diff options
Diffstat (limited to 'trust/tests/test-parser.c')
-rw-r--r-- | trust/tests/test-parser.c | 666 |
1 files changed, 120 insertions, 546 deletions
diff --git a/trust/tests/test-parser.c b/trust/tests/test-parser.c index 0f40748..3ad89da 100644 --- a/trust/tests/test-parser.c +++ b/trust/tests/test-parser.c @@ -41,6 +41,7 @@ #include "array.h" #include "attrs.h" +#include "builder.h" #include "debug.h" #include "library.h" #include "oid.h" @@ -50,69 +51,75 @@ struct { p11_parser *parser; - p11_array *objects; + p11_asn1_cache *cache; + p11_index *index; } test; static void setup (CuTest *cu) { - test.parser = p11_parser_new (); + test.index = p11_index_new (NULL, NULL, NULL); + test.cache = p11_asn1_cache_new (); + test.parser = p11_parser_new (test.index, test.cache); CuAssertPtrNotNull (cu, test.parser); - - test.objects = p11_array_new (p11_attrs_free); - CuAssertPtrNotNull (cu, test.objects); } static void teardown (CuTest *cu) { p11_parser_free (test.parser); - p11_array_free (test.objects); + p11_index_free (test.index); + p11_asn1_cache_free (test.cache); memset (&test, 0, sizeof (test)); } -static void -on_parse_object (CK_ATTRIBUTE *attrs, - void *data) -{ - CuTest *cu = data; +static CK_OBJECT_CLASS certificate = CKO_CERTIFICATE; +static CK_OBJECT_CLASS certificate_extension = CKO_X_CERTIFICATE_EXTENSION; +static CK_BBOOL falsev = CK_FALSE; +static CK_BBOOL truev = CK_TRUE; +static CK_CERTIFICATE_TYPE x509 = CKC_X_509; - CuAssertPtrNotNull (cu, attrs); - CuAssertTrue (cu, p11_attrs_count (attrs) > 0); +static CK_ATTRIBUTE certificate_match[] = { + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_INVALID, }, +}; + +static CK_ATTRIBUTE * +parsed_attrs (CK_ATTRIBUTE *match) +{ + CK_OBJECT_HANDLE handle; + handle = p11_index_find (test.index, certificate_match); + return p11_index_lookup (test.index, handle); - p11_array_push (test.objects, attrs); } static void test_parse_der_certificate (CuTest *cu) { CK_ATTRIBUTE *cert; - CK_ATTRIBUTE *object; - CK_BBOOL bval; int ret; + CK_ATTRIBUTE expected[] = { + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, + { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, + { CKA_TRUSTED, &falsev, sizeof (falsev) }, + { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, + { CKA_INVALID }, + }; + setup (cu); ret = p11_parse_file (test.parser, SRCDIR "/files/cacert3.der", - 0, on_parse_object, cu); + P11_PARSE_FLAG_NONE); CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret); - /* Should have gotten certificate and a trust object */ - CuAssertIntEquals (cu, 2, test.objects->num); - - cert = test.objects->elem[0]; - test_check_cacert3_ca (cu, cert, NULL); - - if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval)) - CuFail (cu, "missing CKA_TRUSTED"); - CuAssertIntEquals (cu, CK_FALSE, bval); + /* Should have gotten certificate */ + CuAssertIntEquals (cu, 1, p11_index_size (test.index)); - if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval)) - CuFail (cu, "missing CKA_X_DISTRUSTED"); - CuAssertIntEquals (cu, CK_FALSE, bval); - - object = test.objects->elem[1]; - test_check_id (cu, cert, object); + cert = parsed_attrs (certificate_match); + test_check_attrs (cu, expected, cert); teardown (cu); } @@ -121,32 +128,29 @@ static void test_parse_pem_certificate (CuTest *cu) { CK_ATTRIBUTE *cert; - CK_ATTRIBUTE *object; - CK_BBOOL bval; int ret; + CK_ATTRIBUTE expected[] = { + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, + { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, + { CKA_TRUSTED, &falsev, sizeof (falsev) }, + { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, + { CKA_INVALID }, + }; + setup (cu); ret = p11_parse_file (test.parser, SRCDIR "/files/cacert3.pem", - 0, on_parse_object, cu); + P11_PARSE_FLAG_NONE); CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret); - /* Should have gotten certificate and a trust object */ - CuAssertIntEquals (cu, 2, test.objects->num); + /* Should have gotten certificate */ + CuAssertIntEquals (cu, 1, p11_index_size (test.index)); - cert = test.objects->elem[0]; - test_check_cacert3_ca (cu, cert, NULL); - - if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval)) - CuFail (cu, "missing CKA_TRUSTED"); - CuAssertIntEquals (cu, CK_FALSE, bval); - - if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval)) - CuFail (cu, "missing CKA_X_DISTRUSTED"); - CuAssertIntEquals (cu, CK_FALSE, bval); - - object = test.objects->elem[1]; - test_check_id (cu, cert, object); + cert = parsed_attrs (certificate_match); + test_check_attrs (cu, expected, cert); teardown (cu); } @@ -154,136 +158,71 @@ test_parse_pem_certificate (CuTest *cu) static void test_parse_openssl_trusted (CuTest *cu) { - CK_TRUST trusted = CKT_NSS_TRUSTED_DELEGATOR; - CK_TRUST distrusted = CKT_NSS_NOT_TRUSTED; - CK_TRUST unknown = CKT_NSS_TRUST_UNKNOWN; - CK_OBJECT_CLASS certificate_extension = CKO_X_CERTIFICATE_EXTENSION; - CK_OBJECT_CLASS trust_object = CKO_NSS_TRUST; - CK_OBJECT_CLASS trust_assertion = CKO_X_TRUST_ASSERTION; - CK_X_ASSERTION_TYPE anchored_certificate = CKT_X_ANCHORED_CERTIFICATE; - CK_X_ASSERTION_TYPE distrusted_certificate = CKT_X_DISTRUSTED_CERTIFICATE; - CK_BBOOL vtrue = CK_TRUE; - CK_BBOOL vfalse = CK_FALSE; + CK_ATTRIBUTE cacert3[] = { + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_CLASS, &certificate, sizeof (certificate) }, + { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, + { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, + { CKA_TRUSTED, &truev, sizeof (truev) }, + { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, + { CKA_INVALID }, + }; CK_ATTRIBUTE eku_extension[] = { - { CKA_LABEL, "Custom Label", 12 }, { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, - { CKA_X_CRITICAL, &vtrue, sizeof (vtrue) }, + { CKA_X_CRITICAL, &truev, sizeof (truev) }, { CKA_VALUE, "\x30\x14\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01\x06\x08\x2b\x06" "\x01\x05\x05\x07\x03\x02", 22 }, { CKA_INVALID }, }; CK_ATTRIBUTE reject_extension[] = { - { CKA_LABEL, "Custom Label", 12 }, { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) }, - { CKA_X_CRITICAL, &vfalse, sizeof (vfalse) }, + { CKA_X_CRITICAL, &falsev, sizeof (falsev) }, { CKA_VALUE, "\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x04", 12 }, { CKA_INVALID }, }; - CK_ATTRIBUTE nss_trust[] = { - { CKA_LABEL, "Custom Label", 12 }, - { CKA_CLASS, &trust_object, sizeof (trust_object), }, - { CKA_CERT_SHA1_HASH, "\xad\x7c\x3f\x64\xfc\x44\x39\xfe\xf4\xe9\x0b\xe8\xf4\x7c\x6c\xfa\x8a\xad\xfd\xce", 20 }, - { CKA_CERT_MD5_HASH, "\xf7\x25\x12\x82\x4e\x67\xb5\xd0\x8d\x92\xb7\x7c\x0b\x86\x7a\x42", 16 }, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_TRUST_SERVER_AUTH, &trusted, sizeof (trusted) }, - { CKA_TRUST_CLIENT_AUTH, &trusted, sizeof (trusted) }, - { CKA_TRUST_EMAIL_PROTECTION, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_CODE_SIGNING, &unknown, sizeof (unknown) }, - { CKA_TRUST_IPSEC_END_SYSTEM, &unknown, sizeof (unknown) }, - { CKA_TRUST_IPSEC_TUNNEL, &unknown, sizeof (unknown) }, - { CKA_TRUST_IPSEC_USER, &unknown, sizeof (unknown) }, - { CKA_TRUST_TIME_STAMPING, &unknown, sizeof (unknown) }, - { CKA_TRUST_DIGITAL_SIGNATURE, &trusted, sizeof (trusted) }, - { CKA_TRUST_NON_REPUDIATION, &trusted, sizeof (trusted) }, - { CKA_TRUST_KEY_ENCIPHERMENT, &trusted, sizeof (trusted) }, - { CKA_TRUST_DATA_ENCIPHERMENT, &trusted, sizeof (trusted) }, - { CKA_TRUST_KEY_AGREEMENT, &trusted, sizeof (trusted) }, - { CKA_TRUST_KEY_CERT_SIGN, &trusted, sizeof (trusted) }, - { CKA_TRUST_CRL_SIGN, &trusted, sizeof (trusted) }, - { CKA_INVALID, } - }; - - CK_ATTRIBUTE server_anchor[] = { - { CKA_LABEL, "Custom Label", 12 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_SERVER_AUTH_STR, strlen (P11_OID_SERVER_AUTH_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE client_anchor[] = { - { CKA_LABEL, "Custom Label", 12 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_CLIENT_AUTH_STR, strlen (P11_OID_CLIENT_AUTH_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE email_distrust[] = { - { CKA_LABEL, "Custom Label", 12 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_EMAIL_PROTECTION_STR, strlen (P11_OID_EMAIL_PROTECTION_STR) }, - { CKA_INVALID }, - }; - CK_ATTRIBUTE *expected[] = { - NULL, + cacert3, eku_extension, reject_extension, - nss_trust, - email_distrust, - server_anchor, - client_anchor + NULL }; CK_ATTRIBUTE *cert; CK_ATTRIBUTE *object; - CK_BBOOL bval; + CK_OBJECT_HANDLE handle; int ret; int i; setup (cu); ret = p11_parse_file (test.parser, SRCDIR "/files/cacert3-trusted.pem", - P11_PARSE_FLAG_ANCHOR, on_parse_object, cu); + P11_PARSE_FLAG_ANCHOR); CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret); /* * Should have gotten: * - 1 certificate * - 2 stapled extensions - * - 1 trust object - * - 3 trust assertions */ - CuAssertIntEquals (cu, 7, test.objects->num); + CuAssertIntEquals (cu, 3, p11_index_size (test.index)); /* The certificate */ - cert = test.objects->elem[0]; - test_check_cacert3_ca (cu, cert, NULL); + cert = parsed_attrs (certificate_match); + test_check_attrs (cu, expected[0], cert); - if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval)) - CuFail (cu, "missing CKA_TRUSTED"); - CuAssertIntEquals (cu, CK_TRUE, bval); + /* The other objects */ + for (i = 1; expected[i]; i++) { + handle = p11_index_findn (test.index, expected[i], 2); + CuAssertTrue (cu, handle != 0); - if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval)) - CuFail (cu, "missing CKA_X_DISTRUSTED"); - CuAssertIntEquals (cu, CK_FALSE, bval); + object = p11_index_lookup (test.index, handle); + CuAssertPtrNotNull (cu, object); - /* The other objects */ - for (i = 1; i < 7; i++) { - object = test.objects->elem[i]; test_check_attrs (cu, expected[i], object); test_check_id (cu, cert, object); } @@ -294,191 +233,41 @@ test_parse_openssl_trusted (CuTest *cu) static void test_parse_openssl_distrusted (CuTest *cu) { - CK_TRUST distrusted = CKT_NSS_NOT_TRUSTED; - CK_OBJECT_CLASS certificate_extension = CKO_X_CERTIFICATE_EXTENSION; - CK_OBJECT_CLASS trust_object = CKO_NSS_TRUST; - CK_OBJECT_CLASS klass = CKO_CERTIFICATE; - CK_OBJECT_CLASS trust_assertion = CKO_X_TRUST_ASSERTION; - CK_X_ASSERTION_TYPE distrusted_certificate = CKT_X_DISTRUSTED_CERTIFICATE; - CK_CERTIFICATE_TYPE x509 = CKC_X_509; - CK_ULONG category = 2; /* authority */ - CK_BBOOL vtrue = CK_TRUE; - CK_BBOOL vfalse = CK_FALSE; - - CK_ATTRIBUTE certificate[] = { - { CKA_CLASS, &klass, sizeof (klass), }, - { CKA_TOKEN, &vtrue, sizeof (vtrue) }, - { CKA_PRIVATE, &vfalse, sizeof (vfalse) }, - { CKA_MODIFIABLE, &vfalse, sizeof (vfalse) }, - { CKA_CLASS, &klass, sizeof (klass) }, - { CKA_LABEL, "Red Hat Is the CA", 17 }, + CK_ATTRIBUTE distrust_cert[] = { + { CKA_CLASS, &certificate, sizeof (certificate), }, + { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) }, - { CKA_CHECK_VALUE, "\xe9z}", 3 }, - { CKA_START_DATE, "20090916", 8 }, - { CKA_END_DATE, "20190914", 8, }, - { CKA_SERIAL_NUMBER, "\x02\x01\x01", 3 }, - { CKA_TRUSTED, &vfalse, sizeof (vfalse) }, - { CKA_X_DISTRUSTED, &vtrue, sizeof (vtrue) }, + { CKA_TRUSTED, &falsev, sizeof (falsev) }, + { CKA_X_DISTRUSTED, &truev, sizeof (truev) }, { CKA_INVALID }, }; CK_ATTRIBUTE eku_extension[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, - { CKA_X_CRITICAL, &vtrue, sizeof (vtrue) }, + { CKA_X_CRITICAL, &truev, sizeof (truev) }, { CKA_VALUE, "\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x10", 14 }, { CKA_INVALID }, }; CK_ATTRIBUTE reject_extension[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) }, - { CKA_X_CRITICAL, &vfalse, sizeof (vfalse) }, + { CKA_X_CRITICAL, &falsev, sizeof (falsev) }, { CKA_VALUE, "\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02", 12 }, { CKA_INVALID }, }; - CK_ATTRIBUTE nss_trust[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, - { CKA_CLASS, &trust_object, sizeof (trust_object), }, - { CKA_CERT_SHA1_HASH, "\xe9z}\xe3\x82""7\xa0U\xb1k\xfe\xffo.\x03\x15*\xba\xb9\x90", 20 }, - { CKA_CERT_MD5_HASH, "\xda\xb4<\xe7;QK\x1a\xe5\xeau\xa1\xc9 \xdf""B", 16 }, - { CKA_SERIAL_NUMBER, "\x02\x01\x01", 3 }, - { CKA_TRUST_SERVER_AUTH, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_CLIENT_AUTH, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_EMAIL_PROTECTION, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_CODE_SIGNING, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_IPSEC_END_SYSTEM, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_IPSEC_TUNNEL, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_IPSEC_USER, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_TIME_STAMPING, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_DIGITAL_SIGNATURE, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_NON_REPUDIATION, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_KEY_ENCIPHERMENT, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_DATA_ENCIPHERMENT, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_KEY_AGREEMENT, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_KEY_CERT_SIGN, &distrusted, sizeof (distrusted) }, - { CKA_TRUST_CRL_SIGN, &distrusted, sizeof (distrusted) }, - { CKA_INVALID, } - }; - - unsigned char red_hat_issuer[] = { - 0x30, 0x81, 0x9d, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0e, 0x4e, 0x6f, 0x72, 0x74, 0x68, - 0x20, 0x43, 0x61, 0x72, 0x6f, 0x6c, 0x69, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, - 0x04, 0x07, 0x13, 0x07, 0x52, 0x61, 0x6c, 0x65, 0x69, 0x67, 0x68, 0x31, 0x16, 0x30, 0x14, 0x06, - 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0d, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x2c, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x02, 0x49, 0x53, - 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0d, 0x52, 0x65, 0x64, 0x20, 0x48, - 0x61, 0x74, 0x20, 0x49, 0x53, 0x20, 0x43, 0x41, 0x31, 0x26, 0x30, 0x24, 0x06, 0x09, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x17, 0x73, 0x79, 0x73, 0x61, 0x64, 0x6d, 0x69, - 0x6e, 0x2d, 0x72, 0x64, 0x75, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74, 0x2e, 0x63, 0x6f, 0x6d, - }; - - unsigned char red_hat_serial[] = { - 0x02, 0x01, 0x01, - }; - - CK_ATTRIBUTE server_distrust[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_ISSUER, (void *)red_hat_issuer, sizeof (red_hat_issuer) }, - { CKA_SERIAL_NUMBER, (void *)red_hat_serial, sizeof (red_hat_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_SERVER_AUTH_STR, strlen (P11_OID_SERVER_AUTH_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE client_distrust[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_ISSUER, (void *)red_hat_issuer, sizeof (red_hat_issuer) }, - { CKA_SERIAL_NUMBER, (void *)red_hat_serial, sizeof (red_hat_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_CLIENT_AUTH_STR, strlen (P11_OID_CLIENT_AUTH_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE code_distrust[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_ISSUER, (void *)red_hat_issuer, sizeof (red_hat_issuer) }, - { CKA_SERIAL_NUMBER, (void *)red_hat_serial, sizeof (red_hat_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_CODE_SIGNING_STR, strlen (P11_OID_CODE_SIGNING_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE email_distrust[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_ISSUER, (void *)red_hat_issuer, sizeof (red_hat_issuer) }, - { CKA_SERIAL_NUMBER, (void *)red_hat_serial, sizeof (red_hat_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_EMAIL_PROTECTION_STR, strlen (P11_OID_EMAIL_PROTECTION_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE ipsec_system_distrust[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_ISSUER, (void *)red_hat_issuer, sizeof (red_hat_issuer) }, - { CKA_SERIAL_NUMBER, (void *)red_hat_serial, sizeof (red_hat_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_IPSEC_END_SYSTEM_STR, strlen (P11_OID_IPSEC_END_SYSTEM_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE ipsec_tunnel_distrust[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_ISSUER, (void *)red_hat_issuer, sizeof (red_hat_issuer) }, - { CKA_SERIAL_NUMBER, (void *)red_hat_serial, sizeof (red_hat_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_IPSEC_TUNNEL_STR, strlen (P11_OID_IPSEC_TUNNEL_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE ipsec_user_distrust[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_ISSUER, (void *)red_hat_issuer, sizeof (red_hat_issuer) }, - { CKA_SERIAL_NUMBER, (void *)red_hat_serial, sizeof (red_hat_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_IPSEC_USER_STR, strlen (P11_OID_IPSEC_USER_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE stamping_distrust[] = { - { CKA_LABEL, "Red Hat Is the CA", 17 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_ISSUER, (void *)red_hat_issuer, sizeof (red_hat_issuer) }, - { CKA_SERIAL_NUMBER, (void *)red_hat_serial, sizeof (red_hat_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_TIME_STAMPING_STR, strlen (P11_OID_TIME_STAMPING_STR) }, - { CKA_INVALID }, - }; - CK_ATTRIBUTE *expected[] = { - certificate, + distrust_cert, eku_extension, reject_extension, - nss_trust, - server_distrust, - client_distrust, - code_distrust, - email_distrust, - ipsec_system_distrust, - ipsec_tunnel_distrust, - ipsec_user_distrust, - stamping_distrust, + NULL }; CK_ATTRIBUTE *cert; CK_ATTRIBUTE *object; + CK_OBJECT_HANDLE handle; int ret; int i; @@ -489,22 +278,26 @@ test_parse_openssl_distrusted (CuTest *cu) * so we parse this as an anchor, but expect it to be blacklisted */ ret = p11_parse_file (test.parser, SRCDIR "/files/distrusted.pem", - P11_PARSE_FLAG_ANCHOR, on_parse_object, cu); + P11_PARSE_FLAG_ANCHOR); CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret); /* * Should have gotten: * - 1 certificate * - 2 stapled extensions - * - 1 trust object - * - 8 trust assertions */ - CuAssertIntEquals (cu, 12, test.objects->num); - cert = test.objects->elem[0]; + CuAssertIntEquals (cu, 3, p11_index_size (test.index)); + cert = parsed_attrs (certificate_match); + test_check_attrs (cu, expected[0], cert); /* The other objects */ - for (i = 0; i < 12; i++) { - object = test.objects->elem[i]; + for (i = 1; expected[i]; i++) { + handle = p11_index_findn (test.index, expected[i], 2); + CuAssertTrue (cu, handle != 0); + + object = p11_index_lookup (test.index, handle); + CuAssertPtrNotNull (cu, object); + test_check_attrs (cu, expected[i], object); test_check_id (cu, cert, object); } @@ -513,246 +306,35 @@ test_parse_openssl_distrusted (CuTest *cu) } static void -test_parse_with_key_usage (CuTest *cu) -{ - CK_TRUST trusted = CKT_NSS_TRUSTED; - CK_TRUST unknown = CKT_NSS_TRUST_UNKNOWN; - CK_OBJECT_CLASS klass = CKO_CERTIFICATE; - CK_OBJECT_CLASS trust_object = CKO_NSS_TRUST; - CK_BBOOL vtrue = CK_TRUE; - CK_BBOOL vfalse = CK_FALSE; - CK_CERTIFICATE_TYPE x509 = CKC_X_509; - CK_ULONG category = 3; /* other entity */ - - CK_ATTRIBUTE certificate[] = { - { CKA_CLASS, &klass, sizeof (klass), }, - { CKA_TOKEN, &vtrue, sizeof (vtrue) }, - { CKA_PRIVATE, &vfalse, sizeof (vfalse) }, - { CKA_MODIFIABLE, &vfalse, sizeof (vfalse) }, - { CKA_CLASS, &klass, sizeof (klass) }, - { CKA_LABEL, "self-signed-with-ku.example.com", 31 }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) }, - { CKA_CHECK_VALUE, "d/\x9c", 3 }, - { CKA_START_DATE, "20121211", 8 }, - { CKA_END_DATE, "20130110", 8, }, - { CKA_ISSUER, "0*1(0&\x06\x03U\x04\x03\x13\x1f""self-signed-with-ku.example.com", 44 }, - { CKA_SUBJECT, "0*1(0&\x06\x03U\x04\x03\x13\x1f""self-signed-with-ku.example.com", 44 }, - { CKA_SERIAL_NUMBER, "\x02\x02\x03x", 4 }, - { CKA_TRUSTED, &vtrue, sizeof (vtrue) }, - { CKA_X_DISTRUSTED, &vfalse, sizeof (vfalse) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE nss_trust[] = { - { CKA_LABEL, "self-signed-with-ku.example.com", 31 }, - { CKA_CLASS, &trust_object, sizeof (trust_object), }, - { CKA_CERT_SHA1_HASH, "d/\x9c=\xbc\x9a\x7f\x91\xc7wT\t`\x86\xe2\x8e\x8f\xa8J\x12", 20 }, - { CKA_CERT_MD5_HASH, "\xb1N=\x16\x12?dz\x97\x81""By/\xcc\x97\x82", 16 }, - { CKA_ISSUER, "0*1(0&\x06\x03U\x04\x03\x13\x1f""self-signed-with-ku.example.com", 44 }, - { CKA_SUBJECT, "0*1(0&\x06\x03U\x04\x03\x13\x1f""self-signed-with-ku.example.com", 44 }, - { CKA_SERIAL_NUMBER, "\x02\x02\x03x", 4 }, - { CKA_TRUST_SERVER_AUTH, &trusted, sizeof (trusted) }, - { CKA_TRUST_CLIENT_AUTH, &trusted, sizeof (trusted) }, - { CKA_TRUST_EMAIL_PROTECTION, &trusted, sizeof (trusted) }, - { CKA_TRUST_CODE_SIGNING, &trusted, sizeof (trusted) }, - { CKA_TRUST_IPSEC_END_SYSTEM, &trusted, sizeof (trusted) }, - { CKA_TRUST_IPSEC_TUNNEL, &trusted, sizeof (trusted) }, - { CKA_TRUST_IPSEC_USER, &trusted, sizeof (trusted) }, - { CKA_TRUST_TIME_STAMPING, &trusted, sizeof (trusted) }, - { CKA_TRUST_DIGITAL_SIGNATURE, &trusted, sizeof (trusted) }, - { CKA_TRUST_NON_REPUDIATION, &unknown, sizeof (unknown) }, - { CKA_TRUST_KEY_ENCIPHERMENT, &unknown, sizeof (unknown) }, - { CKA_TRUST_DATA_ENCIPHERMENT, &unknown, sizeof (unknown) }, - { CKA_TRUST_KEY_AGREEMENT, &unknown, sizeof (unknown) }, - { CKA_TRUST_KEY_CERT_SIGN, &trusted, sizeof (trusted) }, - { CKA_TRUST_CRL_SIGN, &unknown, sizeof (unknown) }, - { CKA_INVALID, } - }; - - CK_ATTRIBUTE *cert; - CK_ATTRIBUTE *object; - CK_BBOOL bval; - int ret; - - setup (cu); - - ret = p11_parse_file (test.parser, SRCDIR "/files/self-signed-with-ku.der", - P11_PARSE_FLAG_ANCHOR, on_parse_object, cu); - CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret); - - /* Should have gotten certificate, and a trust object */ - CuAssertIntEquals (cu, 2, test.objects->num); - - cert = test.objects->elem[0]; - test_check_attrs (cu, certificate, cert); - - if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &bval)) - CuFail (cu, "missing CKA_TRUSTED"); - CuAssertIntEquals (cu, CK_TRUE, bval); - - if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &bval)) - CuFail (cu, "missing CKA_X_DISTRUSTED"); - CuAssertIntEquals (cu, CK_FALSE, bval); - - object = test.objects->elem[1]; - test_check_attrs (cu, nss_trust, object); - test_check_id (cu, cert, object); - - teardown (cu); -} - -static void test_parse_anchor (CuTest *cu) { - CK_BBOOL vtrue = CK_TRUE; - CK_OBJECT_CLASS trust_object = CKO_NSS_TRUST; - CK_ATTRIBUTE trusted = { CKA_TRUSTED, &vtrue, sizeof (vtrue) }; - CK_TRUST delegator = CKT_NSS_TRUSTED_DELEGATOR; - CK_OBJECT_CLASS trust_assertion = CKO_X_TRUST_ASSERTION; - CK_X_ASSERTION_TYPE anchored_certificate = CKT_X_ANCHORED_CERTIFICATE; - - CK_ATTRIBUTE nss_trust[] = { - { CKA_LABEL, "CAcert Class 3 Root", 19 }, - { CKA_CLASS, &trust_object, sizeof (trust_object), }, - { CKA_CERT_SHA1_HASH, "\xad\x7c\x3f\x64\xfc\x44\x39\xfe\xf4\xe9\x0b\xe8\xf4\x7c\x6c\xfa\x8a\xad\xfd\xce", 20 }, - { CKA_CERT_MD5_HASH, "\xf7\x25\x12\x82\x4e\x67\xb5\xd0\x8d\x92\xb7\x7c\x0b\x86\x7a\x42", 16 }, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_TRUST_SERVER_AUTH, &delegator, sizeof (delegator) }, - { CKA_TRUST_CLIENT_AUTH, &delegator, sizeof (delegator) }, - { CKA_TRUST_EMAIL_PROTECTION, &delegator, sizeof (delegator) }, - { CKA_TRUST_CODE_SIGNING, &delegator, sizeof (delegator) }, - { CKA_TRUST_IPSEC_END_SYSTEM, &delegator, sizeof (delegator) }, - { CKA_TRUST_IPSEC_TUNNEL, &delegator, sizeof (delegator) }, - { CKA_TRUST_IPSEC_USER, &delegator, sizeof (delegator) }, - { CKA_TRUST_TIME_STAMPING, &delegator, sizeof (delegator) }, - { CKA_TRUST_DIGITAL_SIGNATURE, &delegator, sizeof (delegator) }, - { CKA_TRUST_NON_REPUDIATION, &delegator, sizeof (delegator) }, - { CKA_TRUST_KEY_ENCIPHERMENT, &delegator, sizeof (delegator) }, - { CKA_TRUST_DATA_ENCIPHERMENT, &delegator, sizeof (delegator) }, - { CKA_TRUST_KEY_AGREEMENT, &delegator, sizeof (delegator) }, - { CKA_TRUST_KEY_CERT_SIGN, &delegator, sizeof (delegator) }, - { CKA_TRUST_CRL_SIGN, &delegator, sizeof (delegator) }, - { CKA_INVALID, } - }; - - CK_ATTRIBUTE server_anchor[] = { - { CKA_LABEL, "CAcert Class 3 Root", 19 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_SERVER_AUTH_STR, strlen (P11_OID_SERVER_AUTH_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE client_anchor[] = { - { CKA_LABEL, "CAcert Class 3 Root", 19 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_CLIENT_AUTH_STR, strlen (P11_OID_CLIENT_AUTH_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE code_anchor[] = { - { CKA_LABEL, "CAcert Class 3 Root", 19 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_CODE_SIGNING_STR, strlen (P11_OID_CODE_SIGNING_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE email_anchor[] = { - { CKA_LABEL, "CAcert Class 3 Root", 19 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_EMAIL_PROTECTION_STR, strlen (P11_OID_EMAIL_PROTECTION_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE ipsec_system_anchor[] = { - { CKA_LABEL, "CAcert Class 3 Root", 19 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_IPSEC_END_SYSTEM_STR, strlen (P11_OID_IPSEC_END_SYSTEM_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE ipsec_tunnel_anchor[] = { - { CKA_LABEL, "CAcert Class 3 Root", 19 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_IPSEC_TUNNEL_STR, strlen (P11_OID_IPSEC_TUNNEL_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE ipsec_user_anchor[] = { - { CKA_LABEL, "CAcert Class 3 Root", 19 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_IPSEC_USER_STR, strlen (P11_OID_IPSEC_USER_STR) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE stamping_anchor[] = { - { CKA_LABEL, "CAcert Class 3 Root", 19 }, - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, + CK_ATTRIBUTE cacert3[] = { + { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, + { CKA_CLASS, &certificate, sizeof (certificate) }, { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_X_PURPOSE, (void *)P11_OID_TIME_STAMPING_STR, strlen (P11_OID_TIME_STAMPING_STR) }, + { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, + { CKA_TRUSTED, &truev, sizeof (truev) }, + { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, { CKA_INVALID }, }; - CK_ATTRIBUTE *expected[] = { - NULL, - nss_trust, - server_anchor, - client_anchor, - code_anchor, - email_anchor, - ipsec_system_anchor, - ipsec_tunnel_anchor, - ipsec_user_anchor, - stamping_anchor, - }; - CK_ATTRIBUTE *cert; - CK_ATTRIBUTE *object; - CK_ATTRIBUTE *attr; int ret; - int i; setup (cu); ret = p11_parse_file (test.parser, SRCDIR "/files/cacert3.der", - P11_PARSE_FLAG_ANCHOR, on_parse_object, cu); + P11_PARSE_FLAG_ANCHOR); CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret); /* * Should have gotten: * - 1 certificate - * - 1 trust object - * - 8 trust assertions */ - CuAssertIntEquals (cu, 10, test.objects->num); - - cert = test.objects->elem[0]; - test_check_cacert3_ca (cu, cert, NULL); - attr = p11_attrs_find (cert, CKA_TRUSTED); - test_check_attr (cu, &trusted, attr); + CuAssertIntEquals (cu, 1, p11_index_size (test.index)); - for (i = 1; i < 10; i++) { - object = test.objects->elem[i]; - test_check_attrs (cu, expected[i], object); - test_check_id (cu, cert, object); - } + cert = parsed_attrs (certificate_match); + test_check_attrs (cu, cacert3, cert); teardown (cu); } @@ -760,29 +342,20 @@ test_parse_anchor (CuTest *cu) /* TODO: A certificate that uses generalTime needs testing */ static void -test_parse_no_sink (CuTest *cu) -{ - int ret; - - setup (cu); - - ret = p11_parse_file (test.parser, SRCDIR "/files/cacert3.der", - 0, NULL, NULL); - CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret); - - teardown (cu); -} - -static void test_parse_invalid_file (CuTest *cu) { int ret; setup (cu); - ret = p11_parse_file (test.parser, "/nonexistant", 0, on_parse_object, cu); + p11_message_quiet (); + + ret = p11_parse_file (test.parser, "/nonexistant", + P11_PARSE_FLAG_NONE); CuAssertIntEquals (cu, P11_PARSE_FAILURE, ret); + p11_message_loud (); + teardown (cu); } @@ -793,10 +366,14 @@ test_parse_unrecognized (CuTest *cu) setup (cu); + p11_message_quiet (); + ret = p11_parse_file (test.parser, SRCDIR "/files/unrecognized-file.txt", - 0, on_parse_object, cu); + P11_PARSE_FLAG_NONE); CuAssertIntEquals (cu, P11_PARSE_UNRECOGNIZED, ret); + p11_message_loud (); + teardown (cu); } @@ -810,15 +387,12 @@ main (void) putenv ("P11_KIT_STRICT=1"); p11_library_init (); p11_debug_init (); - p11_message_quiet (); SUITE_ADD_TEST (suite, test_parse_der_certificate); SUITE_ADD_TEST (suite, test_parse_pem_certificate); SUITE_ADD_TEST (suite, test_parse_openssl_trusted); SUITE_ADD_TEST (suite, test_parse_openssl_distrusted); - SUITE_ADD_TEST (suite, test_parse_with_key_usage); SUITE_ADD_TEST (suite, test_parse_anchor); - SUITE_ADD_TEST (suite, test_parse_no_sink); SUITE_ADD_TEST (suite, test_parse_invalid_file); SUITE_ADD_TEST (suite, test_parse_unrecognized); |