trust: Use a SHA-1 hash of subjectPublicKeyInfo as CKA_ID by default

This is what's recommended by the spec, and allows stapled extensions
to hang off a predictable CKA_ID.

https://bugs.freedesktop.org/show_bug.cgi?id=62329

1 files changed, 31 insertions, 0 deletions

diff --git a/trust/tests/test-parser.c b/trust/tests/test-parser.c
index 3ad89da..a63d7a5 100644
--- a/trust/tests/test-parser.c
+++ b/trust/tests/test-parser.c
@@ -339,6 +339,36 @@ test_parse_anchor (CuTest *cu)
 	teardown (cu);
 }
 
+static void
+test_parse_thawte (CuTest *cu)
+{
+	CK_ATTRIBUTE *cert;
+	int ret;
+
+	CK_ATTRIBUTE expected[] = {
+		{ CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) },
+		{ CKA_CLASS, &certificate, sizeof (certificate) },
+		{ CKA_MODIFIABLE, &falsev, sizeof (falsev) },
+		{ CKA_TRUSTED, &falsev, sizeof (falsev) },
+		{ CKA_X_DISTRUSTED, &falsev, sizeof (falsev) },
+		{ CKA_INVALID },
+	};
+
+	setup (cu);
+
+	ret = p11_parse_file (test.parser, SRCDIR "/files/thawte.pem",
+	                      P11_PARSE_FLAG_NONE);
+	CuAssertIntEquals (cu, P11_PARSE_SUCCESS, ret);
+
+	/* Should have gotten certificate  */
+	CuAssertIntEquals (cu, 1, p11_index_size (test.index));
+
+	cert = parsed_attrs (certificate_match);
+	test_check_attrs (cu, expected, cert);
+
+	teardown (cu);
+}
+
 /* TODO: A certificate that uses generalTime needs testing */
 
 static void
@@ -393,6 +423,7 @@ main (void)
 	SUITE_ADD_TEST (suite, test_parse_openssl_trusted);
 	SUITE_ADD_TEST (suite, test_parse_openssl_distrusted);
 	SUITE_ADD_TEST (suite, test_parse_anchor);
+	SUITE_ADD_TEST (suite, test_parse_thawte);
 	SUITE_ADD_TEST (suite, test_parse_invalid_file);
 	SUITE_ADD_TEST (suite, test_parse_unrecognized);