summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--build/certs/Makefile.am19
-rw-r--r--common/attrs.c1
-rw-r--r--common/constants.c1
-rw-r--r--common/pkcs11x.h1
-rw-r--r--trust/builder.c118
-rw-r--r--trust/extract-info.c112
-rw-r--r--trust/extract-openssl.c37
-rw-r--r--trust/parser.c109
-rw-r--r--trust/tests/Makefile.am1
-rw-r--r--trust/tests/files/multiple.pem (renamed from trust/tests/files/cacert3-trusted-multiple.pem)53
-rw-r--r--trust/tests/files/verisign-v1.pem15
-rw-r--r--trust/tests/frob-eku.c1
-rw-r--r--trust/tests/frob-ext.c118
-rw-r--r--trust/tests/test-builder.c59
-rw-r--r--trust/tests/test-extract.c7
-rw-r--r--trust/tests/test-openssl.c33
-rw-r--r--trust/tests/test-parser.c30
-rw-r--r--trust/tests/test-trust.h62
18 files changed, 561 insertions, 216 deletions
diff --git a/build/certs/Makefile.am b/build/certs/Makefile.am
index 4231591..031cba0 100644
--- a/build/certs/Makefile.am
+++ b/build/certs/Makefile.am
@@ -4,27 +4,28 @@
# distributed in the tarballs
TRUST = $(top_srcdir)/trust/tests
-TOOLS = $(top_srcdir)/tools/tests
prepare-certs:
cp -v cacert3.der $(TRUST)/input/anchors
cp -v cacert3.der $(TRUST)/files
- cp -v cacert3.der $(TOOLS)/files
+ cp -v cacert3.der $(TRUST)/files
+ openssl x509 -in cacert3.der -inform DER -out $(TRUST)/files/cacert3.pem
openssl x509 -in cacert3.der -inform DER -out $(TRUST)/files/cacert3.pem
- openssl x509 -in cacert3.der -inform DER -out $(TOOLS)/files/cacert3.pem
- cat $(TOOLS)/files/cacert3.pem $(TOOLS)/files/cacert3.pem > $(TOOLS)/files/cacert3-twice.pem
+ cat $(TRUST)/files/cacert3.pem $(TRUST)/files/cacert3.pem > $(TRUST)/files/cacert3-twice.pem
openssl x509 -in cacert3.der -inform DER -out $(TRUST)/files/cacert3-trusted.pem \
-addtrust serverAuth -addreject emailProtection \
-setalias "Custom Label"
- cp $(TRUST)/files/cacert3-trusted.pem $(TOOLS)/files/cacert3-trusted-server-alias.pem
- openssl x509 -in cacert3.der -inform DER -out $(TOOLS)/files/cacert3-trusted-alias.pem \
+ cp $(TRUST)/files/cacert3-trusted.pem $(TRUST)/files/cacert3-trusted-server-alias.pem
+ openssl x509 -in cacert3.der -inform DER -out $(TRUST)/files/cacert3-trusted-alias.pem \
-setalias "Custom Label"
- openssl x509 -in cacert3.der -inform DER -out $(TOOLS)/files/cacert3-distrust-all.pem \
+ openssl x509 -in cacert3.der -inform DER -out $(TRUST)/files/cacert3-distrust-all.pem \
-addreject serverAuth -addreject clientAuth -addreject codeSigning \
-addreject emailProtection -addreject ipsecEndSystem -addreject ipsecTunnel \
-addreject ipsecUser -addreject timeStamping
- cat $(TOOLS)/files/cacert3-trusted-server-alias.pem \
- $(TOOLS)/files/cacert3-trusted-alias.pem > $(TOOLS)/files/cacert3-trusted-multiple.pem
+ openssl x509 -in verisign-v1.der -inform DER -out $(TRUST)/files/verisign-v1.pem \
+ -setalias "Custom Label"
+ cat $(TRUST)/files/cacert3-trusted-server-alias.pem \
+ $(TRUST)/files/verisign-v1.pem > $(TRUST)/files/multiple.pem
cp -v cacert-ca.der $(TRUST)/input
cp -v cacert-ca.der $(TRUST)/files
openssl x509 -in redhat-newca.der -inform DER -out $(TRUST)/files/distrusted.pem \
diff --git a/common/attrs.c b/common/attrs.c
index 88906f4..8054e38 100644
--- a/common/attrs.c
+++ b/common/attrs.c
@@ -657,6 +657,7 @@ attribute_is_sensitive (const CK_ATTRIBUTE *attr,
X (CKA_X_PEER)
X (CKA_X_DISTRUSTED)
X (CKA_X_CRITICAL)
+ X (CKA_X_PUBLIC_KEY_INFO)
X (CKA_NSS_URL)
X (CKA_NSS_EMAIL)
X (CKA_NSS_SMIME_INFO)
diff --git a/common/constants.c b/common/constants.c
index 3ff93bd..ca956d3 100644
--- a/common/constants.c
+++ b/common/constants.c
@@ -175,6 +175,7 @@ const p11_constant p11_constant_types[] = {
CT (CKA_X_PEER, "x-peer")
CT (CKA_X_DISTRUSTED, "x-distrusted")
CT (CKA_X_CRITICAL, "x-critical")
+ CT (CKA_X_PUBLIC_KEY_INFO, "x-public-key-info")
{ CKA_INVALID },
};
diff --git a/common/pkcs11x.h b/common/pkcs11x.h
index dfb2a6c..d1c52c3 100644
--- a/common/pkcs11x.h
+++ b/common/pkcs11x.h
@@ -146,6 +146,7 @@ typedef CK_ULONG CK_X_ASSERTION_TYPE;
#define CKO_X_CERTIFICATE_EXTENSION (CKO_X_VENDOR + 200)
#define CKA_X_DISTRUSTED (CKA_X_VENDOR + 100)
#define CKA_X_CRITICAL (CKA_X_VENDOR + 101)
+#define CKA_X_PUBLIC_KEY_INFO (CKA_X_VENDOR + 102)
#endif /* CRYPTOKI_X_VENDOR_DEFINED */
diff --git a/trust/builder.c b/trust/builder.c
index ddca4c6..106968c 100644
--- a/trust/builder.c
+++ b/trust/builder.c
@@ -107,37 +107,38 @@ static unsigned char *
lookup_extension (p11_builder *builder,
p11_index *index,
CK_ATTRIBUTE *cert,
+ CK_ATTRIBUTE *public_key,
const unsigned char *oid,
size_t *ext_len)
{
CK_OBJECT_CLASS klass = CKO_X_CERTIFICATE_EXTENSION;
CK_OBJECT_HANDLE obj;
CK_ATTRIBUTE *attrs;
- unsigned char *ext;
void *value;
size_t length;
node_asn *node;
CK_ATTRIBUTE match[] = {
- { CKA_ID, },
+ { CKA_X_PUBLIC_KEY_INFO, },
{ CKA_OBJECT_ID, (void *)oid, p11_oid_length (oid) },
{ CKA_CLASS, &klass, sizeof (klass) },
{ CKA_INVALID },
};
- /* Look for a stapled certificate extension */
- match[0].pValue = p11_attrs_find_value (cert, CKA_ID, &length);
- if (match[0].pValue != NULL) {
- match[0].ulValueLen = length;
+ if (public_key == NULL)
+ public_key = p11_attrs_find_valid (cert, CKA_X_PUBLIC_KEY_INFO);
+ /* Look for a stapled certificate extension */
+ if (public_key != NULL) {
+ memcpy (match, public_key, sizeof (CK_ATTRIBUTE));
obj = p11_index_find (index, match, -1);
attrs = p11_index_lookup (index, obj);
if (attrs != NULL) {
- value = p11_attrs_find_value (attrs, CKA_VALUE, ext_len);
+ value = p11_attrs_find_value (attrs, CKA_VALUE, &length);
if (value != NULL) {
- ext = memdup (value, *ext_len);
- return_val_if_fail (ext != NULL, NULL);
- return ext;
+ node = decode_or_get_asn1 (builder, "PKIX1.Extension", value, length);
+ return_val_if_fail (node != NULL, NULL);
+ return p11_asn1_read (node, "extnValue", ext_len);
}
}
}
@@ -146,7 +147,7 @@ lookup_extension (p11_builder *builder,
value = p11_attrs_find_value (cert, CKA_VALUE, &length);
if (value != NULL) {
node = decode_or_get_asn1 (builder, "PKIX1.Certificate", value, length);
- return_val_if_fail (node != NULL, false);
+ return_val_if_fail (node != NULL, NULL);
return p11_x509_find_extension (node, oid, value, length, ext_len);
}
@@ -156,19 +157,14 @@ lookup_extension (p11_builder *builder,
static CK_OBJECT_HANDLE *
lookup_related (p11_index *index,
CK_OBJECT_CLASS klass,
- CK_ATTRIBUTE *id)
+ CK_ATTRIBUTE *attr)
{
CK_ATTRIBUTE match[] = {
- { CKA_ID, },
+ { attr->type, attr->pValue, attr->ulValueLen },
{ CKA_CLASS, &klass, sizeof (klass) },
{ CKA_INVALID }
};
- return_val_if_fail (id != NULL, NULL);
-
- match[0].pValue = id->pValue;
- match[0].ulValueLen = id->ulValueLen;
-
return p11_index_find_all (index, match, -1);
}
@@ -312,10 +308,23 @@ static bool
type_der_cert (p11_builder *builder,
CK_ATTRIBUTE *attr)
{
- /* AttributeType is an OBJECT ID */
return check_der_struct (builder, "PKIX1.Certificate", attr);
}
+static bool
+type_der_key (p11_builder *builder,
+ CK_ATTRIBUTE *attr)
+{
+ return check_der_struct (builder, "PKIX1.SubjectPublicKeyInfo", attr);
+}
+
+static bool
+type_der_ext (p11_builder *builder,
+ CK_ATTRIBUTE *attr)
+{
+ return check_der_struct (builder, "PKIX1.Extension", attr);
+}
+
#define COMMON_ATTRS \
{ CKA_CLASS, REQUIRE | CREATE, type_ulong }, \
{ CKA_TOKEN, CREATE | WANT, type_bool }, \
@@ -539,6 +548,7 @@ static bool
calc_certificate_category (p11_builder *builder,
p11_index *index,
CK_ATTRIBUTE *cert,
+ CK_ATTRIBUTE *public_key,
CK_ULONG *category)
{
unsigned char *ext;
@@ -555,7 +565,7 @@ calc_certificate_category (p11_builder *builder,
*/
/* See if we have a basic constraints extension */
- ext = lookup_extension (builder, index, cert, P11_OID_BASIC_CONSTRAINTS, &ext_len);
+ ext = lookup_extension (builder, index, cert, public_key, P11_OID_BASIC_CONSTRAINTS, &ext_len);
if (ext != NULL) {
ret = p11_x509_parse_basic_constraints (builder->asn1_defs, ext, ext_len, &is_ca);
free (ext);
@@ -589,7 +599,8 @@ static CK_ATTRIBUTE *
certificate_value_attrs (CK_ATTRIBUTE *attrs,
node_asn *node,
const unsigned char *der,
- size_t der_len)
+ size_t der_len,
+ CK_ATTRIBUTE *public_key)
{
unsigned char checksum[P11_HASH_SHA1_LEN];
CK_BBOOL falsev = CK_FALSE;
@@ -626,6 +637,10 @@ certificate_value_attrs (CK_ATTRIBUTE *attrs,
if (!calc_date (node, "tbsCertificate.validity.notAfter", &endv))
end_date.ulValueLen = 0;
+ if (calc_element (node, der, der_len, "tbsCertificate.subjectPublicKeyInfo", public_key))
+ public_key->type = CKA_X_PUBLIC_KEY_INFO;
+ else
+ public_key->type = CKA_INVALID;
calc_element (node, der, der_len, "tbsCertificate.issuer.rdnSequence", &issuer);
if (!calc_element (node, der, der_len, "tbsCertificate.subject.rdnSequence", &subject))
subject.type = CKA_INVALID;
@@ -657,7 +672,7 @@ certificate_value_attrs (CK_ATTRIBUTE *attrs,
attrs = p11_attrs_build (attrs, &trusted, &distrusted, &url, &hash_of_issuer_public_key,
&hash_of_subject_public_key, &java_midp_security_domain,
&check_value, &start_date, &end_date, &id,
- &subject, &issuer, &serial_number, &label,
+ &subject, &issuer, &serial_number, &label, public_key,
NULL);
return_val_if_fail (attrs != NULL, NULL);
@@ -672,6 +687,7 @@ certificate_populate (p11_builder *builder,
{
CK_ULONG categoryv = 0UL;
CK_ATTRIBUTE *attrs = NULL;
+ CK_ATTRIBUTE public_key;
node_asn *node = NULL;
unsigned char *der = NULL;
size_t der_len = 0;
@@ -686,10 +702,10 @@ certificate_populate (p11_builder *builder,
if (der != NULL)
node = decode_or_get_asn1 (builder, "PKIX1.Certificate", der, der_len);
- attrs = certificate_value_attrs (attrs, node, der, der_len);
+ attrs = certificate_value_attrs (attrs, node, der, der_len, &public_key);
return_val_if_fail (attrs != NULL, NULL);
- if (!calc_certificate_category (builder, index, cert, &categoryv))
+ if (!calc_certificate_category (builder, index, cert, &public_key, &categoryv))
categoryv = 0;
return p11_attrs_build (attrs, &category, &empty_value, NULL);
@@ -745,6 +761,7 @@ const static builder_schema certificate_schema = {
{ CKA_HASH_OF_SUBJECT_PUBLIC_KEY, CREATE },
{ CKA_HASH_OF_ISSUER_PUBLIC_KEY, CREATE },
{ CKA_JAVA_MIDP_SECURITY_DOMAIN, CREATE, type_ulong },
+ { CKA_X_PUBLIC_KEY_INFO, CREATE | WANT, type_der_key },
{ CKA_INVALID },
}, certificate_populate, certificate_validate,
};
@@ -754,16 +771,27 @@ extension_populate (p11_builder *builder,
p11_index *index,
CK_ATTRIBUTE *extension)
{
+ CK_ATTRIBUTE object_id = { CKA_OBJECT_ID };
CK_ATTRIBUTE *attrs = NULL;
+ void *der;
+ size_t len;
+ node_asn *asn;
attrs = common_populate (builder, index, extension);
return_val_if_fail (attrs != NULL, NULL);
- if (!p11_attrs_find_valid (extension, CKA_X_CRITICAL)) {
- CK_BBOOL falsev = CK_FALSE;
- CK_ATTRIBUTE critical = { CKA_X_CRITICAL, &falsev, sizeof (falsev) };
- attrs = p11_attrs_build (attrs, &critical, NULL);
- return_val_if_fail (attrs != NULL, NULL);
+ /* Pull the object id out of the extension if not present */
+ if (!p11_attrs_find_valid (attrs, CKA_OBJECT_ID)) {
+ der = p11_attrs_find_value (extension, CKA_VALUE, &len);
+ return_val_if_fail (der != NULL, NULL);
+
+ asn = decode_or_get_asn1 (builder, "PKIX1.Extension", der, len);
+ return_val_if_fail (asn != NULL, NULL);
+
+ if (calc_element (asn, der, len, "extnID", &object_id)) {
+ attrs = p11_attrs_build (attrs, &object_id, NULL);
+ return_val_if_fail (attrs != NULL, NULL);
+ }
}
return attrs;
@@ -772,10 +800,10 @@ extension_populate (p11_builder *builder,
const static builder_schema extension_schema = {
NORMAL_BUILD,
{ COMMON_ATTRS,
- { CKA_VALUE, REQUIRE | CREATE },
- { CKA_X_CRITICAL, WANT, type_bool },
- { CKA_OBJECT_ID, REQUIRE | CREATE, type_der_oid },
- { CKA_ID, CREATE | MODIFY | WANT },
+ { CKA_VALUE, REQUIRE | CREATE, type_der_ext },
+ { CKA_X_PUBLIC_KEY_INFO, REQUIRE | CREATE, type_der_key },
+ { CKA_OBJECT_ID, CREATE | WANT, type_der_oid },
+ { CKA_ID, CREATE | MODIFY },
{ CKA_INVALID },
}, extension_populate,
};
@@ -1175,7 +1203,7 @@ build_trust_object_ku (p11_builder *builder,
/* If blacklisted, don't even bother looking at extensions */
if (present != CKT_NSS_NOT_TRUSTED)
- data = lookup_extension (builder, index, cert, P11_OID_KEY_USAGE, &length);
+ data = lookup_extension (builder, index, cert, NULL, P11_OID_KEY_USAGE, &length);
if (data) {
/*
@@ -1648,7 +1676,7 @@ replace_trust_and_assertions (p11_builder *builder,
authority = CK_TRUE;
if (!distrust) {
- ext = lookup_extension (builder, index, cert, P11_OID_EXTENDED_KEY_USAGE, &ext_len);
+ ext = lookup_extension (builder, index, cert, NULL, P11_OID_EXTENDED_KEY_USAGE, &ext_len);
if (ext != NULL) {
purposes = p11_x509_parse_extended_key_usage (builder->asn1_defs, ext, ext_len);
if (purposes == NULL)
@@ -1656,7 +1684,7 @@ replace_trust_and_assertions (p11_builder *builder,
free (ext);
}
- ext = lookup_extension (builder, index, cert, P11_OID_OPENSSL_REJECT, &ext_len);
+ ext = lookup_extension (builder, index, cert, NULL, P11_OID_OPENSSL_REJECT, &ext_len);
if (ext != NULL) {
rejects = p11_x509_parse_extended_key_usage (builder->asn1_defs, ext, ext_len);
if (rejects == NULL)
@@ -1734,14 +1762,14 @@ replace_compat_for_ext (p11_builder *builder,
{
CK_OBJECT_HANDLE *handles;
- CK_ATTRIBUTE *id;
+ CK_ATTRIBUTE *public_key;
int i;
- id = p11_attrs_find_valid (attrs, CKA_ID);
- if (id == NULL)
+ public_key = p11_attrs_find_valid (attrs, CKA_X_PUBLIC_KEY_INFO);
+ if (public_key == NULL)
return;
- handles = lookup_related (index, CKO_CERTIFICATE, id);
+ handles = lookup_related (index, CKO_CERTIFICATE, public_key);
for (i = 0; handles && handles[i] != 0; i++) {
attrs = p11_index_lookup (index, handles[i]);
replace_trust_and_assertions (builder, index, attrs);
@@ -1759,7 +1787,7 @@ update_related_category (p11_builder *builder,
CK_ULONG categoryv = 0UL;
CK_ATTRIBUTE *update;
CK_ATTRIBUTE *cert;
- CK_ATTRIBUTE *id;
+ CK_ATTRIBUTE *public_key;
CK_RV rv;
int i;
@@ -1768,17 +1796,17 @@ update_related_category (p11_builder *builder,
{ CKA_INVALID, },
};
- id = p11_attrs_find_valid (attrs, CKA_ID);
- if (id == NULL)
+ public_key = p11_attrs_find_valid (attrs, CKA_X_PUBLIC_KEY_INFO);
+ if (public_key == NULL)
return;
/* Find all other objects with this handle */
- handles = lookup_related (index, CKO_CERTIFICATE, id);
+ handles = lookup_related (index, CKO_CERTIFICATE, public_key);
for (i = 0; handles && handles[i] != 0; i++) {
cert = p11_index_lookup (index, handle);
- if (calc_certificate_category (builder, index, cert, &categoryv)) {
+ if (calc_certificate_category (builder, index, cert, public_key, &categoryv)) {
update = p11_attrs_build (NULL, &category, NULL);
rv = p11_index_update (index, handles[i], update);
return_if_fail (rv == CKR_OK);
diff --git a/trust/extract-info.c b/trust/extract-info.c
index f125b8a..63fd03e 100644
--- a/trust/extract-info.c
+++ b/trust/extract-info.c
@@ -50,10 +50,50 @@
#include <stdlib.h>
#include <string.h>
+static bool
+load_stapled_extension (p11_dict *stapled,
+ p11_dict *asn1_defs,
+ const unsigned char *der,
+ size_t len)
+{
+ char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE];
+ node_asn *ext;
+ char *oid;
+ int length;
+ int start;
+ int end;
+ int ret;
+
+ ext = p11_asn1_decode (asn1_defs, "PKIX1.Extension", der, len, message);
+ if (ext == NULL) {
+ p11_message ("couldn't parse stapled certificate extension: %s", message);
+ return false;
+ }
+
+ ret = asn1_der_decoding_startEnd (ext, der, len, "extnID", &start, &end);
+ return_val_if_fail (ret == ASN1_SUCCESS, false);
+
+ /* Make sure it's a straightforward oid with certain assumptions */
+ length = (end - start) + 1;
+ if (!p11_oid_simple (der + start, length)) {
+ p11_debug ("strange complex certificate extension object id");
+ return false;
+ }
+
+ oid = memdup (der + start, length);
+ return_val_if_fail (oid != NULL, false);
+
+ if (!p11_dict_set (stapled, oid, ext))
+ return_val_if_reached (false);
+
+ return true;
+}
+
static p11_dict *
-load_stapled_extensions (CK_FUNCTION_LIST_PTR module,
+load_stapled_extensions (p11_extract_info *ex,
+ CK_FUNCTION_LIST_PTR module,
CK_SESSION_HANDLE session,
- CK_ATTRIBUTE *id)
+ CK_ATTRIBUTE *spki)
{
CK_OBJECT_CLASS extension = CKO_X_CERTIFICATE_EXTENSION;
CK_ATTRIBUTE *attrs;
@@ -63,21 +103,18 @@ load_stapled_extensions (CK_FUNCTION_LIST_PTR module,
CK_ATTRIBUTE match[] = {
{ CKA_CLASS, &extension, sizeof (extension) },
- { CKA_ID, id->pValue, id->ulValueLen },
+ { CKA_X_PUBLIC_KEY_INFO, spki->pValue, spki->ulValueLen },
};
CK_ATTRIBUTE template[] = {
- { CKA_OBJECT_ID, },
- { CKA_X_CRITICAL, },
{ CKA_VALUE, },
};
- stapled = p11_dict_new (p11_attr_hash,
- (p11_dict_equals)p11_attr_equal,
- NULL, p11_attrs_free);
+ stapled = p11_dict_new (p11_oid_hash, p11_oid_equal,
+ free, p11_asn1_free);
/* No ID to use, just short circuit */
- if (!id->pValue || !id->ulValueLen)
+ if (!spki->pValue || !spki->ulValueLen)
return stapled;
iter = p11_kit_iter_new (NULL, 0);
@@ -87,16 +124,16 @@ load_stapled_extensions (CK_FUNCTION_LIST_PTR module,
while (rv == CKR_OK) {
rv = p11_kit_iter_next (iter);
if (rv == CKR_OK) {
- attrs = p11_attrs_buildn (NULL, template, 3);
- rv = p11_kit_iter_load_attributes (iter, attrs, 3);
- if (rv == CKR_OK || rv == CKR_ATTRIBUTE_TYPE_INVALID) {
- /* CKA_OBJECT_ID is the first attribute, use it as the key */
- if (!p11_dict_set (stapled, attrs, attrs))
- return_val_if_reached (NULL);
- rv = CKR_OK;
- } else {
- p11_attrs_free (attrs);
+ attrs = p11_attrs_buildn (NULL, template, 1);
+ rv = p11_kit_iter_load_attributes (iter, attrs, 1);
+ if (rv == CKR_OK) {
+ if (!load_stapled_extension (stapled, ex->asn1_defs,
+ attrs[0].pValue,
+ attrs[0].ulValueLen)) {
+ rv = CKR_GENERAL_ERROR;
+ }
}
+ p11_attrs_free (attrs);
}
}
@@ -113,33 +150,30 @@ load_stapled_extensions (CK_FUNCTION_LIST_PTR module,
static bool
extract_purposes (p11_extract_info *ex)
{
- CK_ATTRIBUTE oid = { CKA_OBJECT_ID,
- (void *)P11_OID_EXTENDED_KEY_USAGE,
- sizeof (P11_OID_EXTENDED_KEY_USAGE) };
- const unsigned char *ext = NULL;
- unsigned char *alloc = NULL;
- CK_ATTRIBUTE *attrs;
- size_t ext_len;
+ node_asn *ext = NULL;
+ unsigned char *value = NULL;
+ size_t length;
if (ex->stapled) {
- attrs = p11_dict_get (ex->stapled, &oid);
- if (attrs != NULL)
- ext = p11_attrs_find_value (attrs, CKA_VALUE, &ext_len);
+ ext = p11_dict_get (ex->stapled, P11_OID_EXTENDED_KEY_USAGE);
+ if (ext != NULL) {
+ value = p11_asn1_read (ext, "extnValue", &length);
+ return_val_if_fail (value != NULL, false);
+ }
}
- if (ext == NULL && ex->cert_asn) {
- alloc = p11_x509_find_extension (ex->cert_asn, P11_OID_EXTENDED_KEY_USAGE,
- ex->cert_der, ex->cert_len, &ext_len);
- ext = alloc;
+ if (value == NULL && ex->cert_asn) {
+ value = p11_x509_find_extension (ex->cert_asn, P11_OID_EXTENDED_KEY_USAGE,
+ ex->cert_der, ex->cert_len, &length);
}
/* No such extension, match anything */
- if (ext == NULL)
+ if (value == NULL)
return true;
- ex->purposes = p11_x509_parse_extended_key_usage (ex->asn1_defs, ext, ext_len);
+ ex->purposes = p11_x509_parse_extended_key_usage (ex->asn1_defs, value, length);
- free (alloc);
+ free (value);
return ex->purposes != NULL;
}
@@ -292,6 +326,7 @@ extract_info (P11KitIter *iter,
{ CKA_TRUSTED, },
{ CKA_CERTIFICATE_CATEGORY },
{ CKA_X_DISTRUSTED },
+ { CKA_X_PUBLIC_KEY_INFO },
{ CKA_INVALID, },
};
@@ -317,11 +352,10 @@ extract_info (P11KitIter *iter,
if (!extract_certificate (iter, ex))
return false;
- attr = p11_attrs_find_valid (ex->attrs, CKA_ID);
+ attr = p11_attrs_find_valid (ex->attrs, CKA_X_PUBLIC_KEY_INFO);
if (attr) {
- ex->stapled = load_stapled_extensions (p11_kit_iter_get_module (iter),
- p11_kit_iter_get_session (iter),
- attr);
+ ex->stapled = load_stapled_extensions (ex, p11_kit_iter_get_module (iter),
+ p11_kit_iter_get_session (iter), attr);
if (!ex->stapled)
return false;
}
diff --git a/trust/extract-openssl.c b/trust/extract-openssl.c
index 312a779..b7603b0 100644
--- a/trust/extract-openssl.c
+++ b/trust/extract-openssl.c
@@ -106,20 +106,24 @@ load_usage_ext (p11_extract_info *ex,
const unsigned char *ext_oid,
p11_array **oids)
{
- CK_ATTRIBUTE attr = { CKA_OBJECT_ID, (void *)ext_oid,
- p11_oid_length (ext_oid) };
- void *value;
+ unsigned char *value;
+ node_asn *ext = NULL;
size_t length;
- value = p11_attrs_find_value (p11_dict_get (ex->stapled, &attr), CKA_VALUE, &length);
- if (value == NULL) {
+ if (ex->stapled)
+ ext = p11_dict_get (ex->stapled, ext_oid);
+ if (ext == NULL) {
*oids = NULL;
return true;
}
+ value = p11_asn1_read (ext, "extnValue", &length);
+ return_val_if_fail (value != NULL, false);
+
*oids = p11_x509_parse_extended_key_usage (ex->asn1_defs, value, length);
return_val_if_fail (*oids != NULL, false);
+ free (value);
return true;
}
@@ -221,21 +225,22 @@ static bool
write_keyid (p11_extract_info *ex,
node_asn *asn)
{
- CK_ATTRIBUTE attr = { CKA_OBJECT_ID,
- (void *)P11_OID_SUBJECT_KEY_IDENTIFIER,
- sizeof (P11_OID_SUBJECT_KEY_IDENTIFIER) };
- CK_ATTRIBUTE *value;
+ unsigned char *value = NULL;
+ node_asn *ext = NULL;
+ size_t length = 0;
int ret;
- value = p11_attrs_find_valid (p11_dict_get (ex->stapled, &attr), CKA_VALUE);
- if (value == NULL) {
- ret = asn1_write_value (asn, "keyid", NULL, 0);
- return_val_if_fail (ret == ASN1_SUCCESS, false);
- } else {
- ret = asn1_write_value (asn, "keyid", value->pValue, value->ulValueLen);
- return_val_if_fail (ret == ASN1_SUCCESS, false);
+ if (ex->stapled)
+ ext = p11_dict_get (ex->stapled, P11_OID_SUBJECT_KEY_IDENTIFIER);
+ if (ext != NULL) {
+ value = p11_asn1_read (ext, "extnValue", &length);
+ return_val_if_fail (value != NULL, false);
}
+ ret = asn1_write_value (asn, "keyid", value, length);
+ return_val_if_fail (ret == ASN1_SUCCESS, false);
+ free (value);
+
return true;
}
diff --git a/trust/parser.c b/trust/parser.c
index 77e41bc..26d911b 100644
--- a/trust/parser.c
+++ b/trust/parser.c
@@ -200,44 +200,75 @@ parse_der_x509_certificate (p11_parser *parser,
static CK_ATTRIBUTE *
extension_attrs (p11_parser *parser,
CK_ATTRIBUTE *id,
+ CK_ATTRIBUTE *public_key_info,
+ const char *oid_str,
const unsigned char *oid_der,
- CK_BBOOL vcritical,
- const unsigned char *ext_der,
- int ext_len)
+ bool critical,
+ const unsigned char *value,
+ int length)
{
CK_OBJECT_CLASS klassv = CKO_X_CERTIFICATE_EXTENSION;
CK_BBOOL modifiablev = CK_FALSE;
CK_ATTRIBUTE klass = { CKA_CLASS, &klassv, sizeof (klassv) };
CK_ATTRIBUTE modifiable = { CKA_MODIFIABLE, &modifiablev, sizeof (modifiablev) };
- CK_ATTRIBUTE critical = { CKA_X_CRITICAL, &vcritical, sizeof (vcritical) };
CK_ATTRIBUTE oid = { CKA_OBJECT_ID, (void *)oid_der, p11_oid_length (oid_der) };
- CK_ATTRIBUTE value = { CKA_VALUE, (void *)ext_der, ext_len };
- if (ext_der == NULL)
- value.type = CKA_INVALID;
+ CK_ATTRIBUTE *attrs;
+ node_asn *dest;
+ unsigned char *der;
+ size_t len;
+ int ret;
+
+ attrs = p11_attrs_build (NULL, id, public_key_info, &klass, &modifiable, &oid, NULL);
+ return_val_if_fail (attrs != NULL, NULL);
+
+ dest = p11_asn1_create (parser->asn1_defs, "PKIX1.Extension");
+ return_val_if_fail (dest != NULL, NULL);
+
+ ret = asn1_write_value (dest, "extnID", oid_str, 1);
+ return_val_if_fail (ret == ASN1_SUCCESS, NULL);
+
+ if (critical)
+ ret = asn1_write_value (dest, "critical", "TRUE", 1);
+ return_val_if_fail (ret == ASN1_SUCCESS, NULL);
+
+ ret = asn1_write_value (dest, "extnValue", value, length);
+ return_val_if_fail (ret == ASN1_SUCCESS, NULL);
+
+ der = p11_asn1_encode (dest, &len);
+ return_val_if_fail (der != NULL, NULL);
- return p11_attrs_build (NULL, id, &klass, &modifiable, &oid, &critical, &value, NULL);
+ attrs = p11_attrs_take (attrs, CKA_VALUE, der, len);
+ return_val_if_fail (attrs != NULL, NULL);
+
+ /* An opmitization so that the builder can get at this without parsing */
+ p11_asn1_cache_take (parser->asn1_cache, dest, "PKIX1.Extension", der, len);
+ return attrs;
}
static CK_ATTRIBUTE *
stapled_attrs (p11_parser *parser,
CK_ATTRIBUTE *id,
- const unsigned char *oid,
- CK_BBOOL critical,
+ CK_ATTRIBUTE *public_key_info,
+ const char *oid_str,
+ const unsigned char *oid_der,
+ bool critical,
node_asn *ext)
{
CK_ATTRIBUTE *attrs;
unsigned char *der;
size_t len;
- attrs = extension_attrs (parser, id, oid, critical, NULL, 0);
- return_val_if_fail (attrs != NULL, NULL);
-
der = p11_asn1_encode (ext, &len);
return_val_if_fail (der != NULL, NULL);
- return p11_attrs_take (attrs, CKA_VALUE, der, len);
+ attrs = extension_attrs (parser, id, public_key_info, oid_str, oid_der,
+ critical, der, len);
+ return_val_if_fail (attrs != NULL, NULL);
+
+ free (der);
+ return attrs;
}
static p11_dict *
@@ -270,8 +301,10 @@ load_seq_of_oid_str (node_asn *node,
static CK_ATTRIBUTE *
stapled_eku_attrs (p11_parser *parser,
CK_ATTRIBUTE *id,
- const unsigned char *oid,
- CK_BBOOL critical,
+ CK_ATTRIBUTE *public_key_info,
+ const char *oid_str,
+ const unsigned char *oid_der,
+ bool critical,
p11_dict *oid_strs)
{
CK_ATTRIBUTE *attrs;
@@ -317,7 +350,7 @@ stapled_eku_attrs (p11_parser *parser,
}
- attrs = stapled_attrs (parser, id, oid, critical, dest);
+ attrs = stapled_attrs (parser, id, public_key_info, oid_str, oid_der, critical, dest);
asn1_delete_structure (&dest);
return attrs;
@@ -327,6 +360,7 @@ static CK_ATTRIBUTE *
build_openssl_extensions (p11_parser *parser,
CK_ATTRIBUTE *cert,
CK_ATTRIBUTE *id,
+ CK_ATTRIBUTE *public_key_info,
node_asn *aux,
const unsigned char *aux_der,
size_t aux_len)
@@ -379,7 +413,10 @@ build_openssl_extensions (p11_parser *parser,
*/
if (trust) {
- attrs = stapled_eku_attrs (parser, id, P11_OID_EXTENDED_KEY_USAGE, CK_TRUE, trust);
+ attrs = stapled_eku_attrs (parser, id, public_key_info,
+ P11_OID_EXTENDED_KEY_USAGE_STR,
+ P11_OID_EXTENDED_KEY_USAGE,
+ true, trust);
return_val_if_fail (attrs != NULL, NULL);
sink_object (parser, attrs);
}
@@ -393,7 +430,10 @@ build_openssl_extensions (p11_parser *parser,
*/
if (reject && p11_dict_size (reject) > 0) {
- attrs = stapled_eku_attrs (parser, id, P11_OID_OPENSSL_REJECT, CK_FALSE, reject);
+ attrs = stapled_eku_attrs (parser, id, public_key_info,
+ P11_OID_OPENSSL_REJECT_STR,
+ P11_OID_OPENSSL_REJECT,
+ false, reject);
return_val_if_fail (attrs != NULL, NULL);
sink_object (parser, attrs);
}
@@ -439,8 +479,10 @@ build_openssl_extensions (p11_parser *parser,
return_val_if_fail (ret == ASN1_SUCCESS || ret == ASN1_ELEMENT_NOT_FOUND, NULL);
if (ret == ASN1_SUCCESS) {
- attrs = extension_attrs (parser, id, P11_OID_SUBJECT_KEY_IDENTIFIER, CK_FALSE,
- aux_der + start, (end - start) + 1);
+ attrs = extension_attrs (parser, id, public_key_info,
+ P11_OID_SUBJECT_KEY_IDENTIFIER_STR,
+ P11_OID_SUBJECT_KEY_IDENTIFIER,
+ false, aux_der + start, (end - start) + 1);
return_val_if_fail (attrs != NULL, NULL);
sink_object (parser, attrs);
}
@@ -458,12 +500,15 @@ parse_openssl_trusted_certificate (p11_parser *parser,
CK_ATTRIBUTE *attrs;
CK_BYTE idv[ID_LENGTH];
CK_ATTRIBUTE id = { CKA_ID, idv, sizeof (idv) };
+ CK_ATTRIBUTE public_key_info = { CKA_X_PUBLIC_KEY_INFO };
CK_ATTRIBUTE *value;
char *label = NULL;
node_asn *cert;
node_asn *aux;
ssize_t cert_len;
- int len;
+ size_t len;
+ int start;
+ int end;
int ret;
/*
@@ -497,23 +542,27 @@ parse_openssl_trusted_certificate (p11_parser *parser,
/* Cache the parsed certificate ASN.1 for later use by the builder */
value = p11_attrs_find_valid (attrs, CKA_VALUE);
return_val_if_fail (value != NULL, P11_PARSE_FAILURE);
+
+ /* Pull out the subject public key info */
+ ret = asn1_der_decoding_startEnd (cert, data, cert_len,
+ "tbsCertificate.subjectPublicKeyInfo", &start, &end);
+ return_val_if_fail (ret == ASN1_SUCCESS, P11_PARSE_FAILURE);
+
+ public_key_info.pValue = (char *)data + start;
+ public_key_info.ulValueLen = (end - start) + 1;
+
p11_asn1_cache_take (parser->asn1_cache, cert, "PKIX1.Certificate",
value->pValue, value->ulValueLen);
/* Pull the label out of the CertAux */
len = 0;
- ret = asn1_read_value (aux, "alias", NULL, &len);
- if (ret != ASN1_ELEMENT_NOT_FOUND) {
- return_val_if_fail (ret == ASN1_MEM_ERROR, P11_PARSE_FAILURE);
- label = calloc (len + 1, 1);
- return_val_if_fail (label != NULL, P11_PARSE_FAILURE);
- ret = asn1_read_value (aux, "alias", label, &len);
- return_val_if_fail (ret == ASN1_SUCCESS, P11_PARSE_FAILURE);
+ label = p11_asn1_read (aux, "alias", &len);
+ if (label != NULL) {
attrs = p11_attrs_take (attrs, CKA_LABEL, label, strlen (label));
return_val_if_fail (attrs != NULL, P11_PARSE_FAILURE);
}
- attrs = build_openssl_extensions (parser, attrs, &id, aux,
+ attrs = build_openssl_extensions (parser, attrs, &id, &public_key_info, aux,
data + cert_len, length - cert_len);
return_val_if_fail (attrs != NULL, P11_PARSE_FAILURE);
diff --git a/trust/tests/Makefile.am b/trust/tests/Makefile.am
index 9d5b3ae..b0581cb 100644
--- a/trust/tests/Makefile.am
+++ b/trust/tests/Makefile.am
@@ -60,6 +60,7 @@ noinst_PROGRAMS = \
frob-cert \
frob-ku \
frob-eku \
+ frob-ext \
frob-cert \
frob-oid \
$(CHECK_PROGS)
diff --git a/trust/tests/files/cacert3-trusted-multiple.pem b/trust/tests/files/multiple.pem
index e56a58f..d3e1775 100644
--- a/trust/tests/files/cacert3-trusted-multiple.pem
+++ b/trust/tests/files/multiple.pem
@@ -42,44 +42,17 @@ d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
TGFiZWw=
-----END TRUSTED CERTIFICATE-----
-----BEGIN TRUSTED CERTIFICATE-----
-MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
-b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
-Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
-dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
-MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
-Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
-AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
-iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
-aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
-jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
-pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
-FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
-XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
-oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
-R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
-rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
-LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
-BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
-gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
-BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
-A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
-c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
-AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
-BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
-MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
-Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
-ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
-b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
-QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
-7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
-Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
-D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
-VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
-lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
-Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
-hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
-0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
-ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
-d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
-4GGSt/M3mMS+lqO3ijAODAxDdXN0b20gTGFiZWw=
+MIICPDCCAaUCED9pHoGc8JpK83P/uUii5N0wDQYJKoZIhvcNAQEFBQAwXzELMAkG
+A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
+cyAxIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
+MDEyOTAwMDAwMFoXDTI4MDgwMjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
+BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmlt
+YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDlGb9to1ZhLZlIcfZn3rmN67eehoAKkQ76OCWvRoiC5XOooJskXQ0f
+zGVuDLDQVoQYh5oGmxChc9+0WDlrbsH2FdWoqD+qEgaNMax/sDTXjzRniAnNFBHi
+TkVWaR94AoDa3EeRKbs2yWNcxeDXLYd7obcysHswuiovMaruo2fa2wIDAQABMA0G
+CSqGSIb3DQEBBQUAA4GBAFgVKTk8d6PaXCUDfGD67gmZPCcQcMgMCeazh88K4hiW
+NWLMv5sneYlfycQJ9M61Hd8qveXbhpxoJeUwfLaJFf5n0a3hUKw8fGJLj7qE1xIV
+Gx/KXQ/BUpQqEZnae88MNhPVNdwQGVnqlMEAv3WP2fr9dgTbYruQagPZRjXZ+Hxb
+MA4MDEN1c3RvbSBMYWJlbA==
-----END TRUSTED CERTIFICATE-----
diff --git a/trust/tests/files/verisign-v1.pem b/trust/tests/files/verisign-v1.pem
new file mode 100644
index 0000000..ace4da5
--- /dev/null
+++ b/trust/tests/files/verisign-v1.pem
@@ -0,0 +1,15 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIICPDCCAaUCED9pHoGc8JpK83P/uUii5N0wDQYJKoZIhvcNAQEFBQAwXzELMAkG
+A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
+cyAxIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
+MDEyOTAwMDAwMFoXDTI4MDgwMjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
+BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmlt
+YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDlGb9to1ZhLZlIcfZn3rmN67eehoAKkQ76OCWvRoiC5XOooJskXQ0f
+zGVuDLDQVoQYh5oGmxChc9+0WDlrbsH2FdWoqD+qEgaNMax/sDTXjzRniAnNFBHi
+TkVWaR94AoDa3EeRKbs2yWNcxeDXLYd7obcysHswuiovMaruo2fa2wIDAQABMA0G
+CSqGSIb3DQEBBQUAA4GBAFgVKTk8d6PaXCUDfGD67gmZPCcQcMgMCeazh88K4hiW
+NWLMv5sneYlfycQJ9M61Hd8qveXbhpxoJeUwfLaJFf5n0a3hUKw8fGJLj7qE1xIV
+Gx/KXQ/BUpQqEZnae88MNhPVNdwQGVnqlMEAv3WP2fr9dgTbYruQagPZRjXZ+Hxb
+MA4MDEN1c3RvbSBMYWJlbA==
+-----END TRUSTED CERTIFICATE-----
diff --git a/trust/tests/frob-eku.c b/trust/tests/frob-eku.c
index 42bf50b..5cc5829 100644
--- a/trust/tests/frob-eku.c
+++ b/trust/tests/frob-eku.c
@@ -94,6 +94,7 @@ main (int argc,
fwrite (buf, 1, len, stdout);
fflush (stdout);
+ free (buf);
asn1_delete_structure (&ekus);
asn1_delete_structure (&definitions);
diff --git a/trust/tests/frob-ext.c b/trust/tests/frob-ext.c
new file mode 100644
index 0000000..b1b5dd5
--- /dev/null
+++ b/trust/tests/frob-ext.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 2013 Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the
+ * following disclaimer.
+ * * Redistributions in binary form must reproduce the
+ * above copyright notice, this list of conditions and
+ * the following disclaimer in the documentation and/or
+ * other materials provided with the distribution.
+ * * The names of contributors to this software may not be
+ * used to endorse or promote products derived from this
+ * software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@gnome.org>
+ */
+
+#include "config.h"
+#include "compat.h"
+
+#include <libtasn1.h>
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "pkix.asn.h"
+
+#define err_if_fail(ret, msg) \
+ do { if ((ret) != ASN1_SUCCESS) { \
+ fprintf (stderr, "%s: %s\n", msg, asn1_strerror (ret)); \
+ exit (1); \
+ } } while (0)
+
+int
+main (int argc,
+ char *argv[])
+{
+ char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = { 0, };
+ node_asn *definitions = NULL;
+ node_asn *ext = NULL;
+ unsigned char input[1024];
+ char *buf;
+ size_t size;
+ int len;
+ int ret;
+
+ if (argc == 1 || argc > 3) {
+ fprintf (stderr, "usage: frob-ext 1.2.3 TRUE\n");
+ return 2;
+ }
+
+ size = fread (input, 1, sizeof (input), stdin);
+ if (ferror (stdin) || !feof (stdin)) {
+ fprintf (stderr, "bad input\n");
+ return 1;
+ }
+
+ ret = asn1_array2tree (pkix_asn1_tab, &definitions, message);
+ if (ret != ASN1_SUCCESS) {
+ fprintf (stderr, "definitions: %s\n", message);
+ return 1;
+ }
+
+
+ ret = asn1_create_element (definitions, "PKIX1.Extension", &ext);
+ err_if_fail (ret, "Extension");
+
+ ret = asn1_write_value (ext, "extnID", argv[1], 1);
+ err_if_fail (ret, "extnID");
+
+ if (argc == 3) {
+ ret = asn1_write_value (ext, "critical", argv[2], 1);
+ err_if_fail (ret, "critical");
+ }
+
+ ret = asn1_write_value (ext, "extnValue", input, size);
+ err_if_fail (ret, "extnValue");
+
+ len = 0;
+ ret = asn1_der_coding (ext, "", NULL, &len, message);
+ assert (ret == ASN1_MEM_ERROR);
+
+ buf = malloc (len);
+ assert (buf != NULL);
+ ret = asn1_der_coding (ext, "", buf, &len, message);
+ if (ret != ASN1_SUCCESS) {
+ fprintf (stderr, "asn1_der_coding: %s\n", message);
+ return 1;
+ }
+
+ fwrite (buf, 1, len, stdout);
+ fflush (stdout);
+
+ free (buf);
+ asn1_delete_structure (&ext);
+ asn1_delete_structure (&definitions);
+
+ return 0;
+}
diff --git a/trust/tests/test-builder.c b/trust/tests/test-builder.c
index 09a2590..72ee151 100644
--- a/trust/tests/test-builder.c
+++ b/trust/tests/test-builder.c
@@ -294,6 +294,28 @@ static const unsigned char entrust_pretend_ca[] = {
0xbd, 0x4c, 0x45, 0x9e, 0x61, 0xba, 0xbf, 0x84, 0x81, 0x92, 0x03, 0xd1, 0xd2, 0x69, 0x7c, 0xc5,
};
+static const unsigned char entrust_public_key[] = {
+ 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+ 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01,
+ 0x00, 0xad, 0x4d, 0x4b, 0xa9, 0x12, 0x86, 0xb2, 0xea, 0xa3, 0x20, 0x07, 0x15, 0x16, 0x64, 0x2a,
+ 0x2b, 0x4b, 0xd1, 0xbf, 0x0b, 0x4a, 0x4d, 0x8e, 0xed, 0x80, 0x76, 0xa5, 0x67, 0xb7, 0x78, 0x40,
+ 0xc0, 0x73, 0x42, 0xc8, 0x68, 0xc0, 0xdb, 0x53, 0x2b, 0xdd, 0x5e, 0xb8, 0x76, 0x98, 0x35, 0x93,
+ 0x8b, 0x1a, 0x9d, 0x7c, 0x13, 0x3a, 0x0e, 0x1f, 0x5b, 0xb7, 0x1e, 0xcf, 0xe5, 0x24, 0x14, 0x1e,
+ 0xb1, 0x81, 0xa9, 0x8d, 0x7d, 0xb8, 0xcc, 0x6b, 0x4b, 0x03, 0xf1, 0x02, 0x0c, 0xdc, 0xab, 0xa5,
+ 0x40, 0x24, 0x00, 0x7f, 0x74, 0x94, 0xa1, 0x9d, 0x08, 0x29, 0xb3, 0x88, 0x0b, 0xf5, 0x87, 0x77,
+ 0x9d, 0x55, 0xcd, 0xe4, 0xc3, 0x7e, 0xd7, 0x6a, 0x64, 0xab, 0x85, 0x14, 0x86, 0x95, 0x5b, 0x97,
+ 0x32, 0x50, 0x6f, 0x3d, 0xc8, 0xba, 0x66, 0x0c, 0xe3, 0xfc, 0xbd, 0xb8, 0x49, 0xc1, 0x76, 0x89,
+ 0x49, 0x19, 0xfd, 0xc0, 0xa8, 0xbd, 0x89, 0xa3, 0x67, 0x2f, 0xc6, 0x9f, 0xbc, 0x71, 0x19, 0x60,
+ 0xb8, 0x2d, 0xe9, 0x2c, 0xc9, 0x90, 0x76, 0x66, 0x7b, 0x94, 0xe2, 0xaf, 0x78, 0xd6, 0x65, 0x53,
+ 0x5d, 0x3c, 0xd6, 0x9c, 0xb2, 0xcf, 0x29, 0x03, 0xf9, 0x2f, 0xa4, 0x50, 0xb2, 0xd4, 0x48, 0xce,
+ 0x05, 0x32, 0x55, 0x8a, 0xfd, 0xb2, 0x64, 0x4c, 0x0e, 0xe4, 0x98, 0x07, 0x75, 0xdb, 0x7f, 0xdf,
+ 0xb9, 0x08, 0x55, 0x60, 0x85, 0x30, 0x29, 0xf9, 0x7b, 0x48, 0xa4, 0x69, 0x86, 0xe3, 0x35, 0x3f,
+ 0x1e, 0x86, 0x5d, 0x7a, 0x7a, 0x15, 0xbd, 0xef, 0x00, 0x8e, 0x15, 0x22, 0x54, 0x17, 0x00, 0x90,
+ 0x26, 0x93, 0xbc, 0x0e, 0x49, 0x68, 0x91, 0xbf, 0xf8, 0x47, 0xd3, 0x9d, 0x95, 0x42, 0xc1, 0x0e,
+ 0x4d, 0xdf, 0x6f, 0x26, 0xcf, 0xc3, 0x18, 0x21, 0x62, 0x66, 0x43, 0x70, 0xd6, 0xd5, 0xc0, 0x07,
+ 0xe1, 0x02, 0x03, 0x01, 0x00, 0x01,
+};
+
static void
test_build_certificate_non_ca (void)
{
@@ -354,8 +376,8 @@ test_build_certificate_staple_ca (void)
CK_ATTRIBUTE stapled[] = {
{ CKA_CLASS, &certificate_extension, sizeof (certificate_extension) },
{ CKA_OBJECT_ID, (void *)P11_OID_BASIC_CONSTRAINTS, sizeof (P11_OID_BASIC_CONSTRAINTS) },
- { CKA_VALUE, "\x30\x03\x01\x01\xFF", 5 },
- { CKA_ID, "the id", 6 },
+ { CKA_VALUE, "\x30\x0f\x06\x03\x55\x1d\x13\x01\x01\xff\x04\x05\x30\x03\x01\x01\xff", 17 },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)entrust_public_key, sizeof (entrust_public_key) },
{ CKA_INVALID },
};
@@ -363,7 +385,6 @@ test_build_certificate_staple_ca (void)
{ CKA_CLASS, &certificate, sizeof (certificate) },
{ CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) },
{ CKA_VALUE, (void *)entrust_pretend_ca, sizeof (entrust_pretend_ca) },
- { CKA_ID, "the id", 6 },
{ CKA_INVALID },
};
@@ -445,8 +466,8 @@ test_build_extension (void)
{
CK_ATTRIBUTE input[] = {
{ CKA_CLASS, &certificate_extension, sizeof (certificate_extension) },
- { CKA_OBJECT_ID, "\x06\x03\x55\x1d\x50", 5 },
- { CKA_VALUE, "the value", 9 },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
+ { CKA_VALUE, "\x30\x11\x06\x03\x55\x1d\x50\x04\x0a\x74\x68\x65\x20\x76\x61\x6c\x75\x65\x0a", 19 },
{ CKA_INVALID },
};
@@ -456,9 +477,9 @@ test_build_extension (void)
{ CKA_MODIFIABLE, &falsev, sizeof (falsev) },
{ CKA_PRIVATE, &falsev, sizeof (falsev) },
{ CKA_OBJECT_ID, "\x06\x03\x55\x1d\x50", 5 },
- { CKA_VALUE, "the value", 9 },
+ { CKA_VALUE, "\x30\x11\x06\x03\x55\x1d\x50\x04\x0a\x74\x68\x65\x20\x76\x61\x6c\x75\x65\x0a", 19 },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
{ CKA_LABEL, "", 0 },
- { CKA_X_CRITICAL, &falsev, sizeof (falsev) },
{ CKA_INVALID },
};
@@ -1396,29 +1417,31 @@ test_changed_trusted_certificate (void)
};
static unsigned char eku_server_and_client[] = {
- 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06,
- 0x01, 0x05, 0x05, 0x07, 0x03, 0x02,
+ 0x30, 0x20, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08,
+ 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
+ 0x03, 0x02,
};
CK_ATTRIBUTE eku_extension_server_and_client[] = {
{ CKA_CLASS, &certificate_extension, sizeof (certificate_extension), },
{ CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
{ CKA_LABEL, "Custom Label", 12 },
- { CKA_X_CRITICAL, &truev, sizeof (truev) },
{ CKA_VALUE, eku_server_and_client, sizeof (eku_server_and_client) },
{ CKA_ID, "cacert3", 7 },
{ CKA_INVALID },
};
static char eku_client_email[] = {
+ 0x30, 0x1a, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x99, 0x77, 0x06, 0x0a, 0x01, 0x04, 0x0c,
0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04,
};
static CK_ATTRIBUTE reject_extension_email[] = {
{ CKA_CLASS, &certificate_extension, sizeof (certificate_extension), },
{ CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
{ CKA_LABEL, "Custom Label", 12 },
- { CKA_X_CRITICAL, &falsev, sizeof (falsev) },
{ CKA_VALUE, eku_client_email, sizeof (eku_client_email) },
{ CKA_ID, "cacert3", 7 },
{ CKA_INVALID },
@@ -1535,8 +1558,8 @@ test_changed_distrust_value (void)
CK_ATTRIBUTE eku_extension[] = {
{ CKA_CLASS, &certificate_extension, sizeof (certificate_extension), },
{ CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) },
- { CKA_X_CRITICAL, &truev, sizeof (truev) },
- { CKA_VALUE, "\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x10", 14 },
+ { CKA_VALUE, "\x30\x18\x06\x03\x55\x1d\x25\x01\x01\xff\x04\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x10", 26 },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
{ CKA_ID, "cacert3", 7 },
{ CKA_INVALID },
};
@@ -1544,8 +1567,8 @@ test_changed_distrust_value (void)
CK_ATTRIBUTE reject_extension[] = {
{ CKA_CLASS, &certificate_extension, sizeof (certificate_extension), },
{ CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) },
- { CKA_X_CRITICAL, &falsev, sizeof (falsev) },
- { CKA_VALUE, "\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02", 12 },
+ { CKA_VALUE, "\x30\x1a\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x01\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02", 28 },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
{ CKA_ID, "cacert3", 7 },
{ CKA_INVALID },
};
@@ -1891,7 +1914,8 @@ test_changed_staple_ca (void)
CK_ATTRIBUTE stapled[] = {
{ CKA_CLASS, &certificate_extension, sizeof (certificate_extension) },
{ CKA_OBJECT_ID, (void *)P11_OID_BASIC_CONSTRAINTS, sizeof (P11_OID_BASIC_CONSTRAINTS) },
- { CKA_VALUE, "\x30\x03\x01\x01\xFF", 5 },
+ { CKA_VALUE, "\x30\x0c\x06\x03\x55\x1d\x13\x04\x05\x30\x03\x01\x01\xff", 14 },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)entrust_public_key, sizeof (entrust_public_key) },
{ CKA_ID, "the id", 6 },
{ CKA_INVALID },
};
@@ -1938,7 +1962,8 @@ test_changed_staple_ku (void)
CK_ATTRIBUTE stapled_ds_and_np[] = {
{ CKA_CLASS, &certificate_extension, sizeof (certificate_extension) },
{ CKA_OBJECT_ID, (void *)P11_OID_KEY_USAGE, sizeof (P11_OID_KEY_USAGE) },
- { CKA_VALUE, "\x03\x03\x07\xc0\x00", 5 },
+ { CKA_VALUE, "\x30\x0c\x06\x03\x55\x1d\x0f\x04\x05\x03\x03\x07\xc0\x00", 14 },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)entrust_public_key, sizeof (entrust_public_key) },
{ CKA_ID, "the id", 6 },
{ CKA_INVALID },
};
diff --git a/trust/tests/test-extract.c b/trust/tests/test-extract.c
index ddb4a49..4fce711 100644
--- a/trust/tests/test-extract.c
+++ b/trust/tests/test-extract.c
@@ -183,6 +183,7 @@ static CK_ATTRIBUTE cacert3_trusted[] = {
{ CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) },
{ CKA_LABEL, "Cacert3 Here", 11 },
{ CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
{ CKA_TRUSTED, &truev, sizeof (truev) },
{ CKA_ID, "ID1", 3 },
{ CKA_INVALID },
@@ -207,7 +208,8 @@ static CK_ATTRIBUTE extension_eku_server_client[] = {
{ CKA_CLASS, &extension_class, sizeof (extension_class) },
{ CKA_ID, "ID1", 3 },
{ CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) },
- { CKA_VALUE, (void *)test_eku_server_and_client, sizeof (test_eku_server_and_client) },
+ { CKA_VALUE, "\x30\x1d\x06\x03\x55\x1d\x25\x04\x16\x30\x14\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02", 31 },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
{ CKA_INVALID },
};
@@ -215,7 +217,8 @@ static CK_ATTRIBUTE extension_eku_invalid[] = {
{ CKA_CLASS, &extension_class, sizeof (extension_class) },
{ CKA_ID, "ID1", 3 },
{ CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) },
- { CKA_VALUE, "invalid", 7 },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
+ { CKA_VALUE, "\x30\x0e\x06\x03\x55\x1d\x25\x04\x07\x69\x6e\x76\x61\x6c\x69\x64", 16 },
{ CKA_INVALID },
};
diff --git a/trust/tests/test-openssl.c b/trust/tests/test-openssl.c
index 2d41b92..1396102 100644
--- a/trust/tests/test-openssl.c
+++ b/trust/tests/test-openssl.c
@@ -113,6 +113,18 @@ static CK_ATTRIBUTE cacert3_authority_attrs[] = {
{ CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) },
{ CKA_LABEL, "Custom Label", 12 },
{ CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
+ { CKA_TRUSTED, &vtrue, sizeof (vtrue) },
+ { CKA_INVALID },
+};
+
+static CK_ATTRIBUTE verisign_v1_attrs[] = {
+ { CKA_VALUE, (void *)verisign_v1_ca, sizeof (verisign_v1_ca) },
+ { CKA_CLASS, &certificate_class, sizeof (certificate_class) },
+ { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) },
+ { CKA_LABEL, "Custom Label", 12 },
+ { CKA_SUBJECT, (void *)verisign_v1_ca_subject, sizeof (verisign_v1_ca_subject) },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)verisign_v1_ca_public_key, sizeof (verisign_v1_ca_public_key) },
{ CKA_TRUSTED, &vtrue, sizeof (vtrue) },
{ CKA_INVALID },
};
@@ -120,14 +132,16 @@ static CK_ATTRIBUTE cacert3_authority_attrs[] = {
static CK_ATTRIBUTE extension_eku_server[] = {
{ CKA_CLASS, &extension_class, sizeof (extension_class) },
{ CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) },
- { CKA_VALUE, (void *)test_eku_server, sizeof (test_eku_server) },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
+ { CKA_VALUE, "\x30\x13\x06\x03\x55\x1d\x25\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01", 21 },
{ CKA_INVALID },
};
static CK_ATTRIBUTE extension_reject_email[] = {
{ CKA_CLASS, &extension_class, sizeof (extension_class) },
{ CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) },
- { CKA_VALUE, (void *)test_eku_email, sizeof (test_eku_email) },
+ { CKA_VALUE, "\x30\x1a\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x01\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x04", 28 },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
{ CKA_INVALID },
};
@@ -221,16 +235,16 @@ test_keyid (void)
{ CKA_CLASS, &certificate_class, sizeof (certificate_class) },
{ CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) },
{ CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
{ CKA_TRUSTED, &vtrue, sizeof (vtrue) },
{ CKA_INVALID },
};
- static unsigned char identifier[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };
-
static CK_ATTRIBUTE extension_subject_key_identifier[] = {
{ CKA_CLASS, &extension_class, sizeof (extension_class) },
{ CKA_OBJECT_ID, (void *)P11_OID_SUBJECT_KEY_IDENTIFIER, sizeof (P11_OID_SUBJECT_KEY_IDENTIFIER) },
- { CKA_VALUE, identifier, sizeof (identifier) },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
+ { CKA_VALUE, "\x30\x0e\x06\x03\x55\x1d\x0e\x04\x07\x00\x01\x02\x03\x04\x05\x06", 16 },
{ CKA_INVALID },
};
@@ -325,7 +339,7 @@ test_file_multiple (void)
extension_reject_email,
NULL);
- setup_objects (cacert3_authority_attrs,
+ setup_objects (verisign_v1_attrs,
NULL);
p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL);
@@ -338,9 +352,7 @@ test_file_multiple (void)
ret = p11_extract_openssl_bundle (test.iter, &test.ex);
assert_num_eq (true, ret);
- test_check_file (test.directory, "extract.pem",
- SRCDIR "/files/cacert3-trusted-multiple.pem");
-
+ test_check_file (test.directory, "extract.pem", SRCDIR "/files/multiple.pem");
free (test.ex.destination);
}
@@ -573,6 +585,7 @@ test_directory (void)
extension_reject_email,
NULL);
+ /* Accesses the above objects */
setup_objects (cacert3_authority_attrs,
NULL);
@@ -596,7 +609,7 @@ test_directory (void)
test_check_file (test.directory, "Custom_Label.pem",
SRCDIR "/files/cacert3-trusted-server-alias.pem");
test_check_file (test.directory, "Custom_Label.1.pem",
- SRCDIR "/files/cacert3-trusted-alias.pem");
+ SRCDIR "/files/cacert3-trusted-server-alias.pem");
#ifdef OS_UNIX
test_check_symlink (test.directory, "e5662767.0", "Custom_Label.pem");
test_check_symlink (test.directory, "e5662767.1", "Custom_Label.1.pem");
diff --git a/trust/tests/test-parser.c b/trust/tests/test-parser.c
index b8d31df..cc71d1d 100644
--- a/trust/tests/test-parser.c
+++ b/trust/tests/test-parser.c
@@ -197,16 +197,16 @@ test_parse_openssl_trusted (void)
CK_ATTRIBUTE eku_extension[] = {
{ CKA_CLASS, &certificate_extension, sizeof (certificate_extension), },
{ CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) },
- { CKA_X_CRITICAL, &truev, sizeof (truev) },
- { CKA_VALUE, "\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01", 12 },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
+ { CKA_VALUE, "\x30\x16\x06\x03\x55\x1d\x25\x01\x01\xff\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01", 24 },
{ CKA_INVALID },
};
CK_ATTRIBUTE reject_extension[] = {
{ CKA_CLASS, &certificate_extension, sizeof (certificate_extension), },
{ CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) },
- { CKA_X_CRITICAL, &falsev, sizeof (falsev) },
- { CKA_VALUE, "\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x04", 12 },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
+ { CKA_VALUE, "\x30\x1a\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x01\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x04", 28 },
{ CKA_INVALID },
};
@@ -250,6 +250,20 @@ test_parse_openssl_trusted (void)
static void
test_parse_openssl_distrusted (void)
{
+ static const char distrust_public_key[] = {
+ 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
+ 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xdf, 0xc7, 0x0d,
+ 0x61, 0xa2, 0x2f, 0xc0, 0x5a, 0xad, 0x45, 0x83, 0x22, 0x33, 0x42, 0xea, 0xec, 0x42, 0x5e, 0xa6,
+ 0x0d, 0x42, 0x4c, 0x1c, 0x9a, 0x12, 0x0b, 0x5f, 0xe7, 0x25, 0xf9, 0x8b, 0x83, 0x0c, 0x0a, 0xc5,
+ 0x2f, 0x5a, 0x58, 0x56, 0xb8, 0xad, 0x87, 0x6d, 0xbc, 0x80, 0x5d, 0xdd, 0x49, 0x45, 0x39, 0x5f,
+ 0xb9, 0x08, 0x3a, 0x63, 0xe4, 0x92, 0x33, 0x61, 0x79, 0x19, 0x1b, 0x9d, 0xab, 0x3a, 0xd5, 0x7f,
+ 0xa7, 0x8b, 0x7f, 0x8a, 0x5a, 0xf6, 0xd7, 0xde, 0xaf, 0xa1, 0xe5, 0x53, 0x31, 0x29, 0x7d, 0x9c,
+ 0x03, 0x55, 0x3e, 0x47, 0x78, 0xcb, 0xb9, 0x7a, 0x98, 0x8c, 0x5f, 0x8d, 0xda, 0x09, 0x0f, 0xc8,
+ 0xfb, 0xf1, 0x7a, 0x80, 0xee, 0x12, 0x77, 0x0a, 0x00, 0x8b, 0x70, 0xfa, 0x62, 0xbf, 0xaf, 0xee,
+ 0x0b, 0x58, 0x16, 0xf9, 0x9c, 0x5c, 0xde, 0x93, 0xb8, 0x4f, 0xdf, 0x4d, 0x7b, 0x02, 0x03, 0x01,
+ 0x00, 0x01,
+ };
+
CK_ATTRIBUTE distrust_cert[] = {
{ CKA_CLASS, &certificate, sizeof (certificate), },
{ CKA_MODIFIABLE, &falsev, sizeof (falsev) },
@@ -262,16 +276,16 @@ test_parse_openssl_distrusted (void)
CK_ATTRIBUTE eku_extension[] = {
{ CKA_CLASS, &certificate_extension, sizeof (certificate_extension), },
{ CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) },
- { CKA_X_CRITICAL, &truev, sizeof (truev) },
- { CKA_VALUE, "\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x10", 14 },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)distrust_public_key, sizeof (distrust_public_key) },
+ { CKA_VALUE, "\x30\x18\x06\x03\x55\x1d\x25\x01\x01\xff\x04\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x10", 26 },
{ CKA_INVALID },
};
CK_ATTRIBUTE reject_extension[] = {
{ CKA_CLASS, &certificate_extension, sizeof (certificate_extension), },
{ CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) },
- { CKA_X_CRITICAL, &falsev, sizeof (falsev) },
- { CKA_VALUE, "\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02", 12 },
+ { CKA_X_PUBLIC_KEY_INFO, (void *)distrust_public_key, sizeof (distrust_public_key) },
+ { CKA_VALUE, "\x30\x1a\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x01\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02", 28 },
{ CKA_INVALID },
};
diff --git a/trust/tests/test-trust.h b/trust/tests/test-trust.h
index 4d2c5bf..b5aab5b 100644
--- a/trust/tests/test-trust.h
+++ b/trust/tests/test-trust.h
@@ -234,6 +234,44 @@ static const char test_cacert3_ca_serial[] = {
0x02, 0x03, 0x0a, 0x41, 0x8a,
};
+static const char test_cacert3_ca_public_key[] = {
+ 0x30, 0x82, 0x02, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+ 0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0f, 0x00, 0x30, 0x82, 0x02, 0x0a, 0x02, 0x82, 0x02, 0x01,
+ 0x00, 0xab, 0x49, 0x35, 0x11, 0x48, 0x7c, 0xd2, 0x26, 0x7e, 0x53, 0x94, 0xcf, 0x43, 0xa9, 0xdd,
+ 0x28, 0xd7, 0x42, 0x2a, 0x8b, 0xf3, 0x87, 0x78, 0x19, 0x58, 0x7c, 0x0f, 0x9e, 0xda, 0x89, 0x7d,
+ 0xe1, 0xfb, 0xeb, 0x72, 0x90, 0x0d, 0x74, 0xa1, 0x96, 0x64, 0xab, 0x9f, 0xa0, 0x24, 0x99, 0x73,
+ 0xda, 0xe2, 0x55, 0x76, 0xc7, 0x17, 0x7b, 0xf5, 0x04, 0xac, 0x46, 0xb8, 0xc3, 0xbe, 0x7f, 0x64,
+ 0x8d, 0x10, 0x6c, 0x24, 0xf3, 0x61, 0x9c, 0xc0, 0xf2, 0x90, 0xfa, 0x51, 0xe6, 0xf5, 0x69, 0x01,
+ 0x63, 0xc3, 0x0f, 0x56, 0xe2, 0x4a, 0x42, 0xcf, 0xe2, 0x44, 0x8c, 0x25, 0x28, 0xa8, 0xc5, 0x79,
+ 0x09, 0x7d, 0x46, 0xb9, 0x8a, 0xf3, 0xe9, 0xf3, 0x34, 0x29, 0x08, 0x45, 0xe4, 0x1c, 0x9f, 0xcb,
+ 0x94, 0x04, 0x1c, 0x81, 0xa8, 0x14, 0xb3, 0x98, 0x65, 0xc4, 0x43, 0xec, 0x4e, 0x82, 0x8d, 0x09,
+ 0xd1, 0xbd, 0xaa, 0x5b, 0x8d, 0x92, 0xd0, 0xec, 0xde, 0x90, 0xc5, 0x7f, 0x0a, 0xc2, 0xe3, 0xeb,
+ 0xe6, 0x31, 0x5a, 0x5e, 0x74, 0x3e, 0x97, 0x33, 0x59, 0xe8, 0xc3, 0x03, 0x3d, 0x60, 0x33, 0xbf,
+ 0xf7, 0xd1, 0x6f, 0x47, 0xc4, 0xcd, 0xee, 0x62, 0x83, 0x52, 0x6e, 0x2e, 0x08, 0x9a, 0xa4, 0xd9,
+ 0x15, 0x18, 0x91, 0xa6, 0x85, 0x92, 0x47, 0xb0, 0xae, 0x48, 0xeb, 0x6d, 0xb7, 0x21, 0xec, 0x85,
+ 0x1a, 0x68, 0x72, 0x35, 0xab, 0xff, 0xf0, 0x10, 0x5d, 0xc0, 0xf4, 0x94, 0xa7, 0x6a, 0xd5, 0x3b,
+ 0x92, 0x7e, 0x4c, 0x90, 0x05, 0x7e, 0x93, 0xc1, 0x2c, 0x8b, 0xa4, 0x8e, 0x62, 0x74, 0x15, 0x71,
+ 0x6e, 0x0b, 0x71, 0x03, 0xea, 0xaf, 0x15, 0x38, 0x9a, 0xd4, 0xd2, 0x05, 0x72, 0x6f, 0x8c, 0xf9,
+ 0x2b, 0xeb, 0x5a, 0x72, 0x25, 0xf9, 0x39, 0x46, 0xe3, 0x72, 0x1b, 0x3e, 0x04, 0xc3, 0x64, 0x27,
+ 0x22, 0x10, 0x2a, 0x8a, 0x4f, 0x58, 0xa7, 0x03, 0xad, 0xbe, 0xb4, 0x2e, 0x13, 0xed, 0x5d, 0xaa,
+ 0x48, 0xd7, 0xd5, 0x7d, 0xd4, 0x2a, 0x7b, 0x5c, 0xfa, 0x46, 0x04, 0x50, 0xe4, 0xcc, 0x0e, 0x42,
+ 0x5b, 0x8c, 0xed, 0xdb, 0xf2, 0xcf, 0xfc, 0x96, 0x93, 0xe0, 0xdb, 0x11, 0x36, 0x54, 0x62, 0x34,
+ 0x38, 0x8f, 0x0c, 0x60, 0x9b, 0x3b, 0x97, 0x56, 0x38, 0xad, 0xf3, 0xd2, 0x5b, 0x8b, 0xa0, 0x5b,
+ 0xea, 0x4e, 0x96, 0xb8, 0x7c, 0xd7, 0xd5, 0xa0, 0x86, 0x70, 0x40, 0xd3, 0x91, 0x29, 0xb7, 0xa2,
+ 0x3c, 0xad, 0xf5, 0x8c, 0xbb, 0xcf, 0x1a, 0x92, 0x8a, 0xe4, 0x34, 0x7b, 0xc0, 0xd8, 0x6c, 0x5f,
+ 0xe9, 0x0a, 0xc2, 0xc3, 0xa7, 0x20, 0x9a, 0x5a, 0xdf, 0x2c, 0x5d, 0x52, 0x5c, 0xba, 0x47, 0xd5,
+ 0x9b, 0xef, 0x24, 0x28, 0x70, 0x38, 0x20, 0x2f, 0xd5, 0x7f, 0x29, 0xc0, 0xb2, 0x41, 0x03, 0x68,
+ 0x92, 0xcc, 0xe0, 0x9c, 0xcc, 0x97, 0x4b, 0x45, 0xef, 0x3a, 0x10, 0x0a, 0xab, 0x70, 0x3a, 0x98,
+ 0x95, 0x70, 0xad, 0x35, 0xb1, 0xea, 0x85, 0x2b, 0xa4, 0x1c, 0x80, 0x21, 0x31, 0xa9, 0xae, 0x60,
+ 0x7a, 0x80, 0x26, 0x48, 0x00, 0xb8, 0x01, 0xc0, 0x93, 0x63, 0x55, 0x22, 0x91, 0x3c, 0x56, 0xe7,
+ 0xaf, 0xdb, 0x3a, 0x25, 0xf3, 0x8f, 0x31, 0x54, 0xea, 0x26, 0x8b, 0x81, 0x59, 0xf9, 0xa1, 0xd1,
+ 0x53, 0x11, 0xc5, 0x7b, 0x9d, 0x03, 0xf6, 0x74, 0x11, 0xe0, 0x6d, 0xb1, 0x2c, 0x3f, 0x2c, 0x86,
+ 0x91, 0x99, 0x71, 0x9a, 0xa6, 0x77, 0x8b, 0x34, 0x60, 0xd1, 0x14, 0xb4, 0x2c, 0xac, 0x9d, 0xaf,
+ 0x8c, 0x10, 0xd3, 0x9f, 0xc4, 0x6a, 0xf8, 0x6f, 0x13, 0xfc, 0x73, 0x59, 0xf7, 0x66, 0x42, 0x74,
+ 0x1e, 0x8a, 0xe3, 0xf8, 0xdc, 0xd2, 0x6f, 0x98, 0x9c, 0xcb, 0x47, 0x98, 0x95, 0x40, 0x05, 0xfb,
+ 0xe9, 0x02, 0x03, 0x01, 0x00, 0x01,
+};
+
static const unsigned char verisign_v1_ca[] = {
0x30, 0x82, 0x02, 0x3c, 0x30, 0x82, 0x01, 0xa5, 0x02, 0x10, 0x3f, 0x69, 0x1e, 0x81, 0x9c, 0xf0,
0x9a, 0x4a, 0xf3, 0x73, 0xff, 0xb9, 0x48, 0xa2, 0xe4, 0xdd, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
@@ -273,6 +311,30 @@ static const unsigned char verisign_v1_ca[] = {
0xfd, 0x76, 0x04, 0xdb, 0x62, 0xbb, 0x90, 0x6a, 0x03, 0xd9, 0x46, 0x35, 0xd9, 0xf8, 0x7c, 0x5b,
};
+static const unsigned char verisign_v1_ca_subject[] = {
+ 0x30, 0x5f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
+ 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69,
+ 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x37, 0x30, 0x35, 0x06, 0x03, 0x55, 0x04,
+ 0x0b, 0x13, 0x2e, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x20, 0x31, 0x20, 0x50, 0x75, 0x62, 0x6c, 0x69,
+ 0x63, 0x20, 0x50, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66,
+ 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74,
+ 0x79,
+};
+
+static const unsigned char verisign_v1_ca_public_key[] = {
+ 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
+ 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xe5, 0x19, 0xbf,
+ 0x6d, 0xa3, 0x56, 0x61, 0x2d, 0x99, 0x48, 0x71, 0xf6, 0x67, 0xde, 0xb9, 0x8d, 0xeb, 0xb7, 0x9e,
+ 0x86, 0x80, 0x0a, 0x91, 0x0e, 0xfa, 0x38, 0x25, 0xaf, 0x46, 0x88, 0x82, 0xe5, 0x73, 0xa8, 0xa0,
+ 0x9b, 0x24, 0x5d, 0x0d, 0x1f, 0xcc, 0x65, 0x6e, 0x0c, 0xb0, 0xd0, 0x56, 0x84, 0x18, 0x87, 0x9a,
+ 0x06, 0x9b, 0x10, 0xa1, 0x73, 0xdf, 0xb4, 0x58, 0x39, 0x6b, 0x6e, 0xc1, 0xf6, 0x15, 0xd5, 0xa8,
+ 0xa8, 0x3f, 0xaa, 0x12, 0x06, 0x8d, 0x31, 0xac, 0x7f, 0xb0, 0x34, 0xd7, 0x8f, 0x34, 0x67, 0x88,
+ 0x09, 0xcd, 0x14, 0x11, 0xe2, 0x4e, 0x45, 0x56, 0x69, 0x1f, 0x78, 0x02, 0x80, 0xda, 0xdc, 0x47,
+ 0x91, 0x29, 0xbb, 0x36, 0xc9, 0x63, 0x5c, 0xc5, 0xe0, 0xd7, 0x2d, 0x87, 0x7b, 0xa1, 0xb7, 0x32,
+ 0xb0, 0x7b, 0x30, 0xba, 0x2a, 0x2f, 0x31, 0xaa, 0xee, 0xa3, 0x67, 0xda, 0xdb, 0x02, 0x03, 0x01,
+ 0x00, 0x01,
+};
+
static const char test_text[] = "This is the file text";
static const char test_eku_server_and_client[] = {