Diffstat (limited to 'trust')
-rw-r--r-- | trust/enumerate.c | 5 | ||||
-rw-r--r-- | trust/oid.h | 9 | ||||
-rw-r--r-- | trust/test-enumerate.c | 31 |
3 files changed, 45 insertions, 0 deletions
diff --git a/trust/enumerate.c b/trust/enumerate.c
index 731fadc..9b43b9b 100644
--- a/trust/enumerate.c
+++ b/trust/enumerate.c
@@ -374,6 +374,11 @@ on_iterate_load_filter (p11_kit_iter *iter,
 if (ex->limit_to_purposes && ex->purposes) {
 *matches = CK_FALSE;
 for (i = 0; i < ex->purposes->num; i++) {
+ if (strcmp (ex->purposes->elem[i], P11_OID_ANY_EXTENDED_KEY_USAGE_STR) == 0) {
+ p11_debug ("anyExtendedKeyUsage is set, skipping filtering by purposes");
+ *matches = CK_TRUE;
+ break;
+ }
 if (p11_dict_get (ex->limit_to_purposes, ex->purposes->elem[i])) {
 *matches = CK_TRUE;
 break;
diff --git a/trust/oid.h b/trust/oid.h
index cf510fe..297e7a6 100644
--- a/trust/oid.h
+++ b/trust/oid.h
@@ -118,6 +118,15 @@ static const unsigned char P11_OID_EXTENDED_KEY_USAGE[] =
 static const char P11_OID_EXTENDED_KEY_USAGE_STR[] = "2.5.29.37";
 
 /*
+ * 2.5.29.37.0: anyExtendedKeyUsage
+ *
+ * Defined in RFC 5280
+ */
+static const unsigned char P11_OID_ANY_EXTENDED_KEY_USAGE[] =
+ { 0x06, 0x03, 0x55, 0x1d, 0x25, 0x00 };
+static const char P11_OID_ANY_EXTENDED_KEY_USAGE_STR[] = "2.5.29.37.0";
+
+/*
  * 1.3.6.1.4.1.3319.6.10.1: OpenSSL reject extension
  *
  * An internally defined certificate extension.
diff --git a/trust/test-enumerate.c b/trust/test-enumerate.c
index 3e188b2..0ac3a33 100644
--- a/trust/test-enumerate.c
+++ b/trust/test-enumerate.c
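Review bot: The new anyExtendedKeyUsage branch in on_iterate_load_filter short-circuits the purpose filter without saying why, so the next reader has to rediscover the RFC 5280 rule it relies on; a one-line comment above the `strcmp` would do, e.g. `/* RFC 5280 4.2.1.12: anyExtendedKeyUsage means the certificate may be used for any purpose, so it satisfies every requested --purpose filter */`. The debug text "skipping filtering by purposes" also reads as if the whole filter were disabled, while the effect is per certificate; `p11_debug ("certificate has anyExtendedKeyUsage, matches any purpose");` states the scope precisely. on_iterate_load_filter begins and ends outside the hunk, so I cannot see whether `<string.h>` is already included for `strcmp`; worth confirming.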
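Review bot: The DER length byte of `P11_OID_ANY_EXTENDED_KEY_USAGE` is wrong: the encoded OID content `0x55, 0x1d, 0x25, 0x00` is four bytes, but the header declares `0x03`, so this constant cannot match a correctly encoded anyExtendedKeyUsage value byte-for-byte. The test fixture in this same commit encodes the identical OID as `\x06\x04\x55\x1d\x25\x00`, which is the correct form; the line should read `{ 0x06, 0x04, 0x55, 0x1d, 0x25, 0x00 };`. The enumerate.c change only uses the `_STR` form, which is presumably why the new test passes despite the bad binary constant; anything that later compares the binary form would silently never match.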
@@ -243,6 +243,17 @@ static CK_ATTRIBUTE extension_eku_invalid[] = {
 { CKA_INVALID },
 };
 
+static CK_ATTRIBUTE extension_eku_any[] = {
+ { CKA_CLASS, &extension_class, sizeof (extension_class) },
+ { CKA_ID, "ID1", 3 },
+ { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) },
+ { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
+ /* anyExtendedKeyUsage ('2 5 29 37 0') and
+ * Microsoft Smart Card Logon ('1 3 6 1 4 1 311 20 2 2') */
+ { CKA_VALUE, "\x30\x1b\x06\x03\x55\x1d\x25\x04\x14\x30\x12\x06\x04\x55\x1d\x25\x00\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x14\x02\x02", 29 },
+ { CKA_INVALID },
+};
+
 static void
 test_info_simple_certificate (void)
 {
@@ -375,6 +386,25 @@ test_limit_to_purpose_no_match (void)
 }
 
 static void
+test_limit_to_purpose_match_any (void)
+{
+ CK_RV rv;
+
+ mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_trusted);
+ mock_module_add_object (MOCK_SLOT_ONE_ID, extension_eku_any);
+
+ p11_enumerate_opt_purpose (&test.ex, P11_OID_SERVER_AUTH_STR);
+ p11_enumerate_ready (&test.ex, NULL);
+
+ p11_message_quiet ();
+
+ rv = p11_kit_iter_next (test.ex.iter);
+ assert_num_eq (CKR_OK, rv);
+
+ p11_message_loud ();
+}
+
+static void
 test_duplicate_extract (void)
 {
 CK_ATTRIBUTE certificate = { CKA_CLASS, &certificate_class, sizeof (certificate_class) };
@@ -529,6 +559,7 @@ main (int argc,
 p11_test (test_info_skip_non_certificate, "/extract/test_info_skip_non_certificate");
 p11_test (test_limit_to_purpose_match, "/extract/test_limit_to_purpose_match");
 p11_test (test_limit_to_purpose_no_match, "/extract/test_limit_to_purpose_no_match");
+ p11_test (test_limit_to_purpose_match_any, "/extract/test_limit_to_purpose_no_match_any");
 p11_test (test_duplicate_extract, "/extract/test_duplicate_extract");
 p11_test (test_duplicate_distrusted, "/extract/test-duplicate-distrusted");
 p11_test (test_trusted_match, "/extract/test_trusted_match");
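Review bot: The registration in main labels the new test `"/extract/test_limit_to_purpose_no_match_any"` although the function is `test_limit_to_purpose_match_any` and asserts `CKR_OK`, i.e. a match; a failure would be reported under a name that says the opposite, so the line should be `p11_test (test_limit_to_purpose_match_any, "/extract/test_limit_to_purpose_match_any");`. The fixture in the first hunk looks right: the 29-byte CKA_VALUE is a well-formed extension whose inner SEQUENCE carries anyExtendedKeyUsage as `\x06\x04\x55\x1d\x25\x00` followed by the smart-card-logon OID, and the requested purpose (server auth) is deliberately absent, so only the new any-EKU branch can produce the match. The test body only proves that at least one object comes back; asserting the end-of-iteration return on a second `p11_kit_iter_next` call, as the neighbouring tests presumably do, would pin that exactly one certificate matched.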