From 18bb2582c32f4373f7ed85894fb490f2733cb03b Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Wed, 2 Jan 2013 16:06:19 +0100 Subject: Implement stapled certificate extensions internally * Use stapled certificate extensions to represent loaded trust policy * Build NSS trust objects from stapled certificate extensions * Add further attribute debugging for NSS trust objects * Use a custom certificate extension for the OpenSSL reject purpose data * Use SubjectKeyIdentifier for OpenSSL keyid data * Use ExtendedKeyUsage for OpenSSL trust purpose data * Implement simple way to handle binary DER OIDs, using the DER TLV length. DER OIDs are used in the CKA_OBJECT_ID value, and elsewhere. * Split out the building of NSS trust objects from the main parser --- common/tests/Makefile.am | 2 + common/tests/frob-ku.c | 28 ++++------ common/tests/frob-oid.c | 100 +++++++++++++++++++++++++++++++++++ common/tests/test-oid.c | 133 +++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 244 insertions(+), 19 deletions(-) create mode 100644 common/tests/frob-oid.c create mode 100644 common/tests/test-oid.c (limited to 'common/tests') diff --git a/common/tests/Makefile.am b/common/tests/Makefile.am index ac2ab38..94c6556 100644 --- a/common/tests/Makefile.am +++ b/common/tests/Makefile.am @@ -36,12 +36,14 @@ LDADD += \ CHECK_PROGS += \ test-checksum \ test-pem \ + test-oid \ $(NULL) noinst_PROGRAMS += \ frob-ku \ frob-eku \ frob-cert \ + frob-oid \ $(NULL) endif # WITH_ASN1 diff --git a/common/tests/frob-ku.c b/common/tests/frob-ku.c index c0abd88..00d45c6 100644 --- a/common/tests/frob-ku.c +++ b/common/tests/frob-ku.c @@ -35,6 +35,8 @@ #include "config.h" #include "compat.h" +#include "oid.h" + #include #include @@ -50,18 +52,6 @@ exit (1); \ } } while (0) -enum { - KU_DIGITAL_SIGNATURE = 128, - KU_NON_REPUDIATION = 64, - KU_KEY_ENCIPHERMENT = 32, - KU_DATA_ENCIPHERMENT = 16, - KU_KEY_AGREEMENT = 8, - KU_KEY_CERT_SIGN = 4, - KU_CRL_SIGN = 2, - KU_ENCIPHER_ONLY = 1, - KU_DECIPHER_ONLY = 32768, -}; - int main (int argc, char *argv[]) @@ -78,19 +68,19 @@ main (int argc, for (i = 1; i < argc; i++) { if (strcmp (argv[i], "digital-signature") == 0) - usage |= KU_DIGITAL_SIGNATURE; + usage |= P11_KU_DIGITAL_SIGNATURE; else if (strcmp (argv[i], "non-repudiation") == 0) - usage |= KU_NON_REPUDIATION; + usage |= P11_KU_NON_REPUDIATION; else if (strcmp (argv[i], "key-encipherment") == 0) - usage |= KU_KEY_ENCIPHERMENT; + usage |= P11_KU_KEY_ENCIPHERMENT; else if (strcmp (argv[i], "data-encipherment") == 0) - usage |= KU_DATA_ENCIPHERMENT; + usage |= P11_KU_DATA_ENCIPHERMENT; else if (strcmp (argv[i], "key-agreement") == 0) - usage |= KU_KEY_AGREEMENT; + usage |= P11_KU_KEY_AGREEMENT; else if (strcmp (argv[i], "key-cert-sign") == 0) - usage |= KU_KEY_CERT_SIGN; + usage |= P11_KU_KEY_CERT_SIGN; else if (strcmp (argv[i], "crl-sign") == 0) - usage |= KU_CRL_SIGN; + usage |= P11_KU_CRL_SIGN; else { fprintf (stderr, "unsupported or unknown key usage: %s\n", argv[i]); return 2; diff --git a/common/tests/frob-oid.c b/common/tests/frob-oid.c new file mode 100644 index 0000000..b4c7658 --- /dev/null +++ b/common/tests/frob-oid.c @@ -0,0 +1,100 @@ +/* + * Copyright (c) 2012 Red Hat Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above + * copyright notice, this list of conditions and the + * following disclaimer. + * * Redistributions in binary form must reproduce the + * above copyright notice, this list of conditions and + * the following disclaimer in the documentation and/or + * other materials provided with the distribution. + * * The names of contributors to this software may not be + * used to endorse or promote products derived from this + * software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + * + * Author: Stef Walter + */ + +#include "config.h" +#include "compat.h" + +#include + +#include +#include +#include +#include + +#include "pkix.asn.h" + +#define err_if_fail(ret, msg) \ + do { if ((ret) != ASN1_SUCCESS) { \ + fprintf (stderr, "%s: %s\n", msg, asn1_strerror (ret)); \ + exit (1); \ + } } while (0) +int +main (int argc, + char *argv[]) +{ + char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = { 0, }; + node_asn *definitions = NULL; + node_asn *oid = NULL; + char *buf; + int len; + int ret; + + if (argc != 2) { + fprintf (stderr, "usage: frob-oid 1.1.1\n"); + return 2; + } + + ret = asn1_array2tree (pkix_asn1_tab, &definitions, message); + if (ret != ASN1_SUCCESS) { + fprintf (stderr, "definitions: %s\n", message); + return 1; + } + + /* AttributeType is a OBJECT IDENTIFIER */ + ret = asn1_create_element (definitions, "PKIX1.AttributeType", &oid); + err_if_fail (ret, "AttributeType"); + + ret = asn1_write_value (oid, "", argv[1], strlen (argv[1])); + err_if_fail (ret, "asn1_write_value"); + + len = 0; + ret = asn1_der_coding (oid, "", NULL, &len, message); + assert (ret == ASN1_MEM_ERROR); + + buf = malloc (len); + assert (buf != NULL); + ret = asn1_der_coding (oid, "", buf, &len, message); + if (ret != ASN1_SUCCESS) { + fprintf (stderr, "asn1_der_coding: %s\n", message); + return 1; + } + + fwrite (buf, 1, len, stdout); + fflush (stdout); + + asn1_delete_structure (&oid); + asn1_delete_structure (&definitions); + + return 0; +} diff --git a/common/tests/test-oid.c b/common/tests/test-oid.c new file mode 100644 index 0000000..616512b --- /dev/null +++ b/common/tests/test-oid.c @@ -0,0 +1,133 @@ +/* + * Copyright (c) 2012 Red Hat Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above + * copyright notice, this list of conditions and the + * following disclaimer. + * * Redistributions in binary form must reproduce the + * above copyright notice, this list of conditions and + * the following disclaimer in the documentation and/or + * other materials provided with the distribution. + * * The names of contributors to this software may not be + * used to endorse or promote products derived from this + * software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + * + * Author: Stef Walter + */ + +#include "config.h" +#include "CuTest.h" + +#include +#include +#include + +#include "debug.h" +#include "oid.h" + +#include + +#include "pkix.asn.h" + +static void +test_known_oids (CuTest *cu) +{ + char buffer[128]; + node_asn *definitions = NULL; + node_asn *node; + int ret; + int len; + int i; + + struct { + const unsigned char *oid; + size_t length; + const char *string; + } known_oids[] = { + { P11_OID_SUBJECT_KEY_IDENTIFIER, sizeof (P11_OID_SUBJECT_KEY_IDENTIFIER), "2.5.29.14", }, + { P11_OID_KEY_USAGE, sizeof (P11_OID_KEY_USAGE), "2.5.29.15", }, + { P11_OID_BASIC_CONSTRAINTS, sizeof (P11_OID_BASIC_CONSTRAINTS), "2.5.29.19" }, + { P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE), "2.5.29.37" }, + { P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT), "1.3.6.1.4.1.3319.6.10.1" }, + { P11_OID_SERVER_AUTH, sizeof (P11_OID_SERVER_AUTH), "1.3.6.1.5.5.7.3.1", }, + { P11_OID_CLIENT_AUTH, sizeof (P11_OID_CLIENT_AUTH), "1.3.6.1.5.5.7.3.2", }, + { P11_OID_CODE_SIGNING, sizeof (P11_OID_CODE_SIGNING), "1.3.6.1.5.5.7.3.3", }, + { P11_OID_EMAIL_PROTECTION, sizeof (P11_OID_EMAIL_PROTECTION), "1.3.6.1.5.5.7.3.4", }, + { P11_OID_IPSEC_END_SYSTEM, sizeof (P11_OID_IPSEC_END_SYSTEM), "1.3.6.1.5.5.7.3.5", }, + { P11_OID_IPSEC_TUNNEL, sizeof (P11_OID_IPSEC_TUNNEL), "1.3.6.1.5.5.7.3.6", }, + { P11_OID_IPSEC_USER, sizeof (P11_OID_IPSEC_USER), "1.3.6.1.5.5.7.3.7" }, + { P11_OID_TIME_STAMPING, sizeof (P11_OID_TIME_STAMPING), "1.3.6.1.5.5.7.3.8" }, + { P11_OID_RESERVED_PURPOSE, sizeof (P11_OID_RESERVED_PURPOSE), "1.3.6.1.4.1.3319.6.10.16" }, + { NULL }, + }; + + ret = asn1_array2tree (pkix_asn1_tab, &definitions, NULL); + CuAssertTrue (cu, ret == ASN1_SUCCESS); + + for (i = 0; known_oids[i].oid != NULL; i++) { + + CuAssertTrue (cu, p11_oid_simple (known_oids[i].oid, known_oids[i].length)); + CuAssertIntEquals (cu, known_oids[i].length, p11_oid_length (known_oids[i].oid)); + CuAssertTrue (cu, p11_oid_equal (known_oids[i].oid, known_oids[i].oid)); + + if (i > 0) + CuAssertTrue (cu, !p11_oid_equal (known_oids[i].oid, known_oids[i - 1].oid)); + + /* AttributeType is a OBJECT IDENTIFIER */ + ret = asn1_create_element (definitions, "PKIX1.AttributeType", &node); + CuAssertTrue (cu, ret == ASN1_SUCCESS); + + ret = asn1_der_decoding (&node, known_oids[i].oid, known_oids[i].length, NULL); + CuAssertTrue (cu, ret == ASN1_SUCCESS); + + len = sizeof (buffer); + ret = asn1_read_value (node, "", buffer, &len); + CuAssertTrue (cu, ret == ASN1_SUCCESS); + + CuAssertStrEquals (cu, known_oids[i].string, buffer); + + asn1_delete_structure (&node); + } + + asn1_delete_structure (&definitions); +} + +int +main (void) +{ + CuString *output = CuStringNew (); + CuSuite* suite = CuSuiteNew (); + int ret; + + setenv ("P11_KIT_STRICT", "1", 1); + p11_debug_init (); + + SUITE_ADD_TEST (suite, test_known_oids); + + CuSuiteRun (suite); + CuSuiteSummary (suite, output); + CuSuiteDetails (suite, output); + printf ("%s\n", output->buffer); + ret = suite->failCount; + CuSuiteDelete (suite); + CuStringDelete (output); + + return ret; +} -- cgit v1.1