summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStef Walter <stef@thewalter.net>2013-09-13 12:24:35 +0200
committerStef Walter <stef@thewalter.net>2013-10-14 15:17:22 +0200
commit5ed8c3d3ede6ef30e4b5a40db1438dd6231d5088 (patch)
treed7c07ed7a0fa4d9f9486b4049284a09dcef3c84f
parentbeb377f7479e834366be60dc6c1da2e53278e091 (diff)
trust: Check for race in BasicConstraints stapled extension
Related to the following bug: https://bugs.freedesktop.org/show_bug.cgi?id=69314
-rw-r--r--trust/tests/test-builder.c49
1 files changed, 49 insertions, 0 deletions
diff --git a/trust/tests/test-builder.c b/trust/tests/test-builder.c
index 5c3c15b..29bac07 100644
--- a/trust/tests/test-builder.c
+++ b/trust/tests/test-builder.c
@@ -422,6 +422,8 @@ test_build_certificate_staple_ca (void)
CK_ATTRIBUTE *extra;
CK_RV rv;
+ /* Adding the stapled extension *first*, and then the certificate */
+
/* Add a stapled certificate */
rv = p11_index_add (test.index, stapled, 4, NULL);
assert_num_eq (CKR_OK, rv);
@@ -443,6 +445,52 @@ test_build_certificate_staple_ca (void)
}
static void
+test_build_certificate_staple_ca_backwards (void)
+{
+ CK_ULONG category = 2; /* CA */
+
+ CK_ATTRIBUTE stapled[] = {
+ { CKA_CLASS, &certificate_extension, sizeof (certificate_extension) },
+ { CKA_OBJECT_ID, (void *)P11_OID_BASIC_CONSTRAINTS, sizeof (P11_OID_BASIC_CONSTRAINTS) },
+ { CKA_VALUE, "\x30\x0f\x06\x03\x55\x1d\x13\x01\x01\xff\x04\x05\x30\x03\x01\x01\xff", 17 },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)entrust_public_key, sizeof (entrust_public_key) },
+ { CKA_INVALID },
+ };
+
+ CK_ATTRIBUTE input[] = {
+ { CKA_CLASS, &certificate, sizeof (certificate) },
+ { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) },
+ { CKA_VALUE, (void *)entrust_pretend_ca, sizeof (entrust_pretend_ca) },
+ { CKA_INVALID },
+ };
+
+ CK_ATTRIBUTE expected[] = {
+ { CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) },
+ { CKA_INVALID },
+ };
+
+ CK_RV rv;
+ CK_ATTRIBUTE *attrs;
+ CK_OBJECT_HANDLE handle;
+
+ /* Adding the certificate *first*, and then the stapled extension */
+
+ rv = p11_index_add (test.index, input, 4, &handle);
+ assert_num_eq (CKR_OK, rv);
+
+ /* Add a stapled certificate */
+ rv = p11_index_add (test.index, stapled, 4, NULL);
+ assert_num_eq (CKR_OK, rv);
+
+ /*
+ * Even though the certificate is not a valid CA, the presence of the
+ * stapled certificate extension transforms it into a CA.
+ */
+ attrs = p11_index_lookup (test.index, handle);
+ test_check_attrs (expected, attrs);
+}
+
+static void
test_build_certificate_no_type (void)
{
CK_ATTRIBUTE input[] = {
@@ -2142,6 +2190,7 @@ main (int argc,
p11_test (test_build_certificate_non_ca, "/builder/build_certificate_non_ca");
p11_test (test_build_certificate_v1_ca, "/builder/build_certificate_v1_ca");
p11_test (test_build_certificate_staple_ca, "/builder/build_certificate_staple_ca");
+ p11_test (test_build_certificate_staple_ca_backwards, "/builder/build-certificate-staple-ca-backwards");
p11_test (test_build_certificate_no_type, "/builder/build_certificate_no_type");
p11_test (test_build_certificate_bad_type, "/builder/build_certificate_bad_type");
p11_test (test_build_extension, "/builder/build_extension");