summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--trust/input/extensions.p11-kit23
-rw-r--r--trust/input/extensions.pem13
-rw-r--r--trust/module.c42
-rw-r--r--trust/test-module.c45
-rw-r--r--trust/test-token.c2
5 files changed, 120 insertions, 5 deletions
diff --git a/trust/input/extensions.p11-kit b/trust/input/extensions.p11-kit
new file mode 100644
index 0000000..7a2fdb0
--- /dev/null
+++ b/trust/input/extensions.p11-kit
@@ -0,0 +1,23 @@
+[p11-kit-object-v1]
+class: x-certificate-extension
+label: "Example CA restriction for example.com and corp.example.com"
+object-id: 2.5.29.30
+value: "%30%2e%06%03%55%1d%1e%04%27%30%25%a0%23%30%0d%82%0b%65%78%61%6d%70%6c%65%2e%63%6f%6d%30%12%82%10%63%6f%72%70%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d"
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRtTajie6qgC9T/RJ1PvN6ntav
++rwcYBBLJoETGlnj/kVsOAQ5J0ZX/dW8jYoQtjvUCoFaRS/sPoHw2U5Pl99LMg8I
+sSaivWlhXWY5Yy8QcDX7B4UK/1cSwfSDHfnG06S2cCuAoUB/SE7ZreuAzM+SwdGD
+ZAEjR469MZgFa2t8NwIDAQAB
+-----END PUBLIC KEY-----
+
+[p11-kit-object-v1]
+class: x-certificate-extension
+label: "Example CA restriction for example.com and corp.example.org"
+object-id: 2.5.29.30
+value: "%30%2e%06%03%55%1d%1e%04%27%30%25%a0%23%30%0d%82%0b%65%78%61%6d%70%6c%65%2e%63%6f%6d%30%12%82%10%63%6f%72%70%2e%65%78%61%6d%70%6c%65%2e%6f%72%67"
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRtTajie6qgC9T/RJ1PvN6ntav
++rwcYBBLJoETGlnj/kVsOAQ5J0ZX/dW8jYoQtjvUCoFaRS/sPoHw2U5Pl99LMg8I
+sSaivWlhXWY5Yy8QcDX7B4UK/1cSwfSDHfnG06S2cCuAoUB/SE7ZreuAzM+SwdGD
+ZAEjR469MZgFa2t8NwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/trust/input/extensions.pem b/trust/input/extensions.pem
new file mode 100644
index 0000000..8369815
--- /dev/null
+++ b/trust/input/extensions.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB7DCCAVWgAwIBAgIIWRMNpygap1cwDQYJKoZIhvcNAQELBQAwFTETMBEGA1UE
+AxMKRXhhbXBsZSBDQTAgFw0xNzA1MTAxMjU1MDVaGA85OTk5MTIzMTIzNTk1OVow
+FTETMBEGA1UEAxMKRXhhbXBsZSBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEA0bU2o4nuqoAvU/0SdT7zep7Wr/q8HGAQSyaBExpZ4/5FbDgEOSdGV/3VvI2K
+ELY71AqBWkUv7D6B8NlOT5ffSzIPCLEmor1pYV1mOWMvEHA1+weFCv9XEsH0gx35
+xtOktnArgKFAf0hO2a3rgMzPksHRg2QBI0eOvTGYBWtrfDcCAwEAAaNDMEEwDwYD
+VR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBTAf2LZgNFX
+6uQKWnFh05Br9JgOUjANBgkqhkiG9w0BAQsFAAOBgQA0xZVI3WmyWaa56nTSiuco
+3u0Cye7N8bSzlfi2kmyh8efA7/OCyBuUzCtvmiftsfcG6fPz3A8fdk5sA2oy0gyY
+kJXukhHmLP0FHLVpa3vw1Sva5AlAkLGeQ25aSeYVZCASalMAAS72WAhsKdaD5TRS
+ifWyno0SswLLpXIJsLW2Lw==
+-----END CERTIFICATE-----
diff --git a/trust/module.c b/trust/module.c
index 7fce465..e6fb7a9 100644
--- a/trust/module.c
+++ b/trust/module.c
@@ -45,6 +45,7 @@
#include "library.h"
#include "message.h"
#include "module.h"
+#include "oid.h"
#include "parser.h"
#include "path.h"
#include "pkcs11.h"
@@ -77,6 +78,8 @@ typedef struct _FindObjects {
CK_ATTRIBUTE *match;
CK_OBJECT_HANDLE *snapshot;
CK_ULONG iterator;
+ CK_ATTRIBUTE *public_key;
+ p11_dict *extensions;
} FindObjects;
static CK_FUNCTION_LIST sys_function_list;
@@ -87,6 +90,7 @@ find_objects_free (void *data)
FindObjects *find = data;
p11_attrs_free (find->match);
free (find->snapshot);
+ p11_dict_free (find->extensions);
free (find);
}
@@ -1147,6 +1151,7 @@ sys_C_FindObjectsInit (CK_SESSION_HANDLE handle,
char *string;
CK_RV rv;
int n = 0;
+ CK_OBJECT_CLASS klass;
if (p11_debugging) {
string = p11_attrs_to_string (template, count);
@@ -1190,6 +1195,14 @@ sys_C_FindObjectsInit (CK_SESSION_HANDLE handle,
find->iterator = 0;
find->snapshot = p11_index_snapshot (indices[0], indices[1], template, count);
warn_if_fail (find->snapshot != NULL);
+
+ if (p11_attrs_find_ulong (find->match, CKA_CLASS, &klass) &&
+ klass == CKO_X_CERTIFICATE_EXTENSION) {
+ find->public_key = p11_attrs_find (find->match, CKA_PUBLIC_KEY_INFO);
+ find->extensions = p11_dict_new (p11_oid_hash,
+ p11_oid_equal,
+ free, NULL);
+ }
}
if (!find || !find->snapshot || !find->match)
@@ -1243,10 +1256,10 @@ match_for_broken_nss_serial_number_lookups (CK_ATTRIBUTE *attr,
static bool
find_objects_match (CK_ATTRIBUTE *attrs,
- CK_ATTRIBUTE *match)
+ FindObjects *find)
{
CK_OBJECT_CLASS klass;
- CK_ATTRIBUTE *attr;
+ CK_ATTRIBUTE *attr, *match = find->match;
for (; !p11_attrs_terminator (match); match++) {
attr = p11_attrs_find ((CK_ATTRIBUTE *)attrs, match->type);
@@ -1274,6 +1287,29 @@ find_objects_match (CK_ATTRIBUTE *attrs,
return false;
}
+ /*
+ * WORKAROUND: We keep all objects in the database, while PKIX
+ * doesn't allow multiple extensions identified by the same
+ * OID can be attached to a certificate. Check any duplicate
+ * and only return the first matching object.
+ */
+ if (find->public_key &&
+ p11_attrs_find_ulong (attrs, CKA_CLASS, &klass) &&
+ klass == CKO_X_CERTIFICATE_EXTENSION) {
+ CK_ATTRIBUTE *oid = p11_attrs_find (attrs, CKA_OBJECT_ID);
+ if (oid) {
+ void *value;
+ if (p11_oid_simple (oid->pValue, oid->ulValueLen) &&
+ p11_dict_get (find->extensions, oid->pValue)) {
+ p11_debug ("duplicate extension object");
+ return false;
+ }
+ value = memdup (oid->pValue, oid->ulValueLen);
+ return_val_if_fail (value != NULL, false);
+ p11_dict_set (find->extensions, value, value);
+ }
+ }
+
return true;
}
@@ -1317,7 +1353,7 @@ sys_C_FindObjects (CK_SESSION_HANDLE handle,
if (attrs == NULL)
continue;
- if (find_objects_match (attrs, find->match)) {
+ if (find_objects_match (attrs, find)) {
objects[matched] = object;
matched++;
}
diff --git a/trust/test-module.c b/trust/test-module.c
index 1729b41..36fbfe4 100644
--- a/trust/test-module.c
+++ b/trust/test-module.c
@@ -623,13 +623,55 @@ test_find_certificates (void)
CK_ULONG i;
count = find_objects (match, sessions, objects, 16);
- assert_num_eq (8, count);
+ assert_num_eq (9, count);
for (i = 0; i < count; i++)
check_certificate (sessions[i], objects[i]);
}
static void
+test_find_extensions (void)
+{
+ CK_OBJECT_CLASS klass = CKO_X_CERTIFICATE_EXTENSION;
+ unsigned char spki[] = {
+ 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a,
+ 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
+ 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81,
+ 0x89, 0x02, 0x81, 0x81, 0x00, 0xd1, 0xb5, 0x36,
+ 0xa3, 0x89, 0xee, 0xaa, 0x80, 0x2f, 0x53, 0xfd,
+ 0x12, 0x75, 0x3e, 0xf3, 0x7a, 0x9e, 0xd6, 0xaf,
+ 0xfa, 0xbc, 0x1c, 0x60, 0x10, 0x4b, 0x26, 0x81,
+ 0x13, 0x1a, 0x59, 0xe3, 0xfe, 0x45, 0x6c, 0x38,
+ 0x04, 0x39, 0x27, 0x46, 0x57, 0xfd, 0xd5, 0xbc,
+ 0x8d, 0x8a, 0x10, 0xb6, 0x3b, 0xd4, 0x0a, 0x81,
+ 0x5a, 0x45, 0x2f, 0xec, 0x3e, 0x81, 0xf0, 0xd9,
+ 0x4e, 0x4f, 0x97, 0xdf, 0x4b, 0x32, 0x0f, 0x08,
+ 0xb1, 0x26, 0xa2, 0xbd, 0x69, 0x61, 0x5d, 0x66,
+ 0x39, 0x63, 0x2f, 0x10, 0x70, 0x35, 0xfb, 0x07,
+ 0x85, 0x0a, 0xff, 0x57, 0x12, 0xc1, 0xf4, 0x83,
+ 0x1d, 0xf9, 0xc6, 0xd3, 0xa4, 0xb6, 0x70, 0x2b,
+ 0x80, 0xa1, 0x40, 0x7f, 0x48, 0x4e, 0xd9, 0xad,
+ 0xeb, 0x80, 0xcc, 0xcf, 0x92, 0xc1, 0xd1, 0x83,
+ 0x64, 0x01, 0x23, 0x47, 0x8e, 0xbd, 0x31, 0x98,
+ 0x05, 0x6b, 0x6b, 0x7c, 0x37, 0x02, 0x03, 0x01,
+ 0x00, 0x01
+ };
+
+ CK_ATTRIBUTE match[] = {
+ { CKA_CLASS, &klass, sizeof (klass) },
+ { CKA_PUBLIC_KEY_INFO, spki, sizeof (spki) },
+ { CKA_INVALID, }
+ };
+
+ CK_OBJECT_HANDLE objects[16];
+ CK_SESSION_HANDLE sessions[16];
+ CK_ULONG count;
+
+ count = find_objects (match, sessions, objects, 16);
+ assert_num_eq (1, count);
+}
+
+static void
test_find_builtin (void)
{
CK_OBJECT_CLASS klass = CKO_NSS_BUILTIN_ROOT_LIST;
@@ -1194,6 +1236,7 @@ main (int argc,
p11_test (test_get_session_info, "/module/get_session_info");
p11_test (test_close_all_sessions, "/module/close_all_sessions");
p11_test (test_find_certificates, "/module/find_certificates");
+ p11_test (test_find_extensions, "/module/find_extensions");
p11_test (test_find_builtin, "/module/find_builtin");
p11_test (test_lookup_invalid, "/module/lookup_invalid");
p11_test (test_remove_token, "/module/remove_token");
diff --git a/trust/test-token.c b/trust/test-token.c
index 3e7d735..0206bc1 100644
--- a/trust/test-token.c
+++ b/trust/test-token.c
@@ -102,7 +102,7 @@ test_token_load (void *path)
int count;
count = p11_token_load (test.token);
- assert_num_eq (6, count);
+ assert_num_eq (8, count);
/* A certificate and trust object for each parsed object */
index = p11_token_index (test.token);