Implement stapled certificate extensions internally

* Use stapled certificate extensions to represent loaded trust policy * Build NSS trust objects from stapled certificate extensions * Add further attribute debugging for NSS trust objects * Use a custom certificate extension for the OpenSSL reject purpose data * Use SubjectKeyIdentifier for OpenSSL keyid data * Use ExtendedKeyUsage for OpenSSL trust purpose data * Implement simple way to handle binary DER OIDs, using the DER TLV length. DER OIDs are used in the CKA_OBJECT_ID value, and elsewhere. * Split out the building of NSS trust objects from the main parser
author: Stef Walter <stefw@gnome.org> 2013-01-02 16:06:19 +0100
committer: Stef Walter <stefw@gnome.org> 2013-02-05 14:54:53 +0100
commit: 18bb2582c32f4373f7ed85894fb490f2733cb03b (patch)
tree: 3ecdcbc5451beb67e095ebaf0f233cdfd680ad94 /common/tests
parent: 3b482acc47ba971406db526ebddf589ad1a8f16e (diff)
4 files changed, 244 insertions, 19 deletions
diff --git a/common/tests/Makefile.am b/common/tests/Makefile.am
index ac2ab38..94c6556 100644
--- a/common/tests/Makefile.am
+++ b/common/tests/Makefile.am
@@ -36,12 +36,14 @@ LDADD += \
 CHECK_PROGS += \
 	test-checksum \
 	test-pem \
+	test-oid \
 	$(NULL)
 
 noinst_PROGRAMS += \
 	frob-ku \
 	frob-eku \
 	frob-cert \
+	frob-oid \
 	$(NULL)
 
 endif # WITH_ASN1
diff --git a/common/tests/frob-ku.c b/common/tests/frob-ku.c
index c0abd88..00d45c6 100644
--- a/common/tests/frob-ku.c
+++ b/common/tests/frob-ku.c
@@ -35,6 +35,8 @@
 #include "config.h"
 #include "compat.h"
 
+#include "oid.h"
+
 #include <libtasn1.h>
 
 #include <assert.h>
@@ -50,18 +52,6 @@
 		exit (1); \
 	} } while (0)
 
-enum {
-	KU_DIGITAL_SIGNATURE = 128,
-	KU_NON_REPUDIATION = 64,
-	KU_KEY_ENCIPHERMENT = 32,
-	KU_DATA_ENCIPHERMENT = 16,
-	KU_KEY_AGREEMENT = 8,
-	KU_KEY_CERT_SIGN = 4,
-	KU_CRL_SIGN = 2,
-	KU_ENCIPHER_ONLY = 1,
-	KU_DECIPHER_ONLY = 32768,
-};
-
 int
 main (int argc,
       char *argv[])
@@ -78,19 +68,19 @@ main (int argc,
 
 	for (i = 1; i < argc; i++) {
 		if (strcmp (argv[i], "digital-signature") == 0)
-			usage |= KU_DIGITAL_SIGNATURE;
+			usage |= P11_KU_DIGITAL_SIGNATURE;
 		else if (strcmp (argv[i], "non-repudiation") == 0)
-			usage |= KU_NON_REPUDIATION;
+			usage |= P11_KU_NON_REPUDIATION;
 		else if (strcmp (argv[i], "key-encipherment") == 0)
-			usage |= KU_KEY_ENCIPHERMENT;
+			usage |= P11_KU_KEY_ENCIPHERMENT;
 		else if (strcmp (argv[i], "data-encipherment") == 0)
-			usage |= KU_DATA_ENCIPHERMENT;
+			usage |= P11_KU_DATA_ENCIPHERMENT;
 		else if (strcmp (argv[i], "key-agreement") == 0)
-			usage |= KU_KEY_AGREEMENT;
+			usage |= P11_KU_KEY_AGREEMENT;
 		else if (strcmp (argv[i], "key-cert-sign") == 0)
-			usage |= KU_KEY_CERT_SIGN;
+			usage |= P11_KU_KEY_CERT_SIGN;
 		else if (strcmp (argv[i], "crl-sign") == 0)
-			usage |= KU_CRL_SIGN;
+			usage |= P11_KU_CRL_SIGN;
 		else {
 			fprintf (stderr, "unsupported or unknown key usage: %s\n", argv[i]);
 			return 2;
diff --git a/common/tests/frob-oid.c b/common/tests/frob-oid.c
new file mode 100644
index 0000000..b4c7658
--- /dev/null
+++ b/common/tests/frob-oid.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 2012 Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *     * Redistributions of source code must retain the above
+ *       copyright notice, this list of conditions and the
+ *       following disclaimer.
+ *     * Redistributions in binary form must reproduce the
+ *       above copyright notice, this list of conditions and
+ *       the following disclaimer in the documentation and/or
+ *       other materials provided with the distribution.
+ *     * The names of contributors to this software may not be
+ *       used to endorse or promote products derived from this
+ *       software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@gnome.org>
+ */
+
+#include "config.h"
+#include "compat.h"
+
+#include <libtasn1.h>
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "pkix.asn.h"
+
+#define err_if_fail(ret, msg) \
+	do { if ((ret) != ASN1_SUCCESS) { \
+		fprintf (stderr, "%s: %s\n", msg, asn1_strerror (ret)); \
+		exit (1); \
+	} } while (0)
+int
+main (int argc,
+      char *argv[])
+{
+	char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = { 0, };
+	node_asn *definitions = NULL;
+	node_asn *oid = NULL;
+	char *buf;
+	int len;
+	int ret;
+
+	if (argc != 2) {
+		fprintf (stderr, "usage: frob-oid 1.1.1\n");
+		return 2;
+	}
+
+	ret = asn1_array2tree (pkix_asn1_tab, &definitions, message);
+	if (ret != ASN1_SUCCESS) {
+		fprintf (stderr, "definitions: %s\n", message);
+		return 1;
+	}
+
+	/* AttributeType is a OBJECT IDENTIFIER */
+	ret = asn1_create_element (definitions, "PKIX1.AttributeType", &oid);
+	err_if_fail (ret, "AttributeType");
+
+	ret = asn1_write_value (oid, "", argv[1], strlen (argv[1]));
+	err_if_fail (ret, "asn1_write_value");
+
+	len = 0;
+	ret = asn1_der_coding (oid, "", NULL, &len, message);
+	assert (ret == ASN1_MEM_ERROR);
+
+	buf = malloc (len);
+	assert (buf != NULL);
+	ret = asn1_der_coding (oid, "", buf, &len, message);
+	if (ret != ASN1_SUCCESS) {
+		fprintf (stderr, "asn1_der_coding: %s\n", message);
+		return 1;
+	}
+
+	fwrite (buf, 1, len, stdout);
+	fflush (stdout);
+
+	asn1_delete_structure (&oid);
+	asn1_delete_structure (&definitions);
+
+	return 0;
+}
diff --git a/common/tests/test-oid.c b/common/tests/test-oid.c
new file mode 100644
index 0000000..616512b
--- /dev/null
+++ b/common/tests/test-oid.c
@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 2012 Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *     * Redistributions of source code must retain the above
+ *       copyright notice, this list of conditions and the
+ *       following disclaimer.
+ *     * Redistributions in binary form must reproduce the
+ *       above copyright notice, this list of conditions and
+ *       the following disclaimer in the documentation and/or
+ *       other materials provided with the distribution.
+ *     * The names of contributors to this software may not be
+ *       used to endorse or promote products derived from this
+ *       software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@gnome.org>
+ */
+
+#include "config.h"
+#include "CuTest.h"
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "debug.h"
+#include "oid.h"
+
+#include <libtasn1.h>
+
+#include "pkix.asn.h"
+
+static void
+test_known_oids (CuTest *cu)
+{
+	char buffer[128];
+	node_asn *definitions = NULL;
+	node_asn *node;
+	int ret;
+	int len;
+	int i;
+
+	struct {
+		const unsigned char *oid;
+		size_t length;
+		const char *string;
+	} known_oids[] = {
+		{ P11_OID_SUBJECT_KEY_IDENTIFIER, sizeof (P11_OID_SUBJECT_KEY_IDENTIFIER), "2.5.29.14", },
+		{ P11_OID_KEY_USAGE, sizeof (P11_OID_KEY_USAGE), "2.5.29.15", },
+		{ P11_OID_BASIC_CONSTRAINTS, sizeof (P11_OID_BASIC_CONSTRAINTS), "2.5.29.19" },
+		{ P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE), "2.5.29.37" },
+		{ P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT), "1.3.6.1.4.1.3319.6.10.1" },
+		{ P11_OID_SERVER_AUTH, sizeof (P11_OID_SERVER_AUTH), "1.3.6.1.5.5.7.3.1", },
+		{ P11_OID_CLIENT_AUTH, sizeof (P11_OID_CLIENT_AUTH), "1.3.6.1.5.5.7.3.2", },
+		{ P11_OID_CODE_SIGNING, sizeof (P11_OID_CODE_SIGNING), "1.3.6.1.5.5.7.3.3", },
+		{ P11_OID_EMAIL_PROTECTION, sizeof (P11_OID_EMAIL_PROTECTION), "1.3.6.1.5.5.7.3.4", },
+		{ P11_OID_IPSEC_END_SYSTEM, sizeof (P11_OID_IPSEC_END_SYSTEM), "1.3.6.1.5.5.7.3.5", },
+		{ P11_OID_IPSEC_TUNNEL, sizeof (P11_OID_IPSEC_TUNNEL), "1.3.6.1.5.5.7.3.6", },
+		{ P11_OID_IPSEC_USER, sizeof (P11_OID_IPSEC_USER), "1.3.6.1.5.5.7.3.7" },
+		{ P11_OID_TIME_STAMPING, sizeof (P11_OID_TIME_STAMPING), "1.3.6.1.5.5.7.3.8" },
+		{ P11_OID_RESERVED_PURPOSE, sizeof (P11_OID_RESERVED_PURPOSE), "1.3.6.1.4.1.3319.6.10.16" },
+		{ NULL },
+	};
+
+	ret = asn1_array2tree (pkix_asn1_tab, &definitions, NULL);
+	CuAssertTrue (cu, ret == ASN1_SUCCESS);
+
+	for (i = 0; known_oids[i].oid != NULL; i++) {
+
+		CuAssertTrue (cu, p11_oid_simple (known_oids[i].oid, known_oids[i].length));
+		CuAssertIntEquals (cu, known_oids[i].length, p11_oid_length (known_oids[i].oid));
+		CuAssertTrue (cu, p11_oid_equal (known_oids[i].oid, known_oids[i].oid));
+
+		if (i > 0)
+			CuAssertTrue (cu, !p11_oid_equal (known_oids[i].oid, known_oids[i - 1].oid));
+
+		/* AttributeType is a OBJECT IDENTIFIER */
+		ret = asn1_create_element (definitions, "PKIX1.AttributeType", &node);
+		CuAssertTrue (cu, ret == ASN1_SUCCESS);
+
+		ret = asn1_der_decoding (&node, known_oids[i].oid, known_oids[i].length, NULL);
+		CuAssertTrue (cu, ret == ASN1_SUCCESS);
+
+		len = sizeof (buffer);
+		ret = asn1_read_value (node, "", buffer, &len);
+		CuAssertTrue (cu, ret == ASN1_SUCCESS);
+
+		CuAssertStrEquals (cu, known_oids[i].string, buffer);
+
+		asn1_delete_structure (&node);
+	}
+
+	asn1_delete_structure (&definitions);
+}
+
+int
+main (void)
+{
+	CuString *output = CuStringNew ();
+	CuSuite* suite = CuSuiteNew ();
+	int ret;
+
+	setenv ("P11_KIT_STRICT", "1", 1);
+	p11_debug_init ();
+
+	SUITE_ADD_TEST (suite, test_known_oids);
+
+	CuSuiteRun (suite);
+	CuSuiteSummary (suite, output);
+	CuSuiteDetails (suite, output);
+	printf ("%s\n", output->buffer);
+	ret = suite->failCount;
+	CuSuiteDelete (suite);
+	CuStringDelete (output);
+
+	return ret;
+}
author	Stef Walter <stefw@gnome.org>	2013-01-02 16:06:19 +0100
committer	Stef Walter <stefw@gnome.org>	2013-02-05 14:54:53 +0100
commit	18bb2582c32f4373f7ed85894fb490f2733cb03b (patch)
tree	3ecdcbc5451beb67e095ebaf0f233cdfd680ad94 /common/tests
parent	3b482acc47ba971406db526ebddf589ad1a8f16e (diff)