricted form (i.e.,
"YYMMDDHHMMSSZ"). To be future-proof, we also support GeneralizedTime
in the form "YYYYMMDDHHMMSSZ".
---
common/constants.c | 2 ++
common/pkcs11x.h | 2 ++
trust/builder.c | 78 ++++++++++++++++++++++++++++++++++++++++++++
trust/test-builder.c | 75 ++++++++++++++++++++++++++++++++++++++++++
4 files changed, 157 insertions(+)
Index: p11-kit-0.23.2/common/constants.c
===================================================================
--- p11-kit-0.23.2.orig/common/constants.c
+++ p11-kit-0.23.2/common/constants.c
@@ -155,6 +155,8 @@ const p11_constant p11_constant_types[]
CT (CKA_NSS_PQG_SEED_BITS, "nss-pqg-seed-bits")
CT (CKA_NSS_MODULE_SPEC, "nss-module-spec")
CT (CKA_NSS_MOZILLA_CA_POLICY, "nss-mozilla-ca-policy")
+ CT (CKA_NSS_SERVER_DISTRUST_AFTER, "nss-server-distrust-after")
+ CT (CKA_NSS_EMAIL_DISTRUST_AFTER, "nss-email-distrust-after")
CT (CKA_TRUST_DIGITAL_SIGNATURE, "trust-digital-signature")
CT (CKA_TRUST_NON_REPUDIATION, "trust-non-repudiation")
CT (CKA_TRUST_KEY_ENCIPHERMENT, "trust-key-encipherment")
Index: p11-kit-0.23.2/common/pkcs11x.h
===================================================================
--- p11-kit-0.23.2.orig/common/pkcs11x.h
+++ p11-kit-0.23.2/common/pkcs11x.h
@@ -75,6 +75,8 @@ extern "C" {
#define CKA_NSS_PQG_SEED_BITS 0xce534367UL
#define CKA_NSS_MODULE_SPEC 0xce534368UL
#define CKA_NSS_MOZILLA_CA_POLICY 0xce534372UL
+#define CKA_NSS_SERVER_DISTRUST_AFTER 0xce534373UL
+#define CKA_NSS_EMAIL_DISTRUST_AFTER 0xce534374UL
/* NSS trust attributes */
#define CKA_TRUST_DIGITAL_SIGNATURE 0xce536351UL
Index: p11-kit-0.23.2/trust/builder.c
===================================================================
--- p11-kit-0.23.2.orig/trust/builder.c
+++ p11-kit-0.23.2/trust/builder.c
@@ -335,6 +335,82 @@ type_der_ext (p11_builder *builder,
return check_der_struct (builder, "PKIX1.Extension", attr);
}
+static bool
+type_false_or_time (p11_builder *builder,
+ CK_ATTRIBUTE *attr)
+{
+ struct tm tm;
+ struct tm two;
+ char *value;
+
+ if (sizeof (CK_BBOOL) == attr->ulValueLen &&
+ *((CK_BBOOL *)attr->pValue) == CK_FALSE)
+ return true;
+
+ value = attr->pValue;
+
+ switch (attr->ulValueLen) {
+ case 13:
+ /* UTCTime restricted by RFC 5280 4.1.2.5.1, i.e., in
+ * the format "YYMMDDHHMMSSZ" */
+ if (value[attr->ulValueLen - 1] != 'Z')
+ return false;
+
+ tm.tm_year = atoin (value, 2);
+ if (tm.tm_year < 0)
+ return false;
+ if (tm.tm_year >= 50)
+ tm.tm_year += 1900;
+ else if (tm.tm_year >= 0)
+ tm.tm_year += 2000;
+ value += 2;
+
+ break;
+ case 15:
+ /* GeneralizedTime restricted by RFC 5280 4.1.2.5.2,
+ * i.e., in the form "YYYYMMDDHHMMSSZ" */
+ if (value[attr->ulValueLen - 1] != 'Z')
+ return false;
+
+ tm.tm_year = atoin (value, 4);
+ if (tm.tm_year < 0)
+ return false;
+ value += 4;
+
+ break;
+ default:
+ return false;
+ }
+
+ tm.tm_mon = atoin (value, 2);
+ value += 2;
+ tm.tm_mday = atoin (value, 2);
+ value += 2;
+ tm.tm_hour = atoin (value, 2);
+ value += 2;
+ tm.tm_min = atoin (value, 2);
+ value += 2;
+ tm.tm_sec = atoin (value, 2);
+
+ if (tm.tm_mon <= 0 || tm.tm_mday <= 0 ||
+ tm.tm_hour < 0 || tm.tm_min < 0 || tm.tm_sec < 0)
+ return false;
+
+ memcpy (&two, &tm, sizeof (tm));
+ two.tm_isdst = -1; /* do not perform tz fixup */
+
+ /* If mktime changed anything, then bad time */
+ if (tm.tm_year != two.tm_year ||
+ tm.tm_mon != two.tm_mon ||
+ tm.tm_mday != two.tm_mday ||
+ tm.tm_hour != two.tm_hour ||
+ tm.tm_min != two.tm_min ||
+ tm.tm_sec != two.tm_sec)
+ return false;
+
+ return true;
+}
+
#define COMMON_ATTRS \
{ CKA_CLASS, REQUIRE | CREATE, type_ulong }, \
{ CKA_TOKEN, CREATE | WANT, type_bool }, \
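Review bot: The final comparison in `type_false_or_time` can never fail, because `two` is a plain `memcpy` of `tm` and nothing normalises it before the fields are compared, so the "If mktime changed anything" comment describes a call that is not there. A value with month 13 or hour 25 is therefore accepted as long as each field parses (assuming `atoin` returns a negative value for non-digits, which is not visible here), and these attributes carry a distrust cutoff date. I would replace the copy-and-compare with explicit range checks rather than add a `mktime` call, since `tm_year` and `tm_mon` hold a full year and a 1-based month here and `mktime` would also apply the local time zone. The first check and both `case` branches dereference `attr->pValue` without a NULL test, so confirm the caller rejects a NULL value with a non-zero length. The `else if (tm.tm_year >= 0)` is always true after the earlier `< 0` return and can be a plain `else`.

```c
	/* … unchanged: CK_FALSE check, length switch and atoin() field parsing … */

	/* Range-check each field directly instead of a mktime() round-trip,
	 * so the result does not depend on the local time zone.  The day is
	 * only bounded by 31; a per-month limit is not enforced here. */
	if (tm.tm_mon < 1 || tm.tm_mon > 12 ||
	    tm.tm_mday < 1 || tm.tm_mday > 31 ||
	    tm.tm_hour < 0 || tm.tm_hour > 23 ||
	    tm.tm_min < 0 || tm.tm_min > 59 ||
	    tm.tm_sec < 0 || tm.tm_sec > 59)
		return false;

	return true;
```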
@@ -793,6 +869,8 @@ const static builder_schema certificate_
{ CKA_TRUSTED, CREATE | WANT, type_bool },
{ CKA_X_DISTRUSTED, CREATE | WANT, type_bool },
{ CKA_NSS_MOZILLA_CA_POLICY, CREATE | WANT, type_bool },
+ { CKA_NSS_SERVER_DISTRUST_AFTER, CREATE | WANT, type_false_or_time },
+ { CKA_NSS_EMAIL_DISTRUST_AFTER, CREATE | WANT, type_false_or_time },
{ CKA_CERTIFICATE_CATEGORY, CREATE | WANT, type_ulong },
{ CKA_CHECK_VALUE, CREATE | WANT, },
{ CKA_START_DATE, CREATE | MODIFY | WANT, type_date },
Index: p11-kit-0.23.2/trust/test-builder.c
===================================================================
--- p11-kit-0.23.2.orig/trust/test-builder.c
+++ p11-kit-0.23.2/trust/test-builder.c
@@ -864,6 +864,79 @@ test_invalid_dates (void)
}
static void
+test_valid_false_or_time (void)
+{
+ CK_ATTRIBUTE *attrs = NULL;
+ CK_ATTRIBUTE *extra = NULL;
+ CK_RV rv;
+
+ CK_ATTRIBUTE input[] = {
+ { CKA_NSS_SERVER_DISTRUST_AFTER, NULL, 0 },
+ { CKA_CLASS, &certificate, sizeof (certificate) },
+ { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) },
+ { CKA_INVALID },
+ };
+
+ input[0].pValue = "\x00";
+ input[0].ulValueLen = 1;
+ rv = p11_builder_build (test.builder, test.index, attrs, input, &extra);
+ assert_num_eq (CKR_OK, rv);
+
+ p11_attrs_free (extra);
+ p11_attrs_free (attrs);
+ attrs = NULL;
+
+ input[0].pValue = "190701000000Z";
+ input[0].ulValueLen = 13;
+ rv = p11_builder_build (test.builder, test.index, attrs, input, &extra);
+ assert_num_eq (CKR_OK, rv);
+
+ p11_attrs_free (extra);
+ p11_attrs_free (attrs);
+
+ input[0].pValue = "20190701000000Z";
+ input[0].ulValueLen = 15;
+ rv = p11_builder_build (test.builder, test.index, attrs, input, &extra);
+ assert_num_eq (CKR_OK, rv);
+
+ p11_attrs_free (extra);
+ p11_attrs_free (attrs);
+}
+
+static void
+test_invalid_false_or_time (void)
+{
+ CK_ATTRIBUTE *attrs = NULL;
+ CK_ATTRIBUTE *extra = NULL;
+ CK_RV rv;
+
+ CK_ATTRIBUTE input[] = {
+ { CKA_NSS_SERVER_DISTRUST_AFTER, NULL, 0 },
+ { CKA_CLASS, &certificate, sizeof (certificate) },
+ { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) },
+ { CKA_INVALID },
+ };
+
+ p11_message_quiet ();
+
+ input[0].pValue = "\x01";
+ input[0].ulValueLen = 1;
+ rv = p11_builder_build (test.builder, test.index, attrs, input, &extra);
+ assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv);
+
+ input[0].pValue = "\x01\x02\x03";
+ input[0].ulValueLen = 3;
+ rv = p11_builder_build (test.builder, test.index, attrs, input, &extra);
+ assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv);
+
+ input[0].pValue = NULL;
+ rv = p11_builder_build (test.builder, test.index, attrs, input, &extra);
+ assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv);
+
+ p11_message_loud ();
+}
+
+static void
test_valid_name (void)
{
CK_ATTRIBUTE *attrs = NULL;
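Review bot: `test_invalid_false_or_time` never feeds the validator a malformed time string, so the 13- and 15-octet branches are only exercised with valid input. Add cases expecting `CKR_ATTRIBUTE_VALUE_INVALID` for a 13-octet value without the trailing `Z`, one containing a non-digit, and one with an out-of-range field (for example a constructed `"191301000000Z"`). The last case sets `input[0].pValue = NULL` but leaves `ulValueLen` at 3, so it is rejected by length and does not show how a NULL value of length 1, 13 or 15 is handled. In `test_valid_false_or_time`, `extra` is passed to `p11_builder_build` again after `p11_attrs_free (extra)` without being reset; adding `extra = NULL;` after each free would avoid a stale pointer should a build return before writing it (whether it can is not visible here).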
@@ -2204,6 +2277,7 @@ main (int argc,
p11_test (test_valid_name, "/builder/valid-name");
p11_test (test_valid_serial, "/builder/valid-serial");
p11_test (test_valid_cert, "/builder/valid-cert");
+ p11_test (test_valid_false_or_time, "/builder/valid-false-or-time");
p11_test (test_invalid_bool, "/builder/invalid-bool");
p11_test (test_invalid_ulong, "/builder/invalid-ulong");
p11_test (test_invalid_utf8, "/builder/invalid-utf8");
@@ -2211,6 +2285,7 @@ main (int argc,
p11_test (test_invalid_name, "/builder/invalid-name");
p11_test (test_invalid_serial, "/builder/invalid-serial");
p11_test (test_invalid_cert, "/builder/invalid-cert");
+ p11_test (test_invalid_false_or_time, "/builder/invalid-false-or-time");
p11_test (test_invalid_schema, "/builder/invalid-schema");
p11_test (test_create_not_settable, "/builder/create_not_settable");