summaryrefslogtreecommitdiff
path: root/trust
diff options
context:
space:
mode:
authorStef Walter <stefw@gnome.org>2013-01-03 11:07:47 +0100
committerStef Walter <stefw@gnome.org>2013-02-05 14:54:53 +0100
commit8b02ff64b30311a4730b60dd72590435f56fb3a2 (patch)
tree20afcc494e8fd9032f9c3a94b27a316848b8728f /trust
parent18bb2582c32f4373f7ed85894fb490f2733cb03b (diff)
Fill in certificate authority and trust data correctly
* Fill in CKA_CERTIFICATE_CATEGORY properly for authorities based on the presence of BasicConstraints and/or v1 certificates * Fill in CKA_TRUSTED and CKA_X_DISTRUSTED based on whether the parser is running for anchors or blacklist * In addition support the concept of blacklisted certificates mixed in with the anchors (without any purposes) since that's what exists in the real world. * We do this after the various hooks have had a chance to mess with the certificate extensions and such.
Diffstat (limited to 'trust')
-rw-r--r--trust/mozilla.c74
-rw-r--r--trust/parser.c351
-rw-r--r--trust/parser.h11
-rw-r--r--trust/tests/test-data.c18
-rw-r--r--trust/tests/test-data.h9
-rw-r--r--trust/tests/test-parser.c246
-rw-r--r--trust/tests/test-token.c2
7 files changed, 548 insertions, 163 deletions
diff --git a/trust/mozilla.c b/trust/mozilla.c
index cd8ff25..fd5e287 100644
--- a/trust/mozilla.c
+++ b/trust/mozilla.c
@@ -53,12 +53,12 @@
static CK_ATTRIBUTE *
update_ku (p11_parser *parser,
p11_array *parsing,
- CK_ATTRIBUTE *object)
+ CK_ATTRIBUTE *object,
+ CK_TRUST present)
{
- unsigned char *data;
+ unsigned char *data = NULL;
unsigned int ku = 0;
size_t length;
- CK_TRUST present;
CK_TRUST defawlt;
CK_ULONG i;
@@ -78,22 +78,20 @@ update_ku (p11_parser *parser,
CK_ATTRIBUTE attrs[sizeof (ku_attribute_map)];
- if (p11_parsing_get_flags (parser) & P11_PARSE_FLAG_ANCHOR)
- present = CKT_NETSCAPE_TRUSTED_DELEGATOR;
- else
- present = CKT_NETSCAPE_TRUSTED;
defawlt = present;
- data = p11_parsing_get_extension (parser, parsing, P11_OID_KEY_USAGE, &length);
-
- /*
- * If the certificate extension was missing, then *all* key
- * usages are to be set. If the extension was invalid, then
- * fail safe to none of the key usages.
- */
+ /* If blacklisted, don't even bother looking at extensions */
+ if (present != CKT_NETSCAPE_UNTRUSTED)
+ data = p11_parsing_get_extension (parser, parsing, P11_OID_KEY_USAGE, &length);
if (data) {
+ /*
+ * If the certificate extension was missing, then *all* key
+ * usages are to be set. If the extension was invalid, then
+ * fail safe to none of the key usages.
+ */
defawlt = CKT_NETSCAPE_TRUST_UNKNOWN;
+
if (p11_parse_key_usage (parser, data, length, &ku) != P11_PARSE_SUCCESS)
p11_message ("invalid key usage certificate extension");
free (data);
@@ -116,12 +114,12 @@ update_ku (p11_parser *parser,
static CK_ATTRIBUTE *
update_eku (p11_parser *parser,
p11_array *parsing,
- CK_ATTRIBUTE *object)
+ CK_ATTRIBUTE *object,
+ CK_TRUST trust)
{
- CK_TRUST trust;
CK_TRUST defawlt;
CK_TRUST distrust;
- unsigned char *data;
+ unsigned char *data = NULL;
p11_dict *ekus = NULL;
p11_dict *reject = NULL;
size_t length;
@@ -145,28 +143,24 @@ update_eku (p11_parser *parser,
CK_ATTRIBUTE attrs[sizeof (eku_attribute_map)];
- /* The value set if an eku is present */
- if (p11_parsing_get_flags (parser) & P11_PARSE_FLAG_ANCHOR)
- trust = CKT_NETSCAPE_TRUSTED_DELEGATOR;
- else
- trust= CKT_NETSCAPE_TRUSTED;
-
/* The value set if an eku is not present, adjusted below */
defawlt = trust;
/* The value set if an eku is explictly rejected */
distrust = CKT_NETSCAPE_UNTRUSTED;
- /*
- * If the certificate extension was missing, then *all* extended key
- * usages are to be set. If the extension was invalid, then
- * fail safe to none of the extended key usages.
- */
-
- data = p11_parsing_get_extension (parser, parsing, P11_OID_EXTENDED_KEY_USAGE, &length);
+ /* If blacklisted, don't even bother looking at extensions */
+ if (trust != CKT_NETSCAPE_UNTRUSTED)
+ data = p11_parsing_get_extension (parser, parsing, P11_OID_EXTENDED_KEY_USAGE, &length);
if (data) {
+ /*
+ * If the certificate extension was missing, then *all* extended key
+ * usages are to be set. If the extension was invalid, then
+ * fail safe to none of the extended key usages.
+ */
defawlt = CKT_NETSCAPE_TRUST_UNKNOWN;
+
ekus = p11_parse_extended_key_usage (parser, data, length);
if (ekus == NULL)
p11_message ("invalid extended key usage certificate extension");
@@ -208,6 +202,9 @@ build_nss_trust_object (p11_parser *parser,
CK_ATTRIBUTE *cert)
{
CK_ATTRIBUTE *object = NULL;
+ CK_TRUST trust;
+ CK_ULONG category;
+ CK_BBOOL bval;
CK_OBJECT_CLASS vclass = CKO_NETSCAPE_TRUST;
CK_BYTE vsha1_hash[P11_CHECKSUM_SHA1_LENGTH];
@@ -259,10 +256,23 @@ build_nss_trust_object (p11_parser *parser,
&step_up_approved, NULL);
return_val_if_fail (object != NULL, NULL);
- object = update_ku (parser, parsing, object);
+ /* Calculate the default trust */
+ trust = CKT_NETSCAPE_TRUST_UNKNOWN;
+
+ if (p11_attrs_find_bool (cert, CKA_TRUSTED, &bval) && bval) {
+ if (p11_attrs_find_ulong (cert, CKA_CERTIFICATE_CATEGORY, &category) && category == 2)
+ trust = CKT_NETSCAPE_TRUSTED_DELEGATOR;
+ else
+ trust = CKT_NETSCAPE_TRUSTED;
+ }
+
+ if (p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval) && bval)
+ trust = CKT_NETSCAPE_UNTRUSTED;
+
+ object = update_ku (parser, parsing, object, trust);
return_val_if_fail (object != NULL, NULL);
- object = update_eku (parser, parsing, object);
+ object = update_eku (parser, parsing, object, trust);
return_val_if_fail (object != NULL, NULL);
if (!p11_array_push (parsing, object))
diff --git a/trust/parser.c b/trust/parser.c
index 3a81dcd..28464fd 100644
--- a/trust/parser.c
+++ b/trust/parser.c
@@ -163,6 +163,9 @@ finish_parsing (p11_parser *parser,
/* This is a double check */
return_if_fail (parser->cert_asn == cert_asn);
+ /* Update the certificate state */
+ p11_parsing_update_certificate (parser, parser->parsing);
+
/* Call all the hooks for generating further objects */
p11_mozilla_build_trust_object (parser, parser->parsing);
@@ -579,29 +582,6 @@ calc_date (node_asn *cert,
}
static bool
-calc_trusted (p11_parser *parser,
- node_asn *cert,
- CK_BBOOL *vtrusted)
-{
- assert (parser != NULL);
- assert (vtrusted != NULL);
-
- /*
- * This calculates CKA_TRUSTED, which is a silly attribute, don't
- * read too much into this. The real trust mechinisms are elsewhere.
- */
-
- *vtrusted = CK_FALSE;
- if (parser->flags & P11_PARSE_FLAG_ANCHOR) {
- *vtrusted = CK_TRUE;
- return true;
- }
-
- /* Don't add this attribute unless anchor */
- return false;
-}
-
-static bool
calc_element (node_asn *el,
const unsigned char *data,
size_t length,
@@ -631,18 +611,21 @@ build_x509_certificate (p11_parser *parser,
CK_CERTIFICATE_TYPE vx509 = CKC_X_509;
CK_BYTE vchecksum[3];
- /* TODO: Implement */
- CK_ULONG vcategory = 0;
- CK_BBOOL vtrusted = CK_FALSE;
CK_DATE vstart;
CK_DATE vend;
+ /* Filled in later */
+ CK_ULONG vcategory = 0;
+ CK_BBOOL vtrusted = CK_FALSE;
+ CK_BBOOL vdistrusted = CK_FALSE;
+
CK_ATTRIBUTE certificate_type = { CKA_CERTIFICATE_TYPE, &vx509, sizeof (vx509) };
CK_ATTRIBUTE certificate_category = { CKA_CERTIFICATE_CATEGORY, &vcategory, sizeof (vcategory) };
CK_ATTRIBUTE value = { CKA_VALUE, (void *)data, length };
CK_ATTRIBUTE check_value = { CKA_CHECK_VALUE, &vchecksum, sizeof (vchecksum) };
CK_ATTRIBUTE trusted = { CKA_TRUSTED, &vtrusted, sizeof (vtrusted) };
+ CK_ATTRIBUTE distrusted = { CKA_X_DISTRUSTED, &vdistrusted, sizeof (vdistrusted) };
CK_ATTRIBUTE start_date = { CKA_START_DATE, &vstart, sizeof (vstart) };
CK_ATTRIBUTE end_date = { CKA_END_DATE, &vend, sizeof (vend) };
CK_ATTRIBUTE subject = { CKA_SUBJECT, };
@@ -659,10 +642,6 @@ build_x509_certificate (p11_parser *parser,
calc_check_value (data, length, vchecksum);
- /* This is a silly trust flag, we set it if the cert is an anchor */
- if (!calc_trusted (parser, cert, &vtrusted))
- trusted.type = CKA_INVALID;
-
if (!calc_date (cert, "tbsCertificate.validity.notBefore", &vstart))
start_date.type = CKA_INVALID;
if (!calc_date (cert, "tbsCertificate.validity.notAfter", &vend))
@@ -679,7 +658,7 @@ build_x509_certificate (p11_parser *parser,
return_val_if_fail (attrs != NULL, NULL);
attrs = p11_attrs_build (attrs, &certificate_type, &certificate_category,
- &check_value, &trusted, &start_date, &end_date,
+ &check_value, &trusted, &distrusted, &start_date, &end_date,
&subject, &issuer, &serial_number, &value,
NULL);
return_val_if_fail (attrs != NULL, NULL);
@@ -802,13 +781,6 @@ p11_parsing_get_extension (p11_parser *parser,
return NULL;
}
-int
-p11_parsing_get_flags (p11_parser *parser)
-{
- return_val_if_fail (parser != NULL, 0);
- return parser->flags;
-}
-
CK_ATTRIBUTE *
p11_parsing_get_certificate (p11_parser *parser,
p11_array *parsing)
@@ -827,6 +799,32 @@ p11_parsing_get_certificate (p11_parser *parser,
}
int
+p11_parse_basic_constraints (p11_parser *parser,
+ const unsigned char *data,
+ size_t length,
+ int *is_ca)
+{
+ char buffer[8];
+ node_asn *ext;
+ int ret;
+ int len;
+
+ return_val_if_fail (is_ca != NULL, P11_PARSE_FAILURE);
+
+ ext = decode_asn1 (parser, "PKIX1.BasicConstraints", data, length, NULL);
+ return_val_if_fail (ext != NULL, P11_PARSE_UNRECOGNIZED);
+
+ len = sizeof (buffer);
+ ret = asn1_read_value (ext, "cA", buffer, &len);
+ return_val_if_fail (ret == ASN1_SUCCESS, P11_PARSE_FAILURE);
+
+ *is_ca = (strcmp (buffer, "TRUE") == 0);
+ asn1_delete_structure (&ext);
+
+ return P11_PARSE_SUCCESS;
+}
+
+int
p11_parse_key_usage (p11_parser *parser,
const unsigned char *data,
size_t length,
@@ -888,6 +886,10 @@ p11_parse_extended_key_usage (p11_parser *parser,
if (!p11_oid_simple (eku_der + start, (end - start) + 1))
continue;
+ /* If it's our reserved OID, then skip */
+ if (p11_oid_equal (eku_der + start, P11_OID_RESERVED_PURPOSE))
+ continue;
+
eku = memdup (eku_der + start, (end - start) + 1);
return_val_if_fail (eku != NULL, NULL);
@@ -950,12 +952,12 @@ calc_der_length (const unsigned char *data,
}
static int
-build_stapled_extension (p11_parser *parser,
- CK_ATTRIBUTE *cert,
- const unsigned char *oid_der,
- CK_BBOOL vcritical,
- const unsigned char *ext_der,
- size_t ext_len)
+build_der_extension (p11_parser *parser,
+ CK_ATTRIBUTE *cert,
+ const unsigned char *oid_der,
+ CK_BBOOL vcritical,
+ const unsigned char *ext_der,
+ int ext_len)
{
CK_ATTRIBUTE critical = { CKA_X_CRITICAL, &vcritical, sizeof (vcritical) };
CK_ATTRIBUTE oid = { CKA_OBJECT_ID, (void *)oid_der, p11_oid_length (oid_der) };
@@ -985,6 +987,34 @@ build_stapled_extension (p11_parser *parser,
return P11_PARSE_SUCCESS;
}
+static int
+build_stapled_extension (p11_parser *parser,
+ CK_ATTRIBUTE *cert,
+ const unsigned char *oid,
+ CK_BBOOL critical,
+ node_asn *ext)
+{
+ char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE];
+ char *der;
+ int len;
+ int ret;
+
+ len = 0;
+ ret = asn1_der_coding (ext, "", NULL, &len, message);
+ return_val_if_fail (ret == ASN1_MEM_ERROR, P11_PARSE_FAILURE);
+
+ der = malloc (len);
+ return_val_if_fail (der != NULL, P11_PARSE_FAILURE);
+
+ ret = asn1_der_coding (ext, "", der, &len, message);
+ return_val_if_fail (ret == ASN1_SUCCESS, P11_PARSE_FAILURE);
+
+ ret = build_der_extension (parser, cert, oid, critical, (unsigned char *)der, len);
+ free (der);
+
+ return ret;
+}
+
static p11_dict *
load_seq_of_oid_str (node_asn *node,
const char *seqof)
@@ -1033,8 +1063,6 @@ build_eku_extension (p11_parser *parser,
node_asn *dest;
int count = 0;
void *value;
- char *der;
- int len;
int ret;
ret = asn1_create_element (parser->pkix_definitions, "PKIX1.ExtKeyUsageSyntax", &dest);
@@ -1052,11 +1080,16 @@ build_eku_extension (p11_parser *parser,
}
/*
- * If no oids have been written, then we have to put some sort of
+ * If no oids have been written, then we have to put in a reserved
* value, due to the way that ExtendedKeyUsage is defined in RFC 5280.
* There must be at least one purpose. This is important since *not*
* having an ExtendedKeyUsage is very different than having one without
* certain usages.
+ *
+ * We account for this in p11_parse_extended_key_usage(). However for
+ * most callers this should not matter, as they only check whether a
+ * given purpose is present, and don't make assumptions about ones
+ * that they don't know about.
*/
if (count == 0) {
@@ -1067,31 +1100,198 @@ build_eku_extension (p11_parser *parser,
return_val_if_fail (ret == ASN1_SUCCESS, P11_PARSE_FAILURE);
}
- len = 0;
- ret = asn1_der_coding (dest, "", NULL, &len, NULL);
- return_val_if_fail (ret == ASN1_MEM_ERROR, P11_PARSE_FAILURE);
- der = malloc (len);
- return_val_if_fail (der != NULL, P11_PARSE_FAILURE);
+ ret = build_stapled_extension (parser, cert, oid, critical, dest);
+ asn1_delete_structure (&dest);
- ret = asn1_der_coding (dest, "", der, &len, NULL);
+ return ret;
+}
+
+static int
+build_bc_extension (p11_parser *parser,
+ CK_ATTRIBUTE *cert,
+ CK_BBOOL critical,
+ int is_ca)
+{
+ node_asn *ext;
+ int ret;
+
+ ret = asn1_create_element (parser->pkix_definitions, "PKIX1.BasicConstraints", &ext);
return_val_if_fail (ret == ASN1_SUCCESS, P11_PARSE_FAILURE);
- ret = build_stapled_extension (parser, cert, oid, critical,
- (unsigned char *)der, len);
+ /* FALSE is the default, so clear if not CA */
+ ret = asn1_write_value (ext, "cA", is_ca ? "TRUE" : NULL, is_ca ? -1 : 0);
+ return_val_if_fail (ret == ASN1_SUCCESS, P11_PARSE_FAILURE);
- free (der);
- asn1_delete_structure (&dest);
+ /* Clear this optional value */
+ ret = asn1_write_value (ext, "pathLenConstraint", NULL, 0);
+ return_val_if_fail (ret == ASN1_SUCCESS, P11_PARSE_FAILURE);
+
+ ret = build_stapled_extension (parser, cert, P11_OID_BASIC_CONSTRAINTS, critical, ext);
+ asn1_delete_structure (&ext);
return ret;
}
static int
-build_cert_aux_extensions (p11_parser *parser,
- CK_ATTRIBUTE *cert,
- node_asn *aux,
- const unsigned char *aux_der,
- size_t aux_len)
+is_v1_x509_authority (CK_ATTRIBUTE *cert,
+ node_asn *node)
+{
+ CK_ATTRIBUTE *subject;
+ CK_ATTRIBUTE *issuer;
+ char buffer[16];
+ int len;
+ int ret;
+
+ len = sizeof (buffer);
+ ret = asn1_read_value (node, "tbsCertificate.version", buffer, &len);
+
+ /* The default value */
+ if (ret == ASN1_ELEMENT_NOT_FOUND) {
+ ret = ASN1_SUCCESS;
+ buffer[0] = 0;
+ len = 1;
+ }
+
+ return_val_if_fail (ret == ASN1_SUCCESS, 0);
+
+ /*
+ * In X.509 version v1 is the integer zero. Two's complement
+ * integer, but zero is easy to read.
+ */
+ if (len != 1 || buffer[0] != 0)
+ return 0;
+
+ /* Must be self-signed, ie: same subject and issuer */
+ subject = p11_attrs_find (cert, CKA_SUBJECT);
+ issuer = p11_attrs_find (cert, CKA_ISSUER);
+ return (subject != NULL && issuer != NULL &&
+ p11_attr_match_value (subject, issuer->pValue, issuer->ulValueLen));
+}
+
+static void
+update_category (p11_parser *parser,
+ CK_ATTRIBUTE *cert)
+{
+ CK_ATTRIBUTE *category;
+ int is_ca = 0;
+ unsigned char *data;
+ size_t length;
+ int ret;
+
+ /* See if we have a basic constraints extension */
+ data = p11_parsing_get_extension (parser, parser->parsing, P11_OID_BASIC_CONSTRAINTS, &length);
+ if (data) {
+ if (!p11_parse_basic_constraints (parser, data, length, &is_ca))
+ p11_message ("invalid basic constraints certificate extension");
+ free (data);
+
+ } else if (is_v1_x509_authority (cert, parser->cert_asn)) {
+ /*
+ * If there is no basic constraints extension, and the CA version is
+ * v1, and is self-signed, then we assume this is a certificate authority.
+ * So we add a BasicConstraints stapled certificate extension
+ */
+ is_ca = 1;
+ ret = build_bc_extension (parser, cert, CK_FALSE, is_ca);
+ return_if_fail (ret == P11_PARSE_SUCCESS);
+ }
+
+ category = p11_attrs_find (cert, CKA_CERTIFICATE_CATEGORY);
+ assert (category != NULL);
+ assert (category->pValue != NULL);
+ assert (category->ulValueLen == sizeof (CK_ULONG));
+
+ /*
+ * In the PKCS#11 spec:
+ * 0 = unspecified (default value)
+ * 1 = token user
+ * 2 = authority
+ * 3 = other entity
+ */
+ *((CK_ULONG *)category->pValue) = is_ca ? 2 : 3;
+}
+
+static void
+update_trust_and_distrust (p11_parser *parser,
+ CK_ATTRIBUTE *cert)
+{
+ CK_ATTRIBUTE *attr;
+ CK_BBOOL trusted;
+ CK_BBOOL distrusted;
+ unsigned char *data;
+ size_t length;
+ p11_dict *ekus;
+
+ /*
+ * This function is called to update the CKA_TRUSTED and CKA_X_DISTRUSTED
+ * fields (anchor and blacklist). Some other code may have updated the
+ * related extensions, so this may be called more than once.
+ *
+ * Since some input like OpenSSL model blacklists as anchors with all
+ * purposes being removed/rejected, we account for that here. If there
+ * is an ExtendedKeyUsage without any useful purposes, then treat
+ * like a blacklist.
+ *
+ * The certificate is an anchor if the parser is in anchor mode.
+ */
+
+ trusted = (parser->flags & P11_PARSE_FLAG_ANCHOR) ? CK_TRUE : CK_FALSE;
+ distrusted = (parser->flags & P11_PARSE_FLAG_BLACKLIST) ? CK_TRUE : CK_FALSE;
+
+ /* See if we have a basic constraints extension */
+ data = p11_parsing_get_extension (parser, parser->parsing, P11_OID_EXTENDED_KEY_USAGE, &length);
+ if (data) {
+ ekus = p11_parse_extended_key_usage (parser, data, length);
+ if (ekus == NULL)
+ p11_message ("invalid extendend key usage certificate extension");
+ else if (p11_dict_size (ekus) == 0) {
+ distrusted = CK_TRUE;
+ trusted = CK_FALSE;
+ }
+
+ p11_dict_free (ekus);
+ free (data);
+ }
+
+ attr = p11_attrs_find (cert, CKA_TRUSTED);
+ assert (attr != NULL);
+ assert (attr->pValue != NULL);
+ assert (attr->ulValueLen == sizeof (CK_BBOOL));
+ *((CK_BBOOL *)attr->pValue) = trusted;
+
+ attr = p11_attrs_find (cert, CKA_X_DISTRUSTED);
+ assert (attr != NULL);
+ assert (attr->pValue != NULL);
+ assert (attr->ulValueLen == sizeof (CK_BBOOL));
+ *((CK_BBOOL *)attr->pValue) = distrusted;
+}
+
+void
+p11_parsing_update_certificate (p11_parser *parser,
+ p11_array *parsing)
+{
+ CK_ATTRIBUTE *cert;
+
+ /* Find the certificate to update */
+ cert = p11_parsing_get_certificate (parser, parsing);
+ if (cert == NULL)
+ return;
+
+ /* This should match the above cert */
+ assert (parser->cert_asn != NULL);
+
+ update_category (parser, cert);
+ update_trust_and_distrust (parser, cert);
+}
+
+
+static int
+build_openssl_extensions (p11_parser *parser,
+ CK_ATTRIBUTE *cert,
+ node_asn *aux,
+ const unsigned char *aux_der,
+ size_t aux_len)
{
p11_dict *trust = NULL;
p11_dict *reject = NULL;
@@ -1102,10 +1302,15 @@ build_cert_aux_extensions (p11_parser *parser,
int ret;
int num;
- ret = asn1_number_of_elements (aux, "trust", &num);
- return_val_if_fail (ret == ASN1_SUCCESS || ret == ASN1_ELEMENT_NOT_FOUND, P11_PARSE_FAILURE);
- if (ret == ASN1_SUCCESS)
- trust = load_seq_of_oid_str (aux, "trust");
+ /*
+ * This will load an empty list if there is no OPTIONAL trust field.
+ * OpenSSL assumes that for a TRUSTED CERTIFICATE a missing trust field
+ * is identical to untrusted for all purposes.
+ *
+ * This is different from ExtendedKeyUsage, where a missing certificate
+ * extension means that it is trusted for all purposes.
+ */
+ trust = load_seq_of_oid_str (aux, "trust");
ret = asn1_number_of_elements (aux, "reject", &num);
return_val_if_fail (ret == ASN1_SUCCESS || ret == ASN1_ELEMENT_NOT_FOUND, P11_PARSE_FAILURE);
@@ -1120,7 +1325,7 @@ build_cert_aux_extensions (p11_parser *parser,
}
/*
- * The trust field becomes a standard ExtKeyUsageSyntax.
+ * The trust field (or lack of it) becomes a standard ExtKeyUsageSyntax.
*
* critical: require that this is enforced
*/
@@ -1131,8 +1336,9 @@ build_cert_aux_extensions (p11_parser *parser,
}
/*
- * For the reject field we use a custom defined extension. See oid.h for
- * more details. It uses ExtKeyUsageSyntax structure.
+ * For the reject field we use a custom defined extension. We track this
+ * for completeness, although the above ExtendedKeyUsage extension handles
+ * this data fine. See oid.h for more details. It uses ExtKeyUsageSyntax structure.
*
* non-critical: non-standard, and also covered by trusts
*/
@@ -1156,11 +1362,12 @@ build_cert_aux_extensions (p11_parser *parser,
return_val_if_fail (ret == ASN1_SUCCESS || ret == ASN1_ELEMENT_NOT_FOUND, P11_PARSE_FAILURE);
if (ret == ASN1_SUCCESS) {
- ret = build_stapled_extension (parser, cert, P11_OID_SUBJECT_KEY_IDENTIFIER, CK_FALSE,
- aux_der + start, (end - start) + 1);
+ ret = build_der_extension (parser, cert, P11_OID_SUBJECT_KEY_IDENTIFIER, CK_FALSE,
+ aux_der + start, (end - start) + 1);
return_val_if_fail (ret == P11_PARSE_SUCCESS, ret);
}
+
return P11_PARSE_SUCCESS;
}
@@ -1222,7 +1429,7 @@ parse_openssl_trusted_certificate (p11_parser *parser,
attrs = build_x509_certificate (parser, vid, cert, data, cert_len);
return_val_if_fail (attrs != NULL, P11_PARSE_FAILURE);
- ret = build_cert_aux_extensions (parser, attrs, aux, data + cert_len, length - cert_len);
+ ret = build_openssl_extensions (parser, attrs, aux, data + cert_len, length - cert_len);
return_val_if_fail (ret == P11_PARSE_SUCCESS, ret);
finish_parsing (parser, cert);
diff --git a/trust/parser.h b/trust/parser.h
index 31f307c..da19bce 100644
--- a/trust/parser.h
+++ b/trust/parser.h
@@ -48,6 +48,7 @@ enum {
enum {
P11_PARSE_FLAG_NONE = 0,
P11_PARSE_FLAG_ANCHOR = 1 << 0,
+ P11_PARSE_FLAG_BLACKLIST = 1 << 1
};
#define P11_PARSER_FIRST_HANDLE 0xA0000000UL
@@ -75,6 +76,11 @@ int p11_parse_file (p11_parser *parser,
p11_parser_sink sink,
void *sink_data);
+int p11_parse_basic_constraints (p11_parser *parser,
+ const unsigned char *data,
+ size_t length,
+ int *is_ca);
+
int p11_parse_key_usage (p11_parser *parser,
const unsigned char *data,
size_t length,
@@ -86,8 +92,6 @@ p11_dict * p11_parse_extended_key_usage (p11_parser *parser,
/* Functions used for retrieving parsing information */
-int p11_parsing_get_flags (p11_parser *parser);
-
CK_ATTRIBUTE * p11_parsing_get_certificate (p11_parser *parser,
p11_array *parsing);
@@ -96,4 +100,7 @@ unsigned char * p11_parsing_get_extension (p11_parser *parser,
const unsigned char *oid,
size_t *length);
+void p11_parsing_update_certificate (p11_parser *parser,
+ p11_array *parsing);
+
#endif
diff --git a/trust/tests/test-data.c b/trust/tests/test-data.c
index a3d5373..f159926 100644
--- a/trust/tests/test-data.c
+++ b/trust/tests/test-data.c
@@ -74,7 +74,7 @@ test_check_cacert3_ca_msg (CuTest *cu,
const char *label)
{
CK_CERTIFICATE_TYPE x509 = CKC_X_509;
- CK_ULONG category = 0; /* TODO: Implement */
+ CK_ULONG category = 2; /* authority */
CK_ATTRIBUTE expected[] = {
{ CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) },
@@ -94,6 +94,22 @@ test_check_cacert3_ca_msg (CuTest *cu,
}
void
+test_check_id_msg (CuTest *cu,
+ const char *file,
+ int line,
+ CK_ATTRIBUTE *expected,
+ CK_ATTRIBUTE *attr)
+{
+ CK_ATTRIBUTE *one;
+ CK_ATTRIBUTE *two;
+
+ one = p11_attrs_find (expected, CKA_ID);
+ two = p11_attrs_find (attr, CKA_ID);
+
+ test_check_attr_msg (cu, file, line, one, two);
+}
+
+void
test_check_attrs_msg (CuTest *cu,
const char *file,
int line,
diff --git a/trust/tests/test-data.h b/trust/tests/test-data.h
index e4ff938..300e342 100644
--- a/trust/tests/test-data.h
+++ b/trust/tests/test-data.h
@@ -74,6 +74,15 @@ void test_check_attr_msg (CuTest *cu,
CK_ATTRIBUTE *expected,
CK_ATTRIBUTE *attr);
+#define test_check_id(cu, expected, attrs) \
+ test_check_id_msg (cu, __FILE__, __LINE__, expected, attrs)
+
+void test_check_id_msg (CuTest *cu,
+ const char *file,
+ int line,
+ CK_ATTRIBUTE *expected,
+ CK_ATTRIBUTE *attr);
+
static const unsigned char test_cacert3_ca_der[] = {
0x30, 0x82, 0x07, 0x59, 0x30, 0x82, 0x05, 0x41, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x03, 0x0a,
0x41, 0x8a, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
diff --git a/trust/tests/test-parser.c b/trust/tests/test-parser.c
index 493dcb3..5bb690a 100644
--- a/trust/tests/test-parser.c
+++ b/trust/tests/test-parser.c
@@ -86,8 +86,9 @@ on_parse_object (CK_ATTRIBUTE *attrs,
static void
test_parse_der_certificate (CuTest *cu)
{
- CK_ATTRIBUTE *attrs;
- CK_ATTRIBUTE *attr;
+ CK_ATTRIBUTE *cert;
+ CK_ATTRIBUTE *object;
+ CK_BBOOL bval;
int ret;
setup (cu);
@@ -99,11 +100,19 @@ test_parse_der_certificate (CuTest *cu)
/* Should have gotten certificate and a trust object */
CuAssertIntEquals (cu, 2, test.objects->num);
- attrs = test.objects->elem[0];
- test_check_cacert3_ca (cu, attrs, NULL);
+ cert = test.objects->elem[0];
+ test_check_cacert3_ca (cu, cert, NULL);
+
+ if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval))
+ CuFail (cu, "missing CKA_TRUSTED");
+ CuAssertIntEquals (cu, CK_FALSE, bval);
+
+ if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval))
+ CuFail (cu, "missing CKA_X_DISTRUSTED");
+ CuAssertIntEquals (cu, CK_FALSE, bval);
- attr = p11_attrs_find (attrs, CKA_TRUSTED);
- CuAssertPtrEquals (cu, NULL, attr);
+ object = test.objects->elem[1];
+ test_check_id (cu, cert, object);
teardown (cu);
}
@@ -111,8 +120,9 @@ test_parse_der_certificate (CuTest *cu)
static void
test_parse_pem_certificate (CuTest *cu)
{
- CK_ATTRIBUTE *attrs;
- CK_ATTRIBUTE *attr;
+ CK_ATTRIBUTE *cert;
+ CK_ATTRIBUTE *object;
+ CK_BBOOL bval;
int ret;
setup (cu);
@@ -124,11 +134,19 @@ test_parse_pem_certificate (CuTest *cu)
/* Should have gotten certificate and a trust object */
CuAssertIntEquals (cu, 2, test.objects->num);
- attrs = test.objects->elem[0];
- test_check_cacert3_ca (cu, attrs, NULL);
+ cert = test.objects->elem[0];
+ test_check_cacert3_ca (cu, cert, NULL);
+
+ if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval))
+ CuFail (cu, "missing CKA_TRUSTED");
+ CuAssertIntEquals (cu, CK_FALSE, bval);
+
+ if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval))
+ CuFail (cu, "missing CKA_X_DISTRUSTED");
+ CuAssertIntEquals (cu, CK_FALSE, bval);
- attr = p11_attrs_find (attrs, CKA_TRUSTED);
- CuAssertPtrEquals (cu, NULL, attr);
+ object = test.objects->elem[1];
+ test_check_id (cu, cert, object);
teardown (cu);
}
@@ -136,7 +154,7 @@ test_parse_pem_certificate (CuTest *cu)
static void
test_parse_openssl_trusted (CuTest *cu)
{
- CK_TRUST trusted = CKT_NETSCAPE_TRUSTED;
+ CK_TRUST trusted = CKT_NETSCAPE_TRUSTED_DELEGATOR;
CK_TRUST distrusted = CKT_NETSCAPE_UNTRUSTED;
CK_TRUST unknown = CKT_NETSCAPE_TRUST_UNKNOWN;
CK_OBJECT_CLASS certificate_extension = CKO_X_CERTIFICATE_EXTENSION;
@@ -149,6 +167,8 @@ test_parse_openssl_trusted (CuTest *cu)
{ CKA_CLASS, &certificate_extension, sizeof (certificate_extension), },
{ CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) },
{ CKA_X_CRITICAL, &vtrue, sizeof (vtrue) },
+ { CKA_VALUE, "\x30\x14\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01\x06\x08\x2b\x06"
+ "\x01\x05\x05\x07\x03\x02", 22 },
{ CKA_INVALID },
};
@@ -157,6 +177,7 @@ test_parse_openssl_trusted (CuTest *cu)
{ CKA_CLASS, &certificate_extension, sizeof (certificate_extension), },
{ CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) },
{ CKA_X_CRITICAL, &vfalse, sizeof (vfalse) },
+ { CKA_VALUE, "\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x04", 12 },
{ CKA_INVALID },
};
@@ -186,33 +207,149 @@ test_parse_openssl_trusted (CuTest *cu)
{ CKA_INVALID, }
};
- CK_ATTRIBUTE *attrs;
- CK_ATTRIBUTE *attr;
+ CK_ATTRIBUTE *cert;
+ CK_ATTRIBUTE *object;
+ CK_BBOOL bval;
int ret;
setup (cu);
ret = p11_parse_file (test.parser, SRCDIR "/files/cacert3-trusted.pem",
- 0, on_parse_object, cu);
+ P11_PARSE_FLAG_ANCHOR, on_parse_object, cu);
CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret);
/* Should have gotten certificate, two stapled extensions, and a trust object */
CuAssertIntEquals (cu, 4, test.objects->num);
- attrs = test.objects->elem[0];
- test_check_cacert3_ca (cu, attrs, NULL);
+ cert = test.objects->elem[0];
+ test_check_cacert3_ca (cu, cert, NULL);
+
+ if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval))
+ CuFail (cu, "missing CKA_TRUSTED");
+ CuAssertIntEquals (cu, CK_TRUE, bval);
+
+ if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval))
+ CuFail (cu, "missing CKA_X_DISTRUSTED");
+ CuAssertIntEquals (cu, CK_FALSE, bval);
+
+ object = test.objects->elem[1];
+ test_check_attrs (cu, eku_extension, object);
+ test_check_id (cu, cert, object);
+
+ object = test.objects->elem[2];
+ test_check_attrs (cu, reject_extension, object);
+ test_check_id (cu, cert, object);
+
+ object = test.objects->elem[3];
+ test_check_attrs (cu, nss_trust, object);
+ test_check_id (cu, cert, object);
+
+ teardown (cu);
+}
+
+static void
+test_parse_openssl_distrusted (CuTest *cu)
+{
+ CK_TRUST distrusted = CKT_NETSCAPE_UNTRUSTED;
+ CK_OBJECT_CLASS certificate_extension = CKO_X_CERTIFICATE_EXTENSION;
+ CK_OBJECT_CLASS trust_object = CKO_NETSCAPE_TRUST;
+ CK_OBJECT_CLASS klass = CKO_CERTIFICATE;
+ CK_CERTIFICATE_TYPE x509 = CKC_X_509;
+ CK_ULONG category = 2; /* authority */
+ CK_BBOOL vtrue = CK_TRUE;
+ CK_BBOOL vfalse = CK_FALSE;
+
+ CK_ATTRIBUTE certificate[] = {
+ { CKA_CLASS, &klass, sizeof (klass), },
+ { CKA_TOKEN, &vtrue, sizeof (vtrue) },
+ { CKA_PRIVATE, &vfalse, sizeof (vfalse) },
+ { CKA_MODIFIABLE, &vfalse, sizeof (vfalse) },
+ { CKA_CLASS, &klass, sizeof (klass) },
+ { CKA_LABEL, "Red Hat Is the CA", 17 },
+ { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) },
+ { CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) },
+ { CKA_CHECK_VALUE, "\xe9z}", 3 },
+ { CKA_START_DATE, "20090916", 8 },
+ { CKA_END_DATE, "20190914", 8, },
+ { CKA_SERIAL_NUMBER, "\x02\x01\x01", 3 },
+ { CKA_TRUSTED, &vfalse, sizeof (vfalse) },
+ { CKA_X_DISTRUSTED, &vtrue, sizeof (vtrue) },
+ { CKA_INVALID },
+ };
+
+ CK_ATTRIBUTE eku_extension[] = {
+ { CKA_LABEL, "Red Hat Is the CA", 17 },
+ { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), },
+ { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) },
+ { CKA_X_CRITICAL, &vtrue, sizeof (vtrue) },
+ { CKA_VALUE, "\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x10", 14 },
+ { CKA_INVALID },
+ };
+
+ CK_ATTRIBUTE reject_extension[] = {
+ { CKA_LABEL, "Red Hat Is the CA", 17 },
+ { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), },
+ { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) },
+ { CKA_X_CRITICAL, &vfalse, sizeof (vfalse) },
+ { CKA_VALUE, "\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02", 12 },
+ { CKA_INVALID },
+ };
+
+ CK_ATTRIBUTE nss_trust[] = {
+ { CKA_LABEL, "Red Hat Is the CA", 17 },
+ { CKA_CLASS, &trust_object, sizeof (trust_object), },
+ { CKA_CERT_SHA1_HASH, "\xe9z}\xe3\x82""7\xa0U\xb1k\xfe\xffo.\x03\x15*\xba\xb9\x90", 20 },
+ { CKA_CERT_MD5_HASH, "\xda\xb4<\xe7;QK\x1a\xe5\xeau\xa1\xc9 \xdf""B", 16 },
+ { CKA_SERIAL_NUMBER, "\x02\x01\x01", 3 },
+ { CKA_TRUST_SERVER_AUTH, &distrusted, sizeof (distrusted) },
+ { CKA_TRUST_CLIENT_AUTH, &distrusted, sizeof (distrusted) },
+ { CKA_TRUST_EMAIL_PROTECTION, &distrusted, sizeof (distrusted) },
+ { CKA_TRUST_CODE_SIGNING, &distrusted, sizeof (distrusted) },
+ { CKA_TRUST_IPSEC_END_SYSTEM, &distrusted, sizeof (distrusted) },
+ { CKA_TRUST_IPSEC_TUNNEL, &distrusted, sizeof (distrusted) },
+ { CKA_TRUST_IPSEC_USER, &distrusted, sizeof (distrusted) },
+ { CKA_TRUST_TIME_STAMPING, &distrusted, sizeof (distrusted) },
+ { CKA_TRUST_DIGITAL_SIGNATURE, &distrusted, sizeof (distrusted) },
+ { CKA_TRUST_NON_REPUDIATION, &distrusted, sizeof (distrusted) },
+ { CKA_TRUST_KEY_ENCIPHERMENT, &distrusted, sizeof (distrusted) },
+ { CKA_TRUST_DATA_ENCIPHERMENT, &distrusted, sizeof (distrusted) },
+ { CKA_TRUST_KEY_AGREEMENT, &distrusted, sizeof (distrusted) },
+ { CKA_TRUST_KEY_CERT_SIGN, &distrusted, sizeof (distrusted) },
+ { CKA_TRUST_CRL_SIGN, &distrusted, sizeof (distrusted) },
+ { CKA_INVALID, }
+ };
- attr = p11_attrs_find (attrs, CKA_TRUSTED);
- CuAssertPtrEquals (cu, NULL, attr);
+ CK_ATTRIBUTE *cert;
+ CK_ATTRIBUTE *object;
+ int ret;
- attrs = test.objects->elem[1];
- test_check_attrs (cu, eku_extension, attrs);
+ setup (cu);
- attrs = test.objects->elem[2];
- test_check_attrs (cu, reject_extension, attrs);
+ /*
+ * OpenSSL style is to litter the blacklist in with the anchors,
+ * so we parse this as an anchor, but expect it to be blacklisted
+ */
+ ret = p11_parse_file (test.parser, SRCDIR "/files/distrusted.pem",
+ P11_PARSE_FLAG_ANCHOR, on_parse_object, cu);
+ CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret);
- attrs = test.objects->elem[3];
- test_check_attrs (cu, nss_trust, attrs);
+ /* Should have gotten certificate, one stapled extensions, and a trust object */
+ CuAssertIntEquals (cu, 4, test.objects->num);
+
+ cert = test.objects->elem[0];
+ test_check_attrs (cu, certificate, cert);
+
+ object = test.objects->elem[1];
+ test_check_attrs (cu, eku_extension, object);
+ test_check_id (cu, cert, object);
+
+ object = test.objects->elem[2];
+ test_check_attrs (cu, reject_extension, object);
+ test_check_id (cu, cert, object);
+
+ object = test.objects->elem[3];
+ test_check_attrs (cu, nss_trust, object);
+ test_check_id (cu, cert, object);
teardown (cu);
}
@@ -227,7 +364,7 @@ test_parse_with_key_usage (CuTest *cu)
CK_BBOOL vtrue = CK_TRUE;
CK_BBOOL vfalse = CK_FALSE;
CK_CERTIFICATE_TYPE x509 = CKC_X_509;
- CK_ULONG category = 0; /* TODO: Implement */
+ CK_ULONG category = 3; /* other entity */
CK_ATTRIBUTE certificate[] = {
{ CKA_CLASS, &klass, sizeof (klass), },
@@ -244,6 +381,8 @@ test_parse_with_key_usage (CuTest *cu)
{ CKA_ISSUER, "0*1(0&\x06\x03U\x04\x03\x13\x1f""self-signed-with-ku.example.com", 44 },
{ CKA_SUBJECT, "0*1(0&\x06\x03U\x04\x03\x13\x1f""self-signed-with-ku.example.com", 44 },
{ CKA_SERIAL_NUMBER, "\x02\x02\x03x", 4 },
+ { CKA_TRUSTED, &vtrue, sizeof (vtrue) },
+ { CKA_X_DISTRUSTED, &vfalse, sizeof (vfalse) },
{ CKA_INVALID },
};
@@ -273,41 +412,34 @@ test_parse_with_key_usage (CuTest *cu)
{ CKA_INVALID, }
};
- CK_ATTRIBUTE *attrs;
- CK_ATTRIBUTE *attr;
+ CK_ATTRIBUTE *cert;
+ CK_ATTRIBUTE *object;
+ CK_BBOOL bval;
int ret;
setup (cu);
ret = p11_parse_file (test.parser, SRCDIR "/files/self-signed-with-ku.der",
- 0, on_parse_object, cu);
+ P11_PARSE_FLAG_ANCHOR, on_parse_object, cu);
CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret);
- /* Should have gotten certificate, two stapled extensions, and a trust object */
+ /* Should have gotten certificate, and a trust object */
CuAssertIntEquals (cu, 2, test.objects->num);
- attrs = test.objects->elem[0];
- test_check_attrs (cu, certificate, attrs);
+ cert = test.objects->elem[0];
+ test_check_attrs (cu, certificate, cert);
- attr = p11_attrs_find (attrs, CKA_TRUSTED);
- CuAssertPtrEquals (cu, NULL, attr);
+ if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval))
+ CuFail (cu, "missing CKA_TRUSTED");
+ CuAssertIntEquals (cu, CK_TRUE, bval);
- attrs = test.objects->elem[1];
- test_check_attrs (cu, nss_trust, attrs);
+ if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval))
+ CuFail (cu, "missing CKA_X_DISTRUSTED");
+ CuAssertIntEquals (cu, CK_FALSE, bval);
- teardown (cu);
-}
-
-static void
-test_parse_distrusted (CuTest *cu)
-{
- int ret;
-
- setup (cu);
-
- ret = p11_parse_file (test.parser, SRCDIR "/files/distrusted.pem",
- 0, on_parse_object, cu);
- CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret);
+ object = test.objects->elem[1];
+ test_check_attrs (cu, nss_trust, object);
+ test_check_id (cu, cert, object);
teardown (cu);
}
@@ -315,7 +447,8 @@ test_parse_distrusted (CuTest *cu)
static void
test_parse_anchor (CuTest *cu)
{
- CK_ATTRIBUTE *attrs;
+ CK_ATTRIBUTE *cert;
+ CK_ATTRIBUTE *object;
CK_ATTRIBUTE *attr;
CK_BBOOL vtrue = CK_TRUE;
CK_ATTRIBUTE trusted = { CKA_TRUSTED, &vtrue, sizeof (vtrue) };
@@ -330,12 +463,15 @@ test_parse_anchor (CuTest *cu)
/* Should have gotten a certificate and a trust object */
CuAssertIntEquals (cu, 2, test.objects->num);
- attrs = test.objects->elem[0];
- test_check_cacert3_ca (cu, attrs, NULL);
+ cert = test.objects->elem[0];
+ test_check_cacert3_ca (cu, cert, NULL);
- attr = p11_attrs_find (attrs, CKA_TRUSTED);
+ attr = p11_attrs_find (cert, CKA_TRUSTED);
test_check_attr (cu, &trusted, attr);
+ object = test.objects->elem[1];
+ test_check_id (cu, cert, object);
+
teardown (cu);
}
@@ -499,8 +635,8 @@ main (void)
SUITE_ADD_TEST (suite, test_parse_der_certificate);
SUITE_ADD_TEST (suite, test_parse_pem_certificate);
SUITE_ADD_TEST (suite, test_parse_openssl_trusted);
+ SUITE_ADD_TEST (suite, test_parse_openssl_distrusted);
SUITE_ADD_TEST (suite, test_parse_with_key_usage);
- SUITE_ADD_TEST (suite, test_parse_distrusted);
SUITE_ADD_TEST (suite, test_parse_anchor);
SUITE_ADD_TEST (suite, test_parse_no_sink);
SUITE_ADD_TEST (suite, test_parse_invalid_file);
diff --git a/trust/tests/test-token.c b/trust/tests/test-token.c
index 8a5b34d..2ed1134 100644
--- a/trust/tests/test-token.c
+++ b/trust/tests/test-token.c
@@ -76,7 +76,7 @@ test_token_load (CuTest *cu)
/* A certificate and trust object for each parsed object + builtin */
objects = p11_token_objects (test.token);
- CuAssertIntEquals (cu, ((count - 1) * 2) + 1, p11_dict_size (objects));
+ CuAssertTrue (cu, ((count - 1) * 2) + 1 <= p11_dict_size (objects));
teardown (cu);
}