From 03d280df9a73aca5cb6eabbcb97ef3ca4e1ae0e5 Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Thu, 9 Oct 2014 08:15:29 +0200 Subject: trust: Certificate CKA_ID is SubjectKeyIdentifier if possible The PKCS#11 spec states that the CKA_ID should match the SubjectKeyIdentifier if such an extension is present. We delay the filling of CKA_ID until the builder phase of populating attributes which allows us to have more control over how this works. Note that we don't make CKA_ID reflect SubjectKeyIdentifier *attached* extensions. The CKA_ID isn't supposed to change after object creation. Making it dependent on attached extensions would be making promises we cannot keep, since attached extensions can be added/removed at any time. This also means the CKA_ID of attached extensions and certificates won't necessarily match up, but that was never promised, and not how attached extensions should be matched to their certificate anyway. Based on a patch and research done by David Woodhouse. https://bugs.freedesktop.org/show_bug.cgi?id=84761 --- trust/test-builder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'trust/test-builder.c') diff --git a/trust/test-builder.c b/trust/test-builder.c index bf1eed1..5f4b823 100644 --- a/trust/test-builder.c +++ b/trust/test-builder.c @@ -160,7 +160,7 @@ test_build_certificate (void) { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, { CKA_LABEL, "the label", 9 }, - { CKA_ID, "\xf0""a\xd8?\x95\x8fMx\xb1G\xb3\x13""9\x97\x8e\xa9\xc2Q\xba\x9b", 20}, + { CKA_ID, "u\xa8q`L\x88\x13\xf0x\xd9\x89w\xb5m\xc5\x89\xdf\xbc\xb1z", 20}, { CKA_INVALID }, }; -- cgit v1.1
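Review bot: The new expected CKA_ID in test_build_certificate is an opaque 20-byte literal, and nothing in the hunk says where the bytes come from, so a reader cannot confirm that it is the certificate's SubjectKeyIdentifier rather than some other digest. Suggest a short comment above the `{ CKA_ID, ... }` entry naming the source of the value, or moving the bytes into a named array next to test_cacert3_ca_issuer and test_cacert3_ca_serial and passing sizeof instead of the hard-coded 20. The literal also mixes printable characters with \x escapes; it does come to 20 bytes, but writing every byte as an escape would make it easier to compare against a dump of the extension. The subject line says "if possible", yet this file's diff changes only this one expectation, so a second case for a certificate without the extension would pin down the fallback CKA_ID as well.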