diff options
author | Stef Walter <stefw@gnome.org> | 2013-03-14 21:08:01 +0100 |
---|---|---|
committer | Stef Walter <stefw@gnome.org> | 2013-03-15 18:00:10 +0100 |
commit | 2d75eb32793a569dc3de359bb623713c80393d24 (patch) | |
tree | aa62978bc970d95082769c9725325d31cc413058 /trust/tests | |
parent | d7d68de6c9de9190c85da36b731e61ae3421a811 (diff) |
trust: Add a builder which builds objects out of parsed data
The builder completes the objects from the parsed data and takes
over the responsibilities that the parser and adapter previously
shared.
This is necessary to prepare for arbitrary data coming from
the p11-kit specific input files.
https://bugs.freedesktop.org/show_bug.cgi?id=62329
Diffstat (limited to 'trust/tests')
-rw-r--r-- | trust/tests/Makefile.am | 1 | ||||
-rw-r--r-- | trust/tests/test-builder.c | 1611 | ||||
-rw-r--r-- | trust/tests/test-data.c | 2 | ||||
-rw-r--r-- | trust/tests/test-module.c | 28 | ||||
-rw-r--r-- | trust/tests/test-parser.c | 666 | ||||
-rw-r--r-- | trust/tests/test-token.c | 58 |
6 files changed, 1775 insertions, 591 deletions
diff --git a/trust/tests/Makefile.am b/trust/tests/Makefile.am index cdab991..a675a56 100644 --- a/trust/tests/Makefile.am +++ b/trust/tests/Makefile.am @@ -28,6 +28,7 @@ LDADD = \ CHECK_PROGS = \ test-parser \ test-index \ + test-builder \ test-token \ test-module \ $(NULL) diff --git a/trust/tests/test-builder.c b/trust/tests/test-builder.c new file mode 100644 index 0000000..8ffab88 --- /dev/null +++ b/trust/tests/test-builder.c @@ -0,0 +1,1611 @@ +/* + * Copyright (c) 2013 Red Hat Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above + * copyright notice, this list of conditions and the + * following disclaimer. + * * Redistributions in binary form must reproduce the + * above copyright notice, this list of conditions and + * the following disclaimer in the documentation and/or + * other materials provided with the distribution. + * * The names of contributors to this software may not be + * used to endorse or promote products derived from this + * software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + * + * Author: Stef Walter <stefw@gnome.org> + */ + +#include "config.h" +#include "CuTest.h" + +#include <stdlib.h> +#include <stdio.h> +#include <string.h> + +#include "attrs.h" +#include "builder.h" +#include "checksum.h" +#include "debug.h" +#include "index.h" +#include "library.h" +#include "oid.h" +#include "pkcs11x.h" + +#include "test-data.h" + +struct { + p11_builder *builder; + p11_index *index; +} test; + +static CK_TRUST trusted = CKT_NSS_TRUSTED; +static CK_TRUST trusted_delegator = CKT_NSS_TRUSTED_DELEGATOR; +static CK_TRUST not_trusted = CKT_NSS_NOT_TRUSTED; +static CK_TRUST trust_unknown = CKT_NSS_TRUST_UNKNOWN; +static CK_OBJECT_CLASS certificate = CKO_CERTIFICATE; +static CK_OBJECT_CLASS data = CKO_DATA; +static CK_OBJECT_CLASS certificate_extension = CKO_X_CERTIFICATE_EXTENSION; +static CK_OBJECT_CLASS nss_trust = CKO_NSS_TRUST; +static CK_OBJECT_CLASS trust_assertion = CKO_X_TRUST_ASSERTION; +static CK_X_ASSERTION_TYPE anchored_certificate = CKT_X_ANCHORED_CERTIFICATE; +static CK_X_ASSERTION_TYPE distrusted_certificate = CKT_X_DISTRUSTED_CERTIFICATE; +static CK_CERTIFICATE_TYPE x509 = CKC_X_509; +static CK_ULONG certificate_authority = 2; +static CK_ULONG other_entity = 3; +static CK_BBOOL truev = CK_TRUE; +static CK_BBOOL falsev = CK_FALSE; + +static void +setup (CuTest *cu) +{ + test.builder = p11_builder_new (P11_BUILDER_FLAG_TOKEN); + CuAssertPtrNotNull (cu, test.builder); + + test.index = p11_index_new (p11_builder_build, p11_builder_changed, test.builder); + CuAssertPtrNotNull (cu, test.index); +} + +static void +teardown (CuTest *cu) +{ + p11_builder_free (test.builder); + p11_index_free (test.index); + memset (&test, 0, sizeof (test)); +} + +static void +test_get_cache (CuTest *cu) +{ + p11_asn1_cache *cache; + + setup (cu); + + cache = p11_builder_get_cache (test.builder); + CuAssertPtrEquals (cu, NULL, p11_asn1_cache_get (cache, "blah", (unsigned char *)"blah", 4)); + + teardown (cu); +} + +static void +test_build_data (CuTest *cu) +{ + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &data, sizeof (data) }, + { CKA_VALUE, "the value", 9 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE check[] = { + { CKA_CLASS, &data, sizeof (data) }, + { CKA_TOKEN, &truev, sizeof (truev) }, + { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, + { CKA_PRIVATE, &falsev, sizeof (falsev) }, + { CKA_LABEL, "", 0 }, + { CKA_VALUE, "the value", 9 }, + { CKA_APPLICATION, "", 0 }, + { CKA_OBJECT_ID, "", 0 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_ATTRIBUTE *merge; + CK_RV rv; + + setup (cu); + + attrs = NULL; + merge = p11_attrs_dup (input); + rv = p11_builder_build (test.builder, test.index, &attrs, merge); + CuAssertIntEquals (cu, CKR_OK, rv); + + test_check_attrs (cu, check, attrs); + p11_attrs_free (attrs); + + teardown (cu); +} + +static void +test_build_certificate (CuTest *cu) +{ + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, + { CKA_LABEL, "the label", 9 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_ATTRIBUTE *merge; + CK_RV rv; + + setup (cu); + + attrs = NULL; + merge = p11_attrs_dup (input); + rv = p11_builder_build (test.builder, test.index, &attrs, merge); + CuAssertIntEquals (cu, CKR_OK, rv); + + test_check_cacert3_ca (cu, attrs, "the label"); + p11_attrs_free (attrs); + + teardown (cu); +} + +static void +test_build_certificate_empty (CuTest *cu) +{ + unsigned char checksum[P11_CHECKSUM_SHA1_LENGTH]; + CK_ULONG domain = 0; + CK_ULONG category = 0; + + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_URL, "http://blah", 11 }, + { CKA_HASH_OF_ISSUER_PUBLIC_KEY, checksum, sizeof (checksum) }, + { CKA_HASH_OF_SUBJECT_PUBLIC_KEY, checksum, sizeof (checksum) }, + { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, + { CKA_LABEL, "the label", 9 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE expected[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) }, + { CKA_VALUE, "", 0 }, + { CKA_START_DATE, "", 0 }, + { CKA_END_DATE, "", 0, }, + { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, + { CKA_ISSUER, "", 0 }, + { CKA_SERIAL_NUMBER, "", 0 }, + { CKA_HASH_OF_ISSUER_PUBLIC_KEY, checksum, sizeof (checksum) }, + { CKA_HASH_OF_SUBJECT_PUBLIC_KEY, checksum, sizeof (checksum) }, + { CKA_LABEL, "the label", 9 }, + { CKA_JAVA_MIDP_SECURITY_DOMAIN, &domain, sizeof (domain) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_ATTRIBUTE *merge; + CK_RV rv; + + setup (cu); + + p11_checksum_sha1 (checksum, test_cacert3_ca_der, sizeof (test_cacert3_ca_der), NULL); + + attrs = NULL; + merge = p11_attrs_dup (input); + rv = p11_builder_build (test.builder, test.index, &attrs, merge); + CuAssertIntEquals (cu, CKR_OK, rv); + + test_check_attrs (cu, expected, attrs); + p11_attrs_free (attrs); + + teardown (cu); +} + +static const unsigned char entrust_pretend_ca[] = { + 0x30, 0x82, 0x04, 0x5c, 0x30, 0x82, 0x03, 0x44, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x04, 0x38, + 0x63, 0xb9, 0x66, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, + 0x05, 0x00, 0x30, 0x81, 0xb4, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b, + 0x45, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x31, 0x40, 0x30, 0x3e, 0x06, + 0x03, 0x55, 0x04, 0x0b, 0x14, 0x37, 0x77, 0x77, 0x77, 0x2e, 0x65, 0x6e, 0x74, 0x72, 0x75, 0x73, + 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x2f, 0x43, 0x50, 0x53, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x20, 0x69, + 0x6e, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x20, 0x62, 0x79, 0x20, 0x72, 0x65, 0x66, 0x2e, 0x20, 0x28, + 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x73, 0x20, 0x6c, 0x69, 0x61, 0x62, 0x2e, 0x29, 0x31, 0x25, 0x30, + 0x23, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1c, 0x28, 0x63, 0x29, 0x20, 0x31, 0x39, 0x39, 0x39, + 0x20, 0x45, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x20, 0x4c, 0x69, 0x6d, + 0x69, 0x74, 0x65, 0x64, 0x31, 0x33, 0x30, 0x31, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x2a, 0x45, + 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, + 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x28, 0x32, 0x30, 0x34, 0x38, 0x29, 0x30, 0x1e, 0x17, 0x0d, 0x39, 0x39, 0x31, + 0x32, 0x32, 0x34, 0x31, 0x37, 0x35, 0x30, 0x35, 0x31, 0x5a, 0x17, 0x0d, 0x31, 0x39, 0x31, 0x32, + 0x32, 0x34, 0x31, 0x38, 0x32, 0x30, 0x35, 0x31, 0x5a, 0x30, 0x81, 0xb4, 0x31, 0x14, 0x30, 0x12, + 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b, 0x45, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, + 0x65, 0x74, 0x31, 0x40, 0x30, 0x3e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x14, 0x37, 0x77, 0x77, 0x77, + 0x2e, 0x65, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x2f, 0x43, 0x50, 0x53, + 0x5f, 0x32, 0x30, 0x34, 0x38, 0x20, 0x69, 0x6e, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x20, 0x62, 0x79, + 0x20, 0x72, 0x65, 0x66, 0x2e, 0x20, 0x28, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x73, 0x20, 0x6c, 0x69, + 0x61, 0x62, 0x2e, 0x29, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1c, 0x28, + 0x63, 0x29, 0x20, 0x31, 0x39, 0x39, 0x39, 0x20, 0x45, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, + 0x6e, 0x65, 0x74, 0x20, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x65, 0x64, 0x31, 0x33, 0x30, 0x31, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x13, 0x2a, 0x45, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, + 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, + 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x28, 0x32, 0x30, 0x34, 0x38, 0x29, + 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, + 0x00, 0xad, 0x4d, 0x4b, 0xa9, 0x12, 0x86, 0xb2, 0xea, 0xa3, 0x20, 0x07, 0x15, 0x16, 0x64, 0x2a, + 0x2b, 0x4b, 0xd1, 0xbf, 0x0b, 0x4a, 0x4d, 0x8e, 0xed, 0x80, 0x76, 0xa5, 0x67, 0xb7, 0x78, 0x40, + 0xc0, 0x73, 0x42, 0xc8, 0x68, 0xc0, 0xdb, 0x53, 0x2b, 0xdd, 0x5e, 0xb8, 0x76, 0x98, 0x35, 0x93, + 0x8b, 0x1a, 0x9d, 0x7c, 0x13, 0x3a, 0x0e, 0x1f, 0x5b, 0xb7, 0x1e, 0xcf, 0xe5, 0x24, 0x14, 0x1e, + 0xb1, 0x81, 0xa9, 0x8d, 0x7d, 0xb8, 0xcc, 0x6b, 0x4b, 0x03, 0xf1, 0x02, 0x0c, 0xdc, 0xab, 0xa5, + 0x40, 0x24, 0x00, 0x7f, 0x74, 0x94, 0xa1, 0x9d, 0x08, 0x29, 0xb3, 0x88, 0x0b, 0xf5, 0x87, 0x77, + 0x9d, 0x55, 0xcd, 0xe4, 0xc3, 0x7e, 0xd7, 0x6a, 0x64, 0xab, 0x85, 0x14, 0x86, 0x95, 0x5b, 0x97, + 0x32, 0x50, 0x6f, 0x3d, 0xc8, 0xba, 0x66, 0x0c, 0xe3, 0xfc, 0xbd, 0xb8, 0x49, 0xc1, 0x76, 0x89, + 0x49, 0x19, 0xfd, 0xc0, 0xa8, 0xbd, 0x89, 0xa3, 0x67, 0x2f, 0xc6, 0x9f, 0xbc, 0x71, 0x19, 0x60, + 0xb8, 0x2d, 0xe9, 0x2c, 0xc9, 0x90, 0x76, 0x66, 0x7b, 0x94, 0xe2, 0xaf, 0x78, 0xd6, 0x65, 0x53, + 0x5d, 0x3c, 0xd6, 0x9c, 0xb2, 0xcf, 0x29, 0x03, 0xf9, 0x2f, 0xa4, 0x50, 0xb2, 0xd4, 0x48, 0xce, + 0x05, 0x32, 0x55, 0x8a, 0xfd, 0xb2, 0x64, 0x4c, 0x0e, 0xe4, 0x98, 0x07, 0x75, 0xdb, 0x7f, 0xdf, + 0xb9, 0x08, 0x55, 0x60, 0x85, 0x30, 0x29, 0xf9, 0x7b, 0x48, 0xa4, 0x69, 0x86, 0xe3, 0x35, 0x3f, + 0x1e, 0x86, 0x5d, 0x7a, 0x7a, 0x15, 0xbd, 0xef, 0x00, 0x8e, 0x15, 0x22, 0x54, 0x17, 0x00, 0x90, + 0x26, 0x93, 0xbc, 0x0e, 0x49, 0x68, 0x91, 0xbf, 0xf8, 0x47, 0xd3, 0x9d, 0x95, 0x42, 0xc1, 0x0e, + 0x4d, 0xdf, 0x6f, 0x26, 0xcf, 0xc3, 0x18, 0x21, 0x62, 0x66, 0x43, 0x70, 0xd6, 0xd5, 0xc0, 0x07, + 0xe1, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x74, 0x30, 0x72, 0x30, 0x11, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x01, 0x04, 0x04, 0x03, 0x02, 0x00, 0x07, 0x30, 0x1f, 0x06, + 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x55, 0xe4, 0x81, 0xd1, 0x11, 0x80, + 0xbe, 0xd8, 0x89, 0xb9, 0x08, 0xa3, 0x31, 0xf9, 0xa1, 0x24, 0x09, 0x16, 0xb9, 0x70, 0x30, 0x1d, + 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x55, 0xe4, 0x81, 0xd1, 0x11, 0x80, 0xbe, + 0xd8, 0x89, 0xb9, 0x08, 0xa3, 0x31, 0xf9, 0xa1, 0x24, 0x09, 0x16, 0xb9, 0x70, 0x30, 0x1d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf6, 0x7d, 0x07, 0x41, 0x00, 0x04, 0x10, 0x30, 0x0e, 0x1b, 0x08, + 0x56, 0x35, 0x2e, 0x30, 0x3a, 0x34, 0x2e, 0x30, 0x03, 0x02, 0x04, 0x90, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, + 0x59, 0x47, 0xac, 0x21, 0x84, 0x8a, 0x17, 0xc9, 0x9c, 0x89, 0x53, 0x1e, 0xba, 0x80, 0x85, 0x1a, + 0xc6, 0x3c, 0x4e, 0x3e, 0xb1, 0x9c, 0xb6, 0x7c, 0xc6, 0x92, 0x5d, 0x18, 0x64, 0x02, 0xe3, 0xd3, + 0x06, 0x08, 0x11, 0x61, 0x7c, 0x63, 0xe3, 0x2b, 0x9d, 0x31, 0x03, 0x70, 0x76, 0xd2, 0xa3, 0x28, + 0xa0, 0xf4, 0xbb, 0x9a, 0x63, 0x73, 0xed, 0x6d, 0xe5, 0x2a, 0xdb, 0xed, 0x14, 0xa9, 0x2b, 0xc6, + 0x36, 0x11, 0xd0, 0x2b, 0xeb, 0x07, 0x8b, 0xa5, 0xda, 0x9e, 0x5c, 0x19, 0x9d, 0x56, 0x12, 0xf5, + 0x54, 0x29, 0xc8, 0x05, 0xed, 0xb2, 0x12, 0x2a, 0x8d, 0xf4, 0x03, 0x1b, 0xff, 0xe7, 0x92, 0x10, + 0x87, 0xb0, 0x3a, 0xb5, 0xc3, 0x9d, 0x05, 0x37, 0x12, 0xa3, 0xc7, 0xf4, 0x15, 0xb9, 0xd5, 0xa4, + 0x39, 0x16, 0x9b, 0x53, 0x3a, 0x23, 0x91, 0xf1, 0xa8, 0x82, 0xa2, 0x6a, 0x88, 0x68, 0xc1, 0x79, + 0x02, 0x22, 0xbc, 0xaa, 0xa6, 0xd6, 0xae, 0xdf, 0xb0, 0x14, 0x5f, 0xb8, 0x87, 0xd0, 0xdd, 0x7c, + 0x7f, 0x7b, 0xff, 0xaf, 0x1c, 0xcf, 0xe6, 0xdb, 0x07, 0xad, 0x5e, 0xdb, 0x85, 0x9d, 0xd0, 0x2b, + 0x0d, 0x33, 0xdb, 0x04, 0xd1, 0xe6, 0x49, 0x40, 0x13, 0x2b, 0x76, 0xfb, 0x3e, 0xe9, 0x9c, 0x89, + 0x0f, 0x15, 0xce, 0x18, 0xb0, 0x85, 0x78, 0x21, 0x4f, 0x6b, 0x4f, 0x0e, 0xfa, 0x36, 0x67, 0xcd, + 0x07, 0xf2, 0xff, 0x08, 0xd0, 0xe2, 0xde, 0xd9, 0xbf, 0x2a, 0xaf, 0xb8, 0x87, 0x86, 0x21, 0x3c, + 0x04, 0xca, 0xb7, 0x94, 0x68, 0x7f, 0xcf, 0x3c, 0xe9, 0x98, 0xd7, 0x38, 0xff, 0xec, 0xc0, 0xd9, + 0x50, 0xf0, 0x2e, 0x4b, 0x58, 0xae, 0x46, 0x6f, 0xd0, 0x2e, 0xc3, 0x60, 0xda, 0x72, 0x55, 0x72, + 0xbd, 0x4c, 0x45, 0x9e, 0x61, 0xba, 0xbf, 0x84, 0x81, 0x92, 0x03, 0xd1, 0xd2, 0x69, 0x7c, 0xc5, +}; + +static void +test_build_certificate_non_ca (CuTest *cu) +{ + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_VALUE, (void *)entrust_pretend_ca, sizeof (entrust_pretend_ca) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE expected[] = { + { CKA_CERTIFICATE_CATEGORY, &other_entity, sizeof (other_entity) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_RV rv; + + setup (cu); + + attrs = NULL; + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (input)); + CuAssertIntEquals (cu, CKR_OK, rv); + + test_check_attrs (cu, expected, attrs); + p11_attrs_free (attrs); + + teardown (cu); +} + +static const unsigned char verisign_v1_ca[] = { + 0x30, 0x82, 0x02, 0x3c, 0x30, 0x82, 0x01, 0xa5, 0x02, 0x10, 0x3f, 0x69, 0x1e, 0x81, 0x9c, 0xf0, + 0x9a, 0x4a, 0xf3, 0x73, 0xff, 0xb9, 0x48, 0xa2, 0xe4, 0xdd, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x5f, 0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, + 0x0a, 0x13, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, + 0x2e, 0x31, 0x37, 0x30, 0x35, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x2e, 0x43, 0x6c, 0x61, 0x73, + 0x73, 0x20, 0x31, 0x20, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x20, 0x50, 0x72, 0x69, 0x6d, 0x61, + 0x72, 0x79, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1e, 0x17, 0x0d, 0x39, 0x36, + 0x30, 0x31, 0x32, 0x39, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x32, 0x38, 0x30, + 0x38, 0x30, 0x32, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x5f, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, + 0x04, 0x0a, 0x13, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, + 0x63, 0x2e, 0x31, 0x37, 0x30, 0x35, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x2e, 0x43, 0x6c, 0x61, + 0x73, 0x73, 0x20, 0x31, 0x20, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x20, 0x50, 0x72, 0x69, 0x6d, + 0x61, 0x72, 0x79, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x81, 0x9f, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, + 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xe5, 0x19, 0xbf, 0x6d, 0xa3, 0x56, 0x61, 0x2d, + 0x99, 0x48, 0x71, 0xf6, 0x67, 0xde, 0xb9, 0x8d, 0xeb, 0xb7, 0x9e, 0x86, 0x80, 0x0a, 0x91, 0x0e, + 0xfa, 0x38, 0x25, 0xaf, 0x46, 0x88, 0x82, 0xe5, 0x73, 0xa8, 0xa0, 0x9b, 0x24, 0x5d, 0x0d, 0x1f, + 0xcc, 0x65, 0x6e, 0x0c, 0xb0, 0xd0, 0x56, 0x84, 0x18, 0x87, 0x9a, 0x06, 0x9b, 0x10, 0xa1, 0x73, + 0xdf, 0xb4, 0x58, 0x39, 0x6b, 0x6e, 0xc1, 0xf6, 0x15, 0xd5, 0xa8, 0xa8, 0x3f, 0xaa, 0x12, 0x06, + 0x8d, 0x31, 0xac, 0x7f, 0xb0, 0x34, 0xd7, 0x8f, 0x34, 0x67, 0x88, 0x09, 0xcd, 0x14, 0x11, 0xe2, + 0x4e, 0x45, 0x56, 0x69, 0x1f, 0x78, 0x02, 0x80, 0xda, 0xdc, 0x47, 0x91, 0x29, 0xbb, 0x36, 0xc9, + 0x63, 0x5c, 0xc5, 0xe0, 0xd7, 0x2d, 0x87, 0x7b, 0xa1, 0xb7, 0x32, 0xb0, 0x7b, 0x30, 0xba, 0x2a, + 0x2f, 0x31, 0xaa, 0xee, 0xa3, 0x67, 0xda, 0xdb, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, + 0x58, 0x15, 0x29, 0x39, 0x3c, 0x77, 0xa3, 0xda, 0x5c, 0x25, 0x03, 0x7c, 0x60, 0xfa, 0xee, 0x09, + 0x99, 0x3c, 0x27, 0x10, 0x70, 0xc8, 0x0c, 0x09, 0xe6, 0xb3, 0x87, 0xcf, 0x0a, 0xe2, 0x18, 0x96, + 0x35, 0x62, 0xcc, 0xbf, 0x9b, 0x27, 0x79, 0x89, 0x5f, 0xc9, 0xc4, 0x09, 0xf4, 0xce, 0xb5, 0x1d, + 0xdf, 0x2a, 0xbd, 0xe5, 0xdb, 0x86, 0x9c, 0x68, 0x25, 0xe5, 0x30, 0x7c, 0xb6, 0x89, 0x15, 0xfe, + 0x67, 0xd1, 0xad, 0xe1, 0x50, 0xac, 0x3c, 0x7c, 0x62, 0x4b, 0x8f, 0xba, 0x84, 0xd7, 0x12, 0x15, + 0x1b, 0x1f, 0xca, 0x5d, 0x0f, 0xc1, 0x52, 0x94, 0x2a, 0x11, 0x99, 0xda, 0x7b, 0xcf, 0x0c, 0x36, + 0x13, 0xd5, 0x35, 0xdc, 0x10, 0x19, 0x59, 0xea, 0x94, 0xc1, 0x00, 0xbf, 0x75, 0x8f, 0xd9, 0xfa, + 0xfd, 0x76, 0x04, 0xdb, 0x62, 0xbb, 0x90, 0x6a, 0x03, 0xd9, 0x46, 0x35, 0xd9, 0xf8, 0x7c, 0x5b, +}; + +static void +test_build_certificate_v1_ca (CuTest *cu) +{ + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_VALUE, (void *)verisign_v1_ca, sizeof (verisign_v1_ca) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE expected[] = { + { CKA_CERTIFICATE_CATEGORY, &certificate_authority, sizeof (certificate_authority) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_RV rv; + + setup (cu); + + attrs = NULL; + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (input)); + CuAssertIntEquals (cu, CKR_OK, rv); + + test_check_attrs (cu, expected, attrs); + p11_attrs_free (attrs); + + teardown (cu); +} + +static void +test_build_certificate_staple_ca (CuTest *cu) +{ + CK_ULONG category = 2; /* CA */ + + CK_ATTRIBUTE stapled[] = { + { CKA_CLASS, &certificate_extension, sizeof (certificate_extension) }, + { CKA_OBJECT_ID, (void *)P11_OID_BASIC_CONSTRAINTS, sizeof (P11_OID_BASIC_CONSTRAINTS) }, + { CKA_VALUE, "\x30\x03\x01\x01\xFF", 5 }, + { CKA_ID, "the id", 6 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_VALUE, (void *)entrust_pretend_ca, sizeof (entrust_pretend_ca) }, + { CKA_ID, "the id", 6 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE expected[] = { + { CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_RV rv; + + setup (cu); + + /* Add a stapled certificate */ + rv = p11_index_add (test.index, stapled, 4, NULL); + CuAssertIntEquals (cu, CKR_OK, rv); + + attrs = NULL; + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (input)); + CuAssertIntEquals (cu, CKR_OK, rv); + + /* + * Even though the certificate is not a valid CA, the presence of the + * stapled certificate extension transforms it into a CA. + */ + test_check_attrs (cu, expected, attrs); + p11_attrs_free (attrs); + + teardown (cu); +} + +static void +test_build_certificate_no_type (CuTest *cu) +{ + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_RV rv; + + setup (cu); + + p11_message_quiet (); + + attrs = NULL; + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (input)); + CuAssertIntEquals (cu, CKR_TEMPLATE_INCOMPLETE, rv); + + p11_message_loud (); + + teardown (cu); +} + +static void +test_build_certificate_bad_type (CuTest *cu) +{ + CK_CERTIFICATE_TYPE type = CKC_WTLS; + + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_CERTIFICATE_TYPE, &type, sizeof (type) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_RV rv; + + setup (cu); + + p11_message_quiet (); + + attrs = NULL; + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (input)); + CuAssertIntEquals (cu, CKR_TEMPLATE_INCONSISTENT, rv); + + p11_message_loud (); + + teardown (cu); +} + +static void +test_build_extension (CuTest *cu) +{ + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &certificate_extension, sizeof (certificate_extension) }, + { CKA_OBJECT_ID, "\x06\x03\x55\x1d\x50", 5 }, + { CKA_VALUE, "the value", 9 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE check[] = { + { CKA_CLASS, &certificate_extension, sizeof (certificate_extension) }, + { CKA_TOKEN, &truev, sizeof (truev) }, + { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, + { CKA_PRIVATE, &falsev, sizeof (falsev) }, + { CKA_OBJECT_ID, "\x06\x03\x55\x1d\x50", 5 }, + { CKA_VALUE, "the value", 9 }, + { CKA_LABEL, "", 0 }, + { CKA_X_CRITICAL, &falsev, sizeof (falsev) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_RV rv; + + setup (cu); + + attrs = NULL; + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (input)); + CuAssertIntEquals (cu, CKR_OK, rv); + + test_check_attrs (cu, check, attrs); + p11_attrs_free (attrs); + + teardown (cu); +} + +static void +test_create_not_settable (CuTest *cu) +{ + /* + * CKA_TRUSTED cannot be set by the normal user according to spec + */ + + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_TRUSTED, &falsev, sizeof (falsev) }, + { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_RV rv; + + setup (cu); + + p11_message_quiet (); + + attrs = NULL; + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (input)); + CuAssertIntEquals (cu, CKR_ATTRIBUTE_READ_ONLY, rv); + + p11_message_loud (); + + p11_attrs_free (attrs); + + teardown (cu); +} + +static void +test_create_but_loadable (CuTest *cu) +{ + /* + * CKA_TRUSTED cannot be set on creation, but can be set if we're + * loading from our store. This is signified by batching. + */ + + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_TRUSTED, &falsev, sizeof (falsev) }, + { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_RV rv; + + setup (cu); + + p11_index_batch (test.index); + + attrs = NULL; + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (input)); + CuAssertIntEquals (cu, CKR_OK, rv); + + p11_index_finish (test.index); + + test_check_attrs (cu, input, attrs); + p11_attrs_free (attrs); + + teardown (cu); +} + +static void +test_create_unsupported (CuTest *cu) +{ + CK_OBJECT_CLASS klass = CKO_PRIVATE_KEY; + + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &klass, sizeof (klass) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_RV rv; + + setup (cu); + + p11_message_quiet (); + + attrs = NULL; + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (input)); + CuAssertIntEquals (cu, CKR_TEMPLATE_INCONSISTENT, rv); + + p11_message_loud (); + + teardown (cu); +} + +static void +test_create_generated (CuTest *cu) +{ + CK_OBJECT_CLASS klass = CKO_NSS_TRUST; + + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &klass, sizeof (klass) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_RV rv; + + setup (cu); + + p11_message_quiet (); + + attrs = NULL; + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (input)); + CuAssertIntEquals (cu, CKR_TEMPLATE_INCONSISTENT, rv); + + p11_message_loud (); + + teardown (cu); +} + +static void +test_create_bad_attribute (CuTest *cu) +{ + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &data, sizeof (data) }, + { CKA_VALUE, "the value", 9 }, + { CKA_COLOR, "blue", 4 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_RV rv; + + setup (cu); + + p11_message_quiet (); + + attrs = NULL; + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (input)); + CuAssertIntEquals (cu, CKR_TEMPLATE_INCONSISTENT, rv); + + p11_message_loud (); + + teardown (cu); +} + +static void +test_create_missing_attribute (CuTest *cu) +{ + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &certificate_extension, sizeof (certificate_extension) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_RV rv; + + setup (cu); + + p11_message_quiet (); + + attrs = NULL; + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (input)); + CuAssertIntEquals (cu, CKR_TEMPLATE_INCOMPLETE, rv); + + p11_message_loud (); + + teardown (cu); +} + +static void +test_create_no_class (CuTest *cu) +{ + CK_ATTRIBUTE input[] = { + { CKA_VALUE, "the value", 9 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_RV rv; + + setup (cu); + + p11_message_quiet (); + + attrs = NULL; + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (input)); + CuAssertIntEquals (cu, CKR_TEMPLATE_INCOMPLETE, rv); + + p11_message_loud (); + + teardown (cu); +} + +static void +test_create_token_mismatch (CuTest *cu) +{ + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &data, sizeof (data) }, + { CKA_TOKEN, &falsev, sizeof (falsev) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_RV rv; + + setup (cu); + + p11_message_quiet (); + + attrs = NULL; + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (input)); + CuAssertIntEquals (cu, CKR_TEMPLATE_INCONSISTENT, rv); + + p11_message_loud (); + + teardown (cu); +} + +static void +test_modify_success (CuTest *cu) +{ + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &data, sizeof (data) }, + { CKA_MODIFIABLE, &truev, sizeof (truev) }, + { CKA_VALUE, "the value", 9 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE modify[] = { + { CKA_VALUE, "new value long", 14 }, + { CKA_LABEL, "new label", 9 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE expected[] = { + { CKA_CLASS, &data, sizeof (data) }, + { CKA_MODIFIABLE, &truev, sizeof (truev) }, + { CKA_VALUE, "new value long", 14 }, + { CKA_LABEL, "new label", 9 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_RV rv; + + setup (cu); + + attrs = NULL; + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (input)); + CuAssertIntEquals (cu, CKR_OK, rv); + + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (modify)); + CuAssertIntEquals (cu, CKR_OK, rv); + + test_check_attrs (cu, expected, attrs); + p11_attrs_free (attrs); + + teardown (cu); +} + +static void +test_modify_read_only (CuTest *cu) +{ + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &data, sizeof (data) }, + { CKA_MODIFIABLE, &truev, sizeof (truev) }, + { CKA_VALUE, "the value", 9 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE modify[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_ATTRIBUTE *merge; + CK_RV rv; + + setup (cu); + + attrs = NULL; + merge = p11_attrs_dup (input); + rv = p11_builder_build (test.builder, test.index, &attrs, merge); + CuAssertIntEquals (cu, CKR_OK, rv); + + p11_message_quiet (); + + merge = p11_attrs_dup (modify); + rv = p11_builder_build (test.builder, test.index, &attrs, merge); + CuAssertIntEquals (cu, CKR_ATTRIBUTE_READ_ONLY, rv); + + p11_message_loud (); + + p11_attrs_free (attrs); + + teardown (cu); +} + +static void +test_modify_unchanged (CuTest *cu) +{ + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &data, sizeof (data) }, + { CKA_MODIFIABLE, &truev, sizeof (truev) }, + { CKA_VALUE, "the value", 9 }, + { CKA_INVALID }, + }; + + /* + * Although CKA_CLASS is read-only, changing to same value + * shouldn't fail + */ + + CK_ATTRIBUTE modify[] = { + { CKA_CLASS, &data, sizeof (data) }, + { CKA_VALUE, "the other", 9 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE expected[] = { + { CKA_CLASS, &data, sizeof (data) }, + { CKA_VALUE, "the other", 9 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_RV rv; + + setup (cu); + + attrs = NULL; + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (input)); + CuAssertIntEquals (cu, CKR_OK, rv); + + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (modify)); + CuAssertIntEquals (cu, CKR_OK, rv); + + test_check_attrs (cu, expected, attrs); + p11_attrs_free (attrs); + + teardown (cu); +} + +static void +test_modify_not_modifiable (CuTest *cu) +{ + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &data, sizeof (data) }, + { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, + { CKA_VALUE, "the value", 9 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE modify[] = { + { CKA_VALUE, "the value", 9 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_RV rv; + + setup (cu); + + attrs = NULL; + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (input)); + CuAssertIntEquals (cu, CKR_OK, rv); + + p11_message_quiet (); + + rv = p11_builder_build (test.builder, test.index, &attrs, p11_attrs_dup (modify)); + CuAssertIntEquals (cu, CKR_ATTRIBUTE_READ_ONLY, rv); + + p11_message_loud (); + + p11_attrs_free (attrs); + + teardown (cu); +} + +static void +test_changed_trusted_certificate (CuTest *cu) +{ + static CK_ATTRIBUTE cacert3_trusted_certificate[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_CERTIFICATE_CATEGORY, &certificate_authority, sizeof (certificate_authority) }, + { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, + { CKA_CHECK_VALUE, "\xad\x7c\x3f", 3 }, + { CKA_START_DATE, "20110523", 8 }, + { CKA_END_DATE, "20210520", 8, }, + { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, + { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, + { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, + { CKA_TRUSTED, &truev, sizeof (truev) }, + { CKA_ID, "cacert3", 7 }, + { CKA_LABEL, "Custom Label", 12 }, + { CKA_INVALID }, + }; + + static unsigned char eku_server_and_client[] = { + 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, + 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, + }; + + CK_ATTRIBUTE eku_extension_server_and_client[] = { + { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, + { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, + { CKA_LABEL, "Custom Label", 12 }, + { CKA_X_CRITICAL, &truev, sizeof (truev) }, + { CKA_VALUE, eku_server_and_client, sizeof (eku_server_and_client) }, + { CKA_ID, "cacert3", 7 }, + { CKA_INVALID }, + }; + + static char eku_client_email[] = { + 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04, + }; + + static CK_ATTRIBUTE reject_extension_email[] = { + { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, + { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) }, + { CKA_LABEL, "Custom Label", 12 }, + { CKA_X_CRITICAL, &falsev, sizeof (falsev) }, + { CKA_VALUE, eku_client_email, sizeof (eku_client_email) }, + { CKA_ID, "cacert3", 7 }, + { CKA_INVALID }, + }; + + static CK_ATTRIBUTE nss_trust_server_and_client_distrust_email[] = { + { CKA_CLASS, &nss_trust, sizeof (nss_trust), }, + { CKA_ID, "cacert3", 7 }, + { CKA_CERT_SHA1_HASH, "\xad\x7c\x3f\x64\xfc\x44\x39\xfe\xf4\xe9\x0b\xe8\xf4\x7c\x6c\xfa\x8a\xad\xfd\xce", 20 }, + { CKA_CERT_MD5_HASH, "\xf7\x25\x12\x82\x4e\x67\xb5\xd0\x8d\x92\xb7\x7c\x0b\x86\x7a\x42", 16 }, + { CKA_LABEL, "Custom Label", 12 }, + { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, + { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, + { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, + { CKA_TRUST_SERVER_AUTH, &trusted_delegator, sizeof (trusted_delegator) }, + { CKA_TRUST_CLIENT_AUTH, &trusted_delegator, sizeof (trusted_delegator) }, + { CKA_TRUST_EMAIL_PROTECTION, ¬_trusted, sizeof (not_trusted) }, + { CKA_TRUST_CODE_SIGNING, &trust_unknown, sizeof (trust_unknown) }, + { CKA_TRUST_IPSEC_END_SYSTEM, &trust_unknown, sizeof (trust_unknown) }, + { CKA_TRUST_IPSEC_TUNNEL, &trust_unknown, sizeof (trust_unknown) }, + { CKA_TRUST_IPSEC_USER, &trust_unknown, sizeof (trust_unknown) }, + { CKA_TRUST_TIME_STAMPING, &trust_unknown, sizeof (trust_unknown) }, + { CKA_TRUST_DIGITAL_SIGNATURE, &trusted_delegator, sizeof (trusted_delegator) }, + { CKA_TRUST_NON_REPUDIATION, &trusted_delegator, sizeof (trusted_delegator) }, + { CKA_TRUST_KEY_ENCIPHERMENT, &trusted_delegator, sizeof (trusted_delegator) }, + { CKA_TRUST_DATA_ENCIPHERMENT, &trusted_delegator, sizeof (trusted_delegator) }, + { CKA_TRUST_KEY_AGREEMENT, &trusted_delegator, sizeof (trusted_delegator) }, + { CKA_TRUST_KEY_CERT_SIGN, &trusted_delegator, sizeof (trusted_delegator) }, + { CKA_TRUST_CRL_SIGN, &trusted_delegator, sizeof (trusted_delegator) }, + { CKA_INVALID, } + }; + + static CK_ATTRIBUTE server_anchor_assertion[] = { + { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, + { CKA_X_PURPOSE, (void *)P11_OID_SERVER_AUTH_STR, sizeof (P11_OID_SERVER_AUTH_STR) - 1 }, + { CKA_LABEL, "Custom Label", 12 }, + { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, + { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, + { CKA_ID, "cacert3", 7 }, + { CKA_INVALID }, + }; + + static CK_ATTRIBUTE client_anchor_assertion[] = { + { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, + { CKA_X_PURPOSE, (void *)P11_OID_CLIENT_AUTH_STR, sizeof (P11_OID_CLIENT_AUTH_STR) - 1 }, + { CKA_LABEL, "Custom Label", 12 }, + { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, + { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, + { CKA_ID, "cacert3", 7 }, + { CKA_INVALID }, + }; + + static CK_ATTRIBUTE email_distrust_assertion[] = { + { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, + { CKA_X_PURPOSE, (void *)P11_OID_EMAIL_PROTECTION_STR, sizeof (P11_OID_EMAIL_PROTECTION_STR) - 1 }, + { CKA_LABEL, "Custom Label", 12 }, + { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, + { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, + { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, + { CKA_ID, "cacert3", 7 }, + { CKA_INVALID }, + }; + + /* + * We should get an NSS trust object and various assertions here. + * The first two attributes of each object are enough to look it up, + * and then we check the rest of the attributes match. + */ + + CK_ATTRIBUTE *expected[] = { + nss_trust_server_and_client_distrust_email, + email_distrust_assertion, + server_anchor_assertion, + client_anchor_assertion, + NULL, + }; + + CK_OBJECT_HANDLE handle; + CK_ATTRIBUTE *attrs; + CK_RV rv; + int i; + + setup (cu); + + /* + * A trusted cetrificate, trusted for server and client purposes, + * and explicitly rejects the email and timestamping purposes. + */ + p11_index_batch (test.index); + rv = p11_index_take (test.index, p11_attrs_dup (cacert3_trusted_certificate), NULL); + CuAssertIntEquals (cu, CKR_OK, rv); + rv = p11_index_take (test.index, p11_attrs_dup (eku_extension_server_and_client), NULL); + CuAssertIntEquals (cu, CKR_OK, rv); + rv = p11_index_take (test.index, p11_attrs_dup (reject_extension_email), NULL); + CuAssertIntEquals (cu, CKR_OK, rv); + p11_index_finish (test.index); + + + /* The other objects */ + for (i = 0; expected[i]; i++) { + handle = p11_index_findn (test.index, expected[i], 2); + CuAssertTrue (cu, handle != 0); + + attrs = p11_index_lookup (test.index, handle); + CuAssertPtrNotNull (cu, attrs); + + test_check_attrs (cu, expected[i], attrs); + } + + teardown (cu); +} + +static void +test_changed_distrusted (CuTest *cu) +{ + CK_ATTRIBUTE distrust_cert[] = { + { CKA_CLASS, &certificate, sizeof (certificate), }, + { CKA_CERTIFICATE_CATEGORY, &certificate_authority, sizeof (certificate_authority) }, + { CKA_PRIVATE, &falsev, sizeof (falsev) }, + { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_TRUSTED, &falsev, sizeof (falsev) }, + { CKA_X_DISTRUSTED, &truev, sizeof (truev) }, + { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, + { CKA_ID, "the id", 6 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE eku_extension[] = { + { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, + { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, + { CKA_X_CRITICAL, &truev, sizeof (truev) }, + { CKA_VALUE, "\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x10", 14 }, + { CKA_ID, "the id", 6 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE reject_extension[] = { + { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, + { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) }, + { CKA_X_CRITICAL, &falsev, sizeof (falsev) }, + { CKA_VALUE, "\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02", 12 }, + { CKA_ID, "the id", 6 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE nss_trust_nothing[] = { + { CKA_CLASS, &nss_trust, sizeof (nss_trust), }, + { CKA_ID, "the id", 6 }, + { CKA_CERT_SHA1_HASH, "\xad\x7c\x3f\x64\xfc\x44\x39\xfe\xf4\xe9\x0b\xe8\xf4\x7c\x6c\xfa\x8a\xad\xfd\xce", 20 }, + { CKA_CERT_MD5_HASH, "\xf7\x25\x12\x82\x4e\x67\xb5\xd0\x8d\x92\xb7\x7c\x0b\x86\x7a\x42", 16 }, + { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, + { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, + { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, + { CKA_TRUST_SERVER_AUTH, ¬_trusted, sizeof (not_trusted) }, + { CKA_TRUST_CLIENT_AUTH, ¬_trusted, sizeof (not_trusted) }, + { CKA_TRUST_EMAIL_PROTECTION, ¬_trusted, sizeof (not_trusted) }, + { CKA_TRUST_CODE_SIGNING, ¬_trusted, sizeof (not_trusted) }, + { CKA_TRUST_IPSEC_END_SYSTEM, ¬_trusted, sizeof (not_trusted) }, + { CKA_TRUST_IPSEC_TUNNEL, ¬_trusted, sizeof (not_trusted) }, + { CKA_TRUST_IPSEC_USER, ¬_trusted, sizeof (not_trusted) }, + { CKA_TRUST_TIME_STAMPING, ¬_trusted, sizeof (not_trusted) }, + { CKA_TRUST_DIGITAL_SIGNATURE, ¬_trusted, sizeof (not_trusted) }, + { CKA_TRUST_NON_REPUDIATION, ¬_trusted, sizeof (not_trusted) }, + { CKA_TRUST_KEY_ENCIPHERMENT, ¬_trusted, sizeof (not_trusted) }, + { CKA_TRUST_DATA_ENCIPHERMENT, ¬_trusted, sizeof (not_trusted) }, + { CKA_TRUST_KEY_AGREEMENT, ¬_trusted, sizeof (not_trusted) }, + { CKA_TRUST_KEY_CERT_SIGN, ¬_trusted, sizeof (not_trusted) }, + { CKA_TRUST_CRL_SIGN, ¬_trusted, sizeof (not_trusted) }, + { CKA_INVALID, } + }; + + CK_ATTRIBUTE server_distrust[] = { + { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, + { CKA_X_PURPOSE, (void *)P11_OID_SERVER_AUTH_STR, strlen (P11_OID_SERVER_AUTH_STR) }, + { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, + { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, + { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, + { CKA_ID, "the id", 6 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE client_distrust[] = { + { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, + { CKA_X_PURPOSE, (void *)P11_OID_CLIENT_AUTH_STR, strlen (P11_OID_CLIENT_AUTH_STR) }, + { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, + { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, + { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, + { CKA_ID, "the id", 6 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE code_distrust[] = { + { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, + { CKA_X_PURPOSE, (void *)P11_OID_CODE_SIGNING_STR, strlen (P11_OID_CODE_SIGNING_STR) }, + { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, + { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, + { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, + { CKA_ID, "the id", 6 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE email_distrust[] = { + { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, + { CKA_X_PURPOSE, (void *)P11_OID_EMAIL_PROTECTION_STR, strlen (P11_OID_EMAIL_PROTECTION_STR) }, + { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, + { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, + { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, + { CKA_ID, "the id", 6 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE ipsec_system_distrust[] = { + { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, + { CKA_X_PURPOSE, (void *)P11_OID_IPSEC_END_SYSTEM_STR, strlen (P11_OID_IPSEC_END_SYSTEM_STR) }, + { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, + { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, + { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, + { CKA_ID, "the id", 6 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE ipsec_tunnel_distrust[] = { + { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, + { CKA_X_PURPOSE, (void *)P11_OID_IPSEC_TUNNEL_STR, strlen (P11_OID_IPSEC_TUNNEL_STR) }, + { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, + { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, + { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, + { CKA_ID, "the id", 6 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE ipsec_user_distrust[] = { + { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, + { CKA_X_PURPOSE, (void *)P11_OID_IPSEC_USER_STR, strlen (P11_OID_IPSEC_USER_STR) }, + { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, + { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, + { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, + { CKA_ID, "the id", 6 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE stamping_distrust[] = { + { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, + { CKA_X_PURPOSE, (void *)P11_OID_TIME_STAMPING_STR, strlen (P11_OID_TIME_STAMPING_STR) }, + { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, + { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, + { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, + { CKA_ID, "the id", 6 }, + { CKA_INVALID }, + }; + + /* + * We should get an NSS trust object and various assertions here. + * The first two attributes of each object are enough to look it up, + * and then we check the rest of the attributes match. + */ + + CK_ATTRIBUTE *expected[] = { + nss_trust_nothing, + server_distrust, + client_distrust, + code_distrust, + email_distrust, + ipsec_system_distrust, + ipsec_tunnel_distrust, + ipsec_user_distrust, + stamping_distrust, + NULL + }; + + CK_OBJECT_HANDLE handle; + CK_ATTRIBUTE *attrs; + CK_RV rv; + int i; + + setup (cu); + + /* + * A trusted cetrificate, trusted for server and client purposes, + * and explicitly rejects the email and timestamping purposes. + */ + p11_index_batch (test.index); + rv = p11_index_take (test.index, p11_attrs_dup (distrust_cert), NULL); + CuAssertIntEquals (cu, CKR_OK, rv); + rv = p11_index_take (test.index, p11_attrs_dup (eku_extension), NULL); + CuAssertIntEquals (cu, CKR_OK, rv); + rv = p11_index_take (test.index, p11_attrs_dup (reject_extension), NULL); + CuAssertIntEquals (cu, CKR_OK, rv); + p11_index_finish (test.index); + + /* The other objects */ + for (i = 0; expected[i]; i++) { + handle = p11_index_findn (test.index, expected[i], 2); + CuAssertTrue (cu, handle != 0); + + attrs = p11_index_lookup (test.index, handle); + CuAssertPtrNotNull (cu, attrs); + + test_check_attrs (cu, expected[i], attrs); + } + + teardown (cu); +} + +static void +test_changed_dup_certificates (CuTest *cu) +{ + static CK_ATTRIBUTE trusted_cert[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_CERTIFICATE_CATEGORY, &certificate_authority, sizeof (certificate_authority) }, + { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, + { CKA_TRUSTED, &truev, sizeof (truev) }, + { CKA_ID, "cacert3", 7 }, + { CKA_INVALID }, + }; + + static CK_ATTRIBUTE distrust_cert[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_CERTIFICATE_CATEGORY, &certificate_authority, sizeof (certificate_authority) }, + { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, + { CKA_X_DISTRUSTED, &truev, sizeof (truev) }, + { CKA_ID, "cacert3", 7 }, + { CKA_INVALID }, + }; + + static CK_ATTRIBUTE trusted_nss[] = { + { CKA_CLASS, &nss_trust, sizeof (nss_trust), }, + { CKA_CERT_SHA1_HASH, "\xad\x7c\x3f\x64\xfc\x44\x39\xfe\xf4\xe9\x0b\xe8\xf4\x7c\x6c\xfa\x8a\xad\xfd\xce", 20 }, + { CKA_TRUST_SERVER_AUTH, &trusted_delegator, sizeof (trusted_delegator) }, + { CKA_ID, "cacert3", 7 }, + { CKA_INVALID, } + }; + + static CK_ATTRIBUTE distrust_nss[] = { + { CKA_CLASS, &nss_trust, sizeof (nss_trust), }, + { CKA_CERT_SHA1_HASH, "\xad\x7c\x3f\x64\xfc\x44\x39\xfe\xf4\xe9\x0b\xe8\xf4\x7c\x6c\xfa\x8a\xad\xfd\xce", 20 }, + { CKA_TRUST_SERVER_AUTH, ¬_trusted, sizeof (not_trusted) }, + { CKA_ID, "cacert3", 7 }, + { CKA_INVALID, } + }; + + static CK_ATTRIBUTE match_nss[] = { + { CKA_CLASS, &nss_trust, sizeof (nss_trust), }, + { CKA_ID, "cacert3", 7 }, + { CKA_INVALID, } + }; + + static CK_ATTRIBUTE anchor_assertion[] = { + { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, + { CKA_X_PURPOSE, (void *)P11_OID_SERVER_AUTH_STR, sizeof (P11_OID_SERVER_AUTH_STR) - 1 }, + { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, + { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, + { CKA_ID, "cacert3", 7 }, + { CKA_INVALID }, + }; + + static CK_ATTRIBUTE distrust_assertion[] = { + { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, + { CKA_X_PURPOSE, (void *)P11_OID_SERVER_AUTH_STR, sizeof (P11_OID_SERVER_AUTH_STR) - 1 }, + { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, + { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, + { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, + { CKA_ID, "cacert3", 7 }, + { CKA_INVALID }, + }; + + static CK_ATTRIBUTE match_assertion[] = { + { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, + { CKA_ID, "cacert3", 7 }, + { CKA_INVALID, } + }; + + CK_OBJECT_HANDLE handle1; + CK_OBJECT_HANDLE handle2; + CK_OBJECT_HANDLE handle; + CK_RV rv; + + setup (cu); + + /* + * A trusted certificate, should create trutsed nss trust + * and anchor assertions + */ + p11_index_batch (test.index); + rv = p11_index_take (test.index, p11_attrs_dup (trusted_cert), &handle1); + CuAssertIntEquals (cu, CKR_OK, rv); + p11_index_finish (test.index); + + handle = p11_index_find (test.index, match_nss); + CuAssertTrue (cu, handle != 0); + handle = p11_index_find (test.index, match_assertion); + CuAssertTrue (cu, handle != 0); + handle = p11_index_find (test.index, trusted_nss); + CuAssertTrue (cu, handle != 0); + handle = p11_index_find (test.index, anchor_assertion); + CuAssertTrue (cu, handle != 0); + + /* Now we add a distrusted certificate, should update the objects */ + p11_index_batch (test.index); + rv = p11_index_take (test.index, p11_attrs_dup (distrust_cert), &handle2); + CuAssertIntEquals (cu, CKR_OK, rv); + p11_index_finish (test.index); + + handle = p11_index_find (test.index, trusted_nss); + CuAssertTrue (cu, handle == 0); + handle = p11_index_find (test.index, distrust_nss); + CuAssertTrue (cu, handle != 0); + handle = p11_index_find (test.index, anchor_assertion); + CuAssertTrue (cu, handle == 0); + handle = p11_index_find (test.index, distrust_assertion); + CuAssertTrue (cu, handle != 0); + + /* Now remove the trusted cetrificate, should update again */ + rv = p11_index_remove (test.index, handle2); + CuAssertIntEquals (cu, CKR_OK, rv); + + handle = p11_index_find (test.index, trusted_nss); + CuAssertTrue (cu, handle != 0); + handle = p11_index_find (test.index, distrust_nss); + CuAssertTrue (cu, handle == 0); + handle = p11_index_find (test.index, anchor_assertion); + CuAssertTrue (cu, handle != 0); + handle = p11_index_find (test.index, distrust_assertion); + CuAssertTrue (cu, handle == 0); + + /* Now remove the original certificate, no more nss/assertions */ + rv = p11_index_remove (test.index, handle1); + CuAssertIntEquals (cu, CKR_OK, rv); + + handle = p11_index_find (test.index, match_nss); + CuAssertTrue (cu, handle == 0); + handle = p11_index_find (test.index, match_assertion); + CuAssertTrue (cu, handle == 0); + + teardown (cu); +} + +static void +test_changed_without_id (CuTest *cu) +{ + static CK_ATTRIBUTE trusted_without_id[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_CERTIFICATE_CATEGORY, &certificate_authority, sizeof (certificate_authority) }, + { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, + { CKA_TRUSTED, &truev, sizeof (truev) }, + { CKA_INVALID }, + }; + + CK_OBJECT_CLASS klass = 0; + CK_ATTRIBUTE match[] = { + { CKA_CLASS, &klass, sizeof (klass) }, + { CKA_INVALID }, + }; + + /* + * A cetrificate without a CKA_ID that's created should not + * automatically create any compat objects. + */ + + CK_OBJECT_HANDLE handle; + CK_RV rv; + + setup (cu); + + p11_index_batch (test.index); + rv = p11_index_take (test.index, p11_attrs_dup (trusted_without_id), NULL); + CuAssertIntEquals (cu, CKR_OK, rv); + p11_index_finish (test.index); + + klass = CKO_NSS_TRUST; + handle = p11_index_find (test.index, match); + CuAssertIntEquals (cu, 0, handle); + + klass = CKO_X_TRUST_ASSERTION; + handle = p11_index_find (test.index, match); + CuAssertIntEquals (cu, 0, handle); + + teardown (cu); +} + +static void +test_changed_staple_ca (CuTest *cu) +{ + CK_ULONG category = 0; + + CK_ATTRIBUTE stapled[] = { + { CKA_CLASS, &certificate_extension, sizeof (certificate_extension) }, + { CKA_OBJECT_ID, (void *)P11_OID_BASIC_CONSTRAINTS, sizeof (P11_OID_BASIC_CONSTRAINTS) }, + { CKA_VALUE, "\x30\x03\x01\x01\xFF", 5 }, + { CKA_ID, "the id", 6 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_VALUE, (void *)entrust_pretend_ca, sizeof (entrust_pretend_ca) }, + { CKA_ID, "the id", 6 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE match[] = { + { CKA_VALUE, (void *)entrust_pretend_ca, sizeof (entrust_pretend_ca) }, + { CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE *attrs; + CK_RV rv; + + setup (cu); + + attrs = NULL; + rv = p11_index_take (test.index, p11_attrs_dup (input), NULL); + CuAssertIntEquals (cu, CKR_OK, rv); + + /* Not a CA at this point, until we staple */ + category = 0; + CuAssertTrue (cu, p11_index_find (test.index, match) == 0); + + /* Add a stapled basic constraint */ + rv = p11_index_add (test.index, stapled, 4, NULL); + CuAssertIntEquals (cu, CKR_OK, rv); + + /* Now should be a CA */ + category = 2; + CuAssertTrue (cu, p11_index_find (test.index, match) != 0); + + p11_attrs_free (attrs); + + teardown (cu); +} + +static void +test_changed_staple_ku (CuTest *cu) +{ + CK_ATTRIBUTE stapled_ds_and_np[] = { + { CKA_CLASS, &certificate_extension, sizeof (certificate_extension) }, + { CKA_OBJECT_ID, (void *)P11_OID_KEY_USAGE, sizeof (P11_OID_KEY_USAGE) }, + { CKA_VALUE, "\x03\x03\x07\xc0\x00", 5 }, + { CKA_ID, "the id", 6 }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE input[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_VALUE, (void *)entrust_pretend_ca, sizeof (entrust_pretend_ca) }, + { CKA_TRUSTED, &truev, sizeof (truev) }, + { CKA_ID, "the id", 6 }, + { CKA_INVALID }, + }; + + static CK_ATTRIBUTE nss_trust_ds_and_np[] = { + { CKA_CLASS, &nss_trust, sizeof (nss_trust), }, + { CKA_ID, "the id", 6 }, + { CKA_TRUST_SERVER_AUTH, &trusted, sizeof (trusted) }, + { CKA_TRUST_CLIENT_AUTH, &trusted, sizeof (trusted) }, + { CKA_TRUST_EMAIL_PROTECTION, &trusted, sizeof (trusted) }, + { CKA_TRUST_CODE_SIGNING, &trusted, sizeof (trusted) }, + { CKA_TRUST_IPSEC_END_SYSTEM, &trusted, sizeof (trusted) }, + { CKA_TRUST_IPSEC_TUNNEL, &trusted, sizeof (trusted) }, + { CKA_TRUST_IPSEC_USER, &trusted, sizeof (trusted) }, + { CKA_TRUST_TIME_STAMPING, &trusted, sizeof (trusted) }, + { CKA_TRUST_DIGITAL_SIGNATURE, &trusted, sizeof (trusted) }, + { CKA_TRUST_NON_REPUDIATION, &trusted, sizeof (trusted) }, + { CKA_TRUST_KEY_ENCIPHERMENT, &trust_unknown, sizeof (trust_unknown) }, + { CKA_TRUST_DATA_ENCIPHERMENT, &trust_unknown, sizeof (trust_unknown) }, + { CKA_TRUST_KEY_AGREEMENT, &trust_unknown, sizeof (trust_unknown) }, + { CKA_TRUST_KEY_CERT_SIGN, &trust_unknown, sizeof (trust_unknown) }, + { CKA_TRUST_CRL_SIGN, &trust_unknown, sizeof (trust_unknown) }, + { CKA_INVALID, } + }; + + CK_OBJECT_HANDLE handle; + CK_ATTRIBUTE *attrs; + CK_RV rv; + + setup (cu); + + p11_index_batch (test.index); + rv = p11_index_take (test.index, p11_attrs_dup (input), NULL); + CuAssertIntEquals (cu, CKR_OK, rv); + rv = p11_index_take (test.index, p11_attrs_dup (stapled_ds_and_np), NULL); + CuAssertIntEquals (cu, CKR_OK, rv); + p11_index_finish (test.index); + + handle = p11_index_findn (test.index, nss_trust_ds_and_np, 2); + CuAssertTrue (cu, handle != 0); + + attrs = p11_index_lookup (test.index, handle); + test_check_attrs (cu, nss_trust_ds_and_np, attrs); + + teardown (cu); +} + +int +main (void) +{ + CuString *output = CuStringNew (); + CuSuite* suite = CuSuiteNew (); + int ret; + + putenv ("P11_KIT_STRICT=1"); + p11_library_init (); + p11_debug_init (); + /* p11_message_quiet (); */ + + SUITE_ADD_TEST (suite, test_get_cache); + SUITE_ADD_TEST (suite, test_build_data); + SUITE_ADD_TEST (suite, test_build_certificate); + SUITE_ADD_TEST (suite, test_build_certificate_empty); + SUITE_ADD_TEST (suite, test_build_certificate_non_ca); + SUITE_ADD_TEST (suite, test_build_certificate_v1_ca); + SUITE_ADD_TEST (suite, test_build_certificate_staple_ca); + SUITE_ADD_TEST (suite, test_build_certificate_no_type); + SUITE_ADD_TEST (suite, test_build_certificate_bad_type); + SUITE_ADD_TEST (suite, test_build_extension); + SUITE_ADD_TEST (suite, test_create_not_settable); + SUITE_ADD_TEST (suite, test_create_but_loadable); + SUITE_ADD_TEST (suite, test_create_unsupported); + SUITE_ADD_TEST (suite, test_create_generated); + SUITE_ADD_TEST (suite, test_create_bad_attribute); + SUITE_ADD_TEST (suite, test_create_missing_attribute); + SUITE_ADD_TEST (suite, test_create_no_class); + SUITE_ADD_TEST (suite, test_create_token_mismatch); + SUITE_ADD_TEST (suite, test_modify_success); + SUITE_ADD_TEST (suite, test_modify_read_only); + SUITE_ADD_TEST (suite, test_modify_unchanged); + SUITE_ADD_TEST (suite, test_modify_not_modifiable); + + SUITE_ADD_TEST (suite, test_changed_trusted_certificate); + SUITE_ADD_TEST (suite, test_changed_distrusted); + SUITE_ADD_TEST (suite, test_changed_without_id); + SUITE_ADD_TEST (suite, test_changed_staple_ca); + SUITE_ADD_TEST (suite, test_changed_staple_ku); + SUITE_ADD_TEST (suite, test_changed_dup_certificates); + + CuSuiteRun (suite); + CuSuiteSummary (suite, output); + CuSuiteDetails (suite, output); + printf ("%s\n", output->buffer); + ret = suite->failCount; + CuSuiteDelete (suite); + CuStringDelete (output); + + return ret; +} diff --git a/trust/tests/test-data.c b/trust/tests/test-data.c index f159926..0ddc4c6 100644 --- a/trust/tests/test-data.c +++ b/trust/tests/test-data.c @@ -51,11 +51,9 @@ test_check_object_msg (CuTest *cu, CK_OBJECT_CLASS klass, const char *label) { - CK_BBOOL vtrue = CK_TRUE; CK_BBOOL vfalse = CK_FALSE; CK_ATTRIBUTE expected[] = { - { CKA_TOKEN, &vtrue, sizeof (vtrue) }, { CKA_PRIVATE, &vfalse, sizeof (vfalse) }, { CKA_MODIFIABLE, &vfalse, sizeof (vfalse) }, { CKA_CLASS, &klass, sizeof (klass) }, diff --git a/trust/tests/test-module.c b/trust/tests/test-module.c index ddc31df..9c633f0 100644 --- a/trust/tests/test-module.c +++ b/trust/tests/test-module.c @@ -59,6 +59,8 @@ */ #define NUM_SLOTS 3 +static CK_OBJECT_CLASS data = CKO_DATA; + struct { CK_FUNCTION_LIST *module; CK_SLOT_ID slots[NUM_SLOTS]; @@ -357,7 +359,7 @@ check_trust_object_equiv (CuTest *cu, }; rv = test.module->C_GetAttributeValue (session, trust, equiv, 6); - CuAssertTrue (cu, rv == CKR_OK); + CuAssertIntEquals (cu, CKR_OK, rv); test_check_attrs (cu, equiv, cert); } @@ -551,6 +553,7 @@ static void test_session_object (CuTest *cu) { CK_ATTRIBUTE original[] = { + { CKA_CLASS, &data, sizeof (data) }, { CKA_LABEL, "yay", 3 }, { CKA_VALUE, "eight", 5 }, { CKA_INVALID } @@ -579,6 +582,7 @@ static void test_session_find (CuTest *cu) { CK_ATTRIBUTE original[] = { + { CKA_CLASS, &data, sizeof (data) }, { CKA_LABEL, "yay", 3 }, { CKA_VALUE, "eight", 5 }, { CKA_INVALID } @@ -593,21 +597,21 @@ test_session_find (CuTest *cu) setup (cu); rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION, NULL, NULL, &session); - CuAssertTrue (cu, rv == CKR_OK); + CuAssertIntEquals (cu, CKR_OK, rv); rv = test.module->C_CreateObject (session, original, 2, &handle); - CuAssertTrue (cu, rv == CKR_OK); + CuAssertIntEquals (cu, CKR_OK, rv); rv = test.module->C_FindObjectsInit (session, original, 2); - CuAssertTrue (cu, rv == CKR_OK); + CuAssertIntEquals (cu, CKR_OK, rv); rv = test.module->C_FindObjects (session, &check, 1, &count); - CuAssertTrue (cu, rv == CKR_OK); + CuAssertIntEquals (cu, CKR_OK, rv); CuAssertIntEquals (cu, 1, count); CuAssertIntEquals (cu, handle, check); rv = test.module->C_FindObjectsFinal (session); - CuAssertTrue (cu, rv == CKR_OK); + CuAssertIntEquals (cu, CKR_OK, rv); teardown (cu); } @@ -660,6 +664,7 @@ static void test_setattr_token (CuTest *cu) { CK_ATTRIBUTE original[] = { + { CKA_CLASS, &data, sizeof (data) }, { CKA_LABEL, "yay", 3 }, { CKA_VALUE, "eight", 5 }, { CKA_INVALID } @@ -692,6 +697,7 @@ static void test_session_copy (CuTest *cu) { CK_ATTRIBUTE original[] = { + { CKA_CLASS, &data, sizeof (data) }, { CKA_LABEL, "yay", 3 }, { CKA_VALUE, "eight", 5 }, { CKA_INVALID } @@ -706,16 +712,16 @@ test_session_copy (CuTest *cu) setup (cu); rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION, NULL, NULL, &session); - CuAssertTrue (cu, rv == CKR_OK); + CuAssertIntEquals (cu, CKR_OK, rv); rv = test.module->C_CreateObject (session, original, 2, &handle); - CuAssertTrue (cu, rv == CKR_OK); + CuAssertIntEquals (cu, CKR_OK, rv); rv = test.module->C_CopyObject (session, handle, original, 2, ©); - CuAssertTrue (cu, rv == CKR_OK); + CuAssertIntEquals (cu, CKR_OK, rv); rv = test.module->C_GetObjectSize (session, copy, &size); - CuAssertTrue (cu, rv == CKR_OK); + CuAssertIntEquals (cu, CKR_OK, rv); teardown (cu); } @@ -724,6 +730,7 @@ static void test_session_setattr (CuTest *cu) { CK_ATTRIBUTE original[] = { + { CKA_CLASS, &data, sizeof (data) }, { CKA_LABEL, "yay", 3 }, { CKA_VALUE, "eight", 5 }, { CKA_INVALID } @@ -751,6 +758,7 @@ static void test_session_remove (CuTest *cu) { CK_ATTRIBUTE original[] = { + { CKA_CLASS, &data, sizeof (data) }, { CKA_LABEL, "yay", 3 }, { CKA_VALUE, "eight", 5 }, { CKA_INVALID } diff --git a/trust/tests/test-parser.c b/trust/tests/test-parser.c index 0f40748..3ad89da 100644 --- a/trust/tests/test-parser.c +++ b/trust/tests/test-parser.c @@ -41,6 +41,7 @@ #include "array.h" #include "attrs.h" +#include "builder.h" #include "debug.h" #include "library.h" #include "oid.h" @@ -50,69 +51,75 @@ struct { p11_parser *parser; - p11_array *objects; + p11_asn1_cache *cache; + p11_index *index; } test; static void setup (CuTest *cu) { - test.parser = p11_parser_new (); + test.index = p11_index_new (NULL, NULL, NULL); + test.cache = p11_asn1_cache_new (); + test.parser = p11_parser_new (test.index, test.cache); CuAssertPtrNotNull (cu, test.parser); - - test.objects = p11_array_new (p11_attrs_free); - CuAssertPtrNotNull (cu, test.objects); } static void teardown (CuTest *cu) { p11_parser_free (test.parser); - p11_array_free (test.objects); + p11_index_free (test.index); + p11_asn1_cache_free (test.cache); memset (&test, 0, sizeof (test)); } -static void -on_parse_object (CK_ATTRIBUTE *attrs, - void *data) -{ - CuTest *cu = data; +static CK_OBJECT_CLASS certificate = CKO_CERTIFICATE; +static CK_OBJECT_CLASS certificate_extension = CKO_X_CERTIFICATE_EXTENSION; +static CK_BBOOL falsev = CK_FALSE; +static CK_BBOOL truev = CK_TRUE; +static CK_CERTIFICATE_TYPE x509 = CKC_X_509; - CuAssertPtrNotNull (cu, attrs); - CuAssertTrue (cu, p11_attrs_count (attrs) > 0); +static CK_ATTRIBUTE certificate_match[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_INVALID, }, +}; + +static CK_ATTRIBUTE * +parsed_attrs (CK_ATTRIBUTE *match) +{ + CK_OBJECT_HANDLE handle; + handle = p11_index_find (test.index, certificate_match); + return p11_index_lookup (test.index, handle); - p11_array_push (test.objects, attrs); } static void test_parse_der_certificate (CuTest *cu) { CK_ATTRIBUTE *cert; - CK_ATTRIBUTE *object; - CK_BBOOL bval; int ret; + CK_ATTRIBUTE expected[] = { + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, + { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, + { CKA_TRUSTED, &falsev, sizeof (falsev) }, + { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, + { CKA_INVALID }, + }; + setup (cu); ret = p11_parse_file (test.parser, SRCDIR "/files/cacert3.der", - 0, on_parse_object, cu); + P11_PARSE_FLAG_NONE); CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret); - /* Should have gotten certificate and a trust object */ - CuAssertIntEquals (cu, 2, test.objects->num); - - cert = test.objects->elem[0]; - test_check_cacert3_ca (cu, cert, NULL); - - if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval)) - CuFail (cu, "missing CKA_TRUSTED"); - CuAssertIntEquals (cu, CK_FALSE, bval); + /* Should have gotten certificate */ + CuAssertIntEquals (cu, 1, p11_index_size (test.index)); - if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval)) - CuFail (cu, "missing CKA_X_DISTRUSTED"); - CuAssertIntEquals (cu, CK_FALSE, bval); - - object = test.objects->elem[1]; - test_check_id (cu, cert, object); + cert = parsed_attrs (certificate_match); + test_check_attrs (cu, expected, cert); teardown (cu); } @@ -121,32 +128,29 @@ static void test_parse_pem_certificate (CuTest *cu) { CK_ATTRIBUTE *cert; - CK_ATTRIBUTE *object; - CK_BBOOL bval; int ret; + CK_ATTRIBUTE expected[] = { + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, + { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, + { CKA_TRUSTED, &falsev, sizeof (falsev) }, + { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, + { CKA_INVALID }, + }; + setup (cu); ret = p11_parse_file (test.parser, SRCDIR "/files/cacert3.pem", - 0, on_parse_object, cu); + P11_PARSE_FLAG_NONE); CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret); - /* Should have gotten certificate and a trust object */ - CuAssertIntEquals (cu, 2, test.objects->num); + /* Should have gotten certificate */ + CuAssertIntEquals (cu, 1, p11_index_size (test.index)); - cert = test.objects->elem[0]; - test_check_cacert3_ca (cu, cert, NULL); - - if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval)) - CuFail (cu, "missing CKA_TRUSTED"); - CuAssertIntEquals (cu, CK_FALSE, bval); - - if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval)) - CuFail (cu, "missing CKA_X_DISTRUSTED"); - CuAssertIntEquals (cu, CK_FALSE, bval); - - object = test.objects->elem[1]; - test_check_id (cu, cert, object); + cert = parsed_attrs (certificate_match); + test_check_attrs (cu, expected, cert); teardown (cu); } @@ -154,136 +158,71 @@ test_parse_pem_certificate (CuTest *cu) static void test_parse_openssl_trusted (CuTest *cu) { - CK_TRUST trusted = CKT_NSS_TRUSTED_DELEGATOR; - CK_TRUST distrusted = CKT_NSS_NOT_TRUSTED; - CK_TRUST unknown = CKT_NSS_TRUST_UNKNOWN; - CK_OBJECT_CLASS certificate_extension = CKO_X_CERTIFICATE_EXTENSION; - CK_OBJECT_CLASS trust_object = CKO_NSS_TRUST; - CK_OBJECT_CLASS trust_assertion = CKO_X_TRUST_ASSERTION; - CK_X_ASSERTION_TYPE anchored_certificate = CKT_X_ANCHORED_CERTIFICATE; - CK_X_ASSERTION_TYPE distrusted_certificate = CKT_X_DISTRUSTED_CERTIFICATE; - CK_BBOOL vtrue = CK_TRUE; - CK_BBOOL vfalse = CK_FALSE; + CK_ATTRIBUTE cacert3[] = { + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, + { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, + { CKA_TRUSTED, &truev, sizeof (truev) }, + { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, + { CKA_INVALID }, + }; CK_ATTRIBUTE eku_extension[] = { - { CKA_LABEL, "Custom Label", 12 }, { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, - { CKA_X_CRITICAL, &vtrue, sizeof (vtrue) }, + { CKA_X_CRITICAL, &truev, sizeof (truev) }, { CKA_VALUE, "\x30\x14\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01\x06\x08\x2b\x06" "\x01\x05\x05\x07\x03\x02", 22 }, { CKA_INVALID }, }; CK_ATTRIBUTE reject_extension[] = { - { CKA_LABEL, "Custom Label", 12 }, { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) }, - { CKA_X_CRITICAL, &vfalse, sizeof (vfalse) }, + { CKA_X_CRITICAL, &falsev, sizeof (falsev) }, { CKA_VALUE, "\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x04", 12 }, { CKA_INVALID }, }; - CK_ATTRIBUTE nss_trust[] = { - { CKA_LABEL, "Custom Label", 12 }, - { CKA_CLASS, &trust_object, sizeof (trust_object), }, - { CKA_CERT_SHA1_HASH, "\xad\x7c\x3f\x64\xfc\x44\x39\xfe\xf4\xe9\x0b\xe8\xf4\x7c\x6c\xfa\x8a\xad\xfd\xce", 20 }, - { CKA_CERT_MD5_HASH, "\xf7\x25\x12\x82\x4e\x67\xb5\xd0\x8d\x92\xb7\x7c\x0b\x86\x7a\x42", 16 }, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_TRUST_SERVER_AUTH, &trusted, sizeof (trusted) }, - { CKA_TRUST_CLIENT_AUTH, &trusted, sizeof (trusted) }, - { CKA_TRUST_EMAIL_PROTECTION, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_CODE_SIGNING, &unknown, sizeof (unknown) }, - { CKA_TRUST_IPSEC_END_SYSTEM, &unknown, sizeof (unknown) }, - { CKA_TRUST_IPSEC_TUNNEL, &unknown, sizeof (unknown) }, - { CKA_TRUST_IPSEC_USER, &unknown, sizeof (unknown) }, - { CKA_TRUST_TIME_STAMPING, &unknown, sizeof (unknown) }, - { CKA_TRUST_DIGITAL_SIGNATURE, &trusted, sizeof (trusted) }, - { CKA_TRUST_NON_REPUDIATION, &trusted, sizeof (trusted) }, - { CKA_TRUST_KEY_ENCIPHERMENT, &trusted, sizeof (trusted) }, - { CKA_TRUST_DATA_ENCIPHERMENT, &trusted, sizeof (trusted) }, - { CKA_TRUST_KEY_AGREEMENT, &trusted, sizeof (trusted) }, - { CKA_TRUST_KEY_CERT_SIGN, &trusted, sizeof (trusted) }, - { CKA_TRUST_CRL_SIGN, &trusted, sizeof (trusted) }, - { CKA_INVALID, } - }; - - CK_ATTRIBUTE server_anchor[] = { - { CKA_LABEL, "Custom Label", 12 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_SERVER_AUTH_STR, strlen (P11_OID_SERVER_AUTH_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE client_anchor[] = { - { CKA_LABEL, "Custom Label", 12 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_CLIENT_AUTH_STR, strlen (P11_OID_CLIENT_AUTH_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE email_distrust[] = { - { CKA_LABEL, "Custom Label", 12 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_EMAIL_PROTECTION_STR, strlen (P11_OID_EMAIL_PROTECTION_STR) }, - { CKA_INVALID }, - }; - CK_ATTRIBUTE *expected[] = { - NULL, + cacert3, eku_extension, reject_extension, - nss_trust, - email_distrust, - server_anchor, - client_anchor + NULL }; CK_ATTRIBUTE *cert; CK_ATTRIBUTE *object; - CK_BBOOL bval; + CK_OBJECT_HANDLE handle; int ret; int i; setup (cu); ret = p11_parse_file (test.parser, SRCDIR "/files/cacert3-trusted.pem", - P11_PARSE_FLAG_ANCHOR, on_parse_object, cu); + P11_PARSE_FLAG_ANCHOR); CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret); /* * Should have gotten: * - 1 certificate * - 2 stapled extensions - * - 1 trust object - * - 3 trust assertions */ - CuAssertIntEquals (cu, 7, test.objects->num); + CuAssertIntEquals (cu, 3, p11_index_size (test.index)); /* The certificate */ - cert = test.objects->elem[0]; - test_check_cacert3_ca (cu, cert, NULL); + cert = parsed_attrs (certificate_match); + test_check_attrs (cu, expected[0], cert); - if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval)) - CuFail (cu, "missing CKA_TRUSTED"); - CuAssertIntEquals (cu, CK_TRUE, bval); + /* The other objects */ + for (i = 1; expected[i]; i++) { + handle = p11_index_findn (test.index, expected[i], 2); + CuAssertTrue (cu, handle != 0); - if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval)) - CuFail (cu, "missing CKA_X_DISTRUSTED"); - CuAssertIntEquals (cu, CK_FALSE, bval); + object = p11_index_lookup (test.index, handle); + CuAssertPtrNotNull (cu, object); - /* The other objects */ - for (i = 1; i < 7; i++) { - object = test.objects->elem[i]; test_check_attrs (cu, expected[i], object); test_check_id (cu, cert, object); } @@ -294,191 +233,41 @@ test_parse_openssl_trusted (CuTest *cu) static void test_parse_openssl_distrusted (CuTest *cu) { - CK_TRUST distrusted = CKT_NSS_NOT_TRUSTED; - CK_OBJECT_CLASS certificate_extension = CKO_X_CERTIFICATE_EXTENSION; - CK_OBJECT_CLASS trust_object = CKO_NSS_TRUST; - CK_OBJECT_CLASS klass = CKO_CERTIFICATE; - CK_OBJECT_CLASS trust_assertion = CKO_X_TRUST_ASSERTION; - CK_X_ASSERTION_TYPE distrusted_certificate = CKT_X_DISTRUSTED_CERTIFICATE; - CK_CERTIFICATE_TYPE x509 = CKC_X_509; - CK_ULONG category = 2; /* authority */ - CK_BBOOL vtrue = CK_TRUE; - CK_BBOOL vfalse = CK_FALSE; - - CK_ATTRIBUTE certificate[] = { - { CKA_CLASS, &klass, sizeof (klass), }, - { CKA_TOKEN, &vtrue, sizeof (vtrue) }, - { CKA_PRIVATE, &vfalse, sizeof (vfalse) }, - { CKA_MODIFIABLE, &vfalse, sizeof (vfalse) }, - { CKA_CLASS, &klass, sizeof (klass) }, - { CKA_LABEL, "Red Hat Is the CA", 17 }, + CK_ATTRIBUTE distrust_cert[] = { + { CKA_CLASS, &certificate, sizeof (certificate), }, + { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) }, - { CKA_CHECK_VALUE, "\xe9z}", 3 }, - { CKA_START_DATE, "20090916", 8 }, - { CKA_END_DATE, "20190914", 8, }, - { CKA_SERIAL_NUMBER, "\x02\x01\x01", 3 }, - { CKA_TRUSTED, &vfalse, sizeof (vfalse) }, - { CKA_X_DISTRUSTED, &vtrue, sizeof (vtrue) }, + { CKA_TRUSTED, &falsev, sizeof (falsev) }, + { CKA_X_DISTRUSTED, &truev, sizeof (truev) }, { CKA_INVALID }, }; CK_ATTRIBUTE eku_extension[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, - { CKA_X_CRITICAL, &vtrue, sizeof (vtrue) }, + { CKA_X_CRITICAL, &truev, sizeof (truev) }, { CKA_VALUE, "\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x10", 14 }, { CKA_INVALID }, }; CK_ATTRIBUTE reject_extension[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) }, - { CKA_X_CRITICAL, &vfalse, sizeof (vfalse) }, + { CKA_X_CRITICAL, &falsev, sizeof (falsev) }, { CKA_VALUE, "\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02", 12 }, { CKA_INVALID }, }; - CK_ATTRIBUTE nss_trust[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, - { CKA_CLASS, &trust_object, sizeof (trust_object), }, - { CKA_CERT_SHA1_HASH, "\xe9z}\xe3\x82""7\xa0U\xb1k\xfe\xffo.\x03\x15*\xba\xb9\x90", 20 }, - { CKA_CERT_MD5_HASH, "\xda\xb4<\xe7;QK\x1a\xe5\xeau\xa1\xc9 \xdf""B", 16 }, - { CKA_SERIAL_NUMBER, "\x02\x01\x01", 3 }, - { CKA_TRUST_SERVER_AUTH, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_CLIENT_AUTH, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_EMAIL_PROTECTION, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_CODE_SIGNING, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_IPSEC_END_SYSTEM, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_IPSEC_TUNNEL, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_IPSEC_USER, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_TIME_STAMPING, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_DIGITAL_SIGNATURE, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_NON_REPUDIATION, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_KEY_ENCIPHERMENT, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_DATA_ENCIPHERMENT, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_KEY_AGREEMENT, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_KEY_CERT_SIGN, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_CRL_SIGN, &distrusted, sizeof (distrusted) }, - { CKA_INVALID, } - }; - - unsigned char red_hat_issuer[] = { - 0x30, 0x81, 0x9d, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0e, 0x4e, 0x6f, 0x72, 0x74, 0x68, - 0x20, 0x43, 0x61, 0x72, 0x6f, 0x6c, 0x69, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, - 0x04, 0x07, 0x13, 0x07, 0x52, 0x61, 0x6c, 0x65, 0x69, 0x67, 0x68, 0x31, 0x16, 0x30, 0x14, 0x06, - 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0d, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x2c, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x02, 0x49, 0x53, - 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0d, 0x52, 0x65, 0x64, 0x20, 0x48, - 0x61, 0x74, 0x20, 0x49, 0x53, 0x20, 0x43, 0x41, 0x31, 0x26, 0x30, 0x24, 0x06, 0x09, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x17, 0x73, 0x79, 0x73, 0x61, 0x64, 0x6d, 0x69, - 0x6e, 0x2d, 0x72, 0x64, 0x75, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74, 0x2e, 0x63, 0x6f, 0x6d, - }; - - unsigned char red_hat_serial[] = { - 0x02, 0x01, 0x01, - }; - - CK_ATTRIBUTE server_distrust[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_ISSUER, (void *)red_hat_issuer, sizeof (red_hat_issuer) }, - { CKA_SERIAL_NUMBER, (void *)red_hat_serial, sizeof (red_hat_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_SERVER_AUTH_STR, strlen (P11_OID_SERVER_AUTH_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE client_distrust[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_ISSUER, (void *)red_hat_issuer, sizeof (red_hat_issuer) }, - { CKA_SERIAL_NUMBER, (void *)red_hat_serial, sizeof (red_hat_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_CLIENT_AUTH_STR, strlen (P11_OID_CLIENT_AUTH_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE code_distrust[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_ISSUER, (void *)red_hat_issuer, sizeof (red_hat_issuer) }, - { CKA_SERIAL_NUMBER, (void *)red_hat_serial, sizeof (red_hat_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_CODE_SIGNING_STR, strlen (P11_OID_CODE_SIGNING_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE email_distrust[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_ISSUER, (void *)red_hat_issuer, sizeof (red_hat_issuer) }, - { CKA_SERIAL_NUMBER, (void *)red_hat_serial, sizeof (red_hat_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_EMAIL_PROTECTION_STR, strlen (P11_OID_EMAIL_PROTECTION_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE ipsec_system_distrust[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_ISSUER, (void *)red_hat_issuer, sizeof (red_hat_issuer) }, - { CKA_SERIAL_NUMBER, (void *)red_hat_serial, sizeof (red_hat_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_IPSEC_END_SYSTEM_STR, strlen (P11_OID_IPSEC_END_SYSTEM_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE ipsec_tunnel_distrust[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_ISSUER, (void *)red_hat_issuer, sizeof (red_hat_issuer) }, - { CKA_SERIAL_NUMBER, (void *)red_hat_serial, sizeof (red_hat_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_IPSEC_TUNNEL_STR, strlen (P11_OID_IPSEC_TUNNEL_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE ipsec_user_distrust[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_ISSUER, (void *)red_hat_issuer, sizeof (red_hat_issuer) }, - { CKA_SERIAL_NUMBER, (void *)red_hat_serial, sizeof (red_hat_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_IPSEC_USER_STR, strlen (P11_OID_IPSEC_USER_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE stamping_distrust[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_ISSUER, (void *)red_hat_issuer, sizeof (red_hat_issuer) }, - { CKA_SERIAL_NUMBER, (void *)red_hat_serial, sizeof (red_hat_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_TIME_STAMPING_STR, strlen (P11_OID_TIME_STAMPING_STR) }, - { CKA_INVALID }, - }; - CK_ATTRIBUTE *expected[] = { - certificate, + distrust_cert, eku_extension, reject_extension, - nss_trust, - server_distrust, - client_distrust, - code_distrust, - email_distrust, - ipsec_system_distrust, - ipsec_tunnel_distrust, - ipsec_user_distrust, - stamping_distrust, + NULL }; CK_ATTRIBUTE *cert; CK_ATTRIBUTE *object; + CK_OBJECT_HANDLE handle; int ret; int i; @@ -489,22 +278,26 @@ test_parse_openssl_distrusted (CuTest *cu) * so we parse this as an anchor, but expect it to be blacklisted */ ret = p11_parse_file (test.parser, SRCDIR "/files/distrusted.pem", - P11_PARSE_FLAG_ANCHOR, on_parse_object, cu); + P11_PARSE_FLAG_ANCHOR); CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret); /* * Should have gotten: * - 1 certificate * - 2 stapled extensions - * - 1 trust object - * - 8 trust assertions */ - CuAssertIntEquals (cu, 12, test.objects->num); - cert = test.objects->elem[0]; + CuAssertIntEquals (cu, 3, p11_index_size (test.index)); + cert = parsed_attrs (certificate_match); + test_check_attrs (cu, expected[0], cert); /* The other objects */ - for (i = 0; i < 12; i++) { - object = test.objects->elem[i]; + for (i = 1; expected[i]; i++) { + handle = p11_index_findn (test.index, expected[i], 2); + CuAssertTrue (cu, handle != 0); + + object = p11_index_lookup (test.index, handle); + CuAssertPtrNotNull (cu, object); + test_check_attrs (cu, expected[i], object); test_check_id (cu, cert, object); } @@ -513,246 +306,35 @@ test_parse_openssl_distrusted (CuTest *cu) } static void -test_parse_with_key_usage (CuTest *cu) -{ - CK_TRUST trusted = CKT_NSS_TRUSTED; - CK_TRUST unknown = CKT_NSS_TRUST_UNKNOWN; - CK_OBJECT_CLASS klass = CKO_CERTIFICATE; - CK_OBJECT_CLASS trust_object = CKO_NSS_TRUST; - CK_BBOOL vtrue = CK_TRUE; - CK_BBOOL vfalse = CK_FALSE; - CK_CERTIFICATE_TYPE x509 = CKC_X_509; - CK_ULONG category = 3; /* other entity */ - - CK_ATTRIBUTE certificate[] = { - { CKA_CLASS, &klass, sizeof (klass), }, - { CKA_TOKEN, &vtrue, sizeof (vtrue) }, - { CKA_PRIVATE, &vfalse, sizeof (vfalse) }, - { CKA_MODIFIABLE, &vfalse, sizeof (vfalse) }, - { CKA_CLASS, &klass, sizeof (klass) }, - { CKA_LABEL, "self-signed-with-ku.example.com", 31 }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) }, - { CKA_CHECK_VALUE, "d/\x9c", 3 }, - { CKA_START_DATE, "20121211", 8 }, - { CKA_END_DATE, "20130110", 8, }, - { CKA_ISSUER, "0*1(0&\x06\x03U\x04\x03\x13\x1f""self-signed-with-ku.example.com", 44 }, - { CKA_SUBJECT, "0*1(0&\x06\x03U\x04\x03\x13\x1f""self-signed-with-ku.example.com", 44 }, - { CKA_SERIAL_NUMBER, "\x02\x02\x03x", 4 }, - { CKA_TRUSTED, &vtrue, sizeof (vtrue) }, - { CKA_X_DISTRUSTED, &vfalse, sizeof (vfalse) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE nss_trust[] = { - { CKA_LABEL, "self-signed-with-ku.example.com", 31 }, - { CKA_CLASS, &trust_object, sizeof (trust_object), }, - { CKA_CERT_SHA1_HASH, "d/\x9c=\xbc\x9a\x7f\x91\xc7wT\t`\x86\xe2\x8e\x8f\xa8J\x12", 20 }, - { CKA_CERT_MD5_HASH, "\xb1N=\x16\x12?dz\x97\x81""By/\xcc\x97\x82", 16 }, - { CKA_ISSUER, "0*1(0&\x06\x03U\x04\x03\x13\x1f""self-signed-with-ku.example.com", 44 }, - { CKA_SUBJECT, "0*1(0&\x06\x03U\x04\x03\x13\x1f""self-signed-with-ku.example.com", 44 }, - { CKA_SERIAL_NUMBER, "\x02\x02\x03x", 4 }, - { CKA_TRUST_SERVER_AUTH, &trusted, sizeof (trusted) }, - { CKA_TRUST_CLIENT_AUTH, &trusted, sizeof (trusted) }, - { CKA_TRUST_EMAIL_PROTECTION, &trusted, sizeof (trusted) }, - { CKA_TRUST_CODE_SIGNING, &trusted, sizeof (trusted) }, - { CKA_TRUST_IPSEC_END_SYSTEM, &trusted, sizeof (trusted) }, - { CKA_TRUST_IPSEC_TUNNEL, &trusted, sizeof (trusted) }, - { CKA_TRUST_IPSEC_USER, &trusted, sizeof (trusted) }, - { CKA_TRUST_TIME_STAMPING, &trusted, sizeof (trusted) }, - { CKA_TRUST_DIGITAL_SIGNATURE, &trusted, sizeof (trusted) }, - { CKA_TRUST_NON_REPUDIATION, &unknown, sizeof (unknown) }, - { CKA_TRUST_KEY_ENCIPHERMENT, &unknown, sizeof (unknown) }, - { CKA_TRUST_DATA_ENCIPHERMENT, &unknown, sizeof (unknown) }, - { CKA_TRUST_KEY_AGREEMENT, &unknown, sizeof (unknown) }, - { CKA_TRUST_KEY_CERT_SIGN, &trusted, sizeof (trusted) }, - { CKA_TRUST_CRL_SIGN, &unknown, sizeof (unknown) }, - { CKA_INVALID, } - }; - - CK_ATTRIBUTE *cert; - CK_ATTRIBUTE *object; - CK_BBOOL bval; - int ret; - - setup (cu); - - ret = p11_parse_file (test.parser, SRCDIR "/files/self-signed-with-ku.der", - P11_PARSE_FLAG_ANCHOR, on_parse_object, cu); - CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret); - - /* Should have gotten certificate, and a trust object */ - CuAssertIntEquals (cu, 2, test.objects->num); - - cert = test.objects->elem[0]; - test_check_attrs (cu, certificate, cert); - - if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval)) - CuFail (cu, "missing CKA_TRUSTED"); - CuAssertIntEquals (cu, CK_TRUE, bval); - - if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval)) - CuFail (cu, "missing CKA_X_DISTRUSTED"); - CuAssertIntEquals (cu, CK_FALSE, bval); - - object = test.objects->elem[1]; - test_check_attrs (cu, nss_trust, object); - test_check_id (cu, cert, object); - - teardown (cu); -} - -static void test_parse_anchor (CuTest *cu) { - CK_BBOOL vtrue = CK_TRUE; - CK_OBJECT_CLASS trust_object = CKO_NSS_TRUST; - CK_ATTRIBUTE trusted = { CKA_TRUSTED, &vtrue, sizeof (vtrue) }; - CK_TRUST delegator = CKT_NSS_TRUSTED_DELEGATOR; - CK_OBJECT_CLASS trust_assertion = CKO_X_TRUST_ASSERTION; - CK_X_ASSERTION_TYPE anchored_certificate = CKT_X_ANCHORED_CERTIFICATE; - - CK_ATTRIBUTE nss_trust[] = { - { CKA_LABEL, "CAcert Class 3 Root", 19 }, - { CKA_CLASS, &trust_object, sizeof (trust_object), }, - { CKA_CERT_SHA1_HASH, "\xad\x7c\x3f\x64\xfc\x44\x39\xfe\xf4\xe9\x0b\xe8\xf4\x7c\x6c\xfa\x8a\xad\xfd\xce", 20 }, - { CKA_CERT_MD5_HASH, "\xf7\x25\x12\x82\x4e\x67\xb5\xd0\x8d\x92\xb7\x7c\x0b\x86\x7a\x42", 16 }, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_TRUST_SERVER_AUTH, &delegator, sizeof (delegator) }, - { CKA_TRUST_CLIENT_AUTH, &delegator, sizeof (delegator) }, - { CKA_TRUST_EMAIL_PROTECTION, &delegator, sizeof (delegator) }, - { CKA_TRUST_CODE_SIGNING, &delegator, sizeof (delegator) }, - { CKA_TRUST_IPSEC_END_SYSTEM, &delegator, sizeof (delegator) }, - { CKA_TRUST_IPSEC_TUNNEL, &delegator, sizeof (delegator) }, - { CKA_TRUST_IPSEC_USER, &delegator, sizeof (delegator) }, - { CKA_TRUST_TIME_STAMPING, &delegator, sizeof (delegator) }, - { CKA_TRUST_DIGITAL_SIGNATURE, &delegator, sizeof (delegator) }, - { CKA_TRUST_NON_REPUDIATION, &delegator, sizeof (delegator) }, - { CKA_TRUST_KEY_ENCIPHERMENT, &delegator, sizeof (delegator) }, - { CKA_TRUST_DATA_ENCIPHERMENT, &delegator, sizeof (delegator) }, - { CKA_TRUST_KEY_AGREEMENT, &delegator, sizeof (delegator) }, - { CKA_TRUST_KEY_CERT_SIGN, &delegator, sizeof (delegator) }, - { CKA_TRUST_CRL_SIGN, &delegator, sizeof (delegator) }, - { CKA_INVALID, } - }; - - CK_ATTRIBUTE server_anchor[] = { - { CKA_LABEL, "CAcert Class 3 Root", 19 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_SERVER_AUTH_STR, strlen (P11_OID_SERVER_AUTH_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE client_anchor[] = { - { CKA_LABEL, "CAcert Class 3 Root", 19 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_CLIENT_AUTH_STR, strlen (P11_OID_CLIENT_AUTH_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE code_anchor[] = { - { CKA_LABEL, "CAcert Class 3 Root", 19 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_CODE_SIGNING_STR, strlen (P11_OID_CODE_SIGNING_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE email_anchor[] = { - { CKA_LABEL, "CAcert Class 3 Root", 19 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_EMAIL_PROTECTION_STR, strlen (P11_OID_EMAIL_PROTECTION_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE ipsec_system_anchor[] = { - { CKA_LABEL, "CAcert Class 3 Root", 19 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_IPSEC_END_SYSTEM_STR, strlen (P11_OID_IPSEC_END_SYSTEM_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE ipsec_tunnel_anchor[] = { - { CKA_LABEL, "CAcert Class 3 Root", 19 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_IPSEC_TUNNEL_STR, strlen (P11_OID_IPSEC_TUNNEL_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE ipsec_user_anchor[] = { - { CKA_LABEL, "CAcert Class 3 Root", 19 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_IPSEC_USER_STR, strlen (P11_OID_IPSEC_USER_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE stamping_anchor[] = { - { CKA_LABEL, "CAcert Class 3 Root", 19 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, + CK_ATTRIBUTE cacert3[] = { + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_CLASS, &certificate, sizeof (certificate) }, { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_TIME_STAMPING_STR, strlen (P11_OID_TIME_STAMPING_STR) }, + { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, + { CKA_TRUSTED, &truev, sizeof (truev) }, + { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, { CKA_INVALID }, }; - CK_ATTRIBUTE *expected[] = { - NULL, - nss_trust, - server_anchor, - client_anchor, - code_anchor, - email_anchor, - ipsec_system_anchor, - ipsec_tunnel_anchor, - ipsec_user_anchor, - stamping_anchor, - }; - CK_ATTRIBUTE *cert; - CK_ATTRIBUTE *object; - CK_ATTRIBUTE *attr; int ret; - int i; setup (cu); ret = p11_parse_file (test.parser, SRCDIR "/files/cacert3.der", - P11_PARSE_FLAG_ANCHOR, on_parse_object, cu); + P11_PARSE_FLAG_ANCHOR); CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret); /* * Should have gotten: * - 1 certificate - * - 1 trust object - * - 8 trust assertions */ - CuAssertIntEquals (cu, 10, test.objects->num); - - cert = test.objects->elem[0]; - test_check_cacert3_ca (cu, cert, NULL); - attr = p11_attrs_find (cert, CKA_TRUSTED); - test_check_attr (cu, &trusted, attr); + CuAssertIntEquals (cu, 1, p11_index_size (test.index)); - for (i = 1; i < 10; i++) { - object = test.objects->elem[i]; - test_check_attrs (cu, expected[i], object); - test_check_id (cu, cert, object); - } + cert = parsed_attrs (certificate_match); + test_check_attrs (cu, cacert3, cert); teardown (cu); } @@ -760,29 +342,20 @@ test_parse_anchor (CuTest *cu) /* TODO: A certificate that uses generalTime needs testing */ static void -test_parse_no_sink (CuTest *cu) -{ - int ret; - - setup (cu); - - ret = p11_parse_file (test.parser, SRCDIR "/files/cacert3.der", - 0, NULL, NULL); - CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret); - - teardown (cu); -} - -static void test_parse_invalid_file (CuTest *cu) { int ret; setup (cu); - ret = p11_parse_file (test.parser, "/nonexistant", 0, on_parse_object, cu); + p11_message_quiet (); + + ret = p11_parse_file (test.parser, "/nonexistant", + P11_PARSE_FLAG_NONE); CuAssertIntEquals (cu, P11_PARSE_FAILURE, ret); + p11_message_loud (); + teardown (cu); } @@ -793,10 +366,14 @@ test_parse_unrecognized (CuTest *cu) setup (cu); + p11_message_quiet (); + ret = p11_parse_file (test.parser, SRCDIR "/files/unrecognized-file.txt", - 0, on_parse_object, cu); + P11_PARSE_FLAG_NONE); CuAssertIntEquals (cu, P11_PARSE_UNRECOGNIZED, ret); + p11_message_loud (); + teardown (cu); } @@ -810,15 +387,12 @@ main (void) putenv ("P11_KIT_STRICT=1"); p11_library_init (); p11_debug_init (); - p11_message_quiet (); SUITE_ADD_TEST (suite, test_parse_der_certificate); SUITE_ADD_TEST (suite, test_parse_pem_certificate); SUITE_ADD_TEST (suite, test_parse_openssl_trusted); SUITE_ADD_TEST (suite, test_parse_openssl_distrusted); - SUITE_ADD_TEST (suite, test_parse_with_key_usage); SUITE_ADD_TEST (suite, test_parse_anchor); - SUITE_ADD_TEST (suite, test_parse_no_sink); SUITE_ADD_TEST (suite, test_parse_invalid_file); SUITE_ADD_TEST (suite, test_parse_unrecognized); diff --git a/trust/tests/test-token.c b/trust/tests/test-token.c index ad25da0..5cca233 100644 --- a/trust/tests/test-token.c +++ b/trust/tests/test-token.c @@ -83,33 +83,10 @@ test_token_load (CuTest *cu) teardown (cu); } -static bool -check_object (CK_ATTRIBUTE *match) -{ - CK_OBJECT_HANDLE *handles; - CK_ATTRIBUTE *attrs; - p11_index *index; - bool ret = false; - int i; - - index = p11_token_index (test.token); - handles = p11_index_snapshot (index, NULL, match, p11_attrs_count (match)); - - for (i = 0; handles[i] != 0; i++) { - attrs = p11_index_lookup (index, handles[i]); - if (p11_attrs_match (attrs, match)) { - ret = true; - break; - } - } - - free (handles); - return ret; -} - static void test_token_flags (CuTest *cu) { + CK_OBJECT_CLASS certificate = CKO_CERTIFICATE; CK_BBOOL falsev = CK_FALSE; CK_BBOOL truev = CK_TRUE; @@ -120,6 +97,7 @@ test_token_flags (CuTest *cu) */ CK_ATTRIBUTE blacklist[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, { CKA_LABEL, "Red Hat Is the CA", 17 }, { CKA_SERIAL_NUMBER, "\x02\x01\x01", 3 }, { CKA_TRUSTED, &falsev, sizeof (falsev) }, @@ -142,6 +120,7 @@ test_token_flags (CuTest *cu) }; CK_ATTRIBUTE blacklist2[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, { CKA_SUBJECT, (void *)self_server_subject, sizeof (self_server_subject) }, { CKA_TRUSTED, &falsev, sizeof (falsev) }, { CKA_X_DISTRUSTED, &truev, sizeof (truev) }, @@ -155,6 +134,7 @@ test_token_flags (CuTest *cu) */ CK_ATTRIBUTE anchor[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, { CKA_TRUSTED, &truev, sizeof (truev) }, { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, @@ -179,27 +159,40 @@ test_token_flags (CuTest *cu) */ CK_ATTRIBUTE notrust[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, { CKA_SUBJECT, (void *)cacert_root_subject, sizeof (cacert_root_subject) }, { CKA_TRUSTED, &falsev, sizeof (falsev) }, { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, { CKA_INVALID }, }; - CK_ATTRIBUTE invalid[] = { - { CKA_LABEL, "Waonec9aoe9", 8 }, - { CKA_INVALID }, + CK_ATTRIBUTE *expected[] = { + anchor, + blacklist, + blacklist2, + notrust, + NULL, }; + CK_OBJECT_HANDLE handle; + CK_ATTRIBUTE *object; + int i; + setup (cu, SRCDIR "/input"); if (p11_token_load (test.token) < 0) CuFail (cu, "should not be reached"); - CuAssertTrue (cu, !check_object (invalid)); - CuAssertTrue (cu, check_object (anchor)); - CuAssertTrue (cu, check_object (blacklist)); - CuAssertTrue (cu, check_object (blacklist2)); - CuAssertTrue (cu, check_object (notrust)); + /* The other objects */ + for (i = 0; expected[i]; i++) { + handle = p11_index_findn (p11_token_index (test.token), expected[i], 2); + CuAssertTrue (cu, handle != 0); + + object = p11_index_lookup (p11_token_index (test.token), handle); + CuAssertPtrNotNull (cu, object); + + test_check_attrs (cu, expected[i], object); + } teardown (cu); } @@ -234,7 +227,6 @@ main (void) putenv ("P11_KIT_STRICT=1"); p11_library_init (); p11_debug_init (); - p11_message_quiet (); SUITE_ADD_TEST (suite, test_token_load); SUITE_ADD_TEST (suite, test_token_flags); |