From 57697eda68a3343c2e54e5f8f3f4ce65a99383f5 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Wed, 31 Jan 2018 14:07:51 +0100 Subject: trust: Filter out duplicate extensions The trust policy module keeps all the objects in the database, while PKIX doesn't allow multiple extensions identified by the same OID can be attached to a certificate. Add a check to C_FindObjects to exclude any duplicates and only return the first matching object. It would be better if the module rejects such duplicates when loading, but it would make startup slower. https://bugzilla.redhat.com/show_bug.cgi?id=1141241 --- trust/test-module.c | 45 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) (limited to 'trust/test-module.c') diff --git a/trust/test-module.c b/trust/test-module.c index 1729b41..36fbfe4 100644 --- a/trust/test-module.c +++ b/trust/test-module.c @@ -623,13 +623,55 @@ test_find_certificates (void) CK_ULONG i; count = find_objects (match, sessions, objects, 16); - assert_num_eq (8, count); + assert_num_eq (9, count); for (i = 0; i < count; i++) check_certificate (sessions[i], objects[i]); } static void +test_find_extensions (void) +{ + CK_OBJECT_CLASS klass = CKO_X_CERTIFICATE_EXTENSION; + unsigned char spki[] = { + 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, + 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, + 0x89, 0x02, 0x81, 0x81, 0x00, 0xd1, 0xb5, 0x36, + 0xa3, 0x89, 0xee, 0xaa, 0x80, 0x2f, 0x53, 0xfd, + 0x12, 0x75, 0x3e, 0xf3, 0x7a, 0x9e, 0xd6, 0xaf, + 0xfa, 0xbc, 0x1c, 0x60, 0x10, 0x4b, 0x26, 0x81, + 0x13, 0x1a, 0x59, 0xe3, 0xfe, 0x45, 0x6c, 0x38, + 0x04, 0x39, 0x27, 0x46, 0x57, 0xfd, 0xd5, 0xbc, + 0x8d, 0x8a, 0x10, 0xb6, 0x3b, 0xd4, 0x0a, 0x81, + 0x5a, 0x45, 0x2f, 0xec, 0x3e, 0x81, 0xf0, 0xd9, + 0x4e, 0x4f, 0x97, 0xdf, 0x4b, 0x32, 0x0f, 0x08, + 0xb1, 0x26, 0xa2, 0xbd, 0x69, 0x61, 0x5d, 0x66, + 0x39, 0x63, 0x2f, 0x10, 0x70, 0x35, 0xfb, 0x07, + 0x85, 0x0a, 0xff, 0x57, 0x12, 0xc1, 0xf4, 0x83, + 0x1d, 0xf9, 0xc6, 0xd3, 0xa4, 0xb6, 0x70, 0x2b, + 0x80, 0xa1, 0x40, 0x7f, 0x48, 0x4e, 0xd9, 0xad, + 0xeb, 0x80, 0xcc, 0xcf, 0x92, 0xc1, 0xd1, 0x83, + 0x64, 0x01, 0x23, 0x47, 0x8e, 0xbd, 0x31, 0x98, + 0x05, 0x6b, 0x6b, 0x7c, 0x37, 0x02, 0x03, 0x01, + 0x00, 0x01 + }; + + CK_ATTRIBUTE match[] = { + { CKA_CLASS, &klass, sizeof (klass) }, + { CKA_PUBLIC_KEY_INFO, spki, sizeof (spki) }, + { CKA_INVALID, } + }; + + CK_OBJECT_HANDLE objects[16]; + CK_SESSION_HANDLE sessions[16]; + CK_ULONG count; + + count = find_objects (match, sessions, objects, 16); + assert_num_eq (1, count); +} + +static void test_find_builtin (void) { CK_OBJECT_CLASS klass = CKO_NSS_BUILTIN_ROOT_LIST; @@ -1194,6 +1236,7 @@ main (int argc, p11_test (test_get_session_info, "/module/get_session_info"); p11_test (test_close_all_sessions, "/module/close_all_sessions"); p11_test (test_find_certificates, "/module/find_certificates"); + p11_test (test_find_extensions, "/module/find_extensions"); p11_test (test_find_builtin, "/module/find_builtin"); p11_test (test_lookup_invalid, "/module/lookup_invalid"); p11_test (test_remove_token, "/module/remove_token"); -- cgit v1.1