diff --git a/src/libp11-int.h b/src/libp11-int.h index 2de57bb6..08262bb9 100644 --- a/src/libp11-int.h +++ b/src/libp11-int.h @@ -48,7 +48,7 @@ struct pkcs11_ctx_private { CK_FUNCTION_LIST_PTR method; void *handle; char *init_args; - struct _CK_VERSION cryptoki_version; + CK_VERSION cryptoki_version; UI_METHOD *ui_method; /* UI_METHOD for CKU_CONTEXT_SPECIFIC PINs */ void *ui_user_data; unsigned int forkid; diff --git a/src/p11_cert.c b/src/p11_cert.c index 17f7ee9d..1791592e 100644 --- a/src/p11_cert.c +++ b/src/p11_cert.c @@ -30,7 +30,6 @@ static int pkcs11_find_certs(PKCS11_SLOT_private *, PKCS11_TEMPLATE *, CK_SESSIO static int pkcs11_next_cert(PKCS11_CTX_private *, PKCS11_SLOT_private *, CK_SESSION_HANDLE); static int pkcs11_init_cert(PKCS11_SLOT_private *token, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE o, PKCS11_CERT **); -static int is_version_ge(CK_VERSION version, CK_VERSION target); /* * Enumerate all certs matching with cert_template on the card @@ -201,15 +200,14 @@ int pkcs11_store_certificate(PKCS11_SLOT_private *slot, X509 *x509, char *label, CK_SESSION_HANDLE session; CK_OBJECT_HANDLE object; int rv, r = -1; - PKCS11_TEMPLATE tmpl = {0}; - CK_OBJECT_CLASS class_certificate = CKO_CERTIFICATE; - CK_CERTIFICATE_TYPE certificate_x509 = CKC_X_509; - int signature_nid; int evp_md_nid = NID_sha1; const EVP_MD* evp_md; unsigned char md[EVP_MAX_MD_SIZE]; unsigned int md_len; + PKCS11_TEMPLATE tmpl = {0}; + CK_OBJECT_CLASS class_certificate = CKO_CERTIFICATE; + CK_CERTIFICATE_TYPE certificate_x509 = CKC_X_509; CK_MECHANISM_TYPE ckm_md; /* First, make sure we have a session */ 
@@ -225,10 +223,12 @@ int pkcs11_store_certificate(PKCS11_SLOT_private *slot, X509 *x509, char *label, pkcs11_addattr_obj(&tmpl, CKA_ISSUER, (pkcs11_i2d_fn)i2d_X509_NAME, X509_get_issuer_name(x509)); - /* CKA_NAME_HASH_ALGORITHM was added in Cryptoki 2.30; older - * versions of PKCS#11 modules should not touch this attribute or - * any other attributes related to it */ - if (is_version_ge(ctx->cryptoki_version, (CK_VERSION){2, 30})) { + /* Get digest algorithm from x509 certificate */ + /* CKA_NAME_HASH_ALGORITHM was added in Cryptoki 2.30; + * older versions of PKCS#11 modules should not touch + * this attribute or any other related attributes */ + if (ctx->cryptoki_version.major > 2 || + (ctx->cryptoki_version.major == 2 && ctx->cryptoki_version.minor >= 30)) { /* Get digest algorithm from x509 certificate */ #if OPENSSL_VERSION_NUMBER >= 0x10002000L || ( defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3050000fL ) signature_nid = X509_get_signature_nid(x509); @@ -275,7 +275,7 @@ int pkcs11_store_certificate(PKCS11_SLOT_private *slot, X509 *x509, char *label, /* Set hash algorithm; default is SHA-1 */ pkcs11_addattr_var(&tmpl, CKA_NAME_HASH_ALGORITHM, ckm_md); - if (X509_pubkey_digest(x509,evp_md,md,&md_len)) + if (X509_pubkey_digest(x509, evp_md, md, &md_len)) pkcs11_addattr(&tmpl, CKA_HASH_OF_SUBJECT_PUBLIC_KEY, md, md_len); } @@ -301,15 +301,4 @@ int pkcs11_store_certificate(PKCS11_SLOT_private *slot, X509 *x509, char *label, return r; } -/** - * Compare two CK_VERSION(s). - * - * Return 1 if version is greater or equal with the target version. - * Return 0, otherwise. - */ -int is_version_ge(CK_VERSION version, CK_VERSION target) { - return version.major > target.major || - (version.major == target.major && version.minor >= target.minor); -} - /* vim: set noexpandtab: */
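Review bot: The added `/* Get digest algorithm from x509 certificate */` line above the version check in pkcs11_store_certificate duplicates the identical comment that is still the first line inside the `if` block, and in its new position it precedes the CKA_NAME_HASH_ALGORITHM comment rather than the code it describes; I would drop the added copy. The open-coded condition matches the removed is_version_ge() for a 2.30 target, but it alone now decides whether CKA_NAME_HASH_ALGORITHM and CKA_HASH_OF_SUBJECT_PUBLIC_KEY go into the template. A `cryptoki_version` that was never filled in (all zero) would skip both attributes without any indication. Where the field is populated is not visible in this diff, so it is worth a short comment such as `/* cryptoki_version is reported by the module; 0.0 means unknown and is treated as pre-2.30 */` once that is confirmed. The function body starts and ends outside this hunk.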