
[SCM] GNU gnutls branch, master, updated. gnutls_2_9_7-22-gdc18e91


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_2_9_7-22-gdc18e91
Date: Sun, 25 Oct 2009 21:23:43 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=dc18e91405903607a7c5c8a9b185f8c286c244b6

The branch, master has been updated
       via  dc18e91405903607a7c5c8a9b185f8c286c244b6 (commit)
      from  ac0d81e93315fc3ac5595396a179b0d31189a7ef (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit dc18e91405903607a7c5c8a9b185f8c286c244b6
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sun Oct 25 20:49:18 2009 +0200

    Added GNUTLS_BAG_SECRET, which adds support for storing a randomly generated
    key in a PKCS-12 structure. This is a gnutls extension, since PKCS-12 does
    not specify what the secret bag should contain. We store the key as an
    OCTET STRING and set the secret type to the PKCS-9 random nonce OID.

-----------------------------------------------------------------------

Summary of changes:
 lib/includes/gnutls/pkcs12.h |    4 +
 lib/pkix.asn                 |    5 +
 lib/pkix_asn1_tab.c          |    5 +
 lib/x509/pkcs12.c            |    7 +-
 lib/x509/pkcs12_bag.c        |  253 ++++++++++++++++++++++++++----------------
 lib/x509/x509_int.h          |    1 +
 src/certtool.c               |    2 +
 7 files changed, 182 insertions(+), 95 deletions(-)

diff --git a/lib/includes/gnutls/pkcs12.h b/lib/includes/gnutls/pkcs12.h
index d0d94cb..c9b250c 100644
--- a/lib/includes/gnutls/pkcs12.h
+++ b/lib/includes/gnutls/pkcs12.h
@@ -68,6 +68,10 @@ extern "C"
     GNUTLS_BAG_PKCS8_KEY,
     GNUTLS_BAG_CERTIFICATE,
     GNUTLS_BAG_CRL,
+    GNUTLS_BAG_SECRET, /* secret data. Underspecified in pkcs-12, gnutls 
extension. We use
+                        * the PKCS-9 random nonce ID (1.2.840.113549.1.9.25.3) 
to store randomly
+                        * generated keys.
+                        */
     GNUTLS_BAG_ENCRYPTED = 10,
     GNUTLS_BAG_UNKNOWN = 20
   } gnutls_pkcs12_bag_type_t;
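Review bot: The comment on the new GNUTLS_BAG_SECRET enumerator names the OID but not the contract a caller of the public header needs: what the bag data is and that it is a gnutls-only convention. Something like `/* Secret data (gnutls extension; under-specified in PKCS #12). The bag data is stored as an OCTET STRING tagged with the PKCS-9 random nonce OID 1.2.840.113549.1.9.25.3 and is intended for randomly generated keys; other PKCS #12 implementations are not expected to recognise it. */` states that in a form readers can act on. The OCTET STRING wrapping is what the commit message describes; it is worth confirming against the `_gnutls_x509_write_value (..., "secretValue", raw, 1)` call in pkcs12_bag.c when wording the comment.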
diff --git a/lib/pkix.asn b/lib/pkix.asn
index 51cd729..8b3993a 100644
--- a/lib/pkix.asn
+++ b/lib/pkix.asn
@@ -591,6 +591,11 @@ pkcs-12-CRLBag ::= SEQUENCE {
   crlValue  [0] EXPLICIT ANY DEFINED BY crlId
 }
 
+pkcs-12-SecretBag ::= SEQUENCE {
+  secretTypeId     OBJECT IDENTIFIER,
+  secretValue  [0] EXPLICIT ANY DEFINED BY secretTypeId
+}
+
 -- x509CRL BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-crlTypes 1}}
 -- DER-encoded X.509 CRL stored in OCTET STRING
 
diff --git a/lib/pkix_asn1_tab.c b/lib/pkix_asn1_tab.c
index 1139a5f..bbba01f 100644
--- a/lib/pkix_asn1_tab.c
+++ b/lib/pkix_asn1_tab.c
@@ -478,6 +478,11 @@ const ASN1_ARRAY_TYPE pkix_asn1_tab[] = {
   { "crlValue", 541073421, NULL },
   { NULL, 1073743880, "0"},
   { "crlId", 1, NULL },
+  { "pkcs-12-SecretBag", 1610612741, NULL },
+  { "secretTypeId", 1073741836, NULL },
+  { "secretValue", 541073421, NULL },
+  { NULL, 1073743880, "0"},
+  { "secretTypeId", 1, NULL },
   { "pkcs-12-PKCS12Attribute", 1073741826, "Attribute"},
   { "pkcs-7-Data", 1073741831, NULL },
   { "pkcs-7-EncryptedData", 1610612741, NULL },
diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
index 3434e7f..6bfb402 100644
--- a/lib/x509/pkcs12.c
+++ b/lib/x509/pkcs12.c
@@ -301,6 +301,8 @@ oid2bag (const char *oid)
     return GNUTLS_BAG_CERTIFICATE;
   if (strcmp (oid, BAG_CRL) == 0)
     return GNUTLS_BAG_CRL;
+  if (strcmp (oid, BAG_SECRET) == 0)
+    return GNUTLS_BAG_SECRET;
 
   return GNUTLS_BAG_UNKNOWN;
 }
@@ -318,6 +320,8 @@ bag_to_oid (int bag)
       return BAG_CERTIFICATE;
     case GNUTLS_BAG_CRL:
       return BAG_CRL;
+    case GNUTLS_BAG_SECRET:
+      return BAG_SECRET;
     }
   return NULL;
 }
@@ -423,7 +427,7 @@ _pkcs12_decode_safe_contents (const gnutls_datum_t * 
content,
          goto cleanup;
        }
 
-      if (bag_type == GNUTLS_BAG_CERTIFICATE || bag_type == GNUTLS_BAG_CRL)
+      if (bag_type == GNUTLS_BAG_CERTIFICATE || bag_type == GNUTLS_BAG_CRL || 
bag_type == GNUTLS_BAG_SECRET)
        {
          gnutls_datum_t tmp = bag->element[i].data;
 
@@ -1276,6 +1280,7 @@ _pkcs12_encode_safe_contents (gnutls_pkcs12_bag_t bag, 
ASN1_TYPE * contents,
        */
 
       if (bag->element[i].type == GNUTLS_BAG_CERTIFICATE ||
+         bag->element[i].type == GNUTLS_BAG_SECRET ||
          bag->element[i].type == GNUTLS_BAG_CRL)
        {
          gnutls_datum_t tmp;
diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c
index 4e28348..9ed23af 100644
--- a/lib/x509/pkcs12_bag.c
+++ b/lib/x509/pkcs12_bag.c
@@ -173,6 +173,7 @@ gnutls_pkcs12_bag_get_data (gnutls_pkcs12_bag_t bag, int 
indx,
 
 #define X509_CERT_OID "1.2.840.113549.1.9.22.1"
 #define X509_CRL_OID  "1.2.840.113549.1.9.23.1"
+#define RANDOM_NONCE_OID "1.2.840.113549.1.9.25.3"
 
 int
 _pkcs12_decode_crt_bag (gnutls_pkcs12_bag_type_t type,
@@ -181,58 +182,90 @@ _pkcs12_decode_crt_bag (gnutls_pkcs12_bag_type_t type,
   int ret;
   ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
 
-  if (type == GNUTLS_BAG_CERTIFICATE)
+  switch(type)
     {
-      if ((ret = asn1_create_element (_gnutls_get_pkix (),
+      case GNUTLS_BAG_CERTIFICATE:
+        if ((ret = asn1_create_element (_gnutls_get_pkix (),
                                      "PKIX1.pkcs-12-CertBag",
                                      &c2)) != ASN1_SUCCESS)
-       {
-         gnutls_assert ();
-         ret = _gnutls_asn2err (ret);
-         goto cleanup;
-       }
-
-      ret = asn1_der_decoding (&c2, in->data, in->size, NULL);
-      if (ret != ASN1_SUCCESS)
-       {
-         gnutls_assert ();
-         ret = _gnutls_asn2err (ret);
-         goto cleanup;
-       }
-
-      ret = _gnutls_x509_read_value (c2, "certValue", out, 1);
-      if (ret < 0)
-       {
-         gnutls_assert ();
-         goto cleanup;
-       }
-
-    }
-  else
-    {                          /* CRL */
-      if ((ret = asn1_create_element (_gnutls_get_pkix (),
+         {
+           gnutls_assert ();
+           ret = _gnutls_asn2err (ret);
+           goto cleanup;
+         }
+
+        ret = asn1_der_decoding (&c2, in->data, in->size, NULL);
+        if (ret != ASN1_SUCCESS)
+         {
+           gnutls_assert ();
+           ret = _gnutls_asn2err (ret);
+           goto cleanup;
+         }
+
+        ret = _gnutls_x509_read_value (c2, "certValue", out, 1);
+        if (ret < 0)
+         {
+           gnutls_assert ();
+           goto cleanup;
+         }
+        break;
+
+      case GNUTLS_BAG_CRL:
+        if ((ret = asn1_create_element (_gnutls_get_pkix (),
                                      "PKIX1.pkcs-12-CRLBag",
                                      &c2)) != ASN1_SUCCESS)
-       {
-         gnutls_assert ();
-         ret = _gnutls_asn2err (ret);
-         goto cleanup;
-       }
-
-      ret = asn1_der_decoding (&c2, in->data, in->size, NULL);
-      if (ret != ASN1_SUCCESS)
-       {
-         gnutls_assert ();
-         ret = _gnutls_asn2err (ret);
-         goto cleanup;
-       }
-
-      ret = _gnutls_x509_read_value (c2, "crlValue", out, 1);
-      if (ret < 0)
-       {
-         gnutls_assert ();
-         goto cleanup;
-       }
+         {
+           gnutls_assert ();
+           ret = _gnutls_asn2err (ret);
+           goto cleanup;
+         }
+
+        ret = asn1_der_decoding (&c2, in->data, in->size, NULL);
+        if (ret != ASN1_SUCCESS)
+         {
+           gnutls_assert ();
+           ret = _gnutls_asn2err (ret);
+           goto cleanup;
+         }
+
+        ret = _gnutls_x509_read_value (c2, "crlValue", out, 1);
+        if (ret < 0)
+         {
+           gnutls_assert ();
+           goto cleanup;
+         }
+        break;
+
+      case GNUTLS_BAG_SECRET:
+        if ((ret = asn1_create_element (_gnutls_get_pkix (),
+                                     "PKIX1.pkcs-12-SecretBag",
+                                     &c2)) != ASN1_SUCCESS)
+         {
+           gnutls_assert ();
+           ret = _gnutls_asn2err (ret);
+           goto cleanup;
+         }
+
+        ret = asn1_der_decoding (&c2, in->data, in->size, NULL);
+        if (ret != ASN1_SUCCESS)
+         {
+           gnutls_assert ();
+           ret = _gnutls_asn2err (ret);
+           goto cleanup;
+         }
+
+        ret = _gnutls_x509_read_value (c2, "secretValue", out, 1);
+        if (ret < 0)
+         {
+           gnutls_assert ();
+           goto cleanup;
+         }
+        break;
+      
+      default:
+        gnutls_assert();
+        asn1_delete_structure (&c2);
+        return GNUTLS_E_UNIMPLEMENTED_FEATURE;
     }
 
   asn1_delete_structure (&c2);
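Review bot: The GNUTLS_BAG_SECRET case reads `secretValue` without first checking that `secretTypeId` is the RANDOM_NONCE_OID the encoder writes, so a SecretBag carrying any other type id is decoded and handed back to the caller as if it were a random key. Because secretValue is declared `ANY DEFINED BY secretTypeId`, the type id is what gives the value its meaning, and a bag produced under a different type id should be rejected rather than silently accepted; the certId/crlId cases have the same shape but predate this change. Reading the OID with asn1_read_value and comparing it against RANDOM_NONCE_OID before the read_value call closes the gap, as in the rewritten case below; the function's `cleanup:` label and final return lie outside the hunk. Separately, the new `default:` branch deletes c2 and returns directly instead of using the function's error path; c2 is still empty there so nothing leaks, but `ret = GNUTLS_E_UNIMPLEMENTED_FEATURE; goto cleanup;` keeps a single exit (the encode hunk below has the same branch).
```c
      case GNUTLS_BAG_SECRET:
        /* … unchanged: asn1_create_element and asn1_der_decoding of PKIX1.pkcs-12-SecretBag … */

        /* secretValue is ANY DEFINED BY secretTypeId; only the type id this
         * implementation writes (RANDOM_NONCE_OID) is understood, so reject
         * anything else instead of returning its contents as a key. */
        {
          char oid[128];        /* sized for the dotted OID strings this module handles */
          int oid_len = sizeof (oid);

          ret = asn1_read_value (c2, "secretTypeId", oid, &oid_len);
          if (ret != ASN1_SUCCESS)
            {
              gnutls_assert ();
              ret = _gnutls_asn2err (ret);
              goto cleanup;
            }

          if (strcmp (oid, RANDOM_NONCE_OID) != 0)
            {
              gnutls_assert ();
              ret = GNUTLS_E_UNIMPLEMENTED_FEATURE;
              goto cleanup;
            }
        }

        ret = _gnutls_x509_read_value (c2, "secretValue", out, 1);
        /* … unchanged: error check and break … */
```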
@@ -254,58 +287,90 @@ _pkcs12_encode_crt_bag (gnutls_pkcs12_bag_type_t type,
   int ret;
   ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
 
-  if (type == GNUTLS_BAG_CERTIFICATE)
+  switch(type)
     {
-      if ((ret = asn1_create_element (_gnutls_get_pkix (),
+      case GNUTLS_BAG_CERTIFICATE:
+        if ((ret = asn1_create_element (_gnutls_get_pkix (),
                                      "PKIX1.pkcs-12-CertBag",
                                      &c2)) != ASN1_SUCCESS)
-       {
-         gnutls_assert ();
-         ret = _gnutls_asn2err (ret);
-         goto cleanup;
-       }
-
-      ret = asn1_write_value (c2, "certId", X509_CERT_OID, 1);
-      if (ret != ASN1_SUCCESS)
-       {
-         gnutls_assert ();
-         ret = _gnutls_asn2err (ret);
-         goto cleanup;
-       }
-
-      ret = _gnutls_x509_write_value (c2, "certValue", raw, 1);
-      if (ret < 0)
-       {
-         gnutls_assert ();
-         goto cleanup;
-       }
-
-    }
-  else
-    {                          /* CRL */
-      if ((ret = asn1_create_element (_gnutls_get_pkix (),
+         {
+           gnutls_assert ();
+           ret = _gnutls_asn2err (ret);
+           goto cleanup;
+         }
+
+        ret = asn1_write_value (c2, "certId", X509_CERT_OID, 1);
+        if (ret != ASN1_SUCCESS)
+         {
+           gnutls_assert ();
+           ret = _gnutls_asn2err (ret);
+           goto cleanup;
+         }
+
+        ret = _gnutls_x509_write_value (c2, "certValue", raw, 1);
+        if (ret < 0)
+         {
+           gnutls_assert ();
+           goto cleanup;
+         }
+        break;
+      
+      case GNUTLS_BAG_CRL:
+        if ((ret = asn1_create_element (_gnutls_get_pkix (),
                                      "PKIX1.pkcs-12-CRLBag",
                                      &c2)) != ASN1_SUCCESS)
-       {
-         gnutls_assert ();
-         ret = _gnutls_asn2err (ret);
-         goto cleanup;
-       }
-
-      ret = asn1_write_value (c2, "crlId", X509_CRL_OID, 1);
-      if (ret != ASN1_SUCCESS)
-       {
-         gnutls_assert ();
-         ret = _gnutls_asn2err (ret);
-         goto cleanup;
-       }
-
-      ret = _gnutls_x509_write_value (c2, "crlValue", raw, 1);
-      if (ret < 0)
-       {
-         gnutls_assert ();
-         goto cleanup;
-       }
+         {
+           gnutls_assert ();
+           ret = _gnutls_asn2err (ret);
+           goto cleanup;
+         }
+
+        ret = asn1_write_value (c2, "crlId", X509_CRL_OID, 1);
+        if (ret != ASN1_SUCCESS)
+         {
+           gnutls_assert ();
+           ret = _gnutls_asn2err (ret);
+           goto cleanup;
+         }
+
+        ret = _gnutls_x509_write_value (c2, "crlValue", raw, 1);
+        if (ret < 0)
+         {
+           gnutls_assert ();
+           goto cleanup;
+         }
+        break;
+
+      case GNUTLS_BAG_SECRET:
+        if ((ret = asn1_create_element (_gnutls_get_pkix (),
+                                     "PKIX1.pkcs-12-SecretBag",
+                                     &c2)) != ASN1_SUCCESS)
+         {
+           gnutls_assert ();
+           ret = _gnutls_asn2err (ret);
+           goto cleanup;
+         }
+
+        ret = asn1_write_value (c2, "secretTypeId", RANDOM_NONCE_OID, 1);
+        if (ret != ASN1_SUCCESS)
+         {
+           gnutls_assert ();
+           ret = _gnutls_asn2err (ret);
+           goto cleanup;
+         }
+
+        ret = _gnutls_x509_write_value (c2, "secretValue", raw, 1);
+        if (ret < 0)
+         {
+           gnutls_assert ();
+           goto cleanup;
+         }
+        break;
+      
+      default:
+        gnutls_assert();
+        asn1_delete_structure (&c2);
+        return GNUTLS_E_UNIMPLEMENTED_FEATURE;
     }
 
   ret = _gnutls_x509_der_encode (c2, "", out, 0);
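Review bot: The three `case` arms of the new switch are the same twelve statements repeated with three strings changed (bag element name, id field name, id OID, value field name), which is ~60 duplicated lines and means every new bag type copies the block again. A small per-type table looked up once, as sketched below, leaves one copy of the create/write/write sequence and makes adding a type a one-line change; the table entries use only the names already in this hunk, and the existing `ret`/`c2` declarations stay as they are. The function's `cleanup:` label and return lie outside the hunk, and the `default:` arm here returns without passing through it, as noted on the decode hunk. The added lines at the hunk's `+      ` positions (after `break;`) contain only trailing whitespace and should be dropped.
```c
  /* Per-bag-type element names; the three bag types differ only in these. */
  static const struct
  {
    gnutls_pkcs12_bag_type_t type;
    const char *bag_name;
    const char *id_name;
    const char *id_oid;
    const char *value_name;
  } bags[] = {
    { GNUTLS_BAG_CERTIFICATE, "PKIX1.pkcs-12-CertBag", "certId", X509_CERT_OID, "certValue" },
    { GNUTLS_BAG_CRL, "PKIX1.pkcs-12-CRLBag", "crlId", X509_CRL_OID, "crlValue" },
    { GNUTLS_BAG_SECRET, "PKIX1.pkcs-12-SecretBag", "secretTypeId", RANDOM_NONCE_OID, "secretValue" },
  };
  const size_t nbags = sizeof bags / sizeof bags[0];
  size_t i;

  for (i = 0; i < nbags && bags[i].type != type; i++)
    ;
  if (i == nbags)
    {
      gnutls_assert ();
      ret = GNUTLS_E_UNIMPLEMENTED_FEATURE;
      goto cleanup;
    }

  if ((ret = asn1_create_element (_gnutls_get_pkix (), bags[i].bag_name,
                                  &c2)) != ASN1_SUCCESS)
    {
      gnutls_assert ();
      ret = _gnutls_asn2err (ret);
      goto cleanup;
    }

  ret = asn1_write_value (c2, bags[i].id_name, bags[i].id_oid, 1);
  /* … unchanged: ASN1_SUCCESS check … */

  ret = _gnutls_x509_write_value (c2, bags[i].value_name, raw, 1);
  /* … unchanged: ret < 0 check … */
```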
diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h
index dac7b1f..c749123 100644
--- a/lib/x509/x509_int.h
+++ b/lib/x509/x509_int.h
@@ -328,6 +328,7 @@ typedef struct gnutls_pkcs12_bag_int
 #define BAG_PKCS8_ENCRYPTED_KEY "1.2.840.113549.1.12.10.1.2"
 #define BAG_CERTIFICATE "1.2.840.113549.1.12.10.1.3"
 #define BAG_CRL "1.2.840.113549.1.12.10.1.4"
+#define BAG_SECRET "1.2.840.113549.1.12.10.1.5"
 
 /* PKCS #7
  */
diff --git a/src/certtool.c b/src/certtool.c
index ae61a8e..97647ea 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -2646,6 +2646,8 @@ BAGTYPE (gnutls_pkcs12_bag_type_t x)
       return "Encrypted";
     case GNUTLS_BAG_CRL:
       return "CRL";
+    case GNUTLS_BAG_SECRET:
+      return "Secret";
     default:
       return "Unknown";
     }


hooks/post-receive
-- 
GNU gnutls



