| author | Stef Walter <stefw@redhat.com> | 2014-10-09 08:15:29 +0200 |
|---|---|---|
| committer | Stef Walter <stefw@redhat.com> | 2014-10-09 13:08:05 +0200 |
| commit | 03d280df9a73aca5cb6eabbcb97ef3ca4e1ae0e5 (patch) | |
| tree | 943e5da0523a6c6094026cc96e393d40fee1e282 /trust/test-parser.c | |
| parent | b3579cb54bd5cd16e9740404408b2505b4b1e26b (diff) | |
trust: Certificate CKA_ID is SubjectKeyIdentifier if possible

The PKCS#11 spec states that the CKA_ID should match the
SubjectKeyIdentifier if such an extension is present.

We delay the filling of CKA_ID until the builder phase of populating
attributes which allows us to have more control over how this works.

Note that we don't make CKA_ID reflect SubjectKeyIdentifier *attached*
extensions. The CKA_ID isn't supposed to change after object creation.
Making it dependent on attached extensions would be making promises
we cannot keep, since attached extensions can be added/removed at any
time.

This also means the CKA_ID of attached extensions and certificates
won't necessarily match up, but that was never promised, and not how
attached extensions should be matched to their certificate anyway.

Based on a patch and research done by David Woodhouse.

https://bugs.freedesktop.org/show_bug.cgi?id=84761
Diffstat (limited to 'trust/test-parser.c')
| -rw-r--r-- | trust/test-parser.c | 2 |
1 files changed, 0 insertions, 2 deletions
diff --git a/trust/test-parser.c b/trust/test-parser.c index 201ed81..b5c2525 100644 --- a/trust/test-parser.c +++ b/trust/test-parser.c @@ -247,7 +247,6 @@ test_parse_openssl_trusted (void) assert_ptr_not_null (object); test_check_attrs (expected[i], object); - test_check_id (cert, object); } } @@ -329,7 +328,6 @@ test_parse_openssl_distrusted (void) assert_ptr_not_null (object); test_check_attrs (expected[i], object); - test_check_id (cert, object); } } |
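Review bot: In test_parse_openssl_trusted, dropping `test_check_id (cert, object);` leaves CKA_ID completely unchecked at the parser level. Since the commit message says CKA_ID is now filled in during the builder phase, consider replacing the removed call with an assertion that the parsed object carries no CKA_ID yet, so a regression that reintroduces an ID at parse time is caught. The view here is limited to trust/test-parser.c, so please confirm that the builder tests cover both cases: a certificate with a SubjectKeyIdentifier extension and one without.

Review bot: In test_parse_openssl_distrusted, the same removal means `cert` may no longer be used for anything but the attribute comparison; if it is now unused in either test, drop it to avoid a compiler warning. The diffstat shows only these two deletions in this file, so if `test_check_id` is defined here and has no remaining callers it should be removed in the same commit.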
