From 03d280df9a73aca5cb6eabbcb97ef3ca4e1ae0e5 Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@redhat.com>
Date: Thu, 9 Oct 2014 08:15:29 +0200
Subject: trust: Certificate CKA_ID is SubjectKeyIdentifier if possible

The PKCS#11 spec states that the CKA_ID should match the
SubjectKeyIdentifier if such an extension is present.

We delay the filling of CKA_ID until the builder phase of populating
attributes which allows us to have more control over how this works.

Note that we don't make CKA_ID reflect SubjectKeyIdentifier *attached*
extensions. The CKA_ID isn't supposed to change after object creation.
Making it dependent on attached extensions would be making promises
we cannot keep, since attached extensions can be added/removed at any
time.

This also means the CKA_ID of attached extensions and certificates
won't necessarily match up, but that was never promised, and not how
attached extensions should be matched to their certificate anyway.

Based on a patch and research done by David Woodhouse.

https://bugs.freedesktop.org/show_bug.cgi?id=84761
---
 trust/test-trust.c | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'trust/test-trust.c')

diff --git a/trust/test-trust.c b/trust/test-trust.c
index 20306e0..802007d 100644
--- a/trust/test-trust.c
+++ b/trust/test-trust.c
@@ -131,6 +131,8 @@ test_check_attrs_msg (const char *file,
 	CK_OBJECT_CLASS klass;
 	CK_ATTRIBUTE *attr;
 
+	assert (expected != NULL);
+
 	if (!p11_attrs_find_ulong (expected, CKA_CLASS, &klass))
 		klass = CKA_INVALID;
 
-- 
cgit v1.1