diff options
| author | Stef Walter <stef@thewalter.net> | 2013-07-04 15:48:38 +0200 |
|---|---|---|
| committer | Stef Walter <stef@thewalter.net> | 2013-07-04 15:48:38 +0200 |
| commit | 7d4941715b5afc2ef8ea18716990d28965737c70 (patch) | |
| tree | 65b860118fbcf084b855e3e8d78c818b6b8fe765 | |
| parent | 2be55821c1ffab99b91c76c43c91dd95db1c21c7 (diff) | |
trust: Port to use CKA_PUBLIC_KEY_INFO and updated trust store spec
* Use the concepts and PKCS#11 objects described in the
recently updated (still work in progress) storing trust spec.
* Define our own CKA_X_PUBLIC_KEY_INFO define for now, since the
the CKA_PUBLIC_KEY_INFO isn't defined yet.
* Most notably, the association between certificates and stapled
extensions is by public key.
* Rework some of the tests to take into account the above.
| -rw-r--r-- | build/certs/Makefile.am | 19 | ||||
| -rw-r--r-- | common/attrs.c | 1 | ||||
| -rw-r--r-- | common/constants.c | 1 | ||||
| -rw-r--r-- | common/pkcs11x.h | 1 | ||||
| -rw-r--r-- | trust/builder.c | 118 | ||||
| -rw-r--r-- | trust/extract-info.c | 112 | ||||
| -rw-r--r-- | trust/extract-openssl.c | 37 | ||||
| -rw-r--r-- | trust/parser.c | 109 | ||||
| -rw-r--r-- | trust/tests/Makefile.am | 1 | ||||
| -rw-r--r-- | trust/tests/files/multiple.pem (renamed from trust/tests/files/cacert3-trusted-multiple.pem) | 53 | ||||
| -rw-r--r-- | trust/tests/files/verisign-v1.pem | 15 | ||||
| -rw-r--r-- | trust/tests/frob-eku.c | 1 | ||||
| -rw-r--r-- | trust/tests/frob-ext.c | 118 | ||||
| -rw-r--r-- | trust/tests/test-builder.c | 59 | ||||
| -rw-r--r-- | trust/tests/test-extract.c | 7 | ||||
| -rw-r--r-- | trust/tests/test-openssl.c | 33 | ||||
| -rw-r--r-- | trust/tests/test-parser.c | 30 | ||||
| -rw-r--r-- | trust/tests/test-trust.h | 62 |
18 files changed, 561 insertions, 216 deletions
diff --git a/build/certs/Makefile.am b/build/certs/Makefile.am index 4231591..031cba0 100644 --- a/build/certs/Makefile.am +++ b/build/certs/Makefile.am @@ -4,27 +4,28 @@ # distributed in the tarballs TRUST = $(top_srcdir)/trust/tests -TOOLS = $(top_srcdir)/tools/tests prepare-certs: cp -v cacert3.der $(TRUST)/input/anchors cp -v cacert3.der $(TRUST)/files - cp -v cacert3.der $(TOOLS)/files + cp -v cacert3.der $(TRUST)/files + openssl x509 -in cacert3.der -inform DER -out $(TRUST)/files/cacert3.pem openssl x509 -in cacert3.der -inform DER -out $(TRUST)/files/cacert3.pem - openssl x509 -in cacert3.der -inform DER -out $(TOOLS)/files/cacert3.pem - cat $(TOOLS)/files/cacert3.pem $(TOOLS)/files/cacert3.pem > $(TOOLS)/files/cacert3-twice.pem + cat $(TRUST)/files/cacert3.pem $(TRUST)/files/cacert3.pem > $(TRUST)/files/cacert3-twice.pem openssl x509 -in cacert3.der -inform DER -out $(TRUST)/files/cacert3-trusted.pem \ -addtrust serverAuth -addreject emailProtection \ -setalias "Custom Label" - cp $(TRUST)/files/cacert3-trusted.pem $(TOOLS)/files/cacert3-trusted-server-alias.pem - openssl x509 -in cacert3.der -inform DER -out $(TOOLS)/files/cacert3-trusted-alias.pem \ + cp $(TRUST)/files/cacert3-trusted.pem $(TRUST)/files/cacert3-trusted-server-alias.pem + openssl x509 -in cacert3.der -inform DER -out $(TRUST)/files/cacert3-trusted-alias.pem \ -setalias "Custom Label" - openssl x509 -in cacert3.der -inform DER -out $(TOOLS)/files/cacert3-distrust-all.pem \ + openssl x509 -in cacert3.der -inform DER -out $(TRUST)/files/cacert3-distrust-all.pem \ -addreject serverAuth -addreject clientAuth -addreject codeSigning \ -addreject emailProtection -addreject ipsecEndSystem -addreject ipsecTunnel \ -addreject ipsecUser -addreject timeStamping - cat $(TOOLS)/files/cacert3-trusted-server-alias.pem \ - $(TOOLS)/files/cacert3-trusted-alias.pem > $(TOOLS)/files/cacert3-trusted-multiple.pem + openssl x509 -in verisign-v1.der -inform DER -out $(TRUST)/files/verisign-v1.pem \ + -setalias "Custom Label" + cat $(TRUST)/files/cacert3-trusted-server-alias.pem \ + $(TRUST)/files/verisign-v1.pem > $(TRUST)/files/multiple.pem cp -v cacert-ca.der $(TRUST)/input cp -v cacert-ca.der $(TRUST)/files openssl x509 -in redhat-newca.der -inform DER -out $(TRUST)/files/distrusted.pem \ diff --git a/common/attrs.c b/common/attrs.c index 88906f4..8054e38 100644 --- a/common/attrs.c +++ b/common/attrs.c @@ -657,6 +657,7 @@ attribute_is_sensitive (const CK_ATTRIBUTE *attr, X (CKA_X_PEER) X (CKA_X_DISTRUSTED) X (CKA_X_CRITICAL) + X (CKA_X_PUBLIC_KEY_INFO) X (CKA_NSS_URL) X (CKA_NSS_EMAIL) X (CKA_NSS_SMIME_INFO) diff --git a/common/constants.c b/common/constants.c index 3ff93bd..ca956d3 100644 --- a/common/constants.c +++ b/common/constants.c @@ -175,6 +175,7 @@ const p11_constant p11_constant_types[] = { CT (CKA_X_PEER, "x-peer") CT (CKA_X_DISTRUSTED, "x-distrusted") CT (CKA_X_CRITICAL, "x-critical") + CT (CKA_X_PUBLIC_KEY_INFO, "x-public-key-info") { CKA_INVALID }, }; diff --git a/common/pkcs11x.h b/common/pkcs11x.h index dfb2a6c..d1c52c3 100644 --- a/common/pkcs11x.h +++ b/common/pkcs11x.h @@ -146,6 +146,7 @@ typedef CK_ULONG CK_X_ASSERTION_TYPE; #define CKO_X_CERTIFICATE_EXTENSION (CKO_X_VENDOR + 200) #define CKA_X_DISTRUSTED (CKA_X_VENDOR + 100) #define CKA_X_CRITICAL (CKA_X_VENDOR + 101) +#define CKA_X_PUBLIC_KEY_INFO (CKA_X_VENDOR + 102) #endif /* CRYPTOKI_X_VENDOR_DEFINED */ diff --git a/trust/builder.c b/trust/builder.c index ddca4c6..106968c 100644 --- a/trust/builder.c +++ b/trust/builder.c @@ -107,37 +107,38 @@ static unsigned char * lookup_extension (p11_builder *builder, p11_index *index, CK_ATTRIBUTE *cert, + CK_ATTRIBUTE *public_key, const unsigned char *oid, size_t *ext_len) { CK_OBJECT_CLASS klass = CKO_X_CERTIFICATE_EXTENSION; CK_OBJECT_HANDLE obj; CK_ATTRIBUTE *attrs; - unsigned char *ext; void *value; size_t length; node_asn *node; CK_ATTRIBUTE match[] = { - { CKA_ID, }, + { CKA_X_PUBLIC_KEY_INFO, }, { CKA_OBJECT_ID, (void *)oid, p11_oid_length (oid) }, { CKA_CLASS, &klass, sizeof (klass) }, { CKA_INVALID }, }; - /* Look for a stapled certificate extension */ - match[0].pValue = p11_attrs_find_value (cert, CKA_ID, &length); - if (match[0].pValue != NULL) { - match[0].ulValueLen = length; + if (public_key == NULL) + public_key = p11_attrs_find_valid (cert, CKA_X_PUBLIC_KEY_INFO); + /* Look for a stapled certificate extension */ + if (public_key != NULL) { + memcpy (match, public_key, sizeof (CK_ATTRIBUTE)); obj = p11_index_find (index, match, -1); attrs = p11_index_lookup (index, obj); if (attrs != NULL) { - value = p11_attrs_find_value (attrs, CKA_VALUE, ext_len); + value = p11_attrs_find_value (attrs, CKA_VALUE, &length); if (value != NULL) { - ext = memdup (value, *ext_len); - return_val_if_fail (ext != NULL, NULL); - return ext; + node = decode_or_get_asn1 (builder, "PKIX1.Extension", value, length); + return_val_if_fail (node != NULL, NULL); + return p11_asn1_read (node, "extnValue", ext_len); } } } @@ -146,7 +147,7 @@ lookup_extension (p11_builder *builder, value = p11_attrs_find_value (cert, CKA_VALUE, &length); if (value != NULL) { node = decode_or_get_asn1 (builder, "PKIX1.Certificate", value, length); - return_val_if_fail (node != NULL, false); + return_val_if_fail (node != NULL, NULL); return p11_x509_find_extension (node, oid, value, length, ext_len); } @@ -156,19 +157,14 @@ lookup_extension (p11_builder *builder, static CK_OBJECT_HANDLE * lookup_related (p11_index *index, CK_OBJECT_CLASS klass, - CK_ATTRIBUTE *id) + CK_ATTRIBUTE *attr) { CK_ATTRIBUTE match[] = { - { CKA_ID, }, + { attr->type, attr->pValue, attr->ulValueLen }, { CKA_CLASS, &klass, sizeof (klass) }, { CKA_INVALID } }; - return_val_if_fail (id != NULL, NULL); - - match[0].pValue = id->pValue; - match[0].ulValueLen = id->ulValueLen; - return p11_index_find_all (index, match, -1); } @@ -312,10 +308,23 @@ static bool type_der_cert (p11_builder *builder, CK_ATTRIBUTE *attr) { - /* AttributeType is an OBJECT ID */ return check_der_struct (builder, "PKIX1.Certificate", attr); } +static bool +type_der_key (p11_builder *builder, + CK_ATTRIBUTE *attr) +{ + return check_der_struct (builder, "PKIX1.SubjectPublicKeyInfo", attr); +} + +static bool +type_der_ext (p11_builder *builder, + CK_ATTRIBUTE *attr) +{ + return check_der_struct (builder, "PKIX1.Extension", attr); +} + #define COMMON_ATTRS \ { CKA_CLASS, REQUIRE | CREATE, type_ulong }, \ { CKA_TOKEN, CREATE | WANT, type_bool }, \ @@ -539,6 +548,7 @@ static bool calc_certificate_category (p11_builder *builder, p11_index *index, CK_ATTRIBUTE *cert, + CK_ATTRIBUTE *public_key, CK_ULONG *category) { unsigned char *ext; @@ -555,7 +565,7 @@ calc_certificate_category (p11_builder *builder, */ /* See if we have a basic constraints extension */ - ext = lookup_extension (builder, index, cert, P11_OID_BASIC_CONSTRAINTS, &ext_len); + ext = lookup_extension (builder, index, cert, public_key, P11_OID_BASIC_CONSTRAINTS, &ext_len); if (ext != NULL) { ret = p11_x509_parse_basic_constraints (builder->asn1_defs, ext, ext_len, &is_ca); free (ext); @@ -589,7 +599,8 @@ static CK_ATTRIBUTE * certificate_value_attrs (CK_ATTRIBUTE *attrs, node_asn *node, const unsigned char *der, - size_t der_len) + size_t der_len, + CK_ATTRIBUTE *public_key) { unsigned char checksum[P11_HASH_SHA1_LEN]; CK_BBOOL falsev = CK_FALSE; @@ -626,6 +637,10 @@ certificate_value_attrs (CK_ATTRIBUTE *attrs, if (!calc_date (node, "tbsCertificate.validity.notAfter", &endv)) end_date.ulValueLen = 0; + if (calc_element (node, der, der_len, "tbsCertificate.subjectPublicKeyInfo", public_key)) + public_key->type = CKA_X_PUBLIC_KEY_INFO; + else + public_key->type = CKA_INVALID; calc_element (node, der, der_len, "tbsCertificate.issuer.rdnSequence", &issuer); if (!calc_element (node, der, der_len, "tbsCertificate.subject.rdnSequence", &subject)) subject.type = CKA_INVALID; @@ -657,7 +672,7 @@ certificate_value_attrs (CK_ATTRIBUTE *attrs, attrs = p11_attrs_build (attrs, &trusted, &distrusted, &url, &hash_of_issuer_public_key, &hash_of_subject_public_key, &java_midp_security_domain, &check_value, &start_date, &end_date, &id, - &subject, &issuer, &serial_number, &label, + &subject, &issuer, &serial_number, &label, public_key, NULL); return_val_if_fail (attrs != NULL, NULL); @@ -672,6 +687,7 @@ certificate_populate (p11_builder *builder, { CK_ULONG categoryv = 0UL; CK_ATTRIBUTE *attrs = NULL; + CK_ATTRIBUTE public_key; node_asn *node = NULL; unsigned char *der = NULL; size_t der_len = 0; @@ -686,10 +702,10 @@ certificate_populate (p11_builder *builder, if (der != NULL) node = decode_or_get_asn1 (builder, "PKIX1.Certificate", der, der_len); - attrs = certificate_value_attrs (attrs, node, der, der_len); + attrs = certificate_value_attrs (attrs, node, der, der_len, &public_key); return_val_if_fail (attrs != NULL, NULL); - if (!calc_certificate_category (builder, index, cert, &categoryv)) + if (!calc_certificate_category (builder, index, cert, &public_key, &categoryv)) categoryv = 0; return p11_attrs_build (attrs, &category, &empty_value, NULL); @@ -745,6 +761,7 @@ const static builder_schema certificate_schema = { { CKA_HASH_OF_SUBJECT_PUBLIC_KEY, CREATE }, { CKA_HASH_OF_ISSUER_PUBLIC_KEY, CREATE }, { CKA_JAVA_MIDP_SECURITY_DOMAIN, CREATE, type_ulong }, + { CKA_X_PUBLIC_KEY_INFO, CREATE | WANT, type_der_key }, { CKA_INVALID }, }, certificate_populate, certificate_validate, }; @@ -754,16 +771,27 @@ extension_populate (p11_builder *builder, p11_index *index, CK_ATTRIBUTE *extension) { + CK_ATTRIBUTE object_id = { CKA_OBJECT_ID }; CK_ATTRIBUTE *attrs = NULL; + void *der; + size_t len; + node_asn *asn; attrs = common_populate (builder, index, extension); return_val_if_fail (attrs != NULL, NULL); - if (!p11_attrs_find_valid (extension, CKA_X_CRITICAL)) { - CK_BBOOL falsev = CK_FALSE; - CK_ATTRIBUTE critical = { CKA_X_CRITICAL, &falsev, sizeof (falsev) }; - attrs = p11_attrs_build (attrs, &critical, NULL); - return_val_if_fail (attrs != NULL, NULL); + /* Pull the object id out of the extension if not present */ + if (!p11_attrs_find_valid (attrs, CKA_OBJECT_ID)) { + der = p11_attrs_find_value (extension, CKA_VALUE, &len); + return_val_if_fail (der != NULL, NULL); + + asn = decode_or_get_asn1 (builder, "PKIX1.Extension", der, len); + return_val_if_fail (asn != NULL, NULL); + + if (calc_element (asn, der, len, "extnID", &object_id)) { + attrs = p11_attrs_build (attrs, &object_id, NULL); + return_val_if_fail (attrs != NULL, NULL); + } } return attrs; @@ -772,10 +800,10 @@ extension_populate (p11_builder *builder, const static builder_schema extension_schema = { NORMAL_BUILD, { COMMON_ATTRS, - { CKA_VALUE, REQUIRE | CREATE }, - { CKA_X_CRITICAL, WANT, type_bool }, - { CKA_OBJECT_ID, REQUIRE | CREATE, type_der_oid }, - { CKA_ID, CREATE | MODIFY | WANT }, + { CKA_VALUE, REQUIRE | CREATE, type_der_ext }, + { CKA_X_PUBLIC_KEY_INFO, REQUIRE | CREATE, type_der_key }, + { CKA_OBJECT_ID, CREATE | WANT, type_der_oid }, + { CKA_ID, CREATE | MODIFY }, { CKA_INVALID }, }, extension_populate, }; @@ -1175,7 +1203,7 @@ build_trust_object_ku (p11_builder *builder, /* If blacklisted, don't even bother looking at extensions */ if (present != CKT_NSS_NOT_TRUSTED) - data = lookup_extension (builder, index, cert, P11_OID_KEY_USAGE, &length); + data = lookup_extension (builder, index, cert, NULL, P11_OID_KEY_USAGE, &length); if (data) { /* @@ -1648,7 +1676,7 @@ replace_trust_and_assertions (p11_builder *builder, authority = CK_TRUE; if (!distrust) { - ext = lookup_extension (builder, index, cert, P11_OID_EXTENDED_KEY_USAGE, &ext_len); + ext = lookup_extension (builder, index, cert, NULL, P11_OID_EXTENDED_KEY_USAGE, &ext_len); if (ext != NULL) { purposes = p11_x509_parse_extended_key_usage (builder->asn1_defs, ext, ext_len); if (purposes == NULL) @@ -1656,7 +1684,7 @@ replace_trust_and_assertions (p11_builder *builder, free (ext); } - ext = lookup_extension (builder, index, cert, P11_OID_OPENSSL_REJECT, &ext_len); + ext = lookup_extension (builder, index, cert, NULL, P11_OID_OPENSSL_REJECT, &ext_len); if (ext != NULL) { rejects = p11_x509_parse_extended_key_usage (builder->asn1_defs, ext, ext_len); if (rejects == NULL) @@ -1734,14 +1762,14 @@ replace_compat_for_ext (p11_builder *builder, { CK_OBJECT_HANDLE *handles; - CK_ATTRIBUTE *id; + CK_ATTRIBUTE *public_key; int i; - id = p11_attrs_find_valid (attrs, CKA_ID); - if (id == NULL) + public_key = p11_attrs_find_valid (attrs, CKA_X_PUBLIC_KEY_INFO); + if (public_key == NULL) return; - handles = lookup_related (index, CKO_CERTIFICATE, id); + handles = lookup_related (index, CKO_CERTIFICATE, public_key); for (i = 0; handles && handles[i] != 0; i++) { attrs = p11_index_lookup (index, handles[i]); replace_trust_and_assertions (builder, index, attrs); @@ -1759,7 +1787,7 @@ update_related_category (p11_builder *builder, CK_ULONG categoryv = 0UL; CK_ATTRIBUTE *update; CK_ATTRIBUTE *cert; - CK_ATTRIBUTE *id; + CK_ATTRIBUTE *public_key; CK_RV rv; int i; @@ -1768,17 +1796,17 @@ update_related_category (p11_builder *builder, { CKA_INVALID, }, }; - id = p11_attrs_find_valid (attrs, CKA_ID); - if (id == NULL) + public_key = p11_attrs_find_valid (attrs, CKA_X_PUBLIC_KEY_INFO); + if (public_key == NULL) return; /* Find all other objects with this handle */ - handles = lookup_related (index, CKO_CERTIFICATE, id); + handles = lookup_related (index, CKO_CERTIFICATE, public_key); for (i = 0; handles && handles[i] != 0; i++) { cert = p11_index_lookup (index, handle); - if (calc_certificate_category (builder, index, cert, &categoryv)) { + if (calc_certificate_category (builder, index, cert, public_key, &categoryv)) { update = p11_attrs_build (NULL, &category, NULL); rv = p11_index_update (index, handles[i], update); return_if_fail (rv == CKR_OK); diff --git a/trust/extract-info.c b/trust/extract-info.c index f125b8a..63fd03e 100644 --- a/trust/extract-info.c +++ b/trust/extract-info.c @@ -50,10 +50,50 @@ #include <stdlib.h> #include <string.h> +static bool +load_stapled_extension (p11_dict *stapled, + p11_dict *asn1_defs, + const unsigned char *der, + size_t len) +{ + char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE]; + node_asn *ext; + char *oid; + int length; + int start; + int end; + int ret; + + ext = p11_asn1_decode (asn1_defs, "PKIX1.Extension", der, len, message); + if (ext == NULL) { + p11_message ("couldn't parse stapled certificate extension: %s", message); + return false; + } + + ret = asn1_der_decoding_startEnd (ext, der, len, "extnID", &start, &end); + return_val_if_fail (ret == ASN1_SUCCESS, false); + + /* Make sure it's a straightforward oid with certain assumptions */ + length = (end - start) + 1; + if (!p11_oid_simple (der + start, length)) { + p11_debug ("strange complex certificate extension object id"); + return false; + } + + oid = memdup (der + start, length); + return_val_if_fail (oid != NULL, false); + + if (!p11_dict_set (stapled, oid, ext)) + return_val_if_reached (false); + + return true; +} + static p11_dict * -load_stapled_extensions (CK_FUNCTION_LIST_PTR module, +load_stapled_extensions (p11_extract_info *ex, + CK_FUNCTION_LIST_PTR module, CK_SESSION_HANDLE session, - CK_ATTRIBUTE *id) + CK_ATTRIBUTE *spki) { CK_OBJECT_CLASS extension = CKO_X_CERTIFICATE_EXTENSION; CK_ATTRIBUTE *attrs; @@ -63,21 +103,18 @@ load_stapled_extensions (CK_FUNCTION_LIST_PTR module, CK_ATTRIBUTE match[] = { { CKA_CLASS, &extension, sizeof (extension) }, - { CKA_ID, id->pValue, id->ulValueLen }, + { CKA_X_PUBLIC_KEY_INFO, spki->pValue, spki->ulValueLen }, }; CK_ATTRIBUTE template[] = { - { CKA_OBJECT_ID, }, - { CKA_X_CRITICAL, }, { CKA_VALUE, }, }; - stapled = p11_dict_new (p11_attr_hash, - (p11_dict_equals)p11_attr_equal, - NULL, p11_attrs_free); + stapled = p11_dict_new (p11_oid_hash, p11_oid_equal, + free, p11_asn1_free); /* No ID to use, just short circuit */ - if (!id->pValue || !id->ulValueLen) + if (!spki->pValue || !spki->ulValueLen) return stapled; iter = p11_kit_iter_new (NULL, 0); @@ -87,16 +124,16 @@ load_stapled_extensions (CK_FUNCTION_LIST_PTR module, while (rv == CKR_OK) { rv = p11_kit_iter_next (iter); if (rv == CKR_OK) { - attrs = p11_attrs_buildn (NULL, template, 3); - rv = p11_kit_iter_load_attributes (iter, attrs, 3); - if (rv == CKR_OK || rv == CKR_ATTRIBUTE_TYPE_INVALID) { - /* CKA_OBJECT_ID is the first attribute, use it as the key */ - if (!p11_dict_set (stapled, attrs, attrs)) - return_val_if_reached (NULL); - rv = CKR_OK; - } else { - p11_attrs_free (attrs); + attrs = p11_attrs_buildn (NULL, template, 1); + rv = p11_kit_iter_load_attributes (iter, attrs, 1); + if (rv == CKR_OK) { + if (!load_stapled_extension (stapled, ex->asn1_defs, + attrs[0].pValue, + attrs[0].ulValueLen)) { + rv = CKR_GENERAL_ERROR; + } } + p11_attrs_free (attrs); } } @@ -113,33 +150,30 @@ load_stapled_extensions (CK_FUNCTION_LIST_PTR module, static bool extract_purposes (p11_extract_info *ex) { - CK_ATTRIBUTE oid = { CKA_OBJECT_ID, - (void *)P11_OID_EXTENDED_KEY_USAGE, - sizeof (P11_OID_EXTENDED_KEY_USAGE) }; - const unsigned char *ext = NULL; - unsigned char *alloc = NULL; - CK_ATTRIBUTE *attrs; - size_t ext_len; + node_asn *ext = NULL; + unsigned char *value = NULL; + size_t length; if (ex->stapled) { - attrs = p11_dict_get (ex->stapled, &oid); - if (attrs != NULL) - ext = p11_attrs_find_value (attrs, CKA_VALUE, &ext_len); + ext = p11_dict_get (ex->stapled, P11_OID_EXTENDED_KEY_USAGE); + if (ext != NULL) { + value = p11_asn1_read (ext, "extnValue", &length); + return_val_if_fail (value != NULL, false); + } } - if (ext == NULL && ex->cert_asn) { - alloc = p11_x509_find_extension (ex->cert_asn, P11_OID_EXTENDED_KEY_USAGE, - ex->cert_der, ex->cert_len, &ext_len); - ext = alloc; + if (value == NULL && ex->cert_asn) { + value = p11_x509_find_extension (ex->cert_asn, P11_OID_EXTENDED_KEY_USAGE, + ex->cert_der, ex->cert_len, &length); } /* No such extension, match anything */ - if (ext == NULL) + if (value == NULL) return true; - ex->purposes = p11_x509_parse_extended_key_usage (ex->asn1_defs, ext, ext_len); + ex->purposes = p11_x509_parse_extended_key_usage (ex->asn1_defs, value, length); - free (alloc); + free (value); return ex->purposes != NULL; } @@ -292,6 +326,7 @@ extract_info (P11KitIter *iter, { CKA_TRUSTED, }, { CKA_CERTIFICATE_CATEGORY }, { CKA_X_DISTRUSTED }, + { CKA_X_PUBLIC_KEY_INFO }, { CKA_INVALID, }, }; @@ -317,11 +352,10 @@ extract_info (P11KitIter *iter, if (!extract_certificate (iter, ex)) return false; - attr = p11_attrs_find_valid (ex->attrs, CKA_ID); + attr = p11_attrs_find_valid (ex->attrs, CKA_X_PUBLIC_KEY_INFO); if (attr) { - ex->stapled = load_stapled_extensions (p11_kit_iter_get_module (iter), - p11_kit_iter_get_session (iter), - attr); + ex->stapled = load_stapled_extensions (ex, p11_kit_iter_get_module (iter), + p11_kit_iter_get_session (iter), attr); if (!ex->stapled) return false; } diff --git a/trust/extract-openssl.c b/trust/extract-openssl.c index 312a779..b7603b0 100644 --- a/trust/extract-openssl.c +++ b/trust/extract-openssl.c @@ -106,20 +106,24 @@ load_usage_ext (p11_extract_info *ex, const unsigned char *ext_oid, p11_array **oids) { - CK_ATTRIBUTE attr = { CKA_OBJECT_ID, (void *)ext_oid, - p11_oid_length (ext_oid) }; - void *value; + unsigned char *value; + node_asn *ext = NULL; size_t length; - value = p11_attrs_find_value (p11_dict_get (ex->stapled, &attr), CKA_VALUE, &length); - if (value == NULL) { + if (ex->stapled) + ext = p11_dict_get (ex->stapled, ext_oid); + if (ext == NULL) { *oids = NULL; return true; } + value = p11_asn1_read (ext, "extnValue", &length); + return_val_if_fail (value != NULL, false); + *oids = p11_x509_parse_extended_key_usage (ex->asn1_defs, value, length); return_val_if_fail (*oids != NULL, false); + free (value); return true; } @@ -221,21 +225,22 @@ static bool write_keyid (p11_extract_info *ex, node_asn *asn) { - CK_ATTRIBUTE attr = { CKA_OBJECT_ID, - (void *)P11_OID_SUBJECT_KEY_IDENTIFIER, - sizeof (P11_OID_SUBJECT_KEY_IDENTIFIER) }; - CK_ATTRIBUTE *value; + unsigned char *value = NULL; + node_asn *ext = NULL; + size_t length = 0; int ret; - value = p11_attrs_find_valid (p11_dict_get (ex->stapled, &attr), CKA_VALUE); - if (value == NULL) { - ret = asn1_write_value (asn, "keyid", NULL, 0); - return_val_if_fail (ret == ASN1_SUCCESS, false); - } else { - ret = asn1_write_value (asn, "keyid", value->pValue, value->ulValueLen); - return_val_if_fail (ret == ASN1_SUCCESS, false); + if (ex->stapled) + ext = p11_dict_get (ex->stapled, P11_OID_SUBJECT_KEY_IDENTIFIER); + if (ext != NULL) { + value = p11_asn1_read (ext, "extnValue", &length); + return_val_if_fail (value != NULL, false); } + ret = asn1_write_value (asn, "keyid", value, length); + return_val_if_fail (ret == ASN1_SUCCESS, false); + free (value); + return true; } diff --git a/trust/parser.c b/trust/parser.c index 77e41bc..26d911b 100644 --- a/trust/parser.c +++ b/trust/parser.c @@ -200,44 +200,75 @@ parse_der_x509_certificate (p11_parser *parser, static CK_ATTRIBUTE * extension_attrs (p11_parser *parser, CK_ATTRIBUTE *id, + CK_ATTRIBUTE *public_key_info, + const char *oid_str, const unsigned char *oid_der, - CK_BBOOL vcritical, - const unsigned char *ext_der, - int ext_len) + bool critical, + const unsigned char *value, + int length) { CK_OBJECT_CLASS klassv = CKO_X_CERTIFICATE_EXTENSION; CK_BBOOL modifiablev = CK_FALSE; CK_ATTRIBUTE klass = { CKA_CLASS, &klassv, sizeof (klassv) }; CK_ATTRIBUTE modifiable = { CKA_MODIFIABLE, &modifiablev, sizeof (modifiablev) }; - CK_ATTRIBUTE critical = { CKA_X_CRITICAL, &vcritical, sizeof (vcritical) }; CK_ATTRIBUTE oid = { CKA_OBJECT_ID, (void *)oid_der, p11_oid_length (oid_der) }; - CK_ATTRIBUTE value = { CKA_VALUE, (void *)ext_der, ext_len }; - if (ext_der == NULL) - value.type = CKA_INVALID; + CK_ATTRIBUTE *attrs; + node_asn *dest; + unsigned char *der; + size_t len; + int ret; + + attrs = p11_attrs_build (NULL, id, public_key_info, &klass, &modifiable, &oid, NULL); + return_val_if_fail (attrs != NULL, NULL); + + dest = p11_asn1_create (parser->asn1_defs, "PKIX1.Extension"); + return_val_if_fail (dest != NULL, NULL); + + ret = asn1_write_value (dest, "extnID", oid_str, 1); + return_val_if_fail (ret == ASN1_SUCCESS, NULL); + + if (critical) + ret = asn1_write_value (dest, "critical", "TRUE", 1); + return_val_if_fail (ret == ASN1_SUCCESS, NULL); + + ret = asn1_write_value (dest, "extnValue", value, length); + return_val_if_fail (ret == ASN1_SUCCESS, NULL); + + der = p11_asn1_encode (dest, &len); + return_val_if_fail (der != NULL, NULL); - return p11_attrs_build (NULL, id, &klass, &modifiable, &oid, &critical, &value, NULL); + attrs = p11_attrs_take (attrs, CKA_VALUE, der, len); + return_val_if_fail (attrs != NULL, NULL); + + /* An opmitization so that the builder can get at this without parsing */ + p11_asn1_cache_take (parser->asn1_cache, dest, "PKIX1.Extension", der, len); + return attrs; } static CK_ATTRIBUTE * stapled_attrs (p11_parser *parser, CK_ATTRIBUTE *id, - const unsigned char *oid, - CK_BBOOL critical, + CK_ATTRIBUTE *public_key_info, + const char *oid_str, + const unsigned char *oid_der, + bool critical, node_asn *ext) { CK_ATTRIBUTE *attrs; unsigned char *der; size_t len; - attrs = extension_attrs (parser, id, oid, critical, NULL, 0); - return_val_if_fail (attrs != NULL, NULL); - der = p11_asn1_encode (ext, &len); return_val_if_fail (der != NULL, NULL); - return p11_attrs_take (attrs, CKA_VALUE, der, len); + attrs = extension_attrs (parser, id, public_key_info, oid_str, oid_der, + critical, der, len); + return_val_if_fail (attrs != NULL, NULL); + + free (der); + return attrs; } static p11_dict * @@ -270,8 +301,10 @@ load_seq_of_oid_str (node_asn *node, static CK_ATTRIBUTE * stapled_eku_attrs (p11_parser *parser, CK_ATTRIBUTE *id, - const unsigned char *oid, - CK_BBOOL critical, + CK_ATTRIBUTE *public_key_info, + const char *oid_str, + const unsigned char *oid_der, + bool critical, p11_dict *oid_strs) { CK_ATTRIBUTE *attrs; @@ -317,7 +350,7 @@ stapled_eku_attrs (p11_parser *parser, } - attrs = stapled_attrs (parser, id, oid, critical, dest); + attrs = stapled_attrs (parser, id, public_key_info, oid_str, oid_der, critical, dest); asn1_delete_structure (&dest); return attrs; @@ -327,6 +360,7 @@ static CK_ATTRIBUTE * build_openssl_extensions (p11_parser *parser, CK_ATTRIBUTE *cert, CK_ATTRIBUTE *id, + CK_ATTRIBUTE *public_key_info, node_asn *aux, const unsigned char *aux_der, size_t aux_len) @@ -379,7 +413,10 @@ build_openssl_extensions (p11_parser *parser, */ if (trust) { - attrs = stapled_eku_attrs (parser, id, P11_OID_EXTENDED_KEY_USAGE, CK_TRUE, trust); + attrs = stapled_eku_attrs (parser, id, public_key_info, + P11_OID_EXTENDED_KEY_USAGE_STR, + P11_OID_EXTENDED_KEY_USAGE, + true, trust); return_val_if_fail (attrs != NULL, NULL); sink_object (parser, attrs); } @@ -393,7 +430,10 @@ build_openssl_extensions (p11_parser *parser, */ if (reject && p11_dict_size (reject) > 0) { - attrs = stapled_eku_attrs (parser, id, P11_OID_OPENSSL_REJECT, CK_FALSE, reject); + attrs = stapled_eku_attrs (parser, id, public_key_info, + P11_OID_OPENSSL_REJECT_STR, + P11_OID_OPENSSL_REJECT, + false, reject); return_val_if_fail (attrs != NULL, NULL); sink_object (parser, attrs); } @@ -439,8 +479,10 @@ build_openssl_extensions (p11_parser *parser, return_val_if_fail (ret == ASN1_SUCCESS || ret == ASN1_ELEMENT_NOT_FOUND, NULL); if (ret == ASN1_SUCCESS) { - attrs = extension_attrs (parser, id, P11_OID_SUBJECT_KEY_IDENTIFIER, CK_FALSE, - aux_der + start, (end - start) + 1); + attrs = extension_attrs (parser, id, public_key_info, + P11_OID_SUBJECT_KEY_IDENTIFIER_STR, + P11_OID_SUBJECT_KEY_IDENTIFIER, + false, aux_der + start, (end - start) + 1); return_val_if_fail (attrs != NULL, NULL); sink_object (parser, attrs); } @@ -458,12 +500,15 @@ parse_openssl_trusted_certificate (p11_parser *parser, CK_ATTRIBUTE *attrs; CK_BYTE idv[ID_LENGTH]; CK_ATTRIBUTE id = { CKA_ID, idv, sizeof (idv) }; + CK_ATTRIBUTE public_key_info = { CKA_X_PUBLIC_KEY_INFO }; CK_ATTRIBUTE *value; char *label = NULL; node_asn *cert; node_asn *aux; ssize_t cert_len; - int len; + size_t len; + int start; + int end; int ret; /* @@ -497,23 +542,27 @@ parse_openssl_trusted_certificate (p11_parser *parser, /* Cache the parsed certificate ASN.1 for later use by the builder */ value = p11_attrs_find_valid (attrs, CKA_VALUE); return_val_if_fail (value != NULL, P11_PARSE_FAILURE); + + /* Pull out the subject public key info */ + ret = asn1_der_decoding_startEnd (cert, data, cert_len, + "tbsCertificate.subjectPublicKeyInfo", &start, &end); + return_val_if_fail (ret == ASN1_SUCCESS, P11_PARSE_FAILURE); + + public_key_info.pValue = (char *)data + start; + public_key_info.ulValueLen = (end - start) + 1; + p11_asn1_cache_take (parser->asn1_cache, cert, "PKIX1.Certificate", value->pValue, value->ulValueLen); /* Pull the label out of the CertAux */ len = 0; - ret = asn1_read_value (aux, "alias", NULL, &len); - if (ret != ASN1_ELEMENT_NOT_FOUND) { - return_val_if_fail (ret == ASN1_MEM_ERROR, P11_PARSE_FAILURE); - label = calloc (len + 1, 1); - return_val_if_fail (label != NULL, P11_PARSE_FAILURE); - ret = asn1_read_value (aux, "alias", label, &len); - return_val_if_fail (ret == ASN1_SUCCESS, P11_PARSE_FAILURE); + label = p11_asn1_read (aux, "alias", &len); + if (label != NULL) { attrs = p11_attrs_take (attrs, CKA_LABEL, label, strlen (label)); return_val_if_fail (attrs != NULL, P11_PARSE_FAILURE); } - attrs = build_openssl_extensions (parser, attrs, &id, aux, + attrs = build_openssl_extensions (parser, attrs, &id, &public_key_info, aux, data + cert_len, length - cert_len); return_val_if_fail (attrs != NULL, P11_PARSE_FAILURE); diff --git a/trust/tests/Makefile.am b/trust/tests/Makefile.am index 9d5b3ae..b0581cb 100644 --- a/trust/tests/Makefile.am +++ b/trust/tests/Makefile.am @@ -60,6 +60,7 @@ noinst_PROGRAMS = \ frob-cert \ frob-ku \ frob-eku \ + frob-ext \ frob-cert \ frob-oid \ $(CHECK_PROGS) diff --git a/trust/tests/files/cacert3-trusted-multiple.pem b/trust/tests/files/multiple.pem index e56a58f..d3e1775 100644 --- a/trust/tests/files/cacert3-trusted-multiple.pem +++ b/trust/tests/files/multiple.pem @@ -42,44 +42,17 @@ d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60 TGFiZWw= -----END TRUSTED CERTIFICATE----- -----BEGIN TRUSTED CERTIFICATE----- -MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv -b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ -Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y -dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU -MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 -Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN -AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a -iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1 -aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C -jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia -pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0 -FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt -XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL -oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6 -R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp -rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/ -LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA -BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow -gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV -BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG -A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS -c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH -AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr -BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB -MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y -Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj -ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5 -b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D -QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc -7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH -Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4 -D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3 -VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a -lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW -Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt -hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz -0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn -ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT -d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60 -4GGSt/M3mMS+lqO3ijAODAxDdXN0b20gTGFiZWw= +MIICPDCCAaUCED9pHoGc8JpK83P/uUii5N0wDQYJKoZIhvcNAQEFBQAwXzELMAkG +A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz +cyAxIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2 +MDEyOTAwMDAwMFoXDTI4MDgwMjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV +BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmlt +YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN +ADCBiQKBgQDlGb9to1ZhLZlIcfZn3rmN67eehoAKkQ76OCWvRoiC5XOooJskXQ0f +zGVuDLDQVoQYh5oGmxChc9+0WDlrbsH2FdWoqD+qEgaNMax/sDTXjzRniAnNFBHi +TkVWaR94AoDa3EeRKbs2yWNcxeDXLYd7obcysHswuiovMaruo2fa2wIDAQABMA0G +CSqGSIb3DQEBBQUAA4GBAFgVKTk8d6PaXCUDfGD67gmZPCcQcMgMCeazh88K4hiW +NWLMv5sneYlfycQJ9M61Hd8qveXbhpxoJeUwfLaJFf5n0a3hUKw8fGJLj7qE1xIV +Gx/KXQ/BUpQqEZnae88MNhPVNdwQGVnqlMEAv3WP2fr9dgTbYruQagPZRjXZ+Hxb +MA4MDEN1c3RvbSBMYWJlbA== -----END TRUSTED CERTIFICATE----- diff --git a/trust/tests/files/verisign-v1.pem b/trust/tests/files/verisign-v1.pem new file mode 100644 index 0000000..ace4da5 --- /dev/null +++ b/trust/tests/files/verisign-v1.pem @@ -0,0 +1,15 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIICPDCCAaUCED9pHoGc8JpK83P/uUii5N0wDQYJKoZIhvcNAQEFBQAwXzELMAkG +A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz +cyAxIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2 +MDEyOTAwMDAwMFoXDTI4MDgwMjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV +BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmlt +YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN +ADCBiQKBgQDlGb9to1ZhLZlIcfZn3rmN67eehoAKkQ76OCWvRoiC5XOooJskXQ0f +zGVuDLDQVoQYh5oGmxChc9+0WDlrbsH2FdWoqD+qEgaNMax/sDTXjzRniAnNFBHi +TkVWaR94AoDa3EeRKbs2yWNcxeDXLYd7obcysHswuiovMaruo2fa2wIDAQABMA0G +CSqGSIb3DQEBBQUAA4GBAFgVKTk8d6PaXCUDfGD67gmZPCcQcMgMCeazh88K4hiW +NWLMv5sneYlfycQJ9M61Hd8qveXbhpxoJeUwfLaJFf5n0a3hUKw8fGJLj7qE1xIV +Gx/KXQ/BUpQqEZnae88MNhPVNdwQGVnqlMEAv3WP2fr9dgTbYruQagPZRjXZ+Hxb +MA4MDEN1c3RvbSBMYWJlbA== +-----END TRUSTED CERTIFICATE----- diff --git a/trust/tests/frob-eku.c b/trust/tests/frob-eku.c index 42bf50b..5cc5829 100644 --- a/trust/tests/frob-eku.c +++ b/trust/tests/frob-eku.c @@ -94,6 +94,7 @@ main (int argc, fwrite (buf, 1, len, stdout); fflush (stdout); + free (buf); asn1_delete_structure (&ekus); asn1_delete_structure (&definitions); diff --git a/trust/tests/frob-ext.c b/trust/tests/frob-ext.c new file mode 100644 index 0000000..b1b5dd5 --- /dev/null +++ b/trust/tests/frob-ext.c @@ -0,0 +1,118 @@ +/* + * Copyright (c) 2013 Red Hat Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above + * copyright notice, this list of conditions and the + * following disclaimer. + * * Redistributions in binary form must reproduce the + * above copyright notice, this list of conditions and + * the following disclaimer in the documentation and/or + * other materials provided with the distribution. + * * The names of contributors to this software may not be + * used to endorse or promote products derived from this + * software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + * + * Author: Stef Walter <stefw@gnome.org> + */ + +#include "config.h" +#include "compat.h" + +#include <libtasn1.h> + +#include <assert.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#include "pkix.asn.h" + +#define err_if_fail(ret, msg) \ + do { if ((ret) != ASN1_SUCCESS) { \ + fprintf (stderr, "%s: %s\n", msg, asn1_strerror (ret)); \ + exit (1); \ + } } while (0) + +int +main (int argc, + char *argv[]) +{ + char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = { 0, }; + node_asn *definitions = NULL; + node_asn *ext = NULL; + unsigned char input[1024]; + char *buf; + size_t size; + int len; + int ret; + + if (argc == 1 || argc > 3) { + fprintf (stderr, "usage: frob-ext 1.2.3 TRUE\n"); + return 2; + } + + size = fread (input, 1, sizeof (input), stdin); + if (ferror (stdin) || !feof (stdin)) { + fprintf (stderr, "bad input\n"); + return 1; + } + + ret = asn1_array2tree (pkix_asn1_tab, &definitions, message); + if (ret != ASN1_SUCCESS) { + fprintf (stderr, "definitions: %s\n", message); + return 1; + } + + + ret = asn1_create_element (definitions, "PKIX1.Extension", &ext); + err_if_fail (ret, "Extension"); + + ret = asn1_write_value (ext, "extnID", argv[1], 1); + err_if_fail (ret, "extnID"); + + if (argc == 3) { + ret = asn1_write_value (ext, "critical", argv[2], 1); + err_if_fail (ret, "critical"); + } + + ret = asn1_write_value (ext, "extnValue", input, size); + err_if_fail (ret, "extnValue"); + + len = 0; + ret = asn1_der_coding (ext, "", NULL, &len, message); + assert (ret == ASN1_MEM_ERROR); + + buf = malloc (len); + assert (buf != NULL); + ret = asn1_der_coding (ext, "", buf, &len, message); + if (ret != ASN1_SUCCESS) { + fprintf (stderr, "asn1_der_coding: %s\n", message); + return 1; + } + + fwrite (buf, 1, len, stdout); + fflush (stdout); + + free (buf); + asn1_delete_structure (&ext); + asn1_delete_structure (&definitions); + + return 0; +} diff --git a/trust/tests/test-builder.c b/trust/tests/test-builder.c index 09a2590..72ee151 100644 --- a/trust/tests/test-builder.c +++ b/trust/tests/test-builder.c @@ -294,6 +294,28 @@ static const unsigned char entrust_pretend_ca[] = { 0xbd, 0x4c, 0x45, 0x9e, 0x61, 0xba, 0xbf, 0x84, 0x81, 0x92, 0x03, 0xd1, 0xd2, 0x69, 0x7c, 0xc5, }; +static const unsigned char entrust_public_key[] = { + 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, + 0x00, 0xad, 0x4d, 0x4b, 0xa9, 0x12, 0x86, 0xb2, 0xea, 0xa3, 0x20, 0x07, 0x15, 0x16, 0x64, 0x2a, + 0x2b, 0x4b, 0xd1, 0xbf, 0x0b, 0x4a, 0x4d, 0x8e, 0xed, 0x80, 0x76, 0xa5, 0x67, 0xb7, 0x78, 0x40, + 0xc0, 0x73, 0x42, 0xc8, 0x68, 0xc0, 0xdb, 0x53, 0x2b, 0xdd, 0x5e, 0xb8, 0x76, 0x98, 0x35, 0x93, + 0x8b, 0x1a, 0x9d, 0x7c, 0x13, 0x3a, 0x0e, 0x1f, 0x5b, 0xb7, 0x1e, 0xcf, 0xe5, 0x24, 0x14, 0x1e, + 0xb1, 0x81, 0xa9, 0x8d, 0x7d, 0xb8, 0xcc, 0x6b, 0x4b, 0x03, 0xf1, 0x02, 0x0c, 0xdc, 0xab, 0xa5, + 0x40, 0x24, 0x00, 0x7f, 0x74, 0x94, 0xa1, 0x9d, 0x08, 0x29, 0xb3, 0x88, 0x0b, 0xf5, 0x87, 0x77, + 0x9d, 0x55, 0xcd, 0xe4, 0xc3, 0x7e, 0xd7, 0x6a, 0x64, 0xab, 0x85, 0x14, 0x86, 0x95, 0x5b, 0x97, + 0x32, 0x50, 0x6f, 0x3d, 0xc8, 0xba, 0x66, 0x0c, 0xe3, 0xfc, 0xbd, 0xb8, 0x49, 0xc1, 0x76, 0x89, + 0x49, 0x19, 0xfd, 0xc0, 0xa8, 0xbd, 0x89, 0xa3, 0x67, 0x2f, 0xc6, 0x9f, 0xbc, 0x71, 0x19, 0x60, + 0xb8, 0x2d, 0xe9, 0x2c, 0xc9, 0x90, 0x76, 0x66, 0x7b, 0x94, 0xe2, 0xaf, 0x78, 0xd6, 0x65, 0x53, + 0x5d, 0x3c, 0xd6, 0x9c, 0xb2, 0xcf, 0x29, 0x03, 0xf9, 0x2f, 0xa4, 0x50, 0xb2, 0xd4, 0x48, 0xce, + 0x05, 0x32, 0x55, 0x8a, 0xfd, 0xb2, 0x64, 0x4c, 0x0e, 0xe4, 0x98, 0x07, 0x75, 0xdb, 0x7f, 0xdf, + 0xb9, 0x08, 0x55, 0x60, 0x85, 0x30, 0x29, 0xf9, 0x7b, 0x48, 0xa4, 0x69, 0x86, 0xe3, 0x35, 0x3f, + 0x1e, 0x86, 0x5d, 0x7a, 0x7a, 0x15, 0xbd, 0xef, 0x00, 0x8e, 0x15, 0x22, 0x54, 0x17, 0x00, 0x90, + 0x26, 0x93, 0xbc, 0x0e, 0x49, 0x68, 0x91, 0xbf, 0xf8, 0x47, 0xd3, 0x9d, 0x95, 0x42, 0xc1, 0x0e, + 0x4d, 0xdf, 0x6f, 0x26, 0xcf, 0xc3, 0x18, 0x21, 0x62, 0x66, 0x43, 0x70, 0xd6, 0xd5, 0xc0, 0x07, + 0xe1, 0x02, 0x03, 0x01, 0x00, 0x01, +}; + static void test_build_certificate_non_ca (void) { @@ -354,8 +376,8 @@ test_build_certificate_staple_ca (void) CK_ATTRIBUTE stapled[] = { { CKA_CLASS, &certificate_extension, sizeof (certificate_extension) }, { CKA_OBJECT_ID, (void *)P11_OID_BASIC_CONSTRAINTS, sizeof (P11_OID_BASIC_CONSTRAINTS) }, - { CKA_VALUE, "\x30\x03\x01\x01\xFF", 5 }, - { CKA_ID, "the id", 6 }, + { CKA_VALUE, "\x30\x0f\x06\x03\x55\x1d\x13\x01\x01\xff\x04\x05\x30\x03\x01\x01\xff", 17 }, + { CKA_X_PUBLIC_KEY_INFO, (void *)entrust_public_key, sizeof (entrust_public_key) }, { CKA_INVALID }, }; @@ -363,7 +385,6 @@ test_build_certificate_staple_ca (void) { CKA_CLASS, &certificate, sizeof (certificate) }, { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, { CKA_VALUE, (void *)entrust_pretend_ca, sizeof (entrust_pretend_ca) }, - { CKA_ID, "the id", 6 }, { CKA_INVALID }, }; @@ -445,8 +466,8 @@ test_build_extension (void) { CK_ATTRIBUTE input[] = { { CKA_CLASS, &certificate_extension, sizeof (certificate_extension) }, - { CKA_OBJECT_ID, "\x06\x03\x55\x1d\x50", 5 }, - { CKA_VALUE, "the value", 9 }, + { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, + { CKA_VALUE, "\x30\x11\x06\x03\x55\x1d\x50\x04\x0a\x74\x68\x65\x20\x76\x61\x6c\x75\x65\x0a", 19 }, { CKA_INVALID }, }; @@ -456,9 +477,9 @@ test_build_extension (void) { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, { CKA_PRIVATE, &falsev, sizeof (falsev) }, { CKA_OBJECT_ID, "\x06\x03\x55\x1d\x50", 5 }, - { CKA_VALUE, "the value", 9 }, + { CKA_VALUE, "\x30\x11\x06\x03\x55\x1d\x50\x04\x0a\x74\x68\x65\x20\x76\x61\x6c\x75\x65\x0a", 19 }, + { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, { CKA_LABEL, "", 0 }, - { CKA_X_CRITICAL, &falsev, sizeof (falsev) }, { CKA_INVALID }, }; @@ -1396,29 +1417,31 @@ test_changed_trusted_certificate (void) }; static unsigned char eku_server_and_client[] = { - 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, - 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, + 0x30, 0x20, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, + 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, + 0x03, 0x02, }; CK_ATTRIBUTE eku_extension_server_and_client[] = { { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, + { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, { CKA_LABEL, "Custom Label", 12 }, - { CKA_X_CRITICAL, &truev, sizeof (truev) }, { CKA_VALUE, eku_server_and_client, sizeof (eku_server_and_client) }, { CKA_ID, "cacert3", 7 }, { CKA_INVALID }, }; static char eku_client_email[] = { + 0x30, 0x1a, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x99, 0x77, 0x06, 0x0a, 0x01, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04, }; static CK_ATTRIBUTE reject_extension_email[] = { { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) }, + { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, { CKA_LABEL, "Custom Label", 12 }, - { CKA_X_CRITICAL, &falsev, sizeof (falsev) }, { CKA_VALUE, eku_client_email, sizeof (eku_client_email) }, { CKA_ID, "cacert3", 7 }, { CKA_INVALID }, @@ -1535,8 +1558,8 @@ test_changed_distrust_value (void) CK_ATTRIBUTE eku_extension[] = { { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, - { CKA_X_CRITICAL, &truev, sizeof (truev) }, - { CKA_VALUE, "\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x10", 14 }, + { CKA_VALUE, "\x30\x18\x06\x03\x55\x1d\x25\x01\x01\xff\x04\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x10", 26 }, + { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, { CKA_ID, "cacert3", 7 }, { CKA_INVALID }, }; @@ -1544,8 +1567,8 @@ test_changed_distrust_value (void) CK_ATTRIBUTE reject_extension[] = { { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) }, - { CKA_X_CRITICAL, &falsev, sizeof (falsev) }, - { CKA_VALUE, "\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02", 12 }, + { CKA_VALUE, "\x30\x1a\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x01\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02", 28 }, + { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, { CKA_ID, "cacert3", 7 }, { CKA_INVALID }, }; @@ -1891,7 +1914,8 @@ test_changed_staple_ca (void) CK_ATTRIBUTE stapled[] = { { CKA_CLASS, &certificate_extension, sizeof (certificate_extension) }, { CKA_OBJECT_ID, (void *)P11_OID_BASIC_CONSTRAINTS, sizeof (P11_OID_BASIC_CONSTRAINTS) }, - { CKA_VALUE, "\x30\x03\x01\x01\xFF", 5 }, + { CKA_VALUE, "\x30\x0c\x06\x03\x55\x1d\x13\x04\x05\x30\x03\x01\x01\xff", 14 }, + { CKA_X_PUBLIC_KEY_INFO, (void *)entrust_public_key, sizeof (entrust_public_key) }, { CKA_ID, "the id", 6 }, { CKA_INVALID }, }; @@ -1938,7 +1962,8 @@ test_changed_staple_ku (void) CK_ATTRIBUTE stapled_ds_and_np[] = { { CKA_CLASS, &certificate_extension, sizeof (certificate_extension) }, { CKA_OBJECT_ID, (void *)P11_OID_KEY_USAGE, sizeof (P11_OID_KEY_USAGE) }, - { CKA_VALUE, "\x03\x03\x07\xc0\x00", 5 }, + { CKA_VALUE, "\x30\x0c\x06\x03\x55\x1d\x0f\x04\x05\x03\x03\x07\xc0\x00", 14 }, + { CKA_X_PUBLIC_KEY_INFO, (void *)entrust_public_key, sizeof (entrust_public_key) }, { CKA_ID, "the id", 6 }, { CKA_INVALID }, }; diff --git a/trust/tests/test-extract.c b/trust/tests/test-extract.c index ddb4a49..4fce711 100644 --- a/trust/tests/test-extract.c +++ b/trust/tests/test-extract.c @@ -183,6 +183,7 @@ static CK_ATTRIBUTE cacert3_trusted[] = { { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) }, { CKA_LABEL, "Cacert3 Here", 11 }, { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, + { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, { CKA_TRUSTED, &truev, sizeof (truev) }, { CKA_ID, "ID1", 3 }, { CKA_INVALID }, @@ -207,7 +208,8 @@ static CK_ATTRIBUTE extension_eku_server_client[] = { { CKA_CLASS, &extension_class, sizeof (extension_class) }, { CKA_ID, "ID1", 3 }, { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, - { CKA_VALUE, (void *)test_eku_server_and_client, sizeof (test_eku_server_and_client) }, + { CKA_VALUE, "\x30\x1d\x06\x03\x55\x1d\x25\x04\x16\x30\x14\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02", 31 }, + { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, { CKA_INVALID }, }; @@ -215,7 +217,8 @@ static CK_ATTRIBUTE extension_eku_invalid[] = { { CKA_CLASS, &extension_class, sizeof (extension_class) }, { CKA_ID, "ID1", 3 }, { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, - { CKA_VALUE, "invalid", 7 }, + { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, + { CKA_VALUE, "\x30\x0e\x06\x03\x55\x1d\x25\x04\x07\x69\x6e\x76\x61\x6c\x69\x64", 16 }, { CKA_INVALID }, }; diff --git a/trust/tests/test-openssl.c b/trust/tests/test-openssl.c index 2d41b92..1396102 100644 --- a/trust/tests/test-openssl.c +++ b/trust/tests/test-openssl.c @@ -113,6 +113,18 @@ static CK_ATTRIBUTE cacert3_authority_attrs[] = { { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) }, { CKA_LABEL, "Custom Label", 12 }, { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, + { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, + { CKA_TRUSTED, &vtrue, sizeof (vtrue) }, + { CKA_INVALID }, +}; + +static CK_ATTRIBUTE verisign_v1_attrs[] = { + { CKA_VALUE, (void *)verisign_v1_ca, sizeof (verisign_v1_ca) }, + { CKA_CLASS, &certificate_class, sizeof (certificate_class) }, + { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) }, + { CKA_LABEL, "Custom Label", 12 }, + { CKA_SUBJECT, (void *)verisign_v1_ca_subject, sizeof (verisign_v1_ca_subject) }, + { CKA_X_PUBLIC_KEY_INFO, (void *)verisign_v1_ca_public_key, sizeof (verisign_v1_ca_public_key) }, { CKA_TRUSTED, &vtrue, sizeof (vtrue) }, { CKA_INVALID }, }; @@ -120,14 +132,16 @@ static CK_ATTRIBUTE cacert3_authority_attrs[] = { static CK_ATTRIBUTE extension_eku_server[] = { { CKA_CLASS, &extension_class, sizeof (extension_class) }, { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, - { CKA_VALUE, (void *)test_eku_server, sizeof (test_eku_server) }, + { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, + { CKA_VALUE, "\x30\x13\x06\x03\x55\x1d\x25\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01", 21 }, { CKA_INVALID }, }; static CK_ATTRIBUTE extension_reject_email[] = { { CKA_CLASS, &extension_class, sizeof (extension_class) }, { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) }, - { CKA_VALUE, (void *)test_eku_email, sizeof (test_eku_email) }, + { CKA_VALUE, "\x30\x1a\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x01\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x04", 28 }, + { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, { CKA_INVALID }, }; @@ -221,16 +235,16 @@ test_keyid (void) { CKA_CLASS, &certificate_class, sizeof (certificate_class) }, { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) }, { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, + { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, { CKA_TRUSTED, &vtrue, sizeof (vtrue) }, { CKA_INVALID }, }; - static unsigned char identifier[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 }; - static CK_ATTRIBUTE extension_subject_key_identifier[] = { { CKA_CLASS, &extension_class, sizeof (extension_class) }, { CKA_OBJECT_ID, (void *)P11_OID_SUBJECT_KEY_IDENTIFIER, sizeof (P11_OID_SUBJECT_KEY_IDENTIFIER) }, - { CKA_VALUE, identifier, sizeof (identifier) }, + { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, + { CKA_VALUE, "\x30\x0e\x06\x03\x55\x1d\x0e\x04\x07\x00\x01\x02\x03\x04\x05\x06", 16 }, { CKA_INVALID }, }; @@ -325,7 +339,7 @@ test_file_multiple (void) extension_reject_email, NULL); - setup_objects (cacert3_authority_attrs, + setup_objects (verisign_v1_attrs, NULL); p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL); @@ -338,9 +352,7 @@ test_file_multiple (void) ret = p11_extract_openssl_bundle (test.iter, &test.ex); assert_num_eq (true, ret); - test_check_file (test.directory, "extract.pem", - SRCDIR "/files/cacert3-trusted-multiple.pem"); - + test_check_file (test.directory, "extract.pem", SRCDIR "/files/multiple.pem"); free (test.ex.destination); } @@ -573,6 +585,7 @@ test_directory (void) extension_reject_email, NULL); + /* Accesses the above objects */ setup_objects (cacert3_authority_attrs, NULL); @@ -596,7 +609,7 @@ test_directory (void) test_check_file (test.directory, "Custom_Label.pem", SRCDIR "/files/cacert3-trusted-server-alias.pem"); test_check_file (test.directory, "Custom_Label.1.pem", - SRCDIR "/files/cacert3-trusted-alias.pem"); + SRCDIR "/files/cacert3-trusted-server-alias.pem"); #ifdef OS_UNIX test_check_symlink (test.directory, "e5662767.0", "Custom_Label.pem"); test_check_symlink (test.directory, "e5662767.1", "Custom_Label.1.pem"); diff --git a/trust/tests/test-parser.c b/trust/tests/test-parser.c index b8d31df..cc71d1d 100644 --- a/trust/tests/test-parser.c +++ b/trust/tests/test-parser.c @@ -197,16 +197,16 @@ test_parse_openssl_trusted (void) CK_ATTRIBUTE eku_extension[] = { { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, - { CKA_X_CRITICAL, &truev, sizeof (truev) }, - { CKA_VALUE, "\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01", 12 }, + { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, + { CKA_VALUE, "\x30\x16\x06\x03\x55\x1d\x25\x01\x01\xff\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01", 24 }, { CKA_INVALID }, }; CK_ATTRIBUTE reject_extension[] = { { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) }, - { CKA_X_CRITICAL, &falsev, sizeof (falsev) }, - { CKA_VALUE, "\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x04", 12 }, + { CKA_X_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, + { CKA_VALUE, "\x30\x1a\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x01\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x04", 28 }, { CKA_INVALID }, }; @@ -250,6 +250,20 @@ test_parse_openssl_trusted (void) static void test_parse_openssl_distrusted (void) { + static const char distrust_public_key[] = { + 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, + 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xdf, 0xc7, 0x0d, + 0x61, 0xa2, 0x2f, 0xc0, 0x5a, 0xad, 0x45, 0x83, 0x22, 0x33, 0x42, 0xea, 0xec, 0x42, 0x5e, 0xa6, + 0x0d, 0x42, 0x4c, 0x1c, 0x9a, 0x12, 0x0b, 0x5f, 0xe7, 0x25, 0xf9, 0x8b, 0x83, 0x0c, 0x0a, 0xc5, + 0x2f, 0x5a, 0x58, 0x56, 0xb8, 0xad, 0x87, 0x6d, 0xbc, 0x80, 0x5d, 0xdd, 0x49, 0x45, 0x39, 0x5f, + 0xb9, 0x08, 0x3a, 0x63, 0xe4, 0x92, 0x33, 0x61, 0x79, 0x19, 0x1b, 0x9d, 0xab, 0x3a, 0xd5, 0x7f, + 0xa7, 0x8b, 0x7f, 0x8a, 0x5a, 0xf6, 0xd7, 0xde, 0xaf, 0xa1, 0xe5, 0x53, 0x31, 0x29, 0x7d, 0x9c, + 0x03, 0x55, 0x3e, 0x47, 0x78, 0xcb, 0xb9, 0x7a, 0x98, 0x8c, 0x5f, 0x8d, 0xda, 0x09, 0x0f, 0xc8, + 0xfb, 0xf1, 0x7a, 0x80, 0xee, 0x12, 0x77, 0x0a, 0x00, 0x8b, 0x70, 0xfa, 0x62, 0xbf, 0xaf, 0xee, + 0x0b, 0x58, 0x16, 0xf9, 0x9c, 0x5c, 0xde, 0x93, 0xb8, 0x4f, 0xdf, 0x4d, 0x7b, 0x02, 0x03, 0x01, + 0x00, 0x01, + }; + CK_ATTRIBUTE distrust_cert[] = { { CKA_CLASS, &certificate, sizeof (certificate), }, { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, @@ -262,16 +276,16 @@ test_parse_openssl_distrusted (void) CK_ATTRIBUTE eku_extension[] = { { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, - { CKA_X_CRITICAL, &truev, sizeof (truev) }, - { CKA_VALUE, "\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x10", 14 }, + { CKA_X_PUBLIC_KEY_INFO, (void *)distrust_public_key, sizeof (distrust_public_key) }, + { CKA_VALUE, "\x30\x18\x06\x03\x55\x1d\x25\x01\x01\xff\x04\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x10", 26 }, { CKA_INVALID }, }; CK_ATTRIBUTE reject_extension[] = { { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) }, - { CKA_X_CRITICAL, &falsev, sizeof (falsev) }, - { CKA_VALUE, "\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02", 12 }, + { CKA_X_PUBLIC_KEY_INFO, (void *)distrust_public_key, sizeof (distrust_public_key) }, + { CKA_VALUE, "\x30\x1a\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x01\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02", 28 }, { CKA_INVALID }, }; diff --git a/trust/tests/test-trust.h b/trust/tests/test-trust.h index 4d2c5bf..b5aab5b 100644 --- a/trust/tests/test-trust.h +++ b/trust/tests/test-trust.h @@ -234,6 +234,44 @@ static const char test_cacert3_ca_serial[] = { 0x02, 0x03, 0x0a, 0x41, 0x8a, }; +static const char test_cacert3_ca_public_key[] = { + 0x30, 0x82, 0x02, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0f, 0x00, 0x30, 0x82, 0x02, 0x0a, 0x02, 0x82, 0x02, 0x01, + 0x00, 0xab, 0x49, 0x35, 0x11, 0x48, 0x7c, 0xd2, 0x26, 0x7e, 0x53, 0x94, 0xcf, 0x43, 0xa9, 0xdd, + 0x28, 0xd7, 0x42, 0x2a, 0x8b, 0xf3, 0x87, 0x78, 0x19, 0x58, 0x7c, 0x0f, 0x9e, 0xda, 0x89, 0x7d, + 0xe1, 0xfb, 0xeb, 0x72, 0x90, 0x0d, 0x74, 0xa1, 0x96, 0x64, 0xab, 0x9f, 0xa0, 0x24, 0x99, 0x73, + 0xda, 0xe2, 0x55, 0x76, 0xc7, 0x17, 0x7b, 0xf5, 0x04, 0xac, 0x46, 0xb8, 0xc3, 0xbe, 0x7f, 0x64, + 0x8d, 0x10, 0x6c, 0x24, 0xf3, 0x61, 0x9c, 0xc0, 0xf2, 0x90, 0xfa, 0x51, 0xe6, 0xf5, 0x69, 0x01, + 0x63, 0xc3, 0x0f, 0x56, 0xe2, 0x4a, 0x42, 0xcf, 0xe2, 0x44, 0x8c, 0x25, 0x28, 0xa8, 0xc5, 0x79, + 0x09, 0x7d, 0x46, 0xb9, 0x8a, 0xf3, 0xe9, 0xf3, 0x34, 0x29, 0x08, 0x45, 0xe4, 0x1c, 0x9f, 0xcb, + 0x94, 0x04, 0x1c, 0x81, 0xa8, 0x14, 0xb3, 0x98, 0x65, 0xc4, 0x43, 0xec, 0x4e, 0x82, 0x8d, 0x09, + 0xd1, 0xbd, 0xaa, 0x5b, 0x8d, 0x92, 0xd0, 0xec, 0xde, 0x90, 0xc5, 0x7f, 0x0a, 0xc2, 0xe3, 0xeb, + 0xe6, 0x31, 0x5a, 0x5e, 0x74, 0x3e, 0x97, 0x33, 0x59, 0xe8, 0xc3, 0x03, 0x3d, 0x60, 0x33, 0xbf, + 0xf7, 0xd1, 0x6f, 0x47, 0xc4, 0xcd, 0xee, 0x62, 0x83, 0x52, 0x6e, 0x2e, 0x08, 0x9a, 0xa4, 0xd9, + 0x15, 0x18, 0x91, 0xa6, 0x85, 0x92, 0x47, 0xb0, 0xae, 0x48, 0xeb, 0x6d, 0xb7, 0x21, 0xec, 0x85, + 0x1a, 0x68, 0x72, 0x35, 0xab, 0xff, 0xf0, 0x10, 0x5d, 0xc0, 0xf4, 0x94, 0xa7, 0x6a, 0xd5, 0x3b, + 0x92, 0x7e, 0x4c, 0x90, 0x05, 0x7e, 0x93, 0xc1, 0x2c, 0x8b, 0xa4, 0x8e, 0x62, 0x74, 0x15, 0x71, + 0x6e, 0x0b, 0x71, 0x03, 0xea, 0xaf, 0x15, 0x38, 0x9a, 0xd4, 0xd2, 0x05, 0x72, 0x6f, 0x8c, 0xf9, + 0x2b, 0xeb, 0x5a, 0x72, 0x25, 0xf9, 0x39, 0x46, 0xe3, 0x72, 0x1b, 0x3e, 0x04, 0xc3, 0x64, 0x27, + 0x22, 0x10, 0x2a, 0x8a, 0x4f, 0x58, 0xa7, 0x03, 0xad, 0xbe, 0xb4, 0x2e, 0x13, 0xed, 0x5d, 0xaa, + 0x48, 0xd7, 0xd5, 0x7d, 0xd4, 0x2a, 0x7b, 0x5c, 0xfa, 0x46, 0x04, 0x50, 0xe4, 0xcc, 0x0e, 0x42, + 0x5b, 0x8c, 0xed, 0xdb, 0xf2, 0xcf, 0xfc, 0x96, 0x93, 0xe0, 0xdb, 0x11, 0x36, 0x54, 0x62, 0x34, + 0x38, 0x8f, 0x0c, 0x60, 0x9b, 0x3b, 0x97, 0x56, 0x38, 0xad, 0xf3, 0xd2, 0x5b, 0x8b, 0xa0, 0x5b, + 0xea, 0x4e, 0x96, 0xb8, 0x7c, 0xd7, 0xd5, 0xa0, 0x86, 0x70, 0x40, 0xd3, 0x91, 0x29, 0xb7, 0xa2, + 0x3c, 0xad, 0xf5, 0x8c, 0xbb, 0xcf, 0x1a, 0x92, 0x8a, 0xe4, 0x34, 0x7b, 0xc0, 0xd8, 0x6c, 0x5f, + 0xe9, 0x0a, 0xc2, 0xc3, 0xa7, 0x20, 0x9a, 0x5a, 0xdf, 0x2c, 0x5d, 0x52, 0x5c, 0xba, 0x47, 0xd5, + 0x9b, 0xef, 0x24, 0x28, 0x70, 0x38, 0x20, 0x2f, 0xd5, 0x7f, 0x29, 0xc0, 0xb2, 0x41, 0x03, 0x68, + 0x92, 0xcc, 0xe0, 0x9c, 0xcc, 0x97, 0x4b, 0x45, 0xef, 0x3a, 0x10, 0x0a, 0xab, 0x70, 0x3a, 0x98, + 0x95, 0x70, 0xad, 0x35, 0xb1, 0xea, 0x85, 0x2b, 0xa4, 0x1c, 0x80, 0x21, 0x31, 0xa9, 0xae, 0x60, + 0x7a, 0x80, 0x26, 0x48, 0x00, 0xb8, 0x01, 0xc0, 0x93, 0x63, 0x55, 0x22, 0x91, 0x3c, 0x56, 0xe7, + 0xaf, 0xdb, 0x3a, 0x25, 0xf3, 0x8f, 0x31, 0x54, 0xea, 0x26, 0x8b, 0x81, 0x59, 0xf9, 0xa1, 0xd1, + 0x53, 0x11, 0xc5, 0x7b, 0x9d, 0x03, 0xf6, 0x74, 0x11, 0xe0, 0x6d, 0xb1, 0x2c, 0x3f, 0x2c, 0x86, + 0x91, 0x99, 0x71, 0x9a, 0xa6, 0x77, 0x8b, 0x34, 0x60, 0xd1, 0x14, 0xb4, 0x2c, 0xac, 0x9d, 0xaf, + 0x8c, 0x10, 0xd3, 0x9f, 0xc4, 0x6a, 0xf8, 0x6f, 0x13, 0xfc, 0x73, 0x59, 0xf7, 0x66, 0x42, 0x74, + 0x1e, 0x8a, 0xe3, 0xf8, 0xdc, 0xd2, 0x6f, 0x98, 0x9c, 0xcb, 0x47, 0x98, 0x95, 0x40, 0x05, 0xfb, + 0xe9, 0x02, 0x03, 0x01, 0x00, 0x01, +}; + static const unsigned char verisign_v1_ca[] = { 0x30, 0x82, 0x02, 0x3c, 0x30, 0x82, 0x01, 0xa5, 0x02, 0x10, 0x3f, 0x69, 0x1e, 0x81, 0x9c, 0xf0, 0x9a, 0x4a, 0xf3, 0x73, 0xff, 0xb9, 0x48, 0xa2, 0xe4, 0xdd, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, @@ -273,6 +311,30 @@ static const unsigned char verisign_v1_ca[] = { 0xfd, 0x76, 0x04, 0xdb, 0x62, 0xbb, 0x90, 0x6a, 0x03, 0xd9, 0x46, 0x35, 0xd9, 0xf8, 0x7c, 0x5b, }; +static const unsigned char verisign_v1_ca_subject[] = { + 0x30, 0x5f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, + 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, + 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x37, 0x30, 0x35, 0x06, 0x03, 0x55, 0x04, + 0x0b, 0x13, 0x2e, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x20, 0x31, 0x20, 0x50, 0x75, 0x62, 0x6c, 0x69, + 0x63, 0x20, 0x50, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, + 0x79, +}; + +static const unsigned char verisign_v1_ca_public_key[] = { + 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, + 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xe5, 0x19, 0xbf, + 0x6d, 0xa3, 0x56, 0x61, 0x2d, 0x99, 0x48, 0x71, 0xf6, 0x67, 0xde, 0xb9, 0x8d, 0xeb, 0xb7, 0x9e, + 0x86, 0x80, 0x0a, 0x91, 0x0e, 0xfa, 0x38, 0x25, 0xaf, 0x46, 0x88, 0x82, 0xe5, 0x73, 0xa8, 0xa0, + 0x9b, 0x24, 0x5d, 0x0d, 0x1f, 0xcc, 0x65, 0x6e, 0x0c, 0xb0, 0xd0, 0x56, 0x84, 0x18, 0x87, 0x9a, + 0x06, 0x9b, 0x10, 0xa1, 0x73, 0xdf, 0xb4, 0x58, 0x39, 0x6b, 0x6e, 0xc1, 0xf6, 0x15, 0xd5, 0xa8, + 0xa8, 0x3f, 0xaa, 0x12, 0x06, 0x8d, 0x31, 0xac, 0x7f, 0xb0, 0x34, 0xd7, 0x8f, 0x34, 0x67, 0x88, + 0x09, 0xcd, 0x14, 0x11, 0xe2, 0x4e, 0x45, 0x56, 0x69, 0x1f, 0x78, 0x02, 0x80, 0xda, 0xdc, 0x47, + 0x91, 0x29, 0xbb, 0x36, 0xc9, 0x63, 0x5c, 0xc5, 0xe0, 0xd7, 0x2d, 0x87, 0x7b, 0xa1, 0xb7, 0x32, + 0xb0, 0x7b, 0x30, 0xba, 0x2a, 0x2f, 0x31, 0xaa, 0xee, 0xa3, 0x67, 0xda, 0xdb, 0x02, 0x03, 0x01, + 0x00, 0x01, +}; + static const char test_text[] = "This is the file text"; static const char test_eku_server_and_client[] = { |