Fill in certificate authority and trust data correctly

 * Fill in CKA_CERTIFICATE_CATEGORY properly for authorities
   based on the presence of BasicConstraints and/or v1 certificates
 * Fill in CKA_TRUSTED and CKA_X_DISTRUSTED based on whether the
   parser is running for anchors or blacklist
 * In addition support the concept of blacklisted certificates mixed
   in with the anchors (without any purposes) since that's what exists
   in the real world.
 * We do this after the various hooks have had a chance to mess
   with the certificate extensions and such.

4 files changed, 218 insertions, 57 deletions

diff --git a/trust/tests/test-data.c b/trust/tests/test-data.c
index a3d5373..f159926 100644
--- a/trust/tests/test-data.c
+++ b/trust/tests/test-data.c
@@ -74,7 +74,7 @@ test_check_cacert3_ca_msg (CuTest *cu,
                            const char *label)
 {
 	CK_CERTIFICATE_TYPE x509 = CKC_X_509;
-	CK_ULONG category = 0; /* TODO: Implement */
+	CK_ULONG category = 2; /* authority */
 
 	CK_ATTRIBUTE expected[] = {
 		{ CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) },
@@ -94,6 +94,22 @@ test_check_cacert3_ca_msg (CuTest *cu,
 }
 
 void
+test_check_id_msg (CuTest *cu,
+                   const char *file,
+                   int line,
+                   CK_ATTRIBUTE *expected,
+                   CK_ATTRIBUTE *attr)
+{
+	CK_ATTRIBUTE *one;
+	CK_ATTRIBUTE *two;
+
+	one = p11_attrs_find (expected, CKA_ID);
+	two = p11_attrs_find (attr, CKA_ID);
+
+	test_check_attr_msg (cu, file, line, one, two);
+}
+
+void
 test_check_attrs_msg (CuTest *cu,
                       const char *file,
                       int line,
diff --git a/trust/tests/test-data.h b/trust/tests/test-data.h
index e4ff938..300e342 100644
--- a/trust/tests/test-data.h
+++ b/trust/tests/test-data.h
@@ -74,6 +74,15 @@ void      test_check_attr_msg          (CuTest *cu,
                                         CK_ATTRIBUTE *expected,
                                         CK_ATTRIBUTE *attr);
 
+#define   test_check_id(cu, expected, attrs) \
+	test_check_id_msg (cu, __FILE__, __LINE__, expected, attrs)
+
+void      test_check_id_msg           (CuTest *cu,
+                                       const char *file,
+                                       int line,
+                                       CK_ATTRIBUTE *expected,
+                                       CK_ATTRIBUTE *attr);
+
 static const unsigned char test_cacert3_ca_der[] = {
 	0x30, 0x82, 0x07, 0x59, 0x30, 0x82, 0x05, 0x41, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x03, 0x0a,
 	0x41, 0x8a, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
diff --git a/trust/tests/test-parser.c b/trust/tests/test-parser.c
index 493dcb3..5bb690a 100644
--- a/trust/tests/test-parser.c
+++ b/trust/tests/test-parser.c
@@ -86,8 +86,9 @@ on_parse_object (CK_ATTRIBUTE *attrs,
 static void
 test_parse_der_certificate (CuTest *cu)
 {
-	CK_ATTRIBUTE *attrs;
-	CK_ATTRIBUTE *attr;
+	CK_ATTRIBUTE *cert;
+	CK_ATTRIBUTE *object;
+	CK_BBOOL bval;
 	int ret;
 
 	setup (cu);
@@ -99,11 +100,19 @@ test_parse_der_certificate (CuTest *cu)
 	/* Should have gotten certificate and a trust object */
 	CuAssertIntEquals (cu, 2, test.objects->num);
 
-	attrs = test.objects->elem[0];
-	test_check_cacert3_ca (cu, attrs, NULL);
+	cert = test.objects->elem[0];
+	test_check_cacert3_ca (cu, cert, NULL);
+
+	if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval))
+		CuFail (cu, "missing CKA_TRUSTED");
+	CuAssertIntEquals (cu, CK_FALSE, bval);
+
+	if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval))
+		CuFail (cu, "missing CKA_X_DISTRUSTED");
+	CuAssertIntEquals (cu, CK_FALSE, bval);
 
-	attr = p11_attrs_find (attrs, CKA_TRUSTED);
-	CuAssertPtrEquals (cu, NULL, attr);
+	object = test.objects->elem[1];
+	test_check_id (cu, cert, object);
 
 	teardown (cu);
 }
@@ -111,8 +120,9 @@ test_parse_der_certificate (CuTest *cu)
 static void
 test_parse_pem_certificate (CuTest *cu)
 {
-	CK_ATTRIBUTE *attrs;
-	CK_ATTRIBUTE *attr;
+	CK_ATTRIBUTE *cert;
+	CK_ATTRIBUTE *object;
+	CK_BBOOL bval;
 	int ret;
 
 	setup (cu);
@@ -124,11 +134,19 @@ test_parse_pem_certificate (CuTest *cu)
 	/* Should have gotten certificate and a trust object */
 	CuAssertIntEquals (cu, 2, test.objects->num);
 
-	attrs = test.objects->elem[0];
-	test_check_cacert3_ca (cu, attrs, NULL);
+	cert = test.objects->elem[0];
+	test_check_cacert3_ca (cu, cert, NULL);
+
+	if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval))
+		CuFail (cu, "missing CKA_TRUSTED");
+	CuAssertIntEquals (cu, CK_FALSE, bval);
+
+	if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval))
+		CuFail (cu, "missing CKA_X_DISTRUSTED");
+	CuAssertIntEquals (cu, CK_FALSE, bval);
 
-	attr = p11_attrs_find (attrs, CKA_TRUSTED);
-	CuAssertPtrEquals (cu, NULL, attr);
+	object = test.objects->elem[1];
+	test_check_id (cu, cert, object);
 
 	teardown (cu);
 }
@@ -136,7 +154,7 @@ test_parse_pem_certificate (CuTest *cu)
 static void
 test_parse_openssl_trusted (CuTest *cu)
 {
-	CK_TRUST trusted = CKT_NETSCAPE_TRUSTED;
+	CK_TRUST trusted = CKT_NETSCAPE_TRUSTED_DELEGATOR;
 	CK_TRUST distrusted = CKT_NETSCAPE_UNTRUSTED;
 	CK_TRUST unknown = CKT_NETSCAPE_TRUST_UNKNOWN;
 	CK_OBJECT_CLASS certificate_extension = CKO_X_CERTIFICATE_EXTENSION;
@@ -149,6 +167,8 @@ test_parse_openssl_trusted (CuTest *cu)
 		{ CKA_CLASS, &certificate_extension, sizeof (certificate_extension), },
 		{ CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) },
 		{ CKA_X_CRITICAL, &vtrue, sizeof (vtrue) },
+		{ CKA_VALUE, "\x30\x14\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01\x06\x08\x2b\x06"
+			"\x01\x05\x05\x07\x03\x02", 22 },
 		{ CKA_INVALID },
 	};
 
@@ -157,6 +177,7 @@ test_parse_openssl_trusted (CuTest *cu)
 		{ CKA_CLASS, &certificate_extension, sizeof (certificate_extension), },
 		{ CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) },
 		{ CKA_X_CRITICAL, &vfalse, sizeof (vfalse) },
+		{ CKA_VALUE, "\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x04", 12 },
 		{ CKA_INVALID },
 	};
 
@@ -186,33 +207,149 @@ test_parse_openssl_trusted (CuTest *cu)
 		{ CKA_INVALID, }
 	};
 
-	CK_ATTRIBUTE *attrs;
-	CK_ATTRIBUTE *attr;
+	CK_ATTRIBUTE *cert;
+	CK_ATTRIBUTE *object;
+	CK_BBOOL bval;
 	int ret;
 
 	setup (cu);
 
 	ret = p11_parse_file (test.parser, SRCDIR "/files/cacert3-trusted.pem",
-	                      0, on_parse_object, cu);
+	                      P11_PARSE_FLAG_ANCHOR, on_parse_object, cu);
 	CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret);
 
 	/* Should have gotten certificate, two stapled extensions, and a trust object */
 	CuAssertIntEquals (cu, 4, test.objects->num);
 
-	attrs = test.objects->elem[0];
-	test_check_cacert3_ca (cu, attrs, NULL);
+	cert = test.objects->elem[0];
+	test_check_cacert3_ca (cu, cert, NULL);
+
+	if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval))
+		CuFail (cu, "missing CKA_TRUSTED");
+	CuAssertIntEquals (cu, CK_TRUE, bval);
+
+	if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval))
+		CuFail (cu, "missing CKA_X_DISTRUSTED");
+	CuAssertIntEquals (cu, CK_FALSE, bval);
+
+	object = test.objects->elem[1];
+	test_check_attrs (cu, eku_extension, object);
+	test_check_id (cu, cert, object);
+
+	object = test.objects->elem[2];
+	test_check_attrs (cu, reject_extension, object);
+	test_check_id (cu, cert, object);
+
+	object = test.objects->elem[3];
+	test_check_attrs (cu, nss_trust, object);
+	test_check_id (cu, cert, object);
+
+	teardown (cu);
+}
+
+static void
+test_parse_openssl_distrusted (CuTest *cu)
+{
+	CK_TRUST distrusted = CKT_NETSCAPE_UNTRUSTED;
+	CK_OBJECT_CLASS certificate_extension = CKO_X_CERTIFICATE_EXTENSION;
+	CK_OBJECT_CLASS trust_object = CKO_NETSCAPE_TRUST;
+	CK_OBJECT_CLASS klass = CKO_CERTIFICATE;
+	CK_CERTIFICATE_TYPE x509 = CKC_X_509;
+	CK_ULONG category = 2; /* authority */
+	CK_BBOOL vtrue = CK_TRUE;
+	CK_BBOOL vfalse = CK_FALSE;
+
+	CK_ATTRIBUTE certificate[] = {
+		{ CKA_CLASS, &klass, sizeof (klass), },
+		{ CKA_TOKEN, &vtrue, sizeof (vtrue) },
+		{ CKA_PRIVATE, &vfalse, sizeof (vfalse) },
+		{ CKA_MODIFIABLE, &vfalse, sizeof (vfalse) },
+		{ CKA_CLASS, &klass, sizeof (klass) },
+		{ CKA_LABEL, "Red Hat Is the CA", 17 },
+		{ CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) },
+		{ CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) },
+		{ CKA_CHECK_VALUE, "\xe9z}", 3 },
+		{ CKA_START_DATE, "20090916", 8 },
+		{ CKA_END_DATE, "20190914", 8, },
+		{ CKA_SERIAL_NUMBER, "\x02\x01\x01", 3 },
+		{ CKA_TRUSTED, &vfalse, sizeof (vfalse) },
+		{ CKA_X_DISTRUSTED, &vtrue, sizeof (vtrue) },
+		{ CKA_INVALID },
+	};
+
+	CK_ATTRIBUTE eku_extension[] = {
+		{ CKA_LABEL, "Red Hat Is the CA", 17 },
+		{ CKA_CLASS, &certificate_extension, sizeof (certificate_extension), },
+		{ CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) },
+		{ CKA_X_CRITICAL, &vtrue, sizeof (vtrue) },
+		{ CKA_VALUE, "\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x10", 14 },
+		{ CKA_INVALID },
+	};
+
+	CK_ATTRIBUTE reject_extension[] = {
+		{ CKA_LABEL, "Red Hat Is the CA", 17 },
+		{ CKA_CLASS, &certificate_extension, sizeof (certificate_extension), },
+		{ CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) },
+		{ CKA_X_CRITICAL, &vfalse, sizeof (vfalse) },
+		{ CKA_VALUE, "\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02", 12 },
+		{ CKA_INVALID },
+	};
+
+	CK_ATTRIBUTE nss_trust[] = {
+		{ CKA_LABEL, "Red Hat Is the CA", 17 },
+		{ CKA_CLASS, &trust_object, sizeof (trust_object), },
+		{ CKA_CERT_SHA1_HASH, "\xe9z}\xe3\x82""7\xa0U\xb1k\xfe\xffo.\x03\x15*\xba\xb9\x90", 20 },
+		{ CKA_CERT_MD5_HASH, "\xda\xb4<\xe7;QK\x1a\xe5\xeau\xa1\xc9 \xdf""B", 16 },
+		{ CKA_SERIAL_NUMBER, "\x02\x01\x01", 3 },
+		{ CKA_TRUST_SERVER_AUTH, &distrusted, sizeof (distrusted) },
+		{ CKA_TRUST_CLIENT_AUTH, &distrusted, sizeof (distrusted) },
+		{ CKA_TRUST_EMAIL_PROTECTION, &distrusted, sizeof (distrusted) },
+		{ CKA_TRUST_CODE_SIGNING, &distrusted, sizeof (distrusted) },
+		{ CKA_TRUST_IPSEC_END_SYSTEM, &distrusted, sizeof (distrusted) },
+		{ CKA_TRUST_IPSEC_TUNNEL, &distrusted, sizeof (distrusted) },
+		{ CKA_TRUST_IPSEC_USER, &distrusted, sizeof (distrusted) },
+		{ CKA_TRUST_TIME_STAMPING, &distrusted, sizeof (distrusted) },
+		{ CKA_TRUST_DIGITAL_SIGNATURE, &distrusted, sizeof (distrusted) },
+		{ CKA_TRUST_NON_REPUDIATION, &distrusted, sizeof (distrusted) },
+		{ CKA_TRUST_KEY_ENCIPHERMENT, &distrusted, sizeof (distrusted) },
+		{ CKA_TRUST_DATA_ENCIPHERMENT, &distrusted, sizeof (distrusted) },
+		{ CKA_TRUST_KEY_AGREEMENT, &distrusted, sizeof (distrusted) },
+		{ CKA_TRUST_KEY_CERT_SIGN, &distrusted, sizeof (distrusted) },
+		{ CKA_TRUST_CRL_SIGN, &distrusted, sizeof (distrusted) },
+		{ CKA_INVALID, }
+	};
 
-	attr = p11_attrs_find (attrs, CKA_TRUSTED);
-	CuAssertPtrEquals (cu, NULL, attr);
+	CK_ATTRIBUTE *cert;
+	CK_ATTRIBUTE *object;
+	int ret;
 
-	attrs = test.objects->elem[1];
-	test_check_attrs (cu, eku_extension, attrs);
+	setup (cu);
 
-	attrs = test.objects->elem[2];
-	test_check_attrs (cu, reject_extension, attrs);
+	/*
+	 * OpenSSL style is to litter the blacklist in with the anchors,
+	 * so we parse this as an anchor, but expect it to be blacklisted
+	 */
+	ret = p11_parse_file (test.parser, SRCDIR "/files/distrusted.pem",
+	                      P11_PARSE_FLAG_ANCHOR, on_parse_object, cu);
+	CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret);
 
-	attrs = test.objects->elem[3];
-	test_check_attrs (cu, nss_trust, attrs);
+	/* Should have gotten certificate, one stapled extensions, and a trust object */
+	CuAssertIntEquals (cu, 4, test.objects->num);
+
+	cert = test.objects->elem[0];
+	test_check_attrs (cu, certificate, cert);
+
+	object = test.objects->elem[1];
+	test_check_attrs (cu, eku_extension, object);
+	test_check_id (cu, cert, object);
+
+	object = test.objects->elem[2];
+	test_check_attrs (cu, reject_extension, object);
+	test_check_id (cu, cert, object);
+
+	object = test.objects->elem[3];
+	test_check_attrs (cu, nss_trust, object);
+	test_check_id (cu, cert, object);
 
 	teardown (cu);
 }
@@ -227,7 +364,7 @@ test_parse_with_key_usage (CuTest *cu)
 	CK_BBOOL vtrue = CK_TRUE;
 	CK_BBOOL vfalse = CK_FALSE;
 	CK_CERTIFICATE_TYPE x509 = CKC_X_509;
-	CK_ULONG category = 0; /* TODO: Implement */
+	CK_ULONG category = 3; /* other entity */
 
 	CK_ATTRIBUTE certificate[] = {
 		{ CKA_CLASS, &klass, sizeof (klass), },
@@ -244,6 +381,8 @@ test_parse_with_key_usage (CuTest *cu)
 		{ CKA_ISSUER, "0*1(0&\x06\x03U\x04\x03\x13\x1f""self-signed-with-ku.example.com", 44 },
 		{ CKA_SUBJECT, "0*1(0&\x06\x03U\x04\x03\x13\x1f""self-signed-with-ku.example.com", 44 },
 		{ CKA_SERIAL_NUMBER, "\x02\x02\x03x", 4 },
+		{ CKA_TRUSTED, &vtrue, sizeof (vtrue) },
+		{ CKA_X_DISTRUSTED, &vfalse, sizeof (vfalse) },
 		{ CKA_INVALID },
 	};
 
@@ -273,41 +412,34 @@ test_parse_with_key_usage (CuTest *cu)
 		{ CKA_INVALID, }
 	};
 
-	CK_ATTRIBUTE *attrs;
-	CK_ATTRIBUTE *attr;
+	CK_ATTRIBUTE *cert;
+	CK_ATTRIBUTE *object;
+	CK_BBOOL bval;
 	int ret;
 
 	setup (cu);
 
 	ret = p11_parse_file (test.parser, SRCDIR "/files/self-signed-with-ku.der",
-	                      0, on_parse_object, cu);
+	                      P11_PARSE_FLAG_ANCHOR, on_parse_object, cu);
 	CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret);
 
-	/* Should have gotten certificate, two stapled extensions, and a trust object */
+	/* Should have gotten certificate, and a trust object */
 	CuAssertIntEquals (cu, 2, test.objects->num);
 
-	attrs = test.objects->elem[0];
-	test_check_attrs (cu, certificate, attrs);
+	cert = test.objects->elem[0];
+	test_check_attrs (cu, certificate, cert);
 
-	attr = p11_attrs_find (attrs, CKA_TRUSTED);
-	CuAssertPtrEquals (cu, NULL, attr);
+	if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval))
+		CuFail (cu, "missing CKA_TRUSTED");
+	CuAssertIntEquals (cu, CK_TRUE, bval);
 
-	attrs = test.objects->elem[1];
-	test_check_attrs (cu, nss_trust, attrs);
+	if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval))
+		CuFail (cu, "missing CKA_X_DISTRUSTED");
+	CuAssertIntEquals (cu, CK_FALSE, bval);
 
-	teardown (cu);
-}
-
-static void
-test_parse_distrusted (CuTest *cu)
-{
-	int ret;
-
-	setup (cu);
-
-	ret = p11_parse_file (test.parser, SRCDIR "/files/distrusted.pem",
-	                      0, on_parse_object, cu);
-	CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret);
+	object = test.objects->elem[1];
+	test_check_attrs (cu, nss_trust, object);
+	test_check_id (cu, cert, object);
 
 	teardown (cu);
 }
@@ -315,7 +447,8 @@ test_parse_distrusted (CuTest *cu)
 static void
 test_parse_anchor (CuTest *cu)
 {
-	CK_ATTRIBUTE *attrs;
+	CK_ATTRIBUTE *cert;
+	CK_ATTRIBUTE *object;
 	CK_ATTRIBUTE *attr;
 	CK_BBOOL vtrue = CK_TRUE;
 	CK_ATTRIBUTE trusted = { CKA_TRUSTED, &vtrue, sizeof (vtrue) };
@@ -330,12 +463,15 @@ test_parse_anchor (CuTest *cu)
 	/* Should have gotten a certificate and a trust object */
 	CuAssertIntEquals (cu, 2, test.objects->num);
 
-	attrs = test.objects->elem[0];
-	test_check_cacert3_ca (cu, attrs, NULL);
+	cert = test.objects->elem[0];
+	test_check_cacert3_ca (cu, cert, NULL);
 
-	attr = p11_attrs_find (attrs, CKA_TRUSTED);
+	attr = p11_attrs_find (cert, CKA_TRUSTED);
 	test_check_attr (cu, &trusted, attr);
 
+	object = test.objects->elem[1];
+	test_check_id (cu, cert, object);
+
 	teardown (cu);
 }
 
@@ -499,8 +635,8 @@ main (void)
 	SUITE_ADD_TEST (suite, test_parse_der_certificate);
 	SUITE_ADD_TEST (suite, test_parse_pem_certificate);
 	SUITE_ADD_TEST (suite, test_parse_openssl_trusted);
+	SUITE_ADD_TEST (suite, test_parse_openssl_distrusted);
 	SUITE_ADD_TEST (suite, test_parse_with_key_usage);
-	SUITE_ADD_TEST (suite, test_parse_distrusted);
 	SUITE_ADD_TEST (suite, test_parse_anchor);
 	SUITE_ADD_TEST (suite, test_parse_no_sink);
 	SUITE_ADD_TEST (suite, test_parse_invalid_file);
diff --git a/trust/tests/test-token.c b/trust/tests/test-token.c
index 8a5b34d..2ed1134 100644
--- a/trust/tests/test-token.c
+++ b/trust/tests/test-token.c
@@ -76,7 +76,7 @@ test_token_load (CuTest *cu)
 
 	/* A certificate and trust object for each parsed object + builtin */
 	objects = p11_token_objects (test.token);
-	CuAssertIntEquals (cu, ((count - 1) * 2) + 1, p11_dict_size (objects));
+	CuAssertTrue (cu, ((count - 1) * 2) + 1 <= p11_dict_size (objects));
 
 	teardown (cu);
 }