| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
* Support the TAP protocol
* Much cleaner without having to carry around state
* First class support for setup/teardown
* Port the common tests
* Wait on porting other tests until we've merged outstanding code
|
| |
|
|
|
|
|
|
|
| |
Support a new managed style module loading for PKCS#11 modules. This
allows us to better coordinate between multiple callers of the same
PKCS#11 modules and provide hooks into their behavior.
This meant redoing the public facing API. The old methods are now
deprecated, marked and documented as such.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The PKCS#11 specification does not note what timezone these dates
are in. In addition the time values are not represented in PKCS#11.
So don't reinterpret certificate dates, other than filling in the
century for dates that have a two digit year.
Lastly, these are low resolution optional fields so not being all
strict about timezones here is appropriate.
https://bugs.freedesktop.org/show_bug.cgi?id=62825
|
| |
|
|
|
|
|
|
| |
Sometimes NSS queries for trust objects using invalid serial numbers
that do not have their DER decoding. We fixed this earlier, but want
to make sure there are no corner cases, accidentally not matching
serial numbers that happen to start with the same bytes as a DER
TLV would.
|
| |
|
|
|
|
|
|
|
|
| |
Centralize the path handling code, so we can remove unixy assumptions
and have a chance of running on Windows. The current goal is to run
all the tests on Windows.
Includes some code from LRN <lrn1986@gmail.com>
https://bugs.freedesktop.org/show_bug.cgi?id=63062
|
| |
|
|
|
|
|
|
|
|
|
| |
Put library init/uninit code its into their own statically
linked library so that they don't get linked into the p11-kit
executable.
Refactor the message code so that the library initialization can
plug in its per thread message buffer.
https://bugs.freedesktop.org/show_bug.cgi?id=63046
|
| |
|
|
| |
Also remove some generated files from the po/ directory.
|
| |
|
|
|
|
|
| |
These don't contain the CKA_VALUE attribute for certificate data
but rather the CKA_X_CERTIFICATE_VALUE attribute.
https://bugs.freedesktop.org/show_bug.cgi?id=62896
|
| |
|
|
|
|
|
| |
Some callers erroneously call our C_Logout function, like NSS.
So return appropriate error codes in these cases.
https://bugs.freedesktop.org/show_bug.cgi?id=62874
|
| |
|
|
|
|
|
|
|
| |
Since CKA_START_DATE and CKA_END_DATE are the only places
where we want to parse out times, and these are optional, just
leave blank if the time overflows what libc can handle on
a 32-bit system.
https://bugs.freedesktop.org/show_bug.cgi?id=62825
|
| | |
|
| |
|
|
| |
These are things that showed up in valgrind while running the tests.
|
| |
|
|
|
| |
* make memcheck: Runs basic memory checking
* make leakcheck: Also runs leak checking
|
| |
|
|
|
|
|
|
| |
If duplicate certificates are present in a token, we warn about this,
and don't really recommend it. However we have predictable behavior
where blacklist is prefered to anchor is preferred to unknown trust.
https://bugs.freedesktop.org/show_bug.cgi?id=62548
|
| |
|
|
|
|
|
|
|
| |
The index now uses a sort of cross between a hash table and a bloom
filter internally to select matching items. This is needed for the
massive amount of lookups we want to do during loading.
In addition make p11_index_find() and p11_index_replace() easier
to use.
|
| |
|
|
|
|
|
|
| |
While it's true that we shouldn't be pritning out CKA_VALUE in
certain cases, like for keys, we obviously can do so for certificates.
We don't have keys anyway, but in the interest of being general
purpose use the class to determine whether CKA_VALUE can be printed
|
| |
|
|
|
|
|
|
|
|
|
| |
Add implementation of the murmur2 hash function, and start using
it for our dictionaries. Our implementation is incremental
like our other hash functions.
Also remove p11_oid_hash() which wasn't being used.
In addition fix several tests whose success was based on the
way that the dictionary hashed. This was a hidden testing bug.
|
| |
|
|
|
| |
We're going to be adding other hashes. Also build as part of a
different common library.
|
| |
|
|
|
|
|
|
| |
Try to determine which one is the system trust input token,
and which one is the default token by using datadir and sysconfdir
respectively.
https://bugs.freedesktop.org/show_bug.cgi?id=62534
|
| | |
|
| |
|
|
|
| |
Allow passing the number of attributes to print, which lets us use
this directly on templates passed in by callers of the PKCS#11 API.
|
| |
|
|
|
|
|
|
| |
Handle lookups for trust objects (by NSS) which expect CKA_SERIAL_NUMBER
attributes without appropriate DER encoding.
In addition allow creation of NSS trust objects as PKCS#11 session
objects, so that we can test this behavior.
|
| |
|
|
|
|
|
| |
In many cases certficates are distrusted by serial+issuer. Make sure
this works, and fix various cases where we weren't generating
compat NSS objects and compat trust assertions for these types
of input.
|
| |
|
|
|
|
|
|
| |
There was a class of bugs for looking up invalid or empty
attributes in the internal PKCS#11 attribute arrays.
* Refine what p11_attrs_find_valid() treats as valid
* Rename p11_attrs_is_empty() to p11_attrs_terminator() for clarity
|
| | |
|
| |
|
|
|
| |
Can run with two modules now so that it can compare tokens NSS
trust info.
|
| |
|
|
|
|
|
| |
This is documented in doc/internals/ subdirectory
Add tests for the format as well.
https://bugs.freedesktop.org/show_bug.cgi?id=62156
|
| |
|
|
|
|
|
| |
This is what's recommended by the spec, and allows stapled extensions
to hang off a predictable CKA_ID.
https://bugs.freedesktop.org/show_bug.cgi?id=62329
|
| |
|
|
|
|
|
|
|
|
|
| |
The builder completes the objects from the parsed data and takes
over the responsibilities that the parser and adapter previously
shared.
This is necessary to prepare for arbitrary data coming from
the p11-kit specific input files.
https://bugs.freedesktop.org/show_bug.cgi?id=62329
|
| |
|
|
|
|
|
|
|
|
| |
* The index holds PKCS#11 objects whether for the token or for the session.
* The index provides hook for a builder to expand or validate objects
being added to the index.
* In addition theres a change hook so that a builder can maintain state
between objects, such as the compat NSS trust objects.
https://bugs.freedesktop.org/show_bug.cgi?id=62329
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Each source directory or file configured into the module or passed
in as an initialization argument becomes its own token.
Previously there was one token that contained certificates from
all the configured paths.
* These tokens are clearly labeled in the token info as
to the directory or file that they represent.
* Update PKCS#11 module logic to deal with multiple tokens, validate
the slot ids and so on.
* The order in which the paths are configured will become the
order of trust priority. This is the same order in which they
are listed through 'p11-kit list-modules' and C_GetSlotList.
* Update the frob-token internal tool to only play with one path
* Adjust tests where necessary to reflect the new state of things
and add tests for modified trust module code
https://bugs.freedesktop.org/show_bug.cgi?id=61499
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Accept a single --with-trust-paths argument to ./configure
which cotnains all the input paths.
* The --with-system-anchors and --with-system-certificates
./configure arguments are no longer supported. Since they were
only present briefly, no provision is made for backwards
compatibility.
* Each input file is treated as containing anchors by default
unless an input certificate contains detailed trust information.
* The files in each input directory are not automatically treated
as anchors unless a certificate contains detailed trust information.
* The files in anchors/ subdirectory of each input directory are
automatically marked as anchors.
* The files in the blacklist/ subdirectory of each input directory
are automatically marked as blacklisted.
* Update tests and move around test certificates so we can
test these changes.
https://bugs.freedesktop.org/show_bug.cgi?id=62327
|
| |
|
|
|
| |
When bringing over the BSD base64 code, there was a regression.
In addition add some tests for the base64 stuff.
|
| |
|
|
|
| |
Add a simple tool to dump NSS style distrust attributes from
a module.
|
| |
|
|
|
| |
NSS had subtly changed the values of the distrust CK_TRUST codes
so update them to stay in sync.
|
| |
|
|
| |
This fixes hangs when running tests on windows
|
| | |
|
| |
|
|
| |
Since older operating systems don't support setenv()
|
| |
|
|
|
| |
* This is in cases where the certificate information does not
already have a friendly name or alias.
|
| |
|
|
|
|
| |
* Implement trust assertions for anchored and distrusted certs
* Pinned certificate trust assertions are not implemented yet
* Add an internal tool for pulling apart bits of certificates
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Fill in CKA_CERTIFICATE_CATEGORY properly for authorities
based on the presence of BasicConstraints and/or v1 certificates
* Fill in CKA_TRUSTED and CKA_X_DISTRUSTED based on whether the
parser is running for anchors or blacklist
* In addition support the concept of blacklisted certificates mixed
in with the anchors (without any purposes) since that's what exists
in the real world.
* We do this after the various hooks have had a chance to mess
with the certificate extensions and such.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Use stapled certificate extensions to represent loaded trust policy
* Build NSS trust objects from stapled certificate extensions
* Add further attribute debugging for NSS trust objects
* Use a custom certificate extension for the OpenSSL reject purpose data
* Use SubjectKeyIdentifier for OpenSSL keyid data
* Use ExtendedKeyUsage for OpenSSL trust purpose data
* Implement simple way to handle binary DER OIDs, using the DER TLV
length. DER OIDs are used in the CKA_OBJECT_ID value, and elsewhere.
* Split out the building of NSS trust objects from the main parser
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
This tells NSS that this is a source of anchors.
|
| | |
|
| | |
|
|
|
This is based off the roots-store from gnome-keyring and loads
certificates from a root directory and exposes them as PKCS#11
objects.
|
