From 6ecf586a1e31f2874c7b185f4f2061aa9e83c08a Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Fri, 8 Mar 2013 22:50:06 +0100 Subject: trust: Use the new NSS PKCS#11 extension codes NSS had subtly changed the values of the distrust CK_TRUST codes so update them to stay in sync. --- common/attrs.c | 76 +++++++++++++++++++++++------------------------ common/pkcs11x.h | 59 ++++++++++++++++++------------------ trust/adapter.c | 22 +++++++------- trust/tests/test-module.c | 4 +-- trust/tests/test-parser.c | 22 +++++++------- trust/token.c | 6 ++-- 6 files changed, 95 insertions(+), 94 deletions(-) diff --git a/common/attrs.c b/common/attrs.c index b123b07..759bb75 100644 --- a/common/attrs.c +++ b/common/attrs.c @@ -581,19 +581,19 @@ attribute_is_sensitive (const CK_ATTRIBUTE *attr) X (CKA_X_PEER) X (CKA_X_DISTRUSTED) X (CKA_X_CRITICAL) - X (CKA_NETSCAPE_URL) - X (CKA_NETSCAPE_EMAIL) - X (CKA_NETSCAPE_SMIME_INFO) - X (CKA_NETSCAPE_SMIME_TIMESTAMP) - X (CKA_NETSCAPE_PKCS8_SALT) - X (CKA_NETSCAPE_PASSWORD_CHECK) - X (CKA_NETSCAPE_EXPIRES) - X (CKA_NETSCAPE_KRL) - X (CKA_NETSCAPE_PQG_COUNTER) - X (CKA_NETSCAPE_PQG_SEED) - X (CKA_NETSCAPE_PQG_H) - X (CKA_NETSCAPE_PQG_SEED_BITS) - X (CKA_NETSCAPE_MODULE_SPEC) + X (CKA_NSS_URL) + X (CKA_NSS_EMAIL) + X (CKA_NSS_SMIME_INFO) + X (CKA_NSS_SMIME_TIMESTAMP) + X (CKA_NSS_PKCS8_SALT) + X (CKA_NSS_PASSWORD_CHECK) + X (CKA_NSS_EXPIRES) + X (CKA_NSS_KRL) + X (CKA_NSS_PQG_COUNTER) + X (CKA_NSS_PQG_SEED) + X (CKA_NSS_PQG_H) + X (CKA_NSS_PQG_SEED_BITS) + X (CKA_NSS_MODULE_SPEC) X (CKA_TRUST_DIGITAL_SIGNATURE) X (CKA_TRUST_NON_REPUDIATION) X (CKA_TRUST_KEY_ENCIPHERMENT) 
@@ -636,12 +636,12 @@ format_class (p11_buffer *buffer, X (CKO_MECHANISM) X (CKO_X_TRUST_ASSERTION) X (CKO_X_CERTIFICATE_EXTENSION) - X (CKO_NETSCAPE_CRL) - X (CKO_NETSCAPE_SMIME) - X (CKO_NETSCAPE_TRUST) - X (CKO_NETSCAPE_BUILTIN_ROOT_LIST) - X (CKO_NETSCAPE_NEWSLOT) - X (CKO_NETSCAPE_DELSLOT) + X (CKO_NSS_CRL) + X (CKO_NSS_SMIME) + X (CKO_NSS_TRUST) + X (CKO_NSS_BUILTIN_ROOT_LIST) + X (CKO_NSS_NEWSLOT) + X (CKO_NSS_DELSLOT) #undef X } @@ -704,7 +704,7 @@ format_key_type (p11_buffer *buffer, X (CKK_AES) X (CKK_BLOWFISH) X (CKK_TWOFISH) - X (CKK_NETSCAPE_PKCS8) + X (CKK_NSS_PKCS8) #undef X } @@ -741,11 +741,11 @@ format_trust_value (p11_buffer *buffer, switch (trust) { #define X(x) case x: string = #x; break; - X (CKT_NETSCAPE_TRUSTED) - X (CKT_NETSCAPE_TRUSTED_DELEGATOR) - X (CKT_NETSCAPE_UNTRUSTED) - X (CKT_NETSCAPE_MUST_VERIFY) - X (CKT_NETSCAPE_TRUST_UNKNOWN) + X (CKT_NSS_TRUSTED) + X (CKT_NSS_TRUSTED_DELEGATOR) + X (CKT_NSS_NOT_TRUSTED) + X (CKT_NSS_MUST_VERIFY_TRUST) + X (CKT_NSS_TRUST_UNKNOWN) } if (string != NULL) @@ -880,19 +880,19 @@ format_attribute_type (p11_buffer *buffer, X (CKA_X_PEER) X (CKA_X_DISTRUSTED) X (CKA_X_CRITICAL) - X (CKA_NETSCAPE_URL) - X (CKA_NETSCAPE_EMAIL) - X (CKA_NETSCAPE_SMIME_INFO) - X (CKA_NETSCAPE_SMIME_TIMESTAMP) - X (CKA_NETSCAPE_PKCS8_SALT) - X (CKA_NETSCAPE_PASSWORD_CHECK) - X (CKA_NETSCAPE_EXPIRES) - X (CKA_NETSCAPE_KRL) - X (CKA_NETSCAPE_PQG_COUNTER) - X (CKA_NETSCAPE_PQG_SEED) - X (CKA_NETSCAPE_PQG_H) - X (CKA_NETSCAPE_PQG_SEED_BITS) - X (CKA_NETSCAPE_MODULE_SPEC) + X (CKA_NSS_URL) + X (CKA_NSS_EMAIL) + X (CKA_NSS_SMIME_INFO) + X (CKA_NSS_SMIME_TIMESTAMP) + X (CKA_NSS_PKCS8_SALT) + X (CKA_NSS_PASSWORD_CHECK) + X (CKA_NSS_EXPIRES) + X (CKA_NSS_KRL) + X (CKA_NSS_PQG_COUNTER) + X (CKA_NSS_PQG_SEED) + X (CKA_NSS_PQG_H) + X (CKA_NSS_PQG_SEED_BITS) + X (CKA_NSS_MODULE_SPEC) X (CKA_TRUST_DIGITAL_SIGNATURE) X (CKA_TRUST_NON_REPUDIATION) X (CKA_TRUST_KEY_ENCIPHERMENT) 
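Review bot: The `format_trust_value` switch in the `@@ -741` hunk still lists only five `CKT_NSS_*` codes, but this same commit adds `CKT_NSS_VALID_DELEGATOR` (0xce53435BUL) to pkcs11x.h, so that value would fall through with `string` unset and be printed as a raw number instead of its name. Add `X (CKT_NSS_VALID_DELEGATOR)` after `X (CKT_NSS_TRUST_UNKNOWN)` so the debug formatter stays in sync with the header it names. Since two distinct names now map to values that are adjacent in the old numbering (`CKT_NSS_MUST_VERIFY_TRUST` = 0xce534353, the former UNTRUSTED code), a one-line comment above the switch such as `/* Keep in sync with the CKT_NSS_* list in pkcs11x.h */` would help the next person who adds a code. The rest of `format_trust_value`, including the fallback when `string` is NULL, is outside this hunk.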
diff --git a/common/pkcs11x.h b/common/pkcs11x.h
index a1e5971..58be460 100644
--- a/common/pkcs11x.h
+++ b/common/pkcs11x.h
@@ -50,30 +50,30 @@ extern "C" { #ifdef CRYPTOKI_NSS_VENDOR_DEFINED /* Various NSS objects */ -#define CKO_NETSCAPE_CRL 0xce534351UL -#define CKO_NETSCAPE_SMIME 0xce534352UL -#define CKO_NETSCAPE_TRUST 0xce534353UL -#define CKO_NETSCAPE_BUILTIN_ROOT_LIST 0xce534354UL -#define CKO_NETSCAPE_NEWSLOT 0xce534355UL -#define CKO_NETSCAPE_DELSLOT 0xce534356UL +#define CKO_NSS_CRL 0xce534351UL +#define CKO_NSS_SMIME 0xce534352UL +#define CKO_NSS_TRUST 0xce534353UL +#define CKO_NSS_BUILTIN_ROOT_LIST 0xce534354UL +#define CKO_NSS_NEWSLOT 0xce534355UL +#define CKO_NSS_DELSLOT 0xce534356UL /* Various NSS key types */ -#define CKK_NETSCAPE_PKCS8 0xce534351UL +#define CKK_NSS_PKCS8 0xce534351UL /* Various NSS attributes */ -#define CKA_NETSCAPE_URL 0xce534351UL -#define CKA_NETSCAPE_EMAIL 0xce534352UL -#define CKA_NETSCAPE_SMIME_INFO 0xce534353UL -#define CKA_NETSCAPE_SMIME_TIMESTAMP 0xce534354UL -#define CKA_NETSCAPE_PKCS8_SALT 0xce534355UL -#define CKA_NETSCAPE_PASSWORD_CHECK 0xce534356UL -#define CKA_NETSCAPE_EXPIRES 0xce534357UL -#define CKA_NETSCAPE_KRL 0xce534358UL -#define CKA_NETSCAPE_PQG_COUNTER 0xce534364UL -#define CKA_NETSCAPE_PQG_SEED 0xce534365UL -#define CKA_NETSCAPE_PQG_H 0xce534366UL -#define CKA_NETSCAPE_PQG_SEED_BITS 0xce534367UL -#define CKA_NETSCAPE_MODULE_SPEC 0xce534368UL +#define CKA_NSS_URL 0xce534351UL +#define CKA_NSS_EMAIL 0xce534352UL +#define CKA_NSS_SMIME_INFO 0xce534353UL +#define CKA_NSS_SMIME_TIMESTAMP 0xce534354UL +#define CKA_NSS_PKCS8_SALT 0xce534355UL +#define CKA_NSS_PASSWORD_CHECK 0xce534356UL +#define CKA_NSS_EXPIRES 0xce534357UL +#define CKA_NSS_KRL 0xce534358UL +#define CKA_NSS_PQG_COUNTER 0xce534364UL +#define CKA_NSS_PQG_SEED 0xce534365UL +#define CKA_NSS_PQG_H 0xce534366UL +#define CKA_NSS_PQG_SEED_BITS 0xce534367UL +#define CKA_NSS_MODULE_SPEC 0xce534368UL /* NSS trust attributes */ #define CKA_TRUST_DIGITAL_SIGNATURE 0xce536351UL 
@@ -97,19 +97,20 @@ extern "C" { /* NSS trust values */ typedef CK_ULONG CK_TRUST; -#define CKT_NETSCAPE_TRUSTED 0xce534351UL -#define CKT_NETSCAPE_TRUSTED_DELEGATOR 0xce534352UL -#define CKT_NETSCAPE_UNTRUSTED 0xce534353UL -#define CKT_NETSCAPE_MUST_VERIFY 0xce534354UL -#define CKT_NETSCAPE_TRUST_UNKNOWN 0xce534355UL +#define CKT_NSS_TRUSTED 0xce534351UL +#define CKT_NSS_TRUSTED_DELEGATOR 0xce534352UL +#define CKT_NSS_MUST_VERIFY_TRUST 0xce534353UL +#define CKT_NSS_NOT_TRUSTED 0xce53435AUL +#define CKT_NSS_TRUST_UNKNOWN 0xce534355UL +#define CKT_NSS_VALID_DELEGATOR 0xce53435BUL /* NSS specific mechanisms */ -#define CKM_NETSCAPE_AES_KEY_WRAP 0xce534351UL -#define CKM_NETSCAPE_AES_KEY_WRAP_PAD 0xce534352UL +#define CKM_NSS_AES_KEY_WRAP 0xce534351UL +#define CKM_NSS_AES_KEY_WRAP_PAD 0xce534352UL /* NSS specific return values */ -#define CKR_NETSCAPE_CERTDB_FAILED 0xce534351UL -#define CKR_NETSCAPE_KEYDB_FAILED 0xce534352UL +#define CKR_NSS_CERTDB_FAILED 0xce534351UL +#define CKR_NSS_KEYDB_FAILED 0xce534352UL #endif /* CRYPTOKI_NSS_VENDOR_DEFINED */ diff --git a/trust/adapter.c b/trust/adapter.c index d17cb70..08e4c78 100644 --- a/trust/adapter.c +++ b/trust/adapter.c @@ -82,7 +82,7 @@ build_trust_object_ku (p11_parser *parser, defawlt = present; /* If blacklisted, don't even bother looking at extensions */ - if (present != CKT_NETSCAPE_UNTRUSTED) + if (present != CKT_NSS_NOT_TRUSTED) data = p11_parsing_get_extension (parser, parsing, P11_OID_KEY_USAGE, &length); if (data) { @@ -91,7 +91,7 @@ build_trust_object_ku (p11_parser *parser, * usages are to be set. If the extension was invalid, then * fail safe to none of the key usages. */ - defawlt = CKT_NETSCAPE_TRUST_UNKNOWN; + defawlt = CKT_NSS_TRUST_UNKNOWN; defs = p11_parser_get_asn1_defs (parser); if (!p11_x509_parse_key_usage (defs, data, length, &ku)) 
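Review bot: The new `CKT_NSS_NOT_TRUSTED` is defined as 0xce53435AUL while 0xce534353UL, which this file previously called `CKT_NETSCAPE_UNTRUSTED`, is now `CKT_NSS_MUST_VERIFY_TRUST`, and nothing in the header records that the distrust code moved. That matters for a blacklist: any consumer or stored object still using the old numbering will read p11-kit's distrust marker as an unknown code, and a new reader will take a legacy 0xce534353 as "must verify" rather than "not trusted", so in both directions an explicit distrust silently degrades to a weaker state. I would add a comment next to the definition, e.g. `/* 0xce534353 was CKT_NETSCAPE_UNTRUSTED; NSS reassigned it to MUST_VERIFY_TRUST, so distrust must now be emitted as 0xce53435A (never the old code). */`, and the commit message should state that the on-disk/on-wire value for distrust changed, not just the identifier. `CKT_NSS_VALID_DELEGATOR` is also introduced here but is not referenced by any other hunk in the patch; if it is only for header completeness a comment saying so would avoid it being mistaken for a supported trust level.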
@@ -171,19 +171,19 @@ build_trust_object_eku (p11_parser *parser, return_val_if_reached (NULL); /* The neutral value is set if an purpose is not present */ - if (allow == CKT_NETSCAPE_UNTRUSTED) - neutral = CKT_NETSCAPE_UNTRUSTED; + if (allow == CKT_NSS_NOT_TRUSTED) + neutral = CKT_NSS_NOT_TRUSTED; /* If anything explicitly set, then neutral is unknown */ else if (purposes || rejects) - neutral = CKT_NETSCAPE_TRUST_UNKNOWN; + neutral = CKT_NSS_TRUST_UNKNOWN; /* Otherwise neutral will allow any purpose */ else neutral = allow; /* The value set if a purpose is explictly rejected */ - disallow = CKT_NETSCAPE_UNTRUSTED; + disallow = CKT_NSS_NOT_TRUSTED; for (i = 0; eku_attribute_map[i].type != CKA_INVALID; i++) { attrs[i].type = eku_attribute_map[i].type; @@ -218,7 +218,7 @@ build_nss_trust_object (p11_parser *parser, CK_ATTRIBUTE *object = NULL; CK_TRUST allow; - CK_OBJECT_CLASS vclass = CKO_NETSCAPE_TRUST; + CK_OBJECT_CLASS vclass = CKO_NSS_TRUST; CK_BYTE vsha1_hash[P11_CHECKSUM_SHA1_LENGTH]; CK_BYTE vmd5_hash[P11_CHECKSUM_MD5_LENGTH]; CK_BBOOL vfalse = CK_FALSE; @@ -270,13 +270,13 @@ build_nss_trust_object (p11_parser *parser, /* Calculate the default allow trust */ if (distrust) - allow = CKT_NETSCAPE_UNTRUSTED; + allow = CKT_NSS_NOT_TRUSTED; else if (trust && authority) - allow = CKT_NETSCAPE_TRUSTED_DELEGATOR; + allow = CKT_NSS_TRUSTED_DELEGATOR; else if (trust) - allow = CKT_NETSCAPE_TRUSTED; + allow = CKT_NSS_TRUSTED; else - allow = CKT_NETSCAPE_TRUST_UNKNOWN; + allow = CKT_NSS_TRUST_UNKNOWN; object = build_trust_object_ku (parser, parsing, object, allow); return_if_fail (object != NULL); diff --git a/trust/tests/test-module.c b/trust/tests/test-module.c index 2e085ba..2d0e488 100644 --- a/trust/tests/test-module.c +++ b/trust/tests/test-module.c 
@@ -192,7 +192,7 @@ static void check_has_trust_object (CuTest *cu, CK_ATTRIBUTE *cert) { - CK_OBJECT_CLASS trust_object = CKO_NETSCAPE_TRUST; + CK_OBJECT_CLASS trust_object = CKO_NSS_TRUST; CK_ATTRIBUTE klass = { CKA_CLASS, &trust_object, sizeof (trust_object) }; CK_OBJECT_HANDLE objects[2]; CK_ATTRIBUTE *match; @@ -314,7 +314,7 @@ test_find_certificates (CuTest *cu) static void test_find_builtin (CuTest *cu) { - CK_OBJECT_CLASS klass = CKO_NETSCAPE_BUILTIN_ROOT_LIST; + CK_OBJECT_CLASS klass = CKO_NSS_BUILTIN_ROOT_LIST; CK_BBOOL vtrue = CK_TRUE; CK_BBOOL vfalse = CK_FALSE; diff --git a/trust/tests/test-parser.c b/trust/tests/test-parser.c index 581ff5e..0f40748 100644 --- a/trust/tests/test-parser.c +++ b/trust/tests/test-parser.c @@ -154,11 +154,11 @@ test_parse_pem_certificate (CuTest *cu) static void test_parse_openssl_trusted (CuTest *cu) { - CK_TRUST trusted = CKT_NETSCAPE_TRUSTED_DELEGATOR; - CK_TRUST distrusted = CKT_NETSCAPE_UNTRUSTED; - CK_TRUST unknown = CKT_NETSCAPE_TRUST_UNKNOWN; + CK_TRUST trusted = CKT_NSS_TRUSTED_DELEGATOR; + CK_TRUST distrusted = CKT_NSS_NOT_TRUSTED; + CK_TRUST unknown = CKT_NSS_TRUST_UNKNOWN; CK_OBJECT_CLASS certificate_extension = CKO_X_CERTIFICATE_EXTENSION; - CK_OBJECT_CLASS trust_object = CKO_NETSCAPE_TRUST; + CK_OBJECT_CLASS trust_object = CKO_NSS_TRUST; CK_OBJECT_CLASS trust_assertion = CKO_X_TRUST_ASSERTION; CK_X_ASSERTION_TYPE anchored_certificate = CKT_X_ANCHORED_CERTIFICATE; CK_X_ASSERTION_TYPE distrusted_certificate = CKT_X_DISTRUSTED_CERTIFICATE; 
@@ -294,9 +294,9 @@ test_parse_openssl_trusted (CuTest *cu) static void test_parse_openssl_distrusted (CuTest *cu) { - CK_TRUST distrusted = CKT_NETSCAPE_UNTRUSTED; + CK_TRUST distrusted = CKT_NSS_NOT_TRUSTED; CK_OBJECT_CLASS certificate_extension = CKO_X_CERTIFICATE_EXTENSION; - CK_OBJECT_CLASS trust_object = CKO_NETSCAPE_TRUST; + CK_OBJECT_CLASS trust_object = CKO_NSS_TRUST; CK_OBJECT_CLASS klass = CKO_CERTIFICATE; CK_OBJECT_CLASS trust_assertion = CKO_X_TRUST_ASSERTION; CK_X_ASSERTION_TYPE distrusted_certificate = CKT_X_DISTRUSTED_CERTIFICATE; @@ -515,10 +515,10 @@ test_parse_openssl_distrusted (CuTest *cu) static void test_parse_with_key_usage (CuTest *cu) { - CK_TRUST trusted = CKT_NETSCAPE_TRUSTED; - CK_TRUST unknown = CKT_NETSCAPE_TRUST_UNKNOWN; + CK_TRUST trusted = CKT_NSS_TRUSTED; + CK_TRUST unknown = CKT_NSS_TRUST_UNKNOWN; CK_OBJECT_CLASS klass = CKO_CERTIFICATE; - CK_OBJECT_CLASS trust_object = CKO_NETSCAPE_TRUST; + CK_OBJECT_CLASS trust_object = CKO_NSS_TRUST; CK_BBOOL vtrue = CK_TRUE; CK_BBOOL vfalse = CK_FALSE; CK_CERTIFICATE_TYPE x509 = CKC_X_509; @@ -606,9 +606,9 @@ static void test_parse_anchor (CuTest *cu) { CK_BBOOL vtrue = CK_TRUE; - CK_OBJECT_CLASS trust_object = CKO_NETSCAPE_TRUST; + CK_OBJECT_CLASS trust_object = CKO_NSS_TRUST; CK_ATTRIBUTE trusted = { CKA_TRUSTED, &vtrue, sizeof (vtrue) }; - CK_TRUST delegator = CKT_NETSCAPE_TRUSTED_DELEGATOR; + CK_TRUST delegator = CKT_NSS_TRUSTED_DELEGATOR; CK_OBJECT_CLASS trust_assertion = CKO_X_TRUST_ASSERTION; CK_X_ASSERTION_TYPE anchored_certificate = CKT_X_ANCHORED_CERTIFICATE; diff --git a/trust/token.c b/trust/token.c index 46eea20..3c0de4c 100644 --- a/trust/token.c +++ b/trust/token.c 
@@ -214,9 +214,9 @@ loader_load_paths (p11_token *token, static int load_builtin_objects (p11_token *token) { - CK_OBJECT_CLASS builtin = CKO_NETSCAPE_BUILTIN_ROOT_LIST; - CK_OBJECT_CLASS nss_trust = CKO_NETSCAPE_TRUST; - CK_TRUST nss_not_trusted = CKT_NETSCAPE_UNTRUSTED; + CK_OBJECT_CLASS builtin = CKO_NSS_BUILTIN_ROOT_LIST; + CK_OBJECT_CLASS nss_trust = CKO_NSS_TRUST; + CK_TRUST nss_not_trusted = CKT_NSS_NOT_TRUSTED; CK_BBOOL vtrue = CK_TRUE; CK_BBOOL vfalse = CK_FALSE; -- cgit v1.1