diff options
author | Stef Walter <stefw@gnome.org> | 2013-03-14 10:05:17 +0100 |
---|---|---|
committer | Stef Walter <stefw@gnome.org> | 2013-03-15 17:19:01 +0100 |
commit | 86e60637394340ef2fa3b3db6b451dac1d73052b (patch) | |
tree | 8fa4f4c353534ffc259f9e333e64fbf7d068e913 /trust/tests | |
parent | bf63f009cd4a1147a3e0684d898f140f46666b0e (diff) |
trust: Rework input path treatment
* Accept a single --with-trust-paths argument to ./configure
which cotnains all the input paths.
* The --with-system-anchors and --with-system-certificates
./configure arguments are no longer supported. Since they were
only present briefly, no provision is made for backwards
compatibility.
* Each input file is treated as containing anchors by default
unless an input certificate contains detailed trust information.
* The files in each input directory are not automatically treated
as anchors unless a certificate contains detailed trust information.
* The files in anchors/ subdirectory of each input directory are
automatically marked as anchors.
* The files in the blacklist/ subdirectory of each input directory
are automatically marked as blacklisted.
* Update tests and move around test certificates so we can
test these changes.
https://bugs.freedesktop.org/show_bug.cgi?id=62327
Diffstat (limited to 'trust/tests')
-rw-r--r-- | trust/tests/certificates/self-signed-with-ku.der | bin | 501 -> 0 bytes | |||
-rw-r--r-- | trust/tests/files/self-signed-with-eku.der (renamed from trust/tests/certificates/self-signed-with-eku.der) | bin | 480 -> 480 bytes | |||
-rw-r--r-- | trust/tests/frob-token.c | 2 | ||||
-rw-r--r-- | trust/tests/input/anchors/cacert3.der (renamed from trust/tests/anchors/cacert3.der) | bin | 1885 -> 1885 bytes | |||
-rw-r--r-- | trust/tests/input/anchors/testing-ca.der (renamed from trust/tests/anchors/testing-ca.der) | bin | 970 -> 970 bytes | |||
-rw-r--r-- | trust/tests/input/blacklist/self-server.der (renamed from trust/tests/files/self-server.der) | bin | 396 -> 396 bytes | |||
-rw-r--r-- | trust/tests/input/cacert-ca.der (renamed from trust/tests/certificates/cacert-ca.der) | bin | 1857 -> 1857 bytes | |||
-rw-r--r-- | trust/tests/input/distrusted.pem | 23 | ||||
-rw-r--r-- | trust/tests/test-module.c | 8 | ||||
-rw-r--r-- | trust/tests/test-session.c | 2 | ||||
-rw-r--r-- | trust/tests/test-token.c | 123 |
11 files changed, 148 insertions, 10 deletions
diff --git a/trust/tests/certificates/self-signed-with-ku.der b/trust/tests/certificates/self-signed-with-ku.der Binary files differdeleted file mode 100644 index e6f36e3..0000000 --- a/trust/tests/certificates/self-signed-with-ku.der +++ /dev/null diff --git a/trust/tests/certificates/self-signed-with-eku.der b/trust/tests/files/self-signed-with-eku.der Binary files differindex 33e0760..33e0760 100644 --- a/trust/tests/certificates/self-signed-with-eku.der +++ b/trust/tests/files/self-signed-with-eku.der diff --git a/trust/tests/frob-token.c b/trust/tests/frob-token.c index 95c129a..23856cf 100644 --- a/trust/tests/frob-token.c +++ b/trust/tests/frob-token.c @@ -52,7 +52,7 @@ main (int argc, return 2; } - token = p11_token_new (argv[1], NULL); + token = p11_token_new (argv[1]); count = p11_token_load (token); printf ("%d files loaded\n", count); diff --git a/trust/tests/anchors/cacert3.der b/trust/tests/input/anchors/cacert3.der Binary files differindex 56f8c88..56f8c88 100644 --- a/trust/tests/anchors/cacert3.der +++ b/trust/tests/input/anchors/cacert3.der diff --git a/trust/tests/anchors/testing-ca.der b/trust/tests/input/anchors/testing-ca.der Binary files differindex d3f70ea..d3f70ea 100644 --- a/trust/tests/anchors/testing-ca.der +++ b/trust/tests/input/anchors/testing-ca.der diff --git a/trust/tests/files/self-server.der b/trust/tests/input/blacklist/self-server.der Binary files differindex 68fe9af..68fe9af 100644 --- a/trust/tests/files/self-server.der +++ b/trust/tests/input/blacklist/self-server.der diff --git a/trust/tests/certificates/cacert-ca.der b/trust/tests/input/cacert-ca.der Binary files differindex 719b0ff..719b0ff 100644 --- a/trust/tests/certificates/cacert-ca.der +++ b/trust/tests/input/cacert-ca.der diff --git a/trust/tests/input/distrusted.pem b/trust/tests/input/distrusted.pem new file mode 100644 index 0000000..8de6ff0 --- /dev/null +++ b/trust/tests/input/distrusted.pem @@ -0,0 +1,23 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDsDCCAxmgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBnTELMAkGA1UEBhMCVVMx +FzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHEwdSYWxlaWdoMRYwFAYD +VQQKEw1SZWQgSGF0LCBJbmMuMQswCQYDVQQLEwJJUzEWMBQGA1UEAxMNUmVkIEhh +dCBJUyBDQTEmMCQGCSqGSIb3DQEJARYXc3lzYWRtaW4tcmR1QHJlZGhhdC5jb20w +HhcNMDkwOTE2MTg0NTI1WhcNMTkwOTE0MTg0NTI1WjCBnTELMAkGA1UEBhMCVVMx +FzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHEwdSYWxlaWdoMRYwFAYD +VQQKEw1SZWQgSGF0LCBJbmMuMQswCQYDVQQLEwJJUzEWMBQGA1UEAxMNUmVkIEhh +dCBJUyBDQTEmMCQGCSqGSIb3DQEJARYXc3lzYWRtaW4tcmR1QHJlZGhhdC5jb20w +gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN/HDWGiL8BarUWDIjNC6uxCXqYN +QkwcmhILX+cl+YuDDArFL1pYVrith228gF3dSUU5X7kIOmPkkjNheRkbnas61X+n +i3+KWvbX3q+h5VMxKX2cA1U+R3jLuXqYjF+N2gkPyPvxeoDuEncKAItw+mK/r+4L +WBb5nFzek7hP3017AgMBAAGjgf0wgfowHQYDVR0OBBYEFA2sGXDtBKdeeKv+i6g0 +6yEmwVY1MIHKBgNVHSMEgcIwgb+AFA2sGXDtBKdeeKv+i6g06yEmwVY1oYGjpIGg +MIGdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xpbmExEDAOBgNV +BAcTB1JhbGVpZ2gxFjAUBgNVBAoTDVJlZCBIYXQsIEluYy4xCzAJBgNVBAsTAklT +MRYwFAYDVQQDEw1SZWQgSGF0IElTIENBMSYwJAYJKoZIhvcNAQkBFhdzeXNhZG1p +bi1yZHVAcmVkaGF0LmNvbYIBATAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA +A4GBAFBgO5y3JcPXH/goumNBW7rr8m9EFZmQyK5gT1Ljv5qaCSZwxkAomhriv04p +mb1y8yjrK5OY3WwgaRaAWRHp4/hn2HWaRvx3S+gwLM7p8V1pWnbSFJOXF3kbuC41 +voMIMqAFfHKidKN/yrjJg/1ahIjSt11lMUvRJ4TNT+pk5VnBMB+gCgYIKwYBBQUH +AwIMEVJlZCBIYXQgSXMgdGhlIENB +-----END TRUSTED CERTIFICATE----- diff --git a/trust/tests/test-module.c b/trust/tests/test-module.c index 2d0e488..52fbe03 100644 --- a/trust/tests/test-module.c +++ b/trust/tests/test-module.c @@ -59,8 +59,7 @@ static void setup (CuTest *cu) { CK_C_INITIALIZE_ARGS args; - const char *anchors; - const char *certs; + const char *paths; char *arguments; CK_ULONG count; CK_RV rv; @@ -72,9 +71,8 @@ setup (CuTest *cu) CuAssertTrue (cu, rv == CKR_OK); memset (&args, 0, sizeof (args)); - anchors = SRCDIR "/anchors:" SRCDIR "/files/cacert-ca.der"; - certs = SRCDIR "/certificates"; - if (asprintf (&arguments, "anchors='%s' certificates='%s'", anchors, certs) < 0) + paths = SRCDIR "/input:" SRCDIR "/files/cacert-ca.der"; + if (asprintf (&arguments, "paths='%s'", paths) < 0) CuAssertTrue (cu, false && "not reached"); args.pReserved = arguments; args.flags = CKF_OS_LOCKING_OK; diff --git a/trust/tests/test-session.c b/trust/tests/test-session.c index d420d5c..e9031f2 100644 --- a/trust/tests/test-session.c +++ b/trust/tests/test-session.c @@ -53,7 +53,7 @@ struct { static void setup (CuTest *cu) { - test.token = p11_token_new ("", ""); + test.token = p11_token_new (""); CuAssertPtrNotNull (cu, test.token); test.session = p11_session_new (test.token); diff --git a/trust/tests/test-token.c b/trust/tests/test-token.c index 382d021..c566406 100644 --- a/trust/tests/test-token.c +++ b/trust/tests/test-token.c @@ -41,7 +41,9 @@ #include "attrs.h" #include "debug.h" +#include "pkcs11x.h" #include "library.h" +#include "test-data.h" #include "token.h" struct { @@ -51,8 +53,7 @@ struct { static void setup (CuTest *cu) { - test.token = p11_token_new (SRCDIR "/anchors:" SRCDIR "/files/cacert-ca.der", - SRCDIR "/files/self-server.der"); + test.token = p11_token_new (SRCDIR "/input:" SRCDIR "/files/self-server.der:" SRCDIR "/files/cacert-ca.der"); CuAssertPtrNotNull (cu, test.token); } @@ -72,7 +73,7 @@ test_token_load (CuTest *cu) setup (cu); count = p11_token_load (test.token); - CuAssertIntEquals (cu, 5, count); + CuAssertIntEquals (cu, 7, count); /* A certificate and trust object for each parsed object + builtin */ objects = p11_token_objects (test.token); @@ -81,6 +82,121 @@ test_token_load (CuTest *cu) teardown (cu); } +static bool +check_object (CK_ATTRIBUTE *match) +{ + CK_ATTRIBUTE *attrs; + p11_dict *objects; + p11_dictiter iter; + + objects = p11_token_objects (test.token); + + p11_dict_iterate (objects, &iter); + while (p11_dict_next (&iter, NULL, (void **)&attrs)) { + if (p11_attrs_match (attrs, match)) + return true; + } + + return false; +} + +static void +test_token_flags (CuTest *cu) +{ + CK_BBOOL falsev = CK_FALSE; + CK_BBOOL truev = CK_TRUE; + + /* + * blacklist comes from the input/distrust.pem file. It is not in the blacklist + * directory, but is an OpenSSL trusted certificate file, and is marked + * in the blacklist style for OpenSSL. + */ + + CK_ATTRIBUTE blacklist[] = { + { CKA_LABEL, "Red Hat Is the CA", 17 }, + { CKA_SERIAL_NUMBER, "\x02\x01\x01", 3 }, + { CKA_TRUSTED, &falsev, sizeof (falsev) }, + { CKA_X_DISTRUSTED, &truev, sizeof (truev) }, + { CKA_INVALID }, + }; + + /* + * blacklist2 comes from the input/blacklist/self-server.der file. It is + * explicitly put on the blacklist, even though it containts no trust + * policy information. + */ + + const unsigned char self_server_subject[] = { + 0x30, 0x4b, 0x31, 0x13, 0x30, 0x11, 0x06, 0x0a, 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, + 0x01, 0x19, 0x16, 0x03, 0x43, 0x4f, 0x4d, 0x31, 0x17, 0x30, 0x15, 0x06, 0x0a, 0x09, 0x92, 0x26, + 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x07, 0x45, 0x58, 0x41, 0x4d, 0x50, 0x4c, 0x45, + 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x12, 0x73, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, + }; + + CK_ATTRIBUTE blacklist2[] = { + { CKA_SUBJECT, (void *)self_server_subject, sizeof (self_server_subject) }, + { CKA_TRUSTED, &falsev, sizeof (falsev) }, + { CKA_X_DISTRUSTED, &truev, sizeof (truev) }, + { CKA_INVALID }, + }; + + /* + * anchor comes from the input/anchors/cacert3.der file. It is + * explicitly marked as an anchor, even though it containts no trust + * policy information. + */ + + CK_ATTRIBUTE anchor[] = { + { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, + { CKA_TRUSTED, &truev, sizeof (truev) }, + { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, + { CKA_INVALID }, + }; + + const unsigned char cacert_root_subject[] = { + 0x30, 0x79, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x07, 0x52, 0x6f, 0x6f, + 0x74, 0x20, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, 0x68, + 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x63, 0x61, 0x63, 0x65, 0x72, 0x74, + 0x2e, 0x6f, 0x72, 0x67, 0x31, 0x22, 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x19, 0x43, + 0x41, 0x20, 0x43, 0x65, 0x72, 0x74, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x41, + 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x73, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, + 0x40, 0x63, 0x61, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, 0x67, + }; + + /* + * notrust comes from the input/cacert-ca.der file. It contains no + * trust information, and is not explicitly marked as an anchor, so + * it's neither trusted or distrusted. + */ + + CK_ATTRIBUTE notrust[] = { + { CKA_SUBJECT, (void *)cacert_root_subject, sizeof (cacert_root_subject) }, + { CKA_TRUSTED, &falsev, sizeof (falsev) }, + { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE invalid[] = { + { CKA_LABEL, "Waonec9aoe9", 8 }, + { CKA_INVALID }, + }; + + setup (cu); + + if (p11_token_load (test.token) < 0) + CuFail (cu, "should not be reached"); + + CuAssertTrue (cu, !check_object (invalid)); + CuAssertTrue (cu, check_object (anchor)); + CuAssertTrue (cu, check_object (blacklist)); + CuAssertTrue (cu, check_object (blacklist2)); + CuAssertTrue (cu, check_object (notrust)); + + teardown (cu); +} + int main (void) { @@ -94,6 +210,7 @@ main (void) p11_message_quiet (); SUITE_ADD_TEST (suite, test_token_load); + SUITE_ADD_TEST (suite, test_token_flags); CuSuiteRun (suite); CuSuiteSummary (suite, output); |