Implement stapled certificate extensions internally

 * Use stapled certificate extensions to represent loaded trust policy
 * Build NSS trust objects from stapled certificate extensions
 * Add further attribute debugging for NSS trust objects
 * Use a custom certificate extension for the OpenSSL reject purpose data
 * Use SubjectKeyIdentifier for OpenSSL keyid data
 * Use ExtendedKeyUsage for OpenSSL trust purpose data
 * Implement simple way to handle binary DER OIDs, using the DER TLV
   length. DER OIDs are used in the CKA_OBJECT_ID value, and elsewhere.
 * Split out the building of NSS trust objects from the main parser

9 files changed, 556 insertions, 21 deletions

diff --git a/common/Makefile.am b/common/Makefile.am
index d527e95..bed4630 100644
--- a/common/Makefile.am
+++ b/common/Makefile.am
@@ -41,6 +41,7 @@ noinst_LTLIBRARIES += \
 libp11_data_la_SOURCES = \
 	base64.c base64.h \
 	checksum.c checksum.h \
+	oid.c oid.h \
 	openssl.asn openssl.asn.h \
 	pem.c pem.h \
 	pkix.asn pkix.asn.h \
diff --git a/common/compat.c b/common/compat.c
index 74fb130..b917cfa 100644
--- a/common/compat.c
+++ b/common/compat.c
@@ -255,7 +255,7 @@ strnstr (const char *s,
 #ifndef HAVE_MEMDUP
 
 void *
-memdup (void *data,
+memdup (const void *data,
         size_t length)
 {
 	void *dup;
diff --git a/common/compat.h b/common/compat.h
index 68786a7..7f848d2 100644
--- a/common/compat.h
+++ b/common/compat.h
@@ -183,7 +183,7 @@ char *     strnstr          (const char *s,
 
 #ifndef HAVE_MEMDUP
 
-void *     memdup           (void *data,
+void *     memdup           (const void *data,
                              size_t length);
 
 #endif /* HAVE_MEMDUP */
diff --git a/common/oid.c b/common/oid.c
new file mode 100644
index 0000000..0c876ec
--- /dev/null
+++ b/common/oid.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2012 Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *     * Redistributions of source code must retain the above
+ *       copyright notice, this list of conditions and the
+ *       following disclaimer.
+ *     * Redistributions in binary form must reproduce the
+ *       above copyright notice, this list of conditions and
+ *       the following disclaimer in the documentation and/or
+ *       other materials provided with the distribution.
+ *     * The names of contributors to this software may not be
+ *       used to endorse or promote products derived from this
+ *       software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@redhat.com>
+ */
+
+#include "config.h"
+
+#include "oid.h"
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+/*
+ * We deal with OIDs a lot in their DER form. These have the
+ * advantage of having the length encoded in their second byte,
+ * at least for all the OIDs we're interested in.
+ *
+ * The goal here is to avoid carrying around extra length
+ * information about DER encoded OIDs.
+ */
+
+bool
+p11_oid_simple (const unsigned char *oid,
+                int len)
+{
+	return (oid != NULL &&
+	        len > 3 &&                   /* minimum length */
+	        oid[0] == 0x06 &&            /* simple encoding */
+	        (oid[1] & 128) == 0 &&       /* short form length */
+	        (size_t)oid[1] == len - 2);  /* matches length */
+}
+
+unsigned int
+p11_oid_hash (const void *oid)
+{
+	const unsigned char *v = oid;
+	unsigned int hash;
+	int len;
+	int i;
+
+	len = p11_oid_length (v);
+	hash = v[0];
+
+	for (i = 1; i < len; i++)
+		hash = (hash << 5) - hash + v[i];
+
+	return hash;
+}
+
+bool
+p11_oid_equal (const void *oid_one,
+               const void *oid_two)
+{
+	int len_one;
+	int len_two;
+
+	len_one = p11_oid_length (oid_one);
+	len_two = p11_oid_length (oid_two);
+
+	return (len_one == len_two &&
+	        memcmp (oid_one, oid_two, len_one) == 0);
+}
+
+int
+p11_oid_length (const unsigned char *oid)
+{
+	assert (oid[0] == 0x06);
+	assert ((oid[1] & 128) == 0);
+	return (int)oid[1] + 2;
+}
diff --git a/common/oid.h b/common/oid.h
new file mode 100644
index 0000000..b0c8538
--- /dev/null
+++ b/common/oid.h
@@ -0,0 +1,209 @@
+/*
+ * Copyright (C) 2012 Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *     * Redistributions of source code must retain the above
+ *       copyright notice, this list of conditions and the
+ *       following disclaimer.
+ *     * Redistributions in binary form must reproduce the
+ *       above copyright notice, this list of conditions and
+ *       the following disclaimer in the documentation and/or
+ *       other materials provided with the distribution.
+ *     * The names of contributors to this software may not be
+ *       used to endorse or promote products derived from this
+ *       software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@redhat.com>
+ */
+
+#ifndef P11_OIDS_H_
+#define P11_OIDS_H_
+
+#include "compat.h"
+
+bool           p11_oid_simple  (const unsigned char *oid,
+                                int len);
+
+unsigned int   p11_oid_hash    (const void *oid);
+
+bool           p11_oid_equal   (const void *oid_one,
+                                const void *oid_two);
+
+int            p11_oid_length  (const unsigned char *oid);
+
+/*
+ * Our support of certificate extensions and so on is not limited to what is
+ * listed here. This is simply the OIDs used by the parsing code that generates
+ * backwards compatible PKCS#11 objects for NSS and the like.
+ */
+
+/*
+ * 2.5.29.14: SubjectKeyIdentifier
+ */
+static const unsigned char P11_OID_SUBJECT_KEY_IDENTIFIER[] =
+	{ 0x06, 0x03, 0x55, 0x1d, 0x0e };
+
+/*
+ * 2.5.29.15: KeyUsage
+ *
+ * Defined in RFC 5280
+ */
+static const unsigned char P11_OID_KEY_USAGE[] =
+	{ 0x06, 0x03, 0x55, 0x1d, 0x0f };
+
+enum {
+	P11_KU_DIGITAL_SIGNATURE = 128,
+	P11_KU_NON_REPUDIATION = 64,
+	P11_KU_KEY_ENCIPHERMENT = 32,
+	P11_KU_DATA_ENCIPHERMENT = 16,
+	P11_KU_KEY_AGREEMENT = 8,
+	P11_KU_KEY_CERT_SIGN = 4,
+	P11_KU_CRL_SIGN = 2,
+	P11_KU_ENCIPHER_ONLY = 1,
+	P11_KU_DECIPHER_ONLY = 32768,
+};
+
+/*
+ * 2.5.29.19: BasicConstraints
+ *
+ * Defined in RFC 5280
+ */
+static const unsigned char P11_OID_BASIC_CONSTRAINTS[] =
+	{ 0x06, 0x03, 0x55, 0x1d, 0x13 };
+
+
+/*
+ * 2.5.29.37: ExtendedKeyUsage
+ *
+ * Defined in RFC 5280
+ */
+static const unsigned char P11_OID_EXTENDED_KEY_USAGE[] =
+	{ 0x06, 0x03, 0x55, 0x1d, 0x25 };
+
+/*
+ * 1.3.6.1.4.1.3319.6.10.1: OpenSSL reject extension
+ *
+ * An internally defined certificate extension.
+ *
+ * OpenSSL contains a list of OID extended key usages to reject.
+ * The normal X.509 model is to only *include* the extended key
+ * usages that are to be allowed (ie: a whitelist). It's not clear
+ * exactly how valid and useful the reject per extended key usage
+ * model is. In fact, it appears that openssl does not use this
+ * information.
+ *
+ * However in order to parse openssl trust policy information and
+ * be able to write it back out in the same way, we define a custom
+ * certificate extension to store it.
+ *
+ * It is not expected (or supported) for others outside of p11-kit
+ * to read this information at this point.
+ *
+ * This extension is never marked critical. It is not necessary to
+ * respect information in this certificate extension given that the
+ * ExtendedKeyUsage extension carries the same information as a
+ * whitelist.
+ */
+static const unsigned char P11_OID_OPENSSL_REJECT[] =
+	{ 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x99, 0x77, 0x06, 0x0a, 0x01 };
+
+/*
+ * 1.3.6.1.5.5.7.3.1: Server Auth
+ *
+ * Defined in RFC 5280
+ */
+static const unsigned char P11_OID_SERVER_AUTH[] =
+	{ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01 };
+
+/*
+ * 1.3.6.1.5.5.7.3.2: Client Auth
+ *
+ * Defined in RFC 5280
+ */
+static const unsigned char P11_OID_CLIENT_AUTH[] =
+	{ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02 };
+
+/*
+ * 1.3.6.1.5.5.7.3.3: Code Signing
+ *
+ * Defined in RFC 5280
+ */
+static const unsigned char P11_OID_CODE_SIGNING[] =
+	{ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03 };
+
+/*
+ * 1.3.6.1.5.5.7.3.4: Email Protection
+ *
+ * Defined in RFC 5280
+ */
+static const unsigned char P11_OID_EMAIL_PROTECTION[] =
+	{ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04 };
+
+/*
+ * 1.3.6.1.5.5.7.3.5: IPSec End System
+ *
+ * Defined in RFC 2459
+ */
+static const unsigned char P11_OID_IPSEC_END_SYSTEM[] =
+	{ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x05 };
+
+/*
+ * 1.3.6.1.5.5.7.3.6: IPSec Tunnel
+ *
+ * Defined in RFC 2459
+ */
+static const unsigned char P11_OID_IPSEC_TUNNEL[] =
+	{ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x06 };
+
+/*
+ * 1.3.6.1.5.5.7.3.7: IPSec User
+ *
+ * Defined in RFC 2459
+ */
+static const unsigned char P11_OID_IPSEC_USER[] =
+	{ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x07 };
+
+/*
+ * 1.3.6.1.5.5.7.3.8: Time Stamping
+ *
+ * Defined in RFC 2459
+ */
+static const unsigned char P11_OID_TIME_STAMPING[] =
+	{ 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x08 };
+
+/*
+ * 1.3.6.1.4.1.3319.6.10.16: Reserved key purpose
+ *
+ * An internally defined reserved/dummy key purpose
+ *
+ * This is used with ExtendedKeyUsage certificate extensions to
+ * be a place holder when no other purposes are defined.
+ *
+ * In theory such a certificate should be blacklisted. But in reality
+ * OpenSSL supports such empty sets of purposes. RFC 5280 requires at
+ * least one purpose in an ExtendedKeyUsage.
+ *
+ * This purpose should never be used or checked.
+ */
+static const unsigned char P11_OID_RESERVED_PURPOSE[] =
+	{ 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x99, 0x77, 0x06, 0x0a, 0x10 };
+static const char P11_OID_RESERVED_PURPOSE_STR[] =
+	"1.3.6.1.4.1.3319.6.10.16";
+
+#endif
diff --git a/common/tests/Makefile.am b/common/tests/Makefile.am
index ac2ab38..94c6556 100644
--- a/common/tests/Makefile.am
+++ b/common/tests/Makefile.am
@@ -36,12 +36,14 @@ LDADD += \
 CHECK_PROGS += \
 	test-checksum \
 	test-pem \
+	test-oid \
 	$(NULL)
 
 noinst_PROGRAMS += \
 	frob-ku \
 	frob-eku \
 	frob-cert \
+	frob-oid \
 	$(NULL)
 
 endif # WITH_ASN1
diff --git a/common/tests/frob-ku.c b/common/tests/frob-ku.c
index c0abd88..00d45c6 100644
--- a/common/tests/frob-ku.c
+++ b/common/tests/frob-ku.c
@@ -35,6 +35,8 @@
 #include "config.h"
 #include "compat.h"
 
+#include "oid.h"
+
 #include <libtasn1.h>
 
 #include <assert.h>
@@ -50,18 +52,6 @@
 		exit (1); \
 	} } while (0)
 
-enum {
-	KU_DIGITAL_SIGNATURE = 128,
-	KU_NON_REPUDIATION = 64,
-	KU_KEY_ENCIPHERMENT = 32,
-	KU_DATA_ENCIPHERMENT = 16,
-	KU_KEY_AGREEMENT = 8,
-	KU_KEY_CERT_SIGN = 4,
-	KU_CRL_SIGN = 2,
-	KU_ENCIPHER_ONLY = 1,
-	KU_DECIPHER_ONLY = 32768,
-};
-
 int
 main (int argc,
       char *argv[])
@@ -78,19 +68,19 @@ main (int argc,
 
 	for (i = 1; i < argc; i++) {
 		if (strcmp (argv[i], "digital-signature") == 0)
-			usage |= KU_DIGITAL_SIGNATURE;
+			usage |= P11_KU_DIGITAL_SIGNATURE;
 		else if (strcmp (argv[i], "non-repudiation") == 0)
-			usage |= KU_NON_REPUDIATION;
+			usage |= P11_KU_NON_REPUDIATION;
 		else if (strcmp (argv[i], "key-encipherment") == 0)
-			usage |= KU_KEY_ENCIPHERMENT;
+			usage |= P11_KU_KEY_ENCIPHERMENT;
 		else if (strcmp (argv[i], "data-encipherment") == 0)
-			usage |= KU_DATA_ENCIPHERMENT;
+			usage |= P11_KU_DATA_ENCIPHERMENT;
 		else if (strcmp (argv[i], "key-agreement") == 0)
-			usage |= KU_KEY_AGREEMENT;
+			usage |= P11_KU_KEY_AGREEMENT;
 		else if (strcmp (argv[i], "key-cert-sign") == 0)
-			usage |= KU_KEY_CERT_SIGN;
+			usage |= P11_KU_KEY_CERT_SIGN;
 		else if (strcmp (argv[i], "crl-sign") == 0)
-			usage |= KU_CRL_SIGN;
+			usage |= P11_KU_CRL_SIGN;
 		else {
 			fprintf (stderr, "unsupported or unknown key usage: %s\n", argv[i]);
 			return 2;
diff --git a/common/tests/frob-oid.c b/common/tests/frob-oid.c
new file mode 100644
index 0000000..b4c7658
--- /dev/null
+++ b/common/tests/frob-oid.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 2012 Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *     * Redistributions of source code must retain the above
+ *       copyright notice, this list of conditions and the
+ *       following disclaimer.
+ *     * Redistributions in binary form must reproduce the
+ *       above copyright notice, this list of conditions and
+ *       the following disclaimer in the documentation and/or
+ *       other materials provided with the distribution.
+ *     * The names of contributors to this software may not be
+ *       used to endorse or promote products derived from this
+ *       software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@gnome.org>
+ */
+
+#include "config.h"
+#include "compat.h"
+
+#include <libtasn1.h>
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "pkix.asn.h"
+
+#define err_if_fail(ret, msg) \
+	do { if ((ret) != ASN1_SUCCESS) { \
+		fprintf (stderr, "%s: %s\n", msg, asn1_strerror (ret)); \
+		exit (1); \
+	} } while (0)
+int
+main (int argc,
+      char *argv[])
+{
+	char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = { 0, };
+	node_asn *definitions = NULL;
+	node_asn *oid = NULL;
+	char *buf;
+	int len;
+	int ret;
+
+	if (argc != 2) {
+		fprintf (stderr, "usage: frob-oid 1.1.1\n");
+		return 2;
+	}
+
+	ret = asn1_array2tree (pkix_asn1_tab, &definitions, message);
+	if (ret != ASN1_SUCCESS) {
+		fprintf (stderr, "definitions: %s\n", message);
+		return 1;
+	}
+
+	/* AttributeType is a OBJECT IDENTIFIER */
+	ret = asn1_create_element (definitions, "PKIX1.AttributeType", &oid);
+	err_if_fail (ret, "AttributeType");
+
+	ret = asn1_write_value (oid, "", argv[1], strlen (argv[1]));
+	err_if_fail (ret, "asn1_write_value");
+
+	len = 0;
+	ret = asn1_der_coding (oid, "", NULL, &len, message);
+	assert (ret == ASN1_MEM_ERROR);
+
+	buf = malloc (len);
+	assert (buf != NULL);
+	ret = asn1_der_coding (oid, "", buf, &len, message);
+	if (ret != ASN1_SUCCESS) {
+		fprintf (stderr, "asn1_der_coding: %s\n", message);
+		return 1;
+	}
+
+	fwrite (buf, 1, len, stdout);
+	fflush (stdout);
+
+	asn1_delete_structure (&oid);
+	asn1_delete_structure (&definitions);
+
+	return 0;
+}
diff --git a/common/tests/test-oid.c b/common/tests/test-oid.c
new file mode 100644
index 0000000..616512b
--- /dev/null
+++ b/common/tests/test-oid.c
@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 2012 Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *     * Redistributions of source code must retain the above
+ *       copyright notice, this list of conditions and the
+ *       following disclaimer.
+ *     * Redistributions in binary form must reproduce the
+ *       above copyright notice, this list of conditions and
+ *       the following disclaimer in the documentation and/or
+ *       other materials provided with the distribution.
+ *     * The names of contributors to this software may not be
+ *       used to endorse or promote products derived from this
+ *       software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@gnome.org>
+ */
+
+#include "config.h"
+#include "CuTest.h"
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "debug.h"
+#include "oid.h"
+
+#include <libtasn1.h>
+
+#include "pkix.asn.h"
+
+static void
+test_known_oids (CuTest *cu)
+{
+	char buffer[128];
+	node_asn *definitions = NULL;
+	node_asn *node;
+	int ret;
+	int len;
+	int i;
+
+	struct {
+		const unsigned char *oid;
+		size_t length;
+		const char *string;
+	} known_oids[] = {
+		{ P11_OID_SUBJECT_KEY_IDENTIFIER, sizeof (P11_OID_SUBJECT_KEY_IDENTIFIER), "2.5.29.14", },
+		{ P11_OID_KEY_USAGE, sizeof (P11_OID_KEY_USAGE), "2.5.29.15", },
+		{ P11_OID_BASIC_CONSTRAINTS, sizeof (P11_OID_BASIC_CONSTRAINTS), "2.5.29.19" },
+		{ P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE), "2.5.29.37" },
+		{ P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT), "1.3.6.1.4.1.3319.6.10.1" },
+		{ P11_OID_SERVER_AUTH, sizeof (P11_OID_SERVER_AUTH), "1.3.6.1.5.5.7.3.1", },
+		{ P11_OID_CLIENT_AUTH, sizeof (P11_OID_CLIENT_AUTH), "1.3.6.1.5.5.7.3.2", },
+		{ P11_OID_CODE_SIGNING, sizeof (P11_OID_CODE_SIGNING), "1.3.6.1.5.5.7.3.3", },
+		{ P11_OID_EMAIL_PROTECTION, sizeof (P11_OID_EMAIL_PROTECTION), "1.3.6.1.5.5.7.3.4", },
+		{ P11_OID_IPSEC_END_SYSTEM, sizeof (P11_OID_IPSEC_END_SYSTEM), "1.3.6.1.5.5.7.3.5", },
+		{ P11_OID_IPSEC_TUNNEL, sizeof (P11_OID_IPSEC_TUNNEL), "1.3.6.1.5.5.7.3.6", },
+		{ P11_OID_IPSEC_USER, sizeof (P11_OID_IPSEC_USER), "1.3.6.1.5.5.7.3.7" },
+		{ P11_OID_TIME_STAMPING, sizeof (P11_OID_TIME_STAMPING), "1.3.6.1.5.5.7.3.8" },
+		{ P11_OID_RESERVED_PURPOSE, sizeof (P11_OID_RESERVED_PURPOSE), "1.3.6.1.4.1.3319.6.10.16" },
+		{ NULL },
+	};
+
+	ret = asn1_array2tree (pkix_asn1_tab, &definitions, NULL);
+	CuAssertTrue (cu, ret == ASN1_SUCCESS);
+
+	for (i = 0; known_oids[i].oid != NULL; i++) {
+
+		CuAssertTrue (cu, p11_oid_simple (known_oids[i].oid, known_oids[i].length));
+		CuAssertIntEquals (cu, known_oids[i].length, p11_oid_length (known_oids[i].oid));
+		CuAssertTrue (cu, p11_oid_equal (known_oids[i].oid, known_oids[i].oid));
+
+		if (i > 0)
+			CuAssertTrue (cu, !p11_oid_equal (known_oids[i].oid, known_oids[i - 1].oid));
+
+		/* AttributeType is a OBJECT IDENTIFIER */
+		ret = asn1_create_element (definitions, "PKIX1.AttributeType", &node);
+		CuAssertTrue (cu, ret == ASN1_SUCCESS);
+
+		ret = asn1_der_decoding (&node, known_oids[i].oid, known_oids[i].length, NULL);
+		CuAssertTrue (cu, ret == ASN1_SUCCESS);
+
+		len = sizeof (buffer);
+		ret = asn1_read_value (node, "", buffer, &len);
+		CuAssertTrue (cu, ret == ASN1_SUCCESS);
+
+		CuAssertStrEquals (cu, known_oids[i].string, buffer);
+
+		asn1_delete_structure (&node);
+	}
+
+	asn1_delete_structure (&definitions);
+}
+
+int
+main (void)
+{
+	CuString *output = CuStringNew ();
+	CuSuite* suite = CuSuiteNew ();
+	int ret;
+
+	setenv ("P11_KIT_STRICT", "1", 1);
+	p11_debug_init ();
+
+	SUITE_ADD_TEST (suite, test_known_oids);
+
+	CuSuiteRun (suite);
+	CuSuiteSummary (suite, output);
+	CuSuiteDetails (suite, output);
+	printf ("%s\n", output->buffer);
+	ret = suite->failCount;
+	CuSuiteDelete (suite);
+	CuStringDelete (output);
+
+	return ret;
+}