From 18bb2582c32f4373f7ed85894fb490f2733cb03b Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Wed, 2 Jan 2013 16:06:19 +0100 Subject: Implement stapled certificate extensions internally * Use stapled certificate extensions to represent loaded trust policy * Build NSS trust objects from stapled certificate extensions * Add further attribute debugging for NSS trust objects * Use a custom certificate extension for the OpenSSL reject purpose data * Use SubjectKeyIdentifier for OpenSSL keyid data * Use ExtendedKeyUsage for OpenSSL trust purpose data * Implement simple way to handle binary DER OIDs, using the DER TLV length. DER OIDs are used in the CKA_OBJECT_ID value, and elsewhere. * Split out the building of NSS trust objects from the main parser --- common/Makefile.am | 1 + common/compat.c | 2 +- common/compat.h | 2 +- common/oid.c | 100 +++++++++++++++++++++++ common/oid.h | 209 +++++++++++++++++++++++++++++++++++++++++++++++ common/tests/Makefile.am | 2 + common/tests/frob-ku.c | 28 ++----- common/tests/frob-oid.c | 100 +++++++++++++++++++++++ common/tests/test-oid.c | 133 ++++++++++++++++++++++++++++++ 9 files changed, 556 insertions(+), 21 deletions(-) create mode 100644 common/oid.c create mode 100644 common/oid.h create mode 100644 common/tests/frob-oid.c create mode 100644 common/tests/test-oid.c (limited to 'common') diff --git a/common/Makefile.am b/common/Makefile.am index d527e95..bed4630 100644 --- a/common/Makefile.am +++ b/common/Makefile.am @@ -41,6 +41,7 @@ noinst_LTLIBRARIES += \ libp11_data_la_SOURCES = \ base64.c base64.h \ checksum.c checksum.h \ + oid.c oid.h \ openssl.asn openssl.asn.h \ pem.c pem.h \ pkix.asn pkix.asn.h \ diff --git a/common/compat.c b/common/compat.c index 74fb130..b917cfa 100644 --- a/common/compat.c +++ b/common/compat.c @@ -255,7 +255,7 @@ strnstr (const char *s, #ifndef HAVE_MEMDUP void * -memdup (void *data, +memdup (const void *data, size_t length) { void *dup; diff --git a/common/compat.h b/common/compat.h index 68786a7..7f848d2 100644 --- a/common/compat.h +++ b/common/compat.h @@ -183,7 +183,7 @@ char * strnstr (const char *s, #ifndef HAVE_MEMDUP -void * memdup (void *data, +void * memdup (const void *data, size_t length); #endif /* HAVE_MEMDUP */ diff --git a/common/oid.c b/common/oid.c new file mode 100644 index 0000000..0c876ec --- /dev/null +++ b/common/oid.c @@ -0,0 +1,100 @@ +/* + * Copyright (C) 2012 Red Hat Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above + * copyright notice, this list of conditions and the + * following disclaimer. + * * Redistributions in binary form must reproduce the + * above copyright notice, this list of conditions and + * the following disclaimer in the documentation and/or + * other materials provided with the distribution. + * * The names of contributors to this software may not be + * used to endorse or promote products derived from this + * software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + * + * Author: Stef Walter + */ + +#include "config.h" + +#include "oid.h" + +#include +#include +#include + +/* + * We deal with OIDs a lot in their DER form. These have the + * advantage of having the length encoded in their second byte, + * at least for all the OIDs we're interested in. + * + * The goal here is to avoid carrying around extra length + * information about DER encoded OIDs. + */ + +bool +p11_oid_simple (const unsigned char *oid, + int len) +{ + return (oid != NULL && + len > 3 && /* minimum length */ + oid[0] == 0x06 && /* simple encoding */ + (oid[1] & 128) == 0 && /* short form length */ + (size_t)oid[1] == len - 2); /* matches length */ +} + +unsigned int +p11_oid_hash (const void *oid) +{ + const unsigned char *v = oid; + unsigned int hash; + int len; + int i; + + len = p11_oid_length (v); + hash = v[0]; + + for (i = 1; i < len; i++) + hash = (hash << 5) - hash + v[i]; + + return hash; +} + +bool +p11_oid_equal (const void *oid_one, + const void *oid_two) +{ + int len_one; + int len_two; + + len_one = p11_oid_length (oid_one); + len_two = p11_oid_length (oid_two); + + return (len_one == len_two && + memcmp (oid_one, oid_two, len_one) == 0); +} + +int +p11_oid_length (const unsigned char *oid) +{ + assert (oid[0] == 0x06); + assert ((oid[1] & 128) == 0); + return (int)oid[1] + 2; +} diff --git a/common/oid.h b/common/oid.h new file mode 100644 index 0000000..b0c8538 --- /dev/null +++ b/common/oid.h @@ -0,0 +1,209 @@ +/* + * Copyright (C) 2012 Red Hat Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above + * copyright notice, this list of conditions and the + * following disclaimer. + * * Redistributions in binary form must reproduce the + * above copyright notice, this list of conditions and + * the following disclaimer in the documentation and/or + * other materials provided with the distribution. + * * The names of contributors to this software may not be + * used to endorse or promote products derived from this + * software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + * + * Author: Stef Walter + */ + +#ifndef P11_OIDS_H_ +#define P11_OIDS_H_ + +#include "compat.h" + +bool p11_oid_simple (const unsigned char *oid, + int len); + +unsigned int p11_oid_hash (const void *oid); + +bool p11_oid_equal (const void *oid_one, + const void *oid_two); + +int p11_oid_length (const unsigned char *oid); + +/* + * Our support of certificate extensions and so on is not limited to what is + * listed here. This is simply the OIDs used by the parsing code that generates + * backwards compatible PKCS#11 objects for NSS and the like. + */ + +/* + * 2.5.29.14: SubjectKeyIdentifier + */ +static const unsigned char P11_OID_SUBJECT_KEY_IDENTIFIER[] = + { 0x06, 0x03, 0x55, 0x1d, 0x0e }; + +/* + * 2.5.29.15: KeyUsage + * + * Defined in RFC 5280 + */ +static const unsigned char P11_OID_KEY_USAGE[] = + { 0x06, 0x03, 0x55, 0x1d, 0x0f }; + +enum { + P11_KU_DIGITAL_SIGNATURE = 128, + P11_KU_NON_REPUDIATION = 64, + P11_KU_KEY_ENCIPHERMENT = 32, + P11_KU_DATA_ENCIPHERMENT = 16, + P11_KU_KEY_AGREEMENT = 8, + P11_KU_KEY_CERT_SIGN = 4, + P11_KU_CRL_SIGN = 2, + P11_KU_ENCIPHER_ONLY = 1, + P11_KU_DECIPHER_ONLY = 32768, +}; + +/* + * 2.5.29.19: BasicConstraints + * + * Defined in RFC 5280 + */ +static const unsigned char P11_OID_BASIC_CONSTRAINTS[] = + { 0x06, 0x03, 0x55, 0x1d, 0x13 }; + + +/* + * 2.5.29.37: ExtendedKeyUsage + * + * Defined in RFC 5280 + */ +static const unsigned char P11_OID_EXTENDED_KEY_USAGE[] = + { 0x06, 0x03, 0x55, 0x1d, 0x25 }; + +/* + * 1.3.6.1.4.1.3319.6.10.1: OpenSSL reject extension + * + * An internally defined certificate extension. + * + * OpenSSL contains a list of OID extended key usages to reject. + * The normal X.509 model is to only *include* the extended key + * usages that are to be allowed (ie: a whitelist). It's not clear + * exactly how valid and useful the reject per extended key usage + * model is. In fact, it appears that openssl does not use this + * information. + * + * However in order to parse openssl trust policy information and + * be able to write it back out in the same way, we define a custom + * certificate extension to store it. + * + * It is not expected (or supported) for others outside of p11-kit + * to read this information at this point. + * + * This extension is never marked critical. It is not necessary to + * respect information in this certificate extension given that the + * ExtendedKeyUsage extension carries the same information as a + * whitelist. + */ +static const unsigned char P11_OID_OPENSSL_REJECT[] = + { 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x99, 0x77, 0x06, 0x0a, 0x01 }; + +/* + * 1.3.6.1.5.5.7.3.1: Server Auth + * + * Defined in RFC 5280 + */ +static const unsigned char P11_OID_SERVER_AUTH[] = + { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01 }; + +/* + * 1.3.6.1.5.5.7.3.2: Client Auth + * + * Defined in RFC 5280 + */ +static const unsigned char P11_OID_CLIENT_AUTH[] = + { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02 }; + +/* + * 1.3.6.1.5.5.7.3.3: Code Signing + * + * Defined in RFC 5280 + */ +static const unsigned char P11_OID_CODE_SIGNING[] = + { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03 }; + +/* + * 1.3.6.1.5.5.7.3.4: Email Protection + * + * Defined in RFC 5280 + */ +static const unsigned char P11_OID_EMAIL_PROTECTION[] = + { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04 }; + +/* + * 1.3.6.1.5.5.7.3.5: IPSec End System + * + * Defined in RFC 2459 + */ +static const unsigned char P11_OID_IPSEC_END_SYSTEM[] = + { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x05 }; + +/* + * 1.3.6.1.5.5.7.3.6: IPSec Tunnel + * + * Defined in RFC 2459 + */ +static const unsigned char P11_OID_IPSEC_TUNNEL[] = + { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x06 }; + +/* + * 1.3.6.1.5.5.7.3.7: IPSec User + * + * Defined in RFC 2459 + */ +static const unsigned char P11_OID_IPSEC_USER[] = + { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x07 }; + +/* + * 1.3.6.1.5.5.7.3.8: Time Stamping + * + * Defined in RFC 2459 + */ +static const unsigned char P11_OID_TIME_STAMPING[] = + { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x08 }; + +/* + * 1.3.6.1.4.1.3319.6.10.16: Reserved key purpose + * + * An internally defined reserved/dummy key purpose + * + * This is used with ExtendedKeyUsage certificate extensions to + * be a place holder when no other purposes are defined. + * + * In theory such a certificate should be blacklisted. But in reality + * OpenSSL supports such empty sets of purposes. RFC 5280 requires at + * least one purpose in an ExtendedKeyUsage. + * + * This purpose should never be used or checked. + */ +static const unsigned char P11_OID_RESERVED_PURPOSE[] = + { 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x99, 0x77, 0x06, 0x0a, 0x10 }; +static const char P11_OID_RESERVED_PURPOSE_STR[] = + "1.3.6.1.4.1.3319.6.10.16"; + +#endif diff --git a/common/tests/Makefile.am b/common/tests/Makefile.am index ac2ab38..94c6556 100644 --- a/common/tests/Makefile.am +++ b/common/tests/Makefile.am @@ -36,12 +36,14 @@ LDADD += \ CHECK_PROGS += \ test-checksum \ test-pem \ + test-oid \ $(NULL) noinst_PROGRAMS += \ frob-ku \ frob-eku \ frob-cert \ + frob-oid \ $(NULL) endif # WITH_ASN1 diff --git a/common/tests/frob-ku.c b/common/tests/frob-ku.c index c0abd88..00d45c6 100644 --- a/common/tests/frob-ku.c +++ b/common/tests/frob-ku.c @@ -35,6 +35,8 @@ #include "config.h" #include "compat.h" +#include "oid.h" + #include #include @@ -50,18 +52,6 @@ exit (1); \ } } while (0) -enum { - KU_DIGITAL_SIGNATURE = 128, - KU_NON_REPUDIATION = 64, - KU_KEY_ENCIPHERMENT = 32, - KU_DATA_ENCIPHERMENT = 16, - KU_KEY_AGREEMENT = 8, - KU_KEY_CERT_SIGN = 4, - KU_CRL_SIGN = 2, - KU_ENCIPHER_ONLY = 1, - KU_DECIPHER_ONLY = 32768, -}; - int main (int argc, char *argv[]) @@ -78,19 +68,19 @@ main (int argc, for (i = 1; i < argc; i++) { if (strcmp (argv[i], "digital-signature") == 0) - usage |= KU_DIGITAL_SIGNATURE; + usage |= P11_KU_DIGITAL_SIGNATURE; else if (strcmp (argv[i], "non-repudiation") == 0) - usage |= KU_NON_REPUDIATION; + usage |= P11_KU_NON_REPUDIATION; else if (strcmp (argv[i], "key-encipherment") == 0) - usage |= KU_KEY_ENCIPHERMENT; + usage |= P11_KU_KEY_ENCIPHERMENT; else if (strcmp (argv[i], "data-encipherment") == 0) - usage |= KU_DATA_ENCIPHERMENT; + usage |= P11_KU_DATA_ENCIPHERMENT; else if (strcmp (argv[i], "key-agreement") == 0) - usage |= KU_KEY_AGREEMENT; + usage |= P11_KU_KEY_AGREEMENT; else if (strcmp (argv[i], "key-cert-sign") == 0) - usage |= KU_KEY_CERT_SIGN; + usage |= P11_KU_KEY_CERT_SIGN; else if (strcmp (argv[i], "crl-sign") == 0) - usage |= KU_CRL_SIGN; + usage |= P11_KU_CRL_SIGN; else { fprintf (stderr, "unsupported or unknown key usage: %s\n", argv[i]); return 2; diff --git a/common/tests/frob-oid.c b/common/tests/frob-oid.c new file mode 100644 index 0000000..b4c7658 --- /dev/null +++ b/common/tests/frob-oid.c @@ -0,0 +1,100 @@ +/* + * Copyright (c) 2012 Red Hat Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above + * copyright notice, this list of conditions and the + * following disclaimer. + * * Redistributions in binary form must reproduce the + * above copyright notice, this list of conditions and + * the following disclaimer in the documentation and/or + * other materials provided with the distribution. + * * The names of contributors to this software may not be + * used to endorse or promote products derived from this + * software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + * + * Author: Stef Walter + */ + +#include "config.h" +#include "compat.h" + +#include + +#include +#include +#include +#include + +#include "pkix.asn.h" + +#define err_if_fail(ret, msg) \ + do { if ((ret) != ASN1_SUCCESS) { \ + fprintf (stderr, "%s: %s\n", msg, asn1_strerror (ret)); \ + exit (1); \ + } } while (0) +int +main (int argc, + char *argv[]) +{ + char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = { 0, }; + node_asn *definitions = NULL; + node_asn *oid = NULL; + char *buf; + int len; + int ret; + + if (argc != 2) { + fprintf (stderr, "usage: frob-oid 1.1.1\n"); + return 2; + } + + ret = asn1_array2tree (pkix_asn1_tab, &definitions, message); + if (ret != ASN1_SUCCESS) { + fprintf (stderr, "definitions: %s\n", message); + return 1; + } + + /* AttributeType is a OBJECT IDENTIFIER */ + ret = asn1_create_element (definitions, "PKIX1.AttributeType", &oid); + err_if_fail (ret, "AttributeType"); + + ret = asn1_write_value (oid, "", argv[1], strlen (argv[1])); + err_if_fail (ret, "asn1_write_value"); + + len = 0; + ret = asn1_der_coding (oid, "", NULL, &len, message); + assert (ret == ASN1_MEM_ERROR); + + buf = malloc (len); + assert (buf != NULL); + ret = asn1_der_coding (oid, "", buf, &len, message); + if (ret != ASN1_SUCCESS) { + fprintf (stderr, "asn1_der_coding: %s\n", message); + return 1; + } + + fwrite (buf, 1, len, stdout); + fflush (stdout); + + asn1_delete_structure (&oid); + asn1_delete_structure (&definitions); + + return 0; +} diff --git a/common/tests/test-oid.c b/common/tests/test-oid.c new file mode 100644 index 0000000..616512b --- /dev/null +++ b/common/tests/test-oid.c @@ -0,0 +1,133 @@ +/* + * Copyright (c) 2012 Red Hat Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above + * copyright notice, this list of conditions and the + * following disclaimer. + * * Redistributions in binary form must reproduce the + * above copyright notice, this list of conditions and + * the following disclaimer in the documentation and/or + * other materials provided with the distribution. + * * The names of contributors to this software may not be + * used to endorse or promote products derived from this + * software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + * + * Author: Stef Walter + */ + +#include "config.h" +#include "CuTest.h" + +#include +#include +#include + +#include "debug.h" +#include "oid.h" + +#include + +#include "pkix.asn.h" + +static void +test_known_oids (CuTest *cu) +{ + char buffer[128]; + node_asn *definitions = NULL; + node_asn *node; + int ret; + int len; + int i; + + struct { + const unsigned char *oid; + size_t length; + const char *string; + } known_oids[] = { + { P11_OID_SUBJECT_KEY_IDENTIFIER, sizeof (P11_OID_SUBJECT_KEY_IDENTIFIER), "2.5.29.14", }, + { P11_OID_KEY_USAGE, sizeof (P11_OID_KEY_USAGE), "2.5.29.15", }, + { P11_OID_BASIC_CONSTRAINTS, sizeof (P11_OID_BASIC_CONSTRAINTS), "2.5.29.19" }, + { P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE), "2.5.29.37" }, + { P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT), "1.3.6.1.4.1.3319.6.10.1" }, + { P11_OID_SERVER_AUTH, sizeof (P11_OID_SERVER_AUTH), "1.3.6.1.5.5.7.3.1", }, + { P11_OID_CLIENT_AUTH, sizeof (P11_OID_CLIENT_AUTH), "1.3.6.1.5.5.7.3.2", }, + { P11_OID_CODE_SIGNING, sizeof (P11_OID_CODE_SIGNING), "1.3.6.1.5.5.7.3.3", }, + { P11_OID_EMAIL_PROTECTION, sizeof (P11_OID_EMAIL_PROTECTION), "1.3.6.1.5.5.7.3.4", }, + { P11_OID_IPSEC_END_SYSTEM, sizeof (P11_OID_IPSEC_END_SYSTEM), "1.3.6.1.5.5.7.3.5", }, + { P11_OID_IPSEC_TUNNEL, sizeof (P11_OID_IPSEC_TUNNEL), "1.3.6.1.5.5.7.3.6", }, + { P11_OID_IPSEC_USER, sizeof (P11_OID_IPSEC_USER), "1.3.6.1.5.5.7.3.7" }, + { P11_OID_TIME_STAMPING, sizeof (P11_OID_TIME_STAMPING), "1.3.6.1.5.5.7.3.8" }, + { P11_OID_RESERVED_PURPOSE, sizeof (P11_OID_RESERVED_PURPOSE), "1.3.6.1.4.1.3319.6.10.16" }, + { NULL }, + }; + + ret = asn1_array2tree (pkix_asn1_tab, &definitions, NULL); + CuAssertTrue (cu, ret == ASN1_SUCCESS); + + for (i = 0; known_oids[i].oid != NULL; i++) { + + CuAssertTrue (cu, p11_oid_simple (known_oids[i].oid, known_oids[i].length)); + CuAssertIntEquals (cu, known_oids[i].length, p11_oid_length (known_oids[i].oid)); + CuAssertTrue (cu, p11_oid_equal (known_oids[i].oid, known_oids[i].oid)); + + if (i > 0) + CuAssertTrue (cu, !p11_oid_equal (known_oids[i].oid, known_oids[i - 1].oid)); + + /* AttributeType is a OBJECT IDENTIFIER */ + ret = asn1_create_element (definitions, "PKIX1.AttributeType", &node); + CuAssertTrue (cu, ret == ASN1_SUCCESS); + + ret = asn1_der_decoding (&node, known_oids[i].oid, known_oids[i].length, NULL); + CuAssertTrue (cu, ret == ASN1_SUCCESS); + + len = sizeof (buffer); + ret = asn1_read_value (node, "", buffer, &len); + CuAssertTrue (cu, ret == ASN1_SUCCESS); + + CuAssertStrEquals (cu, known_oids[i].string, buffer); + + asn1_delete_structure (&node); + } + + asn1_delete_structure (&definitions); +} + +int +main (void) +{ + CuString *output = CuStringNew (); + CuSuite* suite = CuSuiteNew (); + int ret; + + setenv ("P11_KIT_STRICT", "1", 1); + p11_debug_init (); + + SUITE_ADD_TEST (suite, test_known_oids); + + CuSuiteRun (suite); + CuSuiteSummary (suite, output); + CuSuiteDetails (suite, output); + printf ("%s\n", output->buffer); + ret = suite->failCount; + CuSuiteDelete (suite); + CuStringDelete (output); + + return ret; +} -- cgit v1.1