From 57697eda68a3343c2e54e5f8f3f4ce65a99383f5 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Wed, 31 Jan 2018 14:07:51 +0100
Subject: trust: Filter out duplicate extensions
The trust policy module keeps all the objects in the database, while PKIX doesn't allow multiple extensions identified by the same OID can be attached to a certificate. Add a check to C_FindObjects to exclude any duplicates and only return the first matching object. It would be better if the module rejects such duplicates when loading, but it would make startup slower.
https://bugzilla.redhat.com/show_bug.cgi?id=1141241
---
 trust/input/extensions.p11-kit | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 trust/input/extensions.p11-kit
(limited to 'trust/input/extensions.p11-kit')
diff --git a/trust/input/extensions.p11-kit b/trust/input/extensions.p11-kit
new file mode 100644
index 0000000..7a2fdb0
--- /dev/null
+++ b/trust/input/extensions.p11-kit
@@ -0,0 +1,23 @@
+[p11-kit-object-v1]
+class: x-certificate-extension
+label: "Example CA restriction for example.com and corp.example.com"
+object-id: 2.5.29.30
+value: "%30%2e%06%03%55%1d%1e%04%27%30%25%a0%23%30%0d%82%0b%65%78%61%6d%70%6c%65%2e%63%6f%6d%30%12%82%10%63%6f%72%70%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d"
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRtTajie6qgC9T/RJ1PvN6ntav
++rwcYBBLJoETGlnj/kVsOAQ5J0ZX/dW8jYoQtjvUCoFaRS/sPoHw2U5Pl99LMg8I
+sSaivWlhXWY5Yy8QcDX7B4UK/1cSwfSDHfnG06S2cCuAoUB/SE7ZreuAzM+SwdGD
+ZAEjR469MZgFa2t8NwIDAQAB
+-----END PUBLIC KEY-----
+
+[p11-kit-object-v1]
+class: x-certificate-extension
+label: "Example CA restriction for example.com and corp.example.org"
+object-id: 2.5.29.30
+value: "%30%2e%06%03%55%1d%1e%04%27%30%25%a0%23%30%0d%82%0b%65%78%61%6d%70%6c%65%2e%63%6f%6d%30%12%82%10%63%6f%72%70%2e%65%78%61%6d%70%6c%65%2e%6f%72%67"
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRtTajie6qgC9T/RJ1PvN6ntav
++rwcYBBLJoETGlnj/kVsOAQ5J0ZX/dW8jYoQtjvUCoFaRS/sPoHw2U5Pl99LMg8I
+sSaivWlhXWY5Yy8QcDX7B4UK/1cSwfSDHfnG06S2cCuAoUB/SE7ZreuAzM+SwdGD
+ZAEjR469MZgFa2t8NwIDAQAB
+-----END PUBLIC KEY-----
-- cgit v1.1
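Review bot: The fixture does not record that its two objects intentionally share `object-id: 2.5.29.30` and the same public key, nor which of them C_FindObjects is expected to hand back, so a reader cannot tell the deliberate duplicate from a copy-paste error and a later reorder of the two stanzas would silently flip the expected result. If the persist format accepts `#` comment lines (to be confirmed against the parser), a header such as `# Deliberate duplicate: two nameConstraints (2.5.29.30) extensions for one key; lookup must return only the first (corp.example.com) stanza` would pin the intent, otherwise that expectation belongs in the test that loads this file. The two stanzas differ only in the label and in the last three octets of `value:` (`%63%6f%6d` "com" vs `%6f%72%67` "org"), which is worth naming explicitly since it is the only way the test can tell which object was returned. Note also that the encoded Extension in both `value:` fields goes straight from the OID (`%06%03%55%1d%1e`) to the OCTET STRING (`%04%27`) with no critical BOOLEAN; harmless for a lookup test, but if the fixture is ever reused to exercise constraint enforcement, RFC 5280 requires nameConstraints to be marked critical.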