summaryrefslogtreecommitdiff
path: root/trust
Commit message (Collapse)AuthorAgeFilesLines
* trust: Provide better debugging of trust module functionsStef Walter2013-03-181-5/+15
| | | | | Make C_FindObjects() and C_GetAttributeValue() functions dump the attributes that they're dealing with when in debug mode.
* attrs: Change p11_attrs_to_string() to allow static templatesStef Walter2013-03-181-1/+1
| | | | | Allow passing the number of attributes to print, which lets us use this directly on templates passed in by callers of the PKCS#11 API.
* trust: Handle incorrectly encoded CKA_SERIAL_NUMBER lookupsStef Walter2013-03-183-1/+114
| | | | | | | | Handle lookups for trust objects (by NSS) which expect CKA_SERIAL_NUMBER attributes without appropriate DER encoding. In addition allow creation of NSS trust objects as PKCS#11 session objects, so that we can test this behavior.
* trust: Better generation of nss objects and assertions for serial+issuerStef Walter2013-03-183-225/+341
| | | | | | | In many cases certficates are distrusted by serial+issuer. Make sure this works, and fix various cases where we weren't generating compat NSS objects and compat trust assertions for these types of input.
* Refine looking up of attributes in arraysStef Walter2013-03-185-60/+52
| | | | | | | | There was a class of bugs for looking up invalid or empty attributes in the internal PKCS#11 attribute arrays. * Refine what p11_attrs_find_valid() treats as valid * Rename p11_attrs_is_empty() to p11_attrs_terminator() for clarity
* trust: Remove file that's no longer usedStef Walter2013-03-171-301/+0
|
* Fix distcheck and documentationStef Walter2013-03-152-4/+6
|
* trust: Update frob-nss-tool so it can compare modules for trust infoStef Walter2013-03-151-35/+139
| | | | | Can run with two modules now so that it can compare tokens NSS trust info.
* trust: Support a p11-kit specific serialization formatStef Walter2013-03-1512-41/+1059
| | | | | | | This is documented in doc/internals/ subdirectory Add tests for the format as well. https://bugs.freedesktop.org/show_bug.cgi?id=62156
* trust: Use a SHA-1 hash of subjectPublicKeyInfo as CKA_ID by defaultStef Walter2013-03-156-39/+88
| | | | | | | This is what's recommended by the spec, and allows stapled extensions to hang off a predictable CKA_ID. https://bugs.freedesktop.org/show_bug.cgi?id=62329
* trust: Add a builder which builds objects out of parsed dataStef Walter2013-03-1515-1750/+3593
| | | | | | | | | | | The builder completes the objects from the parsed data and takes over the responsibilities that the parser and adapter previously shared. This is necessary to prepare for arbitrary data coming from the p11-kit specific input files. https://bugs.freedesktop.org/show_bug.cgi?id=62329
* trust: Refactor to include concept of the indexStef Walter2013-03-1514-384/+2097
| | | | | | | | | | * The index holds PKCS#11 objects whether for the token or for the session. * The index provides hook for a builder to expand or validate objects being added to the index. * In addition theres a change hook so that a builder can maintain state between objects, such as the compat NSS trust objects. https://bugs.freedesktop.org/show_bug.cgi?id=62329
* p11-kit: New priority option and change trust-policy optionStef Walter2013-03-151-3/+11
| | | | | | | | | | | | | | * Sort loaded modules appropriately using the 'priority' option. This allows us to have a predictable order for callers, when callers iterate through modules. * Modules default to having an 'priority' option of '0'. * If modules have the same order value, then sort by name. * The above assumes the role of ordering trust-policy sources. * Change the trust-policy option to a boolean * Some of this code will be rearranged when the managed branch is merged. https://bugs.freedesktop.org/show_bug.cgi?id=61978
* trust: Make each configured path its own tokenStef Walter2013-03-157-136/+460
| | | | | | | | | | | | | | | | | | | * Each source directory or file configured into the module or passed in as an initialization argument becomes its own token. Previously there was one token that contained certificates from all the configured paths. * These tokens are clearly labeled in the token info as to the directory or file that they represent. * Update PKCS#11 module logic to deal with multiple tokens, validate the slot ids and so on. * The order in which the paths are configured will become the order of trust priority. This is the same order in which they are listed through 'p11-kit list-modules' and C_GetSlotList. * Update the frob-token internal tool to only play with one path * Adjust tests where necessary to reflect the new state of things and add tests for modified trust module code https://bugs.freedesktop.org/show_bug.cgi?id=61499
* trust: Rework input path treatmentStef Walter2013-03-1515-54/+253
| | | | | | | | | | | | | | | | | | | | | * Accept a single --with-trust-paths argument to ./configure which cotnains all the input paths. * The --with-system-anchors and --with-system-certificates ./configure arguments are no longer supported. Since they were only present briefly, no provision is made for backwards compatibility. * Each input file is treated as containing anchors by default unless an input certificate contains detailed trust information. * The files in each input directory are not automatically treated as anchors unless a certificate contains detailed trust information. * The files in anchors/ subdirectory of each input directory are automatically marked as anchors. * The files in the blacklist/ subdirectory of each input directory are automatically marked as blacklisted. * Update tests and move around test certificates so we can test these changes. https://bugs.freedesktop.org/show_bug.cgi?id=62327
* pem: Fix a bug decoding some PEM filesStef Walter2013-03-151-0/+25
| | | | | When bringing over the BSD base64 code, there was a regression. In addition add some tests for the base64 stuff.
* trust: add a simple frob-nss-token tool to dump distrustStef Walter2013-03-082-0/+109
| | | | | Add a simple tool to dump NSS style distrust attributes from a module.
* trust: Use the new NSS PKCS#11 extension codesStef Walter2013-03-084-27/+27
| | | | | NSS had subtly changed the values of the distrust CK_TRUST codes so update them to stay in sync.
* Hard code distrust temporarily.Stef Walter2013-03-081-1/+149
| | | | | This is because we have no way to load this data into the trust module. Working on a real solution.
* trust: Refactor how we load builtin objectsStef Walter2013-03-081-11/+13
|
* Build with the libtasn1 CFLAGS properlyStef Walter2013-03-041-0/+1
| | | | | | Tweaks by: Roman Bogorodskiy <bogorodskiy@gmail.com> https://bugs.freedesktop.org/show_bug.cgi?id=61739
* Initialize modules correctly in testsStef Walter2013-03-034-1/+4
| | | | This fixes hangs when running tests on windows
* Fix syntax errors in OS_WIN32 ifdefsStef Walter2013-03-032-2/+6
|
* Abstract mmap() into a compat APIStef Walter2013-03-031-21/+7
| | | | | The Win32 for mmap() is very different from Unix, so abstract this into our own p11_mmap_xxx() functions.
* Use putenv() instead of setenv()Stef Walter2013-03-034-4/+4
| | | | Since older operating systems don't support setenv()
* Only do shared object and DLL initialization in librariesStef Walter2013-02-201-0/+55
| | | | | | Don't do library initialization on shared object load when not running in a library. We'll want to plug into this and do different things per library in the future.
* Use the CN, OU or O of certificates to generate a labelStef Walter2013-02-052-32/+41
| | | | | * This is in cases where the certificate information does not already have a friendly name or alias.
* Move the X.509 extension parsing code in common/Stef Walter2013-02-052-121/+80
| | | | * So it can be used by other code, in addition to the trust stuff
* Implement trust assertion PKCS#11 objectsStef Walter2013-02-057-43/+783
| | | | | | * Implement trust assertions for anchored and distrusted certs * Pinned certificate trust assertions are not implemented yet * Add an internal tool for pulling apart bits of certificates
* Refactor how parsing of ASN.1 data and certificate extensions workStef Walter2013-02-055-664/+58
|
* Fill in certificate authority and trust data correctlyStef Walter2013-02-057-163/+548
| | | | | | | | | | | | * Fill in CKA_CERTIFICATE_CATEGORY properly for authorities based on the presence of BasicConstraints and/or v1 certificates * Fill in CKA_TRUSTED and CKA_X_DISTRUSTED based on whether the parser is running for anchors or blacklist * In addition support the concept of blacklisted certificates mixed in with the anchors (without any purposes) since that's what exists in the real world. * We do this after the various hooks have had a chance to mess with the certificate extensions and such.
* Implement stapled certificate extensions internallyStef Walter2013-02-058-366/+894
| | | | | | | | | | | | * Use stapled certificate extensions to represent loaded trust policy * Build NSS trust objects from stapled certificate extensions * Add further attribute debugging for NSS trust objects * Use a custom certificate extension for the OpenSSL reject purpose data * Use SubjectKeyIdentifier for OpenSSL keyid data * Use ExtendedKeyUsage for OpenSSL trust purpose data * Implement simple way to handle binary DER OIDs, using the DER TLV length. DER OIDs are used in the CKA_OBJECT_ID value, and elsewhere. * Split out the building of NSS trust objects from the main parser
* Better debugging and checks for attribute valuesStef Walter2013-02-054-86/+124
|
* Add tool for testing how fast the token loadsStef Walter2013-02-052-0/+65
|
* Some debug info about which files are being loadedStef Walter2013-02-051-2/+15
|
* Test a TRUSTED CERTIFICATE without any trust OIDsStef Walter2013-02-052-0/+38
|
* Add the builtin roots NSS specific objectStef Walter2013-02-053-4/+57
| | | | This tells NSS that this is a source of anchors.
* Add support for openssl TRUSTED CERTIFICATE PEM filesStef Walter2013-02-053-40/+299
|
* Add support for parsing PEM filesStef Walter2013-02-054-1/+108
|
* Add basic trust moduleStef Walter2013-02-0527-0/+4724
This is based off the roots-store from gnome-keyring and loads certificates from a root directory and exposes them as PKCS#11 objects.