| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
| |
See also NSS bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334976
and p11-kit bug https://bugs.freedesktop.org/show_bug.cgi?id=99453
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKCS#11 spec states that the CKA_ID should match the
SubjectKeyIdentifier if such an extension is present.
We delay the filling of CKA_ID until the builder phase of populating
attributes which allows us to have more control over how this works.
Note that we don't make CKA_ID reflect SubjectKeyIdentifier *attached*
extensions. The CKA_ID isn't supposed to change after object creation.
Making it dependent on attached extensions would be making promises
we cannot keep, since attached extensions can be added/removed at any
time.
This also means the CKA_ID of attached extensions and certificates
won't necessarily match up, but that was never promised, and not how
attached extensions should be matched to their certificate anyway.
Based on a patch and research done by David Woodhouse.
https://bugs.freedesktop.org/show_bug.cgi?id=84761
|
|
|
|
|
|
|
| |
The term 'stapled extensions' is confusing because it overloads
terminology used with OSCP stapling.
Suggested by Daniel Kahn Gillmor.
|
|
|
|
|
|
|
| |
Move our internal stuff to pkcs11i.h, and install the pkcs11x.h
header containing extensions.
https://bugs.freedesktop.org/show_bug.cgi?id=83495
|
|
|
|
|
|
|
|
|
| |
CKA_PUBLIC_KEY_INFO is defined in the PKCS#11 2.40 draft, so use that
rather than defining our own.
* Fixed up by Nikos Mavrogiannopoulos <nmav@redhat.com>
https://bugs.freedesktop.org/show_bug.cgi?id=83495
|
|
|
|
|
|
| |
Previously we would output a line like this:
p11-kit: 'node != NULL' not true at lookup_extension
|
|
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=82328
|
|
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=82328
|
| |
|
|
|
|
|
| |
* Add a testing sanity check to see if we're catching errors
* Fix a few other testing issues
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=985337
|
|
|
|
|
|
| |
Since we don't want to link freebl3 to libp11-kit.so where it isn't
needed, move the SHA-1 and MD5 digest functionality to the trust/
directory.
|
|
|
|
|
|
|
|
| |
* Create directory before trying to write files to it
* Handle write failures appropriately
Refactor how we build and store objects in the index to handle
the above cases properly.
|
|
|
|
|
|
|
|
|
|
| |
* Use the concepts and PKCS#11 objects described in the
recently updated (still work in progress) storing trust spec.
* Define our own CKA_X_PUBLIC_KEY_INFO define for now, since the
the CKA_PUBLIC_KEY_INFO isn't defined yet.
* Most notably, the association between certificates and stapled
extensions is by public key.
* Rework some of the tests to take into account the above.
|
|
|
|
|
|
| |
The name makes it clearer what's going on. This is only used
during loading, so we can track whether a change has resulted
from the trust module or from the file storage.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Reload token data whenever a new session is opened.
* Only reload files/directories that have changed.
* Move duplicate anchor/blacklist detection logic into
the extract code. This is in line with the approach
being discussed on the mailing lists and spec document.
* New internal attribute CKA_X_ORIGIN set on all objects
so we can track where an object came from, and replace
it when reloaded.
In general this is a prerequisite for modification of objects
reload before modify is necessary to prevent multiple callers
clobbering each other's changes.
|
| |
|
|
|
|
|
| |
We didn't treat the two digit year 00 as a valid year, whereas it
actually represents the year 2000. This is in a non-critical code path.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKCS#11 specification does not note what timezone these dates
are in. In addition the time values are not represented in PKCS#11.
So don't reinterpret certificate dates, other than filling in the
century for dates that have a two digit year.
Lastly, these are low resolution optional fields so not being all
strict about timezones here is appropriate.
https://bugs.freedesktop.org/show_bug.cgi?id=62825
|
|
|
|
|
|
|
|
|
|
|
| |
Put library init/uninit code its into their own statically
linked library so that they don't get linked into the p11-kit
executable.
Refactor the message code so that the library initialization can
plug in its per thread message buffer.
https://bugs.freedesktop.org/show_bug.cgi?id=63046
|
|
|
|
|
|
|
| |
These don't contain the CKA_VALUE attribute for certificate data
but rather the CKA_X_CERTIFICATE_VALUE attribute.
https://bugs.freedesktop.org/show_bug.cgi?id=62896
|
|
|
|
|
|
|
|
|
| |
Since CKA_START_DATE and CKA_END_DATE are the only places
where we want to parse out times, and these are optional, just
leave blank if the time overflows what libc can handle on
a 32-bit system.
https://bugs.freedesktop.org/show_bug.cgi?id=62825
|
| |
|
|
|
|
|
|
|
|
|
| |
The index now uses a sort of cross between a hash table and a bloom
filter internally to select matching items. This is needed for the
massive amount of lookups we want to do during loading.
In addition make p11_index_find() and p11_index_replace() easier
to use.
|
|
|
|
|
| |
We're going to be adding other hashes. Also build as part of a
different common library.
|
| |
|
|
|
|
|
|
|
|
| |
Handle lookups for trust objects (by NSS) which expect CKA_SERIAL_NUMBER
attributes without appropriate DER encoding.
In addition allow creation of NSS trust objects as PKCS#11 session
objects, so that we can test this behavior.
|
|
|
|
|
|
|
| |
In many cases certficates are distrusted by serial+issuer. Make sure
this works, and fix various cases where we weren't generating
compat NSS objects and compat trust assertions for these types
of input.
|
|
|
|
|
|
|
|
| |
There was a class of bugs for looking up invalid or empty
attributes in the internal PKCS#11 attribute arrays.
* Refine what p11_attrs_find_valid() treats as valid
* Rename p11_attrs_is_empty() to p11_attrs_terminator() for clarity
|
|
|
|
|
|
|
| |
This is what's recommended by the spec, and allows stapled extensions
to hang off a predictable CKA_ID.
https://bugs.freedesktop.org/show_bug.cgi?id=62329
|
|
The builder completes the objects from the parsed data and takes
over the responsibilities that the parser and adapter previously
shared.
This is necessary to prepare for arbitrary data coming from
the p11-kit specific input files.
https://bugs.freedesktop.org/show_bug.cgi?id=62329
|