Check-in [b957a3fa2e]
Overview
Comment:Updated to allow the user to specify (via environment variables) whether or not to include the DoD certificates on the hardware slot tokens
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | dodcerts-on-seperate-slot
Files: files | file ages | folders
SHA1:b957a3fa2eb1a0b34e41ce4381477de4923a414d
User & Date: rkeene on 2012-07-21 06:50:25
Other Links: manifest | tags
Context
2012-07-21
06:54
Updated test for --enable-dod-certs-on-hw-slots configure option check-in: ba2bf716e9 user: rkeene tags: dodcerts-on-seperate-slot
06:50
Updated to allow the user to specify (via environment variables) whether or not to include the DoD certificates on the hardware slot tokens check-in: b957a3fa2e user: rkeene tags: dodcerts-on-seperate-slot
06:19
Protected access to cackey_slots with mutex check-in: 90faf75892 user: rkeene tags: dodcerts-on-seperate-slot
Changes

Modified cackey.c from [8e07ff4bd1] to [0661f619de].

  3408   3408   
  3409   3409   			cackey_free_certs(identities[id_idx].pcsc_identity, 1, 1);
  3410   3410   		}
  3411   3411   	}
  3412   3412   
  3413   3413   	free(identities);
  3414   3414   }
         3415  +
         3416  +static unsigned long cackey_read_dod_identities(struct cackey_identity *identities, unsigned long id_idx, unsigned long num_dod_certs) {
         3417  +	unsigned long cert_idx;
         3418  +
         3419  +	for (cert_idx = 0; cert_idx < num_dod_certs; cert_idx++) {
         3420  +		identities[id_idx].pcsc_identity = NULL;
         3421  +		identities[id_idx].attributes = cackey_get_attributes(CKO_CERTIFICATE, &extra_certs[cert_idx], 0xf000 | cert_idx, &identities[id_idx].attributes_count);
         3422  +		id_idx++;
         3423  +
         3424  +		identities[id_idx].pcsc_identity = NULL;
         3425  +		identities[id_idx].attributes = cackey_get_attributes(CKO_PUBLIC_KEY, &extra_certs[cert_idx], 0xf000 | cert_idx, &identities[id_idx].attributes_count);
         3426  +		id_idx++;
         3427  +
         3428  +		identities[id_idx].pcsc_identity = NULL;
         3429  +		identities[id_idx].attributes = cackey_get_attributes(CKO_NETSCAPE_TRUST, &extra_certs[cert_idx], 0xf000 | cert_idx, &identities[id_idx].attributes_count);
         3430  +		id_idx++;
         3431  +	}
         3432  +
         3433  +	return(id_idx);
         3434  +}
  3415   3435   
  3416   3436   static struct cackey_identity *cackey_read_identities(struct cackey_slot *slot, unsigned long *ids_found) {
  3417   3437   	struct cackey_pcsc_identity *pcsc_identities;
  3418   3438   	struct cackey_identity *identities;
  3419   3439   	unsigned long num_ids, id_idx, curr_id_type;
  3420   3440   	unsigned long num_certs, num_dod_certs, cert_idx;
         3441  +	int include_extra_certs = 0;
  3421   3442   
  3422   3443   	CACKEY_DEBUG_PRINTF("Called.");
  3423   3444   
  3424   3445   	if (ids_found == NULL) {
  3425   3446   		CACKEY_DEBUG_PRINTF("Error.  ids_found is NULL");
  3426   3447   
  3427   3448   		return(NULL);
  3428   3449   	}
  3429   3450   
  3430         -	if (slot->internal) {
  3431         -		/* Add DoD Certificates and Netscape Trust Objects */
         3451  +#ifdef CACKEY_CARD_SLOT_INCLUDE_EXTRA_CERTS
         3452  +	include_extra_certs = 1;
         3453  +#endif
         3454  +
         3455  +	if (getenv("CACKEY_DOD_CERTS_ON_HW_SLOTS") != NULL) {
         3456  +		include_extra_certs = 1;
         3457  +	}
         3458  +
         3459  +	if (getenv("CACKEY_NO_DOD_CERTS_ON_HW_SLOTS") != NULL) {
         3460  +		include_extra_certs = 0;
         3461  +	}
         3462  +
         3463  +	if (getenv("CACKEY_NO_EXTRA_CERTS") != NULL) {
         3464  +		num_dod_certs = 0;
         3465  +	} else {
  3432   3466   		num_dod_certs = sizeof(extra_certs) / sizeof(extra_certs[0]);
         3467  +	}
  3433   3468   
  3434         -		num_ids = num_dod_certs * 3;
         3469  +	if (slot->internal) {
         3470  +		num_ids = num_dod_certs;
  3435   3471   
  3436         -		identities = malloc(num_ids * sizeof(*identities));
         3472  +		if (num_ids != 0) {
         3473  +			identities = malloc(num_ids * sizeof(*identities));
  3437   3474   
  3438         -		id_idx = 0;
  3439         -		for (cert_idx = 0; cert_idx < num_dod_certs; cert_idx++) {
  3440         -			identities[id_idx].pcsc_identity = NULL;
  3441         -			identities[id_idx].attributes = cackey_get_attributes(CKO_CERTIFICATE, &extra_certs[cert_idx], 0xf000 | cert_idx, &identities[id_idx].attributes_count);
  3442         -			id_idx++;
  3443         -
  3444         -			identities[id_idx].pcsc_identity = NULL;
  3445         -			identities[id_idx].attributes = cackey_get_attributes(CKO_PUBLIC_KEY, &extra_certs[cert_idx], 0xf000 | cert_idx, &identities[id_idx].attributes_count);
  3446         -			id_idx++;
  3447         -
  3448         -			identities[id_idx].pcsc_identity = NULL;
  3449         -			identities[id_idx].attributes = cackey_get_attributes(CKO_NETSCAPE_TRUST, &extra_certs[cert_idx], 0xf000 | cert_idx, &identities[id_idx].attributes_count);
  3450         -			id_idx++;
         3475  +			cackey_read_dod_identities(identities, 0, num_dod_certs);
         3476  +		} else {
         3477  +			identities = NULL;
  3451   3478   		}
  3452   3479   
  3453   3480   		*ids_found = num_ids;
  3454   3481   
  3455   3482   		return(identities);
  3456   3483   	}
  3457   3484   
  3458   3485   	pcsc_identities = cackey_read_certs(slot, NULL, &num_certs);
  3459   3486   	if (pcsc_identities != NULL) {
  3460   3487   		/* Convert number of Certs to number of objects */
  3461   3488   		num_ids = (CKO_PRIVATE_KEY - CKO_CERTIFICATE + 1) * num_certs;
         3489  +
         3490  +		if (include_extra_certs) {
         3491  +			num_ids += num_dod_certs;
         3492  +		}
  3462   3493   
  3463   3494   		identities = malloc(num_ids * sizeof(*identities));
  3464   3495   
  3465   3496   		/* Add certificates, public keys, and private keys from the smartcard */
  3466   3497   		id_idx = 0;
  3467   3498   		for (cert_idx = 0; cert_idx < num_certs; cert_idx++) {
  3468   3499   			for (curr_id_type = CKO_CERTIFICATE; curr_id_type <= CKO_PRIVATE_KEY; curr_id_type++) {
................................................................................
  3473   3504   
  3474   3505   				identities[id_idx].pcsc_identity->certificate = malloc(pcsc_identities[cert_idx].certificate_len);
  3475   3506   				memcpy(identities[id_idx].pcsc_identity->certificate, pcsc_identities[cert_idx].certificate, pcsc_identities[cert_idx].certificate_len);
  3476   3507   
  3477   3508   				id_idx++;
  3478   3509   			}
  3479   3510   		}
         3511  +
         3512  +		if (include_extra_certs) {
         3513  +			CACKEY_DEBUG_PRINTF("Including DoD Certificates on hardware slot");
         3514  +
         3515  +			cackey_read_dod_identities(identities, id_idx, num_dod_certs);
         3516  +		}
  3480   3517   
  3481   3518   		cackey_free_certs(pcsc_identities, num_certs, 1);
  3482   3519   
  3483   3520   		*ids_found = num_ids;
  3484   3521   
  3485   3522   		return(identities);
  3486   3523   	}
         3524  +
  3487   3525   
  3488   3526   	*ids_found = 0;
  3489   3527   	return(NULL);
  3490   3528   }
  3491   3529   
  3492   3530   CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
  3493   3531   	CK_C_INITIALIZE_ARGS CK_PTR args;

Modified configure.ac from [8952b0e3fb] to [86141e7a07].

   138    138   		AC_MSG_RESULT(okay)
   139    139   	], [
   140    140   		AC_MSG_RESULT(failed)
   141    141   
   142    142   		AC_MSG_FAILURE([simple PC/SC program failed])
   143    143   	]
   144    144   )
          145  +
          146  +dnl Option to enable DoD certs on hardware slot
          147  +AC_ARG_ENABLE(dod-certs-on-hw-slots, AC_HELP_STRING([--enable-dod-certs-on-hw-slots], [Specify that DoD certificates should be made available on hardware token slots]), [
          148  +	AC_DEFINE(CACKEY_CARD_SLOT_INCLUDE_EXTRA_CERTS, [1], [Specify that DoD certificates should be made available on hardware token slots])
          149  +])
   145    150   
   146    151   dnl Set version script, to limit the scope of symbols
   147    152   DC_SETVERSIONSCRIPT(libcackey.vers, libcackey.syms)
   148    153   
   149    154   dnl Upate LDFLAGS to include setting the run-time linker path to the same as our compile-time linker
   150    155   DC_SYNC_RPATH
   151    156   
   152    157   dnl If we updated LIBOBJS, update SHLIBOBJS -- must be last.
   153    158   DC_SYNC_SHLIBOBJS
   154    159   
   155    160   dnl Produce Makefile
   156    161   AC_OUTPUT(Makefile libcackey.syms)