diff options
Diffstat (limited to 'trust')
114 files changed, 0 insertions, 29656 deletions
diff --git a/trust/Makefile.am b/trust/Makefile.am deleted file mode 100644 index cc91bce..0000000 --- a/trust/Makefile.am +++ /dev/null @@ -1,295 +0,0 @@ - -noinst_LTLIBRARIES += \ - libtrust-testable.la \ - libtrust-data.la - -libtrust_data_la_SOURCES = \ - trust/asn1.c trust/asn1.h \ - trust/basic.asn trust/basic.asn.h \ - trust/base64.c trust/base64.h \ - trust/pem.c trust/pem.h \ - trust/pkix.asn trust/pkix.asn.h \ - trust/oid.c trust/oid.h \ - trust/openssl.asn trust/openssl.asn.h \ - trust/utf8.c trust/utf8.h \ - trust/x509.c trust/x509.h \ - $(NULL) - -libtrust_data_la_CFLAGS = \ - $(LIBTASN1_CFLAGS) - -libtrust_data_la_LIBADD = \ - $(LIBTASN1_LIBS) \ - $(NULL) - -TRUST_SRCS = \ - trust/builder.c trust/builder.h \ - trust/digest.c trust/digest.h \ - trust/index.c trust/index.h \ - trust/parser.c trust/parser.h \ - trust/persist.c trust/persist.h \ - trust/module.c trust/module.h \ - trust/save.c trust/save.h \ - trust/session.c trust/session.h \ - trust/token.c trust/token.h \ - trust/types.h \ - $(NULL) - -configdir = $(p11_package_config_modules) -config_DATA = trust/p11-kit-trust.module - -moduledir = $(p11_module_path) -module_LTLIBRARIES = \ - p11-kit-trust.la - -p11_kit_trust_la_CFLAGS = \ - $(LIBTASN1_CFLAGS) - -p11_kit_trust_la_LIBADD = \ - libtrust-data.la \ - libp11-library.la \ - libp11-common.la \ - $(LIBTASN1_LIBS) \ - $(HASH_LIBS) \ - $(NULL) - -p11_kit_trust_la_LDFLAGS = \ - -no-undefined -module -avoid-version \ - -version-info $(P11KIT_LT_RELEASE) \ - -export-symbols-regex 'C_GetFunctionList' \ - $(NULL) - -p11_kit_trust_la_SOURCES = $(TRUST_SRCS) - -libtrust_testable_la_LDFLAGS = \ - -no-undefined - -libtrust_testable_la_SOURCES = $(TRUST_SRCS) - -libtrust_testable_la_CFLAGS = \ - $(LIBTASN1_CFLAGS) - -libtrust_testable_la_LIBADD = \ - $(LIBTASN1_LIBS) - -bin_PROGRAMS += trust/trust - -trust_trust_LDADD = \ - libtrust-data.la \ - libp11-kit.la \ - libp11-common.la \ - libp11-tool.la \ - $(LTLIBINTL) \ - $(LIBTASN1_LIBS) \ - $(HASH_LIBS) \ - $(NULL) - -trust_trust_CFLAGS = \ - -DP11_KIT_FUTURE_UNSTABLE_API \ - $(LIBTASN1_CFLAGS) \ - $(NULL) - -trust_trust_SOURCES = \ - trust/anchor.c trust/anchor.h \ - trust/parser.c trust/parser.h \ - trust/persist.c trust/persist.h \ - trust/digest.c trust/digest.h \ - trust/enumerate.c trust/enumerate.h \ - trust/extract.c trust/extract.h \ - trust/extract-jks.c \ - trust/extract-openssl.c \ - trust/extract-pem.c \ - trust/extract-cer.c \ - trust/list.c trust/list.h \ - trust/openssl.asn trust/openssl.asn.h \ - trust/save.c trust/save.h \ - trust/trust.c \ - $(NULL) - -externaldir = $(privatedir) -external_SCRIPTS = \ - trust/trust-extract-compat - -EXTRA_DIST += \ - trust/p11-kit-trust.module - -asn: - asn1Parser -o $(srcdir)/trust/pkix.asn.h $(srcdir)/trust/pkix.asn - asn1Parser -o $(srcdir)/trust/openssl.asn.h $(srcdir)/trust/openssl.asn - asn1Parser -o $(srcdir)/trust/basic.asn.h $(srcdir)/trust/basic.asn - -# Tests ---------------------------------------------------------------- - -trust_CFLAGS = \ - $(LIBTASN1_CFLAGS) \ - $(NULL) - -trust_LIBS = \ - libtrust-testable.la \ - libtrust-data.la \ - libtrust-test.la \ - libp11-kit.la \ - libp11-library.la \ - libp11-test.la \ - libp11-common.la \ - $(LIBTASN1_LIBS) \ - $(HASH_LIBS) \ - $(NULL) - -noinst_LTLIBRARIES += \ - libtrust-test.la - -libtrust_test_la_SOURCES = \ - trust/test-trust.c trust/test-trust.h \ - trust/digest.c \ - $(NULL) - -CHECK_PROGS += \ - test-digest \ - test-asn1 \ - test-base64 \ - test-pem \ - test-oid \ - test-utf8 \ - test-x509 \ - test-persist \ - test-index \ - test-parser \ - test-builder \ - test-token \ - test-module \ - test-save \ - test-enumerate \ - test-cer \ - test-bundle \ - test-openssl \ - $(NULL) - -test_asn1_SOURCES = trust/test-asn1.c -test_asn1_LDADD = $(trust_LIBS) -test_asn1_CFLAGS = $(trust_CFLAGS) - -test_base64_SOURCES = trust/test-base64.c -test_base64_LDADD = $(trust_LIBS) -test_base64_CFLAGS = $(trust_CFLAGS) - -test_builder_SOURCES = trust/test-builder.c -test_builder_LDADD = $(trust_LIBS) -test_builder_CFLAGS = $(trust_CFLAGS) - -test_bundle_SOURCES = trust/test-bundle.c -test_bundle_LDADD = $(trust_LIBS) -test_bundle_CFLAGS = $(trust_CFLAGS) - -test_cer_SOURCES = trust/test-cer.c -test_cer_LDADD = $(trust_LIBS) -test_cer_CFLAGS = $(trust_CFLAGS) - -test_digest_SOURCES = trust/test-digest.c -test_digest_LDADD = $(trust_LIBS) -test_digest_CFLAGS = $(trust_CFLAGS) - -test_enumerate_SOURCES = trust/test-enumerate.c -test_enumerate_LDADD = $(trust_LIBS) -test_enumerate_CFLAGS = $(trust_CFLAGS) - -test_index_SOURCES = trust/test-index.c -test_index_LDADD = $(trust_LIBS) -test_index_CFLAGS = $(trust_CFLAGS) - -test_module_SOURCES = trust/test-module.c -test_module_LDADD = $(trust_LIBS) -test_module_CFLAGS = $(trust_CFLAGS) - -test_oid_SOURCES = trust/test-oid.c -test_oid_LDADD = $(trust_LIBS) -test_oid_CFLAGS = $(trust_CFLAGS) - -test_openssl_SOURCES = trust/test-openssl.c -test_openssl_LDADD = $(trust_LIBS) -test_openssl_CFLAGS = $(trust_CFLAGS) - -test_parser_SOURCES = trust/test-parser.c -test_parser_LDADD = $(trust_LIBS) -test_parser_CFLAGS = $(trust_CFLAGS) - -test_pem_SOURCES = trust/test-pem.c -test_pem_LDADD = $(trust_LIBS) - -test_persist_SOURCES = trust/test-persist.c -test_persist_LDADD = $(trust_LIBS) - -test_save_SOURCES = trust/test-save.c -test_save_LDADD = $(trust_LIBS) - -test_token_SOURCES = trust/test-token.c -test_token_LDADD = $(trust_LIBS) -test_token_CFLAGS = $(trust_CFLAGS) - -test_utf8_SOURCES = trust/test-utf8.c -test_utf8_LDADD = $(trust_LIBS) - -test_x509_SOURCES = trust/test-x509.c -test_x509_LDADD = $(trust_LIBS) -test_x509_CFLAGS = $(trust_CFLAGS) - -noinst_PROGRAMS += \ - frob-pow \ - frob-token \ - frob-nss-trust \ - frob-cert \ - frob-bc \ - frob-ku \ - frob-eku \ - frob-ext \ - frob-oid \ - $(NULL) - -frob_bc_SOURCES = trust/frob-bc.c -frob_bc_LDADD = $(trust_LIBS) -frob_bc_CFLAGS = $(trust_CFLAGS) - -frob_cert_SOURCES = trust/frob-cert.c -frob_cert_LDADD = $(trust_LIBS) -frob_cert_CFLAGS = $(trust_CFLAGS) - -frob_eku_SOURCES = trust/frob-eku.c -frob_eku_LDADD = $(trust_LIBS) -frob_eku_CFLAGS = $(trust_CFLAGS) - -frob_ext_SOURCES = trust/frob-ext.c -frob_ext_LDADD = $(trust_LIBS) -frob_ext_CFLAGS = $(trust_CFLAGS) - -frob_ku_SOURCES = trust/frob-ku.c -frob_ku_LDADD = $(trust_LIBS) -frob_ku_CFLAGS = $(trust_CFLAGS) - -frob_nss_trust_SOURCES = trust/frob-nss-trust.c -frob_nss_trust_LDADD = \ - libp11-common.la \ - libp11-kit.la \ - $(HASH_LIBS) \ - $(NULL) - -frob_oid_SOURCES = trust/frob-oid.c -frob_oid_LDADD = $(trust_LIBS) -frob_oid_CFLAGS = $(trust_CFLAGS) - -frob_pow_SOURCES = trust/frob-pow.c -frob_pow_LDADD = $(trust_LIBS) -frob_pow_CFLAGS = $(trust_CFLAGS) - -frob_token_SOURCES = trust/frob-token.c -frob_token_LDADD = $(trust_LIBS) -frob_token_CFLAGS = $(trust_CFLAGS) - -noinst_SCRIPTS += trust/test-extract - -installcheck-local: - sh $(builddir)/trust/test-extract - -EXTRA_DIST += \ - trust/input \ - trust/fixtures \ - $(NULL) diff --git a/trust/anchor.c b/trust/anchor.c deleted file mode 100644 index baa1aeb..0000000 --- a/trust/anchor.c +++ /dev/null @@ -1,660 +0,0 @@ -/* - * Copyright (c) 2013, Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#define P11_DEBUG_FLAG P11_DEBUG_TOOL - -#include "anchor.h" -#include "attrs.h" -#include "debug.h" -#include "constants.h" -#include "extract.h" -#include "message.h" -#include "parser.h" -#include "tool.h" - -#include "p11-kit/iter.h" -#include "p11-kit/p11-kit.h" - -#include <assert.h> -#include <getopt.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -static p11_parser * -create_arg_file_parser (void) -{ - p11_parser *parser; - - parser = p11_parser_new (NULL); - return_val_if_fail (parser != NULL, NULL); - - p11_parser_formats (parser, - p11_parser_format_x509, - p11_parser_format_pem, - NULL); - - return parser; -} - -static bool -iter_match_anchor (p11_kit_iter *iter, - CK_ATTRIBUTE *attrs) -{ - CK_ATTRIBUTE *attr; - - attr = p11_attrs_find_valid (attrs, CKA_CLASS); - if (attr == NULL) - return false; - - p11_kit_iter_add_filter (iter, attr, 1); - - attr = p11_attrs_find_valid (attrs, CKA_VALUE); - if (attr == NULL) - return false; - - p11_kit_iter_add_filter (iter, attr, 1); - return true; -} - -static p11_array * -uris_or_files_to_iters (int argc, - char *argv[], - int behavior) -{ - int flags = P11_KIT_URI_FOR_OBJECT_ON_TOKEN_AND_MODULE; - p11_parser *parser = NULL; - p11_array *iters; - p11_array *parsed; - p11_kit_uri *uri; - p11_kit_iter *iter; - int ret; - int i, j; - - iters = p11_array_new ((p11_destroyer)p11_kit_iter_free); - return_val_if_fail (iters != NULL, NULL); - - for (i = 0; i < argc; i++) { - - /* A PKCS#11 URI */ - if (strncmp (argv[i], "pkcs11:", 7) == 0) { - uri = p11_kit_uri_new (); - if (p11_kit_uri_parse (argv[i], flags, uri) != P11_KIT_URI_OK) { - p11_message ("invalid PKCS#11 uri: %s", argv[i]); - p11_kit_uri_free (uri); - break; - } - - iter = p11_kit_iter_new (uri, behavior); - return_val_if_fail (iter != NULL, NULL); - p11_kit_uri_free (uri); - - if (!p11_array_push (iters, iter)) - return_val_if_reached (NULL); - - } else { - if (parser == NULL) - parser = create_arg_file_parser (); - - ret = p11_parse_file (parser, argv[i], NULL, P11_PARSE_FLAG_ANCHOR); - switch (ret) { - case P11_PARSE_SUCCESS: - p11_debug ("parsed file: %s", argv[i]); - break; - case P11_PARSE_UNRECOGNIZED: - p11_message ("unrecognized file format: %s", argv[i]); - break; - default: - p11_message ("failed to parse file: %s", argv[i]); - break; - } - - if (ret != P11_PARSE_SUCCESS) - break; - - parsed = p11_parser_parsed (parser); - for (j = 0; j < parsed->num; j++) { - iter = p11_kit_iter_new (NULL, behavior); - return_val_if_fail (iter != NULL, NULL); - - iter_match_anchor (iter, parsed->elem[j]); - if (!p11_array_push (iters, iter)) - return_val_if_reached (NULL); - } - } - } - - if (parser) - p11_parser_free (parser); - - if (argc != i) { - p11_array_free (iters); - return NULL; - } - - return iters; -} - -static p11_array * -files_to_attrs (int argc, - char *argv[]) -{ - p11_parser *parser; - p11_array *parsed; - p11_array *array; - int ret = P11_PARSE_SUCCESS; - int i, j; - - array = p11_array_new (p11_attrs_free); - return_val_if_fail (array != NULL, NULL); - - parser = create_arg_file_parser (); - return_val_if_fail (parser != NULL, NULL); - - for (i = 0; i < argc; i++) { - ret = p11_parse_file (parser, argv[i], NULL, P11_PARSE_FLAG_ANCHOR); - switch (ret) { - case P11_PARSE_SUCCESS: - p11_debug ("parsed file: %s", argv[i]); - break; - case P11_PARSE_UNRECOGNIZED: - p11_message ("unrecognized file format: %s", argv[i]); - break; - default: - p11_message ("failed to parse file: %s", argv[i]); - break; - } - - if (ret != P11_PARSE_SUCCESS) - break; - - parsed = p11_parser_parsed (parser); - for (j = 0; j < parsed->num; j++) { - if (!p11_array_push (array, parsed->elem[j])) - return_val_if_reached (NULL); - parsed->elem[j] = NULL; - } - } - - p11_parser_free (parser); - - if (ret == P11_PARSE_SUCCESS) - return array; - - p11_array_free (array); - return NULL; - -} - -static CK_SESSION_HANDLE -session_for_store_on_module (const char *name, - CK_FUNCTION_LIST *module, - bool *found_read_only) -{ - CK_SESSION_HANDLE session = 0; - CK_SLOT_ID *slots = NULL; - CK_TOKEN_INFO info; - CK_ULONG count; - CK_ULONG i; - CK_RV rv; - - rv = p11_kit_module_initialize (module); - if (rv != CKR_OK) { - p11_message ("%s: couldn't initialize: %s", name, p11_kit_message ()); - return 0UL; - } - - rv = (module->C_GetSlotList) (CK_TRUE, NULL, &count); - if (rv == CKR_OK) { - slots = calloc (count, sizeof (CK_ULONG)); - return_val_if_fail (slots != NULL, 0UL); - rv = (module->C_GetSlotList) (CK_TRUE, slots, &count); - } - if (rv != CKR_OK) { - p11_message ("%s: couldn't enumerate slots: %s", name, p11_kit_strerror (rv)); - free (slots); - return 0UL; - } - - for (i = 0; session == 0 && i < count; i++) { - rv = (module->C_GetTokenInfo) (slots[i], &info); - if (rv != CKR_OK) { - p11_message ("%s: couldn't get token info: %s", name, p11_kit_strerror (rv)); - continue; - } - - if (info.flags & CKF_WRITE_PROTECTED) { - *found_read_only = true; - continue; - } - - rv = (module->C_OpenSession) (slots[i], CKF_SERIAL_SESSION | CKF_RW_SESSION, - NULL, NULL, &session); - if (rv != CKR_OK) { - p11_message ("%s: couldn't open session: %s", name, p11_kit_strerror (rv)); - session = 0; - } - - p11_debug ("opened writable session on: %s", name); - } - - free (slots); - - if (session == 0UL) - p11_kit_module_finalize (module); - - return session; -} - -static CK_SESSION_HANDLE -session_for_store (CK_FUNCTION_LIST **module) -{ - CK_SESSION_HANDLE session = 0UL; - CK_FUNCTION_LIST **modules; - bool found_read_only = false; - char *name; - int i; - - modules = p11_kit_modules_load (NULL, P11_KIT_MODULE_TRUSTED); - if (modules == NULL) - return 0; - - for (i = 0; modules[i] != NULL; i++) { - if (session == 0UL) { - name = p11_kit_module_get_name (modules[i]); - session = session_for_store_on_module (name, modules[i], - &found_read_only); - - if (session != 0UL) { - *module = modules[i]; - modules[i] = NULL; - } - - free (name); - } - - if (modules[i]) - p11_kit_module_release (modules[i]); - } - - if (session == 0UL) { - if (found_read_only) - p11_message ("no configured writable location to store anchors"); - else - p11_message ("no configured location to store anchors"); - } - - free (modules); - return session; -} - -static bool -create_anchor (CK_FUNCTION_LIST *module, - CK_SESSION_HANDLE session, - CK_ATTRIBUTE *attrs) -{ - CK_BBOOL truev = CK_TRUE; - CK_OBJECT_HANDLE object; - char *string; - CK_RV rv; - - CK_ATTRIBUTE basics[] = { - { CKA_TOKEN, &truev, sizeof (truev) }, - { CKA_TRUSTED, &truev, sizeof (truev) }, - { CKA_INVALID, }, - }; - - attrs = p11_attrs_merge (attrs, p11_attrs_dup (basics), true); - p11_attrs_remove (attrs, CKA_MODIFIABLE); - - if (p11_debugging) { - string = p11_attrs_to_string (attrs, -1); - p11_debug ("storing: %s", string); - free (string); - } - - rv = (module->C_CreateObject) (session, attrs, - p11_attrs_count (attrs), &object); - - p11_attrs_free (attrs); - - if (rv != CKR_OK) { - p11_message ("couldn't create object: %s", p11_kit_strerror (rv)); - return false; - } - - return true; -} - -static bool -modify_anchor (CK_FUNCTION_LIST *module, - CK_SESSION_HANDLE session, - CK_OBJECT_HANDLE object, - CK_ATTRIBUTE *attrs) -{ - CK_BBOOL truev = CK_TRUE; - CK_ATTRIBUTE *changes; - CK_ATTRIBUTE *label; - char *string; - CK_RV rv; - - CK_ATTRIBUTE trusted = { CKA_TRUSTED, &truev, sizeof (truev) }; - - label = p11_attrs_find_valid (attrs, CKA_LABEL); - changes = p11_attrs_build (NULL, &trusted, label, NULL); - return_val_if_fail (attrs != NULL, FALSE); - - /* Don't need the attributes anymore */ - p11_attrs_free (attrs); - - if (p11_debugging) { - string = p11_attrs_to_string (changes, -1); - p11_debug ("setting: %s", string); - free (string); - } - - rv = (module->C_SetAttributeValue) (session, object, changes, - p11_attrs_count (changes)); - - p11_attrs_free (changes); - - if (rv != CKR_OK) { - p11_message ("couldn't create object: %s", p11_kit_strerror (rv)); - return false; - } - - return true; -} - -static CK_OBJECT_HANDLE -find_anchor (CK_FUNCTION_LIST *module, - CK_SESSION_HANDLE session, - CK_ATTRIBUTE *attrs) -{ - CK_OBJECT_HANDLE object = 0UL; - CK_ATTRIBUTE *attr; - p11_kit_iter *iter; - - attr = p11_attrs_find_valid (attrs, CKA_CLASS); - return_val_if_fail (attr != NULL, 0); - - iter = p11_kit_iter_new (NULL, 0); - return_val_if_fail (iter != NULL, 0); - - if (iter_match_anchor (iter, attrs)) { - p11_kit_iter_begin_with (iter, module, 0, session); - if (p11_kit_iter_next (iter) == CKR_OK) - object = p11_kit_iter_get_object (iter); - } - - p11_kit_iter_free (iter); - - return object; -} - -static int -anchor_store (int argc, - char *argv[], - bool *changed) -{ - CK_ATTRIBUTE *attrs; - CK_FUNCTION_LIST *module = NULL; - CK_SESSION_HANDLE session; - CK_OBJECT_HANDLE object; - p11_array *anchors; - int ret; - int i; - - anchors = files_to_attrs (argc, argv); - if (anchors == NULL) - return 1; - - if (anchors->num == 0) { - p11_message ("specify at least one anchor input file"); - p11_array_free (anchors); - return 2; - } - - session = session_for_store (&module); - if (session == 0UL) { - p11_array_free (anchors); - return 1; - } - - for (i = 0, ret = 0; i < anchors->num; i++) { - attrs = anchors->elem[i]; - anchors->elem[i] = NULL; - - object = find_anchor (module, session, attrs); - if (object == 0) { - p11_debug ("don't yet have this anchor"); - if (create_anchor (module, session, attrs)) { - *changed = true; - } else { - ret = 1; - break; - } - } else { - p11_debug ("already have this anchor"); - if (modify_anchor (module, session, object, attrs)) { - *changed = true; - } else { - ret = 1; - break; - } - } - } - - p11_array_free (anchors); - p11_kit_module_finalize (module); - p11_kit_module_release (module); - - return ret; -} - -static const char * -description_for_object_at_iter (p11_kit_iter *iter) -{ - CK_OBJECT_CLASS klass; - CK_ATTRIBUTE attrs[] = { - { CKA_CLASS, &klass, sizeof (klass) }, - { CKA_INVALID }, - }; - - const char *desc = "object"; - CK_RV rv; - - rv = p11_kit_iter_load_attributes (iter, attrs, 1); - if (rv == CKR_OK) - desc = p11_constant_nick (p11_constant_classes, klass); - - return desc; -} - -static bool -remove_all (p11_kit_iter *iter, - bool *changed) -{ - const char *desc; - CK_RV rv; - - while ((rv = p11_kit_iter_next (iter)) == CKR_OK) { - desc = description_for_object_at_iter (iter); - p11_debug ("removing %s: %lu", desc, p11_kit_iter_get_object (iter)); - rv = p11_kit_iter_destroy_object (iter); - switch (rv) { - case CKR_OK: - *changed = true; - /* fall through */ - case CKR_OBJECT_HANDLE_INVALID: - continue; - case CKR_TOKEN_WRITE_PROTECTED: - case CKR_SESSION_READ_ONLY: - case CKR_ATTRIBUTE_READ_ONLY: - p11_message ("couldn't remove read-only %s", desc); - continue; - default: - p11_message ("couldn't remove %s: %s", desc, - p11_kit_strerror (rv)); - break; - } - } - - return (rv == CKR_CANCEL); -} - -static int -anchor_remove (int argc, - char *argv[], - bool *changed) -{ - CK_FUNCTION_LIST **modules; - p11_array *iters; - p11_kit_iter *iter; - int ret = 0; - int i; - - iters = uris_or_files_to_iters (argc, argv, P11_KIT_ITER_WANT_WRITABLE); - return_val_if_fail (iters != NULL, 1); - - if (iters->num == 0) { - p11_message ("at least one file or uri must be specified"); - p11_array_free (iters); - return 2; - } - - modules = p11_kit_modules_load_and_initialize (P11_KIT_MODULE_TRUSTED); - if (modules == NULL) - ret = 1; - - for (i = 0; ret == 0 && i < iters->num; i++) { - iter = iters->elem[i]; - - p11_kit_iter_begin (iter, modules); - if (!remove_all (iter, changed)) - ret = 1; - } - - p11_array_free (iters); - p11_kit_modules_finalize_and_release (modules); - - return ret; -} - -int -p11_trust_anchor (int argc, - char **argv) -{ - bool changed = false; - int action = 0; - int opt; - int ret; - - enum { - opt_verbose = 'v', - opt_quiet = 'q', - opt_help = 'h', - - opt_store = 's', - opt_remove = 'r', - }; - - struct option options[] = { - { "store", no_argument, NULL, opt_store }, - { "remove", no_argument, NULL, opt_remove }, - { "verbose", no_argument, NULL, opt_verbose }, - { "quiet", no_argument, NULL, opt_quiet }, - { "help", no_argument, NULL, opt_help }, - { 0 }, - }; - - p11_tool_desc usages[] = { - { 0, "usage: trust anchor --store <file> ..." }, - { opt_verbose, "show verbose debug output", }, - { opt_quiet, "suppress command output", }, - { 0 }, - }; - - while ((opt = p11_tool_getopt (argc, argv, options)) != -1) { - switch (opt) { - case opt_store: - case opt_remove: - if (action == 0) { - action = opt; - } else { - p11_message ("an action was already specified"); - return 2; - } - break; - case opt_verbose: - case opt_quiet: - break; - case opt_help: - p11_tool_usage (usages, options); - return 0; - case '?': - p11_tool_usage (usages, options); - return 2; - default: - assert_not_reached (); - break; - } - }; - - argc -= optind; - argv += optind; - - if (action == 0) - action = opt_store; - - /* Store is different, and only accepts files */ - if (action == opt_store) - ret = anchor_store (argc, argv, &changed); - - else if (action == opt_remove) - ret = anchor_remove (argc, argv, &changed); - - else - assert_not_reached (); - - /* Extract the compat bundles after modification */ - if (ret == 0 && changed) { - char *args[] = { argv[0], NULL }; - ret = p11_trust_extract_compat (1, args); - } - - return ret; -} diff --git a/trust/anchor.h b/trust/anchor.h deleted file mode 100644 index 7b08682..0000000 --- a/trust/anchor.h +++ /dev/null @@ -1,43 +0,0 @@ -/* - * Copyright (c) 2013, Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#ifndef P11_ANCHOR_H_ -#define P11_ANCHOR_H_ - -int p11_trust_anchor (int argc, - char **argv); - -#endif /* P11_ANCHOR_H_ */ diff --git a/trust/asn1.c b/trust/asn1.c deleted file mode 100644 index dd1812d..0000000 --- a/trust/asn1.c +++ /dev/null @@ -1,374 +0,0 @@ -/* - * Copyright (C) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#include "asn1.h" -#define P11_DEBUG_FLAG P11_DEBUG_TRUST -#include "debug.h" -#include "oid.h" - -#include "openssl.asn.h" -#include "pkix.asn.h" - -#include <assert.h> -#include <stdlib.h> -#include <string.h> - -static void -free_asn1_def (void *data) -{ - node_asn *def = data; - asn1_delete_structure (&def); -} - -struct { - const ASN1_ARRAY_TYPE* tab; - const char *prefix; - int prefix_len; -} asn1_tabs[] = { - { pkix_asn1_tab, "PKIX1.", 6 }, - { openssl_asn1_tab, "OPENSSL.", 8 }, - { NULL, }, -}; - -p11_dict * -p11_asn1_defs_load (void) -{ - char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = { 0, }; - node_asn *def; - p11_dict *defs; - int ret; - int i; - - defs = p11_dict_new (p11_dict_str_hash, p11_dict_str_equal, NULL, free_asn1_def); - - for (i = 0; asn1_tabs[i].tab != NULL; i++) { - - def = NULL; - ret = asn1_array2tree (asn1_tabs[i].tab, &def, message); - if (ret != ASN1_SUCCESS) { - p11_debug_precond ("failed to load %s* definitions: %s: %s\n", - asn1_tabs[i].prefix, asn1_strerror (ret), message); - return NULL; - } - - if (!p11_dict_set (defs, (void *)asn1_tabs[i].prefix, def)) - return_val_if_reached (NULL); - } - - return defs; -} - -static node_asn * -lookup_def (p11_dict *asn1_defs, - const char *struct_name) -{ - int i; - - for (i = 0; asn1_tabs[i].tab != NULL; i++) { - if (strncmp (struct_name, asn1_tabs[i].prefix, asn1_tabs[i].prefix_len) == 0) - return p11_dict_get (asn1_defs, asn1_tabs[i].prefix); - } - - p11_debug_precond ("unknown prefix for element: %s\n", struct_name); - return NULL; -} - -node_asn * -p11_asn1_create (p11_dict *asn1_defs, - const char *struct_name) -{ - node_asn *def; - node_asn *asn; - int ret; - - return_val_if_fail (asn1_defs != NULL, NULL); - - def = lookup_def (asn1_defs, struct_name); - return_val_if_fail (def != NULL, NULL); - - ret = asn1_create_element (def, struct_name, &asn); - if (ret != ASN1_SUCCESS) { - p11_debug_precond ("failed to create element %s: %s\n", - struct_name, asn1_strerror (ret)); - return NULL; - } - - return asn; -} - -node_asn * -p11_asn1_decode (p11_dict *asn1_defs, - const char *struct_name, - const unsigned char *der, - size_t der_len, - char *message) -{ - char msg[ASN1_MAX_ERROR_DESCRIPTION_SIZE]; - node_asn *asn = NULL; - int ret; - - return_val_if_fail (asn1_defs != NULL, NULL); - - asn = p11_asn1_create (asn1_defs, struct_name); - return_val_if_fail (asn != NULL, NULL); - - /* asn1_der_decoding destroys the element if fails */ - ret = asn1_der_decoding (&asn, der, der_len, message ? message : msg); - - if (ret != ASN1_SUCCESS) { - /* If caller passed in a message buffer, assume they're logging */ - if (!message) { - p11_debug ("couldn't parse %s: %s: %s", - struct_name, asn1_strerror (ret), msg); - } - return NULL; - } - - return asn; -} - -unsigned char * -p11_asn1_encode (node_asn *asn, - size_t *der_len) -{ - char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE]; - unsigned char *der; - int len; - int ret; - - return_val_if_fail (der_len != NULL, NULL); - - len = 0; - ret = asn1_der_coding (asn, "", NULL, &len, message); - return_val_if_fail (ret != ASN1_SUCCESS, NULL); - - if (ret == ASN1_MEM_ERROR) { - der = malloc (len); - return_val_if_fail (der != NULL, NULL); - - ret = asn1_der_coding (asn, "", der, &len, message); - } - - if (ret != ASN1_SUCCESS) { - p11_debug_precond ("failed to encode: %s\n", message); - return NULL; - } - - if (der_len) - *der_len = len; - return der; -} - -void * -p11_asn1_read (node_asn *asn, - const char *field, - size_t *length) -{ - unsigned char *value; - int len; - int ret; - - return_val_if_fail (asn != NULL, NULL); - return_val_if_fail (field != NULL, NULL); - return_val_if_fail (length != NULL, NULL); - - len = 0; - ret = asn1_read_value (asn, field, NULL, &len); - if (ret == ASN1_ELEMENT_NOT_FOUND) - return NULL; - - return_val_if_fail (ret == ASN1_MEM_ERROR, NULL); - - value = malloc (len + 1); - return_val_if_fail (value != NULL, NULL); - - ret = asn1_read_value (asn, field, value, &len); - return_val_if_fail (ret == ASN1_SUCCESS, NULL); - - /* Courtesy zero terminated */ - value[len] = '\0'; - - *length = len; - return value; -} - -void -p11_asn1_free (void *asn) -{ - node_asn *node = asn; - if (node != NULL) - asn1_delete_structure (&node); -} - -ssize_t -p11_asn1_tlv_length (const unsigned char *data, - size_t length) -{ - unsigned char cls; - int counter = 0; - int cb, len; - unsigned long tag; - - if (asn1_get_tag_der (data, length, &cls, &cb, &tag) == ASN1_SUCCESS) { - counter += cb; - len = asn1_get_length_der (data + cb, length - cb, &cb); - counter += cb; - if (len >= 0) { - len += counter; - if (length >= len) - return len; - } - } - - return -1; -} - -typedef struct { - node_asn *node; - char *struct_name; - size_t length; -} asn1_item; - -static void -free_asn1_item (void *data) -{ - asn1_item *item = data; - free (item->struct_name); - asn1_delete_structure (&item->node); - free (item); -} - -struct _p11_asn1_cache { - p11_dict *defs; - p11_dict *items; -}; - -p11_asn1_cache * -p11_asn1_cache_new (void) -{ - p11_asn1_cache *cache; - - cache = calloc (1, sizeof (p11_asn1_cache)); - return_val_if_fail (cache != NULL, NULL); - - cache->defs = p11_asn1_defs_load (); - return_val_if_fail (cache->defs != NULL, NULL); - - cache->items = p11_dict_new (p11_dict_direct_hash, p11_dict_direct_equal, - NULL, free_asn1_item); - return_val_if_fail (cache->items != NULL, NULL); - - return cache; -} - -node_asn * -p11_asn1_cache_get (p11_asn1_cache *cache, - const char *struct_name, - const unsigned char *der, - size_t der_len) -{ - asn1_item *item; - - if (cache == NULL) - return NULL; - - return_val_if_fail (struct_name != NULL, NULL); - return_val_if_fail (der != NULL, NULL); - - item = p11_dict_get (cache->items, der); - if (item != NULL) { - return_val_if_fail (item->length == der_len, NULL); - return_val_if_fail (strcmp (item->struct_name, struct_name) == 0, NULL); - return item->node; - } - - return NULL; -} - -void -p11_asn1_cache_take (p11_asn1_cache *cache, - node_asn *node, - const char *struct_name, - const unsigned char *der, - size_t der_len) -{ - asn1_item *item; - - if (cache == NULL) { - asn1_delete_structure (&node); - return; - } - - return_if_fail (struct_name != NULL); - return_if_fail (der != NULL); - return_if_fail (der_len != 0); - - item = calloc (1, sizeof (asn1_item)); - return_if_fail (item != NULL); - - item->length = der_len; - item->node = node; - item->struct_name = strdup (struct_name); - return_if_fail (item->struct_name != NULL); - - if (!p11_dict_set (cache->items, (void *)der, item)) - return_if_reached (); -} - -void -p11_asn1_cache_flush (p11_asn1_cache *cache) -{ - if (cache == NULL) - return; - p11_dict_clear (cache->items); -} - -p11_dict * -p11_asn1_cache_defs (p11_asn1_cache *cache) -{ - return_val_if_fail (cache != NULL, NULL); - return cache->defs; -} - -void -p11_asn1_cache_free (p11_asn1_cache *cache) -{ - if (!cache) - return; - p11_dict_free (cache->items); - p11_dict_free (cache->defs); - free (cache); -} diff --git a/trust/asn1.h b/trust/asn1.h deleted file mode 100644 index a5f9caf..0000000 --- a/trust/asn1.h +++ /dev/null @@ -1,86 +0,0 @@ -/* - * Copyright (C) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include <libtasn1.h> - -#include "dict.h" - -#ifndef P11_ASN1_H_ -#define P11_ASN1_H_ - -typedef struct _p11_asn1_cache p11_asn1_cache; - -p11_dict * p11_asn1_defs_load (void); - -node_asn * p11_asn1_decode (p11_dict *asn1_defs, - const char *struct_name, - const unsigned char *der, - size_t der_len, - char *message); - -node_asn * p11_asn1_create (p11_dict *asn1_defs, - const char *struct_name); - -unsigned char * p11_asn1_encode (node_asn *asn, - size_t *der_len); - -void * p11_asn1_read (node_asn *asn, - const char *field, - size_t *length); - -void p11_asn1_free (void *asn); - -ssize_t p11_asn1_tlv_length (const unsigned char *data, - size_t length); - -p11_asn1_cache * p11_asn1_cache_new (void); - -p11_dict * p11_asn1_cache_defs (p11_asn1_cache *cache); - -node_asn * p11_asn1_cache_get (p11_asn1_cache *cache, - const char *struct_name, - const unsigned char *der, - size_t der_len); - -void p11_asn1_cache_take (p11_asn1_cache *cache, - node_asn *node, - const char *struct_name, - const unsigned char *der, - size_t der_len); - -void p11_asn1_cache_flush (p11_asn1_cache *cache); - -void p11_asn1_cache_free (p11_asn1_cache *cache); - -#endif /* P11_ASN1_H_ */ diff --git a/trust/base64.c b/trust/base64.c deleted file mode 100644 index a9eb966..0000000 --- a/trust/base64.c +++ /dev/null @@ -1,251 +0,0 @@ -/* - * Copyright (c) 1996, 1998 by Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS - * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE - * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL - * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR - * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS - * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS - * SOFTWARE. - */ - -/* - * Portions Copyright (c) 1995 by International Business Machines, Inc. - * - * International Business Machines, Inc. (hereinafter called IBM) grants - * permission under its copyrights to use, copy, modify, and distribute this - * Software with or without fee, provided that the above copyright notice and - * all paragraphs of this notice appear in all copies, and that the name of IBM - * not be used in connection with the marketing of any product incorporating - * the Software or modifications thereof, without specific, written prior - * permission. - * - * To the extent it has a right to do so, IBM grants an immunity from suit - * under its patents, if any, for the use, sale or manufacture of products to - * the extent that such products are used for performing Domain Name System - * dynamic updates in TCP/IP networks by means of the Software. No immunity is - * granted for any product per se or for any other function of any product. - * - * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES, - * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL, - * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING - * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN - * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. - */ - -#include "config.h" - -#include "base64.h" - -#include <assert.h> -#include <ctype.h> -#include <stdlib.h> -#include <string.h> - -static const char Base64[] = - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; - -static const char Pad64 = '='; - -/* skips all whitespace anywhere. - converts characters, four at a time, starting at (or after) - src from base - 64 numbers into three 8 bit bytes in the target area. - it returns the number of data bytes stored at the target, or -1 on error. - */ - -int -p11_b64_pton (const char *src, - size_t length, - unsigned char *target, - size_t targsize) -{ - int tarindex, state, ch; - char *pos; - const char *end; - - state = 0; - tarindex = 0; - end = src + length; - - /* We can't rely on the null terminator */ - #define next_char(src, end) \ - (((src) == (end)) ? '\0': *(src)++) - - while ((ch = next_char (src, end)) != '\0') { - if (isspace ((unsigned char) ch)) /* Skip whitespace anywhere. */ - continue; - - if (ch == Pad64) - break; - - pos = strchr (Base64, ch); - if (pos == 0) /* A non-base64 character. */ - return (-1); - - switch (state) { - case 0: - if (target) { - if ((size_t)tarindex >= targsize) - return (-1); - target[tarindex] = (pos - Base64) << 2; - } - state = 1; - break; - case 1: - if (target) { - if ((size_t) tarindex + 1 >= targsize) - return (-1); - target[tarindex] |= (pos - Base64) >> 4; - target[tarindex + 1] = ((pos - Base64) & 0x0f) - << 4; - } - tarindex++; - state = 2; - break; - case 2: - if (target) { - if ((size_t) tarindex + 1 >= targsize) - return (-1); - target[tarindex] |= (pos - Base64) >> 2; - target[tarindex + 1] = ((pos - Base64) & 0x03) - << 6; - } - tarindex++; - state = 3; - break; - case 3: - if (target) { - if ((size_t) tarindex >= targsize) - return (-1); - target[tarindex] |= (pos - Base64); - } - tarindex++; - state = 0; - break; - default: - abort(); - } - } - - /* - * We are done decoding Base-64 chars. Let's see if we ended - * on a byte boundary, and/or with erroneous trailing characters. - */ - - if (ch == Pad64) { /* We got a pad char. */ - ch = next_char (src, end); /* Skip it, get next. */ - switch (state) { - case 0: /* Invalid = in first position */ - case 1: /* Invalid = in second position */ - return (-1); - - case 2: /* Valid, means one byte of info */ - /* Skip any number of spaces. */ - for ((void) NULL; ch != '\0'; ch = next_char (src, end)) - if (!isspace((unsigned char) ch)) - break; - /* Make sure there is another trailing = sign. */ - if (ch != Pad64) - return (-1); - ch = next_char (src, end); /* Skip the = */ - /* Fall through to "single trailing =" case. */ - /* FALLTHROUGH */ - - case 3: /* Valid, means two bytes of info */ - /* - * We know this char is an =. Is there anything but - * whitespace after it? - */ - for ((void)NULL; src != end; ch = next_char (src, end)) - if (!isspace((unsigned char) ch)) - return (-1); - - /* - * Now make sure for cases 2 and 3 that the "extra" - * bits that slopped past the last full byte were - * zeros. If we don't check them, they become a - * subliminal channel. - */ - if (target && target[tarindex] != 0) - return (-1); - } - } else { - /* - * We ended by seeing the end of the string. Make sure we - * have no partial bytes lying around. - */ - if (state != 0) - return (-1); - } - - return (tarindex); -} - -int -p11_b64_ntop (const unsigned char *src, - size_t srclength, - char *target, - size_t targsize, - int breakl) -{ - size_t len = 0; - unsigned char input[3]; - unsigned char output[4]; - size_t i; - - while (srclength > 0) { - if (2 < srclength) { - input[0] = *src++; - input[1] = *src++; - input[2] = *src++; - srclength -= 3; - - output[0] = input[0] >> 2; - output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4); - output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6); - output[3] = input[2] & 0x3f; - - } else if (0 != srclength) { - /* Get what's left. */ - input[0] = input[1] = input[2] = '\0'; - for (i = 0; i < srclength; i++) - input[i] = *src++; - - output[0] = input[0] >> 2; - output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4); - if (srclength == 1) - output[2] = 255; - else - output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6); - output[3] = 255; - - srclength = 0; - } - - for (i = 0; i < 4; i++) { - if (breakl && len % (breakl + 1) == 0) { - assert (len + 1 < targsize); - target[len++] = '\n'; - } - - assert(output[i] == 255 || output[i] < 64); - assert (len + 1 < targsize); - - if (output[i] == 255) - target[len++] = Pad64; - else - target[len++] = Base64[output[i]]; - } - } - - assert (len < targsize); - target[len] = '\0'; /* Returned value doesn't count \0. */ - return len; -} diff --git a/trust/base64.h b/trust/base64.h deleted file mode 100644 index cc27afd..0000000 --- a/trust/base64.h +++ /dev/null @@ -1,59 +0,0 @@ -/* - * Copyright (c) 1996, 1998 by Internet Software Consortium. - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS - * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE - * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL - * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR - * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS - * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS - * SOFTWARE. - */ - -/* - * Portions Copyright (c) 1995 by International Business Machines, Inc. - * - * International Business Machines, Inc. (hereinafter called IBM) grants - * permission under its copyrights to use, copy, modify, and distribute this - * Software with or without fee, provided that the above copyright notice and - * all paragraphs of this notice appear in all copies, and that the name of IBM - * not be used in connection with the marketing of any product incorporating - * the Software or modifications thereof, without specific, written prior - * permission. - * - * To the extent it has a right to do so, IBM grants an immunity from suit - * under its patents, if any, for the use, sale or manufacture of products to - * the extent that such products are used for performing Domain Name System - * dynamic updates in TCP/IP networks by means of the Software. No immunity is - * granted for any product per se or for any other function of any product. - * - * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES, - * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL, - * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING - * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN - * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. - */ - -#ifndef P11_BASE64_H_ -#define P11_BASE64_H_ - -#include <sys/types.h> - -int p11_b64_pton (const char *src, - size_t length, - unsigned char *target, - size_t targsize); - -int p11_b64_ntop (const unsigned char *src, - size_t srclength, - char *target, - size_t targsize, - int breakl); - -#endif /* P11_BASE64_H_ */ diff --git a/trust/basic.asn b/trust/basic.asn deleted file mode 100644 index 3c79a4b..0000000 --- a/trust/basic.asn +++ /dev/null @@ -1,12 +0,0 @@ - -BASIC { } - -DEFINITIONS EXPLICIT TAGS ::= - -BEGIN - -Any ::= ANY - -ObjectIdentifier ::= OBJECT IDENTIFIER - -END
\ No newline at end of file diff --git a/trust/basic.asn.h b/trust/basic.asn.h deleted file mode 100644 index b63447b..0000000 --- a/trust/basic.asn.h +++ /dev/null @@ -1,13 +0,0 @@ -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include <libtasn1.h> - -const ASN1_ARRAY_TYPE basic_asn1_tab[] = { - { "BASIC", 536872976, NULL }, - { NULL, 1073741836, NULL }, - { "Any", 1073741837, NULL }, - { "ObjectIdentifier", 12, NULL }, - { NULL, 0, NULL } -}; diff --git a/trust/builder.c b/trust/builder.c deleted file mode 100644 index e0ce370..0000000 --- a/trust/builder.c +++ /dev/null @@ -1,1872 +0,0 @@ -/* - * Copyright (C) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#define P11_DEBUG_FLAG P11_DEBUG_TRUST - -#include "array.h" -#include "asn1.h" -#include "attrs.h" -#include "builder.h" -#include "constants.h" -#include "debug.h" -#include "digest.h" -#include "index.h" -#include "message.h" -#include "oid.h" -#include "pkcs11i.h" -#include "pkcs11x.h" -#include "utf8.h" -#include "x509.h" - -#include <assert.h> -#include <stdlib.h> -#include <string.h> - -struct _p11_builder { - p11_asn1_cache *asn1_cache; - p11_dict *asn1_defs; - int flags; -}; - -enum { - NONE = 0, - CREATE = 1 << 0, - MODIFY = 1 << 1, - REQUIRE = 1 << 2, - WANT = 1 << 3, -}; - -enum { - NORMAL_BUILD = 0, - GENERATED_CLASS = 1 << 0, -}; - -typedef struct { - int build_flags; - struct { - CK_ATTRIBUTE_TYPE type; - int flags; - bool (*validate) (p11_builder *, CK_ATTRIBUTE *); - } attrs[32]; - CK_ATTRIBUTE * (*populate) (p11_builder *, p11_index *, CK_ATTRIBUTE *); - CK_RV (*validate) (p11_builder *, CK_ATTRIBUTE *, CK_ATTRIBUTE *); -} builder_schema; - -static node_asn * -decode_or_get_asn1 (p11_builder *builder, - const char *struct_name, - const unsigned char *der, - size_t length) -{ - node_asn *node; - - node = p11_asn1_cache_get (builder->asn1_cache, struct_name, der, length); - if (node != NULL) - return node; - - node = p11_asn1_decode (builder->asn1_defs, struct_name, der, length, NULL); - if (node != NULL) - p11_asn1_cache_take (builder->asn1_cache, node, struct_name, der, length); - - return node; -} - -static unsigned char * -lookup_extension (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *cert, - CK_ATTRIBUTE *public_key, - const unsigned char *oid, - size_t *ext_len) -{ - CK_OBJECT_CLASS klass = CKO_X_CERTIFICATE_EXTENSION; - CK_OBJECT_HANDLE obj; - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *label; - void *value; - size_t length; - node_asn *node; - - CK_ATTRIBUTE match[] = { - { CKA_PUBLIC_KEY_INFO, }, - { CKA_OBJECT_ID, (void *)oid, p11_oid_length (oid) }, - { CKA_CLASS, &klass, sizeof (klass) }, - { CKA_INVALID }, - }; - - if (public_key == NULL || public_key->type == CKA_INVALID) - public_key = p11_attrs_find_valid (cert, CKA_PUBLIC_KEY_INFO); - - /* Look for an attached certificate extension */ - if (public_key != NULL) { - memcpy (match, public_key, sizeof (CK_ATTRIBUTE)); - obj = p11_index_find (index, match, -1); - attrs = p11_index_lookup (index, obj); - if (attrs != NULL) { - value = p11_attrs_find_value (attrs, CKA_VALUE, &length); - if (value != NULL) { - node = decode_or_get_asn1 (builder, "PKIX1.Extension", value, length); - if (node == NULL) { - label = p11_attrs_find_valid (attrs, CKA_LABEL); - if (label == NULL) - label = p11_attrs_find_valid (cert, CKA_LABEL); - p11_message ("%.*s: invalid certificate extension", - label ? (int)label->ulValueLen : 7, - label ? (char *)label->pValue : "unknown"); - return NULL; - } - return p11_asn1_read (node, "extnValue", ext_len); - } - } - } - - /* Couldn't find a parsed extension, so look in the current certificate */ - value = p11_attrs_find_value (cert, CKA_VALUE, &length); - if (value != NULL) { - node = decode_or_get_asn1 (builder, "PKIX1.Certificate", value, length); - return_val_if_fail (node != NULL, NULL); - return p11_x509_find_extension (node, oid, value, length, ext_len); - } - - return NULL; -} - -static CK_OBJECT_HANDLE * -lookup_related (p11_index *index, - CK_OBJECT_CLASS klass, - CK_ATTRIBUTE *attr) -{ - CK_ATTRIBUTE match[] = { - { attr->type, attr->pValue, attr->ulValueLen }, - { CKA_CLASS, &klass, sizeof (klass) }, - { CKA_INVALID } - }; - - return p11_index_find_all (index, match, -1); -} - -p11_builder * -p11_builder_new (int flags) -{ - p11_builder *builder; - - builder = calloc (1, sizeof (p11_builder)); - return_val_if_fail (builder != NULL, NULL); - - builder->asn1_cache = p11_asn1_cache_new (); - return_val_if_fail (builder->asn1_cache, NULL); - builder->asn1_defs = p11_asn1_cache_defs (builder->asn1_cache); - - builder->flags = flags; - return builder; -} - -static int -atoin (const char *p, - int digits) -{ - int ret = 0, base = 1; - while(--digits >= 0) { - if (p[digits] < '0' || p[digits] > '9') - return -1; - ret += (p[digits] - '0') * base; - base *= 10; - } - return ret; -} - -static bool -type_bool (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - return (attr->pValue != NULL && - sizeof (CK_BBOOL) == attr->ulValueLen); -} - -static bool -type_ulong (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - return (attr->pValue != NULL && - sizeof (CK_ULONG) == attr->ulValueLen); -} - -static bool -type_utf8 (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - if (attr->ulValueLen == 0) - return true; - if (attr->pValue == NULL) - return false; - return p11_utf8_validate (attr->pValue, attr->ulValueLen); -} - -static bool -type_date (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - CK_DATE *date; - struct tm tm; - struct tm two; - - if (attr->ulValueLen == 0) - return true; - if (attr->pValue == NULL || attr->ulValueLen != sizeof (CK_DATE)) - return false; - - date = attr->pValue; - memset (&tm, 0, sizeof (tm)); - tm.tm_year = atoin ((char *)date->year, 4) - 1900; - tm.tm_mon = atoin ((char *)date->month, 2); - tm.tm_mday = atoin ((char *)date->day, 2); - - if (tm.tm_year < 0 || tm.tm_mon <= 0 || tm.tm_mday <= 0) - return false; - - memcpy (&two, &tm, sizeof (tm)); - if (mktime (&two) < 0) - return false; - - /* If mktime changed anything, then bad date */ - if (tm.tm_year != two.tm_year || - tm.tm_mon != two.tm_mon || - tm.tm_mday != two.tm_mday) - return false; - - return true; -} - -static bool -check_der_struct (p11_builder *builder, - const char *struct_name, - CK_ATTRIBUTE *attr) -{ - node_asn *asn; - - if (attr->ulValueLen == 0) - return true; - if (attr->pValue == NULL) - return false; - - asn = p11_asn1_decode (builder->asn1_defs, struct_name, - attr->pValue, attr->ulValueLen, NULL); - - if (asn == NULL) - return false; - - asn1_delete_structure (&asn); - return true; -} - -static bool -type_der_name (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - return check_der_struct (builder, "PKIX1.Name", attr); -} - -static bool -type_der_serial (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - return check_der_struct (builder, "PKIX1.CertificateSerialNumber", attr); -} - -static bool -type_der_oid (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - /* AttributeType is an OBJECT ID */ - return check_der_struct (builder, "PKIX1.AttributeType", attr); -} - -static bool -type_der_cert (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - return check_der_struct (builder, "PKIX1.Certificate", attr); -} - -static bool -type_der_key (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - return check_der_struct (builder, "PKIX1.SubjectPublicKeyInfo", attr); -} - -static bool -type_der_ext (p11_builder *builder, - CK_ATTRIBUTE *attr) -{ - return check_der_struct (builder, "PKIX1.Extension", attr); -} - -#define COMMON_ATTRS \ - { CKA_CLASS, REQUIRE | CREATE, type_ulong }, \ - { CKA_TOKEN, CREATE | WANT, type_bool }, \ - { CKA_MODIFIABLE, CREATE | WANT, type_bool }, \ - { CKA_PRIVATE, CREATE, type_bool }, \ - { CKA_LABEL, CREATE | MODIFY | WANT, type_utf8 }, \ - { CKA_X_GENERATED, CREATE }, \ - { CKA_X_ORIGIN, NONE } \ - -static CK_ATTRIBUTE * -common_populate (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *unused) -{ - CK_BBOOL tokenv = CK_FALSE; - CK_BBOOL modifiablev = CK_TRUE; - CK_BBOOL privatev = CK_FALSE; - CK_BBOOL generatedv = CK_FALSE; - - CK_ATTRIBUTE token = { CKA_TOKEN, &tokenv, sizeof (tokenv), }; - CK_ATTRIBUTE privat = { CKA_PRIVATE, &privatev, sizeof (privatev) }; - CK_ATTRIBUTE modifiable = { CKA_MODIFIABLE, &modifiablev, sizeof (modifiablev) }; - CK_ATTRIBUTE generated = { CKA_X_GENERATED, &generatedv, sizeof (generatedv) }; - CK_ATTRIBUTE label = { CKA_LABEL, "", 0 }; - - if (builder->flags & P11_BUILDER_FLAG_TOKEN) { - tokenv = CK_TRUE; - modifiablev = CK_FALSE; - } - - return p11_attrs_build (NULL, &token, &privat, &modifiable, &label, &generated, NULL); -} - -static void -calc_check_value (const unsigned char *data, - size_t length, - CK_BYTE *check_value) -{ - unsigned char checksum[P11_DIGEST_SHA1_LEN]; - p11_digest_sha1 (checksum, data, length, NULL); - memcpy (check_value, checksum, 3); -} - -static int -century_for_two_digit_year (int year) -{ - time_t now; - struct tm tm; - int century, current; - - return_val_if_fail (year >= 0 && year <= 99, -1); - - /* Get the current year */ - now = time (NULL); - return_val_if_fail (now >= 0, -1); - if (!gmtime_r (&now, &tm)) - return_val_if_reached (-1); - - current = (tm.tm_year % 100); - century = (tm.tm_year + 1900) - current; - - /* - * Check if it's within 40 years before the - * current date. - */ - if (current < 40) { - if (year < current) - return century; - if (year > 100 - (40 - current)) - return century - 100; - } else { - if (year < current && year > (current - 40)) - return century; - } - - /* - * If it's after then adjust for overflows to - * the next century. - */ - if (year < current) - return century + 100; - else - return century; -} - -static bool -calc_date (node_asn *node, - const char *field, - CK_DATE *date) -{ - node_asn *choice; - char buf[64]; - int century; - char *sub; - int year; - int len; - int ret; - - if (!node) - return false; - - choice = asn1_find_node (node, field); - return_val_if_fail (choice != NULL, false); - - len = sizeof (buf) - 1; - ret = asn1_read_value (node, field, buf, &len); - return_val_if_fail (ret == ASN1_SUCCESS, false); - - sub = strconcat (field, ".", buf, NULL); - - /* - * So here we take a shortcut and just copy the date from the - * certificate into the CK_DATE. This doesn't take into account - * time zones. However the PKCS#11 spec does not say what timezone - * the dates are in. In the PKCS#11 value have a day resolution, - * and time zones aren't that critical. - */ - - if (strcmp (buf, "generalTime") == 0) { - len = sizeof (buf) - 1; - ret = asn1_read_value (node, sub, buf, &len); - return_val_if_fail (ret == ASN1_SUCCESS, false); - return_val_if_fail (len >= 8, false); - - /* Same as first 8 characters of date */ - memcpy (date, buf, 8); - - } else if (strcmp (buf, "utcTime") == 0) { - len = sizeof (buf) - 1; - ret = asn1_read_value (node, sub, buf, &len); - return_val_if_fail (ret == ASN1_SUCCESS, false); - return_val_if_fail (len >= 6, false); - - year = atoin (buf, 2); - return_val_if_fail (year >= 0, false); - - century = century_for_two_digit_year (year); - return_val_if_fail (century >= 0, false); - - snprintf ((char *)date->year, 3, "%02d", century); - memcpy (((char *)date) + 2, buf, 6); - - } else { - return_val_if_reached (false); - } - - free (sub); - return true; -} - -static bool -calc_element (node_asn *node, - const unsigned char *data, - size_t length, - const char *field, - CK_ATTRIBUTE *attr) -{ - int ret; - int start, end; - - if (!node) - return false; - - ret = asn1_der_decoding_startEnd (node, data, length, field, &start, &end); - return_val_if_fail (ret == ASN1_SUCCESS, false); - return_val_if_fail (end >= start, false); - - attr->pValue = (void *)(data + start); - attr->ulValueLen = (end - start) + 1; - return true; -} - -static bool -is_v1_x509_authority (p11_builder *builder, - CK_ATTRIBUTE *cert) -{ - CK_ATTRIBUTE subject; - CK_ATTRIBUTE issuer; - CK_ATTRIBUTE *value; - char buffer[16]; - node_asn *node; - int len; - int ret; - - value = p11_attrs_find_valid (cert, CKA_VALUE); - if (value == NULL) - return false; - - node = decode_or_get_asn1 (builder, "PKIX1.Certificate", - value->pValue, value->ulValueLen); - return_val_if_fail (node != NULL, false); - - len = sizeof (buffer); - ret = asn1_read_value (node, "tbsCertificate.version", buffer, &len); - - /* The default value */ - if (ret == ASN1_ELEMENT_NOT_FOUND) { - ret = ASN1_SUCCESS; - buffer[0] = 0; - len = 1; - } - - return_val_if_fail (ret == ASN1_SUCCESS, false); - - /* - * In X.509 version v1 is the integer zero. Two's complement - * integer, but zero is easy to read. - */ - if (len != 1 || buffer[0] != 0) - return false; - - /* Must be self-signed, ie: same subject and issuer */ - if (!calc_element (node, value->pValue, value->ulValueLen, "tbsCertificate.subject", &subject)) - return_val_if_reached (false); - if (!calc_element (node, value->pValue, value->ulValueLen, "tbsCertificate.issuer", &issuer)) - return_val_if_reached (false); - return p11_attr_match_value (&subject, issuer.pValue, issuer.ulValueLen); -} - -static bool -calc_certificate_category (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *cert, - CK_ATTRIBUTE *public_key, - CK_ULONG *category) -{ - CK_ATTRIBUTE *label; - unsigned char *ext; - size_t ext_len; - bool is_ca = 0; - bool ret; - - /* - * In the PKCS#11 spec: - * 0 = unspecified (default value) - * 1 = token user - * 2 = authority - * 3 = other entity - */ - - /* See if we have a basic constraints extension */ - ext = lookup_extension (builder, index, cert, public_key, P11_OID_BASIC_CONSTRAINTS, &ext_len); - if (ext != NULL) { - ret = p11_x509_parse_basic_constraints (builder->asn1_defs, ext, ext_len, &is_ca); - free (ext); - if (!ret) { - label = p11_attrs_find_valid (cert, CKA_LABEL); - p11_message ("%.*s: invalid basic constraints certificate extension", - label ? (int)label->ulValueLen : 7, - label ? (char *)label->pValue : "unknown"); - return false; - } - - } else if (is_v1_x509_authority (builder, cert)) { - /* - * If there is no basic constraints extension, and the CA version is - * v1, and is self-signed, then we assume this is a certificate authority. - * So we add a BasicConstraints attached certificate extension - */ - is_ca = 1; - - } else if (!p11_attrs_find_valid (cert, CKA_VALUE)) { - /* - * If we have no certificate value, then this is unknown - */ - *category = 0; - return true; - - } - - *category = is_ca ? 2 : 3; - return true; -} - -static CK_ATTRIBUTE * -certificate_value_attrs (p11_builder *builder, - CK_ATTRIBUTE *attrs, - node_asn *node, - const unsigned char *der, - size_t der_len, - CK_ATTRIBUTE *public_key) -{ - unsigned char checksum[P11_DIGEST_SHA1_LEN]; - unsigned char *keyid = NULL; - size_t keyid_len; - unsigned char *ext = NULL; - size_t ext_len; - CK_BBOOL falsev = CK_FALSE; - CK_ULONG zero = 0UL; - CK_BYTE checkv[3]; - CK_DATE startv; - CK_DATE endv; - char *labelv = NULL; - - CK_ATTRIBUTE trusted = { CKA_TRUSTED, &falsev, sizeof (falsev) }; - CK_ATTRIBUTE distrusted = { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }; - CK_ATTRIBUTE url = { CKA_URL, "", 0 }; - CK_ATTRIBUTE hash_of_subject_public_key = { CKA_HASH_OF_SUBJECT_PUBLIC_KEY, checksum, sizeof (checksum) }; - CK_ATTRIBUTE hash_of_issuer_public_key = { CKA_HASH_OF_ISSUER_PUBLIC_KEY, "", 0 }; - CK_ATTRIBUTE java_midp_security_domain = { CKA_JAVA_MIDP_SECURITY_DOMAIN, &zero, sizeof (zero) }; - CK_ATTRIBUTE check_value = { CKA_CHECK_VALUE, &checkv, sizeof (checkv) }; - CK_ATTRIBUTE start_date = { CKA_START_DATE, &startv, sizeof (startv) }; - CK_ATTRIBUTE end_date = { CKA_END_DATE, &endv, sizeof (endv) }; - CK_ATTRIBUTE subject = { CKA_SUBJECT, }; - CK_ATTRIBUTE issuer = { CKA_ISSUER, "", 0 }; - CK_ATTRIBUTE serial_number = { CKA_SERIAL_NUMBER, "", 0 }; - CK_ATTRIBUTE label = { CKA_LABEL }; - CK_ATTRIBUTE id = { CKA_ID, NULL, 0 }; - - return_val_if_fail (attrs != NULL, NULL); - - if (der == NULL) - check_value.type = CKA_INVALID; - else - calc_check_value (der, der_len, checkv); - - if (!calc_date (node, "tbsCertificate.validity.notBefore", &startv)) - start_date.ulValueLen = 0; - if (!calc_date (node, "tbsCertificate.validity.notAfter", &endv)) - end_date.ulValueLen = 0; - - if (calc_element (node, der, der_len, "tbsCertificate.subjectPublicKeyInfo", public_key)) - public_key->type = CKA_PUBLIC_KEY_INFO; - else - public_key->type = CKA_INVALID; - calc_element (node, der, der_len, "tbsCertificate.issuer.rdnSequence", &issuer); - if (!calc_element (node, der, der_len, "tbsCertificate.subject.rdnSequence", &subject)) - subject.type = CKA_INVALID; - calc_element (node, der, der_len, "tbsCertificate.serialNumber", &serial_number); - - /* Try to build a keyid from an extension */ - if (node) { - ext = p11_x509_find_extension (node, P11_OID_SUBJECT_KEY_IDENTIFIER, der, der_len, &ext_len); - if (ext) { - keyid = p11_x509_parse_subject_key_identifier (builder->asn1_defs, ext, - ext_len, &keyid_len); - id.pValue = keyid; - id.ulValueLen = keyid_len; - } - } - - if (!node || !p11_x509_hash_subject_public_key (node, der, der_len, checksum)) - hash_of_subject_public_key.ulValueLen = 0; - - if (id.pValue == NULL) { - id.pValue = hash_of_subject_public_key.pValue; - id.ulValueLen = hash_of_subject_public_key.ulValueLen; - } - - if (node) { - labelv = p11_x509_lookup_dn_name (node, "tbsCertificate.subject", - der, der_len, P11_OID_CN); - if (!labelv) - labelv = p11_x509_lookup_dn_name (node, "tbsCertificate.subject", - der, der_len, P11_OID_OU); - if (!labelv) - labelv = p11_x509_lookup_dn_name (node, "tbsCertificate.subject", - der, der_len, P11_OID_O); - } - - if (labelv) { - label.pValue = labelv; - label.ulValueLen = strlen (labelv); - } else { - label.type = CKA_INVALID; - } - - attrs = p11_attrs_build (attrs, &trusted, &distrusted, &url, &hash_of_issuer_public_key, - &hash_of_subject_public_key, &java_midp_security_domain, - &check_value, &start_date, &end_date, &id, - &subject, &issuer, &serial_number, &label, public_key, - NULL); - return_val_if_fail (attrs != NULL, NULL); - - free (ext); - free (keyid); - free (labelv); - return attrs; -} - -static CK_ATTRIBUTE * -certificate_populate (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *cert) -{ - CK_ULONG categoryv = 0UL; - CK_ATTRIBUTE *attrs = NULL; - CK_ATTRIBUTE public_key; - node_asn *node = NULL; - unsigned char *der = NULL; - size_t der_len = 0; - - CK_ATTRIBUTE category = { CKA_CERTIFICATE_CATEGORY, &categoryv, sizeof (categoryv) }; - CK_ATTRIBUTE empty_value = { CKA_VALUE, "", 0 }; - - attrs = common_populate (builder, index, cert); - return_val_if_fail (attrs != NULL, NULL); - - der = p11_attrs_find_value (cert, CKA_VALUE, &der_len); - if (der != NULL) - node = decode_or_get_asn1 (builder, "PKIX1.Certificate", der, der_len); - - attrs = certificate_value_attrs (builder, attrs, node, der, der_len, &public_key); - return_val_if_fail (attrs != NULL, NULL); - - if (!calc_certificate_category (builder, index, cert, &public_key, &categoryv)) - categoryv = 0; - - return p11_attrs_build (attrs, &category, &empty_value, NULL); -} - -static bool -have_attribute (CK_ATTRIBUTE *attrs1, - CK_ATTRIBUTE *attrs2, - CK_ATTRIBUTE_TYPE type) -{ - CK_ATTRIBUTE *attr; - - attr = p11_attrs_find (attrs1, type); - if (attr == NULL) - attr = p11_attrs_find (attrs2, type); - return attr != NULL && attr->ulValueLen > 0; -} - -static CK_RV -certificate_validate (p11_builder *builder, - CK_ATTRIBUTE *attrs, - CK_ATTRIBUTE *merge) -{ - /* - * In theory we should be validating that in the absence of CKA_VALUE - * various other fields must be set. However we do not enforce this - * because we want to be able to have certificates without a value - * but issuer and serial number, for blacklisting purposes. - */ - - if (have_attribute (attrs, merge, CKA_URL)) { - if (!have_attribute (attrs, merge, CKA_HASH_OF_SUBJECT_PUBLIC_KEY)) { - p11_message ("missing the CKA_HASH_OF_SUBJECT_PUBLIC_KEY attribute"); - return CKR_TEMPLATE_INCONSISTENT; - } - - if (!have_attribute (attrs, merge, CKA_HASH_OF_SUBJECT_PUBLIC_KEY)) { - p11_message ("missing the CKA_HASH_OF_ISSUER_PUBLIC_KEY attribute"); - return CKR_TEMPLATE_INCONSISTENT; - } - } - - return CKR_OK; -} - -const static builder_schema certificate_schema = { - NORMAL_BUILD, - { COMMON_ATTRS, - { CKA_CERTIFICATE_TYPE, REQUIRE | CREATE, type_ulong }, - { CKA_TRUSTED, CREATE | WANT, type_bool }, - { CKA_X_DISTRUSTED, CREATE | WANT, type_bool }, - { CKA_CERTIFICATE_CATEGORY, CREATE | WANT, type_ulong }, - { CKA_CHECK_VALUE, CREATE | WANT, }, - { CKA_START_DATE, CREATE | MODIFY | WANT, type_date }, - { CKA_END_DATE, CREATE | MODIFY | WANT, type_date }, - { CKA_SUBJECT, CREATE | WANT, type_der_name }, - { CKA_ID, CREATE | MODIFY | WANT }, - { CKA_ISSUER, CREATE | MODIFY | WANT, type_der_name }, - { CKA_SERIAL_NUMBER, CREATE | MODIFY | WANT, type_der_serial }, - { CKA_VALUE, CREATE, type_der_cert }, - { CKA_URL, CREATE, type_utf8 }, - { CKA_HASH_OF_SUBJECT_PUBLIC_KEY, CREATE }, - { CKA_HASH_OF_ISSUER_PUBLIC_KEY, CREATE }, - { CKA_JAVA_MIDP_SECURITY_DOMAIN, CREATE, type_ulong }, - { CKA_PUBLIC_KEY_INFO, WANT, type_der_key }, - { CKA_INVALID }, - }, certificate_populate, certificate_validate, -}; - -static CK_ATTRIBUTE * -extension_populate (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *extension) -{ - unsigned char checksum[P11_DIGEST_SHA1_LEN]; - CK_ATTRIBUTE object_id = { CKA_INVALID }; - CK_ATTRIBUTE id = { CKA_INVALID }; - CK_ATTRIBUTE *attrs = NULL; - - void *der; - size_t len; - node_asn *asn; - - attrs = common_populate (builder, index, extension); - return_val_if_fail (attrs != NULL, NULL); - - if (!p11_attrs_find_valid (attrs, CKA_ID)) { - der = p11_attrs_find_value (extension, CKA_PUBLIC_KEY_INFO, &len); - return_val_if_fail (der != NULL, NULL); - - p11_digest_sha1 (checksum, der, len, NULL); - id.pValue = checksum; - id.ulValueLen = sizeof (checksum); - id.type = CKA_ID; - } - - /* Pull the object id out of the extension if not present */ - if (!p11_attrs_find_valid (attrs, CKA_OBJECT_ID)) { - der = p11_attrs_find_value (extension, CKA_VALUE, &len); - return_val_if_fail (der != NULL, NULL); - - asn = decode_or_get_asn1 (builder, "PKIX1.Extension", der, len); - return_val_if_fail (asn != NULL, NULL); - - if (calc_element (asn, der, len, "extnID", &object_id)) - object_id.type = CKA_OBJECT_ID; - } - - attrs = p11_attrs_build (attrs, &object_id, &id, NULL); - return_val_if_fail (attrs != NULL, NULL); - - return attrs; -} - -const static builder_schema extension_schema = { - NORMAL_BUILD, - { COMMON_ATTRS, - { CKA_VALUE, REQUIRE | CREATE, type_der_ext }, - { CKA_PUBLIC_KEY_INFO, REQUIRE | CREATE, type_der_key }, - { CKA_OBJECT_ID, CREATE | WANT, type_der_oid }, - { CKA_ID, CREATE | MODIFY }, - { CKA_INVALID }, - }, extension_populate, -}; - -static CK_ATTRIBUTE * -data_populate (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *data) -{ - static const CK_ATTRIBUTE value = { CKA_VALUE, "", 0 }; - static const CK_ATTRIBUTE application = { CKA_APPLICATION, "", 0 }; - static const CK_ATTRIBUTE object_id = { CKA_OBJECT_ID, "", 0 }; - CK_ATTRIBUTE *attrs; - - attrs = common_populate (builder, index, data); - return_val_if_fail (attrs != NULL, NULL); - - return p11_attrs_build (attrs, &value, &application, &object_id, NULL); -} - -const static builder_schema data_schema = { - NORMAL_BUILD, - { COMMON_ATTRS, - { CKA_VALUE, CREATE | MODIFY | WANT }, - { CKA_APPLICATION, CREATE | MODIFY | WANT, type_utf8 }, - { CKA_OBJECT_ID, CREATE | MODIFY | WANT, type_der_oid }, - { CKA_INVALID }, - }, data_populate, -}; - -const static builder_schema trust_schema = { - GENERATED_CLASS, - { COMMON_ATTRS, - { CKA_CERT_SHA1_HASH, CREATE }, - { CKA_CERT_MD5_HASH, CREATE }, - { CKA_ISSUER, CREATE }, - { CKA_SUBJECT, CREATE }, - { CKA_SERIAL_NUMBER, CREATE }, - { CKA_TRUST_SERVER_AUTH, CREATE }, - { CKA_TRUST_CLIENT_AUTH, CREATE }, - { CKA_TRUST_EMAIL_PROTECTION, CREATE }, - { CKA_TRUST_CODE_SIGNING, CREATE }, - { CKA_TRUST_IPSEC_END_SYSTEM, CREATE }, - { CKA_TRUST_IPSEC_TUNNEL, CREATE }, - { CKA_TRUST_IPSEC_USER, CREATE }, - { CKA_TRUST_TIME_STAMPING, CREATE }, - { CKA_TRUST_DIGITAL_SIGNATURE, CREATE }, - { CKA_TRUST_NON_REPUDIATION, CREATE }, - { CKA_TRUST_KEY_ENCIPHERMENT, CREATE }, - { CKA_TRUST_DATA_ENCIPHERMENT, CREATE }, - { CKA_TRUST_KEY_AGREEMENT, CREATE }, - { CKA_TRUST_KEY_CERT_SIGN, CREATE }, - { CKA_TRUST_CRL_SIGN, CREATE }, - { CKA_TRUST_STEP_UP_APPROVED, CREATE }, - { CKA_ID, CREATE }, - { CKA_INVALID }, - }, common_populate -}; - -const static builder_schema assertion_schema = { - GENERATED_CLASS, - { COMMON_ATTRS, - { CKA_X_PURPOSE, REQUIRE | CREATE }, - { CKA_X_CERTIFICATE_VALUE, CREATE }, - { CKA_X_ASSERTION_TYPE, REQUIRE | CREATE }, - { CKA_ISSUER, CREATE }, - { CKA_SERIAL_NUMBER, CREATE }, - { CKA_X_PEER, CREATE }, - { CKA_ID, CREATE }, - { CKA_INVALID }, - }, common_populate -}; - -const static builder_schema builtin_schema = { - GENERATED_CLASS, - { COMMON_ATTRS, - { CKA_INVALID }, - }, common_populate -}; - -static const char * -value_name (const p11_constant *info, - CK_ATTRIBUTE_TYPE type) -{ - const char *name = p11_constant_name (info, type); - return name ? name : "unknown"; -} - -static const char * -type_name (CK_ATTRIBUTE_TYPE type) -{ - return value_name (p11_constant_types, type); -} - -static CK_RV -build_for_schema (p11_builder *builder, - p11_index *index, - const builder_schema *schema, - CK_ATTRIBUTE *attrs, - CK_ATTRIBUTE *merge, - CK_ATTRIBUTE **extra) -{ - CK_BBOOL modifiable; - CK_ATTRIBUTE *attr; - bool modifying; - bool creating; - bool populate; - bool loading; - bool found; - int flags; - int i, j; - CK_RV rv; - - populate = false; - - /* Signifies that data is being loaded */ - loading = p11_index_loading (index); - - /* Signifies that this is being created by a caller, instead of loaded */ - creating = (attrs == NULL && !loading); - - /* Item is being modified by a caller */ - modifying = (attrs != NULL && !loading); - - /* This item may not be modifiable */ - if (modifying) { - if (!p11_attrs_find_bool (attrs, CKA_MODIFIABLE, &modifiable) || !modifiable) { - p11_message ("the object is not modifiable"); - return CKR_ATTRIBUTE_READ_ONLY; - } - } - - if (creating && (builder->flags & P11_BUILDER_FLAG_TOKEN)) { - if (schema->build_flags & GENERATED_CLASS) { - p11_message ("objects of this type cannot be created"); - return CKR_TEMPLATE_INCONSISTENT; - } - } - - for (i = 0; merge[i].type != CKA_INVALID; i++) { - - /* Don't validate attribute if not changed */ - attr = p11_attrs_find (attrs, merge[i].type); - if (attr && p11_attr_equal (attr, merge + i)) - continue; - - found = false; - for (j = 0; schema->attrs[j].type != CKA_INVALID; j++) { - if (schema->attrs[j].type != merge[i].type) - continue; - - flags = schema->attrs[j].flags; - if (creating && !(flags & CREATE)) { - p11_message ("the %s attribute cannot be set", - type_name (schema->attrs[j].type)); - return CKR_ATTRIBUTE_READ_ONLY; - } - if (modifying && !(flags & MODIFY)) { - p11_message ("the %s attribute cannot be changed", - type_name (schema->attrs[j].type)); - return CKR_ATTRIBUTE_READ_ONLY; - } - if (!loading && schema->attrs[j].validate != NULL && - !schema->attrs[j].validate (builder, merge + i)) { - p11_message ("the %s attribute has an invalid value", - type_name (schema->attrs[j].type)); - return CKR_ATTRIBUTE_VALUE_INVALID; - } - found = true; - break; - } - - if (!found) { - p11_message ("the %s attribute is not valid for the object", - type_name (merge[i].type)); - return CKR_TEMPLATE_INCONSISTENT; - } - } - - if (attrs == NULL) { - for (j = 0; schema->attrs[j].type != CKA_INVALID; j++) { - flags = schema->attrs[j].flags; - found = false; - - if ((flags & REQUIRE) || (flags & WANT)) { - for (i = 0; merge[i].type != CKA_INVALID; i++) { - if (schema->attrs[j].type == merge[i].type) { - found = true; - break; - } - } - } - - if (!found) { - if (flags & REQUIRE) { - p11_message ("missing the %s attribute", - type_name (schema->attrs[j].type)); - return CKR_TEMPLATE_INCOMPLETE; - } else if (flags & WANT) { - populate = true; - } - } - } - } - - /* Validate the result, before committing to the change. */ - if (!loading && schema->validate) { - rv = (schema->validate) (builder, attrs, merge); - if (rv != CKR_OK) - return rv; - } - - if (populate && schema->populate) - *extra = schema->populate (builder, index, merge); - - return CKR_OK; -} - -CK_RV -p11_builder_build (void *bilder, - p11_index *index, - CK_ATTRIBUTE *attrs, - CK_ATTRIBUTE *merge, - CK_ATTRIBUTE **populate) -{ - p11_builder *builder = bilder; - CK_OBJECT_CLASS klass; - CK_CERTIFICATE_TYPE type; - CK_BBOOL token; - - return_val_if_fail (builder != NULL, CKR_GENERAL_ERROR); - return_val_if_fail (index != NULL, CKR_GENERAL_ERROR); - return_val_if_fail (merge != NULL, CKR_GENERAL_ERROR); - - if (!p11_attrs_find_ulong (attrs ? attrs : merge, CKA_CLASS, &klass)) { - p11_message ("no CKA_CLASS attribute found"); - return CKR_TEMPLATE_INCOMPLETE; - } - - if (!attrs && p11_attrs_find_bool (merge, CKA_TOKEN, &token)) { - if (token != ((builder->flags & P11_BUILDER_FLAG_TOKEN) ? CK_TRUE : CK_FALSE)) { - p11_message ("cannot create a %s object", token ? "token" : "non-token"); - return CKR_TEMPLATE_INCONSISTENT; - } - } - - switch (klass) { - case CKO_CERTIFICATE: - if (!p11_attrs_find_ulong (attrs ? attrs : merge, CKA_CERTIFICATE_TYPE, &type)) { - p11_message ("missing %s on object", type_name (CKA_CERTIFICATE_TYPE)); - return CKR_TEMPLATE_INCOMPLETE; - } else if (type == CKC_X_509) { - return build_for_schema (builder, index, &certificate_schema, attrs, merge, populate); - } else { - p11_message ("%s unsupported %s", value_name (p11_constant_certs, type), - type_name (CKA_CERTIFICATE_TYPE)); - return CKR_TEMPLATE_INCONSISTENT; - } - - case CKO_X_CERTIFICATE_EXTENSION: - return build_for_schema (builder, index, &extension_schema, attrs, merge, populate); - - case CKO_DATA: - return build_for_schema (builder, index, &data_schema, attrs, merge, populate); - - case CKO_NSS_TRUST: - return build_for_schema (builder, index, &trust_schema, attrs, merge, populate); - - case CKO_NSS_BUILTIN_ROOT_LIST: - return build_for_schema (builder, index, &builtin_schema, attrs, merge, populate); - - case CKO_X_TRUST_ASSERTION: - return build_for_schema (builder, index, &assertion_schema, attrs, merge, populate); - - default: - p11_message ("%s unsupported object class", - value_name (p11_constant_classes, klass)); - return CKR_TEMPLATE_INCONSISTENT; - } -} - -void -p11_builder_free (p11_builder *builder) -{ - return_if_fail (builder != NULL); - - p11_asn1_cache_free (builder->asn1_cache); - free (builder); -} - -p11_asn1_cache * -p11_builder_get_cache (p11_builder *builder) -{ - return_val_if_fail (builder != NULL, NULL); - return builder->asn1_cache; -} - -static CK_ATTRIBUTE * -build_trust_object_ku (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *cert, - CK_ATTRIBUTE *object, - CK_TRUST present) -{ - unsigned char *data = NULL; - unsigned int ku = 0; - size_t length; - CK_TRUST defawlt; - CK_ULONG i; - - struct { - CK_ATTRIBUTE_TYPE type; - unsigned int ku; - } ku_attribute_map[] = { - { CKA_TRUST_DIGITAL_SIGNATURE, P11_KU_DIGITAL_SIGNATURE }, - { CKA_TRUST_NON_REPUDIATION, P11_KU_NON_REPUDIATION }, - { CKA_TRUST_KEY_ENCIPHERMENT, P11_KU_KEY_ENCIPHERMENT }, - { CKA_TRUST_DATA_ENCIPHERMENT, P11_KU_DATA_ENCIPHERMENT }, - { CKA_TRUST_KEY_AGREEMENT, P11_KU_KEY_AGREEMENT }, - { CKA_TRUST_KEY_CERT_SIGN, P11_KU_KEY_CERT_SIGN }, - { CKA_TRUST_CRL_SIGN, P11_KU_CRL_SIGN }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE attrs[sizeof (ku_attribute_map)]; - - defawlt = present; - - /* If blacklisted, don't even bother looking at extensions */ - if (present != CKT_NSS_NOT_TRUSTED) - data = lookup_extension (builder, index, cert, NULL, P11_OID_KEY_USAGE, &length); - - if (data) { - /* - * If the certificate extension was missing, then *all* key - * usages are to be set. If the extension was invalid, then - * fail safe to none of the key usages. - */ - defawlt = CKT_NSS_TRUST_UNKNOWN; - - if (!p11_x509_parse_key_usage (builder->asn1_defs, data, length, &ku)) - p11_message ("invalid key usage certificate extension"); - free (data); - } - - for (i = 0; ku_attribute_map[i].type != CKA_INVALID; i++) { - attrs[i].type = ku_attribute_map[i].type; - if (data && (ku & ku_attribute_map[i].ku) == ku_attribute_map[i].ku) { - attrs[i].pValue = &present; - attrs[i].ulValueLen = sizeof (present); - } else { - attrs[i].pValue = &defawlt; - attrs[i].ulValueLen = sizeof (defawlt); - } - } - - return p11_attrs_buildn (object, attrs, i); -} - -static bool -strv_to_dict (const char **array, - p11_dict **dict) -{ - int i; - - if (!array) { - *dict = NULL; - return true; - } - - *dict = p11_dict_new (p11_dict_str_hash, p11_dict_str_equal, NULL, NULL); - return_val_if_fail (*dict != NULL, false); - - for (i = 0; array[i] != NULL; i++) { - if (!p11_dict_set (*dict, (void *)array[i], (void *)array[i])) - return_val_if_reached (false); - } - - return true; -} - -static CK_ATTRIBUTE * -build_trust_object_eku (CK_ATTRIBUTE *object, - CK_TRUST allow, - const char **purposes, - const char **rejects) -{ - p11_dict *dict_purp; - p11_dict *dict_rej; - CK_TRUST neutral; - CK_TRUST disallow; - CK_ULONG i; - - struct { - CK_ATTRIBUTE_TYPE type; - const char *oid; - } eku_attribute_map[] = { - { CKA_TRUST_SERVER_AUTH, P11_OID_SERVER_AUTH_STR }, - { CKA_TRUST_CLIENT_AUTH, P11_OID_CLIENT_AUTH_STR }, - { CKA_TRUST_CODE_SIGNING, P11_OID_CODE_SIGNING_STR }, - { CKA_TRUST_EMAIL_PROTECTION, P11_OID_EMAIL_PROTECTION_STR }, - { CKA_TRUST_IPSEC_END_SYSTEM, P11_OID_IPSEC_END_SYSTEM_STR }, - { CKA_TRUST_IPSEC_TUNNEL, P11_OID_IPSEC_TUNNEL_STR }, - { CKA_TRUST_IPSEC_USER, P11_OID_IPSEC_USER_STR }, - { CKA_TRUST_TIME_STAMPING, P11_OID_TIME_STAMPING_STR }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE attrs[sizeof (eku_attribute_map)]; - - if (!strv_to_dict (purposes, &dict_purp) || - !strv_to_dict (rejects, &dict_rej)) - return_val_if_reached (NULL); - - /* The neutral value is set if an purpose is not present */ - if (allow == CKT_NSS_NOT_TRUSTED) - neutral = CKT_NSS_NOT_TRUSTED; - - /* If anything explicitly set, then neutral is unknown */ - else if (purposes || rejects) - neutral = CKT_NSS_TRUST_UNKNOWN; - - /* Otherwise neutral will allow any purpose */ - else - neutral = allow; - - /* The value set if a purpose is explicitly rejected */ - disallow = CKT_NSS_NOT_TRUSTED; - - for (i = 0; eku_attribute_map[i].type != CKA_INVALID; i++) { - attrs[i].type = eku_attribute_map[i].type; - if (dict_rej && p11_dict_get (dict_rej, eku_attribute_map[i].oid)) { - attrs[i].pValue = &disallow; - attrs[i].ulValueLen = sizeof (disallow); - } else if (dict_purp && p11_dict_get (dict_purp, eku_attribute_map[i].oid)) { - attrs[i].pValue = &allow; - attrs[i].ulValueLen = sizeof (allow); - } else { - attrs[i].pValue = &neutral; - attrs[i].ulValueLen = sizeof (neutral); - } - } - - p11_dict_free (dict_purp); - p11_dict_free (dict_rej); - - return p11_attrs_buildn (object, attrs, i); -} - -static void -replace_nss_trust_object (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *cert, - CK_BBOOL trust, - CK_BBOOL distrust, - CK_BBOOL authority, - const char **purposes, - const char **rejects) -{ - CK_ATTRIBUTE *attrs = NULL; - CK_ATTRIBUTE *match = NULL; - CK_TRUST allow; - CK_RV rv; - - CK_OBJECT_CLASS klassv = CKO_NSS_TRUST; - CK_BYTE sha1v[P11_DIGEST_SHA1_LEN]; - CK_BYTE md5v[P11_DIGEST_MD5_LEN]; - CK_BBOOL generatedv = CK_FALSE; - CK_BBOOL falsev = CK_FALSE; - - CK_ATTRIBUTE klass = { CKA_CLASS, &klassv, sizeof (klassv) }; - CK_ATTRIBUTE modifiable = { CKA_MODIFIABLE, &falsev, sizeof (falsev) }; - CK_ATTRIBUTE generated = { CKA_X_GENERATED, &generatedv, sizeof (generatedv) }; - CK_ATTRIBUTE invalid = { CKA_INVALID, }; - - CK_ATTRIBUTE md5_hash = { CKA_CERT_MD5_HASH, md5v, sizeof (md5v) }; - CK_ATTRIBUTE sha1_hash = { CKA_CERT_SHA1_HASH, sha1v, sizeof (sha1v) }; - - CK_ATTRIBUTE step_up_approved = { CKA_TRUST_STEP_UP_APPROVED, &falsev, sizeof (falsev) }; - - CK_ATTRIBUTE_PTR label; - CK_ATTRIBUTE_PTR id; - CK_ATTRIBUTE_PTR subject; - CK_ATTRIBUTE_PTR issuer; - CK_ATTRIBUTE_PTR serial_number; - - p11_array *array; - void *value; - size_t length; - - issuer = p11_attrs_find_valid (cert, CKA_ISSUER); - serial_number = p11_attrs_find_valid (cert, CKA_SERIAL_NUMBER); - value = p11_attrs_find_value (cert, CKA_VALUE, &length); - - if (!issuer && !serial_number && !value) { - p11_debug ("can't generate nss trust object for certificate without issuer+serial or value"); - return; - } - - if (value == NULL) { - md5_hash.type = CKA_INVALID; - sha1_hash.type = CKA_INVALID; - } else { - p11_digest_md5 (md5v, value, length, NULL); - p11_digest_sha1 (sha1v, value, length, NULL); - } - if (!issuer) - issuer = &invalid; - if (!serial_number) - serial_number = &invalid; - - match = p11_attrs_build (NULL, issuer, serial_number, &sha1_hash, - &generated, &klass, NULL); - return_if_fail (match != NULL); - - /* If we find a non-generated object, then don't generate */ - if (p11_index_find (index, match, -1)) { - p11_debug ("not generating nss trust object because one already exists"); - attrs = NULL; - - } else { - generatedv = CK_TRUE; - match = p11_attrs_build (match, &generated, NULL); - return_if_fail (match != NULL); - - /* Copy all of the following attributes from certificate */ - id = p11_attrs_find_valid (cert, CKA_ID); - if (id == NULL) - id = &invalid; - subject = p11_attrs_find_valid (cert, CKA_SUBJECT); - if (subject == NULL) - subject = &invalid; - label = p11_attrs_find_valid (cert, CKA_LABEL); - if (label == NULL) - label = &invalid; - - attrs = p11_attrs_dup (match); - return_if_fail (attrs != NULL); - - attrs = p11_attrs_build (attrs, &klass, &modifiable, id, label, - subject, issuer, serial_number, - &md5_hash, &sha1_hash, &step_up_approved, NULL); - return_if_fail (attrs != NULL); - - /* Calculate the default allow trust */ - if (distrust) - allow = CKT_NSS_NOT_TRUSTED; - else if (trust && authority) - allow = CKT_NSS_TRUSTED_DELEGATOR; - else if (trust) - allow = CKT_NSS_TRUSTED; - else - allow = CKT_NSS_TRUST_UNKNOWN; - - attrs = build_trust_object_ku (builder, index, cert, attrs, allow); - return_if_fail (attrs != NULL); - - attrs = build_trust_object_eku (attrs, allow, purposes, rejects); - return_if_fail (attrs != NULL); - } - - /* Replace related generated object with this new one */ - array = p11_array_new (NULL); - p11_array_push (array, attrs); - rv = p11_index_replace_all (index, match, CKA_INVALID, array); - return_if_fail (rv == CKR_OK); - p11_array_free (array); - - p11_attrs_free (match); -} - -static void -build_assertions (p11_array *array, - CK_ATTRIBUTE *cert, - CK_X_ASSERTION_TYPE type, - const char **oids) -{ - CK_OBJECT_CLASS assertion = CKO_X_TRUST_ASSERTION; - CK_BBOOL truev = CK_TRUE; - CK_BBOOL falsev = CK_FALSE; - - CK_ATTRIBUTE klass = { CKA_CLASS, &assertion, sizeof (assertion) }; - CK_ATTRIBUTE private = { CKA_PRIVATE, &falsev, sizeof (falsev) }; - CK_ATTRIBUTE modifiable = { CKA_MODIFIABLE, &falsev, sizeof (falsev) }; - CK_ATTRIBUTE assertion_type = { CKA_X_ASSERTION_TYPE, &type, sizeof (type) }; - CK_ATTRIBUTE autogen = { CKA_X_GENERATED, &truev, sizeof (truev) }; - CK_ATTRIBUTE purpose = { CKA_X_PURPOSE, }; - CK_ATTRIBUTE invalid = { CKA_INVALID, }; - CK_ATTRIBUTE certificate_value = { CKA_X_CERTIFICATE_VALUE, }; - - CK_ATTRIBUTE *issuer; - CK_ATTRIBUTE *serial; - CK_ATTRIBUTE *value; - CK_ATTRIBUTE *label; - CK_ATTRIBUTE *id; - CK_ATTRIBUTE *attrs; - int i; - - if (type == CKT_X_DISTRUSTED_CERTIFICATE) { - certificate_value.type = CKA_INVALID; - issuer = p11_attrs_find_valid (cert, CKA_ISSUER); - serial = p11_attrs_find_valid (cert, CKA_SERIAL_NUMBER); - - if (!issuer || !serial) { - p11_debug ("not building negative trust assertion for certificate without serial or issuer"); - return; - } - - } else { - issuer = &invalid; - serial = &invalid; - value = p11_attrs_find_valid (cert, CKA_VALUE); - - if (value == NULL) { - p11_debug ("not building positive trust assertion for certificate without value"); - return; - } - - certificate_value.pValue = value->pValue; - certificate_value.ulValueLen = value->ulValueLen; - } - - label = p11_attrs_find (cert, CKA_LABEL); - if (label == NULL) - label = &invalid; - id = p11_attrs_find (cert, CKA_ID); - if (id == NULL) - id = &invalid; - - for (i = 0; oids[i] != NULL; i++) { - purpose.pValue = (void *)oids[i]; - purpose.ulValueLen = strlen (oids[i]); - - attrs = p11_attrs_build (NULL, &klass, &private, &modifiable, - id, label, &assertion_type, &purpose, - issuer, serial, &certificate_value, &autogen, NULL); - return_if_fail (attrs != NULL); - - if (!p11_array_push (array, attrs)) - return_if_reached (); - } -} - -static void -build_trust_assertions (p11_array *positives, - p11_array *negatives, - CK_ATTRIBUTE *cert, - CK_BBOOL trust, - CK_BBOOL distrust, - CK_BBOOL authority, - const char **purposes, - const char **rejects) -{ - const char *all_purposes[] = { - P11_OID_SERVER_AUTH_STR, - P11_OID_CLIENT_AUTH_STR, - P11_OID_CODE_SIGNING_STR, - P11_OID_EMAIL_PROTECTION_STR, - P11_OID_IPSEC_END_SYSTEM_STR, - P11_OID_IPSEC_TUNNEL_STR, - P11_OID_IPSEC_USER_STR, - P11_OID_TIME_STAMPING_STR, - NULL, - }; - - /* Build assertions for anything that's explicitly rejected */ - if (rejects && negatives) { - build_assertions (negatives, cert, CKT_X_DISTRUSTED_CERTIFICATE, rejects); - } - - if (distrust && negatives) { - /* - * Trust assertions are defficient in that they don't blacklist a certificate - * for any purposes. So we just have to go wild and write out a bunch of - * assertions for all our known purposes. - */ - build_assertions (negatives, cert, CKT_X_DISTRUSTED_CERTIFICATE, all_purposes); - } - - /* - * TODO: Build pinned certificate assertions. That is, trusted - * certificates where not an authority. - */ - - if (trust && authority && positives) { - if (purposes) { - /* If purposes explicitly set, then anchor for those purposes */ - build_assertions (positives, cert, CKT_X_ANCHORED_CERTIFICATE, purposes); - } else { - /* If purposes not-explicitly set, then anchor for all known */ - build_assertions (positives, cert, CKT_X_ANCHORED_CERTIFICATE, all_purposes); - } - } -} - -static void -replace_trust_assertions (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *cert, - CK_BBOOL trust, - CK_BBOOL distrust, - CK_BBOOL authority, - const char **purposes, - const char **rejects) -{ - CK_OBJECT_CLASS assertion = CKO_X_TRUST_ASSERTION; - CK_BBOOL generated = CK_TRUE; - p11_array *positives = NULL; - p11_array *negatives = NULL; - CK_ATTRIBUTE *value; - CK_ATTRIBUTE *issuer; - CK_ATTRIBUTE *serial; - CK_RV rv; - - CK_ATTRIBUTE match_positive[] = { - { CKA_X_CERTIFICATE_VALUE, }, - { CKA_CLASS, &assertion, sizeof (assertion) }, - { CKA_X_GENERATED, &generated, sizeof (generated) }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE match_negative[] = { - { CKA_ISSUER, }, - { CKA_SERIAL_NUMBER, }, - { CKA_CLASS, &assertion, sizeof (assertion) }, - { CKA_X_GENERATED, &generated, sizeof (generated) }, - { CKA_INVALID } - }; - - value = p11_attrs_find_valid (cert, CKA_VALUE); - if (value) { - positives = p11_array_new (NULL); - match_positive[0].pValue = value->pValue; - match_positive[0].ulValueLen = value->ulValueLen; - } - - issuer = p11_attrs_find_valid (cert, CKA_ISSUER); - serial = p11_attrs_find_valid (cert, CKA_SERIAL_NUMBER); - if (issuer && serial) { - negatives = p11_array_new (NULL); - memcpy (match_negative + 0, issuer, sizeof (CK_ATTRIBUTE)); - memcpy (match_negative + 1, serial, sizeof (CK_ATTRIBUTE)); - } - - build_trust_assertions (positives, negatives, cert, trust, distrust, - authority, purposes, rejects); - - if (positives) { - rv = p11_index_replace_all (index, match_positive, CKA_X_PURPOSE, positives); - return_if_fail (rv == CKR_OK); - p11_array_free (positives); - } - - if (negatives) { - rv = p11_index_replace_all (index, match_negative, CKA_X_PURPOSE, negatives); - return_if_fail (rv == CKR_OK); - p11_array_free (negatives); - } -} - -static void -remove_trust_and_assertions (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *attrs) -{ - replace_nss_trust_object (builder, index, attrs, - CK_FALSE, CK_FALSE, CK_FALSE, - NULL, NULL); - replace_trust_assertions (builder, index, attrs, - CK_FALSE, CK_FALSE, CK_FALSE, - NULL, NULL); -} - -static void -replace_trust_and_assertions (p11_builder *builder, - p11_index *index, - CK_ATTRIBUTE *cert) -{ - CK_BBOOL trust = CK_FALSE; - CK_BBOOL distrust = CK_FALSE; - CK_BBOOL authority = CK_FALSE; - p11_array *purposes = NULL; - p11_array *rejects = NULL; - const char **purposev; - const char **rejectv; - CK_ULONG category; - unsigned char *ext; - size_t ext_len; - - /* - * We look up all this information in advance, since it's used - * by the various adapter objects, and we don't have to parse - * it multiple times. - */ - - if (!p11_attrs_find_bool (cert, CKA_TRUSTED, &trust)) - trust = CK_FALSE; - if (!p11_attrs_find_bool (cert, CKA_X_DISTRUSTED, &distrust)) - distrust = CK_FALSE; - if (p11_attrs_find_ulong (cert, CKA_CERTIFICATE_CATEGORY, &category) && category == 2) - authority = CK_TRUE; - - if (!distrust) { - ext = lookup_extension (builder, index, cert, NULL, P11_OID_EXTENDED_KEY_USAGE, &ext_len); - if (ext != NULL) { - purposes = p11_x509_parse_extended_key_usage (builder->asn1_defs, ext, ext_len); - if (purposes == NULL) - p11_message ("invalid extended key usage certificate extension"); - free (ext); - } - - ext = lookup_extension (builder, index, cert, NULL, P11_OID_OPENSSL_REJECT, &ext_len); - if (ext != NULL) { - rejects = p11_x509_parse_extended_key_usage (builder->asn1_defs, ext, ext_len); - if (rejects == NULL) - p11_message ("invalid reject key usage certificate extension"); - free (ext); - } - } - - /* null-terminate these arrays and use as strv's */ - purposev = rejectv = NULL; - if (rejects) { - if (!p11_array_push (rejects, NULL)) - return_if_reached (); - rejectv = (const char **)rejects->elem; - } - if (purposes) { - if (!p11_array_push (purposes, NULL)) - return_if_reached (); - purposev = (const char **)purposes->elem; - } - - replace_nss_trust_object (builder, index, cert, trust, distrust, - authority, purposev, rejectv); - replace_trust_assertions (builder, index, cert, trust, distrust, - authority, purposev, rejectv); - - p11_array_free (purposes); - p11_array_free (rejects); -} - -static void -replace_compat_for_cert (p11_builder *builder, - p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *attrs) -{ - static const CK_OBJECT_CLASS certificate = CKO_CERTIFICATE; - static const CK_CERTIFICATE_TYPE x509 = CKC_X_509; - CK_ATTRIBUTE *value; - - CK_ATTRIBUTE match[] = { - { CKA_VALUE, }, - { CKA_CLASS, (void *)&certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, (void *)&x509, sizeof (x509) }, - { CKA_INVALID } - }; - - /* - * If this certificate is going away, then find duplicate. In this - * case all the trust assertions are recalculated with this new - * certificate in mind. - */ - if (handle == 0) { - value = p11_attrs_find_valid (attrs, CKA_VALUE); - if (value != NULL) { - match[0].pValue = value->pValue; - match[0].ulValueLen = value->ulValueLen; - handle = p11_index_find (index, match, -1); - } - if (handle != 0) - attrs = p11_index_lookup (index, handle); - } - - if (handle == 0) - remove_trust_and_assertions (builder, index, attrs); - else - replace_trust_and_assertions (builder, index, attrs); -} - -static void -replace_compat_for_ext (p11_builder *builder, - p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *attrs) -{ - - CK_OBJECT_HANDLE *handles; - CK_ATTRIBUTE *public_key; - int i; - - public_key = p11_attrs_find_valid (attrs, CKA_PUBLIC_KEY_INFO); - if (public_key == NULL) - return; - - handles = lookup_related (index, CKO_CERTIFICATE, public_key); - for (i = 0; handles && handles[i] != 0; i++) { - attrs = p11_index_lookup (index, handles[i]); - replace_trust_and_assertions (builder, index, attrs); - } - free (handles); -} - -static void -update_related_category (p11_builder *builder, - p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *attrs) -{ - CK_OBJECT_HANDLE *handles; - CK_ULONG categoryv = 0UL; - CK_ATTRIBUTE *update; - CK_ATTRIBUTE *cert; - CK_ATTRIBUTE *public_key; - CK_RV rv; - int i; - - CK_ATTRIBUTE category[] = { - { CKA_CERTIFICATE_CATEGORY, &categoryv, sizeof (categoryv) }, - { CKA_INVALID, }, - }; - - public_key = p11_attrs_find_valid (attrs, CKA_PUBLIC_KEY_INFO); - if (public_key == NULL) - return; - - /* Find all other objects with this handle */ - handles = lookup_related (index, CKO_CERTIFICATE, public_key); - - for (i = 0; handles && handles[i] != 0; i++) { - cert = p11_index_lookup (index, handle); - - if (calc_certificate_category (builder, index, cert, public_key, &categoryv)) { - update = p11_attrs_build (NULL, &category, NULL); - rv = p11_index_update (index, handles[i], update); - return_if_fail (rv == CKR_OK); - } - } - - free (handles); -} - -void -p11_builder_changed (void *bilder, - p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *attrs) -{ - static const CK_OBJECT_CLASS certificate = CKO_CERTIFICATE; - static const CK_OBJECT_CLASS extension = CKO_X_CERTIFICATE_EXTENSION; - static const CK_CERTIFICATE_TYPE x509 = CKC_X_509; - - static const CK_ATTRIBUTE match_cert[] = { - { CKA_CLASS, (void *)&certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, (void *)&x509, sizeof (x509) }, - { CKA_INVALID } - }; - - static const CK_ATTRIBUTE match_eku[] = { - { CKA_CLASS, (void *)&extension, sizeof (extension) }, - { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, - sizeof (P11_OID_EXTENDED_KEY_USAGE) }, - { CKA_INVALID } - }; - - static const CK_ATTRIBUTE match_ku[] = { - { CKA_CLASS, (void *)&extension, sizeof (extension) }, - { CKA_OBJECT_ID, (void *)P11_OID_KEY_USAGE, - sizeof (P11_OID_KEY_USAGE) }, - { CKA_INVALID } - }; - - static const CK_ATTRIBUTE match_bc[] = { - { CKA_CLASS, (void *)&extension, sizeof (extension) }, - { CKA_OBJECT_ID, (void *)P11_OID_BASIC_CONSTRAINTS, - sizeof (P11_OID_BASIC_CONSTRAINTS) }, - { CKA_INVALID } - }; - - p11_builder *builder = bilder; - - return_if_fail (builder != NULL); - return_if_fail (index != NULL); - return_if_fail (attrs != NULL); - - /* - * Treat these operations as loading, not modifying/creating, so we get - * around many of the rules that govern object creation - */ - p11_index_load (index); - - /* A certificate */ - if (p11_attrs_match (attrs, match_cert)) { - replace_compat_for_cert (builder, index, handle, attrs); - - /* An ExtendedKeyUsage extension */ - } else if (p11_attrs_match (attrs, match_eku) || - p11_attrs_match (attrs, match_ku)) { - replace_compat_for_ext (builder, index, handle, attrs); - - /* A BasicConstraints extension */ - } else if (p11_attrs_match (attrs, match_bc)) { - update_related_category (builder, index, handle, attrs); - } - - p11_index_finish (index); -} diff --git a/trust/builder.h b/trust/builder.h deleted file mode 100644 index ba130e1..0000000 --- a/trust/builder.h +++ /dev/null @@ -1,67 +0,0 @@ -/* - * Copyright (C) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#ifndef P11_BUILDER_H_ -#define P11_BUILDER_H_ - -#include "asn1.h" -#include "dict.h" -#include "index.h" -#include "pkcs11.h" - -enum { - P11_BUILDER_FLAG_NONE = 0, - P11_BUILDER_FLAG_TOKEN = 1 << 1, -}; - -typedef struct _p11_builder p11_builder; - -p11_builder * p11_builder_new (int flags); - -void p11_builder_free (p11_builder *builder); - -CK_RV p11_builder_build (void *builder, - p11_index *index, - CK_ATTRIBUTE *attrs, - CK_ATTRIBUTE *merge, - CK_ATTRIBUTE **populate); - -void p11_builder_changed (void *builder, - p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *attrs); - -p11_asn1_cache * p11_builder_get_cache (p11_builder *builder); - -#endif /* P11_BUILDER_H_ */ diff --git a/trust/digest.c b/trust/digest.c deleted file mode 100644 index 5cac83a..0000000 --- a/trust/digest.c +++ /dev/null @@ -1,632 +0,0 @@ -/* - * Copyright (C) 2004, 2005, 2007, 2011 Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/*! \file - * SHA-1 in C - * \author By Steve Reid <steve@edmweb.com> - * 100% Public Domain - * \verbatim - * Test Vectors - * "abc" - * A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D - * "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" - * 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1 - * A million repetitions of "a" - * 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F - * \endverbatim - */ - -#include "config.h" - -#include "digest.h" - -#include <assert.h> -#include <stdarg.h> -#include <stdint.h> -#include <string.h> - -#ifdef WITH_FREEBL - -/* - * NSS freebl3 has awkward headers not provided by appropriate packages - * in many cases. So put these defines here inline. freebl3 seems completely - * undocumented anyway. If you think this is a hack, then you guessed right. - * - * If you want a stable p11-kit without worries, use the builtin SHA1 and MD5 - * implementations. They're not used for crypto anyway. If you need p11-kit to - * tick the "doesn't implement own crypto" checkbox, then the you're signing - * up for this hack. - */ - -typedef enum { - HASH_AlgMD5 = 2, - HASH_AlgSHA1 = 3, -} HASH_HashType; - -typedef struct NSSLOWInitContextStr NSSLOWInitContext; -typedef struct NSSLOWHASHContextStr NSSLOWHASHContext; - -NSSLOWInitContext *NSSLOW_Init(void); -NSSLOWHASHContext *NSSLOWHASH_NewContext( - NSSLOWInitContext *initContext, - HASH_HashType hashType); -void NSSLOWHASH_Begin(NSSLOWHASHContext *context); -void NSSLOWHASH_Update(NSSLOWHASHContext *context, - const unsigned char *buf, - unsigned int len); -void NSSLOWHASH_End(NSSLOWHASHContext *context, - unsigned char *buf, - unsigned int *ret, unsigned int len); -void NSSLOWHASH_Destroy(NSSLOWHASHContext *context); - -#endif /* WITH_FREEBL3 */ - -#define SHA1_BLOCK_LENGTH 64U - -typedef struct { - uint32_t state[5]; - uint32_t count[2]; - unsigned char buffer[SHA1_BLOCK_LENGTH]; -} sha1_t; - -#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) - -/*@{*/ -/*! - * blk0() and blk() perform the initial expand. - * I got the idea of expanding during the round function from SSLeay - */ -#if !defined(WORDS_BIGENDIAN) -# define blk0(i) \ - (block->l[i] = (rol(block->l[i], 24) & 0xFF00FF00) \ - | (rol(block->l[i], 8) & 0x00FF00FF)) -#else -# define blk0(i) block->l[i] -#endif -#define blk(i) \ - (block->l[i & 15] = rol(block->l[(i + 13) & 15] \ - ^ block->l[(i + 8) & 15] \ - ^ block->l[(i + 2) & 15] \ - ^ block->l[i & 15], 1)) - -/*@}*/ -/*@{*/ -/*! - * (R0+R1), R2, R3, R4 are the different operations (rounds) used in SHA1 - */ -#define R0(v,w,x,y,z,i) \ - z += ((w & (x ^ y)) ^ y) + blk0(i) + 0x5A827999 + rol(v, 5); \ - w = rol(w, 30); -#define R1(v,w,x,y,z,i) \ - z += ((w & (x ^ y)) ^ y) + blk(i) + 0x5A827999 + rol(v, 5); \ - w = rol(w, 30); -#define R2(v,w,x,y,z,i) \ - z += (w ^ x ^ y) + blk(i) + 0x6ED9EBA1 + rol(v, 5); \ - w = rol(w, 30); -#define R3(v,w,x,y,z,i) \ - z += (((w | x) & y) | (w & x)) + blk(i) + 0x8F1BBCDC + rol(v, 5); \ - w = rol(w, 30); -#define R4(v,w,x,y,z,i) \ - z += (w ^ x ^ y) + blk(i) + 0xCA62C1D6 + rol(v, 5); \ - w = rol(w, 30); - -/*@}*/ - -typedef union { - unsigned char c[64]; - unsigned int l[16]; -} CHAR64LONG16; - -/*! - * Hash a single 512-bit block. This is the core of the algorithm. - */ -static void -transform_sha1 (uint32_t state[5], - const unsigned char buffer[64]) -{ - uint32_t a, b, c, d, e; - CHAR64LONG16 *block; - CHAR64LONG16 workspace; - - assert (buffer != NULL); - assert (state != NULL); - - block = &workspace; - (void)memcpy(block, buffer, 64); - - /* Copy context->state[] to working vars */ - a = state[0]; - b = state[1]; - c = state[2]; - d = state[3]; - e = state[4]; - - /* 4 rounds of 20 operations each. Loop unrolled. */ - R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); - R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); - R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); - R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); - R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); - R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); - R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); - R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); - R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); - R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); - R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); - R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); - R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); - R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); - R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); - R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); - R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); - R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); - R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); - R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); - - /* Add the working vars back into context.state[] */ - state[0] += a; - state[1] += b; - state[2] += c; - state[3] += d; - state[4] += e; - - /* Wipe variables */ - a = b = c = d = e = 0; - /* Avoid compiler warnings - POST(a); POST(b); POST(c); POST(d); POST(e); - */ -} - - -/*! - * isc_sha1_init - Initialize new context - */ -static void -sha1_init (sha1_t *context) -{ - assert (context != NULL); - - /* SHA1 initialization constants */ - context->state[0] = 0x67452301; - context->state[1] = 0xEFCDAB89; - context->state[2] = 0x98BADCFE; - context->state[3] = 0x10325476; - context->state[4] = 0xC3D2E1F0; - context->count[0] = 0; - context->count[1] = 0; -} - -static void -sha1_invalidate (sha1_t *context) -{ - memset (context, 0, sizeof (sha1_t)); -} - -/*! - * Run your data through this. - */ -static void -sha1_update(sha1_t *context, - const unsigned char *data, - unsigned int len) -{ - unsigned int i, j; - - assert (context != 0); - assert (data != 0); - - j = context->count[0]; - if ((context->count[0] += len << 3) < j) - context->count[1] += (len >> 29) + 1; - j = (j >> 3) & 63; - if ((j + len) > 63) { - (void)memcpy(&context->buffer[j], data, (i = 64 - j)); - transform_sha1 (context->state, context->buffer); - for (; i + 63 < len; i += 64) - transform_sha1 (context->state, &data[i]); - j = 0; - } else { - i = 0; - } - - (void)memcpy(&context->buffer[j], &data[i], len - i); -} - - -/*! - * Add padding and return the message digest. - */ - -static const unsigned char final_200 = 128; -static const unsigned char final_0 = 0; - -static void -sha1_final (sha1_t *context, - unsigned char *digest) -{ - unsigned int i; - unsigned char finalcount[8]; - - assert (digest != 0); - assert (context != 0); - - for (i = 0; i < 8; i++) { - /* Endian independent */ - finalcount[i] = (unsigned char) - ((context->count[(i >= 4 ? 0 : 1)] - >> ((3 - (i & 3)) * 8)) & 255); - } - - sha1_update(context, &final_200, 1); - while ((context->count[0] & 504) != 448) - sha1_update(context, &final_0, 1); - /* The next Update should cause a transform_sha1() */ - sha1_update(context, finalcount, 8); - - if (digest) { - for (i = 0; i < 20; i++) - digest[i] = (unsigned char) - ((context->state[i >> 2] - >> ((3 - (i & 3)) * 8)) & 255); - } - - memset (context, 0, sizeof (sha1_t)); -} - -#ifdef WITH_FREEBL - -static bool -nss_slow_hash (HASH_HashType type, - unsigned char *hash, - unsigned int hash_len, - const void *input, - size_t length, - va_list va) -{ - NSSLOWHASHContext *ctx; - unsigned int len; - - ctx = NSSLOWHASH_NewContext(NSSLOW_Init (), type); - if (ctx == NULL) - return false; - - NSSLOWHASH_Begin (ctx); - while (input != NULL) { - NSSLOWHASH_Update (ctx, input, length); - input = va_arg (va, const void *); - if (input) - length = va_arg (va, size_t); - } - NSSLOWHASH_End (ctx, hash, &len, hash_len); - assert (len == hash_len); - NSSLOWHASH_Destroy (ctx); - return true; -} - -#endif /* WITH_FREEBL */ - -void -p11_digest_sha1 (unsigned char *hash, - const void *input, - size_t length, - ...) -{ - va_list va; - sha1_t sha1; - -#ifdef WITH_FREEBL - bool ret; - - va_start (va, length); - ret = nss_slow_hash (HASH_AlgSHA1, hash, P11_DIGEST_SHA1_LEN, input, length, va); - va_end (va); - - if (ret) - return; -#endif - - sha1_init (&sha1); - - va_start (va, length); - while (input != NULL) { - sha1_update (&sha1, input, length); - input = va_arg (va, const void *); - if (input) - length = va_arg (va, size_t); - } - va_end (va); - - sha1_final (&sha1, hash); - sha1_invalidate (&sha1); -} - - -/*! \file - * This code implements the MD5 message-digest algorithm. - * The algorithm is due to Ron Rivest. This code was - * written by Colin Plumb in 1993, no copyright is claimed. - * This code is in the public domain; do with it what you wish. - * - * Equivalent code is available from RSA Data Security, Inc. - * This code has been tested against that, and is equivalent, - * except that you don't need to include two pages of legalese - * with every copy. - * - * To compute the message digest of a chunk of bytes, declare an - * MD5Context structure, pass it to MD5Init, call MD5Update as - * needed on buffers full of bytes, and then call MD5Final, which - * will fill a supplied 16-byte array with the digest. - */ - -typedef struct { - uint32_t buf[4]; - uint32_t bytes[2]; - uint32_t in[16]; -} md5_t; - -static void -byteSwap (uint32_t *buf, - unsigned words) -{ - unsigned char *p = (unsigned char *)buf; - - do { - *buf++ = (uint32_t)((unsigned)p[3] << 8 | p[2]) << 16 | - ((unsigned)p[1] << 8 | p[0]); - p += 4; - } while (--words); -} - -/*! - * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious - * initialization constants. - */ -static void -md5_init(md5_t *ctx) -{ - ctx->buf[0] = 0x67452301; - ctx->buf[1] = 0xefcdab89; - ctx->buf[2] = 0x98badcfe; - ctx->buf[3] = 0x10325476; - - ctx->bytes[0] = 0; - ctx->bytes[1] = 0; -} - -static void -md5_invalidate(md5_t *ctx) -{ - memset(ctx, 0, sizeof(md5_t)); -} - -/*@{*/ -/*! The four core functions - F1 is optimized somewhat */ - -/* #define F1(x, y, z) (x & y | ~x & z) */ -#define F1(x, y, z) (z ^ (x & (y ^ z))) -#define F2(x, y, z) F1(z, x, y) -#define F3(x, y, z) (x ^ y ^ z) -#define F4(x, y, z) (y ^ (x | ~z)) -/*@}*/ - -/*! This is the central step in the MD5 algorithm. */ -#define MD5STEP(f,w,x,y,z,in,s) \ - (w += f(x,y,z) + in, w = (w<<s | w>>(32-s)) + x) - -/*! - * The core of the MD5 algorithm, this alters an existing MD5 hash to - * reflect the addition of 16 longwords of new data. MD5Update blocks - * the data and converts bytes into longwords for this routine. - */ -static void -transform_md5 (uint32_t buf[4], - uint32_t const in[16]) -{ - register uint32_t a, b, c, d; - - a = buf[0]; - b = buf[1]; - c = buf[2]; - d = buf[3]; - - MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7); - MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12); - MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17); - MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22); - MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7); - MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12); - MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17); - MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22); - MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7); - MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12); - MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17); - MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22); - MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7); - MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12); - MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17); - MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22); - - MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5); - MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9); - MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14); - MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20); - MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5); - MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9); - MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14); - MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20); - MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5); - MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9); - MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14); - MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20); - MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5); - MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9); - MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14); - MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20); - - MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4); - MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11); - MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16); - MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23); - MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4); - MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11); - MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16); - MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23); - MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4); - MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11); - MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16); - MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23); - MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4); - MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11); - MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16); - MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23); - - MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6); - MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10); - MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15); - MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21); - MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6); - MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10); - MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15); - MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21); - MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6); - MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10); - MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15); - MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21); - MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6); - MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10); - MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15); - MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21); - - buf[0] += a; - buf[1] += b; - buf[2] += c; - buf[3] += d; -} - -/*! - * Update context to reflect the concatenation of another buffer full - * of bytes. - */ -static void -md5_update (md5_t *ctx, - const unsigned char *buf, - unsigned int len) -{ - uint32_t t; - - /* Update byte count */ - - t = ctx->bytes[0]; - if ((ctx->bytes[0] = t + len) < t) - ctx->bytes[1]++; /* Carry from low to high */ - - t = 64 - (t & 0x3f); /* Space available in ctx->in (at least 1) */ - if (t > len) { - memcpy((unsigned char *)ctx->in + 64 - t, buf, len); - return; - } - /* First chunk is an odd size */ - memcpy((unsigned char *)ctx->in + 64 - t, buf, t); - byteSwap(ctx->in, 16); - transform_md5 (ctx->buf, ctx->in); - buf += t; - len -= t; - - /* Process data in 64-byte chunks */ - while (len >= 64) { - memcpy(ctx->in, buf, 64); - byteSwap(ctx->in, 16); - transform_md5(ctx->buf, ctx->in); - buf += 64; - len -= 64; - } - - /* Handle any remaining bytes of data. */ - memcpy(ctx->in, buf, len); -} - -/*! - * Final wrapup - pad to 64-byte boundary with the bit pattern - * 1 0* (64-bit count of bits processed, MSB-first) - */ -static void -md5_final(md5_t *ctx, - unsigned char *digest) -{ - int count = ctx->bytes[0] & 0x3f; /* Number of bytes in ctx->in */ - unsigned char *p = (unsigned char *)ctx->in + count; - - /* Set the first char of padding to 0x80. There is always room. */ - *p++ = 0x80; - - /* Bytes of padding needed to make 56 bytes (-8..55) */ - count = 56 - 1 - count; - - if (count < 0) { /* Padding forces an extra block */ - memset(p, 0, count + 8); - byteSwap(ctx->in, 16); - transform_md5(ctx->buf, ctx->in); - p = (unsigned char *)ctx->in; - count = 56; - } - memset(p, 0, count); - byteSwap(ctx->in, 14); - - /* Append length in bits and transform */ - ctx->in[14] = ctx->bytes[0] << 3; - ctx->in[15] = ctx->bytes[1] << 3 | ctx->bytes[0] >> 29; - transform_md5(ctx->buf, ctx->in); - - byteSwap(ctx->buf, 4); - memcpy(digest, ctx->buf, 16); - memset(ctx, 0, sizeof(md5_t)); /* In case it's sensitive */ -} - -void -p11_digest_md5 (unsigned char *hash, - const void *input, - size_t length, - ...) -{ - va_list va; - md5_t md5; - -#ifdef WITH_FREEBL - bool ret; - - va_start (va, length); - ret = nss_slow_hash (HASH_AlgMD5, hash, P11_DIGEST_MD5_LEN, input, length, va); - va_end (va); - - if (ret) - return; -#endif - - md5_init (&md5); - - va_start (va, length); - while (input) { - md5_update (&md5, input, length); - input = va_arg (va, const void *); - if (input) - length = va_arg (va, size_t); - } - va_end (va); - - md5_final (&md5, hash); - md5_invalidate (&md5); -} diff --git a/trust/digest.h b/trust/digest.h deleted file mode 100644 index 82d48fe..0000000 --- a/trust/digest.h +++ /dev/null @@ -1,60 +0,0 @@ -/* - * Copyright (C) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#ifndef P11_DIGEST_H_ -#define P11_DIGEST_H_ - -#include "compat.h" - -/* - * The SHA-1 and MD5 digests here are used for checksums in legacy - * protocols. We don't use them in cryptographic contexts at all. - * These particular algorithms would be poor choices for that. - */ - -#define P11_DIGEST_MD5_LEN 16 - -void p11_digest_md5 (unsigned char *hash, - const void *input, - size_t length, - ...) GNUC_NULL_TERMINATED; - -#define P11_DIGEST_SHA1_LEN 20 - -void p11_digest_sha1 (unsigned char *hash, - const void *input, - size_t length, - ...) GNUC_NULL_TERMINATED; - -#endif /* P11_DIGEST_H_ */ diff --git a/trust/enumerate.c b/trust/enumerate.c deleted file mode 100644 index dd3da3a..0000000 --- a/trust/enumerate.c +++ /dev/null @@ -1,743 +0,0 @@ -/* - * Copyright (c) 2013, Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#define P11_DEBUG_FLAG P11_DEBUG_TOOL - -#include "attrs.h" -#include "debug.h" -#include "oid.h" -#include "dict.h" -#include "extract.h" -#include "message.h" -#include "path.h" -#include "pkcs11.h" -#include "pkcs11x.h" -#include "x509.h" - -#include <stdlib.h> -#include <string.h> - -static bool -load_attached_extension (p11_dict *attached, - p11_dict *asn1_defs, - const unsigned char *der, - size_t len) -{ - char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE]; - node_asn *ext; - char *oid; - int length; - int start; - int end; - int ret; - - ext = p11_asn1_decode (asn1_defs, "PKIX1.Extension", der, len, message); - if (ext == NULL) { - p11_message ("couldn't parse attached certificate extension: %s", message); - return false; - } - - ret = asn1_der_decoding_startEnd (ext, der, len, "extnID", &start, &end); - return_val_if_fail (ret == ASN1_SUCCESS, false); - - /* Make sure it's a straightforward oid with certain assumptions */ - length = (end - start) + 1; - if (!p11_oid_simple (der + start, length)) { - p11_debug ("strange complex certificate extension object id"); - return false; - } - - oid = memdup (der + start, length); - return_val_if_fail (oid != NULL, false); - - if (!p11_dict_set (attached, oid, ext)) - return_val_if_reached (false); - - return true; -} - -static p11_dict * -load_attached_extensions (p11_enumerate *ex, - CK_ATTRIBUTE *spki) -{ - CK_OBJECT_CLASS extension = CKO_X_CERTIFICATE_EXTENSION; - CK_ATTRIBUTE *attrs; - P11KitIter *iter; - CK_RV rv = CKR_OK; - p11_dict *attached; - - CK_ATTRIBUTE match[] = { - { CKA_CLASS, &extension, sizeof (extension) }, - { CKA_PUBLIC_KEY_INFO, spki->pValue, spki->ulValueLen }, - }; - - CK_ATTRIBUTE template[] = { - { CKA_VALUE, }, - }; - - attached = p11_dict_new (p11_oid_hash, p11_oid_equal, - free, p11_asn1_free); - - /* No ID to use, just short circuit */ - if (!spki->pValue || !spki->ulValueLen) - return attached; - - iter = p11_kit_iter_new (NULL, 0); - p11_kit_iter_add_filter (iter, match, 2); - p11_kit_iter_begin_with (iter, p11_kit_iter_get_module (ex->iter), - 0, p11_kit_iter_get_session (ex->iter)); - - while (rv == CKR_OK) { - rv = p11_kit_iter_next (iter); - if (rv == CKR_OK) { - attrs = p11_attrs_buildn (NULL, template, 1); - rv = p11_kit_iter_load_attributes (iter, attrs, 1); - if (rv == CKR_OK) { - if (!load_attached_extension (attached, ex->asn1_defs, - attrs[0].pValue, - attrs[0].ulValueLen)) { - rv = CKR_GENERAL_ERROR; - } - } - p11_attrs_free (attrs); - } - } - - if (rv != CKR_OK && rv != CKR_CANCEL) { - p11_message ("couldn't load attached extensions for certificate: %s", p11_kit_strerror (rv)); - p11_dict_free (attached); - attached = NULL; - } - - p11_kit_iter_free (iter); - return attached; -} - -static bool -extract_purposes (p11_enumerate *ex) -{ - node_asn *ext = NULL; - unsigned char *value = NULL; - size_t length; - - if (ex->attached) { - ext = p11_dict_get (ex->attached, P11_OID_EXTENDED_KEY_USAGE); - if (ext != NULL) { - value = p11_asn1_read (ext, "extnValue", &length); - return_val_if_fail (value != NULL, false); - } - } - - if (value == NULL && ex->cert_asn) { - value = p11_x509_find_extension (ex->cert_asn, P11_OID_EXTENDED_KEY_USAGE, - ex->cert_der, ex->cert_len, &length); - } - - /* No such extension, match anything */ - if (value == NULL) - return true; - - ex->purposes = p11_x509_parse_extended_key_usage (ex->asn1_defs, value, length); - - free (value); - return ex->purposes != NULL; -} - -static bool -check_trust_flags (p11_enumerate *ex) -{ - CK_BBOOL trusted; - CK_BBOOL distrusted; - int flags = 0; - - /* If no extract trust flags, then just continue */ - if (!(ex->flags & (P11_ENUMERATE_ANCHORS | P11_ENUMERATE_BLACKLIST))) - return true; - - /* Is this a blacklisted directly? */ - if (p11_attrs_find_bool (ex->attrs, CKA_X_DISTRUSTED, &distrusted) && distrusted) - flags = P11_ENUMERATE_BLACKLIST; - - /* Is it blacklisted elsewhere? then prevent it from being an anchor */ - else if (p11_dict_get (ex->blacklist_public_key, ex->attrs) || - p11_dict_get (ex->blacklist_issuer_serial, ex->attrs)) - flags = 0; - - /* Otherwise it might be an anchor? */ - else if (p11_attrs_find_bool (ex->attrs, CKA_TRUSTED, &trusted) && trusted) - flags = P11_ENUMERATE_ANCHORS; - - /* Any of the flags can match */ - if (flags & ex->flags) - return true; - - return false; -} - -static bool -extract_certificate (p11_enumerate *ex) -{ - char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE]; - CK_ATTRIBUTE *attr; - - CK_ULONG type; - - /* Don't even bother with not X.509 certificates */ - if (!p11_attrs_find_ulong (ex->attrs, CKA_CERTIFICATE_TYPE, &type)) - type = (CK_ULONG)-1; - if (type != CKC_X_509) { - p11_debug ("skipping non X.509 certificate"); - return false; - } - - attr = p11_attrs_find_valid (ex->attrs, CKA_VALUE); - if (!attr || !attr->pValue) { - p11_debug ("skipping certificate without a value"); - return false; - } - - /* - * If collapsing and have already seen this certificate, and shouldn't - * process it even again during this extract procedure. - */ - if (ex->flags & P11_ENUMERATE_COLLAPSE) { - if (!ex->already_seen) { - ex->already_seen = p11_dict_new (p11_attr_hash, p11_attr_equal, - p11_attrs_free, NULL); - return_val_if_fail (ex->already_seen != NULL, true); - } - - if (p11_dict_get (ex->already_seen, attr)) - return false; - } - - if (!check_trust_flags (ex)) { - p11_debug ("skipping certificate that doesn't match trust flags"); - return false; - } - - if (ex->already_seen) { - if (!p11_dict_set (ex->already_seen, - p11_attrs_build (NULL, attr, NULL), "x")) - return_val_if_reached (true); - } - - ex->cert_der = attr->pValue; - ex->cert_len = attr->ulValueLen; - ex->cert_asn = p11_asn1_decode (ex->asn1_defs, "PKIX1.Certificate", - ex->cert_der, ex->cert_len, message); - - if (!ex->cert_asn) { - p11_message ("couldn't parse certificate: %s", message); - return false; - } - - return true; -} - -static bool -extract_info (p11_enumerate *ex) -{ - CK_ATTRIBUTE *attr; - CK_RV rv; - - static const CK_ATTRIBUTE attr_types[] = { - { CKA_ID, }, - { CKA_CLASS, }, - { CKA_CERTIFICATE_TYPE, }, - { CKA_LABEL, }, - { CKA_VALUE, }, - { CKA_SUBJECT, }, - { CKA_ISSUER, }, - { CKA_SERIAL_NUMBER, }, - { CKA_TRUSTED, }, - { CKA_CERTIFICATE_CATEGORY }, - { CKA_X_DISTRUSTED }, - { CKA_PUBLIC_KEY_INFO }, - { CKA_INVALID, }, - }; - - ex->attrs = p11_attrs_dup (attr_types); - rv = p11_kit_iter_load_attributes (ex->iter, ex->attrs, p11_attrs_count (ex->attrs)); - - /* The attributes couldn't be loaded */ - if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID && rv != CKR_ATTRIBUTE_SENSITIVE) { - p11_message ("couldn't load attributes: %s", p11_kit_strerror (rv)); - return false; - } - - /* No class attribute, very strange, just skip */ - if (!p11_attrs_find_ulong (ex->attrs, CKA_CLASS, &ex->klass)) - return false; - - /* If a certificate then */ - if (ex->klass != CKO_CERTIFICATE) { - p11_message ("skipping non-certificate object"); - return false; - } - - if (!extract_certificate (ex)) - return false; - - attr = p11_attrs_find_valid (ex->attrs, CKA_PUBLIC_KEY_INFO); - if (attr) { - ex->attached = load_attached_extensions (ex, attr); - if (!ex->attached) - return false; - } - - if (!extract_purposes (ex)) - return false; - - return true; -} - -static void -extract_clear (p11_enumerate *ex) -{ - ex->klass = (CK_ULONG)-1; - - p11_attrs_free (ex->attrs); - ex->attrs = NULL; - - asn1_delete_structure (&ex->cert_asn); - ex->cert_der = NULL; - ex->cert_len = 0; - - p11_dict_free (ex->attached); - ex->attached = NULL; - - p11_array_free (ex->purposes); - ex->purposes = NULL; -} - -static CK_RV -on_iterate_load_filter (p11_kit_iter *iter, - CK_BBOOL *matches, - void *data) -{ - p11_enumerate *ex = data; - int i; - - extract_clear (ex); - - /* Try to load the certificate and extensions */ - if (!extract_info (ex)) { - *matches = CK_FALSE; - return CKR_OK; - } - - /* - * Limit to certain purposes. Note that the lack of purposes noted - * on the certificate means they match any purpose. This is the - * behavior of the ExtendedKeyUsage extension. - */ - if (ex->limit_to_purposes && ex->purposes) { - *matches = CK_FALSE; - for (i = 0; i < ex->purposes->num; i++) { - if (p11_dict_get (ex->limit_to_purposes, ex->purposes->elem[i])) { - *matches = CK_TRUE; - break; - } - } - } - - return CKR_OK; -} - -/* - * Various skip lookup tables, used for blacklists and collapsing - * duplicate entries. - * - * The dict hash/lookup callbacks are special cased - * so we can just pass in full attribute lists for lookup and only match - * the attributes we're interested in. - * - * Note that both p11_attr_hash and p11_attr_equal are NULL safe. - */ - -static bool -public_key_equal (const void *one, - const void *two) -{ - return p11_attr_equal (p11_attrs_find_valid ((CK_ATTRIBUTE *)one, CKA_PUBLIC_KEY_INFO), - p11_attrs_find_valid ((CK_ATTRIBUTE *)two, CKA_PUBLIC_KEY_INFO)); -} - -static unsigned int -public_key_hash (const void *data) -{ - return p11_attr_hash (p11_attrs_find_valid ((CK_ATTRIBUTE *)data, CKA_PUBLIC_KEY_INFO)); -} - -static bool -issuer_serial_equal (const void *one, - const void *two) -{ - return p11_attr_equal (p11_attrs_find_valid ((CK_ATTRIBUTE *)one, CKA_ISSUER), - p11_attrs_find_valid ((CK_ATTRIBUTE *)two, CKA_ISSUER)) && - p11_attr_equal (p11_attrs_find_valid ((CK_ATTRIBUTE *)one, CKA_SERIAL_NUMBER), - p11_attrs_find_valid ((CK_ATTRIBUTE *)two, CKA_SERIAL_NUMBER)); -} - -static unsigned int -issuer_serial_hash (const void *data) -{ - return p11_attr_hash (p11_attrs_find_valid ((CK_ATTRIBUTE *)data, CKA_ISSUER)) ^ - p11_attr_hash (p11_attrs_find_valid ((CK_ATTRIBUTE *)data, CKA_SERIAL_NUMBER)); -} - -static bool -blacklist_load (p11_enumerate *ex) -{ - p11_kit_iter *iter; - CK_BBOOL distrusted = CK_TRUE; - CK_RV rv = CKR_OK; - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *key; - CK_ATTRIBUTE *serial; - CK_ATTRIBUTE *issuer; - CK_ATTRIBUTE *public_key; - - CK_ATTRIBUTE match[] = { - { CKA_X_DISTRUSTED, &distrusted, sizeof (distrusted) }, - }; - - CK_ATTRIBUTE template[] = { - { CKA_SERIAL_NUMBER, }, - { CKA_PUBLIC_KEY_INFO, }, - { CKA_ISSUER, }, - }; - - iter = p11_kit_iter_new (ex->uri, 0); - p11_kit_iter_add_filter (iter, match, 1); - p11_kit_iter_begin (iter, ex->modules); - - attrs = p11_attrs_buildn (NULL, template, 3); - - while ((rv = p11_kit_iter_next (iter)) == CKR_OK) { - - /* - * Fail "safe" in that first failure doesn't cause ignoring - * the remainder of the blacklist. - */ - rv = p11_kit_iter_load_attributes (iter, attrs, 3); - if (rv != CKR_OK) { - p11_message ("couldn't load blacklist: %s", p11_kit_strerror (rv)); - continue; - } - - /* A blacklisted item with an issuer and serial number */ - issuer = p11_attrs_find_valid (attrs, CKA_ISSUER); - serial = p11_attrs_find_valid (attrs, CKA_SERIAL_NUMBER); - if (issuer != NULL && serial != NULL) { - key = p11_attrs_build (NULL, issuer, serial, NULL); - if (!key || !p11_dict_set (ex->blacklist_issuer_serial, key, "x")) - return_val_if_reached (false); - } - - /* A blacklisted item with a public key */ - public_key = p11_attrs_find_valid (attrs, CKA_PUBLIC_KEY_INFO); - if (public_key != NULL) { - key = p11_attrs_build (NULL, public_key, NULL); - if (!public_key || !p11_dict_set (ex->blacklist_public_key, key, "x")) - return_val_if_reached (false); - } - } - - p11_attrs_free (attrs); - p11_kit_iter_free (iter); - - if (rv == CKR_CANCEL) - return true; - - p11_message ("couldn't load blacklist: %s", p11_kit_strerror (rv)); - return false; -} - -void -p11_enumerate_init (p11_enumerate *ex) -{ - memset (ex, 0, sizeof (p11_enumerate)); - ex->asn1_defs = p11_asn1_defs_load (); - return_if_fail (ex->asn1_defs != NULL); - - ex->iter = p11_kit_iter_new (NULL, 0); - return_if_fail (ex->iter != NULL); - - ex->blacklist_public_key = p11_dict_new (public_key_hash, public_key_equal, - p11_attrs_free, NULL); - return_if_fail (ex->blacklist_public_key); - - ex->blacklist_issuer_serial = p11_dict_new (issuer_serial_hash, issuer_serial_equal, - p11_attrs_free, NULL); - return_if_fail (ex->blacklist_issuer_serial); - - p11_kit_iter_add_callback (ex->iter, on_iterate_load_filter, ex, NULL); -} - -void -p11_enumerate_cleanup (p11_enumerate *ex) -{ - extract_clear (ex); - - p11_dict_free (ex->limit_to_purposes); - ex->limit_to_purposes = NULL; - - p11_dict_free (ex->already_seen); - ex->already_seen = NULL; - p11_dict_free (ex->blacklist_public_key); - ex->blacklist_public_key = NULL; - p11_dict_free (ex->blacklist_issuer_serial); - ex->blacklist_issuer_serial = NULL; - - p11_dict_free (ex->asn1_defs); - ex->asn1_defs = NULL; - - p11_kit_iter_free (ex->iter); - ex->iter = NULL; - - if (ex->modules) { - p11_kit_modules_finalize_and_release (ex->modules); - ex->modules = NULL; - } - - if (ex->uri) { - p11_kit_uri_free (ex->uri); - ex->uri = NULL; - } -} - -bool -p11_enumerate_opt_filter (p11_enumerate *ex, - const char *option) -{ - CK_ATTRIBUTE *attrs; - int ret; - - CK_OBJECT_CLASS vcertificate = CKO_CERTIFICATE; - CK_ULONG vauthority = 2; - CK_CERTIFICATE_TYPE vx509 = CKC_X_509; - - CK_ATTRIBUTE certificate = { CKA_CLASS, &vcertificate, sizeof (vcertificate) }; - CK_ATTRIBUTE authority = { CKA_CERTIFICATE_CATEGORY, &vauthority, sizeof (vauthority) }; - CK_ATTRIBUTE x509= { CKA_CERTIFICATE_TYPE, &vx509, sizeof (vx509) }; - - if (strncmp (option, "pkcs11:", 7) == 0) { - if (ex->uri != NULL) { - p11_message ("a PKCS#11 URI has already been specified"); - return false; - } - - ex->uri = p11_kit_uri_new (); - ret = p11_kit_uri_parse (option, P11_KIT_URI_FOR_OBJECT_ON_TOKEN_AND_MODULE, ex->uri); - if (ret != P11_KIT_URI_OK) { - p11_message ("couldn't parse pkcs11 uri filter: %s", option); - return false; - } - - if (p11_kit_uri_any_unrecognized (ex->uri)) - p11_message ("uri contained unrecognized components, nothing will be extracted"); - - p11_kit_iter_set_uri (ex->iter, ex->uri); - ex->num_filters++; - return true; - } - - if (strcmp (option, "ca-anchors") == 0) { - attrs = p11_attrs_build (NULL, &certificate, &authority, &x509, NULL); - ex->flags |= P11_ENUMERATE_ANCHORS | P11_ENUMERATE_COLLAPSE; - - } else if (strcmp (option, "trust-policy") == 0) { - attrs = p11_attrs_build (NULL, &certificate, &x509, NULL); - ex->flags |= P11_ENUMERATE_ANCHORS | P11_ENUMERATE_BLACKLIST | P11_ENUMERATE_COLLAPSE; - - } else if (strcmp (option, "blacklist") == 0) { - attrs = p11_attrs_build (NULL, &certificate, &x509, NULL); - ex->flags |= P11_ENUMERATE_BLACKLIST | P11_ENUMERATE_COLLAPSE; - - } else if (strcmp (option, "certificates") == 0) { - attrs = p11_attrs_build (NULL, &certificate, &x509, NULL); - ex->flags |= P11_ENUMERATE_COLLAPSE; - - } else { - p11_message ("unsupported or unrecognized filter: %s", option); - return false; - } - - p11_kit_iter_add_filter (ex->iter, attrs, p11_attrs_count (attrs)); - ex->num_filters++; - return true; -} - -static int -is_valid_oid_rough (const char *string) -{ - size_t len; - - len = strlen (string); - - /* Rough check if a valid OID */ - return (strspn (string, "0123456789.") == len && - !strstr (string, "..") && string[0] != '\0' && string[0] != '.' && - string[len - 1] != '.'); -} - -bool -p11_enumerate_opt_purpose (p11_enumerate *ex, - const char *option) -{ - const char *oid; - char *value; - - if (strcmp (option, "server-auth") == 0) { - oid = P11_OID_SERVER_AUTH_STR; - } else if (strcmp (option, "client-auth") == 0) { - oid = P11_OID_CLIENT_AUTH_STR; - } else if (strcmp (option, "email-protection") == 0 || strcmp (option, "email") == 0) { - oid = P11_OID_EMAIL_PROTECTION_STR; - } else if (strcmp (option, "code-signing") == 0) { - oid = P11_OID_CODE_SIGNING_STR; - } else if (strcmp (option, "ipsec-end-system") == 0) { - oid = P11_OID_IPSEC_END_SYSTEM_STR; - } else if (strcmp (option, "ipsec-tunnel") == 0) { - oid = P11_OID_IPSEC_TUNNEL_STR; - } else if (strcmp (option, "ipsec-user") == 0) { - oid = P11_OID_IPSEC_USER_STR; - } else if (strcmp (option, "time-stamping") == 0) { - oid = P11_OID_TIME_STAMPING_STR; - } else if (is_valid_oid_rough (option)) { - oid = option; - } else { - p11_message ("unsupported or unregonized purpose: %s", option); - return false; - } - - if (!ex->limit_to_purposes) { - ex->limit_to_purposes = p11_dict_new (p11_dict_str_hash, p11_dict_str_equal, free, NULL); - return_val_if_fail (ex->limit_to_purposes != NULL, false); - } - - value = strdup (oid); - return_val_if_fail (value != NULL, false); - if (!p11_dict_set (ex->limit_to_purposes, value, value)) - return_val_if_reached (false); - - return true; -} - -bool -p11_enumerate_ready (p11_enumerate *ex, - const char *def_filter) -{ - if (def_filter && ex->num_filters == 0) { - if (!p11_enumerate_opt_filter (ex, def_filter)) - return_val_if_reached (false); - } - - /* - * We only "believe" the CKA_TRUSTED and CKA_X_DISTRUSTED attributes - * we get from modules explicitly marked as containing trust-policy. - */ - if (!ex->modules) - ex->modules = p11_kit_modules_load_and_initialize (P11_KIT_MODULE_TRUSTED); - if (!ex->modules) - return false; - if (ex->modules[0] == NULL) - p11_message ("no modules containing trust policy are registered"); - - /* - * If loading anchors, then the caller expects that the blacklist is - * "applied" and any anchors on the blacklist are taken out. This is - * for compatibility with software that does not support blacklists. - */ - if (ex->flags & P11_ENUMERATE_ANCHORS) { - if (!blacklist_load (ex)) - return false; - } - - p11_kit_iter_begin (ex->iter, ex->modules); - return true; -} - -static char * -extract_label (p11_enumerate *ex) -{ - CK_ATTRIBUTE *attr; - - /* Look for a label and just use that */ - attr = p11_attrs_find_valid (ex->attrs, CKA_LABEL); - if (attr && attr->pValue && attr->ulValueLen) - return strndup (attr->pValue, attr->ulValueLen); - - /* For extracting certificates */ - if (ex->klass == CKO_CERTIFICATE) - return strdup ("certificate"); - - return strdup ("unknown"); -} - -char * -p11_enumerate_filename (p11_enumerate *ex) -{ - char *label; - - label = extract_label (ex); - return_val_if_fail (label != NULL, NULL); - - p11_path_canon (label); - return label; -} - -char * -p11_enumerate_comment (p11_enumerate *ex, - bool first) -{ - char *comment; - char *label; - - if (!(ex->flags & P11_EXTRACT_COMMENT)) - return NULL; - - label = extract_label (ex); - if (!asprintf (&comment, "%s# %s\n", - first ? "" : "\n", - label ? label : "")) - return_val_if_reached (NULL); - - free (label); - return comment; -} diff --git a/trust/enumerate.h b/trust/enumerate.h deleted file mode 100644 index 411820a..0000000 --- a/trust/enumerate.h +++ /dev/null @@ -1,107 +0,0 @@ -/* - * Copyright (c) 2013, Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#ifndef P11_ENUMERATE_H_ -#define P11_ENUMERATE_H_ - -#include "array.h" -#include "asn1.h" -#include "dict.h" - -#include "p11-kit/iter.h" -#include "p11-kit/pkcs11.h" - -enum { - /* These overlap with the flags in save.h, so start higher */ - P11_ENUMERATE_ANCHORS = 1 << 21, - P11_ENUMERATE_BLACKLIST = 1 << 22, - P11_ENUMERATE_COLLAPSE = 1 << 23, -}; - -typedef struct { - CK_FUNCTION_LIST **modules; - p11_kit_iter *iter; - p11_kit_uri *uri; - - p11_dict *asn1_defs; - p11_dict *limit_to_purposes; - p11_dict *already_seen; - int num_filters; - int flags; - - p11_dict *blacklist_issuer_serial; - p11_dict *blacklist_public_key; - - /* - * Stuff below is parsed info for the current iteration. - * Currently this information is generally all relevant - * just for certificates. - */ - - CK_OBJECT_CLASS klass; - CK_ATTRIBUTE *attrs; - - /* Pre-parsed data for certificates */ - node_asn *cert_asn; - const unsigned char *cert_der; - size_t cert_len; - - /* DER OID -> CK_ATTRIBUTE list */ - p11_dict *attached; - - /* Set of OID purposes as strings */ - p11_array *purposes; -} p11_enumerate; - -char * p11_enumerate_filename (p11_enumerate *ex); - -char * p11_enumerate_comment (p11_enumerate *ex, - bool first); - -void p11_enumerate_init (p11_enumerate *ex); - -bool p11_enumerate_opt_filter (p11_enumerate *ex, - const char *option); - -bool p11_enumerate_opt_purpose (p11_enumerate *ex, - const char *option); - -bool p11_enumerate_ready (p11_enumerate *ex, - const char *def_filter); - -void p11_enumerate_cleanup (p11_enumerate *ex); - -#endif /* P11_ENUMERATE_H_ */ diff --git a/trust/extract-cer.c b/trust/extract-cer.c deleted file mode 100644 index b59be80..0000000 --- a/trust/extract-cer.c +++ /dev/null @@ -1,116 +0,0 @@ -/* - * Copyright (c) 2013, Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#include "compat.h" -#include "debug.h" -#include "extract.h" -#include "message.h" -#include "save.h" - -#include <stdlib.h> - -bool -p11_extract_x509_file (p11_enumerate *ex, - const char *destination) -{ - bool found = false; - p11_save_file *file; - CK_RV rv; - - while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) { - if (found) { - p11_message ("multiple certificates found but could only write one to file"); - break; - } - - file = p11_save_open_file (destination, NULL, ex->flags); - if (!p11_save_write_and_finish (file, ex->cert_der, ex->cert_len)) - return false; - - /* Wrote something */ - found = true; - } - - if (rv != CKR_OK && rv != CKR_CANCEL) { - p11_message ("failed to find certificates: %s", p11_kit_strerror (rv)); - return false; - - /* Remember that an empty DER file is not a valid file, so complain if nothing */ - } else if (!found) { - p11_message ("no certificate found"); - return false; - } - - return true; -} - -bool -p11_extract_x509_directory (p11_enumerate *ex, - const char *destination) -{ - p11_save_file *file; - p11_save_dir *dir; - char *filename; - CK_RV rv; - bool ret; - - dir = p11_save_open_directory (destination, ex->flags); - if (dir == NULL) - return false; - - while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) { - filename = p11_enumerate_filename (ex); - return_val_if_fail (filename != NULL, -1); - - file = p11_save_open_file_in (dir, filename, ".cer"); - free (filename); - - if (!p11_save_write_and_finish (file, ex->cert_der, ex->cert_len)) { - p11_save_finish_directory (dir, false); - return false; - } - } - - if (rv != CKR_OK && rv != CKR_CANCEL) { - p11_message ("failed to find certificates: %s", p11_kit_strerror (rv)); - ret = false; - } else { - ret = true; - } - - p11_save_finish_directory (dir, ret); - return ret; -} diff --git a/trust/extract-jks.c b/trust/extract-jks.c deleted file mode 100644 index b409046..0000000 --- a/trust/extract-jks.c +++ /dev/null @@ -1,330 +0,0 @@ -/* - * Copyright (c) 2013, Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#include "attrs.h" -#include "buffer.h" -#include "compat.h" -#include "debug.h" -#include "extract.h" -#include "digest.h" -#include "message.h" -#include "save.h" - -#include <assert.h> -#include <ctype.h> -#include <stdlib.h> -#include <stdint.h> -#include <string.h> - -static void -encode_msb_short (unsigned char *data, - int16_t value) -{ - uint16_t v; - - /* At this point we only support positive numbers */ - assert (value >= 0); - assert (value < INT16_MAX); - - v = (uint16_t)value; - data[0] = (v >> 8) & 0xff; - data[1] = (v >> 0) & 0xff; -} - -static void -encode_msb_int (unsigned char *data, - int32_t value) -{ - uint32_t v; - - /* At this point we only support positive numbers */ - assert (value >= 0); - assert (value < INT32_MAX); - - v = (uint32_t)value; - data[0] = (v >> 24) & 0xff; - data[1] = (v >> 16) & 0xff; - data[2] = (v >> 8) & 0xff; - data[3] = (v >> 0) & 0xff; -} - -static void -encode_msb_long (unsigned char *data, - int64_t value) -{ - uint64_t v; - - /* At this point we only support positive numbers */ - assert (value >= 0); - assert (value < INT64_MAX); - - v = (uint64_t)value; - data[0] = (v >> 56) & 0xff; - data[1] = (v >> 48) & 0xff; - data[2] = (v >> 40) & 0xff; - data[3] = (v >> 32) & 0xff; - data[4] = (v >> 24) & 0xff; - data[5] = (v >> 16) & 0xff; - data[6] = (v >> 8) & 0xff; - data[7] = (v >> 0) & 0xff; -} - -static void -add_msb_int (p11_buffer *buffer, - int32_t value) -{ - unsigned char *data = p11_buffer_append (buffer, 4); - return_if_fail (data != NULL); - encode_msb_int (data, value); -} - -static void -add_msb_long (p11_buffer *buffer, - int64_t value) -{ - unsigned char *data = p11_buffer_append (buffer, 8); - return_if_fail (data != NULL); - encode_msb_long (data, value); -} - -static void -add_string (p11_buffer *buffer, - const char *string, - size_t length) -{ - unsigned char *data; - - if (length > INT16_MAX) { - p11_message ("truncating long string"); - length = INT16_MAX; - } - - data = p11_buffer_append (buffer, 2); - return_if_fail (data != NULL); - encode_msb_short (data, length); - p11_buffer_add (buffer, string, length); -} - -static void -convert_alias (const char *input, - size_t length, - p11_buffer *buf) -{ - char ch; - size_t i; - - /* - * Java requires that the aliases are 'converted'. For the basic java - * cacerts key store this is lower case. We just do this for ASCII, since - * we don't want to have to bring in unicode case rules. Since we're - * screwing around, we also take out spaces, to make these look like - * java aliases. - */ - - for (i = 0; i < length; i++) { - ch = input[i]; - if (!isspace (ch) && (ch & 0x80) == 0) { - ch = tolower (ch); - p11_buffer_add (buf, &ch, 1); - } - } -} - -static bool -add_alias (p11_buffer *buffer, - p11_dict *aliases, - CK_ATTRIBUTE *label) -{ - const char *input; - size_t input_len; - size_t length; - p11_buffer buf; - char num[32]; - char *alias; - int i; - - p11_buffer_init_null (&buf, 64); - - if (label && label->pValue) { - input = label->pValue; - input_len = label->ulValueLen; - } else { - input = "unlabeled"; - input_len = strlen (input); - } - - convert_alias (input, input_len, &buf); - - for (i = 0; i < INT32_MAX; i++) { - if (i > 0) { - snprintf (num, sizeof (num), "-%d", i); - p11_buffer_add (&buf, num, -1); - } - - return_val_if_fail (p11_buffer_ok (&buf), false); - if (!p11_dict_get (aliases, buf.data)) { - alias = p11_buffer_steal (&buf, &length); - if (!p11_dict_set (aliases, alias, alias)) - return_val_if_reached (false); - add_string (buffer, alias, length); - return true; - } - - p11_buffer_reset (&buf, 0); - } - - return false; -} - -static bool -prepare_jks_buffer (p11_enumerate *ex, - p11_buffer *buffer) -{ - const unsigned char magic[] = { 0xfe, 0xed, 0xfe, 0xed }; - const int version = 2; - size_t count_at; - unsigned char *digest; - CK_ATTRIBUTE *label; - p11_dict *aliases; - size_t length; - int64_t now; - int count; - CK_RV rv; - - enum { - private_key = 1, - trusted_cert = 2, - }; - - /* - * Documented in the java sources in the file: - * src/share/classes/sun/security/provider/JavaKeyStore.java - */ - - p11_buffer_add (buffer, magic, sizeof (magic)); - add_msb_int (buffer, version); - count_at = buffer->len; - p11_buffer_append (buffer, 4); - count = 0; - - /* - * We use the current time for each entry. Java expects the time - * when this was this certificate was added to the keystore, however - * we don't have that information. Java uses time in milliseconds - */ - now = time (NULL); - return_val_if_fail (now > 0, false); - now *= 1000; /* seconds to milliseconds */ - - /* - * The aliases in the output file need to be unique. We use a hash - * table to guarantee this. - */ - aliases = p11_dict_new (p11_dict_str_hash, p11_dict_str_equal, free, NULL); - return_val_if_fail (aliases != NULL, false); - - /* For every certificate */ - while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) { - count++; - - /* The type of entry */ - add_msb_int (buffer, trusted_cert); - - /* The alias */ - label = p11_attrs_find_valid (ex->attrs, CKA_LABEL); - if (!add_alias (buffer, aliases, label)) { - p11_message ("could not generate a certificate alias name"); - p11_dict_free (aliases); - return false; - } - - /* The creation date: current time */ - add_msb_long (buffer, now); - - /* The type of the certificate */ - add_string (buffer, "X.509", 5); - - /* The DER encoding of the certificate */ - add_msb_int (buffer, ex->cert_len); - p11_buffer_add (buffer, ex->cert_der, ex->cert_len); - } - - p11_dict_free (aliases); - - if (rv != CKR_OK && rv != CKR_CANCEL) { - p11_message ("failed to find certificates: %s", p11_kit_strerror (rv)); - return false; - } - - /* Place the count in the right place */ - encode_msb_int ((unsigned char *)buffer->data + count_at, count); - - /* - * Java keystore reinvents HMAC and uses it to try and "secure" the - * cacerts. We fill this in and use the default "changeit" string - * as the password for this keyed digest. - */ - length = buffer->len; - digest = p11_buffer_append (buffer, P11_DIGEST_SHA1_LEN); - return_val_if_fail (digest != NULL, false); - p11_digest_sha1 (digest, - "\000c\000h\000a\000n\000g\000e\000i\000t", (size_t)16, /* default password */ - "Mighty Aphrodite", (size_t)16, /* go figure */ - buffer->data, length, - NULL); - - return_val_if_fail (p11_buffer_ok (buffer), false); - return true; -} - -bool -p11_extract_jks_cacerts (p11_enumerate *ex, - const char *destination) -{ - p11_buffer buffer; - p11_save_file *file; - bool ret; - - p11_buffer_init (&buffer, 1024 * 10); - ret = prepare_jks_buffer (ex, &buffer); - if (ret) { - file = p11_save_open_file (destination, NULL, ex->flags); - ret = p11_save_write_and_finish (file, buffer.data, buffer.len); - } - - p11_buffer_uninit (&buffer); - return ret; -} diff --git a/trust/extract-openssl.c b/trust/extract-openssl.c deleted file mode 100644 index 3271339..0000000 --- a/trust/extract-openssl.c +++ /dev/null @@ -1,696 +0,0 @@ -/* - * Copyright (c) 2013, Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#include "asn1.h" -#include "attrs.h" -#include "buffer.h" -#include "compat.h" -#include "debug.h" -#include "dict.h" -#include "digest.h" -#include "extract.h" -#include "message.h" -#include "oid.h" -#include "path.h" -#include "pem.h" -#include "pkcs11.h" -#include "pkcs11x.h" -#include "save.h" -#include "utf8.h" -#include "x509.h" - -#include <assert.h> -#include <ctype.h> -#include <stdlib.h> -#include <string.h> - -/* These functions are declared with a global scope for testing */ - -void p11_openssl_canon_string (char *str, - size_t *len); - -bool p11_openssl_canon_string_der (p11_buffer *der); - -bool p11_openssl_canon_name_der (p11_dict *asn1_defs, - p11_buffer *der); - -static p11_array * -empty_usages (void) -{ - return p11_array_new (free); -} - -static bool -known_usages (p11_array *oids) -{ - char *string; - int i; - - static const char *const strings[] = { - P11_OID_SERVER_AUTH_STR, - P11_OID_CLIENT_AUTH_STR, - P11_OID_CODE_SIGNING_STR, - P11_OID_EMAIL_PROTECTION_STR, - P11_OID_IPSEC_END_SYSTEM_STR, - P11_OID_IPSEC_TUNNEL_STR, - P11_OID_IPSEC_USER_STR, - P11_OID_TIME_STAMPING_STR, - NULL, - }; - - for (i = 0; strings[i] != NULL; i++) { - string = strdup (strings[i]); - return_val_if_fail (string != NULL, false); - if (!p11_array_push (oids, string)) - return_val_if_reached (false); - } - - return true; -} - -static bool -load_usage_ext (p11_enumerate *ex, - const unsigned char *ext_oid, - p11_array **oids) -{ - unsigned char *value; - node_asn *ext = NULL; - size_t length; - - if (ex->attached) - ext = p11_dict_get (ex->attached, ext_oid); - if (ext == NULL) { - *oids = NULL; - return true; - } - - value = p11_asn1_read (ext, "extnValue", &length); - return_val_if_fail (value != NULL, false); - - *oids = p11_x509_parse_extended_key_usage (ex->asn1_defs, value, length); - return_val_if_fail (*oids != NULL, false); - - free (value); - return true; -} - -static bool -write_usages (node_asn *asn, - const char *field, - p11_array *oids) -{ - char *last; - int ret; - int i; - - /* - * No oids? Then doing this will make the entire optional - * field go away - */ - if (oids == NULL) { - ret = asn1_write_value (asn, field, NULL, 0); - return_val_if_fail (ret == ASN1_SUCCESS, false); - - } else { - if (asprintf (&last, "%s.?LAST", field) < 0) - return_val_if_reached (false); - for (i = 0; i < oids->num; i++) { - ret = asn1_write_value (asn, field, "NEW", 1); - return_val_if_fail (ret == ASN1_SUCCESS, false); - ret = asn1_write_value (asn, last, oids->elem[i], -1); - return_val_if_fail (ret == ASN1_SUCCESS, false); - } - - free (last); - } - - return true; -} - -static bool -write_trust_and_rejects (p11_enumerate *ex, - node_asn *asn) -{ - p11_array *trusts = NULL; - p11_array *rejects = NULL; - CK_BBOOL trust; - CK_BBOOL distrust; - - if (!p11_attrs_find_bool (ex->attrs, CKA_TRUSTED, &trust)) - trust = CK_FALSE; - if (!p11_attrs_find_bool (ex->attrs, CKA_X_DISTRUSTED, &distrust)) - distrust = CK_FALSE; - - if (!load_usage_ext (ex, P11_OID_OPENSSL_REJECT, &rejects)) - return_val_if_reached (false); - - if (distrust) { - - /* - * If this is on the blacklist then, make sure we have - * an empty trusts field and add as many things to rejects - * as possible. - */ - trusts = NULL; - - if (!rejects) - rejects = empty_usages (); - if (!known_usages (rejects)) - return_val_if_reached (false); - return_val_if_fail (rejects != NULL, false); - - } else if (trust) { - - /* - * If this is an anchor, then try and guarantee that there - * are some trust anchors. - */ - - if (!load_usage_ext (ex, P11_OID_EXTENDED_KEY_USAGE, &trusts)) - return_val_if_reached (false); - - } else { - - /* - * This is not an anchor, always put an empty trusts - * section, with possible rejects, loaded above - */ - - trusts = empty_usages (); - } - - if (!write_usages (asn, "trust", trusts) || - !write_usages (asn, "reject", rejects)) - return_val_if_reached (false); - - p11_array_free (trusts); - p11_array_free (rejects); - return true; -} - -static bool -write_keyid (p11_enumerate *ex, - node_asn *asn) -{ - unsigned char *value = NULL; - node_asn *ext = NULL; - size_t length = 0; - int ret; - - if (ex->attached) - ext = p11_dict_get (ex->attached, P11_OID_SUBJECT_KEY_IDENTIFIER); - if (ext != NULL) { - value = p11_asn1_read (ext, "extnValue", &length); - return_val_if_fail (value != NULL, false); - } - - ret = asn1_write_value (asn, "keyid", value, length); - return_val_if_fail (ret == ASN1_SUCCESS, false); - free (value); - - return true; -} - -static bool -write_alias (p11_enumerate *ex, - node_asn *asn) -{ - CK_ATTRIBUTE *label; - int ret; - - label = p11_attrs_find_valid (ex->attrs, CKA_LABEL); - if (label == NULL) { - ret = asn1_write_value (asn, "alias", NULL, 0); - return_val_if_fail (ret == ASN1_SUCCESS, false); - } else { - ret = asn1_write_value (asn, "alias", label->pValue, label->ulValueLen); - return_val_if_fail (ret == ASN1_SUCCESS, false); - } - - return true; -} - -static bool -write_other (p11_enumerate *ex, - node_asn *asn) -{ - int ret; - - ret = asn1_write_value (asn, "other", NULL, 0); - return_val_if_fail (ret == ASN1_SUCCESS, false); - - return true; -} - -static bool -prepare_pem_contents (p11_enumerate *ex, - p11_buffer *buffer) -{ - char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE]; - unsigned char *der; - node_asn *asn; - size_t offset; - int ret; - int len; - - p11_buffer_add (buffer, ex->cert_der, ex->cert_len); - - asn = p11_asn1_create (ex->asn1_defs, "OPENSSL.CertAux"); - return_val_if_fail (asn != NULL, false); - - if (!write_trust_and_rejects (ex, asn) || - !write_alias (ex, asn) || - !write_keyid (ex, asn) || - !write_other (ex, asn)) - return_val_if_reached (false); - - len = 0; - offset = buffer->len; - - ret = asn1_der_coding (asn, "", NULL, &len, message); - return_val_if_fail (ret == ASN1_MEM_ERROR, false); - - der = p11_buffer_append (buffer, len); - return_val_if_fail (der != NULL, false); - - ret = asn1_der_coding (asn, "", der, &len, message); - return_val_if_fail (ret == ASN1_SUCCESS, false); - - buffer->len = offset + len; - asn1_delete_structure (&asn); - return true; -} - -bool -p11_extract_openssl_bundle (p11_enumerate *ex, - const char *destination) -{ - p11_save_file *file; - p11_buffer output; - p11_buffer buf; - char *comment; - bool ret = true; - bool first; - CK_RV rv; - - file = p11_save_open_file (destination, NULL, ex->flags); - if (!file) - return false; - - first = true; - p11_buffer_init (&output, 0); - while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) { - p11_buffer_init (&buf, 1024); - if (!p11_buffer_reset (&output, 2048)) - return_val_if_reached (false); - - if (prepare_pem_contents (ex, &buf)) { - if (!p11_pem_write (buf.data, buf.len, "TRUSTED CERTIFICATE", &output)) - return_val_if_reached (false); - - comment = p11_enumerate_comment (ex, first); - first = false; - - ret = p11_save_write (file, comment, -1) && - p11_save_write (file, output.data, output.len); - - free (comment); - } - - p11_buffer_uninit (&buf); - - if (!ret) - break; - } - - p11_buffer_uninit (&output); - - if (rv != CKR_OK && rv != CKR_CANCEL) { - p11_message ("failed to find certificates: %s", p11_kit_strerror (rv)); - ret = false; - } - - /* - * This will produce an empty file (which is a valid PEM bundle) if no - * certificates were found. - */ - - if (!p11_save_finish_file (file, NULL, ret)) - ret = false; - return ret; -} - -void -p11_openssl_canon_string (char *str, - size_t *len) -{ - bool nsp; - bool sp; - char *in; - char *out; - char *end; - - /* - * Now that the string is UTF-8 here we convert the string to the - * OpenSSL canonical form. This is a bit odd and openssl specific. - * Basically they ignore any char over 127, do ascii tolower() stuff - * and collapse spaces based on isspace(). - */ - - for (in = out = str, end = out + *len, sp = false, nsp = false; in < end; in++) { - if (*in & 0x80 || !isspace (*in)) { - /* If there has been a space, then add one */ - if (sp) - *out++ = ' '; - *out++ = (*in & 0x80) ? *in : tolower (*in); - sp = false; - nsp = true; - /* If there has been a non-space, then note we should get one */ - } else if (nsp) { - nsp = false; - sp = true; - } - } - - if (out < end) - out[0] = 0; - *len = out - str; -} - -bool -p11_openssl_canon_string_der (p11_buffer *der) -{ - char *string; - size_t length; - int output_len; - int len_len; - bool unknown_string; - unsigned char *output; - int len; - - string = p11_x509_parse_directory_string (der->data, der->len, &unknown_string, &length); - - /* Just pass through all the non-string types */ - if (string == NULL) - return unknown_string; - - p11_openssl_canon_string (string, &length); - - asn1_length_der (length, NULL, &len_len); - output_len = 1 + len_len + length; - - if (!p11_buffer_reset (der, output_len)) - return_val_if_reached (false); - - output = der->data; - der->len = output_len; - - output[0] = 12; /* UTF8String */ - len = output_len - 1; - asn1_octet_der ((unsigned char *)string, length, output + 1, &len); - assert (len == output_len - 1); - - free (string); - return true; -} - -bool -p11_openssl_canon_name_der (p11_dict *asn1_defs, - p11_buffer *der) -{ - p11_buffer value; - char outer[64]; - char field[64]; - node_asn *name; - void *at; - int value_len; - bool failed; - size_t offset; - int ret; - int num; - int len; - int i, j; - - name = p11_asn1_decode (asn1_defs, "PKIX1.Name", der->data, der->len, NULL); - return_val_if_fail (name != NULL, false); - - ret = asn1_number_of_elements (name, "rdnSequence", &num); - return_val_if_fail (ret == ASN1_SUCCESS, false); - - p11_buffer_init (&value, 0); - p11_buffer_reset (der, 0); - - for (i = 1, failed = false; !failed && i < num + 1; i++) { - snprintf (outer, sizeof (outer), "rdnSequence.?%d", i); - for (j = 1; !failed; j++) { - snprintf (field, sizeof (field), "%s.?%d.value", outer, j); - - value_len = 0; - ret = asn1_read_value (name, field, NULL, &value_len); - if (ret == ASN1_ELEMENT_NOT_FOUND) - break; - - return_val_if_fail (ret == ASN1_MEM_ERROR, false); - - if (!p11_buffer_reset (&value, value_len)) - return_val_if_reached (false); - - ret = asn1_read_value (name, field, value.data, &value_len); - return_val_if_fail (ret == ASN1_SUCCESS, false); - value.len = value_len; - - if (p11_openssl_canon_string_der (&value)) { - ret = asn1_write_value (name, field, value.data, value.len); - return_val_if_fail (ret == ASN1_SUCCESS, false); - } else { - failed = true; - } - } - - /* - * Yes the OpenSSL canon strangeness, is a concatenation - * of all the RelativeDistinguishedName DER encodings, without - * an outside wrapper. - */ - if (!failed) { - len = -1; - ret = asn1_der_coding (name, outer, NULL, &len, NULL); - return_val_if_fail (ret == ASN1_MEM_ERROR, false); - - offset = der->len; - at = p11_buffer_append (der, len); - return_val_if_fail (at != NULL, false); - - ret = asn1_der_coding (name, outer, at, &len, NULL); - return_val_if_fail (ret == ASN1_SUCCESS, false); - der->len = offset + len; - } - } - - asn1_delete_structure (&name); - p11_buffer_uninit (&value); - return !failed; -} - -#ifdef OS_UNIX - -static char * -symlink_for_subject_hash (p11_enumerate *ex) -{ - unsigned char md[P11_DIGEST_SHA1_LEN]; - p11_buffer der; - CK_ATTRIBUTE *subject; - unsigned long hash; - char *linkname = NULL; - - subject = p11_attrs_find_valid (ex->attrs, CKA_SUBJECT); - if (!subject || !subject->pValue || !subject->ulValueLen) - return NULL; - - p11_buffer_init_full (&der, memdup (subject->pValue, subject->ulValueLen), - subject->ulValueLen, 0, realloc, free); - return_val_if_fail (der.data != NULL, NULL); - - if (p11_openssl_canon_name_der (ex->asn1_defs, &der)) { - p11_digest_sha1 (md, der.data, der.len, NULL); - - hash = ( - ((unsigned long)md[0] ) | ((unsigned long)md[1] << 8L) | - ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L) - ) & 0xffffffffL; - - if (asprintf (&linkname, "%08lx", hash) < 0) - return_val_if_reached (NULL); - } - - p11_buffer_uninit (&der); - return linkname; -} - -static char * -symlink_for_subject_old_hash (p11_enumerate *ex) -{ - unsigned char md[P11_DIGEST_MD5_LEN]; - CK_ATTRIBUTE *subject; - unsigned long hash; - char *linkname; - - subject = p11_attrs_find_valid (ex->attrs, CKA_SUBJECT); - if (!subject) - return NULL; - - p11_digest_md5 (md, subject->pValue, (size_t)subject->ulValueLen, NULL); - - hash = ( - ((unsigned long)md[0] ) | ((unsigned long)md[1] << 8L) | - ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L) - ) & 0xffffffffL; - - if (asprintf (&linkname, "%08lx", hash) < 0) - return_val_if_reached (NULL); - - return linkname; -} - -#endif /* OS_UNIX */ - -/* - * The OpenSSL style c_rehash stuff - * - * Different versions of openssl build these hashes differently - * so output both of them. Shouldn't cause confusion, because - * multiple certificates can hash to the same link anyway, - * and this is the reason for the trailing number after the dot. - * - * The trailing number is incremented p11_save_symlink_in() if it - * conflicts with something we've already written out. - * - * On Windows no symlinks. - */ -bool -p11_openssl_symlink (p11_enumerate *ex, - p11_save_dir *dir, - const char *filename) -{ - bool ret = true; -#ifdef OS_UNIX - char *linkname; - - linkname = symlink_for_subject_hash (ex); - if (linkname) { - ret = p11_save_symlink_in (dir, linkname, ".0", filename); - free (linkname); - } - - if (ret) { - linkname = symlink_for_subject_old_hash (ex); - if (linkname) { - ret = p11_save_symlink_in (dir, linkname, ".0", filename); - free (linkname); - } - } -#endif /* OS_UNIX */ - return ret; -} - -bool -p11_extract_openssl_directory (p11_enumerate *ex, - const char *destination) -{ - char *filename; - p11_save_file *file; - p11_save_dir *dir; - p11_buffer output; - p11_buffer buf; - bool ret = true; - char *path; - char *name; - CK_RV rv; - - dir = p11_save_open_directory (destination, ex->flags); - if (dir == NULL) - return false; - - p11_buffer_init (&buf, 0); - p11_buffer_init (&output, 0); - - while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) { - if (!p11_buffer_reset (&buf, 1024)) - return_val_if_reached (false); - if (!p11_buffer_reset (&output, 2048)) - return_val_if_reached (false); - - if (prepare_pem_contents (ex, &buf)) { - if (!p11_pem_write (buf.data, buf.len, "TRUSTED CERTIFICATE", &output)) - return_val_if_reached (false); - - name = p11_enumerate_filename (ex); - return_val_if_fail (name != NULL, false); - - filename = NULL; - path = NULL; - ret = false; - - file = p11_save_open_file_in (dir, name, ".pem"); - if (file != NULL) { - ret = p11_save_write (file, output.data, output.len); - if (!p11_save_finish_file (file, &path, ret)) - ret = false; - if (ret) - filename = p11_path_base (path); - } - ret = p11_openssl_symlink(ex, dir, filename); - - free (filename); - free (path); - free (name); - } - - if (!ret) - break; - } - - p11_buffer_uninit (&buf); - p11_buffer_uninit (&output); - - if (rv != CKR_OK && rv != CKR_CANCEL) { - p11_message ("failed to find certificates: %s", p11_kit_strerror (rv)); - ret = false; - } - - p11_save_finish_directory (dir, ret); - return ret; -} diff --git a/trust/extract-pem.c b/trust/extract-pem.c deleted file mode 100644 index a32d032..0000000 --- a/trust/extract-pem.c +++ /dev/null @@ -1,178 +0,0 @@ -/* - * Copyright (c) 2013, Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#define P11_DEBUG_FLAG P11_DEBUG_TOOL - -#include "compat.h" -#include "debug.h" -#include "extract.h" -#include "message.h" -#include "path.h" -#include "pem.h" -#include "save.h" - -#include <stdlib.h> - -bool -p11_extract_pem_bundle (p11_enumerate *ex, - const char *destination) -{ - char *comment; - p11_buffer buf; - p11_save_file *file; - bool ret = true; - bool first = true; - CK_RV rv; - - file = p11_save_open_file (destination, NULL, ex->flags); - if (!file) - return false; - - p11_buffer_init (&buf, 0); - while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) { - if (!p11_buffer_reset (&buf, 2048)) - return_val_if_reached (false); - - if (!p11_pem_write (ex->cert_der, ex->cert_len, "CERTIFICATE", &buf)) - return_val_if_reached (false); - - comment = p11_enumerate_comment (ex, first); - first = false; - - ret = p11_save_write (file, comment, -1) && - p11_save_write (file, buf.data, buf.len); - - free (comment); - - if (!ret) - break; - } - - p11_buffer_uninit (&buf); - - if (rv != CKR_OK && rv != CKR_CANCEL) { - p11_message ("failed to find certificates: %s", p11_kit_strerror (rv)); - ret = false; - } - - /* - * This will produce an empty file (which is a valid PEM bundle) if no - * certificates were found. - */ - - if (!p11_save_finish_file (file, NULL, ret)) - ret = false; - - return ret; -} - -static bool -extract_pem_directory (p11_enumerate *ex, - const char *destination, - bool hash) -{ - p11_save_file *file; - p11_save_dir *dir; - p11_buffer buf; - bool ret = true; - char *filename; - char *path; - char *name; - CK_RV rv; - - dir = p11_save_open_directory (destination, ex->flags); - if (dir == NULL) - return false; - - p11_buffer_init (&buf, 0); - while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) { - if (!p11_buffer_reset (&buf, 2048)) - return_val_if_reached (false); - - if (!p11_pem_write (ex->cert_der, ex->cert_len, "CERTIFICATE", &buf)) - return_val_if_reached (false); - - name = p11_enumerate_filename (ex); - return_val_if_fail (name != NULL, false); - - path = NULL; - - file = p11_save_open_file_in (dir, name, ".pem"); - ret = p11_save_write (file, buf.data, buf.len); - - if (!p11_save_finish_file (file, &path, ret)) - ret = false; - - if (ret && hash) { - filename = p11_path_base (path); - ret = p11_openssl_symlink(ex, dir, filename); - free (filename); - } - - free (path); - free (name); - if (!ret) - break; - } - - p11_buffer_uninit (&buf); - - if (rv != CKR_OK && rv != CKR_CANCEL) { - p11_message ("failed to find certificates: %s", p11_kit_strerror (rv)); - ret = false; - } - - p11_save_finish_directory (dir, ret); - return ret; -} - -bool -p11_extract_pem_directory (p11_enumerate *ex, - const char *destination) -{ - bool ret = true; - ret = extract_pem_directory (ex, destination, false); - return ret; -} - -bool -p11_extract_pem_directory_hash (p11_enumerate *ex, - const char *destination) -{ - bool ret = true; - ret = extract_pem_directory (ex, destination, true); - return ret; -} diff --git a/trust/extract.c b/trust/extract.c deleted file mode 100644 index 80b5e72..0000000 --- a/trust/extract.c +++ /dev/null @@ -1,322 +0,0 @@ -/* - * Copyright (c) 2013, Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#include "attrs.h" -#include "compat.h" -#include "debug.h" -#include "extract.h" -#include "message.h" -#include "oid.h" -#include "path.h" -#include "pkcs11x.h" -#include "save.h" -#include "tool.h" -#include "digest.h" - -#include "p11-kit/iter.h" -#include "p11-kit/pkcs11.h" - -#include <assert.h> -#include <ctype.h> -#include <errno.h> -#include <getopt.h> -#include <stdint.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -static bool -format_argument (const char *optarg, - p11_extract_func *func) -{ - int i; - - /* - * Certain formats do not support expressive trust information. - * So the caller should limit the supported purposes when asking - * for trust information. - */ - - static const struct { - const char *format; - p11_extract_func func; - } formats[] = { - { "x509-file", p11_extract_x509_file, }, - { "x509-directory", p11_extract_x509_directory, }, - { "pem-bundle", p11_extract_pem_bundle, }, - { "pem-directory", p11_extract_pem_directory }, - { "pem-directory-hash", p11_extract_pem_directory_hash }, - { "java-cacerts", p11_extract_jks_cacerts }, - { "openssl-bundle", p11_extract_openssl_bundle }, - { "openssl-directory", p11_extract_openssl_directory }, - { NULL }, - }; - - if (*func != NULL) { - p11_message ("a format was already specified"); - return false; - } - - for (i = 0; formats[i].format != NULL; i++) { - if (strcmp (optarg, formats[i].format) == 0) { - *func = formats[i].func; - break; - } - } - - if (*func == NULL) { - p11_message ("unsupported or unrecognized format: %s", optarg); - return false; - } - - return true; -} - -static bool -validate_filter_and_format (p11_enumerate *ex, - p11_extract_func func) -{ - int i; - - /* - * These are the extract functions that contain purpose information. - * If we're being asked to export anchors, and the extract function does - * not support, and the caller has not specified a purpose, then add a - * default purpose to limit to. - */ - - static p11_extract_func supports_trust_policy[] = { - p11_extract_openssl_bundle, - p11_extract_openssl_directory, - NULL - }; - - for (i = 0; supports_trust_policy[i] != NULL; i++) { - if (func == supports_trust_policy[i]) - return true; - } - - if ((ex->flags & P11_ENUMERATE_ANCHORS) && - (ex->flags & P11_ENUMERATE_BLACKLIST)) { - /* - * If we're extracting *both* anchors and blacklist, then we must have - * a format that can represent the different types of information. - */ - - p11_message ("format does not support trust policy"); - return false; - - } else if (ex->flags & P11_ENUMERATE_ANCHORS) { - - /* - * If we're extracting anchors, then we must have either limited the - * purposes, or have a format that can represent multiple purposes. - */ - - if (!ex->limit_to_purposes) { - p11_message ("format does not support multiple purposes, defaulting to 'server-auth'"); - p11_enumerate_opt_purpose (ex, "server-auth"); - } - } - - return true; -} - -int -p11_trust_extract (int argc, - char **argv) -{ - p11_extract_func format = NULL; - p11_enumerate ex; - int opt = 0; - int ret; - - enum { - opt_overwrite = 'f', - opt_verbose = 'v', - opt_quiet = 'q', - opt_help = 'h', - opt_filter = 1000, - opt_purpose, - opt_format, - opt_comment, - }; - - struct option options[] = { - { "filter", required_argument, NULL, opt_filter }, - { "format", required_argument, NULL, opt_format }, - { "purpose", required_argument, NULL, opt_purpose }, - { "overwrite", no_argument, NULL, opt_overwrite }, - { "comment", no_argument, NULL, opt_comment }, - { "verbose", no_argument, NULL, opt_verbose }, - { "quiet", no_argument, NULL, opt_quiet }, - { "help", no_argument, NULL, opt_help }, - { 0 }, - }; - - p11_tool_desc usages[] = { - { 0, "usage: trust extract --format=<output> <destination>" }, - { opt_filter, - "filter of what to export\n" - " ca-anchors certificate anchors (default)\n" - " blacklist blacklisted certificates\n" - " trust-policy anchors and blacklist\n" - " certificates all certificates\n" - " pkcs11:object=xx a PKCS#11 URI", - "what", - }, - { opt_format, - "format to extract to\n" - " x509-file DER X.509 certificate file\n" - " x509-directory directory of X.509 certificates\n" - " pem-bundle file containing multiple PEM blocks\n" - " pem-directory directory of PEM files\n" - " pem-directory-hash directory of PEM files with hash links\n" - " openssl-bundle OpenSSL specific PEM bundle\n" - " openssl-directory directory of OpenSSL specific files\n" - " java-cacerts java keystore cacerts file", - "type" - }, - { opt_purpose, - "limit to certificates usable for the purpose\n" - " server-auth for authenticating servers\n" - " client-auth for authenticating clients\n" - " email for email protection\n" - " code-signing for authenticating signed code\n" - " 1.2.3.4.5... an arbitrary object id", - "usage" - }, - { opt_overwrite, "overwrite output file or directory" }, - { opt_comment, "add comments to bundles if possible" }, - { opt_verbose, "show verbose debug output", }, - { opt_quiet, "suppress command output", }, - { 0 }, - }; - - p11_enumerate_init (&ex); - - while ((opt = p11_tool_getopt (argc, argv, options)) != -1) { - switch (opt) { - case opt_verbose: - case opt_quiet: - break; - - case opt_overwrite: - ex.flags |= P11_SAVE_OVERWRITE; - break; - case opt_comment: - ex.flags |= P11_EXTRACT_COMMENT; - break; - case opt_filter: - if (!p11_enumerate_opt_filter (&ex, optarg)) - exit (2); - break; - case opt_purpose: - if (!p11_enumerate_opt_purpose (&ex, optarg)) - exit (2); - break; - case opt_format: - if (!format_argument (optarg, &format)) - exit (2); - break; - case 'h': - p11_tool_usage (usages, options); - exit (0); - case '?': - exit (2); - default: - assert_not_reached (); - break; - } - } - - argc -= optind; - argv += optind; - - if (argc != 1) { - p11_message ("specify one destination file or directory"); - exit (2); - } - - if (!format) { - p11_message ("no output format specified"); - exit (2); - } - - if (!validate_filter_and_format (&ex, format)) - exit (1); - - if (!p11_enumerate_ready (&ex, "ca-anchors")) - exit (1); - - ret = (format) (&ex, argv[0]) ? 0 : 1; - - p11_enumerate_cleanup (&ex); - return ret; -} - -int -p11_trust_extract_compat (int argc, - char *argv[]) -{ - char *path = NULL; - int error; - - argv[argc] = NULL; - - /* - * For compatibility with people who deployed p11-kit 0.18.x - * before trust stuff was put into its own branch. - */ - path = p11_path_build (PRIVATEDIR, "p11-kit-extract-trust", NULL); - return_val_if_fail (path != NULL, 1); - execv (path, argv); - error = errno; - - if (error == ENOENT) { - free (path); - path = p11_path_build (PRIVATEDIR, "trust-extract-compat", NULL); - return_val_if_fail (path != NULL, 1); - execv (path, argv); - error = errno; - } - - /* At this point we have no command */ - p11_message_err (error, "could not run %s command", path); - - free (path); - return 2; -} diff --git a/trust/extract.h b/trust/extract.h deleted file mode 100644 index 2664ba0..0000000 --- a/trust/extract.h +++ /dev/null @@ -1,86 +0,0 @@ -/* - * Copyright (c) 2013, Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#ifndef P11_EXTRACT_H_ -#define P11_EXTRACT_H_ - -#include "enumerate.h" -#include "pkcs11.h" -#include "save.h" - -enum { - /* These overlap with the flags in save.h, so start higher */ - P11_EXTRACT_COMMENT = 1 << 10, -}; - -typedef bool (* p11_extract_func) (p11_enumerate *ex, - const char *destination); - -bool p11_extract_x509_file (p11_enumerate *ex, - const char *destination); - -bool p11_extract_x509_directory (p11_enumerate *ex, - const char *destination); - -bool p11_extract_pem_bundle (p11_enumerate *ex, - const char *destination); - -bool p11_extract_pem_directory (p11_enumerate *ex, - const char *destination); - -bool p11_extract_pem_directory_hash (p11_enumerate *ex, - const char *destination); - -bool p11_extract_jks_cacerts (p11_enumerate *ex, - const char *destination); - -bool p11_extract_openssl_bundle (p11_enumerate *ex, - const char *destination); - -bool p11_extract_openssl_directory (p11_enumerate *ex, - const char *destination); - -int p11_trust_extract (int argc, - char **argv); - -int p11_trust_extract_compat (int argc, - char *argv[]); - -/* from extract-openssl.c but also used in extract-pem.c */ -bool p11_openssl_symlink (p11_enumerate *ex, - p11_save_dir *dir, - const char *filename); -#endif /* P11_EXTRACT_H_ */ diff --git a/trust/fixtures/cacert-ca.der b/trust/fixtures/cacert-ca.der Binary files differdeleted file mode 100644 index 719b0ff..0000000 --- a/trust/fixtures/cacert-ca.der +++ /dev/null diff --git a/trust/fixtures/cacert3-distrust-all.pem b/trust/fixtures/cacert3-distrust-all.pem deleted file mode 100644 index ce5d887..0000000 --- a/trust/fixtures/cacert3-distrust-all.pem +++ /dev/null @@ -1,44 +0,0 @@ ------BEGIN TRUSTED CERTIFICATE----- -MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv -b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ -Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y -dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU -MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 -Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN -AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a -iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1 -aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C -jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia -pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0 -FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt -XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL -oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6 -R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp -rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/ -LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA -BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow -gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV -BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG -A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS -c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH -AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr -BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB -MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y -Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj -ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5 -b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D -QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc -7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH -Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4 -D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3 -VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a -lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW -Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt -hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz -0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn -ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT -d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60 -4GGSt/M3mMS+lqO3ijBSoFAGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMG -CCsGAQUFBwMEBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQcD -CA== ------END TRUSTED CERTIFICATE----- diff --git a/trust/fixtures/cacert3-distrusted-all.pem b/trust/fixtures/cacert3-distrusted-all.pem deleted file mode 100644 index 4a04a39..0000000 --- a/trust/fixtures/cacert3-distrusted-all.pem +++ /dev/null @@ -1,43 +0,0 @@ ------BEGIN TRUSTED CERTIFICATE----- -MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv -b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ -Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y -dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU -MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 -Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN -AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a -iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1 -aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C -jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia -pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0 -FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt -XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL -oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6 -R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp -rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/ -LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA -BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow -gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV -BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG -A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS -c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH -AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr -BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB -MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y -Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj -ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5 -b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D -QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc -7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH -Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4 -D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3 -VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a -lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW -Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt -hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz -0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn -ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT -d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60 -4GGSt/M3mMS+lqO3ijBIoEYGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMG -CCsGAQUFBwMFBggrBgEFBQcDBgYIKwYBBQUHAwcGCCsGAQUFBwMI ------END TRUSTED CERTIFICATE----- diff --git a/trust/fixtures/cacert3-not-trusted.pem b/trust/fixtures/cacert3-not-trusted.pem deleted file mode 100644 index eaa2e54..0000000 --- a/trust/fixtures/cacert3-not-trusted.pem +++ /dev/null @@ -1,42 +0,0 @@ ------BEGIN TRUSTED CERTIFICATE----- -MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv -b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ -Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y -dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU -MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 -Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN -AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a -iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1 -aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C -jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia -pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0 -FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt -XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL -oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6 -R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp -rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/ -LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA -BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow -gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV -BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG -A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS -c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH -AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr -BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB -MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y -Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj -ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5 -b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D -QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc -7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH -Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4 -D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3 -VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a -lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW -Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt -hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz -0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn -ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT -d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60 -4GGSt/M3mMS+lqO3ijACMAA= ------END TRUSTED CERTIFICATE----- diff --git a/trust/fixtures/cacert3-trusted-alias.pem b/trust/fixtures/cacert3-trusted-alias.pem deleted file mode 100644 index 44601ea..0000000 --- a/trust/fixtures/cacert3-trusted-alias.pem +++ /dev/null @@ -1,42 +0,0 @@ ------BEGIN TRUSTED CERTIFICATE----- -MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv -b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ -Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y -dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU -MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 -Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN -AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a -iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1 -aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C -jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia -pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0 -FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt -XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL -oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6 -R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp -rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/ -LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA -BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow -gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV -BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG -A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS -c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH -AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr -BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB -MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y -Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj -ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5 -b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D -QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc -7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH -Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4 -D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3 -VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a -lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW -Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt -hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz -0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn -ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT -d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60 -4GGSt/M3mMS+lqO3ijAODAxDdXN0b20gTGFiZWw= ------END TRUSTED CERTIFICATE----- diff --git a/trust/fixtures/cacert3-trusted-keyid.pem b/trust/fixtures/cacert3-trusted-keyid.pem deleted file mode 100644 index e652733..0000000 --- a/trust/fixtures/cacert3-trusted-keyid.pem +++ /dev/null @@ -1,42 +0,0 @@ ------BEGIN TRUSTED CERTIFICATE----- -MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv -b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ -Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y -dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU -MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 -Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN -AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a -iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1 -aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C -jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia -pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0 -FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt -XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL -oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6 -R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp -rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/ -LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA -BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow -gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV -BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG -A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS -c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH -AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr -BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB -MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y -Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj -ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5 -b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D -QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc -7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH -Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4 -D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3 -VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a -lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW -Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt -hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz -0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn -ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT -d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60 -4GGSt/M3mMS+lqO3ijAJBAcAAQIDBAUG ------END TRUSTED CERTIFICATE----- diff --git a/trust/fixtures/cacert3-trusted-server-alias.pem b/trust/fixtures/cacert3-trusted-server-alias.pem deleted file mode 100644 index 55593ec..0000000 --- a/trust/fixtures/cacert3-trusted-server-alias.pem +++ /dev/null @@ -1,43 +0,0 @@ ------BEGIN TRUSTED CERTIFICATE----- -MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv -b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ -Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y -dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU -MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 -Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN -AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a -iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1 -aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C -jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia -pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0 -FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt -XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL -oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6 -R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp -rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/ -LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA -BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow -gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV -BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG -A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS -c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH -AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr -BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB -MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y -Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj -ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5 -b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D -QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc -7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH -Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4 -D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3 -VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a -lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW -Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt -hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz -0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn -ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT -d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60 -4GGSt/M3mMS+lqO3ijAmMAoGCCsGAQUFBwMBoAoGCCsGAQUFBwMEDAxDdXN0b20g -TGFiZWw= ------END TRUSTED CERTIFICATE----- diff --git a/trust/fixtures/cacert3-trusted.pem b/trust/fixtures/cacert3-trusted.pem deleted file mode 100644 index 55593ec..0000000 --- a/trust/fixtures/cacert3-trusted.pem +++ /dev/null @@ -1,43 +0,0 @@ ------BEGIN TRUSTED CERTIFICATE----- -MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv -b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ -Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y -dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU -MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 -Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN -AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a -iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1 -aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C -jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia -pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0 -FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt -XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL -oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6 -R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp -rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/ -LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA -BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow -gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV -BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG -A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS -c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH -AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr -BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB -MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y -Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj -ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5 -b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D -QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc -7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH -Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4 -D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3 -VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a -lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW -Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt -hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz -0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn -ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT -d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60 -4GGSt/M3mMS+lqO3ijAmMAoGCCsGAQUFBwMBoAoGCCsGAQUFBwMEDAxDdXN0b20g -TGFiZWw= ------END TRUSTED CERTIFICATE----- diff --git a/trust/fixtures/cacert3-twice.pem b/trust/fixtures/cacert3-twice.pem deleted file mode 100644 index c73202d..0000000 --- a/trust/fixtures/cacert3-twice.pem +++ /dev/null @@ -1,84 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv -b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ -Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y -dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU -MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 -Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN -AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a -iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1 -aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C -jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia -pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0 -FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt -XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL -oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6 -R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp -rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/ -LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA -BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow -gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV -BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG -A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS -c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH -AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr -BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB -MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y -Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj -ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5 -b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D -QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc -7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH -Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4 -D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3 -VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a -lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW -Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt -hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz -0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn -ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT -d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60 -4GGSt/M3mMS+lqO3ig== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv -b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ -Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y -dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU -MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 -Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN -AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a -iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1 -aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C -jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia -pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0 -FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt -XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL -oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6 -R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp -rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/ -LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA -BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow -gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV -BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG -A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS -c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH -AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr -BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB -MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y -Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj -ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5 -b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D -QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc -7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH -Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4 -D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3 -VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a -lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW -Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt -hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz -0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn -ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT -d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60 -4GGSt/M3mMS+lqO3ig== ------END CERTIFICATE----- diff --git a/trust/fixtures/cacert3.der b/trust/fixtures/cacert3.der Binary files differdeleted file mode 100644 index 56f8c88..0000000 --- a/trust/fixtures/cacert3.der +++ /dev/null diff --git a/trust/fixtures/cacert3.pem b/trust/fixtures/cacert3.pem deleted file mode 100644 index 087ca0e..0000000 --- a/trust/fixtures/cacert3.pem +++ /dev/null @@ -1,42 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv -b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ -Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y -dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU -MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 -Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN -AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a -iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1 -aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C -jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia -pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0 -FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt -XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL -oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6 -R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp -rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/ -LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA -BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow -gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV -BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG -A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS -c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH -AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr -BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB -MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y -Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj -ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5 -b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D -QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc -7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH -Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4 -D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3 -VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a -lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW -Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt -hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz -0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn -ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT -d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60 -4GGSt/M3mMS+lqO3ig== ------END CERTIFICATE----- diff --git a/trust/fixtures/distrusted.pem b/trust/fixtures/distrusted.pem deleted file mode 100644 index 8de6ff0..0000000 --- a/trust/fixtures/distrusted.pem +++ /dev/null @@ -1,23 +0,0 @@ ------BEGIN TRUSTED CERTIFICATE----- -MIIDsDCCAxmgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBnTELMAkGA1UEBhMCVVMx -FzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHEwdSYWxlaWdoMRYwFAYD -VQQKEw1SZWQgSGF0LCBJbmMuMQswCQYDVQQLEwJJUzEWMBQGA1UEAxMNUmVkIEhh -dCBJUyBDQTEmMCQGCSqGSIb3DQEJARYXc3lzYWRtaW4tcmR1QHJlZGhhdC5jb20w -HhcNMDkwOTE2MTg0NTI1WhcNMTkwOTE0MTg0NTI1WjCBnTELMAkGA1UEBhMCVVMx -FzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHEwdSYWxlaWdoMRYwFAYD -VQQKEw1SZWQgSGF0LCBJbmMuMQswCQYDVQQLEwJJUzEWMBQGA1UEAxMNUmVkIEhh -dCBJUyBDQTEmMCQGCSqGSIb3DQEJARYXc3lzYWRtaW4tcmR1QHJlZGhhdC5jb20w -gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN/HDWGiL8BarUWDIjNC6uxCXqYN -QkwcmhILX+cl+YuDDArFL1pYVrith228gF3dSUU5X7kIOmPkkjNheRkbnas61X+n -i3+KWvbX3q+h5VMxKX2cA1U+R3jLuXqYjF+N2gkPyPvxeoDuEncKAItw+mK/r+4L -WBb5nFzek7hP3017AgMBAAGjgf0wgfowHQYDVR0OBBYEFA2sGXDtBKdeeKv+i6g0 -6yEmwVY1MIHKBgNVHSMEgcIwgb+AFA2sGXDtBKdeeKv+i6g06yEmwVY1oYGjpIGg -MIGdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xpbmExEDAOBgNV -BAcTB1JhbGVpZ2gxFjAUBgNVBAoTDVJlZCBIYXQsIEluYy4xCzAJBgNVBAsTAklT -MRYwFAYDVQQDEw1SZWQgSGF0IElTIENBMSYwJAYJKoZIhvcNAQkBFhdzeXNhZG1p -bi1yZHVAcmVkaGF0LmNvbYIBATAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA -A4GBAFBgO5y3JcPXH/goumNBW7rr8m9EFZmQyK5gT1Ljv5qaCSZwxkAomhriv04p -mb1y8yjrK5OY3WwgaRaAWRHp4/hn2HWaRvx3S+gwLM7p8V1pWnbSFJOXF3kbuC41 -voMIMqAFfHKidKN/yrjJg/1ahIjSt11lMUvRJ4TNT+pk5VnBMB+gCgYIKwYBBQUH -AwIMEVJlZCBIYXQgSXMgdGhlIENB ------END TRUSTED CERTIFICATE----- diff --git a/trust/fixtures/empty-file b/trust/fixtures/empty-file deleted file mode 100644 index e69de29..0000000 --- a/trust/fixtures/empty-file +++ /dev/null diff --git a/trust/fixtures/multiple.pem b/trust/fixtures/multiple.pem deleted file mode 100644 index d3e1775..0000000 --- a/trust/fixtures/multiple.pem +++ /dev/null @@ -1,58 +0,0 @@ ------BEGIN TRUSTED CERTIFICATE----- -MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv -b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ -Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y -dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU -MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0 -Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN -AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a -iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1 -aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C -jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia -pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0 -FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt -XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL -oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6 -R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp -rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/ -LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA -BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow -gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV -BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG -A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS -c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH -AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr -BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB -MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y -Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj -ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5 -b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D -QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc -7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH -Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4 -D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3 -VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a -lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW -Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt -hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz -0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn -ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT -d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60 -4GGSt/M3mMS+lqO3ijAmMAoGCCsGAQUFBwMBoAoGCCsGAQUFBwMEDAxDdXN0b20g -TGFiZWw= ------END TRUSTED CERTIFICATE----- ------BEGIN TRUSTED CERTIFICATE----- -MIICPDCCAaUCED9pHoGc8JpK83P/uUii5N0wDQYJKoZIhvcNAQEFBQAwXzELMAkG -A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz -cyAxIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2 -MDEyOTAwMDAwMFoXDTI4MDgwMjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV -BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmlt -YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN -ADCBiQKBgQDlGb9to1ZhLZlIcfZn3rmN67eehoAKkQ76OCWvRoiC5XOooJskXQ0f -zGVuDLDQVoQYh5oGmxChc9+0WDlrbsH2FdWoqD+qEgaNMax/sDTXjzRniAnNFBHi -TkVWaR94AoDa3EeRKbs2yWNcxeDXLYd7obcysHswuiovMaruo2fa2wIDAQABMA0G -CSqGSIb3DQEBBQUAA4GBAFgVKTk8d6PaXCUDfGD67gmZPCcQcMgMCeazh88K4hiW -NWLMv5sneYlfycQJ9M61Hd8qveXbhpxoJeUwfLaJFf5n0a3hUKw8fGJLj7qE1xIV -Gx/KXQ/BUpQqEZnae88MNhPVNdwQGVnqlMEAv3WP2fr9dgTbYruQagPZRjXZ+Hxb -MA4MDEN1c3RvbSBMYWJlbA== ------END TRUSTED CERTIFICATE----- diff --git a/trust/fixtures/openssl-trust-no-trust.pem b/trust/fixtures/openssl-trust-no-trust.pem deleted file mode 100644 index 07e3917..0000000 --- a/trust/fixtures/openssl-trust-no-trust.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN TRUSTED CERTIFICATE----- -MIIEmTCCA4GgAwIBAgIQXSBhjowOuTRAk7mx2GOVtjANBgkqhkiG9w0BAQUFADBv -MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk -ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF -eHRlcm5hbCBDQSBSb290MB4XDTE0MDgwNTAwMDAwMFoXDTE1MTEwMTIzNTk1OVow -fzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug -Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSowKAYDVQQDEyFV -U0VSVHJ1c3QgTGVnYWN5IFNlY3VyZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDZTSA65ikwhvLphol2NE5oH5ZE99H51oJOpjie7stb -4Y4uvfJXgP3JP/yQc0S8j7tXW+UtHxQwdTb1f7zPVvR/gf+ukc3Y0mrLl/n3zZBq -RS3Eu6SFE2hXX+8puirK6vXMpASbY80A6/3tjd0jxnseVx02fx8Img1h21pscQJT -KML6jf2ru7PxjXRL3729zAaTYwmVwhB6nSWQMp0BwjlTsOAVa8fXdOWkIpvklP+E -kfstsxlDLZMPnBIJ5Ge5J3oyrXoqzEFYwG5ZX+44KxcinIn6buflVzX0Wu2SlZMt -+cwkP6UcPSe9IgNzzPXK86n03P7P6dBc0A+rh/yD/cipAgMBAAGjggEfMIIBGzAf -BgNVHSMEGDAWgBStvZh6NLQm9/rEJlTvA73gJMtUGjAdBgNVHQ4EFgQUr6RAr58W -/qsx/fvVl4v1kaMkhhYwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8C -AQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBkGA1UdIAQSMBAwDgYM -KwYBBAGyMQECAQMEMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRy -dXN0LmNvbS9BZGRUcnVzdEV4dGVybmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQp -MCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZI -hvcNAQEFBQADggEBAISuLWg4EWyDUWLAkcKYvMY7+qXFvTsJ5m5gbzADhiIasovz -xs4euxt54BYUTdKaBUv/j+zwKCnqKgQdPa8REtVJmFBCn2FmOrZAmQQMaxAy6ffP -hlhPLc3TrH7oW2qDfA2gnFxQNnUNbX5Ct9+m3JBcbyNOlx3zInW/AzXmXX/H+Zss -h/aO1iWWWZ3P6hAe727qWpt3GDTMgXevmofCCuXlnhOVU729SRqldhL23PKRt+ka -4bxNPZVxffiNfD4DT1Pt/lL9yl+T4RoBGwK3c066Zul4i1D+EcvRZ9AiT3fqzRQV -QK5mXegufx6Ib1V51rl+47X9kaDA8iaHSy+d9aA= ------END TRUSTED CERTIFICATE----- diff --git a/trust/fixtures/redhat-ca.der b/trust/fixtures/redhat-ca.der Binary files differdeleted file mode 100644 index affae24..0000000 --- a/trust/fixtures/redhat-ca.der +++ /dev/null diff --git a/trust/fixtures/self-signed-with-eku.der b/trust/fixtures/self-signed-with-eku.der Binary files differdeleted file mode 100644 index 33e0760..0000000 --- a/trust/fixtures/self-signed-with-eku.der +++ /dev/null diff --git a/trust/fixtures/self-signed-with-ku.der b/trust/fixtures/self-signed-with-ku.der Binary files differdeleted file mode 100644 index 51bb227..0000000 --- a/trust/fixtures/self-signed-with-ku.der +++ /dev/null diff --git a/trust/fixtures/simple-string b/trust/fixtures/simple-string deleted file mode 100644 index be13474..0000000 --- a/trust/fixtures/simple-string +++ /dev/null @@ -1 +0,0 @@ -The simple string is hairy
\ No newline at end of file diff --git a/trust/fixtures/testing-server.der b/trust/fixtures/testing-server.der Binary files differdeleted file mode 100644 index cf2de65..0000000 --- a/trust/fixtures/testing-server.der +++ /dev/null diff --git a/trust/fixtures/thawte.pem b/trust/fixtures/thawte.pem deleted file mode 100644 index 34af29e..0000000 --- a/trust/fixtures/thawte.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE-----
-MIIEKjCCAxKgAwIBAgIQYAGXt0an6rS0mtZLL/eQ+zANBgkqhkiG9w0BAQsFADCB
-rjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
-Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
-MDggdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxJDAiBgNV
-BAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EgLSBHMzAeFw0wODA0MDIwMDAwMDBa
-Fw0zNzEyMDEyMzU5NTlaMIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3Rl
-LCBJbmMuMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9u
-MTgwNgYDVQQLEy8oYykgMjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXpl
-ZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcz
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsr8nLPvb2FvdeHsbnndm
-gcs+vHyu86YnmjSjaDFxODNi5PNxZnmxqWWjpYvVj2AtP0LMqmsywCPLLEHd5N/8
-YZzic7IilRFDGF/Eth9XbAoFWCLINkw6fKXRz4aviKdEAhN0cXMKQlkC+BsUa0Lf
-b1+6a4KinVvnSr0eAXLbS3ToO39/fR8EtCab4LRarEc9VbjXsCZSKAExQGbY2SS9
-9irY7CFJXJv2eul/VTV+lmuNk5Mny5K76qxAwJ/C+IDPXfRa3M50hqY+bAtTyr2S
-zhkGcuYMXDhpxwTWvGzOW/b3aJzcJRVIiKHpqfiYnODz1TEoYRFsZ5aNOZnLwkUk
-OQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
-HQ4EFgQUrWyqlGCc7eT/+j4KdCtjA/e2Wb8wDQYJKoZIhvcNAQELBQADggEBABpA
-2JVlrAmSicY59BDlqQ5mU1143vokkbvnRFHfxhY0Cu9qRFHqKweKA3rD6z8KLFIW
-oCtDuSWQP3CpMyVtRRooOyfPqsMpQhvfO0zAMzRbQYi/aytlryjvsvXDqmbOe1bu
-t8jLZ8HJnBoYuMTDSQPxYA5QzUbF83d597YV4Djbxy8ooAw/dyZ02SUS2jHaGh7c
-KUGRIjxpp7sC8rZcJwOJ9Abqm+RyguOhCcHpABnTPtRwa7pxpqpYrvS76Wy274fM
-m7v/OeZWYdMKp8RcTGB7BXcmer/YB1IsYvdwY9k5vG8cwnncdimvzsUsZAReiDZu
-MdRAGmI0Nj81Aa6sY6A=
------END CERTIFICATE-----
diff --git a/trust/fixtures/unrecognized-file.txt b/trust/fixtures/unrecognized-file.txt deleted file mode 100644 index 4d5bac3..0000000 --- a/trust/fixtures/unrecognized-file.txt +++ /dev/null @@ -1 +0,0 @@ -# This file is not recognized by the parser
\ No newline at end of file diff --git a/trust/fixtures/verisign-v1.der b/trust/fixtures/verisign-v1.der Binary files differdeleted file mode 100644 index bcd5ebb..0000000 --- a/trust/fixtures/verisign-v1.der +++ /dev/null diff --git a/trust/fixtures/verisign-v1.pem b/trust/fixtures/verisign-v1.pem deleted file mode 100644 index ace4da5..0000000 --- a/trust/fixtures/verisign-v1.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN TRUSTED CERTIFICATE----- -MIICPDCCAaUCED9pHoGc8JpK83P/uUii5N0wDQYJKoZIhvcNAQEFBQAwXzELMAkG -A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz -cyAxIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2 -MDEyOTAwMDAwMFoXDTI4MDgwMjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV -BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmlt -YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN -ADCBiQKBgQDlGb9to1ZhLZlIcfZn3rmN67eehoAKkQ76OCWvRoiC5XOooJskXQ0f -zGVuDLDQVoQYh5oGmxChc9+0WDlrbsH2FdWoqD+qEgaNMax/sDTXjzRniAnNFBHi -TkVWaR94AoDa3EeRKbs2yWNcxeDXLYd7obcysHswuiovMaruo2fa2wIDAQABMA0G -CSqGSIb3DQEBBQUAA4GBAFgVKTk8d6PaXCUDfGD67gmZPCcQcMgMCeazh88K4hiW -NWLMv5sneYlfycQJ9M61Hd8qveXbhpxoJeUwfLaJFf5n0a3hUKw8fGJLj7qE1xIV -Gx/KXQ/BUpQqEZnae88MNhPVNdwQGVnqlMEAv3WP2fr9dgTbYruQagPZRjXZ+Hxb -MA4MDEN1c3RvbSBMYWJlbA== ------END TRUSTED CERTIFICATE----- diff --git a/trust/frob-bc.c b/trust/frob-bc.c deleted file mode 100644 index 41fbc58..0000000 --- a/trust/frob-bc.c +++ /dev/null @@ -1,102 +0,0 @@ -/* - * Copyright (c) 2013 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@gnome.org> - */ - -#include "config.h" -#include "compat.h" - -#include <libtasn1.h> - -#include <assert.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "pkix.asn.h" - -#define err_if_fail(ret, msg) \ - do { if ((ret) != ASN1_SUCCESS) { \ - fprintf (stderr, "%s: %s\n", msg, asn1_strerror (ret)); \ - exit (1); \ - } } while (0) - -int -main (int argc, - char *argv[]) -{ - char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = { 0, }; - node_asn *definitions = NULL; - node_asn *ext = NULL; - char *buf; - int len; - int ret; - - ret = asn1_array2tree (pkix_asn1_tab, &definitions, message); - if (ret != ASN1_SUCCESS) { - fprintf (stderr, "definitions: %s\n", message); - return 1; - } - - ret = asn1_create_element (definitions, "PKIX1.BasicConstraints", &ext); - err_if_fail (ret, "BasicConstraints"); - - if (argc > 1) { - ret = asn1_write_value (ext, "cA", argv[1], 1); - err_if_fail (ret, "cA"); - } - - ret = asn1_write_value (ext, "pathLenConstraint", NULL, 0); - err_if_fail (ret, "pathLenConstraint"); - - len = 0; - ret = asn1_der_coding (ext, "", NULL, &len, message); - assert (ret == ASN1_MEM_ERROR); - - buf = malloc (len); - assert (buf != NULL); - ret = asn1_der_coding (ext, "", buf, &len, message); - if (ret != ASN1_SUCCESS) { - fprintf (stderr, "asn1_der_coding: %s\n", message); - free (buf); - return 1; - } - - fwrite (buf, 1, len, stdout); - fflush (stdout); - - free (buf); - asn1_delete_structure (&ext); - asn1_delete_structure (&definitions); - - return 0; -} diff --git a/trust/frob-cert.c b/trust/frob-cert.c deleted file mode 100644 index c1bc45c..0000000 --- a/trust/frob-cert.c +++ /dev/null @@ -1,134 +0,0 @@ -/* - * Copyright (c) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@gnome.org> - */ - -#include "config.h" -#include "compat.h" - -#include <libtasn1.h> - -#include <sys/stat.h> -#include <sys/types.h> - -#include <assert.h> -#include <fcntl.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> - -#include "pkix.asn.h" - -#define err_if_fail(ret, msg) \ - do { if ((ret) != ASN1_SUCCESS) { \ - fprintf (stderr, "%s: %s\n", msg, asn1_strerror (ret)); \ - exit (1); \ - } } while (0) - -static ssize_t -tlv_length (const unsigned char *data, - size_t length) -{ - unsigned char cls; - int counter = 0; - int cb, len; - unsigned long tag; - - if (asn1_get_tag_der (data, length, &cls, &cb, &tag) == ASN1_SUCCESS) { - counter += cb; - len = asn1_get_length_der (data + cb, length - cb, &cb); - counter += cb; - if (len >= 0) { - len += counter; - if (length >= len) - return len; - } - } - - return -1; -} - -int -main (int argc, - char *argv[]) -{ - char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = { 0, }; - node_asn *definitions = NULL; - node_asn *cert = NULL; - p11_mmap *map; - void *data; - size_t size; - int start, end; - ssize_t len; - int ret; - - if (argc != 4) { - fprintf (stderr, "usage: frob-cert struct field filename\n"); - return 2; - } - - ret = asn1_array2tree (pkix_asn1_tab, &definitions, message); - if (ret != ASN1_SUCCESS) { - fprintf (stderr, "definitions: %s\n", message); - return 1; - } - - ret = asn1_create_element (definitions, argv[1], &cert); - err_if_fail (ret, "Certificate"); - - map = p11_mmap_open (argv[3], NULL, &data, &size); - if (map == NULL) { - fprintf (stderr, "couldn't open file: %s\n", argv[3]); - return 1; - } - - ret = asn1_der_decoding (&cert, data, size, message); - err_if_fail (ret, message); - - ret = asn1_der_decoding_startEnd (cert, data, size, argv[2], &start, &end); - err_if_fail (ret, "asn1_der_decoding_startEnd"); - - len = tlv_length ((unsigned char *)data + start, size - start); - assert (len >= 0); - - fprintf (stderr, "%lu %d %d %ld\n", (unsigned long)size, start, end, (long)len); - fwrite ((unsigned char *)data + start, 1, len, stdout); - fflush (stdout); - - p11_mmap_close (map); - - asn1_delete_structure (&cert); - asn1_delete_structure (&definitions); - - return 0; -} diff --git a/trust/frob-eku.c b/trust/frob-eku.c deleted file mode 100644 index f467b36..0000000 --- a/trust/frob-eku.c +++ /dev/null @@ -1,103 +0,0 @@ -/* - * Copyright (c) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@gnome.org> - */ - -#include "config.h" -#include "compat.h" - -#include <libtasn1.h> - -#include <assert.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "pkix.asn.h" - -#define err_if_fail(ret, msg) \ - do { if ((ret) != ASN1_SUCCESS) { \ - fprintf (stderr, "%s: %s\n", msg, asn1_strerror (ret)); \ - exit (1); \ - } } while (0) - -int -main (int argc, - char *argv[]) -{ - char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = { 0, }; - node_asn *definitions = NULL; - node_asn *ekus = NULL; - char *buf; - int len; - int ret; - int i; - - ret = asn1_array2tree (pkix_asn1_tab, &definitions, message); - if (ret != ASN1_SUCCESS) { - fprintf (stderr, "definitions: %s\n", message); - return 1; - } - - ret = asn1_create_element (definitions, "PKIX1.ExtKeyUsageSyntax", &ekus); - err_if_fail (ret, "ExtKeyUsageSyntax"); - - for (i = 1; i < argc; i++) { - ret = asn1_write_value (ekus, "", "NEW", 1); - err_if_fail (ret, "NEW"); - - ret = asn1_write_value (ekus, "?LAST", argv[i], strlen (argv[i])); - err_if_fail (ret, "asn1_write_value"); - } - - len = 0; - ret = asn1_der_coding (ekus, "", NULL, &len, message); - assert (ret == ASN1_MEM_ERROR); - - buf = malloc (len); - assert (buf != NULL); - ret = asn1_der_coding (ekus, "", buf, &len, message); - if (ret != ASN1_SUCCESS) { - fprintf (stderr, "asn1_der_coding: %s\n", message); - free (buf); - return 1; - } - - fwrite (buf, 1, len, stdout); - fflush (stdout); - - free (buf); - asn1_delete_structure (&ekus); - asn1_delete_structure (&definitions); - - return 0; -} diff --git a/trust/frob-ext.c b/trust/frob-ext.c deleted file mode 100644 index 2017205..0000000 --- a/trust/frob-ext.c +++ /dev/null @@ -1,119 +0,0 @@ -/* - * Copyright (c) 2013 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@gnome.org> - */ - -#include "config.h" -#include "compat.h" - -#include <libtasn1.h> - -#include <assert.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "pkix.asn.h" - -#define err_if_fail(ret, msg) \ - do { if ((ret) != ASN1_SUCCESS) { \ - fprintf (stderr, "%s: %s\n", msg, asn1_strerror (ret)); \ - exit (1); \ - } } while (0) - -int -main (int argc, - char *argv[]) -{ - char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = { 0, }; - node_asn *definitions = NULL; - node_asn *ext = NULL; - unsigned char input[1024]; - char *buf; - size_t size; - int len; - int ret; - - if (argc == 1 || argc > 3) { - fprintf (stderr, "usage: frob-ext 1.2.3 TRUE\n"); - return 2; - } - - size = fread (input, 1, sizeof (input), stdin); - if (ferror (stdin) || !feof (stdin)) { - fprintf (stderr, "bad input\n"); - return 1; - } - - ret = asn1_array2tree (pkix_asn1_tab, &definitions, message); - if (ret != ASN1_SUCCESS) { - fprintf (stderr, "definitions: %s\n", message); - return 1; - } - - - ret = asn1_create_element (definitions, "PKIX1.Extension", &ext); - err_if_fail (ret, "Extension"); - - ret = asn1_write_value (ext, "extnID", argv[1], 1); - err_if_fail (ret, "extnID"); - - if (argc == 3) { - ret = asn1_write_value (ext, "critical", argv[2], 1); - err_if_fail (ret, "critical"); - } - - ret = asn1_write_value (ext, "extnValue", input, size); - err_if_fail (ret, "extnValue"); - - len = 0; - ret = asn1_der_coding (ext, "", NULL, &len, message); - assert (ret == ASN1_MEM_ERROR); - - buf = malloc (len); - assert (buf != NULL); - ret = asn1_der_coding (ext, "", buf, &len, message); - if (ret != ASN1_SUCCESS) { - fprintf (stderr, "asn1_der_coding: %s\n", message); - free (buf); - return 1; - } - - fwrite (buf, 1, len, stdout); - fflush (stdout); - - free (buf); - asn1_delete_structure (&ext); - asn1_delete_structure (&definitions); - - return 0; -} diff --git a/trust/frob-ku.c b/trust/frob-ku.c deleted file mode 100644 index 99ac217..0000000 --- a/trust/frob-ku.c +++ /dev/null @@ -1,126 +0,0 @@ -/* - * Copyright (c) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@gnome.org> - */ - -#include "config.h" -#include "compat.h" - -#include "oid.h" - -#include <libtasn1.h> - -#include <assert.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "pkix.asn.h" - -#define err_if_fail(ret, msg) \ - do { if ((ret) != ASN1_SUCCESS) { \ - fprintf (stderr, "%s: %s\n", msg, asn1_strerror (ret)); \ - exit (1); \ - } } while (0) - -int -main (int argc, - char *argv[]) -{ - char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = { 0, }; - node_asn *definitions = NULL; - node_asn *ku = NULL; - unsigned int usage = 0; - char bits[2]; - char *buf; - int len; - int ret; - int i; - - for (i = 1; i < argc; i++) { - if (strcmp (argv[i], "digital-signature") == 0) - usage |= P11_KU_DIGITAL_SIGNATURE; - else if (strcmp (argv[i], "non-repudiation") == 0) - usage |= P11_KU_NON_REPUDIATION; - else if (strcmp (argv[i], "key-encipherment") == 0) - usage |= P11_KU_KEY_ENCIPHERMENT; - else if (strcmp (argv[i], "data-encipherment") == 0) - usage |= P11_KU_DATA_ENCIPHERMENT; - else if (strcmp (argv[i], "key-agreement") == 0) - usage |= P11_KU_KEY_AGREEMENT; - else if (strcmp (argv[i], "key-cert-sign") == 0) - usage |= P11_KU_KEY_CERT_SIGN; - else if (strcmp (argv[i], "crl-sign") == 0) - usage |= P11_KU_CRL_SIGN; - else { - fprintf (stderr, "unsupported or unknown key usage: %s\n", argv[i]); - return 2; - } - } - - ret = asn1_array2tree (pkix_asn1_tab, &definitions, message); - if (ret != ASN1_SUCCESS) { - fprintf (stderr, "definitions: %s\n", message); - return 1; - } - - ret = asn1_create_element (definitions, "PKIX1.KeyUsage", &ku); - err_if_fail (ret, "KeyUsage"); - - bits[0] = usage & 0xff; - bits[1] = (usage >> 8) & 0xff; - - ret = asn1_write_value (ku, "", bits, 9); - err_if_fail (ret, "asn1_write_value"); - - len = 0; - ret = asn1_der_coding (ku, "", NULL, &len, message); - assert (ret == ASN1_MEM_ERROR); - - buf = malloc (len); - assert (buf != NULL); - ret = asn1_der_coding (ku, "", buf, &len, message); - if (ret != ASN1_SUCCESS) { - fprintf (stderr, "asn1_der_coding: %s\n", message); - free (buf); - return 1; - } - - fwrite (buf, 1, len, stdout); - fflush (stdout); - free (buf); - - asn1_delete_structure (&ku); - asn1_delete_structure (&definitions); - - return 0; -} diff --git a/trust/frob-multi-init.c b/trust/frob-multi-init.c deleted file mode 100644 index d966540..0000000 --- a/trust/frob-multi-init.c +++ /dev/null @@ -1,69 +0,0 @@ -/* - * gcc -Wall -o frob-multi-init $(pkg-config p11-kit-1 --cflags --libs) -ldl frob-multi-init.c - */ - -#include <assert.h> -#include <dlfcn.h> -#include <stdio.h> - -#include <p11-kit/p11-kit.h> - -#define TRUST_SO "/usr/lib64/pkcs11/p11-kit-trust.so" - -int -main (void) -{ - CK_C_INITIALIZE_ARGS args = - { NULL, NULL, NULL, NULL, CKF_OS_LOCKING_OK, NULL, }; - CK_C_GetFunctionList C_GetFunctionList; - CK_SESSION_HANDLE session; - CK_FUNCTION_LIST *module; - CK_SLOT_ID slots[8]; - CK_SESSION_INFO info; - CK_ULONG count; - CK_RV rv; - void *dl; - - dl = dlopen (TRUST_SO, RTLD_LOCAL | RTLD_NOW); - if (dl == NULL) - fprintf (stderr, "%s\n", dlerror()); - assert (dl != NULL); - - C_GetFunctionList = dlsym (dl, "C_GetFunctionList"); - assert (C_GetFunctionList != NULL); - - rv = C_GetFunctionList (&module); - assert (rv == CKR_OK); - assert (module != NULL); - - rv = module->C_Initialize (&args); - assert (rv == CKR_OK); - - count = 8; - rv = module->C_GetSlotList (CK_TRUE, slots, &count); - assert (rv == CKR_OK); - assert (count > 1); - - rv = module->C_OpenSession (slots[0], CKF_SERIAL_SESSION, NULL, NULL, &session); - assert (rv == CKR_OK); - - rv = module->C_GetSessionInfo (session, &info); - assert (rv == CKR_OK); - - rv = p11_kit_initialize_registered (); - assert (rv == CKR_OK); - - rv = module->C_GetSessionInfo (session, &info); - if (rv == CKR_OK) { - printf ("no reinitialization bug\n"); - return 0; - - } else if (rv == CKR_SESSION_HANDLE_INVALID) { - printf ("reinitialization bug present\n"); - return 1; - - } else { - printf ("another error: %lu\n", rv); - return 1; - } -} diff --git a/trust/frob-nss-trust.c b/trust/frob-nss-trust.c deleted file mode 100644 index fd69573..0000000 --- a/trust/frob-nss-trust.c +++ /dev/null @@ -1,221 +0,0 @@ -/* - * Copyright (c) 2013 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#include "compat.h" -#include "attrs.h" -#include "debug.h" -#include "pkcs11x.h" - -#include "p11-kit/iter.h" -#include "p11-kit/p11-kit.h" - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -static void -dump_object (P11KitIter *iter, - CK_ATTRIBUTE *attrs) -{ - CK_ATTRIBUTE label = { CKA_LABEL, }; - CK_ATTRIBUTE *attr; - char *string; - char *name; - CK_RV rv; - - attr = p11_attrs_find_valid (attrs, CKA_LABEL); - if (!attr) { - rv = p11_kit_iter_load_attributes (iter, &label, 1); - if (rv == CKR_OK) - attr = &label; - } - - if (attr) - name = strndup (attr->pValue, attr->ulValueLen); - else - name = strdup ("unknown"); - - string = p11_attrs_to_string (attrs, -1); - printf ("\"%s\" = %s\n", name, string); - free (string); - - free (label.pValue); - free (name); -} - -static int -dump_trust_module (const char *path) -{ - CK_FUNCTION_LIST *module; - CK_OBJECT_CLASS nss_trust = CKO_NSS_TRUST; - CK_ATTRIBUTE match = - { CKA_CLASS, &nss_trust, sizeof (nss_trust) }; - P11KitIter *iter; - CK_ATTRIBUTE *attrs; - CK_RV rv; - - CK_ATTRIBUTE template[] = { - { CKA_CLASS,}, - { CKA_LABEL, }, - { CKA_CERT_MD5_HASH, }, - { CKA_CERT_SHA1_HASH }, - { CKA_ISSUER, }, - { CKA_SERIAL_NUMBER, }, - { CKA_TRUST_SERVER_AUTH, }, - { CKA_TRUST_EMAIL_PROTECTION, }, - { CKA_TRUST_CODE_SIGNING, }, - { CKA_TRUST_STEP_UP_APPROVED, }, - { CKA_INVALID, } - }; - - CK_ULONG count = p11_attrs_count (template); - - module = p11_kit_module_load (path, 0); - return_val_if_fail (module != NULL, 1); - - rv = p11_kit_module_initialize (module); - return_val_if_fail (rv == CKR_OK, 1); - - iter = p11_kit_iter_new (NULL, 0); - p11_kit_iter_add_filter (iter, &match, 1); - p11_kit_iter_begin_with (iter, module, 0, 0); - - while ((rv = p11_kit_iter_next (iter)) == CKR_OK) { - attrs = p11_attrs_dup (template); - rv = p11_kit_iter_load_attributes (iter, attrs, count); - return_val_if_fail (rv == CKR_OK || rv == CKR_ATTRIBUTE_VALUE_INVALID, 1); - p11_attrs_purge (attrs); - dump_object (iter, attrs); - p11_attrs_free (attrs); - } - - return_val_if_fail (rv == CKR_CANCEL, 1); - - p11_kit_module_finalize (module); - p11_kit_module_release (module); - - return 0; -} - -static int -compare_trust_modules (const char *path1, - const char *path2) -{ - CK_FUNCTION_LIST *module1; - CK_FUNCTION_LIST *module2; - CK_OBJECT_CLASS nss_trust = CKO_NSS_TRUST; - CK_ATTRIBUTE match = - { CKA_CLASS, &nss_trust, sizeof (nss_trust) }; - P11KitIter *iter; - P11KitIter *iter2; - CK_ATTRIBUTE *check; - CK_RV rv; - - CK_ATTRIBUTE template[] = { - { CKA_CLASS, }, - { CKA_ISSUER, }, - { CKA_SERIAL_NUMBER, }, - { CKA_CERT_MD5_HASH, }, - { CKA_CERT_SHA1_HASH }, - { CKA_TRUST_SERVER_AUTH, }, - { CKA_TRUST_EMAIL_PROTECTION, }, - { CKA_TRUST_CODE_SIGNING, }, - { CKA_TRUST_STEP_UP_APPROVED, }, - { CKA_INVALID, } - }; - - module1 = p11_kit_module_load (path1, 0); - return_val_if_fail (module1 != NULL, 1); - - rv = p11_kit_module_initialize (module1); - return_val_if_fail (rv == CKR_OK, 1); - - module2 = p11_kit_module_load (path2, 0); - return_val_if_fail (module2 != NULL, 1); - - rv = p11_kit_module_initialize (module2); - return_val_if_fail (rv == CKR_OK, 1); - - iter = p11_kit_iter_new (NULL, 0); - p11_kit_iter_add_filter (iter, &match, 1); - p11_kit_iter_begin_with (iter, module1, 0, 0); - - while ((rv = p11_kit_iter_next (iter)) == CKR_OK) { - check = p11_attrs_dup (template); - - rv = p11_kit_iter_load_attributes (iter, check, p11_attrs_count (check)); - return_val_if_fail (rv == CKR_OK || rv == CKR_ATTRIBUTE_TYPE_INVALID, 1); - - /* Go through and remove anything not found */ - p11_attrs_purge (check); - - /* Check that this object exists */ - iter2 = p11_kit_iter_new (NULL, 0); - p11_kit_iter_add_filter (iter2, check, p11_attrs_count (check)); - p11_kit_iter_begin_with (iter2, module2, 0, 0); - rv = p11_kit_iter_next (iter2); - p11_kit_iter_free (iter2); - - if (rv != CKR_OK) - dump_object (iter, check); - - p11_attrs_free (check); - } - - return_val_if_fail (rv == CKR_CANCEL, 1); - p11_kit_module_finalize (module1); - p11_kit_module_release (module1); - - p11_kit_module_finalize (module2); - p11_kit_module_release (module2); - - return 0; -} - -int -main (int argc, - char *argv[]) -{ - if (argc == 2) { - return dump_trust_module (argv[1]); - } else if (argc == 3) { - return compare_trust_modules (argv[1], argv[2]); - } else { - fprintf (stderr, "usage: frob-nss-trust module\n"); - fprintf (stderr, " frob-nss-trust module1 module2\n"); - return 2; - } -} diff --git a/trust/frob-oid.c b/trust/frob-oid.c deleted file mode 100644 index 5a2499a..0000000 --- a/trust/frob-oid.c +++ /dev/null @@ -1,102 +0,0 @@ -/* - * Copyright (c) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@gnome.org> - */ - -#include "config.h" -#include "compat.h" - -#include <libtasn1.h> - -#include <assert.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "pkix.asn.h" - -#define err_if_fail(ret, msg) \ - do { if ((ret) != ASN1_SUCCESS) { \ - fprintf (stderr, "%s: %s\n", msg, asn1_strerror (ret)); \ - exit (1); \ - } } while (0) -int -main (int argc, - char *argv[]) -{ - char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = { 0, }; - node_asn *definitions = NULL; - node_asn *oid = NULL; - char *buf; - int len; - int ret; - - if (argc != 2) { - fprintf (stderr, "usage: frob-oid 1.1.1\n"); - return 2; - } - - ret = asn1_array2tree (pkix_asn1_tab, &definitions, message); - if (ret != ASN1_SUCCESS) { - fprintf (stderr, "definitions: %s\n", message); - return 1; - } - - /* AttributeType is a OBJECT IDENTIFIER */ - ret = asn1_create_element (definitions, "PKIX1.AttributeType", &oid); - err_if_fail (ret, "AttributeType"); - - ret = asn1_write_value (oid, "", argv[1], strlen (argv[1])); - err_if_fail (ret, "asn1_write_value"); - - len = 0; - ret = asn1_der_coding (oid, "", NULL, &len, message); - assert (ret == ASN1_MEM_ERROR); - - buf = malloc (len); - assert (buf != NULL); - ret = asn1_der_coding (oid, "", buf, &len, message); - if (ret != ASN1_SUCCESS) { - fprintf (stderr, "asn1_der_coding: %s\n", message); - free (buf); - return 1; - } - - fwrite (buf, 1, len, stdout); - fflush (stdout); - free (buf); - - asn1_delete_structure (&oid); - asn1_delete_structure (&definitions); - - return 0; -} diff --git a/trust/frob-pow.c b/trust/frob-pow.c deleted file mode 100644 index f029b2a..0000000 --- a/trust/frob-pow.c +++ /dev/null @@ -1,57 +0,0 @@ -/* - * Copyright (c) 2013 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#include <stdio.h> - -static unsigned int -nearest_pow_2 (int num) -{ - unsigned int n = num ? 1 : 0; - while (n < num && n > 0) - n <<= 1; - return n; -} - -int -main (void) -{ - int i; - - for (i = 0; i < 40; i++) - printf ("nearest_pow_2 (%d) == %u\n", i, nearest_pow_2 (i)); - - return 0; -} diff --git a/trust/frob-token.c b/trust/frob-token.c deleted file mode 100644 index 5d57ec1..0000000 --- a/trust/frob-token.c +++ /dev/null @@ -1,64 +0,0 @@ -/* - * Copyright (c) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@gnome.org> - */ - -#include "config.h" -#include "compat.h" - -#include <stdio.h> - -#include "token.h" - -int -main (int argc, - char *argv[]) -{ - p11_token *token; - p11_index *index; - int count; - - if (argc != 2) { - fprintf (stderr, "usage: frob-token path\n"); - return 2; - } - - token = p11_token_new (1, argv[1], "Label"); - count = p11_token_load (token); - - printf ("%d files loaded\n", count); - index = p11_token_index (token); - printf ("%d objects loaded\n", p11_index_size (index)); - - p11_token_free (token); - return 0; -} diff --git a/trust/index.c b/trust/index.c deleted file mode 100644 index f4b6b4b..0000000 --- a/trust/index.c +++ /dev/null @@ -1,912 +0,0 @@ -/* - * Copyright (C) 2013 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "compat.h" - -#define P11_DEBUG_FLAG P11_DEBUG_TRUST - -#include "attrs.h" -#include "debug.h" -#include "dict.h" -#include "index.h" -#include "module.h" - -#include <assert.h> -#include <stdlib.h> -#include <string.h> - -/* - * The number of buckets we use for indexing, should end up as roughly - * equal to the expected number of unique attribute values * 0.75, - * prime if possible. Currently we don't expand the index, so this is - * just a good guess for general usage. - */ -#define NUM_BUCKETS 7919 - -/* - * The number of indexes to use when trying to find a matching object. - */ -#define MAX_SELECT 3 - -typedef struct { - CK_OBJECT_HANDLE *elem; - int num; -} index_bucket; - -struct _p11_index { - /* The list of objects by handle */ - p11_dict *objects; - - /* Used for indexing */ - index_bucket *buckets; - - /* Data passed to callbacks */ - void *data; - - /* Called to build an new/modified object */ - p11_index_build_cb build; - - /* Called after each object ready to be stored */ - p11_index_store_cb store; - - /* Called after an object has been removed */ - p11_index_remove_cb remove; - - /* Called after objects change */ - p11_index_notify_cb notify; - - /* Used for queueing changes, when in a batch */ - p11_dict *changes; - bool notifying; -}; - -typedef struct { - CK_OBJECT_HANDLE handle; - CK_ATTRIBUTE *attrs; -} index_object; - -static void -free_object (void *data) -{ - index_object *obj = data; - p11_attrs_free (obj->attrs); - free (obj); -} - -static CK_RV -default_build (void *data, - p11_index *index, - CK_ATTRIBUTE *attrs, - CK_ATTRIBUTE *merge, - CK_ATTRIBUTE **populate) -{ - return CKR_OK; -} - -static CK_RV -default_store (void *data, - p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE **attrs) -{ - return CKR_OK; -} - -static void -default_notify (void *data, - p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *attrs) -{ - -} - -static CK_RV -default_remove (void *data, - p11_index *index, - CK_ATTRIBUTE *attrs) -{ - return CKR_OK; -} - -p11_index * -p11_index_new (p11_index_build_cb build, - p11_index_store_cb store, - p11_index_remove_cb remove, - p11_index_notify_cb notify, - void *data) -{ - p11_index *index; - - index = calloc (1, sizeof (p11_index)); - return_val_if_fail (index != NULL, NULL); - - if (build == NULL) - build = default_build; - if (store == NULL) - store = default_store; - if (notify == NULL) - notify = default_notify; - if (remove == NULL) - remove = default_remove; - - index->build = build; - index->store = store; - index->notify = notify; - index->remove = remove; - index->data = data; - - index->objects = p11_dict_new (p11_dict_ulongptr_hash, - p11_dict_ulongptr_equal, - NULL, free_object); - return_val_if_fail (index->objects != NULL, NULL); - - index->buckets = calloc (NUM_BUCKETS, sizeof (index_bucket)); - return_val_if_fail (index->buckets != NULL, NULL); - - return index; -} - -void -p11_index_free (p11_index *index) -{ - int i; - - return_if_fail (index != NULL); - - p11_dict_free (index->objects); - p11_dict_free (index->changes); - for (i = 0; i < NUM_BUCKETS; i++) - free (index->buckets[i].elem); - free (index->buckets); - free (index); -} - -int -p11_index_size (p11_index *index) -{ - return_val_if_fail (index != NULL, -1); - return p11_dict_size (index->objects); -} - -static bool -is_indexable (p11_index *index, - CK_ATTRIBUTE_TYPE type) -{ - switch (type) { - case CKA_CLASS: - case CKA_VALUE: - case CKA_OBJECT_ID: - case CKA_ID: - case CKA_X_ORIGIN: - return true; - } - - return false; -} - -static unsigned int -alloc_size (int num) -{ - unsigned int n = num ? 1 : 0; - while (n < num && n > 0) - n <<= 1; - return n; -} - -static int -binary_search (CK_OBJECT_HANDLE *elem, - int low, - int high, - CK_OBJECT_HANDLE handle) -{ - int mid; - - if (low == high) - return low; - - mid = low + ((high - low) / 2); - if (handle > elem[mid]) - return binary_search (elem, mid + 1, high, handle); - else if (handle < elem[mid]) - return binary_search (elem, low, mid, handle); - - return mid; -} - - -static void -bucket_insert (index_bucket *bucket, - CK_OBJECT_HANDLE handle) -{ - unsigned int alloc; - int at = 0; - - if (bucket->elem) { - at = binary_search (bucket->elem, 0, bucket->num, handle); - if (at < bucket->num && bucket->elem[at] == handle) - return; - } - - alloc = alloc_size (bucket->num); - if (bucket->num + 1 > alloc) { - alloc = alloc ? alloc * 2 : 1; - return_if_fail (alloc != 0); - bucket->elem = realloc (bucket->elem, alloc * sizeof (CK_OBJECT_HANDLE)); - } - - return_if_fail (bucket->elem != NULL); - memmove (bucket->elem + at + 1, bucket->elem + at, - (bucket->num - at) * sizeof (CK_OBJECT_HANDLE)); - bucket->elem[at] = handle; - bucket->num++; -} - -static bool -bucket_push (index_bucket *bucket, - CK_OBJECT_HANDLE handle) -{ - unsigned int alloc; - - alloc = alloc_size (bucket->num); - if (bucket->num + 1 > alloc) { - alloc = alloc ? alloc * 2 : 1; - return_val_if_fail (alloc != 0, false); - bucket->elem = realloc (bucket->elem, alloc * sizeof (CK_OBJECT_HANDLE)); - } - - return_val_if_fail (bucket->elem != NULL, false); - bucket->elem[bucket->num++] = handle; - return true; -} - -static void -index_hash (p11_index *index, - index_object *obj) -{ - unsigned int hash; - int i; - - for (i = 0; !p11_attrs_terminator (obj->attrs + i); i++) { - if (is_indexable (index, obj->attrs[i].type)) { - hash = p11_attr_hash (obj->attrs + i); - bucket_insert (index->buckets + (hash % NUM_BUCKETS), obj->handle); - } - } -} - -static void -merge_attrs (CK_ATTRIBUTE *output, - CK_ULONG *noutput, - CK_ATTRIBUTE *merge, - CK_ULONG nmerge, - p11_array *to_free) -{ - CK_ULONG i; - - for (i = 0; i < nmerge; i++) { - /* Already have this attribute? */ - if (p11_attrs_findn (output, *noutput, merge[i].type)) { - p11_array_push (to_free, merge[i].pValue); - - } else { - memcpy (output + *noutput, merge + i, sizeof (CK_ATTRIBUTE)); - (*noutput)++; - } - } - - /* Freeing the array itself */ - p11_array_push (to_free, merge); -} - -static CK_RV -index_build (p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE **attrs, - CK_ATTRIBUTE *merge) -{ - CK_ATTRIBUTE *extra = NULL; - CK_ATTRIBUTE *built; - p11_array *stack = NULL; - CK_ULONG count; - CK_ULONG nattrs; - CK_ULONG nmerge; - CK_ULONG nextra; - CK_RV rv; - int i; - - rv = index->build (index->data, index, *attrs, merge, &extra); - if (rv != CKR_OK) - return rv; - - /* Short circuit when nothing to merge */ - if (*attrs == NULL && extra == NULL) { - built = merge; - stack = NULL; - - } else { - stack = p11_array_new (NULL); - nattrs = p11_attrs_count (*attrs); - nmerge = p11_attrs_count (merge); - nextra = p11_attrs_count (extra); - - /* Make a shallow copy of the combined attributes for validation */ - built = calloc (nmerge + nattrs + nextra + 1, sizeof (CK_ATTRIBUTE)); - return_val_if_fail (built != NULL, CKR_GENERAL_ERROR); - - count = nmerge; - memcpy (built, merge, sizeof (CK_ATTRIBUTE) * nmerge); - p11_array_push (stack, merge); - merge_attrs (built, &count, *attrs, nattrs, stack); - merge_attrs (built, &count, extra, nextra, stack); - - /* The terminator attribute */ - built[count].type = CKA_INVALID; - assert (p11_attrs_terminator (built + count)); - } - - rv = index->store (index->data, index, handle, &built); - - if (rv == CKR_OK) { - for (i = 0; stack && i < stack->num; i++) - free (stack->elem[i]); - *attrs = built; - } else { - p11_attrs_free (extra); - free (built); - } - - p11_array_free (stack); - return rv; -} - -static void -call_notify (p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *attrs) -{ - assert (index->notify); - - /* When attrs is NULL, means this is a modify */ - if (attrs == NULL) { - attrs = p11_index_lookup (index, handle); - if (attrs == NULL) - return; - - /* Otherwise a remove operation, handle not valid anymore */ - } else { - handle = 0; - } - - index->notifying = true; - index->notify (index->data, index, handle, attrs); - index->notifying = false; -} - -static void -index_notify (p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *removed) -{ - index_object *obj; - - if (!index->notify || index->notifying) { - p11_attrs_free (removed); - - } else if (!index->changes) { - call_notify (index, handle, removed); - p11_attrs_free (removed); - - } else { - obj = calloc (1, sizeof (index_object)); - return_if_fail (obj != NULL); - - obj->handle = handle; - obj->attrs = removed; - if (!p11_dict_set (index->changes, &obj->handle, obj)) - return_if_reached (); - } -} - -void -p11_index_load (p11_index *index) -{ - return_if_fail (index != NULL); - - if (index->changes) - return; - - index->changes = p11_dict_new (p11_dict_ulongptr_hash, - p11_dict_ulongptr_equal, - NULL, free_object); - return_if_fail (index->changes != NULL); -} - -void -p11_index_finish (p11_index *index) -{ - p11_dict *changes; - index_object *obj; - p11_dictiter iter; - - return_if_fail (index != NULL); - - if (!index->changes) - return; - - changes = index->changes; - index->changes = NULL; - - p11_dict_iterate (changes, &iter); - while (p11_dict_next (&iter, NULL, (void **)&obj)) { - index_notify (index, obj->handle, obj->attrs); - obj->attrs = NULL; - } - - p11_dict_free (changes); -} - -bool -p11_index_loading (p11_index *index) -{ - return_val_if_fail (index != NULL, false); - return index->changes ? true : false; -} - -CK_RV -p11_index_take (p11_index *index, - CK_ATTRIBUTE *attrs, - CK_OBJECT_HANDLE *handle) -{ - index_object *obj; - CK_RV rv; - - return_val_if_fail (index != NULL, CKR_GENERAL_ERROR); - return_val_if_fail (attrs != NULL, CKR_GENERAL_ERROR); - - obj = calloc (1, sizeof (index_object)); - return_val_if_fail (obj != NULL, CKR_HOST_MEMORY); - - obj->handle = p11_module_next_id (); - - rv = index_build (index, obj->handle, &obj->attrs, attrs); - if (rv != CKR_OK) { - p11_attrs_free (attrs); - free (obj); - return rv; - } - - return_val_if_fail (obj->attrs != NULL, CKR_GENERAL_ERROR); - - if (!p11_dict_set (index->objects, &obj->handle, obj)) - return_val_if_reached (CKR_HOST_MEMORY); - - index_hash (index, obj); - - if (handle) - *handle = obj->handle; - - index_notify (index, obj->handle, NULL); - return CKR_OK; -} - -CK_RV -p11_index_add (p11_index *index, - CK_ATTRIBUTE *attrs, - CK_ULONG count, - CK_OBJECT_HANDLE *handle) -{ - CK_ATTRIBUTE *copy; - - return_val_if_fail (index != NULL, CKR_GENERAL_ERROR); - return_val_if_fail (attrs == NULL || count > 0, CKR_ARGUMENTS_BAD); - - copy = p11_attrs_buildn (NULL, attrs, count); - return_val_if_fail (copy != NULL, CKR_HOST_MEMORY); - - return p11_index_take (index, copy, handle); -} - -CK_RV -p11_index_update (p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *update) -{ - index_object *obj; - CK_RV rv; - - return_val_if_fail (index != NULL, CKR_GENERAL_ERROR); - return_val_if_fail (update != NULL, CKR_GENERAL_ERROR); - - obj = p11_dict_get (index->objects, &handle); - if (obj == NULL) { - p11_attrs_free (update); - return CKR_OBJECT_HANDLE_INVALID; - } - - rv = index_build (index, obj->handle, &obj->attrs, update); - if (rv != CKR_OK) { - p11_attrs_free (update); - return rv; - } - - index_hash (index, obj); - index_notify (index, obj->handle, NULL); - - return CKR_OK; -} - -CK_RV -p11_index_set (p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *attrs, - CK_ULONG count) -{ - CK_ATTRIBUTE *update; - index_object *obj; - - return_val_if_fail (index != NULL, CKR_GENERAL_ERROR); - - obj = p11_dict_get (index->objects, &handle); - if (obj == NULL) - return CKR_OBJECT_HANDLE_INVALID; - - update = p11_attrs_buildn (NULL, attrs, count); - return_val_if_fail (update != NULL, CKR_HOST_MEMORY); - - return p11_index_update (index, handle, update); -} - -CK_RV -p11_index_remove (p11_index *index, - CK_OBJECT_HANDLE handle) -{ - index_object *obj; - CK_RV rv; - - return_val_if_fail (index != NULL, CKR_GENERAL_ERROR); - - if (!p11_dict_steal (index->objects, &handle, NULL, (void **)&obj)) - return CKR_OBJECT_HANDLE_INVALID; - - rv = (index->remove) (index->data, index, obj->attrs); - - /* If the writer failed the remove, then add it back */ - if (rv != CKR_OK) { - if (!p11_dict_set (index->objects, &obj->handle, obj)) - return_val_if_reached (CKR_HOST_MEMORY); - return rv; - } - - /* This takes ownership of the attributes */ - index_notify (index, handle, obj->attrs); - obj->attrs = NULL; - free_object (obj); - - return CKR_OK; -} - -static CK_RV -index_replacev (p11_index *index, - CK_OBJECT_HANDLE *handles, - CK_ATTRIBUTE_TYPE key, - CK_ATTRIBUTE **replace, - CK_ULONG replacen) -{ - index_object *obj; - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *attr; - bool handled = false; - CK_RV rv; - int i, j; - - for (i = 0; handles && handles[i] != 0; i++) { - obj = p11_dict_get (index->objects, handles + i); - if (obj == NULL) - continue; - - handled = false; - attr = p11_attrs_find (obj->attrs, key); - - /* The match doesn't have the key, so remove it */ - if (attr != NULL) { - for (j = 0; j < replacen; j++) { - if (!replace[j]) - continue; - if (p11_attrs_matchn (replace[j], attr, 1)) { - attrs = NULL; - rv = index_build (index, obj->handle, &attrs, replace[j]); - if (rv != CKR_OK) - return rv; - p11_attrs_free (obj->attrs); - obj->attrs = attrs; - replace[j] = NULL; - handled = true; - index_hash (index, obj); - index_notify (index, obj->handle, NULL); - break; - } - } - } - - if (!handled) { - rv = p11_index_remove (index, handles[i]); - if (rv != CKR_OK) - return rv; - } - } - - for (j = 0; j < replacen; j++) { - if (!replace[j]) - continue; - attrs = replace[j]; - replace[j] = NULL; - rv = p11_index_take (index, attrs, NULL); - if (rv != CKR_OK) - return rv; - } - - return CKR_OK; -} - -CK_RV -p11_index_replace (p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *replace) -{ - CK_OBJECT_HANDLE handles[] = { handle, 0 }; - return_val_if_fail (index != NULL, CKR_GENERAL_ERROR); - return index_replacev (index, handles, CKA_INVALID, - &replace, replace ? 1 : 0); -} - -CK_RV -p11_index_replace_all (p11_index *index, - CK_ATTRIBUTE *match, - CK_ATTRIBUTE_TYPE key, - p11_array *replace) -{ - CK_OBJECT_HANDLE *handles; - CK_RV rv; - int i; - - return_val_if_fail (index != NULL, CKR_GENERAL_ERROR); - - handles = p11_index_find_all (index, match, -1); - - rv = index_replacev (index, handles, key, - replace ? (CK_ATTRIBUTE **)replace->elem : NULL, - replace ? replace->num : 0); - - if (rv == CKR_OK) { - if (replace) - p11_array_clear (replace); - } else { - for (i = 0; replace && i < replace->num; i++) { - if (!replace->elem[i]) { - p11_array_remove (replace, i); - i--; - } - } - } - - free (handles); - return rv; -} - -CK_ATTRIBUTE * -p11_index_lookup (p11_index *index, - CK_OBJECT_HANDLE handle) -{ - index_object *obj; - - return_val_if_fail (index != NULL, NULL); - - if (handle == CK_INVALID_HANDLE) - return NULL; - - obj = p11_dict_get (index->objects, &handle); - return obj ? obj->attrs : NULL; -} - -typedef bool (* index_sink) (p11_index *index, - index_object *obj, - CK_ATTRIBUTE *match, - CK_ULONG count, - void *data); - -static void -index_select (p11_index *index, - CK_ATTRIBUTE *match, - CK_ULONG count, - index_sink sink, - void *data) -{ - index_bucket *selected[MAX_SELECT]; - CK_OBJECT_HANDLE handle; - index_object *obj; - unsigned int hash; - p11_dictiter iter; - CK_ULONG n; - int num, at; - int i, j; - - /* First look for any matching buckets */ - for (n = 0, num = 0; n < count && num < MAX_SELECT; n++) { - if (is_indexable (index, match[n].type)) { - hash = p11_attr_hash (match + n); - selected[num] = index->buckets + (hash % NUM_BUCKETS); - - /* If any index is empty, then obviously no match */ - if (!selected[num]->num) - return; - - num++; - } - } - - /* Fall back on selecting all the items, if no index */ - if (num == 0) { - p11_dict_iterate (index->objects, &iter); - while (p11_dict_next (&iter, NULL, (void *)&obj)) { - if (!sink (index, obj, match, count, data)) - return; - } - return; - } - - for (i = 0; i < selected[0]->num; i++) { - /* A candidate match from first bucket */ - handle = selected[0]->elem[i]; - - /* Check if the candidate is in other buckets */ - for (j = 1; j < num; j++) { - assert (selected[j]->elem); /* checked above */ - at = binary_search (selected[j]->elem, 0, selected[j]->num, handle); - if (at >= selected[j]->num || selected[j]->elem[at] != handle) { - handle = 0; - break; - } - } - - /* Matched all the buckets, now actually match attrs */ - if (handle != 0) { - obj = p11_dict_get (index->objects, &handle); - if (obj != NULL) { - if (!sink (index, obj, match, count, data)) - return; - } - } - } -} - -static bool -sink_one_match (p11_index *index, - index_object *obj, - CK_ATTRIBUTE *match, - CK_ULONG count, - void *data) -{ - CK_OBJECT_HANDLE *result = data; - - if (p11_attrs_matchn (obj->attrs, match, count)) { - *result = obj->handle; - return false; - } - - return true; -} - -CK_OBJECT_HANDLE -p11_index_find (p11_index *index, - CK_ATTRIBUTE *match, - int count) -{ - CK_OBJECT_HANDLE handle = 0UL; - - return_val_if_fail (index != NULL, 0UL); - - if (count < 0) - count = p11_attrs_count (match); - - index_select (index, match, count, sink_one_match, &handle); - return handle; -} - -static bool -sink_if_match (p11_index *index, - index_object *obj, - CK_ATTRIBUTE *match, - CK_ULONG count, - void *data) -{ - index_bucket *handles = data; - - if (p11_attrs_matchn (obj->attrs, match, count)) - bucket_push (handles, obj->handle); - return true; -} - -CK_OBJECT_HANDLE * -p11_index_find_all (p11_index *index, - CK_ATTRIBUTE *match, - int count) -{ - index_bucket handles = { NULL, 0 }; - - return_val_if_fail (index != NULL, NULL); - - if (count < 0) - count = p11_attrs_count (match); - - index_select (index, match, count, sink_if_match, &handles); - - /* Null terminate */ - bucket_push (&handles, 0UL); - return handles.elem; -} - -static bool -sink_any (p11_index *index, - index_object *obj, - CK_ATTRIBUTE *match, - CK_ULONG count, - void *data) -{ - index_bucket *handles = data; - bucket_push (handles, obj->handle); - return true; -} - -CK_OBJECT_HANDLE * -p11_index_snapshot (p11_index *index, - p11_index *base, - CK_ATTRIBUTE *attrs, - CK_ULONG count) -{ - index_bucket handles = { NULL, 0 }; - - return_val_if_fail (index != NULL, NULL); - - if (count < (CK_ULONG)0UL) - count = p11_attrs_count (attrs); - - index_select (index, attrs, count, sink_any, &handles); - if (base) - index_select (base, attrs, count, sink_any, &handles); - - /* Null terminate */ - bucket_push (&handles, 0UL); - return handles.elem; -} diff --git a/trust/index.h b/trust/index.h deleted file mode 100644 index 3ae24a1..0000000 --- a/trust/index.h +++ /dev/null @@ -1,127 +0,0 @@ -/* - * Copyright (C) 2013 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#ifndef P11_INDEX_H_ -#define P11_INDEX_H_ - -#include "array.h" -#include "compat.h" -#include "pkcs11.h" -#include "types.h" - -typedef struct _p11_index p11_index; - -typedef CK_RV (* p11_index_build_cb) (void *data, - p11_index *index, - CK_ATTRIBUTE *attrs, - CK_ATTRIBUTE *merge, - CK_ATTRIBUTE **populate); - -typedef CK_RV (* p11_index_store_cb) (void *data, - p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE **attrs); - -typedef CK_RV (* p11_index_remove_cb) (void *data, - p11_index *index, - CK_ATTRIBUTE *attrs); - -typedef void (* p11_index_notify_cb) (void *data, - p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *attrs); - -p11_index * p11_index_new (p11_index_build_cb build, - p11_index_store_cb store, - p11_index_remove_cb remove, - p11_index_notify_cb notify, - void *data); - -void p11_index_free (p11_index *index); - -int p11_index_size (p11_index *index); - -void p11_index_load (p11_index *index); - -void p11_index_finish (p11_index *index); - -bool p11_index_loading (p11_index *index); - -CK_RV p11_index_take (p11_index *index, - CK_ATTRIBUTE *attrs, - CK_OBJECT_HANDLE *handle); - -CK_RV p11_index_add (p11_index *index, - CK_ATTRIBUTE *attrs, - CK_ULONG count, - CK_OBJECT_HANDLE *handle); - -CK_RV p11_index_set (p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *attrs, - CK_ULONG count); - -CK_RV p11_index_update (p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *attrs); - -CK_RV p11_index_replace (p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *replace); - -CK_RV p11_index_replace_all (p11_index *index, - CK_ATTRIBUTE *match, - CK_ATTRIBUTE_TYPE key, - p11_array *replace); - -CK_RV p11_index_remove (p11_index *index, - CK_OBJECT_HANDLE handle); - -CK_ATTRIBUTE * p11_index_lookup (p11_index *index, - CK_OBJECT_HANDLE handle); - -CK_OBJECT_HANDLE p11_index_find (p11_index *index, - CK_ATTRIBUTE *match, - int count); - -CK_OBJECT_HANDLE * p11_index_find_all (p11_index *index, - CK_ATTRIBUTE *match, - int count); - -CK_OBJECT_HANDLE * p11_index_snapshot (p11_index *index, - p11_index *base, - CK_ATTRIBUTE *attrs, - CK_ULONG count); - -#endif /* P11_INDEX_H_ */ diff --git a/trust/input/anchors/cacert3.der b/trust/input/anchors/cacert3.der Binary files differdeleted file mode 100644 index 56f8c88..0000000 --- a/trust/input/anchors/cacert3.der +++ /dev/null diff --git a/trust/input/anchors/testing-ca.der b/trust/input/anchors/testing-ca.der Binary files differdeleted file mode 100644 index d3f70ea..0000000 --- a/trust/input/anchors/testing-ca.der +++ /dev/null diff --git a/trust/input/blacklist/self-server.der b/trust/input/blacklist/self-server.der Binary files differdeleted file mode 100644 index 68fe9af..0000000 --- a/trust/input/blacklist/self-server.der +++ /dev/null diff --git a/trust/input/cacert-ca.der b/trust/input/cacert-ca.der Binary files differdeleted file mode 100644 index 719b0ff..0000000 --- a/trust/input/cacert-ca.der +++ /dev/null diff --git a/trust/input/distrusted.pem b/trust/input/distrusted.pem deleted file mode 100644 index 8de6ff0..0000000 --- a/trust/input/distrusted.pem +++ /dev/null @@ -1,23 +0,0 @@ ------BEGIN TRUSTED CERTIFICATE----- -MIIDsDCCAxmgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBnTELMAkGA1UEBhMCVVMx -FzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHEwdSYWxlaWdoMRYwFAYD -VQQKEw1SZWQgSGF0LCBJbmMuMQswCQYDVQQLEwJJUzEWMBQGA1UEAxMNUmVkIEhh -dCBJUyBDQTEmMCQGCSqGSIb3DQEJARYXc3lzYWRtaW4tcmR1QHJlZGhhdC5jb20w -HhcNMDkwOTE2MTg0NTI1WhcNMTkwOTE0MTg0NTI1WjCBnTELMAkGA1UEBhMCVVMx -FzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHEwdSYWxlaWdoMRYwFAYD -VQQKEw1SZWQgSGF0LCBJbmMuMQswCQYDVQQLEwJJUzEWMBQGA1UEAxMNUmVkIEhh -dCBJUyBDQTEmMCQGCSqGSIb3DQEJARYXc3lzYWRtaW4tcmR1QHJlZGhhdC5jb20w -gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN/HDWGiL8BarUWDIjNC6uxCXqYN -QkwcmhILX+cl+YuDDArFL1pYVrith228gF3dSUU5X7kIOmPkkjNheRkbnas61X+n -i3+KWvbX3q+h5VMxKX2cA1U+R3jLuXqYjF+N2gkPyPvxeoDuEncKAItw+mK/r+4L -WBb5nFzek7hP3017AgMBAAGjgf0wgfowHQYDVR0OBBYEFA2sGXDtBKdeeKv+i6g0 -6yEmwVY1MIHKBgNVHSMEgcIwgb+AFA2sGXDtBKdeeKv+i6g06yEmwVY1oYGjpIGg -MIGdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xpbmExEDAOBgNV -BAcTB1JhbGVpZ2gxFjAUBgNVBAoTDVJlZCBIYXQsIEluYy4xCzAJBgNVBAsTAklT -MRYwFAYDVQQDEw1SZWQgSGF0IElTIENBMSYwJAYJKoZIhvcNAQkBFhdzeXNhZG1p -bi1yZHVAcmVkaGF0LmNvbYIBATAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA -A4GBAFBgO5y3JcPXH/goumNBW7rr8m9EFZmQyK5gT1Ljv5qaCSZwxkAomhriv04p -mb1y8yjrK5OY3WwgaRaAWRHp4/hn2HWaRvx3S+gwLM7p8V1pWnbSFJOXF3kbuC41 -voMIMqAFfHKidKN/yrjJg/1ahIjSt11lMUvRJ4TNT+pk5VnBMB+gCgYIKwYBBQUH -AwIMEVJlZCBIYXQgSXMgdGhlIENB ------END TRUSTED CERTIFICATE----- diff --git a/trust/input/verisign-v1.p11-kit b/trust/input/verisign-v1.p11-kit deleted file mode 100644 index eaa080d..0000000 --- a/trust/input/verisign-v1.p11-kit +++ /dev/null @@ -1,17 +0,0 @@ -[p11-kit-object-v1] -trusted: true - ------BEGIN CERTIFICATE----- -MIICPDCCAaUCED9pHoGc8JpK83P/uUii5N0wDQYJKoZIhvcNAQEFBQAwXzELMAkG -A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz -cyAxIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2 -MDEyOTAwMDAwMFoXDTI4MDgwMjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV -BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmlt -YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN -ADCBiQKBgQDlGb9to1ZhLZlIcfZn3rmN67eehoAKkQ76OCWvRoiC5XOooJskXQ0f -zGVuDLDQVoQYh5oGmxChc9+0WDlrbsH2FdWoqD+qEgaNMax/sDTXjzRniAnNFBHi -TkVWaR94AoDa3EeRKbs2yWNcxeDXLYd7obcysHswuiovMaruo2fa2wIDAQABMA0G -CSqGSIb3DQEBBQUAA4GBAFgVKTk8d6PaXCUDfGD67gmZPCcQcMgMCeazh88K4hiW -NWLMv5sneYlfycQJ9M61Hd8qveXbhpxoJeUwfLaJFf5n0a3hUKw8fGJLj7qE1xIV -Gx/KXQ/BUpQqEZnae88MNhPVNdwQGVnqlMEAv3WP2fr9dgTbYruQagPZRjXZ+Hxb ------END CERTIFICATE----- diff --git a/trust/list.c b/trust/list.c deleted file mode 100644 index 12120e5..0000000 --- a/trust/list.c +++ /dev/null @@ -1,260 +0,0 @@ -/* - * Copyright (c) 2013, Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#define P11_DEBUG_FLAG P11_DEBUG_TOOL - -#include "attrs.h" -#include "constants.h" -#include "debug.h" -#include "enumerate.h" -#include "list.h" -#include "message.h" -#include "pkcs11x.h" -#include "tool.h" -#include "url.h" - -#include "p11-kit/iter.h" - -#include <assert.h> -#include <stdlib.h> -#include <string.h> - -static char * -format_uri (p11_enumerate *ex, - int flags) -{ - CK_ATTRIBUTE *attr; - p11_kit_uri *uri; - char *string; - - uri = p11_kit_uri_new (); - - memcpy (p11_kit_uri_get_token_info (uri), - p11_kit_iter_get_token (ex->iter), - sizeof (CK_TOKEN_INFO)); - - attr = p11_attrs_find (ex->attrs, CKA_CLASS); - if (attr != NULL) - p11_kit_uri_set_attribute (uri, attr); - attr = p11_attrs_find (ex->attrs, CKA_ID); - if (attr != NULL) - p11_kit_uri_set_attribute (uri, attr); - - if (p11_kit_uri_format (uri, flags, &string) != P11_KIT_URI_OK) - string = NULL; - - p11_kit_uri_free (uri); - return string; -} - -static bool -list_iterate (p11_enumerate *ex, - bool details) -{ - unsigned char *bytes; - CK_OBJECT_HANDLE object; - CK_ATTRIBUTE *attr; - CK_ULONG klass; - CK_ULONG category; - CK_BBOOL val; - p11_buffer buf; - CK_RV rv; - const char *nick; - char *string; - int flags; - - flags = P11_KIT_URI_FOR_OBJECT; - if (details) - flags |= P11_KIT_URI_FOR_OBJECT_ON_TOKEN; - - while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) { - if (p11_debugging) { - object = p11_kit_iter_get_object (ex->iter); - p11_debug ("handle: %lu", object); - - string = p11_attrs_to_string (ex->attrs, -1); - p11_debug ("attrs: %s", string); - free (string); - } - - string = format_uri (ex, flags); - if (string == NULL) { - p11_message ("skipping object, couldn't build uri"); - continue; - } - - printf ("%s\n", string); - free (string); - - if (p11_attrs_find_ulong (ex->attrs, CKA_CLASS, &klass)) { - nick = p11_constant_nick (p11_constant_classes, klass); - if (nick != NULL) - printf (" type: %s\n", nick); - } - - attr = p11_attrs_find_valid (ex->attrs, CKA_LABEL); - if (attr && attr->pValue && attr->ulValueLen) { - string = strndup (attr->pValue, attr->ulValueLen); - printf (" label: %s\n", string); - free (string); - } - - if (p11_attrs_find_bool (ex->attrs, CKA_X_DISTRUSTED, &val) && val) - printf (" trust: blacklisted\n"); - else if (p11_attrs_find_bool (ex->attrs, CKA_TRUSTED, &val) && val) - printf (" trust: anchor\n"); - else - printf (" trust: unspecified\n"); - - if (p11_attrs_find_ulong (ex->attrs, CKA_CERTIFICATE_CATEGORY, &category)) { - nick = p11_constant_nick (p11_constant_categories, category); - if (nick != NULL) - printf (" category: %s\n", nick); - } - - if (details) { - attr = p11_attrs_find_valid (ex->attrs, CKA_PUBLIC_KEY_INFO); - if (attr) { - p11_buffer_init (&buf, 1024); - bytes = attr->pValue; - p11_url_encode (bytes, bytes + attr->ulValueLen, "", &buf); - printf (" public-key-info: %.*s\n", (int)buf.len, (char *)buf.data); - p11_buffer_uninit (&buf); - } - } - - printf ("\n"); - } - - return (rv == CKR_CANCEL); -} - -int -p11_trust_list (int argc, - char **argv) -{ - p11_enumerate ex; - bool details = false; - int opt = 0; - int ret; - - enum { - opt_verbose = 'v', - opt_quiet = 'q', - opt_help = 'h', - opt_filter = 1000, - opt_purpose, - opt_details, - }; - - struct option options[] = { - { "filter", required_argument, NULL, opt_filter }, - { "purpose", required_argument, NULL, opt_purpose }, - { "details", no_argument, NULL, opt_details }, - { "verbose", no_argument, NULL, opt_verbose }, - { "quiet", no_argument, NULL, opt_quiet }, - { "help", no_argument, NULL, opt_help }, - { 0 }, - }; - - p11_tool_desc usages[] = { - { 0, "usage: trust list --filter=<what>" }, - { opt_filter, - "filter of what to export\n" - " ca-anchors certificate anchors\n" - " blacklist blacklisted certificates\n" - " trust-policy anchors and blacklist (default)\n" - " certificates all certificates\n" - " pkcs11:object=xx a PKCS#11 URI", - "what", - }, - { opt_purpose, - "limit to certificates usable for the purpose\n" - " server-auth for authenticating servers\n" - " client-auth for authenticating clients\n" - " email for email protection\n" - " code-signing for authenticating signed code\n" - " 1.2.3.4.5... an arbitrary object id", - "usage" - }, - { opt_verbose, "show verbose debug output", }, - { opt_quiet, "suppress command output", }, - { 0 }, - }; - - p11_enumerate_init (&ex); - - while ((opt = p11_tool_getopt (argc, argv, options)) != -1) { - switch (opt) { - case opt_verbose: - case opt_quiet: - break; - - case opt_filter: - if (!p11_enumerate_opt_filter (&ex, optarg)) - exit (2); - break; - case opt_purpose: - if (!p11_enumerate_opt_purpose (&ex, optarg)) - exit (2); - break; - case opt_details: - details = true; - break; - case 'h': - p11_tool_usage (usages, options); - exit (0); - case '?': - exit (2); - default: - assert_not_reached (); - break; - } - } - - if (argc - optind != 0) { - p11_message ("extra arguments passed to command"); - exit (2); - } - - if (!p11_enumerate_ready (&ex, "trust-policy")) - exit (1); - - ret = list_iterate (&ex, details) ? 0 : 1; - - p11_enumerate_cleanup (&ex); - return ret; -} diff --git a/trust/list.h b/trust/list.h deleted file mode 100644 index ea3cd08..0000000 --- a/trust/list.h +++ /dev/null @@ -1,43 +0,0 @@ -/* - * Copyright (c) 2013, Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#ifndef P11_LIST_H_ -#define P11_LIST_H_ - -int p11_trust_list (int argc, - char **argv); - -#endif /* P11_LIST_H_ */ diff --git a/trust/module.c b/trust/module.c deleted file mode 100644 index 7fce465..0000000 --- a/trust/module.c +++ /dev/null @@ -1,1837 +0,0 @@ -/* - * Copyright (C) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#define CRYPTOKI_EXPORTS - -#include "argv.h" -#include "array.h" -#include "attrs.h" -#define P11_DEBUG_FLAG P11_DEBUG_TRUST -#include "debug.h" -#include "dict.h" -#include "library.h" -#include "message.h" -#include "module.h" -#include "parser.h" -#include "path.h" -#include "pkcs11.h" -#include "pkcs11x.h" -#include "session.h" -#include "token.h" - -#include <assert.h> -#include <ctype.h> -#include <stdlib.h> -#include <string.h> - -#define MANUFACTURER_ID "PKCS#11 Kit " -#define LIBRARY_DESCRIPTION "PKCS#11 Kit Trust Module " -#define TOKEN_MODEL "p11-kit-trust " -#define TOKEN_SERIAL_NUMBER "1 " - -/* Initial slot id: non-zero and non-one */ -#define BASE_SLOT_ID 18UL - -static struct _Shared { - int initialized; - p11_dict *sessions; - p11_array *tokens; - char *paths; -} gl = { 0, NULL, NULL, NULL }; - -/* Used during FindObjects */ -typedef struct _FindObjects { - CK_ATTRIBUTE *match; - CK_OBJECT_HANDLE *snapshot; - CK_ULONG iterator; -} FindObjects; - -static CK_FUNCTION_LIST sys_function_list; - -static void -find_objects_free (void *data) -{ - FindObjects *find = data; - p11_attrs_free (find->match); - free (find->snapshot); - free (find); -} - -static CK_RV -lookup_session (CK_SESSION_HANDLE handle, - p11_session **session) -{ - p11_session *sess; - - if (!gl.sessions) - return CKR_CRYPTOKI_NOT_INITIALIZED; - - sess = p11_dict_get (gl.sessions, &handle); - if (!sess) - return CKR_SESSION_HANDLE_INVALID; - - if (sess && session) - *session = sess; - return CKR_OK; -} - -static CK_ATTRIBUTE * -lookup_object_inlock (p11_session *session, - CK_OBJECT_HANDLE handle, - p11_index **index) -{ - CK_ATTRIBUTE *attrs; - - assert (session != NULL); - - attrs = p11_index_lookup (session->index, handle); - if (attrs) { - if (index) - *index = session->index; - return attrs; - } - - attrs = p11_index_lookup (p11_token_index (session->token), handle); - if (attrs) { - if (index) - *index = p11_token_index (session->token); - return attrs; - } - - return NULL; -} - -static CK_RV -check_index_writable (p11_session *session, - p11_index *index) -{ - if (index == p11_token_index (session->token)) { - if (!p11_token_is_writable (session->token)) - return CKR_TOKEN_WRITE_PROTECTED; - else if (!session->read_write) - return CKR_SESSION_READ_ONLY; - } - - return CKR_OK; -} - -static CK_RV -lookup_slot_inlock (CK_SLOT_ID id, - p11_token **token) -{ - /* - * These are invalid inputs, that well behaved callers should - * not produce, so have them fail precondations - */ - - return_val_if_fail (gl.tokens != NULL, - CKR_CRYPTOKI_NOT_INITIALIZED); - - return_val_if_fail (id >= BASE_SLOT_ID && id - BASE_SLOT_ID < gl.tokens->num, - CKR_SLOT_ID_INVALID); - - if (token) - *token = gl.tokens->elem[id - BASE_SLOT_ID]; - return CKR_OK; -} - -static bool -check_slot (CK_SLOT_ID id) -{ - bool ret; - - p11_lock (); - ret = lookup_slot_inlock (id, NULL) == CKR_OK; - p11_unlock (); - - return ret; -} - -static bool -create_tokens_inlock (p11_array *tokens, - const char *paths) -{ - /* - * TRANSLATORS: These label strings are used in PKCS#11 URIs and - * unfortunately cannot be marked translatable. If localization is - * desired they should be translated in GUI applications. These - * strings will not change arbitrarily. - */ - - struct { - const char *prefix; - const char *label; - } labels[] = { - { "~/", "User Trust" }, - { DATA_DIR, "Default Trust" }, - { SYSCONFDIR, "System Trust" }, - { NULL }, - }; - - p11_token *token; - p11_token *check; - CK_SLOT_ID slot; - const char *path; - const char *label; - char *alloc; - char *remaining; - char *base; - char *pos; - int i; - - p11_debug ("using paths: %s", paths); - - alloc = remaining = strdup (paths); - return_val_if_fail (remaining != NULL, false); - - while (remaining) { - path = remaining; - pos = strchr (remaining, P11_PATH_SEP_C); - if (pos == NULL) { - remaining = NULL; - } else { - pos[0] = '\0'; - remaining = pos + 1; - } - - if (path[0] != '\0') { - /* The slot for the new token */ - slot = BASE_SLOT_ID + tokens->num; - - label = NULL; - base = NULL; - - /* Claim the various labels based on prefix */ - for (i = 0; label == NULL && labels[i].prefix != NULL; i++) { - if (strncmp (path, labels[i].prefix, strlen (labels[i].prefix)) == 0) { - label = labels[i].label; - labels[i].label = NULL; - } - } - - /* Didn't find a label above, then make one based on the path */ - if (!label) { - label = base = p11_path_base (path); - return_val_if_fail (base != NULL, false); - } - - token = p11_token_new (slot, path, label); - return_val_if_fail (token != NULL, false); - - if (!p11_array_push (tokens, token)) - return_val_if_reached (false); - - free (base); - assert (lookup_slot_inlock (slot, &check) == CKR_OK && check == token); - } - } - - free (alloc); - return true; -} - -static void -parse_argument (char *arg, - void *unused) -{ - char *value; - - value = arg + strcspn (arg, ":="); - if (!*value) - value = NULL; - else - *(value++) = 0; - - if (strcmp (arg, "paths") == 0) { - free (gl.paths); - gl.paths = value ? strdup (value) : NULL; - - } else { - p11_message ("unrecognized module argument: %s", arg); - } -} - -static CK_RV -sys_C_Finalize (CK_VOID_PTR reserved) -{ - CK_RV rv = CKR_OK; - - p11_debug ("in"); - - /* WARNING: This function must be reentrant */ - - if (reserved) { - rv = CKR_ARGUMENTS_BAD; - - } else { - p11_lock (); - - if (gl.initialized == 0) { - p11_debug ("trust module is not initialized"); - rv = CKR_CRYPTOKI_NOT_INITIALIZED; - - } else if (gl.initialized == 1) { - p11_debug ("doing finalization"); - - free (gl.paths); - gl.paths = NULL; - - p11_dict_free (gl.sessions); - gl.sessions = NULL; - - p11_array_free (gl.tokens); - gl.tokens = NULL; - - rv = CKR_OK; - gl.initialized = 0; - - } else { - gl.initialized--; - p11_debug ("trust module still initialized %d times", gl.initialized); - } - - p11_unlock (); - } - - p11_debug ("out: 0x%lx", rv); - return rv; -} - -static CK_RV -sys_C_Initialize (CK_VOID_PTR init_args) -{ - static const CK_C_INITIALIZE_ARGS def_args = - { NULL, NULL, NULL, NULL, CKF_OS_LOCKING_OK, NULL, }; - const CK_C_INITIALIZE_ARGS *args = NULL; - int supplied_ok; - CK_RV rv; - - p11_library_init_once (); - - /* WARNING: This function must be reentrant */ - - p11_debug ("in"); - - p11_lock (); - - rv = CKR_OK; - - args = init_args; - if (args == NULL) - args = &def_args; - - /* ALL supplied function pointers need to have the value either NULL or non-NULL. */ - supplied_ok = (args->CreateMutex == NULL && args->DestroyMutex == NULL && - args->LockMutex == NULL && args->UnlockMutex == NULL) || - (args->CreateMutex != NULL && args->DestroyMutex != NULL && - args->LockMutex != NULL && args->UnlockMutex != NULL); - if (!supplied_ok) { - p11_message ("invalid set of mutex calls supplied"); - rv = CKR_ARGUMENTS_BAD; - } - - /* - * When the CKF_OS_LOCKING_OK flag isn't set return an error. - * We must be able to use our pthread functionality. - */ - if (!(args->flags & CKF_OS_LOCKING_OK)) { - p11_message ("can't do without os locking"); - rv = CKR_CANT_LOCK; - } - - if (rv == CKR_OK && gl.initialized != 0) { - p11_debug ("trust module already initialized %d times", - gl.initialized); - - /* - * We support setting the socket path and other arguments from from the - * pReserved pointer, similar to how NSS PKCS#11 components are initialized. - */ - } else if (rv == CKR_OK) { - p11_debug ("doing initialization"); - - if (args->pReserved) - p11_argv_parse ((const char*)args->pReserved, parse_argument, NULL); - - gl.sessions = p11_dict_new (p11_dict_ulongptr_hash, - p11_dict_ulongptr_equal, - NULL, p11_session_free); - - gl.tokens = p11_array_new ((p11_destroyer)p11_token_free); - if (gl.tokens && !create_tokens_inlock (gl.tokens, gl.paths ? gl.paths : TRUST_PATHS)) - gl.tokens = NULL; - - if (gl.sessions == NULL || gl.tokens == NULL) { - warn_if_reached (); - rv = CKR_GENERAL_ERROR; - } - } - - gl.initialized++; - - p11_unlock (); - - if (rv != CKR_OK) - sys_C_Finalize (NULL); - - p11_debug ("out: 0x%lx", rv); - return rv; -} - -static CK_RV -sys_C_GetInfo (CK_INFO_PTR info) -{ - CK_RV rv = CKR_OK; - - p11_library_init_once (); - - p11_debug ("in"); - - return_val_if_fail (info != NULL, CKR_ARGUMENTS_BAD); - - p11_lock (); - - if (!gl.sessions) - rv = CKR_CRYPTOKI_NOT_INITIALIZED; - - p11_unlock (); - - if (rv == CKR_OK) { - memset (info, 0, sizeof (*info)); - info->cryptokiVersion.major = CRYPTOKI_VERSION_MAJOR; - info->cryptokiVersion.minor = CRYPTOKI_VERSION_MINOR; - info->libraryVersion.major = PACKAGE_MAJOR; - info->libraryVersion.minor = PACKAGE_MINOR; - info->flags = 0; - strncpy ((char*)info->manufacturerID, MANUFACTURER_ID, 32); - strncpy ((char*)info->libraryDescription, LIBRARY_DESCRIPTION, 32); - } - - p11_debug ("out: 0x%lx", rv); - - return rv; -} - -static CK_RV -sys_C_GetFunctionList (CK_FUNCTION_LIST_PTR_PTR list) -{ - /* Can be called before C_Initialize */ - return_val_if_fail (list != NULL, CKR_ARGUMENTS_BAD); - - *list = &sys_function_list; - return CKR_OK; -} - -static CK_RV -sys_C_GetSlotList (CK_BBOOL token_present, - CK_SLOT_ID_PTR slot_list, - CK_ULONG_PTR count) -{ - CK_RV rv = CKR_OK; - int i; - - return_val_if_fail (count != NULL, CKR_ARGUMENTS_BAD); - - p11_debug ("in"); - - p11_lock (); - - if (!gl.sessions) - rv = CKR_CRYPTOKI_NOT_INITIALIZED; - - p11_unlock (); - - if (rv != CKR_OK) { - /* already failed */ - - } else if (!slot_list) { - *count = gl.tokens->num; - rv = CKR_OK; - - } else if (*count < gl.tokens->num) { - *count = gl.tokens->num; - rv = CKR_BUFFER_TOO_SMALL; - - } else { - for (i = 0; i < gl.tokens->num; i++) - slot_list[i] = BASE_SLOT_ID + i; - *count = gl.tokens->num; - rv = CKR_OK; - } - - p11_debug ("out: 0x%lx", rv); - - return rv; -} - -static CK_RV -sys_C_GetSlotInfo (CK_SLOT_ID id, - CK_SLOT_INFO_PTR info) -{ - CK_RV rv = CKR_OK; - p11_token *token; - const char *path; - size_t length; - - return_val_if_fail (info != NULL, CKR_ARGUMENTS_BAD); - - p11_debug ("in"); - p11_lock (); - - rv = lookup_slot_inlock (id, &token); - if (rv == CKR_OK) { - memset (info, 0, sizeof (*info)); - info->firmwareVersion.major = 0; - info->firmwareVersion.minor = 0; - info->hardwareVersion.major = PACKAGE_MAJOR; - info->hardwareVersion.minor = PACKAGE_MINOR; - info->flags = CKF_TOKEN_PRESENT; - strncpy ((char*)info->manufacturerID, MANUFACTURER_ID, 32); - - /* If too long, copy the first 64 characters into buffer */ - path = p11_token_get_path (token); - length = strlen (path); - if (length > sizeof (info->slotDescription)) - length = sizeof (info->slotDescription); - memset (info->slotDescription, ' ', sizeof (info->slotDescription)); - memcpy (info->slotDescription, path, length); - } - - p11_unlock (); - p11_debug ("out: 0x%lx", rv); - - return rv; -} - -static CK_RV -sys_C_GetTokenInfo (CK_SLOT_ID id, - CK_TOKEN_INFO_PTR info) -{ - CK_RV rv = CKR_OK; - p11_token *token; - const char *label; - size_t length; - - return_val_if_fail (info != NULL, CKR_ARGUMENTS_BAD); - - p11_debug ("in"); - - p11_lock (); - - rv = lookup_slot_inlock (id, &token); - if (rv == CKR_OK) { - memset (info, 0, sizeof (*info)); - info->firmwareVersion.major = 0; - info->firmwareVersion.minor = 0; - info->hardwareVersion.major = PACKAGE_MAJOR; - info->hardwareVersion.minor = PACKAGE_MINOR; - info->flags = CKF_TOKEN_INITIALIZED; - strncpy ((char*)info->manufacturerID, MANUFACTURER_ID, 32); - strncpy ((char*)info->model, TOKEN_MODEL, 16); - strncpy ((char*)info->serialNumber, TOKEN_SERIAL_NUMBER, 16); - info->ulMaxSessionCount = CK_EFFECTIVELY_INFINITE; - info->ulSessionCount = CK_UNAVAILABLE_INFORMATION; - info->ulMaxRwSessionCount = 0; - info->ulRwSessionCount = CK_UNAVAILABLE_INFORMATION; - info->ulMaxPinLen = 0; - info->ulMinPinLen = 0; - info->ulTotalPublicMemory = CK_UNAVAILABLE_INFORMATION; - info->ulFreePublicMemory = CK_UNAVAILABLE_INFORMATION; - info->ulTotalPrivateMemory = CK_UNAVAILABLE_INFORMATION; - info->ulFreePrivateMemory = CK_UNAVAILABLE_INFORMATION; - - /* If too long, copy the first 32 characters into buffer */ - label = p11_token_get_label (token); - length = strlen (label); - if (length > sizeof (info->label)) - length = sizeof (info->label); - memset (info->label, ' ', sizeof (info->label)); - memcpy (info->label, label, length); - - if (!p11_token_is_writable (token)) - info->flags |= CKF_WRITE_PROTECTED; - } - - p11_unlock (); - p11_debug ("out: 0x%lx", rv); - - return rv; -} - -static CK_RV -sys_C_GetMechanismList (CK_SLOT_ID id, - CK_MECHANISM_TYPE_PTR mechanism_list, - CK_ULONG_PTR count) -{ - CK_RV rv = CKR_OK; - - return_val_if_fail (count != NULL, CKR_ARGUMENTS_BAD); - - p11_debug ("in"); - - *count = 0; - - p11_debug ("out: 0x%lx", rv); - return rv; -} - -static CK_RV -sys_C_GetMechanismInfo (CK_SLOT_ID id, - CK_MECHANISM_TYPE type, - CK_MECHANISM_INFO_PTR info) -{ - return_val_if_fail (info != NULL, CKR_ARGUMENTS_BAD); - return_val_if_fail (check_slot (id), CKR_SLOT_ID_INVALID); - return_val_if_reached (CKR_MECHANISM_INVALID); -} - -static CK_RV -sys_C_InitToken (CK_SLOT_ID id, - CK_UTF8CHAR_PTR pin, - CK_ULONG pin_len, - CK_UTF8CHAR_PTR label) -{ - p11_debug ("not supported"); - return CKR_FUNCTION_NOT_SUPPORTED; -} - -static CK_RV -sys_C_WaitForSlotEvent (CK_FLAGS flags, - CK_SLOT_ID_PTR slot, - CK_VOID_PTR reserved) -{ - p11_debug ("not supported"); - return CKR_FUNCTION_NOT_SUPPORTED; -} - -static CK_RV -sys_C_OpenSession (CK_SLOT_ID id, - CK_FLAGS flags, - CK_VOID_PTR user_data, - CK_NOTIFY callback, - CK_SESSION_HANDLE_PTR handle) -{ - p11_session *session; - p11_token *token; - CK_RV rv = CKR_OK; - - return_val_if_fail (check_slot (id), CKR_SLOT_ID_INVALID); - return_val_if_fail (handle != NULL, CKR_ARGUMENTS_BAD); - - p11_debug ("in"); - - p11_lock (); - - rv = lookup_slot_inlock (id, &token); - if (rv != CKR_OK) { - /* fail below */; - - } else if (!(flags & CKF_SERIAL_SESSION)) { - rv = CKR_SESSION_PARALLEL_NOT_SUPPORTED; - - } else if ((flags & CKF_RW_SESSION) && - !p11_token_is_writable (token)) { - rv = CKR_TOKEN_WRITE_PROTECTED; - - } else { - session = p11_session_new (token); - if (p11_dict_set (gl.sessions, &session->handle, session)) { - rv = CKR_OK; - if (flags & CKF_RW_SESSION) - session->read_write = true; - *handle = session->handle; - p11_debug ("session: %lu", *handle); - } else { - warn_if_reached (); - rv = CKR_GENERAL_ERROR; - } - } - - p11_unlock (); - - p11_debug ("out: 0x%lx", rv); - - return rv; -} - -static CK_RV -sys_C_CloseSession (CK_SESSION_HANDLE handle) -{ - CK_RV rv = CKR_OK; - - p11_debug ("in"); - - p11_lock (); - - if (!gl.sessions) { - rv = CKR_CRYPTOKI_NOT_INITIALIZED; - - } else if (p11_dict_remove (gl.sessions, &handle)) { - rv = CKR_OK; - - } else { - rv = CKR_SESSION_HANDLE_INVALID; - } - - p11_unlock (); - - p11_debug ("out: 0x%lx", rv); - - return rv; -} - -static CK_RV -sys_C_CloseAllSessions (CK_SLOT_ID id) -{ - CK_SESSION_HANDLE *handle; - p11_session *session; - p11_token *token; - p11_dictiter iter; - CK_RV rv; - - p11_debug ("in"); - - p11_lock (); - - rv = lookup_slot_inlock (id, &token); - if (rv == CKR_OK) { - p11_dict_iterate (gl.sessions, &iter); - while (p11_dict_next (&iter, (void **)&handle, (void **)&session)) { - if (session->token == token) - p11_dict_remove (gl.sessions, handle); - } - } - - p11_unlock (); - - p11_debug ("out: 0x%lx", rv); - - return rv; -} - -static CK_RV -sys_C_GetFunctionStatus (CK_SESSION_HANDLE handle) -{ - return CKR_SESSION_PARALLEL_NOT_SUPPORTED; -} - -static CK_RV -sys_C_CancelFunction (CK_SESSION_HANDLE handle) -{ - return CKR_SESSION_PARALLEL_NOT_SUPPORTED; -} - -static CK_RV -sys_C_GetSessionInfo (CK_SESSION_HANDLE handle, - CK_SESSION_INFO_PTR info) -{ - p11_session *session; - CK_RV rv; - - return_val_if_fail (info != NULL, CKR_ARGUMENTS_BAD); - - p11_debug ("in"); - - p11_lock (); - - rv = lookup_session (handle, &session); - if (rv == CKR_OK) { - info->flags = CKF_SERIAL_SESSION; - info->state = CKS_RO_PUBLIC_SESSION; - info->slotID = p11_token_get_slot (session->token); - info->ulDeviceError = 0; - } - - - p11_unlock (); - - p11_debug ("out: 0x%lx", rv); - - return rv; -} - -static CK_RV -sys_C_InitPIN (CK_SESSION_HANDLE handle, - CK_UTF8CHAR_PTR pin, - CK_ULONG pin_len) -{ - p11_debug ("not supported"); - return CKR_FUNCTION_NOT_SUPPORTED; -} - -static CK_RV -sys_C_SetPIN (CK_SESSION_HANDLE handle, - CK_UTF8CHAR_PTR old_pin, - CK_ULONG old_pin_len, - CK_UTF8CHAR_PTR new_pin, - CK_ULONG new_pin_len) -{ - p11_debug ("not supported"); - return CKR_FUNCTION_NOT_SUPPORTED; -} - -static CK_RV -sys_C_GetOperationState (CK_SESSION_HANDLE handle, - CK_BYTE_PTR operation_state, - CK_ULONG_PTR operation_state_len) -{ - p11_debug ("not supported"); - return CKR_FUNCTION_NOT_SUPPORTED; -} - -static CK_RV -sys_C_SetOperationState (CK_SESSION_HANDLE handle, - CK_BYTE_PTR operation_state, - CK_ULONG operation_state_len, - CK_OBJECT_HANDLE encryption_key, - CK_OBJECT_HANDLE authentication_key) -{ - p11_debug ("not supported"); - return CKR_FUNCTION_NOT_SUPPORTED; -} - -static CK_RV -sys_C_Login (CK_SESSION_HANDLE handle, - CK_USER_TYPE user_type, - CK_UTF8CHAR_PTR pin, - CK_ULONG pin_len) -{ - CK_RV rv; - - p11_debug ("in"); - - p11_lock (); - - rv = lookup_session (handle, NULL); - if (rv == CKR_OK) - rv = CKR_USER_TYPE_INVALID; - - p11_unlock (); - - p11_debug ("out: 0x%lx", rv); - - return rv; -} - -static CK_RV -sys_C_Logout (CK_SESSION_HANDLE handle) -{ - CK_RV rv; - - p11_debug ("in"); - - p11_lock (); - - rv = lookup_session (handle, NULL); - if (rv == CKR_OK) - rv = CKR_USER_NOT_LOGGED_IN; - - p11_unlock (); - - p11_debug ("out: 0x%lx", rv); - - return rv; -} - -static CK_RV -sys_C_CreateObject (CK_SESSION_HANDLE handle, - CK_ATTRIBUTE_PTR template, - CK_ULONG count, - CK_OBJECT_HANDLE_PTR new_object) -{ - p11_session *session; - p11_index *index; - CK_BBOOL val; - CK_RV rv; - - return_val_if_fail (new_object != NULL, CKR_ARGUMENTS_BAD); - - p11_debug ("in"); - - p11_lock (); - - rv = lookup_session (handle, &session); - if (rv == CKR_OK) { - if (p11_attrs_findn_bool (template, count, CKA_TOKEN, &val) && val) - index = p11_token_index (session->token); - else - index = session->index; - rv = check_index_writable (session, index); - } - - if (rv == CKR_OK) - rv = p11_index_add (index, template, count, new_object); - - p11_unlock (); - - p11_debug ("out: 0x%lx", rv); - - return rv; -} - -static CK_RV -sys_C_CopyObject (CK_SESSION_HANDLE handle, - CK_OBJECT_HANDLE object, - CK_ATTRIBUTE_PTR template, - CK_ULONG count, - CK_OBJECT_HANDLE_PTR new_object) -{ - CK_BBOOL vfalse = CK_FALSE; - CK_ATTRIBUTE token = { CKA_TOKEN, &vfalse, sizeof (vfalse) }; - p11_session *session; - CK_ATTRIBUTE *original; - CK_ATTRIBUTE *attrs; - p11_index *index; - CK_BBOOL val; - CK_RV rv; - - return_val_if_fail (new_object != NULL, CKR_ARGUMENTS_BAD); - - p11_debug ("in"); - - p11_lock (); - - rv = lookup_session (handle, &session); - if (rv == CKR_OK) { - original = lookup_object_inlock (session, object, &index); - if (original == NULL) - rv = CKR_OBJECT_HANDLE_INVALID; - } - - if (rv == CKR_OK) { - if (p11_attrs_findn_bool (template, count, CKA_TOKEN, &val)) - index = val ? p11_token_index (session->token) : session->index; - rv = check_index_writable (session, index); - } - - if (rv == CKR_OK) { - attrs = p11_attrs_dup (original); - attrs = p11_attrs_buildn (attrs, template, count); - attrs = p11_attrs_build (attrs, &token, NULL); - rv = p11_index_take (index, attrs, new_object); - } - - p11_unlock (); - - p11_debug ("out: 0x%lx", rv); - - return rv; -} - -static CK_RV -sys_C_DestroyObject (CK_SESSION_HANDLE handle, - CK_OBJECT_HANDLE object) -{ - p11_session *session; - CK_ATTRIBUTE *attrs; - p11_index *index; - CK_BBOOL val; - CK_RV rv; - - p11_debug ("in"); - - p11_lock (); - - rv = lookup_session (handle, &session); - if (rv == CKR_OK) { - attrs = lookup_object_inlock (session, object, &index); - if (attrs == NULL) - rv = CKR_OBJECT_HANDLE_INVALID; - else - rv = check_index_writable (session, index); - - if (rv == CKR_OK && p11_attrs_find_bool (attrs, CKA_MODIFIABLE, &val) && !val) { - /* TODO: This should be replaced with CKR_ACTION_PROHIBITED */ - rv = CKR_ATTRIBUTE_READ_ONLY; - } - - if (rv == CKR_OK) - rv = p11_index_remove (index, object); - } - - p11_unlock (); - - p11_debug ("out: 0x%lx", rv); - - return rv; -} - -static CK_RV -sys_C_GetObjectSize (CK_SESSION_HANDLE handle, - CK_OBJECT_HANDLE object, - CK_ULONG_PTR size) -{ - p11_session *session; - CK_RV rv; - - return_val_if_fail (size != NULL, CKR_ARGUMENTS_BAD); - - p11_debug ("in"); - - p11_lock (); - - rv = lookup_session (handle, &session); - if (rv == CKR_OK) { - if (lookup_object_inlock (session, object, NULL)) { - *size = CK_UNAVAILABLE_INFORMATION; - rv = CKR_OK; - } else { - rv = CKR_OBJECT_HANDLE_INVALID; - } - } - - p11_unlock (); - - p11_debug ("out: 0x%lx", rv); - - return rv; -} - -static CK_RV -sys_C_GetAttributeValue (CK_SESSION_HANDLE handle, - CK_OBJECT_HANDLE object, - CK_ATTRIBUTE_PTR template, - CK_ULONG count) -{ - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *result; - CK_ATTRIBUTE *attr; - p11_session *session; - char *string; - CK_ULONG i; - CK_RV rv; - - p11_debug ("in: %lu, %lu", handle, object); - - p11_lock (); - - rv = lookup_session (handle, &session); - if (rv == CKR_OK) { - attrs = lookup_object_inlock (session, object, NULL); - if (attrs == NULL) - rv = CKR_OBJECT_HANDLE_INVALID; - } - - if (rv == CKR_OK) { - for (i = 0; i < count; i++) { - result = template + i; - attr = p11_attrs_find (attrs, result->type); - if (!attr) { - result->ulValueLen = (CK_ULONG)-1; - rv = CKR_ATTRIBUTE_TYPE_INVALID; - continue; - } - - if (!result->pValue) { - result->ulValueLen = attr->ulValueLen; - continue; - } - - if (result->ulValueLen >= attr->ulValueLen) { - memcpy (result->pValue, attr->pValue, attr->ulValueLen); - result->ulValueLen = attr->ulValueLen; - continue; - } - - result->ulValueLen = (CK_ULONG)-1; - rv = CKR_BUFFER_TOO_SMALL; - } - } - - p11_unlock (); - - if (p11_debugging) { - string = p11_attrs_to_string (template, count); - p11_debug ("out: 0x%lx %s", rv, string); - free (string); - } - - return rv; -} - -static CK_RV -sys_C_SetAttributeValue (CK_SESSION_HANDLE handle, - CK_OBJECT_HANDLE object, - CK_ATTRIBUTE_PTR template, - CK_ULONG count) -{ - p11_session *session; - CK_ATTRIBUTE *attrs; - p11_index *index; - CK_BBOOL val; - CK_RV rv; - - p11_debug ("in"); - - p11_lock (); - - rv = lookup_session (handle, &session); - if (rv == CKR_OK) { - attrs = lookup_object_inlock (session, object, &index); - if (attrs == NULL) { - rv = CKR_OBJECT_HANDLE_INVALID; - } else if (p11_attrs_find_bool (attrs, CKA_MODIFIABLE, &val) && !val) { - /* TODO: This should be replaced with CKR_ACTION_PROHIBITED */ - rv = CKR_ATTRIBUTE_READ_ONLY; - } - - if (rv == CKR_OK) - rv = check_index_writable (session, index); - - /* Reload the item if applicable */ - if (rv == CKR_OK && index == p11_token_index (session->token)) { - if (p11_token_reload (session->token, attrs)) { - attrs = p11_index_lookup (index, object); - if (p11_attrs_find_bool (attrs, CKA_MODIFIABLE, &val) && !val) { - /* TODO: This should be replaced with CKR_ACTION_PROHIBITED */ - rv = CKR_ATTRIBUTE_READ_ONLY; - } - } - } - - if (rv == CKR_OK) - rv = p11_index_set (index, object, template, count); - } - - p11_unlock (); - - p11_debug ("out: 0x%lx", rv); - - return rv; -} - -static CK_RV -sys_C_FindObjectsInit (CK_SESSION_HANDLE handle, - CK_ATTRIBUTE_PTR template, - CK_ULONG count) -{ - p11_index *indices[2] = { NULL, NULL }; - CK_BBOOL want_token_objects; - CK_BBOOL want_session_objects; - CK_BBOOL token; - FindObjects *find; - p11_session *session; - char *string; - CK_RV rv; - int n = 0; - - if (p11_debugging) { - string = p11_attrs_to_string (template, count); - p11_debug ("in: %lu, %s", handle, string); - free (string); - } - - p11_lock (); - - /* Are we searching for token objects? */ - if (p11_attrs_findn_bool (template, count, CKA_TOKEN, &token)) { - want_token_objects = token; - want_session_objects = !token; - } else { - want_token_objects = CK_TRUE; - want_session_objects = CK_TRUE; - } - - rv = lookup_session (handle, &session); - - /* Refresh from disk if this session hasn't yet */ - if (rv == CKR_OK) { - if (want_session_objects) - indices[n++] = session->index; - if (want_token_objects) { - if (!session->loaded) - p11_token_load (session->token); - session->loaded = CK_TRUE; - indices[n++] = p11_token_index (session->token); - } - - find = calloc (1, sizeof (FindObjects)); - warn_if_fail (find != NULL); - - /* Make a snapshot of what we're matching */ - if (find) { - find->match = p11_attrs_buildn (NULL, template, count); - warn_if_fail (find->match != NULL); - - /* Build a session snapshot of all objects */ - find->iterator = 0; - find->snapshot = p11_index_snapshot (indices[0], indices[1], template, count); - warn_if_fail (find->snapshot != NULL); - } - - if (!find || !find->snapshot || !find->match) - rv = CKR_HOST_MEMORY; - else - p11_session_set_operation (session, find_objects_free, find); - } - - p11_unlock (); - - p11_debug ("out: 0x%lx", rv); - - return rv; -} - -static bool -match_for_broken_nss_serial_number_lookups (CK_ATTRIBUTE *attr, - CK_ATTRIBUTE *match) -{ - unsigned char der[32]; - unsigned char *val_val; - size_t der_len; - size_t val_len; - int len_len; - - if (!match->pValue || !match->ulValueLen || - match->ulValueLen == CKA_INVALID || - attr->ulValueLen == CKA_INVALID) - return false; - - der_len = sizeof (der); - der[0] = ASN1_TAG_INTEGER | ASN1_CLASS_UNIVERSAL; - len_len = der_len - 1; - asn1_length_der (match->ulValueLen, der + 1, &len_len); - assert (len_len < (der_len - 1)); - der_len = 1 + len_len; - - val_val = attr->pValue; - val_len = attr->ulValueLen; - - if (der_len + match->ulValueLen != val_len) - return false; - - if (memcmp (der, val_val, der_len) != 0 || - memcmp (match->pValue, val_val + der_len, match->ulValueLen) != 0) - return false; - - p11_debug ("worked around serial number lookup that's not DER encoded"); - return true; -} - -static bool -find_objects_match (CK_ATTRIBUTE *attrs, - CK_ATTRIBUTE *match) -{ - CK_OBJECT_CLASS klass; - CK_ATTRIBUTE *attr; - - for (; !p11_attrs_terminator (match); match++) { - attr = p11_attrs_find ((CK_ATTRIBUTE *)attrs, match->type); - if (!attr) - return false; - if (p11_attr_equal (attr, match)) - continue; - - /* - * WORKAROUND: NSS calls us asking for CKA_SERIAL_NUMBER items that are - * not DER encoded. It shouldn't be doing this. We never return any certificate - * serial numbers that are not DER encoded. - * - * So work around the issue here while the NSS guys fix this issue. - * This code should be removed in future versions. - */ - - if (attr->type == CKA_SERIAL_NUMBER && - p11_attrs_find_ulong (attrs, CKA_CLASS, &klass) && - klass == CKO_NSS_TRUST) { - if (match_for_broken_nss_serial_number_lookups (attr, match)) - continue; - } - - return false; - } - - return true; -} - -static CK_RV -sys_C_FindObjects (CK_SESSION_HANDLE handle, - CK_OBJECT_HANDLE_PTR objects, - CK_ULONG max_count, - CK_ULONG_PTR count) -{ - CK_OBJECT_HANDLE object; - CK_ATTRIBUTE *attrs; - FindObjects *find = NULL; - p11_session *session; - CK_ULONG matched; - p11_index *index; - CK_RV rv; - - return_val_if_fail (count != NULL, CKR_ARGUMENTS_BAD); - - p11_debug ("in: %lu, %lu", handle, max_count); - - p11_lock (); - - rv = lookup_session (handle, &session); - if (rv == CKR_OK) { - if (session->cleanup != find_objects_free) - rv = CKR_OPERATION_NOT_INITIALIZED; - find = session->operation; - } - - if (rv == CKR_OK) { - matched = 0; - while (matched < max_count) { - object = find->snapshot[find->iterator]; - if (!object) - break; - - find->iterator++; - - attrs = lookup_object_inlock (session, object, &index); - if (attrs == NULL) - continue; - - if (find_objects_match (attrs, find->match)) { - objects[matched] = object; - matched++; - } - } - - *count = matched; - } - - p11_unlock (); - - p11_debug ("out: 0x%lx, %lu", handle, *count); - - return rv; -} - -static CK_RV -sys_C_FindObjectsFinal (CK_SESSION_HANDLE handle) -{ - p11_session *session; - CK_RV rv; - - p11_debug ("in"); - - p11_lock (); - - rv = lookup_session (handle, &session); - if (rv == CKR_OK) { - if (session->cleanup != find_objects_free) - rv = CKR_OPERATION_NOT_INITIALIZED; - else - p11_session_set_operation (session, NULL, NULL); - } - - p11_unlock (); - - p11_debug ("out: 0x%lx", rv); - - return rv; -} - -static CK_RV -sys_C_EncryptInit (CK_SESSION_HANDLE handle, - CK_MECHANISM_PTR mechanism, - CK_OBJECT_HANDLE key) -{ - return_val_if_reached (CKR_MECHANISM_INVALID); -} - -static CK_RV -sys_C_Encrypt (CK_SESSION_HANDLE handle, - CK_BYTE_PTR data, - CK_ULONG data_len, - CK_BYTE_PTR encrypted_data, - CK_ULONG_PTR encrypted_data_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_EncryptUpdate (CK_SESSION_HANDLE handle, - CK_BYTE_PTR part, - CK_ULONG part_len, - CK_BYTE_PTR encrypted_part, - CK_ULONG_PTR encrypted_part_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_EncryptFinal (CK_SESSION_HANDLE handle, - CK_BYTE_PTR last_part, - CK_ULONG_PTR last_part_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_DecryptInit (CK_SESSION_HANDLE handle, - CK_MECHANISM_PTR mechanism, - CK_OBJECT_HANDLE key) -{ - return_val_if_reached (CKR_MECHANISM_INVALID); -} - -static CK_RV -sys_C_Decrypt (CK_SESSION_HANDLE handle, - CK_BYTE_PTR enc_data, - CK_ULONG enc_data_len, - CK_BYTE_PTR data, - CK_ULONG_PTR data_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_DecryptUpdate (CK_SESSION_HANDLE handle, - CK_BYTE_PTR enc_part, - CK_ULONG enc_part_len, - CK_BYTE_PTR part, - CK_ULONG_PTR part_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_DecryptFinal (CK_SESSION_HANDLE handle, - CK_BYTE_PTR last_part, - CK_ULONG_PTR last_part_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_DigestInit (CK_SESSION_HANDLE handle, - CK_MECHANISM_PTR mechanism) -{ - return_val_if_reached (CKR_MECHANISM_INVALID); -} - -static CK_RV -sys_C_Digest (CK_SESSION_HANDLE handle, - CK_BYTE_PTR data, - CK_ULONG data_len, - CK_BYTE_PTR digest, - CK_ULONG_PTR digest_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_DigestUpdate (CK_SESSION_HANDLE handle, - CK_BYTE_PTR part, - CK_ULONG part_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_DigestKey (CK_SESSION_HANDLE handle, - CK_OBJECT_HANDLE key) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_DigestFinal (CK_SESSION_HANDLE handle, - CK_BYTE_PTR digest, - CK_ULONG_PTR digest_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_SignInit (CK_SESSION_HANDLE handle, - CK_MECHANISM_PTR mechanism, - CK_OBJECT_HANDLE key) -{ - return_val_if_reached (CKR_MECHANISM_INVALID); -} - -static CK_RV -sys_C_Sign (CK_SESSION_HANDLE handle, - CK_BYTE_PTR data, - CK_ULONG data_len, - CK_BYTE_PTR signature, - CK_ULONG_PTR signature_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_SignUpdate (CK_SESSION_HANDLE handle, - CK_BYTE_PTR part, - CK_ULONG part_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_SignFinal (CK_SESSION_HANDLE handle, - CK_BYTE_PTR signature, - CK_ULONG_PTR signature_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_SignRecoverInit (CK_SESSION_HANDLE handle, - CK_MECHANISM_PTR mechanism, - CK_OBJECT_HANDLE key) -{ - return_val_if_reached (CKR_MECHANISM_INVALID); -} - -static CK_RV -sys_C_SignRecover (CK_SESSION_HANDLE handle, - CK_BYTE_PTR data, - CK_ULONG data_len, - CK_BYTE_PTR signature, - CK_ULONG_PTR signature_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_VerifyInit (CK_SESSION_HANDLE handle, - CK_MECHANISM_PTR mechanism, - CK_OBJECT_HANDLE key) -{ - return_val_if_reached (CKR_MECHANISM_INVALID); -} - -static CK_RV -sys_C_Verify (CK_SESSION_HANDLE handle, - CK_BYTE_PTR data, - CK_ULONG data_len, - CK_BYTE_PTR signature, - CK_ULONG signature_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_VerifyUpdate (CK_SESSION_HANDLE handle, - CK_BYTE_PTR part, - CK_ULONG part_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_VerifyFinal (CK_SESSION_HANDLE handle, - CK_BYTE_PTR signature, - CK_ULONG signature_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_VerifyRecoverInit (CK_SESSION_HANDLE handle, - CK_MECHANISM_PTR mechanism, - CK_OBJECT_HANDLE key) -{ - return_val_if_reached (CKR_MECHANISM_INVALID); -} - -static CK_RV -sys_C_VerifyRecover (CK_SESSION_HANDLE handle, - CK_BYTE_PTR signature, - CK_ULONG signature_len, - CK_BYTE_PTR data, - CK_ULONG_PTR data_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_DigestEncryptUpdate (CK_SESSION_HANDLE handle, - CK_BYTE_PTR part, - CK_ULONG part_len, - CK_BYTE_PTR enc_part, - CK_ULONG_PTR enc_part_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_DecryptDigestUpdate (CK_SESSION_HANDLE handle, - CK_BYTE_PTR enc_part, - CK_ULONG enc_part_len, - CK_BYTE_PTR part, - CK_ULONG_PTR part_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_SignEncryptUpdate (CK_SESSION_HANDLE handle, - CK_BYTE_PTR part, - CK_ULONG part_len, - CK_BYTE_PTR enc_part, - CK_ULONG_PTR enc_part_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_DecryptVerifyUpdate (CK_SESSION_HANDLE handle, - CK_BYTE_PTR enc_part, - CK_ULONG enc_part_len, - CK_BYTE_PTR part, - CK_ULONG_PTR part_len) -{ - return_val_if_reached (CKR_OPERATION_NOT_INITIALIZED); -} - -static CK_RV -sys_C_GenerateKey (CK_SESSION_HANDLE handle, - CK_MECHANISM_PTR mechanism, - CK_ATTRIBUTE_PTR template, - CK_ULONG count, - CK_OBJECT_HANDLE_PTR key) -{ - return_val_if_reached (CKR_MECHANISM_INVALID); -} - -static CK_RV -sys_C_GenerateKeyPair (CK_SESSION_HANDLE handle, - CK_MECHANISM_PTR mechanism, - CK_ATTRIBUTE_PTR pub_template, - CK_ULONG pub_count, - CK_ATTRIBUTE_PTR priv_template, - CK_ULONG priv_count, - CK_OBJECT_HANDLE_PTR pub_key, - CK_OBJECT_HANDLE_PTR priv_key) -{ - return_val_if_reached (CKR_MECHANISM_INVALID); -} - -static CK_RV -sys_C_WrapKey (CK_SESSION_HANDLE handle, - CK_MECHANISM_PTR mechanism, - CK_OBJECT_HANDLE wrapping_key, - CK_OBJECT_HANDLE key, - CK_BYTE_PTR wrapped_key, - CK_ULONG_PTR wrapped_key_len) -{ - return_val_if_reached (CKR_MECHANISM_INVALID); -} - -static CK_RV -sys_C_UnwrapKey (CK_SESSION_HANDLE handle, - CK_MECHANISM_PTR mechanism, - CK_OBJECT_HANDLE unwrapping_key, - CK_BYTE_PTR wrapped_key, - CK_ULONG wrapped_key_len, - CK_ATTRIBUTE_PTR template, - CK_ULONG count, - CK_OBJECT_HANDLE_PTR key) -{ - return_val_if_reached (CKR_MECHANISM_INVALID); -} - -static CK_RV -sys_C_DeriveKey (CK_SESSION_HANDLE handle, - CK_MECHANISM_PTR mechanism, - CK_OBJECT_HANDLE base_key, - CK_ATTRIBUTE_PTR template, - CK_ULONG count, - CK_OBJECT_HANDLE_PTR key) -{ - return_val_if_reached (CKR_MECHANISM_INVALID); -} - -static CK_RV -sys_C_SeedRandom (CK_SESSION_HANDLE handle, - CK_BYTE_PTR seed, - CK_ULONG seed_len) -{ - return_val_if_reached (CKR_RANDOM_NO_RNG); -} - -static CK_RV -sys_C_GenerateRandom (CK_SESSION_HANDLE handle, - CK_BYTE_PTR random_data, - CK_ULONG random_len) -{ - return_val_if_reached (CKR_RANDOM_NO_RNG); -} - -/* -------------------------------------------------------------------- - * MODULE ENTRY POINT - */ - -static CK_FUNCTION_LIST sys_function_list = { - { CRYPTOKI_VERSION_MAJOR, CRYPTOKI_VERSION_MINOR }, /* version */ - sys_C_Initialize, - sys_C_Finalize, - sys_C_GetInfo, - sys_C_GetFunctionList, - sys_C_GetSlotList, - sys_C_GetSlotInfo, - sys_C_GetTokenInfo, - sys_C_GetMechanismList, - sys_C_GetMechanismInfo, - sys_C_InitToken, - sys_C_InitPIN, - sys_C_SetPIN, - sys_C_OpenSession, - sys_C_CloseSession, - sys_C_CloseAllSessions, - sys_C_GetSessionInfo, - sys_C_GetOperationState, - sys_C_SetOperationState, - sys_C_Login, - sys_C_Logout, - sys_C_CreateObject, - sys_C_CopyObject, - sys_C_DestroyObject, - sys_C_GetObjectSize, - sys_C_GetAttributeValue, - sys_C_SetAttributeValue, - sys_C_FindObjectsInit, - sys_C_FindObjects, - sys_C_FindObjectsFinal, - sys_C_EncryptInit, - sys_C_Encrypt, - sys_C_EncryptUpdate, - sys_C_EncryptFinal, - sys_C_DecryptInit, - sys_C_Decrypt, - sys_C_DecryptUpdate, - sys_C_DecryptFinal, - sys_C_DigestInit, - sys_C_Digest, - sys_C_DigestUpdate, - sys_C_DigestKey, - sys_C_DigestFinal, - sys_C_SignInit, - sys_C_Sign, - sys_C_SignUpdate, - sys_C_SignFinal, - sys_C_SignRecoverInit, - sys_C_SignRecover, - sys_C_VerifyInit, - sys_C_Verify, - sys_C_VerifyUpdate, - sys_C_VerifyFinal, - sys_C_VerifyRecoverInit, - sys_C_VerifyRecover, - sys_C_DigestEncryptUpdate, - sys_C_DecryptDigestUpdate, - sys_C_SignEncryptUpdate, - sys_C_DecryptVerifyUpdate, - sys_C_GenerateKey, - sys_C_GenerateKeyPair, - sys_C_WrapKey, - sys_C_UnwrapKey, - sys_C_DeriveKey, - sys_C_SeedRandom, - sys_C_GenerateRandom, - sys_C_GetFunctionStatus, - sys_C_CancelFunction, - sys_C_WaitForSlotEvent -}; - -#ifdef OS_WIN32 -__declspec(dllexport) -#endif - -CK_RV -C_GetFunctionList (CK_FUNCTION_LIST_PTR_PTR list) -{ - p11_library_init_once (); - return sys_C_GetFunctionList (list); -} - -CK_ULONG -p11_module_next_id (void) -{ - static CK_ULONG unique = 0x10; - return (unique)++; -} - -#ifdef OS_UNIX - -void p11_trust_module_init (void); - -void p11_trust_module_fini (void); - -#ifdef __GNUC__ -__attribute__((constructor)) -#endif -void -p11_trust_module_init (void) -{ - p11_library_init_once (); -} - -#ifdef __GNUC__ -__attribute__((destructor)) -#endif -void -p11_trust_module_fini (void) -{ - p11_library_uninit (); -} - -#endif /* OS_UNIX */ - -#ifdef OS_WIN32 - -BOOL WINAPI DllMain (HINSTANCE, DWORD, LPVOID); - -BOOL WINAPI -DllMain (HINSTANCE instance, - DWORD reason, - LPVOID reserved) -{ - switch (reason) { - case DLL_PROCESS_ATTACH: - p11_library_init (); - break; - case DLL_THREAD_DETACH: - p11_library_thread_cleanup (); - break; - case DLL_PROCESS_DETACH: - p11_library_uninit (); - break; - default: - break; - } - - return TRUE; -} - -#endif /* OS_WIN32 */ diff --git a/trust/module.h b/trust/module.h deleted file mode 100644 index 13b928a..0000000 --- a/trust/module.h +++ /dev/null @@ -1,42 +0,0 @@ -/* - * Copyright (C) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "pkcs11.h" - -#ifndef P11_MODULE_H_ -#define P11_MODULE_H_ - -CK_ULONG p11_module_next_id (void); - -#endif /* P11_MODULE_H_ */ diff --git a/trust/oid.c b/trust/oid.c deleted file mode 100644 index dff4148..0000000 --- a/trust/oid.c +++ /dev/null @@ -1,96 +0,0 @@ -/* - * Copyright (C) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#include "hash.h" -#include "oid.h" - -#include <assert.h> -#include <stdlib.h> -#include <stdint.h> -#include <string.h> - -/* - * We deal with OIDs a lot in their DER form. These have the - * advantage of having the length encoded in their second byte, - * at least for all the OIDs we're interested in. - * - * The goal here is to avoid carrying around extra length - * information about DER encoded OIDs. - */ - -bool -p11_oid_simple (const unsigned char *oid, - int len) -{ - return (oid != NULL && - len > 3 && /* minimum length */ - oid[0] == 0x06 && /* simple encoding */ - (oid[1] & 128) == 0 && /* short form length */ - (size_t)oid[1] == len - 2); /* matches length */ -} - -unsigned int -p11_oid_hash (const void *oid) -{ - uint32_t hash; - int len; - - len = p11_oid_length (oid); - p11_hash_murmur3 (&hash, oid, len, NULL); - return hash; -} - -bool -p11_oid_equal (const void *oid_one, - const void *oid_two) -{ - int len_one; - int len_two; - - len_one = p11_oid_length (oid_one); - len_two = p11_oid_length (oid_two); - - return (len_one == len_two && - memcmp (oid_one, oid_two, len_one) == 0); -} - -int -p11_oid_length (const unsigned char *oid) -{ - assert (oid[0] == 0x06); - assert ((oid[1] & 128) == 0); - return (int)oid[1] + 2; -} diff --git a/trust/oid.h b/trust/oid.h deleted file mode 100644 index cf510fe..0000000 --- a/trust/oid.h +++ /dev/null @@ -1,236 +0,0 @@ -/* - * Copyright (C) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#ifndef P11_OIDS_H_ -#define P11_OIDS_H_ - -#include "compat.h" - -bool p11_oid_simple (const unsigned char *oid, - int len); - -unsigned int p11_oid_hash (const void *oid); - -bool p11_oid_equal (const void *oid_one, - const void *oid_two); - -int p11_oid_length (const unsigned char *oid); - -/* - * 2.5.4.3: CN or commonName - */ -static const unsigned char P11_OID_CN[] = - { 0x06, 0x03, 0x55, 0x04, 0x03, }; - -/* - * 2.5.4.10: O or organization - */ -static const unsigned char P11_OID_O[] = - { 0x06, 0x03, 0x55, 0x04, 0x0a, }; - -/* - * 2.5.4.11: OU or organizationalUnit - */ -static const unsigned char P11_OID_OU[] = - { 0x06, 0x03, 0x55, 0x04, 0x0b, }; - -/* - * Our support of certificate extensions and so on is not limited to what is - * listed here. This is simply the OIDs used by the parsing code that generates - * backwards compatible PKCS#11 objects for NSS and the like. - */ - -/* - * 2.5.29.14: SubjectKeyIdentifier - */ -static const unsigned char P11_OID_SUBJECT_KEY_IDENTIFIER[] = - { 0x06, 0x03, 0x55, 0x1d, 0x0e }; -static const char P11_OID_SUBJECT_KEY_IDENTIFIER_STR[] = "2.5.29.14"; - -/* - * 2.5.29.15: KeyUsage - * - * Defined in RFC 5280 - */ -static const unsigned char P11_OID_KEY_USAGE[] = - { 0x06, 0x03, 0x55, 0x1d, 0x0f }; -static const char P11_OID_KEY_USAGE_STR[] = { "2.5.29.15" }; - -enum { - P11_KU_DIGITAL_SIGNATURE = 128, - P11_KU_NON_REPUDIATION = 64, - P11_KU_KEY_ENCIPHERMENT = 32, - P11_KU_DATA_ENCIPHERMENT = 16, - P11_KU_KEY_AGREEMENT = 8, - P11_KU_KEY_CERT_SIGN = 4, - P11_KU_CRL_SIGN = 2, - P11_KU_ENCIPHER_ONLY = 1, - P11_KU_DECIPHER_ONLY = 32768, -}; - -/* - * 2.5.29.19: BasicConstraints - * - * Defined in RFC 5280 - */ -static const unsigned char P11_OID_BASIC_CONSTRAINTS[] = - { 0x06, 0x03, 0x55, 0x1d, 0x13 }; -static const char P11_OID_BASIC_CONSTRAINTS_STR[] = "2.5.29.19"; - -/* - * 2.5.29.37: ExtendedKeyUsage - * - * Defined in RFC 5280 - */ -static const unsigned char P11_OID_EXTENDED_KEY_USAGE[] = - { 0x06, 0x03, 0x55, 0x1d, 0x25 }; -static const char P11_OID_EXTENDED_KEY_USAGE_STR[] = "2.5.29.37"; - -/* - * 1.3.6.1.4.1.3319.6.10.1: OpenSSL reject extension - * - * An internally defined certificate extension. - * - * OpenSSL contains a list of OID extended key usages to reject. - * The normal X.509 model is to only *include* the extended key - * usages that are to be allowed (ie: a whitelist). It's not clear - * exactly how valid and useful the reject per extended key usage - * model is. - * - * However in order to parse openssl trust policy information and - * be able to write it back out in the same way, we define a custom - * certificate extension to store it. - * - * It is not expected (or supported) for others outside of p11-kit - * to read this information at this point. - * - * This extension is never marked critical. It is not necessary to - * respect information in this certificate extension given that the - * ExtendedKeyUsage extension carries the same information as a - * whitelist. - */ -static const unsigned char P11_OID_OPENSSL_REJECT[] = - { 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x99, 0x77, 0x06, 0x0a, 0x01 }; -static const char P11_OID_OPENSSL_REJECT_STR[] = "1.3.6.1.4.1.3319.6.10.1"; - -/* - * 1.3.6.1.5.5.7.3.1: Server Auth - * - * Defined in RFC 5280 - */ -static const unsigned char P11_OID_SERVER_AUTH[] = - { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01 }; -static const char P11_OID_SERVER_AUTH_STR[] = "1.3.6.1.5.5.7.3.1"; - -/* - * 1.3.6.1.5.5.7.3.2: Client Auth - * - * Defined in RFC 5280 - */ -static const unsigned char P11_OID_CLIENT_AUTH[] = - { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02 }; -static const char P11_OID_CLIENT_AUTH_STR[] = "1.3.6.1.5.5.7.3.2"; - -/* - * 1.3.6.1.5.5.7.3.3: Code Signing - * - * Defined in RFC 5280 - */ -static const unsigned char P11_OID_CODE_SIGNING[] = - { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03 }; -static const char P11_OID_CODE_SIGNING_STR[] = "1.3.6.1.5.5.7.3.3"; - -/* - * 1.3.6.1.5.5.7.3.4: Email Protection - * - * Defined in RFC 5280 - */ -static const unsigned char P11_OID_EMAIL_PROTECTION[] = - { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04 }; -static const char P11_OID_EMAIL_PROTECTION_STR[] = "1.3.6.1.5.5.7.3.4"; - -/* - * 1.3.6.1.5.5.7.3.5: IPSec End System - * - * Defined in RFC 2459 - */ -static const unsigned char P11_OID_IPSEC_END_SYSTEM[] = - { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x05 }; -static const char P11_OID_IPSEC_END_SYSTEM_STR[] = "1.3.6.1.5.5.7.3.5"; - -/* - * 1.3.6.1.5.5.7.3.6: IPSec Tunnel - * - * Defined in RFC 2459 - */ -static const unsigned char P11_OID_IPSEC_TUNNEL[] = - { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x06 }; -static const char P11_OID_IPSEC_TUNNEL_STR[] = "1.3.6.1.5.5.7.3.6"; - -/* - * 1.3.6.1.5.5.7.3.7: IPSec User - * - * Defined in RFC 2459 - */ -static const unsigned char P11_OID_IPSEC_USER[] = - { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x07 }; -static const char P11_OID_IPSEC_USER_STR[] = "1.3.6.1.5.5.7.3.7"; - -/* - * 1.3.6.1.5.5.7.3.8: Time Stamping - * - * Defined in RFC 2459 - */ -static const unsigned char P11_OID_TIME_STAMPING[] = - { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x08 }; -static const char P11_OID_TIME_STAMPING_STR[] = "1.3.6.1.5.5.7.3.8"; -/* - * 1.3.6.1.4.1.3319.6.10.16: Reserved key purpose - * - * An internally defined reserved/dummy key purpose - * - * This is used with ExtendedKeyUsage certificate extensions to - * be a place holder when no other purposes are defined. - * - * In theory such a certificate should be blacklisted. But in reality - * many implementations use such empty sets of purposes. RFC 5280 requires - * at least one purpose in an ExtendedKeyUsage. - * - * Obviously this purpose should never be checked against. - */ -static const unsigned char P11_OID_RESERVED_PURPOSE[] = - { 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x99, 0x77, 0x06, 0x0a, 0x10 }; -static const char P11_OID_RESERVED_PURPOSE_STR[] = "1.3.6.1.4.1.3319.6.10.16"; - -#endif diff --git a/trust/openssl.asn b/trust/openssl.asn deleted file mode 100644 index c1f452b..0000000 --- a/trust/openssl.asn +++ /dev/null @@ -1,28 +0,0 @@ - -OPENSSL { } - -DEFINITIONS IMPLICIT TAGS ::= - -BEGIN - --- This module contains structures specific to OpenSSL - -CertAux ::= SEQUENCE { - trust SEQUENCE OF OBJECT IDENTIFIER OPTIONAL, - reject [0] SEQUENCE OF OBJECT IDENTIFIER OPTIONAL, - alias UTF8String OPTIONAL, - keyid OCTET STRING OPTIONAL, - other [1] SEQUENCE OF AlgorithmIdentifier OPTIONAL -} - --- Dependencies brought in from other modules - -AlgorithmIdentifier ::= SEQUENCE { - algorithm OBJECT IDENTIFIER, - parameters ANY DEFINED BY algorithm OPTIONAL -} - -UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING - -- The content of this type conforms to RFC 2279. - -END diff --git a/trust/openssl.asn.h b/trust/openssl.asn.h deleted file mode 100644 index 4e6b240..0000000 --- a/trust/openssl.asn.h +++ /dev/null @@ -1,28 +0,0 @@ -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include <libtasn1.h> - -const ASN1_ARRAY_TYPE openssl_asn1_tab[] = { - { "OPENSSL", 536875024, NULL }, - { NULL, 1073741836, NULL }, - { "CertAux", 1610612741, NULL }, - { "trust", 1610629131, NULL }, - { NULL, 12, NULL }, - { "reject", 1610637323, NULL }, - { NULL, 1073745928, "0"}, - { NULL, 12, NULL }, - { "alias", 1073758210, "UTF8String"}, - { "keyid", 1073758215, NULL }, - { "other", 536895499, NULL }, - { NULL, 1073745928, "1"}, - { NULL, 2, "AlgorithmIdentifier"}, - { "AlgorithmIdentifier", 1610612741, NULL }, - { "algorithm", 1073741836, NULL }, - { "parameters", 541081613, NULL }, - { "algorithm", 1, NULL }, - { "UTF8String", 536879111, NULL }, - { NULL, 4360, "12"}, - { NULL, 0, NULL } -}; diff --git a/trust/p11-kit-trust.module b/trust/p11-kit-trust.module deleted file mode 100644 index 2f53ef6..0000000 --- a/trust/p11-kit-trust.module +++ /dev/null @@ -1,17 +0,0 @@ -# See pkcs11.conf(5) to understand this file - -# This is a module config for the 'included' p11-kit trust module -module: p11-kit-trust.so - -# This setting affects the order that trust policy and other information -# is looked up when going across various modules. Other trust policy modules -# need to specify the priority where they slot into things. -priority: 1 - -# Mark this module as a viable source of trust policy information -trust-policy: yes - -# This is for drop-in compatibility with glib-networking and gcr. Those -# projects used this non-standard attribute to denote slots to use to -# retrieve trust information. -x-trust-lookup: pkcs11:library-description=PKCS%2311%20Kit%20Trust%20Module diff --git a/trust/parser.c b/trust/parser.c deleted file mode 100644 index 41513d4..0000000 --- a/trust/parser.c +++ /dev/null @@ -1,762 +0,0 @@ -/* - * Copyright (C) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#include "array.h" -#include "asn1.h" -#include "attrs.h" -#define P11_DEBUG_FLAG P11_DEBUG_TRUST -#include "debug.h" -#include "dict.h" -#include "digest.h" -#include "message.h" -#include "module.h" -#include "oid.h" -#include "parser.h" -#include "path.h" -#include "pem.h" -#include "pkcs11x.h" -#include "persist.h" -#include "x509.h" - -#include <libtasn1.h> - -#include <sys/types.h> -#include <sys/stat.h> - -#include <assert.h> -#include <errno.h> -#include <fcntl.h> -#include <stdarg.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> - -struct _p11_parser { - p11_asn1_cache *asn1_cache; - p11_dict *asn1_defs; - bool asn1_owned; - p11_persist *persist; - char *basename; - p11_array *parsed; - p11_array *formats; - int flags; -}; - -#define ID_LENGTH P11_DIGEST_SHA1_LEN - -typedef int (* parser_func) (p11_parser *parser, - const unsigned char *data, - size_t length); - -static CK_ATTRIBUTE * -populate_trust (p11_parser *parser, - CK_ATTRIBUTE *attrs) -{ - CK_BBOOL trustedv; - CK_BBOOL distrustv; - - CK_ATTRIBUTE trusted = { CKA_TRUSTED, &trustedv, sizeof (trustedv) }; - CK_ATTRIBUTE distrust = { CKA_X_DISTRUSTED, &distrustv, sizeof (distrustv) }; - - /* - * If we're are parsing an anchor location, then warn about any ditsrusted - * certificates there, but don't go ahead and automatically make them - * trusted anchors. - */ - if (parser->flags & P11_PARSE_FLAG_ANCHOR) { - if (p11_attrs_find_bool (attrs, CKA_X_DISTRUSTED, &distrustv) && distrustv) { - p11_message ("certificate with distrust in location for anchors: %s", parser->basename); - return attrs; - - } - - trustedv = CK_TRUE; - distrustv = CK_FALSE; - - /* - * If we're parsing a blacklist location, then force all certificates to - * be blacklisted, regardless of whether they contain anchor information. - */ - } else if (parser->flags & P11_PARSE_FLAG_BLACKLIST) { - if (p11_attrs_find_bool (attrs, CKA_TRUSTED, &trustedv) && trustedv) - p11_message ("overriding trust for anchor in blacklist: %s", parser->basename); - - trustedv = CK_FALSE; - distrustv = CK_TRUE; - - /* - * If the location doesn't have a flag, then fill in trust attributes - * if they are missing: neither an anchor or blacklist. - */ - } else { - trustedv = CK_FALSE; - distrustv = CK_FALSE; - - if (p11_attrs_find_valid (attrs, CKA_TRUSTED)) - trusted.type = CKA_INVALID; - if (p11_attrs_find_valid (attrs, CKA_X_DISTRUSTED)) - distrust.type = CKA_INVALID; - } - - return p11_attrs_build (attrs, &trusted, &distrust, NULL); -} - -static void -sink_object (p11_parser *parser, - CK_ATTRIBUTE *attrs) -{ - CK_OBJECT_CLASS klass; - - if (p11_attrs_find_ulong (attrs, CKA_CLASS, &klass) && - klass == CKO_CERTIFICATE) { - attrs = populate_trust (parser, attrs); - return_if_fail (attrs != NULL); - } - - if (!p11_array_push (parser->parsed, attrs)) - return_if_reached (); -} - -static CK_ATTRIBUTE * -certificate_attrs (p11_parser *parser, - const unsigned char *der, - size_t der_len) -{ - CK_OBJECT_CLASS klassv = CKO_CERTIFICATE; - CK_CERTIFICATE_TYPE x509 = CKC_X_509; - CK_BBOOL modifiablev = CK_FALSE; - - CK_ATTRIBUTE modifiable = { CKA_MODIFIABLE, &modifiablev, sizeof (modifiablev) }; - CK_ATTRIBUTE klass = { CKA_CLASS, &klassv, sizeof (klassv) }; - CK_ATTRIBUTE certificate_type = { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }; - CK_ATTRIBUTE value = { CKA_VALUE, (void *)der, der_len }; - - return p11_attrs_build (NULL, &klass, &modifiable, &certificate_type, &value, NULL); -} - -int -p11_parser_format_x509 (p11_parser *parser, - const unsigned char *data, - size_t length) -{ - char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE]; - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *value; - node_asn *cert; - - cert = p11_asn1_decode (parser->asn1_defs, "PKIX1.Certificate", data, length, message); - if (cert == NULL) - return P11_PARSE_UNRECOGNIZED; - - attrs = certificate_attrs (parser, data, length); - return_val_if_fail (attrs != NULL, P11_PARSE_FAILURE); - - value = p11_attrs_find_valid (attrs, CKA_VALUE); - return_val_if_fail (value != NULL, P11_PARSE_FAILURE); - p11_asn1_cache_take (parser->asn1_cache, cert, "PKIX1.Certificate", - value->pValue, value->ulValueLen); - - sink_object (parser, attrs); - return P11_PARSE_SUCCESS; -} - -static CK_ATTRIBUTE * -extension_attrs (p11_parser *parser, - CK_ATTRIBUTE *public_key_info, - const char *oid_str, - const unsigned char *oid_der, - bool critical, - const unsigned char *value, - int length) -{ - CK_OBJECT_CLASS klassv = CKO_X_CERTIFICATE_EXTENSION; - CK_BBOOL modifiablev = CK_FALSE; - - CK_ATTRIBUTE klass = { CKA_CLASS, &klassv, sizeof (klassv) }; - CK_ATTRIBUTE modifiable = { CKA_MODIFIABLE, &modifiablev, sizeof (modifiablev) }; - CK_ATTRIBUTE oid = { CKA_OBJECT_ID, (void *)oid_der, p11_oid_length (oid_der) }; - - CK_ATTRIBUTE *attrs; - node_asn *dest; - unsigned char *der; - size_t len; - int ret; - - attrs = p11_attrs_build (NULL, public_key_info, &klass, &modifiable, &oid, NULL); - return_val_if_fail (attrs != NULL, NULL); - - dest = p11_asn1_create (parser->asn1_defs, "PKIX1.Extension"); - return_val_if_fail (dest != NULL, NULL); - - ret = asn1_write_value (dest, "extnID", oid_str, 1); - return_val_if_fail (ret == ASN1_SUCCESS, NULL); - - if (critical) - ret = asn1_write_value (dest, "critical", "TRUE", 1); - return_val_if_fail (ret == ASN1_SUCCESS, NULL); - - ret = asn1_write_value (dest, "extnValue", value, length); - return_val_if_fail (ret == ASN1_SUCCESS, NULL); - - der = p11_asn1_encode (dest, &len); - return_val_if_fail (der != NULL, NULL); - - attrs = p11_attrs_take (attrs, CKA_VALUE, der, len); - return_val_if_fail (attrs != NULL, NULL); - - /* An opmitization so that the builder can get at this without parsing */ - p11_asn1_cache_take (parser->asn1_cache, dest, "PKIX1.Extension", der, len); - return attrs; -} - -static CK_ATTRIBUTE * -attached_attrs (p11_parser *parser, - CK_ATTRIBUTE *public_key_info, - const char *oid_str, - const unsigned char *oid_der, - bool critical, - node_asn *ext) -{ - CK_ATTRIBUTE *attrs; - unsigned char *der; - size_t len; - - der = p11_asn1_encode (ext, &len); - return_val_if_fail (der != NULL, NULL); - - attrs = extension_attrs (parser, public_key_info, oid_str, oid_der, - critical, der, len); - return_val_if_fail (attrs != NULL, NULL); - - free (der); - return attrs; -} - -static p11_dict * -load_seq_of_oid_str (node_asn *node, - const char *seqof) -{ - p11_dict *oids; - char field[128]; - char *oid; - size_t len; - int i; - - oids = p11_dict_new (p11_dict_str_hash, p11_dict_str_equal, free, NULL); - - for (i = 1; ; i++) { - if (snprintf (field, sizeof (field), "%s.?%u", seqof, i) < 0) - return_val_if_reached (NULL); - - oid = p11_asn1_read (node, field, &len); - if (oid == NULL) - break; - - if (!p11_dict_set (oids, oid, oid)) - return_val_if_reached (NULL); - } - - return oids; -} - -static CK_ATTRIBUTE * -attached_eku_attrs (p11_parser *parser, - CK_ATTRIBUTE *public_key_info, - const char *oid_str, - const unsigned char *oid_der, - bool critical, - p11_dict *oid_strs) -{ - CK_ATTRIBUTE *attrs; - p11_dictiter iter; - node_asn *dest; - int count = 0; - void *value; - int ret; - - dest = p11_asn1_create (parser->asn1_defs, "PKIX1.ExtKeyUsageSyntax"); - return_val_if_fail (dest != NULL, NULL); - - p11_dict_iterate (oid_strs, &iter); - while (p11_dict_next (&iter, NULL, &value)) { - ret = asn1_write_value (dest, "", "NEW", 1); - return_val_if_fail (ret == ASN1_SUCCESS, NULL); - - ret = asn1_write_value (dest, "?LAST", value, -1); - return_val_if_fail (ret == ASN1_SUCCESS, NULL); - - count++; - } - - /* - * If no oids have been written, then we have to put in a reserved - * value, due to the way that ExtendedKeyUsage is defined in RFC 5280. - * There must be at least one purpose. This is important since *not* - * having an ExtendedKeyUsage is very different than having one without - * certain usages. - * - * We account for this in p11_parse_extended_key_usage(). However for - * most callers this should not matter, as they only check whether a - * given purpose is present, and don't make assumptions about ones - * that they don't know about. - */ - - if (count == 0) { - ret = asn1_write_value (dest, "", "NEW", 1); - return_val_if_fail (ret == ASN1_SUCCESS, NULL); - - ret = asn1_write_value (dest, "?LAST", P11_OID_RESERVED_PURPOSE_STR, -1); - return_val_if_fail (ret == ASN1_SUCCESS, NULL); - } - - - attrs = attached_attrs (parser, public_key_info, oid_str, oid_der, critical, dest); - asn1_delete_structure (&dest); - - return attrs; -} - -static CK_ATTRIBUTE * -build_openssl_extensions (p11_parser *parser, - CK_ATTRIBUTE *cert, - CK_ATTRIBUTE *public_key_info, - node_asn *aux, - const unsigned char *aux_der, - size_t aux_len) -{ - CK_BBOOL trusted = CK_FALSE; - CK_BBOOL distrust = CK_FALSE; - - CK_ATTRIBUTE trust_attrs[] = { - { CKA_TRUSTED, &trusted, sizeof (trusted) }, - { CKA_X_DISTRUSTED, &distrust, sizeof (distrust) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - p11_dict *trust = NULL; - p11_dict *reject = NULL; - p11_dictiter iter; - void *key; - int start; - int end; - int ret; - int num; - - /* - * This will load an empty list if there is no OPTIONAL trust field. - * OpenSSL assumes that for a TRUSTED CERTIFICATE a missing trust field - * is identical to untrusted for all purposes. - * - * This is different from ExtendedKeyUsage, where a missing certificate - * extension means that it is trusted for all purposes. - */ - trust = load_seq_of_oid_str (aux, "trust"); - - ret = asn1_number_of_elements (aux, "reject", &num); - return_val_if_fail (ret == ASN1_SUCCESS || ret == ASN1_ELEMENT_NOT_FOUND, NULL); - if (ret == ASN1_SUCCESS) - reject = load_seq_of_oid_str (aux, "reject"); - - /* Remove all rejected oids from the trust set */ - if (trust && reject) { - p11_dict_iterate (reject, &iter); - while (p11_dict_next (&iter, &key, NULL)) - p11_dict_remove (trust, key); - } - - /* - * The trust field (or lack of it) becomes a standard ExtKeyUsageSyntax. - * - * critical: require that this is enforced - */ - - if (trust) { - attrs = attached_eku_attrs (parser, public_key_info, - P11_OID_EXTENDED_KEY_USAGE_STR, - P11_OID_EXTENDED_KEY_USAGE, - true, trust); - return_val_if_fail (attrs != NULL, NULL); - sink_object (parser, attrs); - } - - /* - * For the reject field we use a custom defined extension. We track this - * for completeness, although the above ExtendedKeyUsage extension handles - * this data fine. See oid.h for more details. It uses ExtKeyUsageSyntax structure. - * - * non-critical: non-standard, and also covered by trusts - */ - - if (reject && p11_dict_size (reject) > 0) { - attrs = attached_eku_attrs (parser, public_key_info, - P11_OID_OPENSSL_REJECT_STR, - P11_OID_OPENSSL_REJECT, - false, reject); - return_val_if_fail (attrs != NULL, NULL); - sink_object (parser, attrs); - } - - /* - * OpenSSL model blacklists as anchors with all purposes being removed/rejected, - * we account for that here. If there is an ExtendedKeyUsage without any - * useful purposes, then treat like a blacklist. - */ - if (trust && p11_dict_size (trust) == 0) { - trusted = CK_FALSE; - distrust = CK_TRUE; - - /* - * Otherwise a 'TRUSTED CERTIFICATE' in an input directory is enough to - * mark this as a trusted certificate. - */ - } else if (trust && p11_dict_size (trust) > 0) { - trusted = CK_TRUE; - distrust = CK_FALSE; - } - - /* - * OpenSSL model blacklists as anchors with all purposes being removed/rejected, - * we account for that here. If there is an ExtendedKeyUsage without any - * useful purposes, then treat like a blacklist. - */ - - cert = p11_attrs_merge (cert, p11_attrs_dup (trust_attrs), true); - return_val_if_fail (cert != NULL, NULL); - - p11_dict_free (trust); - p11_dict_free (reject); - - /* - * For the keyid field we use the SubjectKeyIdentifier extension. It - * is already in the correct form, an OCTET STRING. - * - * non-critical: as recommended in RFC 5280 - */ - - ret = asn1_der_decoding_startEnd (aux, aux_der, aux_len, "keyid", &start, &end); - return_val_if_fail (ret == ASN1_SUCCESS || ret == ASN1_ELEMENT_NOT_FOUND, NULL); - - if (ret == ASN1_SUCCESS) { - attrs = extension_attrs (parser, public_key_info, - P11_OID_SUBJECT_KEY_IDENTIFIER_STR, - P11_OID_SUBJECT_KEY_IDENTIFIER, - false, aux_der + start, (end - start) + 1); - return_val_if_fail (attrs != NULL, NULL); - sink_object (parser, attrs); - } - - - return cert; -} - -static int -parse_openssl_trusted_certificate (p11_parser *parser, - const unsigned char *data, - size_t length) -{ - char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE]; - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE public_key_info = { CKA_PUBLIC_KEY_INFO }; - CK_ATTRIBUTE *value; - char *label = NULL; - node_asn *cert; - node_asn *aux = NULL; - ssize_t cert_len; - size_t len; - int start; - int end; - int ret; - - /* - * This OpenSSL format is weird. It's just two DER structures - * placed end to end without any wrapping SEQ. So calculate the - * length of the first DER TLV we see and try to parse that as - * the X.509 certificate. - */ - - cert_len = p11_asn1_tlv_length (data, length); - if (cert_len <= 0) - return P11_PARSE_UNRECOGNIZED; - - cert = p11_asn1_decode (parser->asn1_defs, "PKIX1.Certificate", data, cert_len, message); - if (cert == NULL) - return P11_PARSE_UNRECOGNIZED; - - /* OpenSSL sometimes outputs TRUSTED CERTIFICATE format without the CertAux supplement */ - if (cert_len < length) { - aux = p11_asn1_decode (parser->asn1_defs, "OPENSSL.CertAux", data + cert_len, - length - cert_len, message); - if (aux == NULL) { - asn1_delete_structure (&cert); - return P11_PARSE_UNRECOGNIZED; - } - } - - attrs = certificate_attrs (parser, data, cert_len); - return_val_if_fail (attrs != NULL, P11_PARSE_FAILURE); - - /* Cache the parsed certificate ASN.1 for later use by the builder */ - value = p11_attrs_find_valid (attrs, CKA_VALUE); - return_val_if_fail (value != NULL, P11_PARSE_FAILURE); - - /* Pull out the subject public key info */ - ret = asn1_der_decoding_startEnd (cert, data, cert_len, - "tbsCertificate.subjectPublicKeyInfo", &start, &end); - return_val_if_fail (ret == ASN1_SUCCESS, P11_PARSE_FAILURE); - - public_key_info.pValue = (char *)data + start; - public_key_info.ulValueLen = (end - start) + 1; - - p11_asn1_cache_take (parser->asn1_cache, cert, "PKIX1.Certificate", - value->pValue, value->ulValueLen); - - /* Pull the label out of the CertAux */ - if (aux) { - len = 0; - label = p11_asn1_read (aux, "alias", &len); - if (label != NULL) { - attrs = p11_attrs_take (attrs, CKA_LABEL, label, strlen (label)); - return_val_if_fail (attrs != NULL, P11_PARSE_FAILURE); - } - - attrs = build_openssl_extensions (parser, attrs, &public_key_info, aux, - data + cert_len, length - cert_len); - return_val_if_fail (attrs != NULL, P11_PARSE_FAILURE); - } - - sink_object (parser, attrs); - asn1_delete_structure (&aux); - - return P11_PARSE_SUCCESS; -} - -static void -on_pem_block (const char *type, - const unsigned char *contents, - size_t length, - void *user_data) -{ - p11_parser *parser = user_data; - int ret; - - if (strcmp (type, "CERTIFICATE") == 0) { - ret = p11_parser_format_x509 (parser, contents, length); - - } else if (strcmp (type, "TRUSTED CERTIFICATE") == 0) { - ret = parse_openssl_trusted_certificate (parser, contents, length); - - } else { - p11_debug ("Saw unsupported or unrecognized PEM block of type %s", type); - ret = P11_PARSE_SUCCESS; - } - - if (ret != P11_PARSE_SUCCESS) - p11_message ("Couldn't parse PEM block of type %s", type); -} - -int -p11_parser_format_pem (p11_parser *parser, - const unsigned char *data, - size_t length) -{ - int num; - - num = p11_pem_parse ((const char *)data, length, on_pem_block, parser); - - if (num == 0) - return P11_PARSE_UNRECOGNIZED; - - return P11_PARSE_SUCCESS; -} - -int -p11_parser_format_persist (p11_parser *parser, - const unsigned char *data, - size_t length) -{ - CK_BBOOL modifiablev = CK_TRUE; - CK_ATTRIBUTE *attrs; - p11_array *objects; - bool ret; - int i; - - CK_ATTRIBUTE modifiable = { CKA_MODIFIABLE, &modifiablev, sizeof (modifiablev) }; - - if (!p11_persist_magic (data, length)) - return P11_PARSE_UNRECOGNIZED; - - if (!parser->persist) { - parser->persist = p11_persist_new (); - return_val_if_fail (parser->persist != NULL, P11_PARSE_UNRECOGNIZED); - } - - objects = p11_array_new (NULL); - return_val_if_fail (objects != NULL, P11_PARSE_FAILURE); - - ret = p11_persist_read (parser->persist, parser->basename, data, length, objects); - if (ret) { - for (i = 0; i < objects->num; i++) { - attrs = p11_attrs_build (objects->elem[i], &modifiable, NULL); - sink_object (parser, attrs); - } - } - - p11_array_free (objects); - return ret ? P11_PARSE_SUCCESS : P11_PARSE_FAILURE; -} - -p11_parser * -p11_parser_new (p11_asn1_cache *asn1_cache) -{ - p11_parser parser = { 0, }; - - if (asn1_cache == NULL) { - parser.asn1_owned = true; - parser.asn1_defs = p11_asn1_defs_load (); - } else { - parser.asn1_defs = p11_asn1_cache_defs (asn1_cache); - parser.asn1_cache = asn1_cache; - parser.asn1_owned = false; - } - - parser.parsed = p11_array_new (p11_attrs_free); - return_val_if_fail (parser.parsed != NULL, NULL); - - return memdup (&parser, sizeof (parser)); -} - -void -p11_parser_free (p11_parser *parser) -{ - return_if_fail (parser != NULL); - p11_persist_free (parser->persist); - p11_array_free (parser->parsed); - p11_array_free (parser->formats); - if (parser->asn1_owned) - p11_dict_free (parser->asn1_defs); - free (parser); -} - -p11_array * -p11_parser_parsed (p11_parser *parser) -{ - return_val_if_fail (parser != NULL, NULL); - return parser->parsed; -} - -void -p11_parser_formats (p11_parser *parser, - ...) -{ - p11_array *formats; - parser_func func; - va_list va; - - formats = p11_array_new (NULL); - return_if_fail (formats != NULL); - - va_start (va, parser); - for (;;) { - func = va_arg (va, parser_func); - if (func == NULL) - break; - if (!p11_array_push (formats, func)) - return_if_reached (); - } - va_end (va); - - p11_array_free (parser->formats); - parser->formats = formats; -} - -int -p11_parse_memory (p11_parser *parser, - const char *filename, - int flags, - const unsigned char *data, - size_t length) -{ - int ret = P11_PARSE_UNRECOGNIZED; - char *base; - int i; - - return_val_if_fail (parser != NULL, P11_PARSE_FAILURE); - return_val_if_fail (filename != NULL, P11_PARSE_FAILURE); - return_val_if_fail (parser->formats != NULL, P11_PARSE_FAILURE); - - p11_array_clear (parser->parsed); - base = p11_path_base (filename); - parser->basename = base; - parser->flags = flags; - - for (i = 0; ret == P11_PARSE_UNRECOGNIZED && i < parser->formats->num; i++) - ret = ((parser_func)parser->formats->elem[i]) (parser, data, length); - - p11_asn1_cache_flush (parser->asn1_cache); - - free (base); - parser->basename = NULL; - parser->flags = 0; - - return ret; -} - -int -p11_parse_file (p11_parser *parser, - const char *filename, - struct stat *sb, - int flags) -{ - p11_mmap *map; - void *data; - size_t size; - int ret; - - return_val_if_fail (parser != NULL, P11_PARSE_FAILURE); - return_val_if_fail (filename != NULL, P11_PARSE_FAILURE); - - map = p11_mmap_open (filename, sb, &data, &size); - if (map == NULL) { - p11_message_err (errno, "couldn't open and map file: %s", filename); - return P11_PARSE_FAILURE; - } - - ret = p11_parse_memory (parser, filename, flags, data, size); - - p11_mmap_close (map); - return ret; -} diff --git a/trust/parser.h b/trust/parser.h deleted file mode 100644 index b177844..0000000 --- a/trust/parser.h +++ /dev/null @@ -1,89 +0,0 @@ -/* - * Copyright (C) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "asn1.h" -#include "array.h" -#include "compat.h" -#include "dict.h" - -#ifndef P11_PARSER_H_ -#define P11_PARSER_H_ - -enum { - P11_PARSE_FLAG_NONE = 0, - P11_PARSE_FLAG_ANCHOR = 1 << 0, - P11_PARSE_FLAG_BLACKLIST = 1 << 1, -}; - -enum { - P11_PARSE_FAILURE = -1, - P11_PARSE_UNRECOGNIZED = 0, - P11_PARSE_SUCCESS = 1, -}; - -typedef struct _p11_parser p11_parser; - -p11_parser * p11_parser_new (p11_asn1_cache *asn1_cache); - -void p11_parser_free (p11_parser *parser); - -int p11_parse_memory (p11_parser *parser, - const char *filename, - int flags, - const unsigned char *data, - size_t length); - -int p11_parse_file (p11_parser *parser, - const char *filename, - struct stat *sb, - int flags); - -p11_array * p11_parser_parsed (p11_parser *parser); - -void p11_parser_formats (p11_parser *parser, - ...) GNUC_NULL_TERMINATED; - -int p11_parser_format_persist (p11_parser *parser, - const unsigned char *data, - size_t length); - -int p11_parser_format_pem (p11_parser *parser, - const unsigned char *data, - size_t length); - -int p11_parser_format_x509 (p11_parser *parser, - const unsigned char *data, - size_t length); - -#endif /* P11_PARSER_H_ */ diff --git a/trust/pem.c b/trust/pem.c deleted file mode 100644 index ce4f554..0000000 --- a/trust/pem.c +++ /dev/null @@ -1,288 +0,0 @@ -/* - * Copyright (C) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#include "compat.h" -#include "base64.h" -#include "buffer.h" -#include "debug.h" -#include "pem.h" - -#include <assert.h> -#include <ctype.h> -#include <stdlib.h> -#include <string.h> - -#define ARMOR_SUFF "-----" -#define ARMOR_SUFF_L 5 -#define ARMOR_PREF_BEGIN "-----BEGIN " -#define ARMOR_PREF_BEGIN_L 11 -#define ARMOR_PREF_END "-----END " -#define ARMOR_PREF_END_L 9 - -enum { - NONE = 0, - TRUSTED_CERTIFICATE, - CERTIFICATE -}; - -static const char * -pem_find_begin (const char *data, - size_t n_data, - char **type) -{ - const char *pref, *suff; - - /* Look for a prefix */ - pref = strnstr ((char *)data, ARMOR_PREF_BEGIN, n_data); - if (!pref) - return NULL; - - n_data -= (pref - data) + ARMOR_PREF_BEGIN_L; - data = pref + ARMOR_PREF_BEGIN_L; - - /* Look for the end of that begin */ - suff = strnstr ((char *)data, ARMOR_SUFF, n_data); - if (!suff) - return NULL; - - /* Make sure on the same line */ - if (memchr (pref, '\n', suff - pref)) - return NULL; - - if (type) { - pref += ARMOR_PREF_BEGIN_L; - assert (suff > pref); - *type = strndup (pref, suff - pref); - return_val_if_fail (*type != NULL, NULL); - } - - /* The byte after this ---BEGIN--- */ - return suff + ARMOR_SUFF_L; -} - -static const char * -pem_find_end (const char *data, - size_t n_data, - const char *type) -{ - const char *pref; - size_t n_type; - - /* Look for a prefix */ - pref = strnstr (data, ARMOR_PREF_END, n_data); - if (!pref) - return NULL; - - n_data -= (pref - data) + ARMOR_PREF_END_L; - data = pref + ARMOR_PREF_END_L; - - /* Next comes the type string */ - n_type = strlen (type); - if (n_type > n_data || strncmp ((char *)data, type, n_type) != 0) - return NULL; - - n_data -= n_type; - data += n_type; - - /* Next comes the suffix */ - if (ARMOR_SUFF_L > n_data || strncmp ((char *)data, ARMOR_SUFF, ARMOR_SUFF_L) != 0) - return NULL; - - /* The end of the data */ - return pref; -} - -static unsigned char * -pem_parse_block (const char *data, - size_t n_data, - size_t *n_decoded) -{ - const char *x, *hbeg, *hend; - const char *p, *end; - unsigned char *decoded; - size_t length; - int ret; - - assert (data != NULL); - assert (n_data != 0); - assert (n_decoded != NULL); - - p = data; - end = p + n_data; - - hbeg = hend = NULL; - - /* Try and find a pair of blank lines with only white space between */ - while (hend == NULL) { - x = memchr (p, '\n', end - p); - if (!x) - break; - ++x; - while (isspace (*x)) { - /* Found a second line, with only spaces between */ - if (*x == '\n') { - hbeg = data; - hend = x; - break; - /* Found a space between two lines */ - } else { - ++x; - } - } - - /* Try next line */ - p = x; - } - - /* Headers found? */ - if (hbeg && hend) { - data = hend; - n_data = end - data; - } - - length = (n_data * 3) / 4 + 1; - decoded = malloc (length); - return_val_if_fail (decoded != NULL, 0); - - ret = p11_b64_pton (data, n_data, decoded, length); - if (ret < 0) { - free (decoded); - return NULL; - } - - /* No need to parse headers for our use cases */ - - *n_decoded = ret; - return decoded; -} - -unsigned int -p11_pem_parse (const char *data, - size_t n_data, - p11_pem_sink sink, - void *user_data) -{ - const char *beg, *end; - unsigned int nfound = 0; - unsigned char *decoded = NULL; - size_t n_decoded = 0; - char *type; - - assert (data != NULL); - - while (n_data > 0) { - - /* This returns the first character after the PEM BEGIN header */ - beg = pem_find_begin (data, n_data, &type); - if (beg == NULL) - break; - - assert (type != NULL); - - /* This returns the character position before the PEM END header */ - end = pem_find_end (beg, n_data - (beg - data), type); - if (end == NULL) { - free (type); - break; - } - - if (beg != end) { - decoded = pem_parse_block (beg, end - beg, &n_decoded); - if (decoded) { - if (sink != NULL) - (sink) (type, decoded, n_decoded, user_data); - ++nfound; - free (decoded); - } - } - - free (type); - - /* Try for another block */ - end += ARMOR_SUFF_L; - n_data -= (const char *)end - (const char *)data; - data = end; - } - - return nfound; -} - -bool -p11_pem_write (const unsigned char *contents, - size_t length, - const char *type, - p11_buffer *buf) -{ - size_t estimate; - size_t prefix; - char *target; - int len; - - return_val_if_fail (contents || !length, false); - return_val_if_fail (type, false); - return_val_if_fail (buf, false); - - /* Estimate from base64 data. Algorithm from Glib reference */ - estimate = length * 4 / 3 + 7; - estimate += estimate / 64 + 1; - - p11_buffer_add (buf, ARMOR_PREF_BEGIN, ARMOR_PREF_BEGIN_L); - p11_buffer_add (buf, type, -1); - p11_buffer_add (buf, ARMOR_SUFF, ARMOR_SUFF_L); - - prefix = buf->len; - target = p11_buffer_append (buf, estimate); - return_val_if_fail (target != NULL, NULL); - - /* - * OpenSSL is absolutely certain that it wants its PEM base64 - * lines to be 64 characters in len. - */ - - len = p11_b64_ntop (contents, length, target, estimate, 64); - - assert (len > 0); - assert (len <= estimate); - buf->len = prefix + len; - - p11_buffer_add (buf, "\n", 1); - p11_buffer_add (buf, ARMOR_PREF_END, ARMOR_PREF_END_L); - p11_buffer_add (buf, type, -1); - p11_buffer_add (buf, ARMOR_SUFF, ARMOR_SUFF_L); - p11_buffer_add (buf, "\n", 1); - - return p11_buffer_ok (buf); -} diff --git a/trust/pem.h b/trust/pem.h deleted file mode 100644 index 7e4ce63..0000000 --- a/trust/pem.h +++ /dev/null @@ -1,58 +0,0 @@ -/* - * Copyright (C) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#ifndef P11_PEM_H_ -#define P11_PEM_H_ - -#include "buffer.h" -#include "compat.h" - -#include <sys/types.h> - -typedef void (*p11_pem_sink) (const char *type, - const unsigned char *contents, - size_t length, - void *user_data); - -unsigned int p11_pem_parse (const char *input, - size_t length, - p11_pem_sink sink, - void *user_data); - -bool p11_pem_write (const unsigned char *contents, - size_t length, - const char *type, - p11_buffer *buf); - -#endif /* P11_PEM_H_ */ diff --git a/trust/persist.c b/trust/persist.c deleted file mode 100644 index ae76342..0000000 --- a/trust/persist.c +++ /dev/null @@ -1,768 +0,0 @@ -/* - * Copyright (C) 2013 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#include "asn1.h" -#include "attrs.h" -#include "constants.h" -#include "debug.h" -#include "lexer.h" -#include "message.h" -#include "pem.h" -#include "persist.h" -#include "pkcs11.h" -#include "pkcs11i.h" -#include "pkcs11x.h" -#include "types.h" -#include "url.h" - -#include "basic.asn.h" - -#include <libtasn1.h> - -#include <assert.h> -#include <stdlib.h> -#include <string.h> - -#define PERSIST_HEADER "p11-kit-object-v1" - -struct _p11_persist { - p11_dict *constants; - node_asn *asn1_defs; -}; - -bool -p11_persist_magic (const unsigned char *data, - size_t length) -{ - return (strnstr ((char *)data, "[" PERSIST_HEADER "]", length) != NULL); -} - -p11_persist * -p11_persist_new (void) -{ - p11_persist *persist; - - persist = calloc (1, sizeof (p11_persist)); - return_val_if_fail (persist != NULL, NULL); - - persist->constants = p11_constant_reverse (true); - return_val_if_fail (persist->constants != NULL, NULL); - - return persist; -} - -void -p11_persist_free (p11_persist *persist) -{ - if (!persist) - return; - p11_dict_free (persist->constants); - asn1_delete_structure (&persist->asn1_defs); - free (persist); -} - -struct constant { - CK_ULONG value; - const char *string; -}; - -static bool -parse_string (p11_lexer *lexer, - CK_ATTRIBUTE *attr) -{ - const char *value; - const char *end; - size_t length; - unsigned char *data; - - value = lexer->tok.field.value; - end = value + strlen (value); - - /* Not a string/binary value */ - if (value == end || value[0] != '\"' || *(end - 1) != '\"') - return false; - - /* Note that we don't skip whitespace when decoding, as you might in other URLs */ - data = p11_url_decode (value + 1, end - 1, "", &length); - if (data == NULL) { - p11_lexer_msg(lexer, "bad encoding of attribute value"); - return false; - } - - attr->pValue = data; - attr->ulValueLen = length; - return true; -} - -static void -format_string (CK_ATTRIBUTE *attr, - p11_buffer *buf) -{ - const unsigned char *value; - - assert (attr->ulValueLen != CK_UNAVAILABLE_INFORMATION); - - p11_buffer_add (buf, "\"", 1); - value = attr->pValue; - p11_url_encode (value, value + attr->ulValueLen, P11_URL_VERBATIM, buf); - p11_buffer_add (buf, "\"", 1); -} - -static bool -parse_bool (p11_lexer *lexer, - CK_ATTRIBUTE *attr) -{ - const char *value = lexer->tok.field.value; - CK_BBOOL boolean; - - if (strcmp (value, "true") == 0) { - boolean = CK_TRUE; - - } else if (strcmp (value, "false") == 0) { - boolean = CK_FALSE; - - } else { - /* Not a valid boolean value */ - return false; - } - - attr->pValue = memdup (&boolean, sizeof (boolean)); - return_val_if_fail (attr != NULL, FALSE); - attr->ulValueLen = sizeof (boolean); - return true; -} - -static bool -format_bool (CK_ATTRIBUTE *attr, - p11_buffer *buf) -{ - const CK_BBOOL *value; - - if (attr->ulValueLen != sizeof (CK_BBOOL)) - return false; - - switch (attr->type) { - case CKA_TOKEN: - case CKA_PRIVATE: - case CKA_TRUSTED: - case CKA_SENSITIVE: - case CKA_ENCRYPT: - case CKA_DECRYPT: - case CKA_WRAP: - case CKA_UNWRAP: - case CKA_SIGN: - case CKA_SIGN_RECOVER: - case CKA_VERIFY: - case CKA_VERIFY_RECOVER: - case CKA_DERIVE: - case CKA_EXTRACTABLE: - case CKA_LOCAL: - case CKA_NEVER_EXTRACTABLE: - case CKA_ALWAYS_SENSITIVE: - case CKA_MODIFIABLE: - case CKA_SECONDARY_AUTH: - case CKA_ALWAYS_AUTHENTICATE: - case CKA_WRAP_WITH_TRUSTED: - case CKA_RESET_ON_INIT: - case CKA_HAS_RESET: - case CKA_COLOR: - case CKA_X_DISTRUSTED: - break; - default: - return false; - } - - value = attr->pValue; - if (*value == CK_TRUE) - p11_buffer_add (buf, "true", -1); - else if (*value == CK_FALSE) - p11_buffer_add (buf, "false", -1); - else - return false; - - return true; -} - -static bool -parse_ulong (p11_lexer *lexer, - CK_ATTRIBUTE *attr) -{ - unsigned long value; - char *end; - - end = NULL; - value = strtoul (lexer->tok.field.value, &end, 10); - - /* Not a valid number value */ - if (!end || *end != '\0') - return false; - - attr->pValue = memdup (&value, sizeof (CK_ULONG)); - return_val_if_fail (attr->pValue != NULL, false); - attr->ulValueLen = sizeof (CK_ULONG); - return true; -} - -static bool -format_ulong (CK_ATTRIBUTE *attr, - p11_buffer *buf) -{ - char string[sizeof (CK_ULONG) * 4]; - const CK_ULONG *value; - - if (attr->ulValueLen != sizeof (CK_ULONG)) - return false; - - switch (attr->type) { - case CKA_CERTIFICATE_CATEGORY: - case CKA_CERTIFICATE_TYPE: - case CKA_CLASS: - case CKA_JAVA_MIDP_SECURITY_DOMAIN: - case CKA_KEY_GEN_MECHANISM: - case CKA_KEY_TYPE: - case CKA_MECHANISM_TYPE: - case CKA_MODULUS_BITS: - case CKA_PRIME_BITS: - case CKA_SUB_PRIME_BITS: - case CKA_VALUE_BITS: - case CKA_VALUE_LEN: - case CKA_TRUST_DIGITAL_SIGNATURE: - case CKA_TRUST_NON_REPUDIATION: - case CKA_TRUST_KEY_ENCIPHERMENT: - case CKA_TRUST_DATA_ENCIPHERMENT: - case CKA_TRUST_KEY_AGREEMENT: - case CKA_TRUST_KEY_CERT_SIGN: - case CKA_TRUST_CRL_SIGN: - case CKA_TRUST_SERVER_AUTH: - case CKA_TRUST_CLIENT_AUTH: - case CKA_TRUST_CODE_SIGNING: - case CKA_TRUST_EMAIL_PROTECTION: - case CKA_TRUST_IPSEC_END_SYSTEM: - case CKA_TRUST_IPSEC_TUNNEL: - case CKA_TRUST_IPSEC_USER: - case CKA_TRUST_TIME_STAMPING: - case CKA_TRUST_STEP_UP_APPROVED: - case CKA_X_ASSERTION_TYPE: - case CKA_AUTH_PIN_FLAGS: - case CKA_HW_FEATURE_TYPE: - case CKA_PIXEL_X: - case CKA_PIXEL_Y: - case CKA_RESOLUTION: - case CKA_CHAR_ROWS: - case CKA_CHAR_COLUMNS: - case CKA_BITS_PER_PIXEL: - break; - default: - return false; - } - - value = attr->pValue; - snprintf (string, sizeof (string), "%lu", *value); - - p11_buffer_add (buf, string, -1); - return true; -} - -static bool -parse_constant (p11_persist *persist, - p11_lexer *lexer, - CK_ATTRIBUTE *attr) -{ - CK_ULONG value; - - value = p11_constant_resolve (persist->constants, lexer->tok.field.value); - - /* Not a valid constant */ - if (value == CKA_INVALID) - return false; - - attr->pValue = memdup (&value, sizeof (CK_ULONG)); - return_val_if_fail (attr->pValue != NULL, false); - attr->ulValueLen = sizeof (CK_ULONG); - return true; -} - -static bool -format_constant (CK_ATTRIBUTE *attr, - p11_buffer *buf) -{ - const p11_constant *table; - const CK_ULONG *value; - const char *nick; - - if (attr->ulValueLen != sizeof (CK_ULONG)) - return false; - - switch (attr->type) { - case CKA_TRUST_DIGITAL_SIGNATURE: - case CKA_TRUST_NON_REPUDIATION: - case CKA_TRUST_KEY_ENCIPHERMENT: - case CKA_TRUST_DATA_ENCIPHERMENT: - case CKA_TRUST_KEY_AGREEMENT: - case CKA_TRUST_KEY_CERT_SIGN: - case CKA_TRUST_CRL_SIGN: - case CKA_TRUST_SERVER_AUTH: - case CKA_TRUST_CLIENT_AUTH: - case CKA_TRUST_CODE_SIGNING: - case CKA_TRUST_EMAIL_PROTECTION: - case CKA_TRUST_IPSEC_END_SYSTEM: - case CKA_TRUST_IPSEC_TUNNEL: - case CKA_TRUST_IPSEC_USER: - case CKA_TRUST_TIME_STAMPING: - table = p11_constant_trusts; - break; - case CKA_CLASS: - table = p11_constant_classes; - break; - case CKA_CERTIFICATE_TYPE: - table = p11_constant_certs; - break; - case CKA_KEY_TYPE: - table = p11_constant_keys; - break; - case CKA_X_ASSERTION_TYPE: - table = p11_constant_asserts; - break; - case CKA_CERTIFICATE_CATEGORY: - table = p11_constant_categories; - break; - case CKA_KEY_GEN_MECHANISM: - case CKA_MECHANISM_TYPE: - table = p11_constant_mechanisms; - break; - default: - table = NULL; - }; - - if (!table) - return false; - - value = attr->pValue; - nick = p11_constant_nick (table, *value); - - if (!nick) - return false; - - p11_buffer_add (buf, nick, -1); - return true; -} - -static bool -parse_oid (p11_persist *persist, - p11_lexer *lexer, - CK_ATTRIBUTE *attr) -{ - char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = { 0, }; - node_asn *asn; - size_t length; - char *value; - int ret; - - value = lexer->tok.field.value; - length = strlen (value); - - /* Not an OID value? */ - if (length < 4 || - strchr (value, '.') == NULL || - strspn (value, "0123456790.") != length || - strstr (value, "..") != NULL || - value[0] == '.' || value[0] == '0' || - value[length - 1] == '.' || - strchr (value, '.') == strrchr (value, '.')) { - return false; - } - - if (!persist->asn1_defs) { - ret = asn1_array2tree (basic_asn1_tab, &persist->asn1_defs, message); - if (ret != ASN1_SUCCESS) { - p11_debug_precond ("failed to load BASIC definitions: %s: %s\n", - asn1_strerror (ret), message); - return false; - } - } - - ret = asn1_create_element (persist->asn1_defs, "BASIC.ObjectIdentifier", &asn); - if (ret != ASN1_SUCCESS) { - p11_debug_precond ("failed to create ObjectIdentifier element: %s\n", - asn1_strerror (ret)); - return false; - } - - ret = asn1_write_value (asn, "", value, 1); - if (ret == ASN1_VALUE_NOT_VALID) { - p11_lexer_msg (lexer, "invalid oid value"); - asn1_delete_structure (&asn); - return false; - } - return_val_if_fail (ret == ASN1_SUCCESS, false); - - attr->pValue = p11_asn1_encode (asn, &length); - return_val_if_fail (attr->pValue != NULL, false); - attr->ulValueLen = length; - - asn1_delete_structure (&asn); - return true; -} - -static bool -format_oid (p11_persist *persist, - CK_ATTRIBUTE *attr, - p11_buffer *buf) -{ - char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = { 0, }; - node_asn *asn; - char *data; - size_t len; - int ret; - - if (attr->type != CKA_OBJECT_ID || attr->ulValueLen == 0) - return false; - - if (!persist->asn1_defs) { - ret = asn1_array2tree (basic_asn1_tab, &persist->asn1_defs, message); - if (ret != ASN1_SUCCESS) { - p11_debug_precond ("failed to load BASIC definitions: %s: %s\n", - asn1_strerror (ret), message); - return false; - } - } - - ret = asn1_create_element (persist->asn1_defs, "BASIC.ObjectIdentifier", &asn); - if (ret != ASN1_SUCCESS) { - p11_debug_precond ("failed to create ObjectIdentifier element: %s\n", - asn1_strerror (ret)); - return false; - } - - ret = asn1_der_decoding (&asn, attr->pValue, attr->ulValueLen, message); - if (ret != ASN1_SUCCESS) { - p11_message ("invalid oid value: %s", message); - return false; - } - - data = p11_asn1_read (asn, "", &len); - return_val_if_fail (data != NULL, false); - - asn1_delete_structure (&asn); - - p11_buffer_add (buf, data, len - 1); - free (data); - - return true; -} - -static bool -parse_value (p11_persist *persist, - p11_lexer *lexer, - CK_ATTRIBUTE *attr) -{ - return parse_constant (persist, lexer, attr) || - parse_string (lexer, attr) || - parse_bool (lexer, attr) || - parse_ulong (lexer, attr) || - parse_oid (persist, lexer, attr); -} - -static void -format_value (p11_persist *persist, - CK_ATTRIBUTE *attr, - p11_buffer *buf) -{ - assert (attr->ulValueLen != CK_UNAVAILABLE_INFORMATION); - - if (format_bool (attr, buf) || - format_constant (attr, buf) || - format_ulong (attr, buf) || - format_oid (persist, attr, buf)) - return; - - /* Everything else as string */ - format_string (attr, buf); -} - -static bool -field_to_attribute (p11_persist *persist, - p11_lexer *lexer, - CK_ATTRIBUTE **attrs) -{ - CK_ATTRIBUTE attr = { 0, }; - char *end; - - end = NULL; - attr.type = strtoul (lexer->tok.field.name, &end, 10); - - /* Not a valid number value, probably a constant */ - if (!end || *end != '\0') { - attr.type = p11_constant_resolve (persist->constants, lexer->tok.field.name); - if (attr.type == CKA_INVALID || !p11_constant_name (p11_constant_types, attr.type)) { - p11_lexer_msg (lexer, "invalid or unsupported attribute"); - return false; - } - } - - if (!parse_value (persist, lexer, &attr)) { - p11_lexer_msg (lexer, "invalid value"); - return false; - } - - *attrs = p11_attrs_take (*attrs, attr.type, - attr.pValue, attr.ulValueLen); - return true; -} - -static CK_ATTRIBUTE * -certificate_to_attributes (const unsigned char *der, - size_t length) -{ - CK_OBJECT_CLASS klassv = CKO_CERTIFICATE; - CK_CERTIFICATE_TYPE x509 = CKC_X_509; - - CK_ATTRIBUTE klass = { CKA_CLASS, &klassv, sizeof (klassv) }; - CK_ATTRIBUTE certificate_type = { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }; - CK_ATTRIBUTE value = { CKA_VALUE, (void *)der, length }; - - return p11_attrs_build (NULL, &klass, &certificate_type, &value, NULL); -} - -static CK_ATTRIBUTE * -public_key_to_attributes (const unsigned char *der, - size_t length) -{ - /* Eventually we might choose to contribute a class here ... */ - CK_ATTRIBUTE public_key = { CKA_PUBLIC_KEY_INFO, (void *)der, length }; - return p11_attrs_build (NULL, &public_key, NULL); -} - -typedef struct { - p11_lexer *lexer; - CK_ATTRIBUTE *attrs; - bool result; -} parse_block; - -static void -on_pem_block (const char *type, - const unsigned char *contents, - size_t length, - void *user_data) -{ - parse_block *pb = user_data; - CK_ATTRIBUTE *attrs; - - if (strcmp (type, "CERTIFICATE") == 0) { - attrs = certificate_to_attributes (contents, length); - pb->attrs = p11_attrs_merge (pb->attrs, attrs, false); - pb->result = true; - - } else if (strcmp (type, "PUBLIC KEY") == 0) { - attrs = public_key_to_attributes (contents, length); - pb->attrs = p11_attrs_merge (pb->attrs, attrs, false); - pb->result = true; - - } else { - p11_lexer_msg (pb->lexer, "unsupported pem block in store"); - pb->result = false; - } -} - -static bool -pem_to_attributes (p11_lexer *lexer, - CK_ATTRIBUTE **attrs) -{ - parse_block pb = { lexer, *attrs, false }; - unsigned int count; - - count = p11_pem_parse (lexer->tok.pem.begin, - lexer->tok.pem.length, - on_pem_block, &pb); - - if (count == 0) { - p11_lexer_msg (lexer, "invalid pem block"); - return false; - } - - /* The lexer should have only matched one block */ - return_val_if_fail (count == 1, false); - *attrs = pb.attrs; - return pb.result; -} - -bool -p11_persist_read (p11_persist *persist, - const char *filename, - const unsigned char *data, - size_t length, - p11_array *objects) -{ - p11_lexer lexer; - CK_ATTRIBUTE *attrs; - bool failed; - bool skip; - - return_val_if_fail (persist != NULL, false); - return_val_if_fail (objects != NULL, false); - - skip = false; - attrs = NULL; - failed = false; - - p11_lexer_init (&lexer, filename, (const char *)data, length); - while (p11_lexer_next (&lexer, &failed)) { - switch (lexer.tok_type) { - case TOK_SECTION: - if (attrs && !p11_array_push (objects, attrs)) - return_val_if_reached (false); - attrs = NULL; - if (strcmp (lexer.tok.section.name, PERSIST_HEADER) != 0) { - p11_lexer_msg (&lexer, "unrecognized or invalid section header"); - skip = true; - } else { - attrs = p11_attrs_build (NULL, NULL); - return_val_if_fail (attrs != NULL, false); - skip = false; - } - failed = false; - break; - case TOK_FIELD: - if (skip) { - failed = false; - } else if (!attrs) { - p11_lexer_msg (&lexer, "attribute before p11-kit section header"); - failed = true; - } else { - failed = !field_to_attribute (persist, &lexer, &attrs); - } - break; - case TOK_PEM: - if (skip) { - failed = false; - } else if (!attrs) { - p11_lexer_msg (&lexer, "pem block before p11-kit section header"); - failed = true; - } else { - failed = !pem_to_attributes (&lexer, &attrs); - } - break; - } - - if (failed) - break; - } - - if (attrs && !p11_array_push (objects, attrs)) - return_val_if_reached (false); - attrs = NULL; - - p11_lexer_done (&lexer); - return !failed; -} - -static CK_ATTRIBUTE * -find_certificate_value (CK_ATTRIBUTE *attrs) -{ - CK_OBJECT_CLASS klass; - CK_CERTIFICATE_TYPE type; - - if (!p11_attrs_find_ulong (attrs, CKA_CLASS, &klass) || - klass != CKO_CERTIFICATE) - return NULL; - if (!p11_attrs_find_ulong (attrs, CKA_CERTIFICATE_TYPE, &type) || - type != CKC_X_509) - return NULL; - return p11_attrs_find_valid (attrs, CKA_VALUE); -} - -bool -p11_persist_write (p11_persist *persist, - CK_ATTRIBUTE *attrs, - p11_buffer *buf) -{ - char string[sizeof (CK_ULONG) * 4]; - CK_ATTRIBUTE *cert_value; - CK_ATTRIBUTE *spki_value; - const char *nick; - int i; - - cert_value = find_certificate_value (attrs); - spki_value = p11_attrs_find_valid (attrs, CKA_PUBLIC_KEY_INFO); - - p11_buffer_add (buf, "[" PERSIST_HEADER "]\n", -1); - - for (i = 0; !p11_attrs_terminator (attrs + i); i++) { - - /* These are written later? */ - if (cert_value != NULL && - (attrs[i].type == CKA_CLASS || - attrs[i].type == CKA_CERTIFICATE_TYPE || - attrs[i].type == CKA_VALUE)) - continue; - - /* These are written later? */ - if (spki_value != NULL && - attrs[i].type == CKA_PUBLIC_KEY_INFO) - continue; - - /* These are never written */ - if (attrs[i].type == CKA_TOKEN || - attrs[i].type == CKA_X_ORIGIN || - attrs[i].type == CKA_X_GENERATED) - continue; - - if (attrs[i].ulValueLen == CK_UNAVAILABLE_INFORMATION) - continue; - - nick = p11_constant_nick (p11_constant_types, attrs[i].type); - if (nick == NULL) { - snprintf (string, sizeof (string), "%lu", attrs[i].type); - nick = string; - } - - p11_buffer_add (buf, nick, -1); - p11_buffer_add (buf, ": ", 2); - format_value (persist, attrs + i, buf); - p11_buffer_add (buf, "\n", 1); - } - - if (cert_value != NULL) { - if (!p11_pem_write (cert_value->pValue, cert_value->ulValueLen, "CERTIFICATE", buf)) - return_val_if_reached (false); - } else if (spki_value != NULL) { - if (!p11_pem_write (spki_value->pValue, spki_value->ulValueLen, "PUBLIC KEY", buf)) - return_val_if_reached (false); - } - - p11_buffer_add (buf, "\n", 1); - return p11_buffer_ok (buf); -} diff --git a/trust/persist.h b/trust/persist.h deleted file mode 100644 index 0ef142c..0000000 --- a/trust/persist.h +++ /dev/null @@ -1,63 +0,0 @@ -/* - * Copyright (C) 2013 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#ifndef P11_PERSIST_H_ -#define P11_PERSIST_H_ - -#include "array.h" -#include "compat.h" -#include "dict.h" - -#include <sys/types.h> - -typedef struct _p11_persist p11_persist; - -p11_persist * p11_persist_new (void); - -bool p11_persist_magic (const unsigned char *data, - size_t length); - -bool p11_persist_read (p11_persist *persist, - const char *filename, - const unsigned char *data, - size_t length, - p11_array *objects); - -bool p11_persist_write (p11_persist *persist, - CK_ATTRIBUTE *object, - p11_buffer *buf); - -void p11_persist_free (p11_persist *persist); - -#endif /* P11_PERSIST_H_ */ diff --git a/trust/pkix.asn b/trust/pkix.asn deleted file mode 100644 index 38bb028..0000000 --- a/trust/pkix.asn +++ /dev/null @@ -1,566 +0,0 @@ - -PKIX1 { } - -DEFINITIONS IMPLICIT TAGS ::= - -BEGIN - --- This contains both PKIX1Implicit88 and RFC2630 ASN.1 modules. - -id-pkix OBJECT IDENTIFIER ::= - { iso(1) identified-organization(3) dod(6) internet(1) - security(5) mechanisms(5) pkix(7) } - --- ISO arc for standard certificate and CRL extensions - --- authority key identifier OID and syntax - -AuthorityKeyIdentifier ::= SEQUENCE { - keyIdentifier [0] KeyIdentifier OPTIONAL, - authorityCertIssuer [1] GeneralNames OPTIONAL, - authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } - -- authorityCertIssuer and authorityCertSerialNumber shall both - -- be present or both be absgent - -KeyIdentifier ::= OCTET STRING - --- subject key identifier OID and syntax - -SubjectKeyIdentifier ::= KeyIdentifier - --- key usage extension OID and syntax - -KeyUsage ::= BIT STRING - --- Directory string type -- - -DirectoryString ::= CHOICE { - teletexString TeletexString (SIZE (1..MAX)), - printableString PrintableString (SIZE (1..MAX)), - universalString UniversalString (SIZE (1..MAX)), - utf8String UTF8String (SIZE (1..MAX)), - bmpString BMPString (SIZE(1..MAX)), - -- IA5String is added here to handle old UID encoded as ia5String -- - -- See tests/userid/ for more information. It shouldn't be here, -- - -- so if it causes problems, considering dropping it. -- - ia5String IA5String (SIZE(1..MAX)) } - -SubjectAltName ::= GeneralNames - -GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName - -GeneralName ::= CHOICE { - otherName [0] AnotherName, - rfc822Name [1] IA5String, - dNSName [2] IA5String, - x400Address [3] ANY, --- Changed to work with the libtasn1 parser. - directoryName [4] EXPLICIT RDNSequence, --Name, - ediPartyName [5] ANY, --EDIPartyName replaced by ANY to save memory - uniformResourceIdentifier [6] IA5String, - iPAddress [7] OCTET STRING, - registeredID [8] OBJECT IDENTIFIER } - --- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as --- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax - -AnotherName ::= SEQUENCE { - type-id OBJECT IDENTIFIER, - value [0] EXPLICIT ANY DEFINED BY type-id } - --- issuer alternative name extension OID and syntax - -IssuerAltName ::= GeneralNames - --- basic constraints extension OID and syntax - -BasicConstraints ::= SEQUENCE { - cA BOOLEAN DEFAULT FALSE, - pathLenConstraint INTEGER (0..MAX) OPTIONAL } - --- CRL distribution points extension OID and syntax - -CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint - -DistributionPoint ::= SEQUENCE { - distributionPoint [0] EXPLICIT DistributionPointName OPTIONAL, - reasons [1] ReasonFlags OPTIONAL, - cRLIssuer [2] GeneralNames OPTIONAL -} - -DistributionPointName ::= CHOICE { - fullName [0] GeneralNames, - nameRelativeToCRLIssuer [1] RelativeDistinguishedName -} - -ReasonFlags ::= BIT STRING - --- extended key usage extension OID and syntax - -ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId - -KeyPurposeId ::= OBJECT IDENTIFIER - --- CRL number extension OID and syntax - -CRLNumber ::= INTEGER (0..MAX) - --- certificate issuer CRL entry extension OID and syntax - -CertificateIssuer ::= GeneralNames - --- -------------------------------------- --- EXPLICIT --- -------------------------------------- - --- UNIVERSAL Types defined in '93 and '98 ASN.1 --- but required by this specification - -NumericString ::= [UNIVERSAL 18] IMPLICIT OCTET STRING - -IA5String ::= [UNIVERSAL 22] IMPLICIT OCTET STRING - -TeletexString ::= [UNIVERSAL 20] IMPLICIT OCTET STRING - -PrintableString ::= [UNIVERSAL 19] IMPLICIT OCTET STRING - -UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING - -- UniversalString is defined in ASN.1:1993 - -BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING - -- BMPString is the subtype of UniversalString and models - -- the Basic Multilingual Plane of ISO/IEC/ITU 10646-1 - -UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING - -- The content of this type conforms to RFC 2279. - - --- attribute data types -- - -Attribute ::= SEQUENCE { - type AttributeType, - values SET OF AttributeValue - -- at least one value is required -- -} - -AttributeType ::= OBJECT IDENTIFIER - -AttributeValue ::= ANY DEFINED BY type - -AttributeTypeAndValue ::= SEQUENCE { - type AttributeType, - value AttributeValue } - --- suggested naming attributes: Definition of the following --- information object set may be augmented to meet local --- requirements. Note that deleting members of the set may --- prevent interoperability with conforming implementations. --- presented in pairs: the AttributeType followed by the --- type definition for the corresponding AttributeValue - --- Arc for standard naming attributes -id-at OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4} - --- Attributes of type NameDirectoryString - --- gnutls: Note that the Object ID (id-at*) is being set just before the --- actual definition. This is done in order for asn1_find_structure_from_oid --- to work (locate structure from OID). --- Maybe this is inefficient and memory consuming. Should we replace with --- a table that maps OIDs to structures? - -PostalAddress ::= SEQUENCE OF DirectoryString - - -- Legacy attributes - -emailAddress AttributeType ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 1 } - -Pkcs9email ::= IA5String (SIZE (1..ub-emailaddress-length)) - --- naming data types -- - -Name ::= CHOICE { -- only one possibility for now -- - rdnSequence RDNSequence } - -RDNSequence ::= SEQUENCE OF RelativeDistinguishedName - -DistinguishedName ::= RDNSequence - -RelativeDistinguishedName ::= - SET SIZE (1 .. MAX) OF AttributeTypeAndValue - - - --- -------------------------------------------------------- --- certificate and CRL specific structures begin here --- -------------------------------------------------------- - -Certificate ::= SEQUENCE { - tbsCertificate TBSCertificate, - signatureAlgorithm AlgorithmIdentifier, - signature BIT STRING } - -TBSCertificate ::= SEQUENCE { - version [0] EXPLICIT Version DEFAULT v1, - serialNumber CertificateSerialNumber, - signature AlgorithmIdentifier, - issuer Name, - validity Validity, - subject Name, - subjectPublicKeyInfo SubjectPublicKeyInfo, - issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, - -- If present, version shall be v2 or v3 - subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, - -- If present, version shall be v2 or v3 - extensions [3] EXPLICIT Extensions OPTIONAL - -- If present, version shall be v3 -- -} - -Version ::= INTEGER { v1(0), v2(1), v3(2) } - -CertificateSerialNumber ::= INTEGER - -Validity ::= SEQUENCE { - notBefore Time, - notAfter Time } - -Time ::= CHOICE { - utcTime UTCTime, - generalTime GeneralizedTime } - -UniqueIdentifier ::= BIT STRING - -SubjectPublicKeyInfo ::= SEQUENCE { - algorithm AlgorithmIdentifier, - subjectPublicKey BIT STRING } - -Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension - -Extension ::= SEQUENCE { - extnID OBJECT IDENTIFIER, - critical BOOLEAN DEFAULT FALSE, - extnValue OCTET STRING } - - --- ------------------------------------------ --- CRL structures --- ------------------------------------------ - -CertificateList ::= SEQUENCE { - tbsCertList TBSCertList, - signatureAlgorithm AlgorithmIdentifier, - signature BIT STRING } - -TBSCertList ::= SEQUENCE { - version Version OPTIONAL, - -- if present, shall be v2 - signature AlgorithmIdentifier, - issuer Name, - thisUpdate Time, - nextUpdate Time OPTIONAL, - revokedCertificates SEQUENCE OF SEQUENCE { - userCertificate CertificateSerialNumber, - revocationDate Time, - crlEntryExtensions Extensions OPTIONAL - -- if present, shall be v2 - } OPTIONAL, - crlExtensions [0] EXPLICIT Extensions OPTIONAL - -- if present, shall be v2 -- -} - --- Version, Time, CertificateSerialNumber, and Extensions were --- defined earlier for use in the certificate structure - -AlgorithmIdentifier ::= SEQUENCE { - algorithm OBJECT IDENTIFIER, - parameters ANY DEFINED BY algorithm OPTIONAL } - -- contains a value of the type - -- registered for use with the - -- algorithm object identifier value - --- Algorithm OIDs and parameter structures - -Dss-Sig-Value ::= SEQUENCE { - r INTEGER, - s INTEGER -} - -DomainParameters ::= SEQUENCE { - p INTEGER, -- odd prime, p=jq +1 - g INTEGER, -- generator, g - q INTEGER, -- factor of p-1 - j INTEGER OPTIONAL, -- subgroup factor, j>= 2 - validationParms ValidationParms OPTIONAL } - -ValidationParms ::= SEQUENCE { - seed BIT STRING, - pgenCounter INTEGER } - -Dss-Parms ::= SEQUENCE { - p INTEGER, - q INTEGER, - g INTEGER } - --- x400 address syntax starts here --- OR Names - -CountryName ::= [APPLICATION 1] CHOICE { - x121-dcc-code NumericString - (SIZE (ub-country-name-numeric-length)), - iso-3166-alpha2-code PrintableString - (SIZE (ub-country-name-alpha-length)) } - -OrganizationName ::= PrintableString - (SIZE (1..ub-organization-name-length)) --- see also teletex-organization-name - -NumericUserIdentifier ::= NumericString - (SIZE (1..ub-numeric-user-id-length)) - --- see also teletex-personal-name - -OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units) - OF OrganizationalUnitName --- see also teletex-organizational-unit-names - -OrganizationalUnitName ::= PrintableString (SIZE - (1..ub-organizational-unit-name-length)) - --- Extension types and attribute values --- - -CommonName ::= PrintableString - --- END of PKIX1Implicit88 - - --- BEGIN of RFC2630 - --- Cryptographic Message Syntax - -pkcs-7-ContentInfo ::= SEQUENCE { - contentType pkcs-7-ContentType, - content [0] EXPLICIT ANY DEFINED BY contentType } - -pkcs-7-DigestInfo ::= SEQUENCE { - digestAlgorithm pkcs-7-DigestAlgorithmIdentifier, - digest pkcs-7-Digest -} - -pkcs-7-Digest ::= OCTET STRING - -pkcs-7-ContentType ::= OBJECT IDENTIFIER - -pkcs-7-SignedData ::= SEQUENCE { - version pkcs-7-CMSVersion, - digestAlgorithms pkcs-7-DigestAlgorithmIdentifiers, - encapContentInfo pkcs-7-EncapsulatedContentInfo, - certificates [0] IMPLICIT pkcs-7-CertificateSet OPTIONAL, - crls [1] IMPLICIT pkcs-7-CertificateRevocationLists OPTIONAL, - signerInfos pkcs-7-SignerInfos -} - -pkcs-7-CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4) } - -pkcs-7-DigestAlgorithmIdentifiers ::= SET OF pkcs-7-DigestAlgorithmIdentifier - -pkcs-7-DigestAlgorithmIdentifier ::= AlgorithmIdentifier - -pkcs-7-EncapsulatedContentInfo ::= SEQUENCE { - eContentType pkcs-7-ContentType, - eContent [0] EXPLICIT OCTET STRING OPTIONAL } - --- We don't use CertificateList here since we only want --- to read the raw data. -pkcs-7-CertificateRevocationLists ::= SET OF ANY - -pkcs-7-CertificateChoices ::= CHOICE { --- Although the paper uses Certificate type, we --- don't use it since, we don't need to parse it. --- We only need to read and store it. - certificate ANY -} - -pkcs-7-CertificateSet ::= SET OF pkcs-7-CertificateChoices - -pkcs-7-SignerInfos ::= SET OF ANY -- this is not correct but we don't use it - -- anyway - - --- BEGIN of RFC2986 - --- Certificate requests -pkcs-10-CertificationRequestInfo ::= SEQUENCE { - version INTEGER { v1(0) }, - subject Name, - subjectPKInfo SubjectPublicKeyInfo, - attributes [0] Attributes -} - -Attributes ::= SET OF Attribute - -pkcs-10-CertificationRequest ::= SEQUENCE { - certificationRequestInfo pkcs-10-CertificationRequestInfo, - signatureAlgorithm AlgorithmIdentifier, - signature BIT STRING -} - --- stuff from PKCS#9 - -pkcs-9-at-challengePassword OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 7} - -pkcs-9-challengePassword ::= CHOICE { - printableString PrintableString, - utf8String UTF8String } - -pkcs-9-localKeyId ::= OCTET STRING - --- PKCS #8 stuff - --- Private-key information syntax - -pkcs-8-PrivateKeyInfo ::= SEQUENCE { - version pkcs-8-Version, - privateKeyAlgorithm AlgorithmIdentifier, - privateKey pkcs-8-PrivateKey, - attributes [0] Attributes OPTIONAL } - -pkcs-8-Version ::= INTEGER {v1(0)} - -pkcs-8-PrivateKey ::= OCTET STRING - -pkcs-8-Attributes ::= SET OF Attribute - --- Encrypted private-key information syntax - -pkcs-8-EncryptedPrivateKeyInfo ::= SEQUENCE { - encryptionAlgorithm AlgorithmIdentifier, - encryptedData pkcs-8-EncryptedData -} - -pkcs-8-EncryptedData ::= OCTET STRING - --- PKCS #5 stuff - -pkcs-5-des-EDE3-CBC-params ::= OCTET STRING (SIZE(8)) -pkcs-5-aes128-CBC-params ::= OCTET STRING (SIZE(16)) -pkcs-5-aes192-CBC-params ::= OCTET STRING (SIZE(16)) -pkcs-5-aes256-CBC-params ::= OCTET STRING (SIZE(16)) - -pkcs-5-PBES2-params ::= SEQUENCE { - keyDerivationFunc AlgorithmIdentifier, - encryptionScheme AlgorithmIdentifier } - --- PBKDF2 - --- pkcs-5-algid-hmacWithSHA1 AlgorithmIdentifier ::= --- {algorithm pkcs-5-id-hmacWithSHA1, parameters NULL : NULL} - -pkcs-5-PBKDF2-params ::= SEQUENCE { - salt CHOICE { - specified OCTET STRING, - otherSource AlgorithmIdentifier - }, - iterationCount INTEGER (1..MAX), - keyLength INTEGER (1..MAX) OPTIONAL, - prf AlgorithmIdentifier OPTIONAL -- DEFAULT pkcs-5-id-hmacWithSHA1 -} - --- PKCS #12 stuff - -pkcs-12-PFX ::= SEQUENCE { - version INTEGER {v3(3)}, - authSafe pkcs-7-ContentInfo, - macData pkcs-12-MacData OPTIONAL -} - -pkcs-12-PbeParams ::= SEQUENCE { - salt OCTET STRING, - iterations INTEGER -} - -pkcs-12-MacData ::= SEQUENCE { - mac pkcs-7-DigestInfo, - macSalt OCTET STRING, - iterations INTEGER DEFAULT 1 --- Note: The default is for historical reasons and its use is --- deprecated. A higher value, like 1024 is recommended. -} - -pkcs-12-AuthenticatedSafe ::= SEQUENCE OF pkcs-7-ContentInfo - -- Data if unencrypted - -- EncryptedData if password-encrypted - -- EnvelopedData if public key-encrypted - -pkcs-12-SafeContents ::= SEQUENCE OF pkcs-12-SafeBag - -pkcs-12-SafeBag ::= SEQUENCE { - bagId OBJECT IDENTIFIER, - bagValue [0] EXPLICIT ANY DEFINED BY badId, - bagAttributes SET OF pkcs-12-PKCS12Attribute OPTIONAL -} - --- Bag types - -pkcs-12-KeyBag ::= pkcs-8-PrivateKeyInfo - --- Shrouded KeyBag - -pkcs-12-PKCS8ShroudedKeyBag ::= pkcs-8-EncryptedPrivateKeyInfo - --- CertBag - -pkcs-12-CertBag ::= SEQUENCE { - certId OBJECT IDENTIFIER, - certValue [0] EXPLICIT ANY DEFINED BY certId -} - --- x509Certificate BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-certTypes 1}} --- DER-encoded X.509 certificate stored in OCTET STRING - -pkcs-12-CRLBag ::= SEQUENCE { - crlId OBJECT IDENTIFIER, - crlValue [0] EXPLICIT ANY DEFINED BY crlId -} - -pkcs-12-SecretBag ::= SEQUENCE { - secretTypeId OBJECT IDENTIFIER, - secretValue [0] EXPLICIT ANY DEFINED BY secretTypeId -} - --- x509CRL BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-crlTypes 1}} --- DER-encoded X.509 CRL stored in OCTET STRING - -pkcs-12-PKCS12Attribute ::= Attribute - --- PKCS #7 stuff (needed in PKCS 12) - -pkcs-7-Data ::= OCTET STRING - -pkcs-7-EncryptedData ::= SEQUENCE { - version pkcs-7-CMSVersion, - encryptedContentInfo pkcs-7-EncryptedContentInfo, - unprotectedAttrs [1] IMPLICIT pkcs-7-UnprotectedAttributes OPTIONAL } - -pkcs-7-EncryptedContentInfo ::= SEQUENCE { - contentType pkcs-7-ContentType, - contentEncryptionAlgorithm pkcs-7-ContentEncryptionAlgorithmIdentifier, - encryptedContent [0] IMPLICIT pkcs-7-EncryptedContent OPTIONAL } - -pkcs-7-ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier - -pkcs-7-EncryptedContent ::= OCTET STRING - -pkcs-7-UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute - --- rfc3820 - -ProxyCertInfo ::= SEQUENCE { - pCPathLenConstraint INTEGER (0..MAX) OPTIONAL, - proxyPolicy ProxyPolicy } - -ProxyPolicy ::= SEQUENCE { - policyLanguage OBJECT IDENTIFIER, - policy OCTET STRING OPTIONAL } - -END diff --git a/trust/pkix.asn.h b/trust/pkix.asn.h deleted file mode 100644 index d5d5cc4..0000000 --- a/trust/pkix.asn.h +++ /dev/null @@ -1,408 +0,0 @@ -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include <libtasn1.h> - -const ASN1_ARRAY_TYPE pkix_asn1_tab[] = { - { "PKIX1", 536875024, NULL }, - { NULL, 1073741836, NULL }, - { "id-pkix", 1879048204, NULL }, - { "iso", 1073741825, "1"}, - { "identified-organization", 1073741825, "3"}, - { "dod", 1073741825, "6"}, - { "internet", 1073741825, "1"}, - { "security", 1073741825, "5"}, - { "mechanisms", 1073741825, "5"}, - { "pkix", 1, "7"}, - { "AuthorityKeyIdentifier", 1610612741, NULL }, - { "keyIdentifier", 1610637314, "KeyIdentifier"}, - { NULL, 4104, "0"}, - { "authorityCertIssuer", 1610637314, "GeneralNames"}, - { NULL, 4104, "1"}, - { "authorityCertSerialNumber", 536895490, "CertificateSerialNumber"}, - { NULL, 4104, "2"}, - { "KeyIdentifier", 1073741831, NULL }, - { "SubjectKeyIdentifier", 1073741826, "KeyIdentifier"}, - { "KeyUsage", 1073741830, NULL }, - { "DirectoryString", 1610612754, NULL }, - { "teletexString", 1612709890, "TeletexString"}, - { "MAX", 524298, "1"}, - { "printableString", 1612709890, "PrintableString"}, - { "MAX", 524298, "1"}, - { "universalString", 1612709890, "UniversalString"}, - { "MAX", 524298, "1"}, - { "utf8String", 1612709890, "UTF8String"}, - { "MAX", 524298, "1"}, - { "bmpString", 1612709890, "BMPString"}, - { "MAX", 524298, "1"}, - { "ia5String", 538968066, "IA5String"}, - { "MAX", 524298, "1"}, - { "SubjectAltName", 1073741826, "GeneralNames"}, - { "GeneralNames", 1612709899, NULL }, - { "MAX", 1074266122, "1"}, - { NULL, 2, "GeneralName"}, - { "GeneralName", 1610612754, NULL }, - { "otherName", 1610620930, "AnotherName"}, - { NULL, 4104, "0"}, - { "rfc822Name", 1610620930, "IA5String"}, - { NULL, 4104, "1"}, - { "dNSName", 1610620930, "IA5String"}, - { NULL, 4104, "2"}, - { "x400Address", 1610620941, NULL }, - { NULL, 4104, "3"}, - { "directoryName", 1610620930, "RDNSequence"}, - { NULL, 2056, "4"}, - { "ediPartyName", 1610620941, NULL }, - { NULL, 4104, "5"}, - { "uniformResourceIdentifier", 1610620930, "IA5String"}, - { NULL, 4104, "6"}, - { "iPAddress", 1610620935, NULL }, - { NULL, 4104, "7"}, - { "registeredID", 536879116, NULL }, - { NULL, 4104, "8"}, - { "AnotherName", 1610612741, NULL }, - { "type-id", 1073741836, NULL }, - { "value", 541073421, NULL }, - { NULL, 1073743880, "0"}, - { "type-id", 1, NULL }, - { "IssuerAltName", 1073741826, "GeneralNames"}, - { "BasicConstraints", 1610612741, NULL }, - { "cA", 1610645508, NULL }, - { NULL, 131081, NULL }, - { "pathLenConstraint", 537411587, NULL }, - { "0", 10, "MAX"}, - { "CRLDistributionPoints", 1612709899, NULL }, - { "MAX", 1074266122, "1"}, - { NULL, 2, "DistributionPoint"}, - { "DistributionPoint", 1610612741, NULL }, - { "distributionPoint", 1610637314, "DistributionPointName"}, - { NULL, 2056, "0"}, - { "reasons", 1610637314, "ReasonFlags"}, - { NULL, 4104, "1"}, - { "cRLIssuer", 536895490, "GeneralNames"}, - { NULL, 4104, "2"}, - { "DistributionPointName", 1610612754, NULL }, - { "fullName", 1610620930, "GeneralNames"}, - { NULL, 4104, "0"}, - { "nameRelativeToCRLIssuer", 536879106, "RelativeDistinguishedName"}, - { NULL, 4104, "1"}, - { "ReasonFlags", 1073741830, NULL }, - { "ExtKeyUsageSyntax", 1612709899, NULL }, - { "MAX", 1074266122, "1"}, - { NULL, 2, "KeyPurposeId"}, - { "KeyPurposeId", 1073741836, NULL }, - { "CRLNumber", 1611137027, NULL }, - { "0", 10, "MAX"}, - { "CertificateIssuer", 1073741826, "GeneralNames"}, - { "NumericString", 1610620935, NULL }, - { NULL, 4360, "18"}, - { "IA5String", 1610620935, NULL }, - { NULL, 4360, "22"}, - { "TeletexString", 1610620935, NULL }, - { NULL, 4360, "20"}, - { "PrintableString", 1610620935, NULL }, - { NULL, 4360, "19"}, - { "UniversalString", 1610620935, NULL }, - { NULL, 4360, "28"}, - { "BMPString", 1610620935, NULL }, - { NULL, 4360, "30"}, - { "UTF8String", 1610620935, NULL }, - { NULL, 4360, "12"}, - { "Attribute", 1610612741, NULL }, - { "type", 1073741826, "AttributeType"}, - { "values", 536870927, NULL }, - { NULL, 2, "AttributeValue"}, - { "AttributeType", 1073741836, NULL }, - { "AttributeValue", 1614807053, NULL }, - { "type", 1, NULL }, - { "AttributeTypeAndValue", 1610612741, NULL }, - { "type", 1073741826, "AttributeType"}, - { "value", 2, "AttributeValue"}, - { "id-at", 1879048204, NULL }, - { "joint-iso-ccitt", 1073741825, "2"}, - { "ds", 1073741825, "5"}, - { NULL, 1, "4"}, - { "PostalAddress", 1610612747, NULL }, - { NULL, 2, "DirectoryString"}, - { "emailAddress", 1880096780, "AttributeType"}, - { "iso", 1073741825, "1"}, - { "member-body", 1073741825, "2"}, - { "us", 1073741825, "840"}, - { "rsadsi", 1073741825, "113549"}, - { "pkcs", 1073741825, "1"}, - { NULL, 1073741825, "9"}, - { NULL, 1, "1"}, - { "Pkcs9email", 1612709890, "IA5String"}, - { "ub-emailaddress-length", 524298, "1"}, - { "Name", 1610612754, NULL }, - { "rdnSequence", 2, "RDNSequence"}, - { "RDNSequence", 1610612747, NULL }, - { NULL, 2, "RelativeDistinguishedName"}, - { "DistinguishedName", 1073741826, "RDNSequence"}, - { "RelativeDistinguishedName", 1612709903, NULL }, - { "MAX", 1074266122, "1"}, - { NULL, 2, "AttributeTypeAndValue"}, - { "Certificate", 1610612741, NULL }, - { "tbsCertificate", 1073741826, "TBSCertificate"}, - { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, - { "signature", 6, NULL }, - { "TBSCertificate", 1610612741, NULL }, - { "version", 1610653698, "Version"}, - { NULL, 1073741833, "v1"}, - { NULL, 2056, "0"}, - { "serialNumber", 1073741826, "CertificateSerialNumber"}, - { "signature", 1073741826, "AlgorithmIdentifier"}, - { "issuer", 1073741826, "Name"}, - { "validity", 1073741826, "Validity"}, - { "subject", 1073741826, "Name"}, - { "subjectPublicKeyInfo", 1073741826, "SubjectPublicKeyInfo"}, - { "issuerUniqueID", 1610637314, "UniqueIdentifier"}, - { NULL, 4104, "1"}, - { "subjectUniqueID", 1610637314, "UniqueIdentifier"}, - { NULL, 4104, "2"}, - { "extensions", 536895490, "Extensions"}, - { NULL, 2056, "3"}, - { "Version", 1610874883, NULL }, - { "v1", 1073741825, "0"}, - { "v2", 1073741825, "1"}, - { "v3", 1, "2"}, - { "CertificateSerialNumber", 1073741827, NULL }, - { "Validity", 1610612741, NULL }, - { "notBefore", 1073741826, "Time"}, - { "notAfter", 2, "Time"}, - { "Time", 1610612754, NULL }, - { "utcTime", 1090519057, NULL }, - { "generalTime", 8388625, NULL }, - { "UniqueIdentifier", 1073741830, NULL }, - { "SubjectPublicKeyInfo", 1610612741, NULL }, - { "algorithm", 1073741826, "AlgorithmIdentifier"}, - { "subjectPublicKey", 6, NULL }, - { "Extensions", 1612709899, NULL }, - { "MAX", 1074266122, "1"}, - { NULL, 2, "Extension"}, - { "Extension", 1610612741, NULL }, - { "extnID", 1073741836, NULL }, - { "critical", 1610645508, NULL }, - { NULL, 131081, NULL }, - { "extnValue", 7, NULL }, - { "CertificateList", 1610612741, NULL }, - { "tbsCertList", 1073741826, "TBSCertList"}, - { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, - { "signature", 6, NULL }, - { "TBSCertList", 1610612741, NULL }, - { "version", 1073758210, "Version"}, - { "signature", 1073741826, "AlgorithmIdentifier"}, - { "issuer", 1073741826, "Name"}, - { "thisUpdate", 1073741826, "Time"}, - { "nextUpdate", 1073758210, "Time"}, - { "revokedCertificates", 1610629131, NULL }, - { NULL, 536870917, NULL }, - { "userCertificate", 1073741826, "CertificateSerialNumber"}, - { "revocationDate", 1073741826, "Time"}, - { "crlEntryExtensions", 16386, "Extensions"}, - { "crlExtensions", 536895490, "Extensions"}, - { NULL, 2056, "0"}, - { "AlgorithmIdentifier", 1610612741, NULL }, - { "algorithm", 1073741836, NULL }, - { "parameters", 541081613, NULL }, - { "algorithm", 1, NULL }, - { "Dss-Sig-Value", 1610612741, NULL }, - { "r", 1073741827, NULL }, - { "s", 3, NULL }, - { "DomainParameters", 1610612741, NULL }, - { "p", 1073741827, NULL }, - { "g", 1073741827, NULL }, - { "q", 1073741827, NULL }, - { "j", 1073758211, NULL }, - { "validationParms", 16386, "ValidationParms"}, - { "ValidationParms", 1610612741, NULL }, - { "seed", 1073741830, NULL }, - { "pgenCounter", 3, NULL }, - { "Dss-Parms", 1610612741, NULL }, - { "p", 1073741827, NULL }, - { "q", 1073741827, NULL }, - { "g", 3, NULL }, - { "CountryName", 1610620946, NULL }, - { NULL, 1073746952, "1"}, - { "x121-dcc-code", 1612709890, "NumericString"}, - { NULL, 1048586, "ub-country-name-numeric-length"}, - { "iso-3166-alpha2-code", 538968066, "PrintableString"}, - { NULL, 1048586, "ub-country-name-alpha-length"}, - { "OrganizationName", 1612709890, "PrintableString"}, - { "ub-organization-name-length", 524298, "1"}, - { "NumericUserIdentifier", 1612709890, "NumericString"}, - { "ub-numeric-user-id-length", 524298, "1"}, - { "OrganizationalUnitNames", 1612709899, NULL }, - { "ub-organizational-units", 1074266122, "1"}, - { NULL, 2, "OrganizationalUnitName"}, - { "OrganizationalUnitName", 1612709890, "PrintableString"}, - { "ub-organizational-unit-name-length", 524298, "1"}, - { "CommonName", 1073741826, "PrintableString"}, - { "pkcs-7-ContentInfo", 1610612741, NULL }, - { "contentType", 1073741826, "pkcs-7-ContentType"}, - { "content", 541073421, NULL }, - { NULL, 1073743880, "0"}, - { "contentType", 1, NULL }, - { "pkcs-7-DigestInfo", 1610612741, NULL }, - { "digestAlgorithm", 1073741826, "pkcs-7-DigestAlgorithmIdentifier"}, - { "digest", 2, "pkcs-7-Digest"}, - { "pkcs-7-Digest", 1073741831, NULL }, - { "pkcs-7-ContentType", 1073741836, NULL }, - { "pkcs-7-SignedData", 1610612741, NULL }, - { "version", 1073741826, "pkcs-7-CMSVersion"}, - { "digestAlgorithms", 1073741826, "pkcs-7-DigestAlgorithmIdentifiers"}, - { "encapContentInfo", 1073741826, "pkcs-7-EncapsulatedContentInfo"}, - { "certificates", 1610637314, "pkcs-7-CertificateSet"}, - { NULL, 4104, "0"}, - { "crls", 1610637314, "pkcs-7-CertificateRevocationLists"}, - { NULL, 4104, "1"}, - { "signerInfos", 2, "pkcs-7-SignerInfos"}, - { "pkcs-7-CMSVersion", 1610874883, NULL }, - { "v0", 1073741825, "0"}, - { "v1", 1073741825, "1"}, - { "v2", 1073741825, "2"}, - { "v3", 1073741825, "3"}, - { "v4", 1, "4"}, - { "pkcs-7-DigestAlgorithmIdentifiers", 1610612751, NULL }, - { NULL, 2, "pkcs-7-DigestAlgorithmIdentifier"}, - { "pkcs-7-DigestAlgorithmIdentifier", 1073741826, "AlgorithmIdentifier"}, - { "pkcs-7-EncapsulatedContentInfo", 1610612741, NULL }, - { "eContentType", 1073741826, "pkcs-7-ContentType"}, - { "eContent", 536895495, NULL }, - { NULL, 2056, "0"}, - { "pkcs-7-CertificateRevocationLists", 1610612751, NULL }, - { NULL, 13, NULL }, - { "pkcs-7-CertificateChoices", 1610612754, NULL }, - { "certificate", 13, NULL }, - { "pkcs-7-CertificateSet", 1610612751, NULL }, - { NULL, 2, "pkcs-7-CertificateChoices"}, - { "pkcs-7-SignerInfos", 1610612751, NULL }, - { NULL, 13, NULL }, - { "pkcs-10-CertificationRequestInfo", 1610612741, NULL }, - { "version", 1610874883, NULL }, - { "v1", 1, "0"}, - { "subject", 1073741826, "Name"}, - { "subjectPKInfo", 1073741826, "SubjectPublicKeyInfo"}, - { "attributes", 536879106, "Attributes"}, - { NULL, 4104, "0"}, - { "Attributes", 1610612751, NULL }, - { NULL, 2, "Attribute"}, - { "pkcs-10-CertificationRequest", 1610612741, NULL }, - { "certificationRequestInfo", 1073741826, "pkcs-10-CertificationRequestInfo"}, - { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, - { "signature", 6, NULL }, - { "pkcs-9-at-challengePassword", 1879048204, NULL }, - { "iso", 1073741825, "1"}, - { "member-body", 1073741825, "2"}, - { "us", 1073741825, "840"}, - { "rsadsi", 1073741825, "113549"}, - { "pkcs", 1073741825, "1"}, - { NULL, 1073741825, "9"}, - { NULL, 1, "7"}, - { "pkcs-9-challengePassword", 1610612754, NULL }, - { "printableString", 1073741826, "PrintableString"}, - { "utf8String", 2, "UTF8String"}, - { "pkcs-9-localKeyId", 1073741831, NULL }, - { "pkcs-8-PrivateKeyInfo", 1610612741, NULL }, - { "version", 1073741826, "pkcs-8-Version"}, - { "privateKeyAlgorithm", 1073741826, "AlgorithmIdentifier"}, - { "privateKey", 1073741826, "pkcs-8-PrivateKey"}, - { "attributes", 536895490, "Attributes"}, - { NULL, 4104, "0"}, - { "pkcs-8-Version", 1610874883, NULL }, - { "v1", 1, "0"}, - { "pkcs-8-PrivateKey", 1073741831, NULL }, - { "pkcs-8-Attributes", 1610612751, NULL }, - { NULL, 2, "Attribute"}, - { "pkcs-8-EncryptedPrivateKeyInfo", 1610612741, NULL }, - { "encryptionAlgorithm", 1073741826, "AlgorithmIdentifier"}, - { "encryptedData", 2, "pkcs-8-EncryptedData"}, - { "pkcs-8-EncryptedData", 1073741831, NULL }, - { "pkcs-5-des-EDE3-CBC-params", 1612709895, NULL }, - { NULL, 1048586, "8"}, - { "pkcs-5-aes128-CBC-params", 1612709895, NULL }, - { NULL, 1048586, "16"}, - { "pkcs-5-aes192-CBC-params", 1612709895, NULL }, - { NULL, 1048586, "16"}, - { "pkcs-5-aes256-CBC-params", 1612709895, NULL }, - { NULL, 1048586, "16"}, - { "pkcs-5-PBES2-params", 1610612741, NULL }, - { "keyDerivationFunc", 1073741826, "AlgorithmIdentifier"}, - { "encryptionScheme", 2, "AlgorithmIdentifier"}, - { "pkcs-5-PBKDF2-params", 1610612741, NULL }, - { "salt", 1610612754, NULL }, - { "specified", 1073741831, NULL }, - { "otherSource", 2, "AlgorithmIdentifier"}, - { "iterationCount", 1611137027, NULL }, - { "1", 10, "MAX"}, - { "keyLength", 1611153411, NULL }, - { "1", 10, "MAX"}, - { "prf", 16386, "AlgorithmIdentifier"}, - { "pkcs-12-PFX", 1610612741, NULL }, - { "version", 1610874883, NULL }, - { "v3", 1, "3"}, - { "authSafe", 1073741826, "pkcs-7-ContentInfo"}, - { "macData", 16386, "pkcs-12-MacData"}, - { "pkcs-12-PbeParams", 1610612741, NULL }, - { "salt", 1073741831, NULL }, - { "iterations", 3, NULL }, - { "pkcs-12-MacData", 1610612741, NULL }, - { "mac", 1073741826, "pkcs-7-DigestInfo"}, - { "macSalt", 1073741831, NULL }, - { "iterations", 536903683, NULL }, - { NULL, 9, "1"}, - { "pkcs-12-AuthenticatedSafe", 1610612747, NULL }, - { NULL, 2, "pkcs-7-ContentInfo"}, - { "pkcs-12-SafeContents", 1610612747, NULL }, - { NULL, 2, "pkcs-12-SafeBag"}, - { "pkcs-12-SafeBag", 1610612741, NULL }, - { "bagId", 1073741836, NULL }, - { "bagValue", 1614815245, NULL }, - { NULL, 1073743880, "0"}, - { "badId", 1, NULL }, - { "bagAttributes", 536887311, NULL }, - { NULL, 2, "pkcs-12-PKCS12Attribute"}, - { "pkcs-12-KeyBag", 1073741826, "pkcs-8-PrivateKeyInfo"}, - { "pkcs-12-PKCS8ShroudedKeyBag", 1073741826, "pkcs-8-EncryptedPrivateKeyInfo"}, - { "pkcs-12-CertBag", 1610612741, NULL }, - { "certId", 1073741836, NULL }, - { "certValue", 541073421, NULL }, - { NULL, 1073743880, "0"}, - { "certId", 1, NULL }, - { "pkcs-12-CRLBag", 1610612741, NULL }, - { "crlId", 1073741836, NULL }, - { "crlValue", 541073421, NULL }, - { NULL, 1073743880, "0"}, - { "crlId", 1, NULL }, - { "pkcs-12-SecretBag", 1610612741, NULL }, - { "secretTypeId", 1073741836, NULL }, - { "secretValue", 541073421, NULL }, - { NULL, 1073743880, "0"}, - { "secretTypeId", 1, NULL }, - { "pkcs-12-PKCS12Attribute", 1073741826, "Attribute"}, - { "pkcs-7-Data", 1073741831, NULL }, - { "pkcs-7-EncryptedData", 1610612741, NULL }, - { "version", 1073741826, "pkcs-7-CMSVersion"}, - { "encryptedContentInfo", 1073741826, "pkcs-7-EncryptedContentInfo"}, - { "unprotectedAttrs", 536895490, "pkcs-7-UnprotectedAttributes"}, - { NULL, 4104, "1"}, - { "pkcs-7-EncryptedContentInfo", 1610612741, NULL }, - { "contentType", 1073741826, "pkcs-7-ContentType"}, - { "contentEncryptionAlgorithm", 1073741826, "pkcs-7-ContentEncryptionAlgorithmIdentifier"}, - { "encryptedContent", 536895490, "pkcs-7-EncryptedContent"}, - { NULL, 4104, "0"}, - { "pkcs-7-ContentEncryptionAlgorithmIdentifier", 1073741826, "AlgorithmIdentifier"}, - { "pkcs-7-EncryptedContent", 1073741831, NULL }, - { "pkcs-7-UnprotectedAttributes", 1612709903, NULL }, - { "MAX", 1074266122, "1"}, - { NULL, 2, "Attribute"}, - { "ProxyCertInfo", 1610612741, NULL }, - { "pCPathLenConstraint", 1611153411, NULL }, - { "0", 10, "MAX"}, - { "proxyPolicy", 2, "ProxyPolicy"}, - { "ProxyPolicy", 536870917, NULL }, - { "policyLanguage", 1073741836, NULL }, - { "policy", 16391, NULL }, - { NULL, 0, NULL } -}; diff --git a/trust/save.c b/trust/save.c deleted file mode 100644 index 66c9050..0000000 --- a/trust/save.c +++ /dev/null @@ -1,593 +0,0 @@ -/* - * Copyright (c) 2013, Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#include "buffer.h" -#include "debug.h" -#include "dict.h" -#include "message.h" -#include "save.h" - -#include <sys/stat.h> - -#include <assert.h> -#include <dirent.h> -#include <errno.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> - -struct _p11_save_file { - char *bare; - char *extension; - char *temp; - int fd; - int flags; -}; - -struct _p11_save_dir { - p11_dict *cache; - char *path; - int flags; -}; - -static char * make_unique_name (const char *bare, - const char *extension, - int (*check) (void *, char *), - void *data); - -bool -p11_save_write_and_finish (p11_save_file *file, - const void *data, - ssize_t length) -{ - bool ret; - - if (!file) - return false; - - ret = p11_save_write (file, data, length); - if (!p11_save_finish_file (file, NULL, ret)) - ret = false; - - return ret; -} - -p11_save_file * -p11_save_open_file (const char *path, - const char *extension, - int flags) -{ - p11_save_file *file; - char *temp; - int fd; - - return_val_if_fail (path != NULL, NULL); - - if (extension == NULL) - extension = ""; - - if (asprintf (&temp, "%s%s.XXXXXX", path, extension) < 0) - return_val_if_reached (NULL); - - fd = mkstemp (temp); - if (fd < 0) { - p11_message_err (errno, "couldn't create file: %s%s", path, extension); - free (temp); - return NULL; - } - - file = calloc (1, sizeof (p11_save_file)); - return_val_if_fail (file != NULL, NULL); - file->temp = temp; - file->bare = strdup (path); - return_val_if_fail (file->bare != NULL, NULL); - file->extension = strdup (extension); - return_val_if_fail (file->extension != NULL, NULL); - file->flags = flags; - file->fd = fd; - - return file; -} - -bool -p11_save_write (p11_save_file *file, - const void *data, - ssize_t length) -{ - const unsigned char *buf = data; - ssize_t written = 0; - ssize_t res; - - if (!file) - return false; - - /* Automatically calculate length */ - if (length < 0) { - if (!data) - return true; - length = strlen (data); - } - - while (written < length) { - res = write (file->fd, buf + written, length - written); - if (res <= 0) { - if (errno == EAGAIN || errno == EINTR) - continue; - p11_message_err (errno, "couldn't write to file: %s", file->temp); - return false; - } else { - written += res; - } - } - - return true; -} - -static void -filo_free (p11_save_file *file) -{ - free (file->temp); - free (file->bare); - free (file->extension); - free (file); -} - -#ifdef OS_UNIX - -static int -on_unique_try_link (void *data, - char *path) -{ - p11_save_file *file = data; - - if (link (file->temp, path) < 0) { - if (errno == EEXIST) - return 0; /* Continue trying other names */ - p11_message_err (errno, "couldn't complete writing of file: %s", path); - return -1; - } - - return 1; /* All done */ -} - -#else /* OS_WIN32 */ - -static int -on_unique_try_rename (void *data, - char *path) -{ - p11_save_file *file = data; - - if (rename (file->temp, path) < 0) { - if (errno == EEXIST) - return 0; /* Continue trying other names */ - p11_message ("couldn't complete writing of file: %s", path); - return -1; - } - - return 1; /* All done */ -} - -#endif /* OS_WIN32 */ - -bool -p11_save_finish_file (p11_save_file *file, - char **path_out, - bool commit) -{ - bool ret = true; - char *path; - - if (!file) - return false; - - if (!commit) { - close (file->fd); - unlink (file->temp); - filo_free (file); - return true; - } - - if (asprintf (&path, "%s%s", file->bare, file->extension) < 0) - return_val_if_reached (false); - - if (close (file->fd) < 0) { - p11_message_err (errno, "couldn't write file: %s", file->temp); - ret = false; - -#ifdef OS_UNIX - /* Set the mode of the file, readable by everyone, but not writable */ - } else if (chmod (file->temp, S_IRUSR | S_IRGRP | S_IROTH) < 0) { - p11_message_err (errno, "couldn't set file permissions: %s", file->temp); - ret = false; - - /* Atomically rename the tempfile over the filename */ - } else if (file->flags & P11_SAVE_OVERWRITE) { - if (rename (file->temp, path) < 0) { - p11_message_err (errno, "couldn't complete writing file: %s", path); - ret = false; - } else { - unlink (file->temp); - } - - /* Create a unique name if requested unique file name */ - } else if (file->flags & P11_SAVE_UNIQUE) { - free (path); - path = make_unique_name (file->bare, file->extension, - on_unique_try_link, file); - if (!path) - ret = false; - unlink (file->temp); - - /* When not overwriting, link will fail if filename exists. */ - } else { - if (link (file->temp, path) < 0) { - p11_message_err (errno, "couldn't complete writing of file: %s", path); - ret = false; - } - unlink (file->temp); - -#else /* OS_WIN32 */ - - /* Windows does not do atomic renames, so delete original file first */ - } else { - /* Create a unique name if requested unique file name */ - if (file->flags & P11_SAVE_UNIQUE) { - free (path); - path = make_unique_name (file->bare, file->extension, - on_unique_try_rename, file); - if (!path) - ret = false; - - } else if ((file->flags & P11_SAVE_OVERWRITE) && - unlink (path) < 0 && errno != ENOENT) { - p11_message_err (errno, "couldn't remove original file: %s", path); - ret = false; - } - - if (ret == true && - rename (file->temp, path) < 0) { - p11_message_err (errno, "couldn't complete writing file: %s", path); - ret = false; - } - - unlink (file->temp); - -#endif /* OS_WIN32 */ - } - - if (ret && path_out) { - *path_out = path; - path = NULL; - } - - free (path); - filo_free (file); - return ret; -} - -p11_save_dir * -p11_save_open_directory (const char *path, - int flags) -{ -#ifdef OS_UNIX - struct stat sb; -#endif - p11_save_dir *dir; - - return_val_if_fail (path != NULL, NULL); - -#ifdef OS_UNIX - /* We update the permissions when we finish writing */ - if (mkdir (path, S_IRWXU) < 0) { -#else /* OS_WIN32 */ - if (mkdir (path) < 0) { -#endif - /* Some random error, report it */ - if (errno != EEXIST) { - p11_message_err (errno, "couldn't create directory: %s", path); - - /* The directory exists and we're not overwriting */ - } else if (!(flags & P11_SAVE_OVERWRITE)) { - p11_message ("directory already exists: %s", path); - return NULL; - } -#ifdef OS_UNIX - /* - * If the directory exists on unix, we may have restricted - * the directory permissions to read-only. We have to change - * them back to writable in order for things to work. - */ - if (stat (path, &sb) >= 0) { - if ((sb.st_mode & S_IRWXU) != S_IRWXU && - chmod (path, S_IRWXU | sb.st_mode) < 0) { - p11_message_err (errno, "couldn't make directory writable: %s", path); - return NULL; - } - } -#endif /* OS_UNIX */ - } - - dir = calloc (1, sizeof (p11_save_dir)); - return_val_if_fail (dir != NULL, NULL); - - dir->path = strdup (path); - return_val_if_fail (dir->path != NULL, NULL); - - dir->cache = p11_dict_new (p11_dict_str_hash, p11_dict_str_equal, free, NULL); - return_val_if_fail (dir->cache != NULL, NULL); - - dir->flags = flags; - return dir; -} - -static char * -make_unique_name (const char *bare, - const char *extension, - int (*check) (void *, char *), - void *data) -{ - char unique[16]; - p11_buffer buf; - int ret; - int i; - - assert (bare != NULL); - assert (check != NULL); - - p11_buffer_init_null (&buf, 0); - - for (i = 0; true; i++) { - - p11_buffer_reset (&buf, 64); - - switch (i) { - - /* - * For the first iteration, just build the filename as - * provided by the caller. - */ - case 0: - p11_buffer_add (&buf, bare, -1); - break; - - /* - * On later iterations we try to add a numeric .N suffix - * before the extension, so the resulting file might look - * like filename.1.ext. - * - * As a special case if the extension is already '.0' then - * just just keep incerementing that. - */ - case 1: - if (extension && strcmp (extension, ".0") == 0) - extension = NULL; - /* fall through */ - - default: - p11_buffer_add (&buf, bare, -1); - snprintf (unique, sizeof (unique), ".%d", i); - p11_buffer_add (&buf, unique, -1); - break; - } - - if (extension) - p11_buffer_add (&buf, extension, -1); - - return_val_if_fail (p11_buffer_ok (&buf), NULL); - - ret = check (data, buf.data); - if (ret < 0) - return NULL; - else if (ret > 0) - return p11_buffer_steal (&buf, NULL); - } - - assert_not_reached (); -} - -static int -on_unique_check_dir (void *data, - char *name) -{ - p11_save_dir *dir = data; - - if (!p11_dict_get (dir->cache, name)) - return 1; - - return 0; /* Keep looking */ -} - -p11_save_file * -p11_save_open_file_in (p11_save_dir *dir, - const char *basename, - const char *extension) -{ - p11_save_file *file = NULL; - char *name; - char *path; - - return_val_if_fail (dir != NULL, NULL); - return_val_if_fail (basename != NULL, NULL); - - name = make_unique_name (basename, extension, on_unique_check_dir, dir); - return_val_if_fail (name != NULL, NULL); - - if (asprintf (&path, "%s/%s", dir->path, name) < 0) - return_val_if_reached (NULL); - - file = p11_save_open_file (path, NULL, dir->flags); - - if (file) { - if (!p11_dict_set (dir->cache, name, name)) - return_val_if_reached (NULL); - name = NULL; - } - - free (name); - free (path); - - return file; -} - -#ifdef OS_UNIX - -bool -p11_save_symlink_in (p11_save_dir *dir, - const char *linkname, - const char *extension, - const char *destination) -{ - char *name; - char *path; - bool ret; - - return_val_if_fail (dir != NULL, false); - return_val_if_fail (linkname != NULL, false); - return_val_if_fail (destination != NULL, false); - - name = make_unique_name (linkname, extension, on_unique_check_dir, dir); - return_val_if_fail (name != NULL, false); - - if (asprintf (&path, "%s/%s", dir->path, name) < 0) - return_val_if_reached (false); - - unlink (path); - - if (symlink (destination, path) < 0) { - p11_message_err (errno, "couldn't create symlink: %s", path); - ret = false; - } else { - if (!p11_dict_set (dir->cache, name, name)) - return_val_if_reached (false); - name = NULL; - ret = true; - } - - free (path); - free (name); - - return ret; -} - -#endif /* OS_UNIX */ - -static bool -cleanup_directory (const char *directory, - p11_dict *cache) -{ - struct dirent *dp; - struct stat st; - p11_dict *remove; - p11_dictiter iter; - char *path; - DIR *dir; - bool ret; - - /* First we load all the modules */ - dir = opendir (directory); - if (!dir) { - p11_message_err (errno, "couldn't list directory: %s", directory); - return false; - } - - remove = p11_dict_new (p11_dict_str_hash, p11_dict_str_equal, free, NULL); - - while ((dp = readdir (dir)) != NULL) { - if (p11_dict_get (cache, dp->d_name)) - continue; - - if (asprintf (&path, "%s/%s", directory, dp->d_name) < 0) - return_val_if_reached (false); - - - if (stat (path, &st) >= 0 && !S_ISDIR (st.st_mode)) { - if (!p11_dict_set (remove, path, path)) - return_val_if_reached (false); - } else { - free (path); - } - } - - closedir (dir); - - ret = true; - - /* Remove all the files still in the cache */ - p11_dict_iterate (remove, &iter); - while (p11_dict_next (&iter, (void **)&path, NULL)) { - if (unlink (path) < 0 && errno != ENOENT) { - p11_message_err (errno, "couldn't remove file: %s", path); - ret = false; - break; - } - } - - p11_dict_free (remove); - - return ret; -} - -bool -p11_save_finish_directory (p11_save_dir *dir, - bool commit) -{ - bool ret = true; - - if (!dir) - return false; - - if (commit) { - if (dir->flags & P11_SAVE_OVERWRITE) - ret = cleanup_directory (dir->path, dir->cache); - -#ifdef OS_UNIX - /* Try to set the mode of the directory to readable */ - if (ret && chmod (dir->path, S_IRUSR | S_IXUSR | S_IRGRP | - S_IXGRP | S_IROTH | S_IXOTH) < 0) { - p11_message_err (errno, "couldn't set directory permissions: %s", dir->path); - ret = false; - } -#endif /* OS_UNIX */ - } - - p11_dict_free (dir->cache); - free (dir->path); - free (dir); - - return ret; -} diff --git a/trust/save.h b/trust/save.h deleted file mode 100644 index 81f1044..0000000 --- a/trust/save.h +++ /dev/null @@ -1,85 +0,0 @@ -/* - * Copyright (c) 2013, Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#ifndef P11_SAVE_H_ -#define P11_SAVE_H_ - -#include "compat.h" - -enum { - P11_SAVE_OVERWRITE = 1 << 0, - P11_SAVE_UNIQUE = 1 << 1, -}; - -typedef struct _p11_save_file p11_save_file; -typedef struct _p11_save_dir p11_save_dir; - -p11_save_file * p11_save_open_file (const char *path, - const char *extension, - int flags); - -bool p11_save_write (p11_save_file *file, - const void *data, - ssize_t length); - -bool p11_save_write_and_finish (p11_save_file *file, - const void *data, - ssize_t length); - -bool p11_save_finish_file (p11_save_file *file, - char **path, - bool commit); - -const char * p11_save_file_name (p11_save_file *file); - -p11_save_dir * p11_save_open_directory (const char *path, - int flags); - -p11_save_file * p11_save_open_file_in (p11_save_dir *directory, - const char *basename, - const char *extension); - -#ifdef OS_UNIX - -bool p11_save_symlink_in (p11_save_dir *dir, - const char *linkname, - const char *extension, - const char *destination); - -#endif /* OS_UNIX */ - -bool p11_save_finish_directory (p11_save_dir *dir, - bool commit); - -#endif /* P11_SAVE_H_ */ diff --git a/trust/session.c b/trust/session.c deleted file mode 100644 index b93a5c3..0000000 --- a/trust/session.c +++ /dev/null @@ -1,97 +0,0 @@ -/* - * Copyright (C) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#include "attrs.h" -#define P11_DEBUG_FLAG P11_DEBUG_TRUST -#include "debug.h" -#include "dict.h" -#include "message.h" -#include "pkcs11.h" -#include "module.h" -#include "session.h" - -#include <assert.h> -#include <ctype.h> -#include <stdlib.h> -#include <string.h> - -p11_session * -p11_session_new (p11_token *token) -{ - p11_session *session; - - session = calloc (1, sizeof (p11_session)); - return_val_if_fail (session != NULL, NULL); - - session->handle = p11_module_next_id (); - - session->builder = p11_builder_new (P11_BUILDER_FLAG_NONE); - return_val_if_fail (session->builder, NULL); - - session->index = p11_index_new (p11_builder_build, NULL, NULL, - p11_builder_changed, - session->builder); - return_val_if_fail (session->index != NULL, NULL); - - session->token = token; - - return session; -} - -void -p11_session_free (void *data) -{ - p11_session *session = data; - - p11_session_set_operation (session, NULL, NULL); - p11_builder_free (session->builder); - p11_index_free (session->index); - - free (session); -} - -void -p11_session_set_operation (p11_session *session, - p11_session_cleanup cleanup, - void *operation) -{ - assert (session != NULL); - - if (session->cleanup) - (session->cleanup) (session->operation); - session->cleanup = cleanup; - session->operation = operation; -} diff --git a/trust/session.h b/trust/session.h deleted file mode 100644 index ec394b1..0000000 --- a/trust/session.h +++ /dev/null @@ -1,66 +0,0 @@ -/* - * Copyright (C) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "builder.h" -#include "index.h" -#include "pkcs11.h" -#include "token.h" - -#ifndef P11_SESSION_H_ -#define P11_SESSION_H_ - -typedef void (* p11_session_cleanup) (void *data); - -typedef struct { - CK_SESSION_HANDLE handle; - p11_index *index; - p11_builder *builder; - p11_token *token; - CK_BBOOL loaded; - bool read_write; - - /* Used by various operations */ - p11_session_cleanup cleanup; - void *operation; -} p11_session; - -p11_session * p11_session_new (p11_token *token); - -void p11_session_free (void *data); - -void p11_session_set_operation (p11_session *session, - p11_session_cleanup cleanup, - void *operation); - -#endif /* P11_SESSION_H_ */ diff --git a/trust/test-asn1.c b/trust/test-asn1.c deleted file mode 100644 index df75dfd..0000000 --- a/trust/test-asn1.c +++ /dev/null @@ -1,164 +0,0 @@ -/* - * Copyright (c) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@gnome.org> - */ - -#include "config.h" -#include "test.h" - -#include "asn1.h" -#include "debug.h" -#include "oid.h" -#include "x509.h" - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> - -struct { - p11_dict *asn1_defs; -} test; - -static void -setup (void *unused) -{ - test.asn1_defs = p11_asn1_defs_load (); - assert_ptr_not_null (test.asn1_defs); -} - -static void -teardown (void *unused) -{ - p11_dict_free (test.asn1_defs); - memset (&test, 0, sizeof (test)); -} - -static void -test_tlv_length (void) -{ - struct { - const char *der; - size_t der_len; - int expected; - } tlv_lengths[] = { - { "\x01\x01\x00", 3, 3 }, - { "\x01\x01\x00\x01\x02", 5, 3 }, - { "\x01\x05\x00", 3, -1 }, - { NULL } - }; - - int length; - int i; - - for (i = 0; tlv_lengths[i].der != NULL; i++) { - length = p11_asn1_tlv_length ((const unsigned char *)tlv_lengths[i].der, tlv_lengths[i].der_len); - assert_num_eq (tlv_lengths[i].expected, length); - } -} - -static const unsigned char test_eku_server_and_client[] = { - 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, - 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, -}; - -static void -test_asn1_cache (void) -{ - p11_asn1_cache *cache; - p11_dict *defs; - node_asn *asn; - node_asn *check; - - cache = p11_asn1_cache_new (); - assert_ptr_not_null (cache); - - defs = p11_asn1_cache_defs (cache); - assert_ptr_not_null (defs); - - asn = p11_asn1_decode (defs, "PKIX1.ExtKeyUsageSyntax", - test_eku_server_and_client, - sizeof (test_eku_server_and_client), NULL); - assert_ptr_not_null (defs); - - /* Place the parsed data in the cache */ - p11_asn1_cache_take (cache, asn, "PKIX1.ExtKeyUsageSyntax", - test_eku_server_and_client, - sizeof (test_eku_server_and_client)); - - /* Get it back out */ - check = p11_asn1_cache_get (cache, "PKIX1.ExtKeyUsageSyntax", - test_eku_server_and_client, - sizeof (test_eku_server_and_client)); - assert_ptr_eq (asn, check); - - /* Flush should remove it */ - p11_asn1_cache_flush (cache); - check = p11_asn1_cache_get (cache, "PKIX1.ExtKeyUsageSyntax", - test_eku_server_and_client, - sizeof (test_eku_server_and_client)); - assert_ptr_eq (NULL, check); - - p11_asn1_cache_free (cache); -} - -static void -test_asn1_free (void) -{ - p11_dict *defs; - node_asn *asn; - - defs = p11_asn1_defs_load (); - assert_ptr_not_null (defs); - - asn = p11_asn1_decode (defs, "PKIX1.ExtKeyUsageSyntax", - test_eku_server_and_client, - sizeof (test_eku_server_and_client), NULL); - assert_ptr_not_null (asn); - - p11_asn1_free (asn); - p11_asn1_free (NULL); - p11_dict_free (defs); -} - -int -main (int argc, - char *argv[]) -{ - p11_fixture (setup, teardown); - p11_test (test_tlv_length, "/asn1/tlv_length"); - - p11_fixture (NULL, NULL); - p11_test (test_asn1_cache, "/asn1/asn1_cache"); - p11_test (test_asn1_free, "/asn1/free"); - - return p11_test_run (argc, argv); -} diff --git a/trust/test-base64.c b/trust/test-base64.c deleted file mode 100644 index ce303e8..0000000 --- a/trust/test-base64.c +++ /dev/null @@ -1,204 +0,0 @@ -/* - * Copyright (c) 2013 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" -#include "test.h" - -#include "base64.h" -#include "debug.h" -#include "message.h" - -#include <assert.h> -#include <string.h> -#include <stdio.h> -#include <stdlib.h> - -static void -check_decode_msg (const char *file, - int line, - const char *function, - const char *input, - ssize_t input_len, - const unsigned char *expected, - ssize_t expected_len) -{ - unsigned char decoded[8192]; - int length; - - if (input_len < 0) - input_len = strlen (input); - if (expected_len < 0) - expected_len = strlen ((char *)expected); - length = p11_b64_pton (input, input_len, decoded, sizeof (decoded)); - - if (expected == NULL) { - if (length >= 0) - p11_test_fail (file, line, function, "decoding should have failed"); - - } else { - if (length < 0) - p11_test_fail (file, line, function, "decoding failed"); - if (expected_len != length) - p11_test_fail (file, line, function, "wrong length: (%lu != %lu)", - (unsigned long)expected_len, (unsigned long)length); - if (memcmp (decoded, expected, length) != 0) - p11_test_fail (file, line, function, "decoded wrong"); - } -} - -#define check_decode_success(input, input_len, expected, expected_len) \ - check_decode_msg (__FILE__, __LINE__, __FUNCTION__, input, input_len, expected, expected_len) - -#define check_decode_failure(input, input_len) \ - check_decode_msg (__FILE__, __LINE__, __FUNCTION__, input, input_len, NULL, 0) - -static void -test_decode_simple (void) -{ - check_decode_success ("", 0, (unsigned char *)"", 0); - check_decode_success ("MQ==", 0, (unsigned char *)"1", 0); - check_decode_success ("YmxhaAo=", -1, (unsigned char *)"blah\n", -1); - check_decode_success ("bGVlbGEK", -1, (unsigned char *)"leela\n", -1); - check_decode_success ("bGVlbG9vCg==", -1, (unsigned char *)"leeloo\n", -1); -} - -static void -test_decode_thawte (void) -{ - const char *input = - "MIIEKjCCAxKgAwIBAgIQYAGXt0an6rS0mtZLL/eQ+zANBgkqhkiG9w0BAQsFADCB" - "rjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf" - "Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw" - "MDggdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxJDAiBgNV" - "BAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EgLSBHMzAeFw0wODA0MDIwMDAwMDBa" - "Fw0zNzEyMDEyMzU5NTlaMIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3Rl" - "LCBJbmMuMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9u" - "MTgwNgYDVQQLEy8oYykgMjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXpl" - "ZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcz" - "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsr8nLPvb2FvdeHsbnndm" - "gcs+vHyu86YnmjSjaDFxODNi5PNxZnmxqWWjpYvVj2AtP0LMqmsywCPLLEHd5N/8" - "YZzic7IilRFDGF/Eth9XbAoFWCLINkw6fKXRz4aviKdEAhN0cXMKQlkC+BsUa0Lf" - "b1+6a4KinVvnSr0eAXLbS3ToO39/fR8EtCab4LRarEc9VbjXsCZSKAExQGbY2SS9" - "9irY7CFJXJv2eul/VTV+lmuNk5Mny5K76qxAwJ/C+IDPXfRa3M50hqY+bAtTyr2S" - "zhkGcuYMXDhpxwTWvGzOW/b3aJzcJRVIiKHpqfiYnODz1TEoYRFsZ5aNOZnLwkUk" - "OQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV" - "HQ4EFgQUrWyqlGCc7eT/+j4KdCtjA/e2Wb8wDQYJKoZIhvcNAQELBQADggEBABpA" - "2JVlrAmSicY59BDlqQ5mU1143vokkbvnRFHfxhY0Cu9qRFHqKweKA3rD6z8KLFIW" - "oCtDuSWQP3CpMyVtRRooOyfPqsMpQhvfO0zAMzRbQYi/aytlryjvsvXDqmbOe1bu" - "t8jLZ8HJnBoYuMTDSQPxYA5QzUbF83d597YV4Djbxy8ooAw/dyZ02SUS2jHaGh7c" - "KUGRIjxpp7sC8rZcJwOJ9Abqm+RyguOhCcHpABnTPtRwa7pxpqpYrvS76Wy274fM" - "m7v/OeZWYdMKp8RcTGB7BXcmer/YB1IsYvdwY9k5vG8cwnncdimvzsUsZAReiDZu" - "MdRAGmI0Nj81Aa6sY6A="; - - const unsigned char output[] = { - 0x30, 0x82, 0x04, 0x2a, 0x30, 0x82, 0x03, 0x12, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x60, - 0x01, 0x97, 0xb7, 0x46, 0xa7, 0xea, 0xb4, 0xb4, 0x9a, 0xd6, 0x4b, 0x2f, 0xf7, 0x90, 0xfb, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, - 0xae, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x15, - 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0c, 0x74, 0x68, 0x61, 0x77, 0x74, 0x65, 0x2c, - 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x28, 0x30, 0x26, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1f, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x53, 0x65, - 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x20, 0x44, 0x69, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x31, - 0x38, 0x30, 0x36, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x2f, 0x28, 0x63, 0x29, 0x20, 0x32, 0x30, - 0x30, 0x38, 0x20, 0x74, 0x68, 0x61, 0x77, 0x74, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x20, - 0x2d, 0x20, 0x46, 0x6f, 0x72, 0x20, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, - 0x20, 0x75, 0x73, 0x65, 0x20, 0x6f, 0x6e, 0x6c, 0x79, 0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, - 0x04, 0x03, 0x13, 0x1b, 0x74, 0x68, 0x61, 0x77, 0x74, 0x65, 0x20, 0x50, 0x72, 0x69, 0x6d, 0x61, - 0x72, 0x79, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x20, 0x2d, 0x20, 0x47, 0x33, 0x30, - 0x1e, 0x17, 0x0d, 0x30, 0x38, 0x30, 0x34, 0x30, 0x32, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, - 0x17, 0x0d, 0x33, 0x37, 0x31, 0x32, 0x30, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, - 0x81, 0xae, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, - 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0c, 0x74, 0x68, 0x61, 0x77, 0x74, 0x65, - 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x28, 0x30, 0x26, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, - 0x1f, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x53, - 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x20, 0x44, 0x69, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, - 0x31, 0x38, 0x30, 0x36, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x2f, 0x28, 0x63, 0x29, 0x20, 0x32, - 0x30, 0x30, 0x38, 0x20, 0x74, 0x68, 0x61, 0x77, 0x74, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, - 0x20, 0x2d, 0x20, 0x46, 0x6f, 0x72, 0x20, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, - 0x64, 0x20, 0x75, 0x73, 0x65, 0x20, 0x6f, 0x6e, 0x6c, 0x79, 0x31, 0x24, 0x30, 0x22, 0x06, 0x03, - 0x55, 0x04, 0x03, 0x13, 0x1b, 0x74, 0x68, 0x61, 0x77, 0x74, 0x65, 0x20, 0x50, 0x72, 0x69, 0x6d, - 0x61, 0x72, 0x79, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x20, 0x2d, 0x20, 0x47, 0x33, - 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, - 0x00, 0xb2, 0xbf, 0x27, 0x2c, 0xfb, 0xdb, 0xd8, 0x5b, 0xdd, 0x78, 0x7b, 0x1b, 0x9e, 0x77, 0x66, - 0x81, 0xcb, 0x3e, 0xbc, 0x7c, 0xae, 0xf3, 0xa6, 0x27, 0x9a, 0x34, 0xa3, 0x68, 0x31, 0x71, 0x38, - 0x33, 0x62, 0xe4, 0xf3, 0x71, 0x66, 0x79, 0xb1, 0xa9, 0x65, 0xa3, 0xa5, 0x8b, 0xd5, 0x8f, 0x60, - 0x2d, 0x3f, 0x42, 0xcc, 0xaa, 0x6b, 0x32, 0xc0, 0x23, 0xcb, 0x2c, 0x41, 0xdd, 0xe4, 0xdf, 0xfc, - 0x61, 0x9c, 0xe2, 0x73, 0xb2, 0x22, 0x95, 0x11, 0x43, 0x18, 0x5f, 0xc4, 0xb6, 0x1f, 0x57, 0x6c, - 0x0a, 0x05, 0x58, 0x22, 0xc8, 0x36, 0x4c, 0x3a, 0x7c, 0xa5, 0xd1, 0xcf, 0x86, 0xaf, 0x88, 0xa7, - 0x44, 0x02, 0x13, 0x74, 0x71, 0x73, 0x0a, 0x42, 0x59, 0x02, 0xf8, 0x1b, 0x14, 0x6b, 0x42, 0xdf, - 0x6f, 0x5f, 0xba, 0x6b, 0x82, 0xa2, 0x9d, 0x5b, 0xe7, 0x4a, 0xbd, 0x1e, 0x01, 0x72, 0xdb, 0x4b, - 0x74, 0xe8, 0x3b, 0x7f, 0x7f, 0x7d, 0x1f, 0x04, 0xb4, 0x26, 0x9b, 0xe0, 0xb4, 0x5a, 0xac, 0x47, - 0x3d, 0x55, 0xb8, 0xd7, 0xb0, 0x26, 0x52, 0x28, 0x01, 0x31, 0x40, 0x66, 0xd8, 0xd9, 0x24, 0xbd, - 0xf6, 0x2a, 0xd8, 0xec, 0x21, 0x49, 0x5c, 0x9b, 0xf6, 0x7a, 0xe9, 0x7f, 0x55, 0x35, 0x7e, 0x96, - 0x6b, 0x8d, 0x93, 0x93, 0x27, 0xcb, 0x92, 0xbb, 0xea, 0xac, 0x40, 0xc0, 0x9f, 0xc2, 0xf8, 0x80, - 0xcf, 0x5d, 0xf4, 0x5a, 0xdc, 0xce, 0x74, 0x86, 0xa6, 0x3e, 0x6c, 0x0b, 0x53, 0xca, 0xbd, 0x92, - 0xce, 0x19, 0x06, 0x72, 0xe6, 0x0c, 0x5c, 0x38, 0x69, 0xc7, 0x04, 0xd6, 0xbc, 0x6c, 0xce, 0x5b, - 0xf6, 0xf7, 0x68, 0x9c, 0xdc, 0x25, 0x15, 0x48, 0x88, 0xa1, 0xe9, 0xa9, 0xf8, 0x98, 0x9c, 0xe0, - 0xf3, 0xd5, 0x31, 0x28, 0x61, 0x11, 0x6c, 0x67, 0x96, 0x8d, 0x39, 0x99, 0xcb, 0xc2, 0x45, 0x24, - 0x39, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x42, 0x30, 0x40, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, - 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0e, 0x06, 0x03, 0x55, - 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x1d, 0x06, 0x03, 0x55, - 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xad, 0x6c, 0xaa, 0x94, 0x60, 0x9c, 0xed, 0xe4, 0xff, 0xfa, - 0x3e, 0x0a, 0x74, 0x2b, 0x63, 0x03, 0xf7, 0xb6, 0x59, 0xbf, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x1a, 0x40, - 0xd8, 0x95, 0x65, 0xac, 0x09, 0x92, 0x89, 0xc6, 0x39, 0xf4, 0x10, 0xe5, 0xa9, 0x0e, 0x66, 0x53, - 0x5d, 0x78, 0xde, 0xfa, 0x24, 0x91, 0xbb, 0xe7, 0x44, 0x51, 0xdf, 0xc6, 0x16, 0x34, 0x0a, 0xef, - 0x6a, 0x44, 0x51, 0xea, 0x2b, 0x07, 0x8a, 0x03, 0x7a, 0xc3, 0xeb, 0x3f, 0x0a, 0x2c, 0x52, 0x16, - 0xa0, 0x2b, 0x43, 0xb9, 0x25, 0x90, 0x3f, 0x70, 0xa9, 0x33, 0x25, 0x6d, 0x45, 0x1a, 0x28, 0x3b, - 0x27, 0xcf, 0xaa, 0xc3, 0x29, 0x42, 0x1b, 0xdf, 0x3b, 0x4c, 0xc0, 0x33, 0x34, 0x5b, 0x41, 0x88, - 0xbf, 0x6b, 0x2b, 0x65, 0xaf, 0x28, 0xef, 0xb2, 0xf5, 0xc3, 0xaa, 0x66, 0xce, 0x7b, 0x56, 0xee, - 0xb7, 0xc8, 0xcb, 0x67, 0xc1, 0xc9, 0x9c, 0x1a, 0x18, 0xb8, 0xc4, 0xc3, 0x49, 0x03, 0xf1, 0x60, - 0x0e, 0x50, 0xcd, 0x46, 0xc5, 0xf3, 0x77, 0x79, 0xf7, 0xb6, 0x15, 0xe0, 0x38, 0xdb, 0xc7, 0x2f, - 0x28, 0xa0, 0x0c, 0x3f, 0x77, 0x26, 0x74, 0xd9, 0x25, 0x12, 0xda, 0x31, 0xda, 0x1a, 0x1e, 0xdc, - 0x29, 0x41, 0x91, 0x22, 0x3c, 0x69, 0xa7, 0xbb, 0x02, 0xf2, 0xb6, 0x5c, 0x27, 0x03, 0x89, 0xf4, - 0x06, 0xea, 0x9b, 0xe4, 0x72, 0x82, 0xe3, 0xa1, 0x09, 0xc1, 0xe9, 0x00, 0x19, 0xd3, 0x3e, 0xd4, - 0x70, 0x6b, 0xba, 0x71, 0xa6, 0xaa, 0x58, 0xae, 0xf4, 0xbb, 0xe9, 0x6c, 0xb6, 0xef, 0x87, 0xcc, - 0x9b, 0xbb, 0xff, 0x39, 0xe6, 0x56, 0x61, 0xd3, 0x0a, 0xa7, 0xc4, 0x5c, 0x4c, 0x60, 0x7b, 0x05, - 0x77, 0x26, 0x7a, 0xbf, 0xd8, 0x07, 0x52, 0x2c, 0x62, 0xf7, 0x70, 0x63, 0xd9, 0x39, 0xbc, 0x6f, - 0x1c, 0xc2, 0x79, 0xdc, 0x76, 0x29, 0xaf, 0xce, 0xc5, 0x2c, 0x64, 0x04, 0x5e, 0x88, 0x36, 0x6e, - 0x31, 0xd4, 0x40, 0x1a, 0x62, 0x34, 0x36, 0x3f, 0x35, 0x01, 0xae, 0xac, 0x63, 0xa0, - }; - - check_decode_success (input, -1, output, sizeof (output)); -} - -int -main (int argc, - char *argv[]) -{ - p11_test (test_decode_simple, "/base64/decode-simple"); - p11_test (test_decode_thawte, "/base64/decode-thawte"); - return p11_test_run (argc, argv); -} diff --git a/trust/test-builder.c b/trust/test-builder.c deleted file mode 100644 index 5f4b823..0000000 --- a/trust/test-builder.c +++ /dev/null @@ -1,2237 +0,0 @@ -/* - * Copyright (c) 2013 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@gnome.org> - */ - -#include "config.h" -#include "test.h" -#include "test-trust.h" - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> - -#include "attrs.h" -#include "builder.h" -#include "debug.h" -#include "digest.h" -#include "index.h" -#include "message.h" -#include "oid.h" -#include "pkcs11i.h" -#include "pkcs11x.h" - -struct { - p11_builder *builder; - p11_index *index; -} test; - -static CK_TRUST trusted = CKT_NSS_TRUSTED; -static CK_TRUST trusted_delegator = CKT_NSS_TRUSTED_DELEGATOR; -static CK_TRUST not_trusted = CKT_NSS_NOT_TRUSTED; -static CK_TRUST trust_unknown = CKT_NSS_TRUST_UNKNOWN; -static CK_OBJECT_CLASS certificate = CKO_CERTIFICATE; -static CK_OBJECT_CLASS data = CKO_DATA; -static CK_OBJECT_CLASS certificate_extension = CKO_X_CERTIFICATE_EXTENSION; -static CK_OBJECT_CLASS nss_trust = CKO_NSS_TRUST; -static CK_OBJECT_CLASS trust_assertion = CKO_X_TRUST_ASSERTION; -static CK_X_ASSERTION_TYPE anchored_certificate = CKT_X_ANCHORED_CERTIFICATE; -static CK_X_ASSERTION_TYPE distrusted_certificate = CKT_X_DISTRUSTED_CERTIFICATE; -static CK_CERTIFICATE_TYPE x509 = CKC_X_509; -static CK_ULONG certificate_authority = 2; -static CK_ULONG other_entity = 3; -static CK_BBOOL truev = CK_TRUE; -static CK_BBOOL falsev = CK_FALSE; - -static void -setup (void *unused) -{ - test.builder = p11_builder_new (P11_BUILDER_FLAG_TOKEN); - assert_ptr_not_null (test.builder); - - test.index = p11_index_new (p11_builder_build, NULL, NULL, p11_builder_changed, test.builder); - assert_ptr_not_null (test.index); -} - -static void -teardown (void *unused) -{ - p11_builder_free (test.builder); - p11_index_free (test.index); - memset (&test, 0, sizeof (test)); -} - -static void -test_get_cache (void) -{ - p11_asn1_cache *cache; - - cache = p11_builder_get_cache (test.builder); - assert_ptr_eq (NULL, p11_asn1_cache_get (cache, "blah", (unsigned char *)"blah", 4)); -} - -static void -test_build_data (void) -{ - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_VALUE, "the value", 9 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE check[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_TOKEN, &truev, sizeof (truev) }, - { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, - { CKA_PRIVATE, &falsev, sizeof (falsev) }, - { CKA_LABEL, "", 0 }, - { CKA_VALUE, "the value", 9 }, - { CKA_APPLICATION, "", 0 }, - { CKA_OBJECT_ID, "", 0 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *merge; - CK_ATTRIBUTE *extra; - CK_RV rv; - - attrs = NULL; - extra = NULL; - merge = p11_attrs_dup (input); - rv = p11_builder_build (test.builder, test.index, attrs, merge, &extra); - assert_num_eq (CKR_OK, rv); - - attrs = p11_attrs_merge (attrs, merge, true); - attrs = p11_attrs_merge (attrs, extra, false); - - test_check_attrs (check, attrs); - p11_attrs_free (attrs); -} - -static void -test_build_certificate (void) -{ - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_LABEL, "the label", 9 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE expected[] = { - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_CERTIFICATE_CATEGORY, &certificate_authority, sizeof (certificate_authority) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_CHECK_VALUE, "\xad\x7c\x3f", 3 }, - { CKA_START_DATE, "20110523", 8 }, - { CKA_END_DATE, "20210520", 8, }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_LABEL, "the label", 9 }, - { CKA_ID, "u\xa8q`L\x88\x13\xf0x\xd9\x89w\xb5m\xc5\x89\xdf\xbc\xb1z", 20}, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *merge; - CK_ATTRIBUTE *extra; - CK_RV rv; - - attrs = NULL; - extra = NULL; - merge = p11_attrs_dup (input); - rv = p11_builder_build (test.builder, test.index, attrs, merge, &extra); - assert_num_eq (CKR_OK, rv); - - attrs = p11_attrs_merge (attrs, merge, true); - attrs = p11_attrs_merge (attrs, extra, false); - - test_check_attrs (expected, attrs); - p11_attrs_free (attrs); -} - -static void -test_build_certificate_empty (void) -{ - unsigned char checksum[P11_DIGEST_SHA1_LEN]; - CK_ULONG domain = 0; - CK_ULONG category = 0; - - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_URL, "http://blah", 11 }, - { CKA_HASH_OF_ISSUER_PUBLIC_KEY, checksum, sizeof (checksum) }, - { CKA_HASH_OF_SUBJECT_PUBLIC_KEY, checksum, sizeof (checksum) }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_LABEL, "the label", 9 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE expected[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) }, - { CKA_VALUE, "", 0 }, - { CKA_START_DATE, "", 0 }, - { CKA_END_DATE, "", 0, }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_ISSUER, "", 0 }, - { CKA_SERIAL_NUMBER, "", 0 }, - { CKA_HASH_OF_ISSUER_PUBLIC_KEY, checksum, sizeof (checksum) }, - { CKA_HASH_OF_SUBJECT_PUBLIC_KEY, checksum, sizeof (checksum) }, - { CKA_LABEL, "the label", 9 }, - { CKA_JAVA_MIDP_SECURITY_DOMAIN, &domain, sizeof (domain) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *merge; - CK_ATTRIBUTE *extra; - CK_RV rv; - - p11_digest_sha1 (checksum, test_cacert3_ca_der, sizeof (test_cacert3_ca_der), NULL); - - attrs = NULL; - extra = NULL; - merge = p11_attrs_dup (input); - rv = p11_builder_build (test.builder, test.index, attrs, merge, &extra); - assert_num_eq (CKR_OK, rv); - - attrs = p11_attrs_merge (attrs, merge, true); - attrs = p11_attrs_merge (attrs, extra, false); - - test_check_attrs (expected, attrs); - p11_attrs_free (attrs); -} - -static const unsigned char entrust_pretend_ca[] = { - 0x30, 0x82, 0x04, 0x5c, 0x30, 0x82, 0x03, 0x44, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x04, 0x38, - 0x63, 0xb9, 0x66, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, - 0x05, 0x00, 0x30, 0x81, 0xb4, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b, - 0x45, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x31, 0x40, 0x30, 0x3e, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x14, 0x37, 0x77, 0x77, 0x77, 0x2e, 0x65, 0x6e, 0x74, 0x72, 0x75, 0x73, - 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x2f, 0x43, 0x50, 0x53, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x20, 0x69, - 0x6e, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x20, 0x62, 0x79, 0x20, 0x72, 0x65, 0x66, 0x2e, 0x20, 0x28, - 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x73, 0x20, 0x6c, 0x69, 0x61, 0x62, 0x2e, 0x29, 0x31, 0x25, 0x30, - 0x23, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1c, 0x28, 0x63, 0x29, 0x20, 0x31, 0x39, 0x39, 0x39, - 0x20, 0x45, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x20, 0x4c, 0x69, 0x6d, - 0x69, 0x74, 0x65, 0x64, 0x31, 0x33, 0x30, 0x31, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x2a, 0x45, - 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, - 0x74, 0x79, 0x20, 0x28, 0x32, 0x30, 0x34, 0x38, 0x29, 0x30, 0x1e, 0x17, 0x0d, 0x39, 0x39, 0x31, - 0x32, 0x32, 0x34, 0x31, 0x37, 0x35, 0x30, 0x35, 0x31, 0x5a, 0x17, 0x0d, 0x31, 0x39, 0x31, 0x32, - 0x32, 0x34, 0x31, 0x38, 0x32, 0x30, 0x35, 0x31, 0x5a, 0x30, 0x81, 0xb4, 0x31, 0x14, 0x30, 0x12, - 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b, 0x45, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, - 0x65, 0x74, 0x31, 0x40, 0x30, 0x3e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x14, 0x37, 0x77, 0x77, 0x77, - 0x2e, 0x65, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x2f, 0x43, 0x50, 0x53, - 0x5f, 0x32, 0x30, 0x34, 0x38, 0x20, 0x69, 0x6e, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x20, 0x62, 0x79, - 0x20, 0x72, 0x65, 0x66, 0x2e, 0x20, 0x28, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x73, 0x20, 0x6c, 0x69, - 0x61, 0x62, 0x2e, 0x29, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1c, 0x28, - 0x63, 0x29, 0x20, 0x31, 0x39, 0x39, 0x39, 0x20, 0x45, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, - 0x6e, 0x65, 0x74, 0x20, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x65, 0x64, 0x31, 0x33, 0x30, 0x31, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x13, 0x2a, 0x45, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, - 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, - 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x28, 0x32, 0x30, 0x34, 0x38, 0x29, - 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, - 0x00, 0xad, 0x4d, 0x4b, 0xa9, 0x12, 0x86, 0xb2, 0xea, 0xa3, 0x20, 0x07, 0x15, 0x16, 0x64, 0x2a, - 0x2b, 0x4b, 0xd1, 0xbf, 0x0b, 0x4a, 0x4d, 0x8e, 0xed, 0x80, 0x76, 0xa5, 0x67, 0xb7, 0x78, 0x40, - 0xc0, 0x73, 0x42, 0xc8, 0x68, 0xc0, 0xdb, 0x53, 0x2b, 0xdd, 0x5e, 0xb8, 0x76, 0x98, 0x35, 0x93, - 0x8b, 0x1a, 0x9d, 0x7c, 0x13, 0x3a, 0x0e, 0x1f, 0x5b, 0xb7, 0x1e, 0xcf, 0xe5, 0x24, 0x14, 0x1e, - 0xb1, 0x81, 0xa9, 0x8d, 0x7d, 0xb8, 0xcc, 0x6b, 0x4b, 0x03, 0xf1, 0x02, 0x0c, 0xdc, 0xab, 0xa5, - 0x40, 0x24, 0x00, 0x7f, 0x74, 0x94, 0xa1, 0x9d, 0x08, 0x29, 0xb3, 0x88, 0x0b, 0xf5, 0x87, 0x77, - 0x9d, 0x55, 0xcd, 0xe4, 0xc3, 0x7e, 0xd7, 0x6a, 0x64, 0xab, 0x85, 0x14, 0x86, 0x95, 0x5b, 0x97, - 0x32, 0x50, 0x6f, 0x3d, 0xc8, 0xba, 0x66, 0x0c, 0xe3, 0xfc, 0xbd, 0xb8, 0x49, 0xc1, 0x76, 0x89, - 0x49, 0x19, 0xfd, 0xc0, 0xa8, 0xbd, 0x89, 0xa3, 0x67, 0x2f, 0xc6, 0x9f, 0xbc, 0x71, 0x19, 0x60, - 0xb8, 0x2d, 0xe9, 0x2c, 0xc9, 0x90, 0x76, 0x66, 0x7b, 0x94, 0xe2, 0xaf, 0x78, 0xd6, 0x65, 0x53, - 0x5d, 0x3c, 0xd6, 0x9c, 0xb2, 0xcf, 0x29, 0x03, 0xf9, 0x2f, 0xa4, 0x50, 0xb2, 0xd4, 0x48, 0xce, - 0x05, 0x32, 0x55, 0x8a, 0xfd, 0xb2, 0x64, 0x4c, 0x0e, 0xe4, 0x98, 0x07, 0x75, 0xdb, 0x7f, 0xdf, - 0xb9, 0x08, 0x55, 0x60, 0x85, 0x30, 0x29, 0xf9, 0x7b, 0x48, 0xa4, 0x69, 0x86, 0xe3, 0x35, 0x3f, - 0x1e, 0x86, 0x5d, 0x7a, 0x7a, 0x15, 0xbd, 0xef, 0x00, 0x8e, 0x15, 0x22, 0x54, 0x17, 0x00, 0x90, - 0x26, 0x93, 0xbc, 0x0e, 0x49, 0x68, 0x91, 0xbf, 0xf8, 0x47, 0xd3, 0x9d, 0x95, 0x42, 0xc1, 0x0e, - 0x4d, 0xdf, 0x6f, 0x26, 0xcf, 0xc3, 0x18, 0x21, 0x62, 0x66, 0x43, 0x70, 0xd6, 0xd5, 0xc0, 0x07, - 0xe1, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x74, 0x30, 0x72, 0x30, 0x11, 0x06, 0x09, 0x60, 0x86, - 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x01, 0x04, 0x04, 0x03, 0x02, 0x00, 0x07, 0x30, 0x1f, 0x06, - 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x55, 0xe4, 0x81, 0xd1, 0x11, 0x80, - 0xbe, 0xd8, 0x89, 0xb9, 0x08, 0xa3, 0x31, 0xf9, 0xa1, 0x24, 0x09, 0x16, 0xb9, 0x70, 0x30, 0x1d, - 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x55, 0xe4, 0x81, 0xd1, 0x11, 0x80, 0xbe, - 0xd8, 0x89, 0xb9, 0x08, 0xa3, 0x31, 0xf9, 0xa1, 0x24, 0x09, 0x16, 0xb9, 0x70, 0x30, 0x1d, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf6, 0x7d, 0x07, 0x41, 0x00, 0x04, 0x10, 0x30, 0x0e, 0x1b, 0x08, - 0x56, 0x35, 0x2e, 0x30, 0x3a, 0x34, 0x2e, 0x30, 0x03, 0x02, 0x04, 0x90, 0x30, 0x0d, 0x06, 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, - 0x59, 0x47, 0xac, 0x21, 0x84, 0x8a, 0x17, 0xc9, 0x9c, 0x89, 0x53, 0x1e, 0xba, 0x80, 0x85, 0x1a, - 0xc6, 0x3c, 0x4e, 0x3e, 0xb1, 0x9c, 0xb6, 0x7c, 0xc6, 0x92, 0x5d, 0x18, 0x64, 0x02, 0xe3, 0xd3, - 0x06, 0x08, 0x11, 0x61, 0x7c, 0x63, 0xe3, 0x2b, 0x9d, 0x31, 0x03, 0x70, 0x76, 0xd2, 0xa3, 0x28, - 0xa0, 0xf4, 0xbb, 0x9a, 0x63, 0x73, 0xed, 0x6d, 0xe5, 0x2a, 0xdb, 0xed, 0x14, 0xa9, 0x2b, 0xc6, - 0x36, 0x11, 0xd0, 0x2b, 0xeb, 0x07, 0x8b, 0xa5, 0xda, 0x9e, 0x5c, 0x19, 0x9d, 0x56, 0x12, 0xf5, - 0x54, 0x29, 0xc8, 0x05, 0xed, 0xb2, 0x12, 0x2a, 0x8d, 0xf4, 0x03, 0x1b, 0xff, 0xe7, 0x92, 0x10, - 0x87, 0xb0, 0x3a, 0xb5, 0xc3, 0x9d, 0x05, 0x37, 0x12, 0xa3, 0xc7, 0xf4, 0x15, 0xb9, 0xd5, 0xa4, - 0x39, 0x16, 0x9b, 0x53, 0x3a, 0x23, 0x91, 0xf1, 0xa8, 0x82, 0xa2, 0x6a, 0x88, 0x68, 0xc1, 0x79, - 0x02, 0x22, 0xbc, 0xaa, 0xa6, 0xd6, 0xae, 0xdf, 0xb0, 0x14, 0x5f, 0xb8, 0x87, 0xd0, 0xdd, 0x7c, - 0x7f, 0x7b, 0xff, 0xaf, 0x1c, 0xcf, 0xe6, 0xdb, 0x07, 0xad, 0x5e, 0xdb, 0x85, 0x9d, 0xd0, 0x2b, - 0x0d, 0x33, 0xdb, 0x04, 0xd1, 0xe6, 0x49, 0x40, 0x13, 0x2b, 0x76, 0xfb, 0x3e, 0xe9, 0x9c, 0x89, - 0x0f, 0x15, 0xce, 0x18, 0xb0, 0x85, 0x78, 0x21, 0x4f, 0x6b, 0x4f, 0x0e, 0xfa, 0x36, 0x67, 0xcd, - 0x07, 0xf2, 0xff, 0x08, 0xd0, 0xe2, 0xde, 0xd9, 0xbf, 0x2a, 0xaf, 0xb8, 0x87, 0x86, 0x21, 0x3c, - 0x04, 0xca, 0xb7, 0x94, 0x68, 0x7f, 0xcf, 0x3c, 0xe9, 0x98, 0xd7, 0x38, 0xff, 0xec, 0xc0, 0xd9, - 0x50, 0xf0, 0x2e, 0x4b, 0x58, 0xae, 0x46, 0x6f, 0xd0, 0x2e, 0xc3, 0x60, 0xda, 0x72, 0x55, 0x72, - 0xbd, 0x4c, 0x45, 0x9e, 0x61, 0xba, 0xbf, 0x84, 0x81, 0x92, 0x03, 0xd1, 0xd2, 0x69, 0x7c, 0xc5, -}; - -static const unsigned char entrust_public_key[] = { - 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, - 0x00, 0xad, 0x4d, 0x4b, 0xa9, 0x12, 0x86, 0xb2, 0xea, 0xa3, 0x20, 0x07, 0x15, 0x16, 0x64, 0x2a, - 0x2b, 0x4b, 0xd1, 0xbf, 0x0b, 0x4a, 0x4d, 0x8e, 0xed, 0x80, 0x76, 0xa5, 0x67, 0xb7, 0x78, 0x40, - 0xc0, 0x73, 0x42, 0xc8, 0x68, 0xc0, 0xdb, 0x53, 0x2b, 0xdd, 0x5e, 0xb8, 0x76, 0x98, 0x35, 0x93, - 0x8b, 0x1a, 0x9d, 0x7c, 0x13, 0x3a, 0x0e, 0x1f, 0x5b, 0xb7, 0x1e, 0xcf, 0xe5, 0x24, 0x14, 0x1e, - 0xb1, 0x81, 0xa9, 0x8d, 0x7d, 0xb8, 0xcc, 0x6b, 0x4b, 0x03, 0xf1, 0x02, 0x0c, 0xdc, 0xab, 0xa5, - 0x40, 0x24, 0x00, 0x7f, 0x74, 0x94, 0xa1, 0x9d, 0x08, 0x29, 0xb3, 0x88, 0x0b, 0xf5, 0x87, 0x77, - 0x9d, 0x55, 0xcd, 0xe4, 0xc3, 0x7e, 0xd7, 0x6a, 0x64, 0xab, 0x85, 0x14, 0x86, 0x95, 0x5b, 0x97, - 0x32, 0x50, 0x6f, 0x3d, 0xc8, 0xba, 0x66, 0x0c, 0xe3, 0xfc, 0xbd, 0xb8, 0x49, 0xc1, 0x76, 0x89, - 0x49, 0x19, 0xfd, 0xc0, 0xa8, 0xbd, 0x89, 0xa3, 0x67, 0x2f, 0xc6, 0x9f, 0xbc, 0x71, 0x19, 0x60, - 0xb8, 0x2d, 0xe9, 0x2c, 0xc9, 0x90, 0x76, 0x66, 0x7b, 0x94, 0xe2, 0xaf, 0x78, 0xd6, 0x65, 0x53, - 0x5d, 0x3c, 0xd6, 0x9c, 0xb2, 0xcf, 0x29, 0x03, 0xf9, 0x2f, 0xa4, 0x50, 0xb2, 0xd4, 0x48, 0xce, - 0x05, 0x32, 0x55, 0x8a, 0xfd, 0xb2, 0x64, 0x4c, 0x0e, 0xe4, 0x98, 0x07, 0x75, 0xdb, 0x7f, 0xdf, - 0xb9, 0x08, 0x55, 0x60, 0x85, 0x30, 0x29, 0xf9, 0x7b, 0x48, 0xa4, 0x69, 0x86, 0xe3, 0x35, 0x3f, - 0x1e, 0x86, 0x5d, 0x7a, 0x7a, 0x15, 0xbd, 0xef, 0x00, 0x8e, 0x15, 0x22, 0x54, 0x17, 0x00, 0x90, - 0x26, 0x93, 0xbc, 0x0e, 0x49, 0x68, 0x91, 0xbf, 0xf8, 0x47, 0xd3, 0x9d, 0x95, 0x42, 0xc1, 0x0e, - 0x4d, 0xdf, 0x6f, 0x26, 0xcf, 0xc3, 0x18, 0x21, 0x62, 0x66, 0x43, 0x70, 0xd6, 0xd5, 0xc0, 0x07, - 0xe1, 0x02, 0x03, 0x01, 0x00, 0x01, -}; - -static void -test_build_certificate_non_ca (void) -{ - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_VALUE, (void *)entrust_pretend_ca, sizeof (entrust_pretend_ca) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE expected[] = { - { CKA_CERTIFICATE_CATEGORY, &other_entity, sizeof (other_entity) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *extra; - CK_RV rv; - - attrs = NULL; - extra = NULL; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - attrs = p11_attrs_merge (attrs, p11_attrs_dup (input), true); - attrs = p11_attrs_merge (attrs, extra, false); - - test_check_attrs (expected, attrs); - p11_attrs_free (attrs); -} - -static void -test_build_certificate_v1_ca (void) -{ - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_VALUE, (void *)verisign_v1_ca, sizeof (verisign_v1_ca) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE expected[] = { - { CKA_CERTIFICATE_CATEGORY, &certificate_authority, sizeof (certificate_authority) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *extra; - CK_RV rv; - - attrs = NULL; - extra = NULL; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - attrs = p11_attrs_merge (attrs, p11_attrs_dup (input), true); - attrs = p11_attrs_merge (attrs, extra, false); - - test_check_attrs (expected, attrs); - p11_attrs_free (attrs); -} - -static void -test_build_certificate_staple_ca (void) -{ - CK_ULONG category = 2; /* CA */ - - CK_ATTRIBUTE attached[] = { - { CKA_CLASS, &certificate_extension, sizeof (certificate_extension) }, - { CKA_OBJECT_ID, (void *)P11_OID_BASIC_CONSTRAINTS, sizeof (P11_OID_BASIC_CONSTRAINTS) }, - { CKA_VALUE, "\x30\x0f\x06\x03\x55\x1d\x13\x01\x01\xff\x04\x05\x30\x03\x01\x01\xff", 17 }, - { CKA_PUBLIC_KEY_INFO, (void *)entrust_public_key, sizeof (entrust_public_key) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_VALUE, (void *)entrust_pretend_ca, sizeof (entrust_pretend_ca) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE expected[] = { - { CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *extra; - CK_RV rv; - - /* Adding the attached extension *first*, and then the certificate */ - - /* Add a attached certificate */ - rv = p11_index_add (test.index, attached, 4, NULL); - assert_num_eq (CKR_OK, rv); - - attrs = NULL; - extra = NULL; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - attrs = p11_attrs_merge (attrs, p11_attrs_dup (input), true); - attrs = p11_attrs_merge (attrs, extra, false); - - /* - * Even though the certificate is not a valid CA, the presence of the - * attached certificate extension transforms it into a CA. - */ - test_check_attrs (expected, attrs); - p11_attrs_free (attrs); -} - -static void -test_build_certificate_staple_ca_backwards (void) -{ - CK_ULONG category = 2; /* CA */ - - CK_ATTRIBUTE attached[] = { - { CKA_CLASS, &certificate_extension, sizeof (certificate_extension) }, - { CKA_OBJECT_ID, (void *)P11_OID_BASIC_CONSTRAINTS, sizeof (P11_OID_BASIC_CONSTRAINTS) }, - { CKA_VALUE, "\x30\x0f\x06\x03\x55\x1d\x13\x01\x01\xff\x04\x05\x30\x03\x01\x01\xff", 17 }, - { CKA_PUBLIC_KEY_INFO, (void *)entrust_public_key, sizeof (entrust_public_key) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_VALUE, (void *)entrust_pretend_ca, sizeof (entrust_pretend_ca) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE expected[] = { - { CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) }, - { CKA_INVALID }, - }; - - CK_RV rv; - CK_ATTRIBUTE *attrs; - CK_OBJECT_HANDLE handle; - - /* Adding the certificate *first*, and then the attached extension */ - - rv = p11_index_add (test.index, input, 4, &handle); - assert_num_eq (CKR_OK, rv); - - /* Add a attached certificate */ - rv = p11_index_add (test.index, attached, 4, NULL); - assert_num_eq (CKR_OK, rv); - - /* - * Even though the certificate is not a valid CA, the presence of the - * attached certificate extension transforms it into a CA. - */ - attrs = p11_index_lookup (test.index, handle); - test_check_attrs (expected, attrs); -} - -static void -test_build_certificate_no_type (void) -{ - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *merge; - CK_ATTRIBUTE *extra; - CK_RV rv; - - p11_message_quiet (); - - attrs = NULL; - extra = NULL; - merge = p11_attrs_dup (input); - rv = p11_builder_build (test.builder, test.index, attrs, merge, &extra); - assert_num_eq (CKR_TEMPLATE_INCOMPLETE, rv); - p11_attrs_free (merge); - - p11_message_loud (); -} - -static void -test_build_certificate_bad_type (void) -{ - CK_CERTIFICATE_TYPE type = CKC_WTLS; - - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &type, sizeof (type) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *merge; - CK_ATTRIBUTE *extra; - CK_RV rv; - - p11_message_quiet (); - - attrs = NULL; - merge = p11_attrs_dup (input); - rv = p11_builder_build (test.builder, test.index, attrs, merge, &extra); - assert_num_eq (CKR_TEMPLATE_INCONSISTENT, rv); - p11_attrs_free (merge); - - p11_message_loud (); -} - -static void -test_build_extension (void) -{ - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &certificate_extension, sizeof (certificate_extension) }, - { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, - { CKA_VALUE, "\x30\x11\x06\x03\x55\x1d\x50\x04\x0a\x74\x68\x65\x20\x76\x61\x6c\x75\x65\x0a", 19 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE check[] = { - { CKA_CLASS, &certificate_extension, sizeof (certificate_extension) }, - { CKA_TOKEN, &truev, sizeof (truev) }, - { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, - { CKA_PRIVATE, &falsev, sizeof (falsev) }, - { CKA_OBJECT_ID, "\x06\x03\x55\x1d\x50", 5 }, - { CKA_VALUE, "\x30\x11\x06\x03\x55\x1d\x50\x04\x0a\x74\x68\x65\x20\x76\x61\x6c\x75\x65\x0a", 19 }, - { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, - { CKA_LABEL, "", 0 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *extra; - CK_RV rv; - - attrs = NULL; - extra = NULL; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - attrs = p11_attrs_merge (attrs, p11_attrs_dup (input), true); - attrs = p11_attrs_merge (attrs, extra, false); - - test_check_attrs (check, attrs); - p11_attrs_free (attrs); -} - -/* This certificate has and end date in 2067 */ -static const unsigned char cert_distant_end_date[] = { - 0x30, 0x82, 0x01, 0x6a, 0x30, 0x82, 0x01, 0x14, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x02, 0x03, - 0xe7, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, - 0x30, 0x28, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x1d, 0x66, 0x61, 0x72, - 0x2d, 0x69, 0x6e, 0x2d, 0x74, 0x68, 0x65, 0x2d, 0x66, 0x75, 0x74, 0x75, 0x72, 0x65, 0x2e, 0x65, - 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x20, 0x17, 0x0d, 0x31, 0x33, - 0x30, 0x33, 0x32, 0x37, 0x31, 0x36, 0x34, 0x39, 0x33, 0x33, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x36, - 0x37, 0x31, 0x32, 0x32, 0x39, 0x31, 0x36, 0x34, 0x39, 0x33, 0x33, 0x5a, 0x30, 0x28, 0x31, 0x26, - 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x1d, 0x66, 0x61, 0x72, 0x2d, 0x69, 0x6e, 0x2d, - 0x74, 0x68, 0x65, 0x2d, 0x66, 0x75, 0x74, 0x75, 0x72, 0x65, 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70, - 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x5c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x4b, 0x00, 0x30, 0x48, 0x02, 0x41, 0x00, 0xe2, - 0x2d, 0x35, 0x70, 0x75, 0xc0, 0x07, 0x56, 0x40, 0x7d, 0x63, 0xbc, 0xd2, 0x60, 0xb3, 0xcf, 0xb8, - 0x3d, 0x27, 0x6e, 0x10, 0xcd, 0x42, 0x50, 0x51, 0x9d, 0x79, 0x30, 0x79, 0x5a, 0xe3, 0xc3, 0x51, - 0x38, 0x85, 0x4c, 0xb4, 0x91, 0xd9, 0xe6, 0x8d, 0x69, 0x6a, 0xd4, 0x9c, 0x1c, 0x49, 0xc2, 0x25, - 0x2a, 0xc9, 0x2b, 0xf2, 0xf4, 0x8e, 0x8a, 0x3f, 0x8b, 0x4c, 0x97, 0xc3, 0x16, 0x96, 0x99, 0x02, - 0x03, 0x01, 0x00, 0x01, 0xa3, 0x26, 0x30, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, - 0x1b, 0x30, 0x19, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x06, 0x08, 0x2b, - 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04, 0x06, 0x03, 0x2a, 0x03, 0x04, 0x30, 0x0d, 0x06, 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x41, 0x00, 0xc2, 0x83, - 0x27, 0x32, 0x80, 0x74, 0x73, 0xe2, 0xa3, 0x92, 0xaa, 0x7c, 0xd8, 0x50, 0xf4, 0x61, 0x50, 0xb1, - 0x63, 0x9e, 0x29, 0xef, 0x38, 0x1d, 0xc0, 0x55, 0x20, 0x0f, 0x7e, 0xe9, 0x1f, 0xa1, 0x54, 0x1a, - 0x5f, 0x8c, 0x26, 0x1b, 0x66, 0x96, 0x0e, 0x64, 0x52, 0x1c, 0x00, 0x96, 0xfb, 0x81, 0x77, 0xa2, - 0x3a, 0x1d, 0x49, 0x0c, 0x03, 0xd5, 0x19, 0xf2, 0x6a, 0x01, 0x29, 0x31, 0xfb, 0xf5, -}; - -static void -test_build_distant_end_date (void) -{ - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_VALUE, (void *)cert_distant_end_date, sizeof (cert_distant_end_date) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE expected[] = { - { CKA_END_DATE, "20671229", 8 }, - { CKA_START_DATE, "20130327", 8 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *extra; - CK_RV rv; - - attrs = NULL; - extra = NULL; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - attrs = p11_attrs_merge (attrs, p11_attrs_dup (input), true); - attrs = p11_attrs_merge (attrs, extra, false); - - test_check_attrs (expected, attrs); - p11_attrs_free (attrs); -} - -static void -test_valid_bool (void) -{ - CK_ATTRIBUTE *attrs = NULL; - CK_ATTRIBUTE *extra = NULL; - CK_BBOOL value = CK_TRUE; - CK_RV rv; - - CK_ATTRIBUTE input[] = { - { CKA_PRIVATE, &value, sizeof (value) }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_INVALID }, - }; - - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - p11_attrs_free (extra); -} - -static void -test_invalid_bool (void) -{ - CK_ATTRIBUTE *attrs = NULL; - CK_ATTRIBUTE *extra = NULL; - CK_RV rv; - - CK_ATTRIBUTE input[] = { - { CKA_PRIVATE, NULL, 0 }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_INVALID }, - }; - - p11_message_quiet (); - - input[0].pValue = "123"; - input[0].ulValueLen = 3; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv); - - - input[0].pValue = NULL; - input[0].ulValueLen = sizeof (CK_BBOOL); - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv); - - p11_message_loud (); -} - -static void -test_valid_ulong (void) -{ - CK_ATTRIBUTE *attrs = NULL; - CK_ATTRIBUTE *extra = NULL; - CK_ULONG value = 2; - CK_RV rv; - - CK_ATTRIBUTE input[] = { - { CKA_CERTIFICATE_CATEGORY, &value, sizeof (value) }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_INVALID }, - }; - - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - p11_attrs_free (extra); -} - -static void -test_invalid_ulong (void) -{ - CK_ATTRIBUTE *attrs = NULL; - CK_ATTRIBUTE *extra = NULL; - CK_RV rv; - - CK_ATTRIBUTE input[] = { - { CKA_CERTIFICATE_CATEGORY, NULL, 0 }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_INVALID }, - }; - - p11_message_quiet (); - - input[0].pValue = "123"; - input[0].ulValueLen = 3; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv); - - - input[0].pValue = NULL; - input[0].ulValueLen = sizeof (CK_ULONG); - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv); - - p11_message_loud (); -} - -static void -test_valid_utf8 (void) -{ - CK_ATTRIBUTE *attrs = NULL; - CK_ATTRIBUTE *extra = NULL; - CK_RV rv; - - CK_ATTRIBUTE input[] = { - { CKA_LABEL, NULL, 0 }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_INVALID }, - }; - - input[0].pValue = NULL; - input[0].ulValueLen = 0; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - p11_attrs_free (extra); -} - -static void -test_invalid_utf8 (void) -{ - CK_ATTRIBUTE *attrs = NULL; - CK_ATTRIBUTE *extra = NULL; - CK_RV rv; - - CK_ATTRIBUTE input[] = { - { CKA_LABEL, NULL, 0 }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_INVALID }, - }; - - p11_message_quiet (); - - input[0].pValue = "\xfex23"; - input[0].ulValueLen = 4; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv); - - - input[0].pValue = NULL; - input[0].ulValueLen = 4; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv); - - p11_message_loud (); -} - -static void -test_valid_dates (void) -{ - CK_ATTRIBUTE *attrs = NULL; - CK_ATTRIBUTE *extra = NULL; - CK_DATE date; - CK_RV rv; - - CK_ATTRIBUTE input[] = { - { CKA_START_DATE, &date, sizeof (CK_DATE) }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_INVALID }, - }; - - memcpy (date.year, "2000", sizeof (date.year)); - memcpy (date.month, "10", sizeof (date.month)); - memcpy (date.day, "10", sizeof (date.day)); - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - p11_attrs_free (extra); - p11_attrs_free (attrs); - attrs = NULL; - - input[0].ulValueLen = 0; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - p11_attrs_free (extra); - p11_attrs_free (attrs); -} - -static void -test_invalid_dates (void) -{ - CK_ATTRIBUTE *attrs = NULL; - CK_ATTRIBUTE *extra = NULL; - CK_DATE date; - CK_RV rv; - - CK_ATTRIBUTE input[] = { - { CKA_START_DATE, &date, sizeof (CK_DATE) }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_INVALID }, - }; - - p11_message_quiet (); - - memcpy (date.year, "AAAA", sizeof (date.year)); - memcpy (date.month, "BB", sizeof (date.month)); - memcpy (date.day, "CC", sizeof (date.day)); - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv); - - memcpy (date.year, "2000", sizeof (date.year)); - memcpy (date.month, "15", sizeof (date.month)); - memcpy (date.day, "80", sizeof (date.day)); - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv); - - input[0].pValue = NULL; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv); - - p11_message_loud (); -} - -static void -test_valid_name (void) -{ - CK_ATTRIBUTE *attrs = NULL; - CK_ATTRIBUTE *extra = NULL; - CK_RV rv; - - CK_ATTRIBUTE input[] = { - { CKA_SUBJECT, NULL, 0 }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_INVALID }, - }; - - input[0].pValue = NULL; - input[0].ulValueLen = 0; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - p11_attrs_free (extra); - p11_attrs_free (attrs); - attrs = NULL; - - input[0].pValue = (void *)test_cacert3_ca_issuer; - input[0].ulValueLen = sizeof (test_cacert3_ca_issuer); - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - p11_attrs_free (extra); - p11_attrs_free (attrs); -} - -static void -test_invalid_name (void) -{ - CK_ATTRIBUTE *attrs = NULL; - CK_ATTRIBUTE *extra = NULL; - CK_RV rv; - - CK_ATTRIBUTE input[] = { - { CKA_SUBJECT, NULL, 0 }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_INVALID }, - }; - - p11_message_quiet (); - - input[0].pValue = "blah"; - input[0].ulValueLen = 4; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv); - - input[0].pValue = NULL; - input[0].ulValueLen = 4; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv); - - p11_message_loud (); -} - -static void -test_valid_serial (void) -{ - CK_ATTRIBUTE *attrs = NULL; - CK_ATTRIBUTE *extra = NULL; - CK_RV rv; - - CK_ATTRIBUTE input[] = { - { CKA_SERIAL_NUMBER, NULL, 0 }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_INVALID }, - }; - - input[0].pValue = NULL; - input[0].ulValueLen = 0; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - p11_attrs_free (extra); - attrs = NULL; - - input[0].pValue = (void *)test_cacert3_ca_serial; - input[0].ulValueLen = sizeof (test_cacert3_ca_serial); - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - p11_attrs_free (extra); -} - -static void -test_invalid_serial (void) -{ - CK_ATTRIBUTE *attrs = NULL; - CK_ATTRIBUTE *extra = NULL; - CK_RV rv; - - CK_ATTRIBUTE input[] = { - { CKA_SERIAL_NUMBER, NULL, 0 }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_INVALID }, - }; - - p11_message_quiet (); - - input[0].pValue = "blah"; - input[0].ulValueLen = 4; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv); - - input[0].pValue = (void *)test_cacert3_ca_subject; - input[0].ulValueLen = sizeof (test_cacert3_ca_subject); - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv); - - input[0].pValue = NULL; - input[0].ulValueLen = 4; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv); - - p11_message_loud (); -} - -static void -test_valid_cert (void) -{ - CK_ATTRIBUTE *attrs = NULL; - CK_ATTRIBUTE *extra = NULL; - CK_RV rv; - - CK_ATTRIBUTE input[] = { - { CKA_VALUE, NULL, 0 }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_INVALID }, - }; - - input[0].pValue = NULL; - input[0].ulValueLen = 0; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - p11_attrs_free (extra); - attrs = NULL; - - input[0].pValue = (void *)test_cacert3_ca_der; - input[0].ulValueLen = sizeof (test_cacert3_ca_der); - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - p11_attrs_free (extra); -} - -static void -test_invalid_cert (void) -{ - CK_ATTRIBUTE *attrs = NULL; - CK_ATTRIBUTE *extra = NULL; - CK_RV rv; - - CK_ATTRIBUTE input[] = { - { CKA_VALUE, NULL, 0 }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_INVALID }, - }; - - p11_message_quiet (); - - input[0].pValue = "blah"; - input[0].ulValueLen = 4; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv); - - input[0].pValue = (void *)test_cacert3_ca_subject; - input[0].ulValueLen = sizeof (test_cacert3_ca_subject); - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv); - - input[0].pValue = NULL; - input[0].ulValueLen = 4; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_ATTRIBUTE_VALUE_INVALID, rv); - - p11_message_loud (); -} - -static void -test_invalid_schema (void) -{ - CK_ATTRIBUTE *attrs = NULL; - CK_ATTRIBUTE *extra = NULL; - CK_RV rv; - - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_URL, "http://blah", 11 }, - { CKA_INVALID }, - }; - - p11_message_quiet (); - - /* Missing CKA_HASH_OF_SUBJECT_PUBLIC_KEY and CKA_HASH_OF_ISSUER_PUBLIC_KEY */ - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_TEMPLATE_INCONSISTENT, rv); - - p11_message_loud (); -} - -static void -test_create_not_settable (void) -{ - /* - * CKA_PUBLIC_KEY_INFO cannot be created/modified - */ - - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_PUBLIC_KEY_INFO, (void *)verisign_v1_ca_public_key, sizeof (verisign_v1_ca_public_key) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *merge; - CK_ATTRIBUTE *extra; - CK_RV rv; - - p11_message_quiet (); - - attrs = NULL; - merge = p11_attrs_dup (input); - rv = p11_builder_build (test.builder, test.index, attrs, merge, &extra); - assert_num_eq (CKR_ATTRIBUTE_READ_ONLY, rv); - p11_attrs_free (merge); - - p11_message_loud (); - - p11_attrs_free (attrs); -} - -static void -test_create_but_loadable (void) -{ - /* - * CKA_PUBLIC_KEY_INFO cannot be set on creation, but can be set if we're - * loading from our store. This is signified by batching. - */ - - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_PUBLIC_KEY_INFO, (void *)verisign_v1_ca_public_key, sizeof (verisign_v1_ca_public_key) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *extra; - CK_RV rv; - - p11_index_load (test.index); - - attrs = NULL; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - p11_index_finish (test.index); - - attrs = p11_attrs_merge (attrs, p11_attrs_dup (input), true); - attrs = p11_attrs_merge (attrs, extra, false); - - test_check_attrs (input, attrs); - p11_attrs_free (attrs); -} - -static void -test_create_unsupported (void) -{ - CK_OBJECT_CLASS klass = CKO_PRIVATE_KEY; - - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &klass, sizeof (klass) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *merge; - CK_ATTRIBUTE *extra; - CK_RV rv; - - p11_message_quiet (); - - attrs = NULL; - extra = NULL; - merge = p11_attrs_dup (input); - rv = p11_builder_build (test.builder, test.index, attrs, merge, &extra); - assert_num_eq (CKR_TEMPLATE_INCONSISTENT, rv); - p11_attrs_free (merge); - - p11_message_loud (); -} - -static void -test_create_generated (void) -{ - CK_OBJECT_CLASS klass = CKO_NSS_TRUST; - - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &klass, sizeof (klass) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *merge; - CK_ATTRIBUTE *extra; - CK_RV rv; - - p11_message_quiet (); - - attrs = NULL; - extra = NULL; - merge = p11_attrs_dup (input); - rv = p11_builder_build (test.builder, test.index, attrs, merge, &extra); - assert_num_eq (CKR_TEMPLATE_INCONSISTENT, rv); - p11_attrs_free (merge); - - p11_message_loud (); -} - -static void -test_create_bad_attribute (void) -{ - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_VALUE, "the value", 9 }, - { CKA_COLOR, "blue", 4 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *merge; - CK_ATTRIBUTE *extra; - CK_RV rv; - - p11_message_quiet (); - - attrs = NULL; - extra = NULL; - merge = p11_attrs_dup (input); - rv = p11_builder_build (test.builder, test.index, attrs, merge, &extra); - assert_num_eq (CKR_TEMPLATE_INCONSISTENT, rv); - p11_attrs_free (merge); - - p11_message_loud (); -} - -static void -test_create_missing_attribute (void) -{ - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &certificate_extension, sizeof (certificate_extension) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *merge; - CK_ATTRIBUTE *extra; - CK_RV rv; - - p11_message_quiet (); - - attrs = NULL; - extra = NULL; - merge = p11_attrs_dup (input); - rv = p11_builder_build (test.builder, test.index, attrs, merge, &extra); - assert_num_eq (CKR_TEMPLATE_INCOMPLETE, rv); - p11_attrs_free (merge); - - p11_message_loud (); -} - -static void -test_create_no_class (void) -{ - CK_ATTRIBUTE input[] = { - { CKA_VALUE, "the value", 9 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *merge; - CK_ATTRIBUTE *extra; - CK_RV rv; - - p11_message_quiet (); - - attrs = NULL; - extra = NULL; - merge = p11_attrs_dup (input); - rv = p11_builder_build (test.builder, test.index, attrs, merge, &extra); - assert_num_eq (CKR_TEMPLATE_INCOMPLETE, rv); - p11_attrs_free (merge); - - p11_message_loud (); -} - -static void -test_create_token_mismatch (void) -{ - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_TOKEN, &falsev, sizeof (falsev) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *merge; - CK_ATTRIBUTE *extra; - CK_RV rv; - - p11_message_quiet (); - - attrs = NULL; - extra = NULL; - merge = p11_attrs_dup (input); - rv = p11_builder_build (test.builder, test.index, attrs, merge, &extra); - assert_num_eq (CKR_TEMPLATE_INCONSISTENT, rv); - p11_attrs_free (merge); - - p11_message_loud (); -} - -static void -test_modify_success (void) -{ - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_MODIFIABLE, &truev, sizeof (truev) }, - { CKA_VALUE, "the value", 9 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE modify[] = { - { CKA_VALUE, "new value long", 14 }, - { CKA_LABEL, "new label", 9 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE expected[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_MODIFIABLE, &truev, sizeof (truev) }, - { CKA_VALUE, "new value long", 14 }, - { CKA_LABEL, "new label", 9 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *extra; - CK_RV rv; - - attrs = NULL; - extra = NULL; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - attrs = p11_attrs_merge (attrs, p11_attrs_dup (input), true); - attrs = p11_attrs_merge (attrs, extra, false); - - extra = NULL; - rv = p11_builder_build (test.builder, test.index, attrs, modify, &extra); - assert_num_eq (CKR_OK, rv); - - attrs = p11_attrs_merge (attrs, p11_attrs_dup (modify), true); - attrs = p11_attrs_merge (attrs, extra, false); - - test_check_attrs (expected, attrs); - p11_attrs_free (attrs); -} - -static void -test_modify_read_only (void) -{ - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_MODIFIABLE, &truev, sizeof (truev) }, - { CKA_VALUE, "the value", 9 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE modify[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *merge; - CK_ATTRIBUTE *extra; - CK_RV rv; - - attrs = NULL; - extra = NULL; - merge = p11_attrs_dup (input); - rv = p11_builder_build (test.builder, test.index, attrs, merge, &extra); - assert_num_eq (CKR_OK, rv); - - attrs = p11_attrs_merge (attrs, merge, true); - attrs = p11_attrs_merge (attrs, extra, false); - - p11_message_quiet (); - - extra = NULL; - merge = p11_attrs_dup (modify); - rv = p11_builder_build (test.builder, test.index, attrs, merge, &extra); - assert_num_eq (CKR_ATTRIBUTE_READ_ONLY, rv); - p11_attrs_free (merge); - - p11_message_loud (); - - p11_attrs_free (attrs); -} - -static void -test_modify_unchanged (void) -{ - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_MODIFIABLE, &truev, sizeof (truev) }, - { CKA_VALUE, "the value", 9 }, - { CKA_INVALID }, - }; - - /* - * Although CKA_CLASS is read-only, changing to same value - * shouldn't fail - */ - - CK_ATTRIBUTE modify[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_VALUE, "the other", 9 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE expected[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_VALUE, "the other", 9 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *extra; - CK_RV rv; - - attrs = NULL; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - attrs = p11_attrs_merge (attrs, p11_attrs_dup (input), true); - attrs = p11_attrs_merge (attrs, extra, false); - - extra = NULL; - rv = p11_builder_build (test.builder, test.index, attrs, modify, &extra); - assert_num_eq (CKR_OK, rv); - - attrs = p11_attrs_merge (attrs, p11_attrs_dup (modify), true); - attrs = p11_attrs_merge (attrs, extra, false); - - test_check_attrs (expected, attrs); - p11_attrs_free (attrs); -} - -static void -test_modify_not_modifiable (void) -{ - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, - { CKA_VALUE, "the value", 9 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE modify[] = { - { CKA_VALUE, "the value", 9 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *merge; - CK_ATTRIBUTE *extra; - CK_RV rv; - - attrs = NULL; - extra = NULL; - rv = p11_builder_build (test.builder, test.index, attrs, input, &extra); - assert_num_eq (CKR_OK, rv); - - attrs = p11_attrs_merge (attrs, p11_attrs_dup (input), true); - attrs = p11_attrs_merge (attrs, extra, false); - - p11_message_quiet (); - - extra = NULL; - merge = p11_attrs_dup (modify); - rv = p11_builder_build (test.builder, test.index, attrs, merge, &extra); - assert_num_eq (CKR_ATTRIBUTE_READ_ONLY, rv); - p11_attrs_free (merge); - - p11_message_loud (); - - p11_attrs_free (attrs); -} - -static CK_ATTRIBUTE cacert3_assert_distrust_server[] = { - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_X_PURPOSE, (void *)P11_OID_SERVER_AUTH_STR, sizeof (P11_OID_SERVER_AUTH_STR) - 1 }, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, -}; - -static CK_ATTRIBUTE cacert3_assert_distrust_client[] = { - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_X_PURPOSE, (void *)P11_OID_CLIENT_AUTH_STR, sizeof (P11_OID_CLIENT_AUTH_STR) - 1}, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, -}; - -static CK_ATTRIBUTE cacert3_assert_distrust_code[] = { - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_X_PURPOSE, (void *)P11_OID_CODE_SIGNING_STR, sizeof (P11_OID_CODE_SIGNING_STR) - 1}, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, -}; - -static CK_ATTRIBUTE cacert3_assert_distrust_email[] = { - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_X_PURPOSE, (void *)P11_OID_EMAIL_PROTECTION_STR, sizeof (P11_OID_EMAIL_PROTECTION_STR) - 1}, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, -}; - -static CK_ATTRIBUTE cacert3_assert_distrust_system[] = { - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_X_PURPOSE, (void *)P11_OID_IPSEC_END_SYSTEM_STR, sizeof (P11_OID_IPSEC_END_SYSTEM_STR) - 1}, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, -}; - -static CK_ATTRIBUTE cacert3_assert_distrust_tunnel[] = { - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_X_PURPOSE, (void *)P11_OID_IPSEC_TUNNEL_STR, sizeof (P11_OID_IPSEC_TUNNEL_STR) - 1}, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, -}; - -static CK_ATTRIBUTE cacert3_assert_distrust_user[] = { - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_X_PURPOSE, (void *)P11_OID_IPSEC_USER_STR, sizeof (P11_OID_IPSEC_USER_STR) - 1}, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, -}; - -static CK_ATTRIBUTE cacert3_assert_distrust_time[] = { - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_X_PURPOSE, (void *)P11_OID_TIME_STAMPING_STR, sizeof (P11_OID_TIME_STAMPING_STR) - 1}, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, -}; - -static void -test_changed_trusted_certificate (void) -{ - static CK_ATTRIBUTE cacert3_trusted_certificate[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_CERTIFICATE_CATEGORY, &certificate_authority, sizeof (certificate_authority) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_CHECK_VALUE, "\xad\x7c\x3f", 3 }, - { CKA_START_DATE, "20110523", 8 }, - { CKA_END_DATE, "20210520", 8, }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_TRUSTED, &truev, sizeof (truev) }, - { CKA_ID, "cacert3", 7 }, - { CKA_LABEL, "Custom Label", 12 }, - { CKA_INVALID }, - }; - - static unsigned char eku_server_and_client[] = { - 0x30, 0x20, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, - 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x03, 0x02, - }; - - CK_ATTRIBUTE eku_extension_server_and_client[] = { - { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, - { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, - { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, - { CKA_LABEL, "Custom Label", 12 }, - { CKA_VALUE, eku_server_and_client, sizeof (eku_server_and_client) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, - }; - - static char eku_client_email[] = { - 0x30, 0x1a, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x99, 0x77, 0x06, 0x0a, 0x01, 0x04, 0x0c, - 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04, - }; - - static CK_ATTRIBUTE reject_extension_email[] = { - { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, - { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) }, - { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, - { CKA_LABEL, "Custom Label", 12 }, - { CKA_VALUE, eku_client_email, sizeof (eku_client_email) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, - }; - - static CK_ATTRIBUTE nss_trust_server_and_client_distrust_email[] = { - { CKA_CLASS, &nss_trust, sizeof (nss_trust), }, - { CKA_ID, "cacert3", 7 }, - { CKA_CERT_SHA1_HASH, "\xad\x7c\x3f\x64\xfc\x44\x39\xfe\xf4\xe9\x0b\xe8\xf4\x7c\x6c\xfa\x8a\xad\xfd\xce", 20 }, - { CKA_CERT_MD5_HASH, "\xf7\x25\x12\x82\x4e\x67\xb5\xd0\x8d\x92\xb7\x7c\x0b\x86\x7a\x42", 16 }, - { CKA_LABEL, "Custom Label", 12 }, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_TRUST_SERVER_AUTH, &trusted_delegator, sizeof (trusted_delegator) }, - { CKA_TRUST_CLIENT_AUTH, &trusted_delegator, sizeof (trusted_delegator) }, - { CKA_TRUST_EMAIL_PROTECTION, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_CODE_SIGNING, &trust_unknown, sizeof (trust_unknown) }, - { CKA_TRUST_IPSEC_END_SYSTEM, &trust_unknown, sizeof (trust_unknown) }, - { CKA_TRUST_IPSEC_TUNNEL, &trust_unknown, sizeof (trust_unknown) }, - { CKA_TRUST_IPSEC_USER, &trust_unknown, sizeof (trust_unknown) }, - { CKA_TRUST_TIME_STAMPING, &trust_unknown, sizeof (trust_unknown) }, - { CKA_TRUST_DIGITAL_SIGNATURE, &trusted_delegator, sizeof (trusted_delegator) }, - { CKA_TRUST_NON_REPUDIATION, &trusted_delegator, sizeof (trusted_delegator) }, - { CKA_TRUST_KEY_ENCIPHERMENT, &trusted_delegator, sizeof (trusted_delegator) }, - { CKA_TRUST_DATA_ENCIPHERMENT, &trusted_delegator, sizeof (trusted_delegator) }, - { CKA_TRUST_KEY_AGREEMENT, &trusted_delegator, sizeof (trusted_delegator) }, - { CKA_TRUST_KEY_CERT_SIGN, &trusted_delegator, sizeof (trusted_delegator) }, - { CKA_TRUST_CRL_SIGN, &trusted_delegator, sizeof (trusted_delegator) }, - { CKA_INVALID, } - }; - - static CK_ATTRIBUTE server_anchor_assertion[] = { - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_X_PURPOSE, (void *)P11_OID_SERVER_AUTH_STR, sizeof (P11_OID_SERVER_AUTH_STR) - 1 }, - { CKA_LABEL, "Custom Label", 12 }, - { CKA_X_CERTIFICATE_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, - }; - - static CK_ATTRIBUTE client_anchor_assertion[] = { - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_X_PURPOSE, (void *)P11_OID_CLIENT_AUTH_STR, sizeof (P11_OID_CLIENT_AUTH_STR) - 1 }, - { CKA_LABEL, "Custom Label", 12 }, - { CKA_X_CERTIFICATE_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, - }; - - /* - * We should get an NSS trust object and various assertions here. - * The first two attributes of each object are enough to look it up, - * and then we check the rest of the attributes match. - */ - - CK_ATTRIBUTE *expected[] = { - nss_trust_server_and_client_distrust_email, - cacert3_assert_distrust_email, - server_anchor_assertion, - client_anchor_assertion, - NULL, - }; - - CK_OBJECT_HANDLE handle; - CK_ATTRIBUTE *attrs; - CK_RV rv; - int i; - - /* - * A trusted cetrificate, trusted for server and client purposes, - * and explicitly rejects the email and timestamping purposes. - */ - p11_index_load (test.index); - rv = p11_index_take (test.index, p11_attrs_dup (cacert3_trusted_certificate), NULL); - assert_num_eq (CKR_OK, rv); - rv = p11_index_take (test.index, p11_attrs_dup (eku_extension_server_and_client), NULL); - assert_num_eq (CKR_OK, rv); - rv = p11_index_take (test.index, p11_attrs_dup (reject_extension_email), NULL); - assert_num_eq (CKR_OK, rv); - p11_index_finish (test.index); - - - /* The other objects */ - for (i = 0; expected[i]; i++) { - handle = p11_index_find (test.index, expected[i], 2); - assert (handle != 0); - - attrs = p11_index_lookup (test.index, handle); - assert_ptr_not_null (attrs); - - test_check_attrs (expected[i], attrs); - } -} - -static void -test_changed_distrust_value (void) -{ - CK_ATTRIBUTE distrust_cert[] = { - { CKA_CLASS, &certificate, sizeof (certificate), }, - { CKA_CERTIFICATE_CATEGORY, &certificate_authority, sizeof (certificate_authority) }, - { CKA_PRIVATE, &falsev, sizeof (falsev) }, - { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_TRUSTED, &falsev, sizeof (falsev) }, - { CKA_X_DISTRUSTED, &truev, sizeof (truev) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE eku_extension[] = { - { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, - { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, - { CKA_VALUE, "\x30\x18\x06\x03\x55\x1d\x25\x01\x01\xff\x04\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x10", 26 }, - { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE reject_extension[] = { - { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, - { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) }, - { CKA_VALUE, "\x30\x1a\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x01\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02", 28 }, - { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE nss_trust_nothing[] = { - { CKA_CLASS, &nss_trust, sizeof (nss_trust), }, - { CKA_ID, "cacert3", 7 }, - { CKA_CERT_SHA1_HASH, "\xad\x7c\x3f\x64\xfc\x44\x39\xfe\xf4\xe9\x0b\xe8\xf4\x7c\x6c\xfa\x8a\xad\xfd\xce", 20 }, - { CKA_CERT_MD5_HASH, "\xf7\x25\x12\x82\x4e\x67\xb5\xd0\x8d\x92\xb7\x7c\x0b\x86\x7a\x42", 16 }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_TRUST_SERVER_AUTH, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_CLIENT_AUTH, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_EMAIL_PROTECTION, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_CODE_SIGNING, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_IPSEC_END_SYSTEM, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_IPSEC_TUNNEL, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_IPSEC_USER, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_TIME_STAMPING, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_DIGITAL_SIGNATURE, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_NON_REPUDIATION, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_KEY_ENCIPHERMENT, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_DATA_ENCIPHERMENT, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_KEY_AGREEMENT, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_KEY_CERT_SIGN, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_CRL_SIGN, ¬_trusted, sizeof (not_trusted) }, - { CKA_INVALID, } - }; - - /* - * We should get an NSS trust object and various assertions here. - * The first two attributes of each object are enough to look it up, - * and then we check the rest of the attributes match. - */ - - CK_ATTRIBUTE *expected[] = { - nss_trust_nothing, - cacert3_assert_distrust_server, - cacert3_assert_distrust_client, - cacert3_assert_distrust_code, - cacert3_assert_distrust_email, - cacert3_assert_distrust_system, - cacert3_assert_distrust_tunnel, - cacert3_assert_distrust_user, - cacert3_assert_distrust_time, - NULL - }; - - CK_OBJECT_HANDLE handle; - CK_ATTRIBUTE *attrs; - CK_RV rv; - int i; - - /* - * A distrusted certificate with a value, plus some extra - * extensions (which should be ignored). - */ - p11_index_load (test.index); - rv = p11_index_take (test.index, p11_attrs_dup (distrust_cert), NULL); - assert_num_eq (CKR_OK, rv); - rv = p11_index_take (test.index, p11_attrs_dup (eku_extension), NULL); - assert_num_eq (CKR_OK, rv); - rv = p11_index_take (test.index, p11_attrs_dup (reject_extension), NULL); - assert_num_eq (CKR_OK, rv); - p11_index_finish (test.index); - - /* The other objects */ - for (i = 0; expected[i]; i++) { - handle = p11_index_find (test.index, expected[i], 2); - assert (handle != 0); - - attrs = p11_index_lookup (test.index, handle); - assert_ptr_not_null (attrs); - - test_check_attrs (expected[i], attrs); - } -} - -static void -test_changed_distrust_serial (void) -{ - CK_ATTRIBUTE distrust_cert[] = { - { CKA_CLASS, &certificate, sizeof (certificate), }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_TRUSTED, &falsev, sizeof (falsev) }, - { CKA_X_DISTRUSTED, &truev, sizeof (truev) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE nss_trust_distrust[] = { - { CKA_CLASS, &nss_trust, sizeof (nss_trust), }, - { CKA_ID, "cacert3", 7 }, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_TRUST_SERVER_AUTH, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_CLIENT_AUTH, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_EMAIL_PROTECTION, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_CODE_SIGNING, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_IPSEC_END_SYSTEM, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_IPSEC_TUNNEL, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_IPSEC_USER, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_TIME_STAMPING, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_DIGITAL_SIGNATURE, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_NON_REPUDIATION, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_KEY_ENCIPHERMENT, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_DATA_ENCIPHERMENT, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_KEY_AGREEMENT, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_KEY_CERT_SIGN, ¬_trusted, sizeof (not_trusted) }, - { CKA_TRUST_CRL_SIGN, ¬_trusted, sizeof (not_trusted) }, - { CKA_INVALID, } - }; - - /* - * We should get an NSS trust object and various assertions here. - * The first two attributes of each object are enough to look it up, - * and then we check the rest of the attributes match. - */ - - CK_ATTRIBUTE *expected[] = { - nss_trust_distrust, - cacert3_assert_distrust_server, - cacert3_assert_distrust_client, - cacert3_assert_distrust_code, - cacert3_assert_distrust_email, - cacert3_assert_distrust_system, - cacert3_assert_distrust_tunnel, - cacert3_assert_distrust_user, - cacert3_assert_distrust_time, - NULL - }; - - CK_OBJECT_HANDLE handle; - CK_ATTRIBUTE *attrs; - CK_RV rv; - int i; - - /* - * A distrusted certificate without a value. - */ - p11_index_load (test.index); - rv = p11_index_take (test.index, p11_attrs_dup (distrust_cert), NULL); - assert_num_eq (CKR_OK, rv); - p11_index_finish (test.index); - - for (i = 0; expected[i]; i++) { - handle = p11_index_find (test.index, expected[i], 2); - assert (handle != 0); - attrs = p11_index_lookup (test.index, handle); - assert_ptr_not_null (attrs); - test_check_attrs (expected[i], attrs); - } -} - -static void -test_changed_dup_certificates (void) -{ - static CK_ATTRIBUTE trusted_cert[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_CERTIFICATE_CATEGORY, &certificate_authority, sizeof (certificate_authority) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_TRUSTED, &truev, sizeof (truev) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, - }; - - static CK_ATTRIBUTE distrust_cert[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_CERTIFICATE_CATEGORY, &certificate_authority, sizeof (certificate_authority) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_DISTRUSTED, &truev, sizeof (truev) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, - }; - - static CK_ATTRIBUTE trusted_nss[] = { - { CKA_CLASS, &nss_trust, sizeof (nss_trust), }, - { CKA_CERT_SHA1_HASH, "\xad\x7c\x3f\x64\xfc\x44\x39\xfe\xf4\xe9\x0b\xe8\xf4\x7c\x6c\xfa\x8a\xad\xfd\xce", 20 }, - { CKA_TRUST_SERVER_AUTH, &trusted_delegator, sizeof (trusted_delegator) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID, } - }; - - static CK_ATTRIBUTE distrust_nss[] = { - { CKA_CLASS, &nss_trust, sizeof (nss_trust), }, - { CKA_CERT_SHA1_HASH, "\xad\x7c\x3f\x64\xfc\x44\x39\xfe\xf4\xe9\x0b\xe8\xf4\x7c\x6c\xfa\x8a\xad\xfd\xce", 20 }, - { CKA_TRUST_SERVER_AUTH, ¬_trusted, sizeof (not_trusted) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID, } - }; - - static CK_ATTRIBUTE unknown_nss[] = { - { CKA_CLASS, &nss_trust, sizeof (nss_trust), }, - { CKA_CERT_SHA1_HASH, "\xad\x7c\x3f\x64\xfc\x44\x39\xfe\xf4\xe9\x0b\xe8\xf4\x7c\x6c\xfa\x8a\xad\xfd\xce", 20 }, - { CKA_TRUST_SERVER_AUTH, &trust_unknown, sizeof (trust_unknown) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID, } - }; - - static CK_ATTRIBUTE match_nss[] = { - { CKA_CLASS, &nss_trust, sizeof (nss_trust), }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID, } - }; - - static CK_ATTRIBUTE anchor_assertion[] = { - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_X_PURPOSE, (void *)P11_OID_SERVER_AUTH_STR, sizeof (P11_OID_SERVER_AUTH_STR) - 1 }, - { CKA_X_CERTIFICATE_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, - }; - - static CK_ATTRIBUTE distrust_assertion[] = { - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_X_PURPOSE, (void *)P11_OID_SERVER_AUTH_STR, sizeof (P11_OID_SERVER_AUTH_STR) - 1 }, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_X_ASSERTION_TYPE, &distrusted_certificate, sizeof (distrusted_certificate) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID }, - }; - - static CK_ATTRIBUTE match_assertion[] = { - { CKA_CLASS, &trust_assertion, sizeof (trust_assertion) }, - { CKA_ID, "cacert3", 7 }, - { CKA_INVALID, } - }; - - CK_OBJECT_HANDLE handle1; - CK_OBJECT_HANDLE handle2; - CK_OBJECT_HANDLE handle; - CK_RV rv; - - /* - * A trusted certificate, should create trutsed nss trust - * and anchor assertions - */ - p11_index_load (test.index); - rv = p11_index_take (test.index, p11_attrs_dup (trusted_cert), &handle1); - assert_num_eq (CKR_OK, rv); - p11_index_finish (test.index); - - handle = p11_index_find (test.index, match_nss, -1); - assert (handle != 0); - handle = p11_index_find (test.index, match_assertion, -1); - assert (handle != 0); - handle = p11_index_find (test.index, trusted_nss, -1); - assert (handle != 0); - handle = p11_index_find (test.index, anchor_assertion, -1); - assert (handle != 0); - - /* Now we add a distrusted certificate, should update the objects */ - p11_index_load (test.index); - rv = p11_index_take (test.index, p11_attrs_dup (distrust_cert), &handle2); - assert_num_eq (CKR_OK, rv); - p11_index_finish (test.index); - - handle = p11_index_find (test.index, trusted_nss, -1); - assert (handle == 0); - handle = p11_index_find (test.index, distrust_nss, -1); - assert (handle != 0); - handle = p11_index_find (test.index, anchor_assertion, -1); - assert (handle == 0); - handle = p11_index_find (test.index, distrust_assertion, -1); - assert (handle != 0); - - /* Now remove the trusted cetrificate, should update again */ - rv = p11_index_remove (test.index, handle2); - assert_num_eq (CKR_OK, rv); - - handle = p11_index_find (test.index, trusted_nss, -1); - assert (handle != 0); - handle = p11_index_find (test.index, distrust_nss, -1); - assert (handle == 0); - handle = p11_index_find (test.index, anchor_assertion, -1); - assert (handle != 0); - handle = p11_index_find (test.index, distrust_assertion, -1); - assert (handle == 0); - - /* Now remove the original certificate, unknown nss and no assertions */ - rv = p11_index_remove (test.index, handle1); - assert_num_eq (CKR_OK, rv); - - handle = p11_index_find (test.index, unknown_nss, -1); - assert (handle != 0); - handle = p11_index_find (test.index, match_assertion, -1); - assert (handle == 0); -} - -static void -test_changed_without_id (void) -{ - static CK_ATTRIBUTE trusted_without_id[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_CERTIFICATE_CATEGORY, &certificate_authority, sizeof (certificate_authority) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_TRUSTED, &truev, sizeof (truev) }, - { CKA_ID, NULL, 0, }, - { CKA_INVALID }, - }; - - CK_OBJECT_CLASS klass = 0; - CK_ATTRIBUTE match[] = { - { CKA_CLASS, &klass, sizeof (klass) }, - { CKA_INVALID }, - }; - - /* - * A cetrificate without a CKA_ID that's created should still - * automatically create compat objects. - */ - - CK_OBJECT_HANDLE handle; - CK_RV rv; - - p11_index_load (test.index); - rv = p11_index_take (test.index, p11_attrs_dup (trusted_without_id), NULL); - assert_num_eq (CKR_OK, rv); - p11_index_finish (test.index); - - klass = CKO_NSS_TRUST; - handle = p11_index_find (test.index, match, -1); - assert (handle != 0); - - klass = CKO_X_TRUST_ASSERTION; - handle = p11_index_find (test.index, match, -1); - assert (handle != 0); -} - -static void -test_changed_staple_ca (void) -{ - CK_ULONG category = 0; - - CK_ATTRIBUTE attached[] = { - { CKA_CLASS, &certificate_extension, sizeof (certificate_extension) }, - { CKA_OBJECT_ID, (void *)P11_OID_BASIC_CONSTRAINTS, sizeof (P11_OID_BASIC_CONSTRAINTS) }, - { CKA_VALUE, "\x30\x0c\x06\x03\x55\x1d\x13\x04\x05\x30\x03\x01\x01\xff", 14 }, - { CKA_PUBLIC_KEY_INFO, (void *)entrust_public_key, sizeof (entrust_public_key) }, - { CKA_ID, "the id", 6 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_VALUE, (void *)entrust_pretend_ca, sizeof (entrust_pretend_ca) }, - { CKA_ID, "the id", 6 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE match[] = { - { CKA_VALUE, (void *)entrust_pretend_ca, sizeof (entrust_pretend_ca) }, - { CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_RV rv; - - attrs = NULL; - rv = p11_index_take (test.index, p11_attrs_dup (input), NULL); - assert_num_eq (CKR_OK, rv); - - /* Not a CA at this point, until we staple */ - category = 0; - assert (p11_index_find (test.index, match, -1) == 0); - - /* Add a attached basic constraint */ - rv = p11_index_add (test.index, attached, 4, NULL); - assert_num_eq (CKR_OK, rv); - - /* Now should be a CA */ - category = 2; - assert (p11_index_find (test.index, match, -1) != 0); - - p11_attrs_free (attrs); -} - -static void -test_changed_staple_ku (void) -{ - CK_ATTRIBUTE attached_ds_and_np[] = { - { CKA_CLASS, &certificate_extension, sizeof (certificate_extension) }, - { CKA_OBJECT_ID, (void *)P11_OID_KEY_USAGE, sizeof (P11_OID_KEY_USAGE) }, - { CKA_VALUE, "\x30\x0c\x06\x03\x55\x1d\x0f\x04\x05\x03\x03\x07\xc0\x00", 14 }, - { CKA_PUBLIC_KEY_INFO, (void *)entrust_public_key, sizeof (entrust_public_key) }, - { CKA_ID, "the id", 6 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE input[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_VALUE, (void *)entrust_pretend_ca, sizeof (entrust_pretend_ca) }, - { CKA_TRUSTED, &truev, sizeof (truev) }, - { CKA_ID, "the id", 6 }, - { CKA_INVALID }, - }; - - static CK_ATTRIBUTE nss_trust_ds_and_np[] = { - { CKA_CLASS, &nss_trust, sizeof (nss_trust), }, - { CKA_ID, "the id", 6 }, - { CKA_TRUST_SERVER_AUTH, &trusted, sizeof (trusted) }, - { CKA_TRUST_CLIENT_AUTH, &trusted, sizeof (trusted) }, - { CKA_TRUST_EMAIL_PROTECTION, &trusted, sizeof (trusted) }, - { CKA_TRUST_CODE_SIGNING, &trusted, sizeof (trusted) }, - { CKA_TRUST_IPSEC_END_SYSTEM, &trusted, sizeof (trusted) }, - { CKA_TRUST_IPSEC_TUNNEL, &trusted, sizeof (trusted) }, - { CKA_TRUST_IPSEC_USER, &trusted, sizeof (trusted) }, - { CKA_TRUST_TIME_STAMPING, &trusted, sizeof (trusted) }, - { CKA_TRUST_DIGITAL_SIGNATURE, &trusted, sizeof (trusted) }, - { CKA_TRUST_NON_REPUDIATION, &trusted, sizeof (trusted) }, - { CKA_TRUST_KEY_ENCIPHERMENT, &trust_unknown, sizeof (trust_unknown) }, - { CKA_TRUST_DATA_ENCIPHERMENT, &trust_unknown, sizeof (trust_unknown) }, - { CKA_TRUST_KEY_AGREEMENT, &trust_unknown, sizeof (trust_unknown) }, - { CKA_TRUST_KEY_CERT_SIGN, &trust_unknown, sizeof (trust_unknown) }, - { CKA_TRUST_CRL_SIGN, &trust_unknown, sizeof (trust_unknown) }, - { CKA_INVALID, } - }; - - CK_OBJECT_HANDLE handle; - CK_ATTRIBUTE *attrs; - CK_RV rv; - - p11_index_load (test.index); - rv = p11_index_take (test.index, p11_attrs_dup (input), NULL); - assert_num_eq (CKR_OK, rv); - rv = p11_index_take (test.index, p11_attrs_dup (attached_ds_and_np), NULL); - assert_num_eq (CKR_OK, rv); - p11_index_finish (test.index); - - handle = p11_index_find (test.index, nss_trust_ds_and_np, 2); - assert (handle != 0); - - attrs = p11_index_lookup (test.index, handle); - test_check_attrs (nss_trust_ds_and_np, attrs); -} - -int -main (int argc, - char *argv[]) -{ - p11_fixture (setup, teardown); - p11_test (test_get_cache, "/builder/get_cache"); - p11_test (test_build_data, "/builder/build_data"); - p11_test (test_build_certificate, "/builder/build_certificate"); - p11_test (test_build_certificate_empty, "/builder/build_certificate_empty"); - p11_test (test_build_certificate_non_ca, "/builder/build_certificate_non_ca"); - p11_test (test_build_certificate_v1_ca, "/builder/build_certificate_v1_ca"); - p11_test (test_build_certificate_staple_ca, "/builder/build_certificate_staple_ca"); - p11_test (test_build_certificate_staple_ca_backwards, "/builder/build-certificate-staple-ca-backwards"); - p11_test (test_build_certificate_no_type, "/builder/build_certificate_no_type"); - p11_test (test_build_certificate_bad_type, "/builder/build_certificate_bad_type"); - p11_test (test_build_extension, "/builder/build_extension"); - p11_test (test_build_distant_end_date, "/builder/build_distant_end_date"); - - p11_test (test_valid_bool, "/builder/valid-bool"); - p11_test (test_valid_ulong, "/builder/valid-ulong"); - p11_test (test_valid_utf8, "/builder/valid-utf8"); - p11_test (test_valid_dates, "/builder/valid-date"); - p11_test (test_valid_name, "/builder/valid-name"); - p11_test (test_valid_serial, "/builder/valid-serial"); - p11_test (test_valid_cert, "/builder/valid-cert"); - p11_test (test_invalid_bool, "/builder/invalid-bool"); - p11_test (test_invalid_ulong, "/builder/invalid-ulong"); - p11_test (test_invalid_utf8, "/builder/invalid-utf8"); - p11_test (test_invalid_dates, "/builder/invalid-date"); - p11_test (test_invalid_name, "/builder/invalid-name"); - p11_test (test_invalid_serial, "/builder/invalid-serial"); - p11_test (test_invalid_cert, "/builder/invalid-cert"); - p11_test (test_invalid_schema, "/builder/invalid-schema"); - - p11_test (test_create_not_settable, "/builder/create_not_settable"); - p11_test (test_create_but_loadable, "/builder/create_but_loadable"); - p11_test (test_create_unsupported, "/builder/create_unsupported"); - p11_test (test_create_generated, "/builder/create_generated"); - p11_test (test_create_bad_attribute, "/builder/create_bad_attribute"); - p11_test (test_create_missing_attribute, "/builder/create_missing_attribute"); - p11_test (test_create_no_class, "/builder/create_no_class"); - p11_test (test_create_token_mismatch, "/builder/create_token_mismatch"); - p11_test (test_modify_success, "/builder/modify_success"); - p11_test (test_modify_read_only, "/builder/modify_read_only"); - p11_test (test_modify_unchanged, "/builder/modify_unchanged"); - p11_test (test_modify_not_modifiable, "/builder/modify_not_modifiable"); - - p11_test (test_changed_trusted_certificate, "/builder/changed_trusted_certificate"); - p11_test (test_changed_distrust_value, "/builder/changed_distrust_value"); - p11_test (test_changed_distrust_serial, "/builder/changed_distrust_serial"); - p11_test (test_changed_without_id, "/builder/changed_without_id"); - p11_test (test_changed_staple_ca, "/builder/changed_staple_ca"); - p11_test (test_changed_staple_ku, "/builder/changed_staple_ku"); - p11_test (test_changed_dup_certificates, "/builder/changed_dup_certificates"); - return p11_test_run (argc, argv); -} diff --git a/trust/test-bundle.c b/trust/test-bundle.c deleted file mode 100644 index 3af7277..0000000 --- a/trust/test-bundle.c +++ /dev/null @@ -1,272 +0,0 @@ -/* - * Copyright (c) 2011, Collabora Ltd. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@collabora.co.uk> - */ - -#define P11_KIT_DISABLE_DEPRECATED - -#include "config.h" - -#include "test-trust.h" - -#include "attrs.h" -#include "compat.h" -#include "debug.h" -#include "dict.h" -#include "extract.h" -#include "message.h" -#include "mock.h" -#include "path.h" -#include "pkcs11.h" -#include "pkcs11x.h" -#include "oid.h" -#include "test.h" - -#include <assert.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> - -struct { - CK_FUNCTION_LIST module; - p11_enumerate ex; - char *directory; -} test; - -static void -setup (void *unused) -{ - CK_RV rv; - - mock_module_reset (); - memcpy (&test.module, &mock_module, sizeof (CK_FUNCTION_LIST)); - rv = test.module.C_Initialize (NULL); - assert_num_eq (CKR_OK, rv); - - p11_enumerate_init (&test.ex); - - test.directory = p11_test_directory ("test-extract"); -} - -static void -teardown (void *unused) -{ - CK_RV rv; - - if (rmdir (test.directory) < 0) - assert_not_reached (); - free (test.directory); - - p11_enumerate_cleanup (&test.ex); - - rv = test.module.C_Finalize (NULL); - assert_num_eq (CKR_OK, rv); -} - -static CK_OBJECT_CLASS certificate_class = CKO_CERTIFICATE; -static CK_CERTIFICATE_TYPE x509_type = CKC_X_509; - -static CK_ATTRIBUTE cacert3_authority_attrs[] = { - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_CLASS, &certificate_class, sizeof (certificate_class) }, - { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) }, - { CKA_LABEL, "Cacert3 Here", 12 }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_ID, "ID1", 3 }, - { CKA_INVALID }, -}; - -static CK_ATTRIBUTE certificate_filter[] = { - { CKA_CLASS, &certificate_class, sizeof (certificate_class) }, - { CKA_INVALID }, -}; - -static void -test_file (void) -{ - char *destination; - bool ret; - - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_authority_attrs); - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - if (asprintf (&destination, "%s/%s", test.directory, "extract.pem") < 0) - assert_not_reached (); - - ret = p11_extract_pem_bundle (&test.ex, destination); - assert_num_eq (true, ret); - - test_check_file (test.directory, "extract.pem", SRCDIR "/trust/fixtures/cacert3.pem"); - - free (destination); -} - -static void -test_file_multiple (void) -{ - char *destination; - bool ret; - - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_authority_attrs); - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_authority_attrs); - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - if (asprintf (&destination, "%s/%s", test.directory, "extract.pem") < 0) - assert_not_reached (); - - ret = p11_extract_pem_bundle (&test.ex, destination); - assert_num_eq (true, ret); - - test_check_file (test.directory, "extract.pem", SRCDIR "/trust/fixtures/cacert3-twice.pem"); - - free (destination); -} - -static void -test_file_without (void) -{ - char *destination; - bool ret; - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - if (asprintf (&destination, "%s/%s", test.directory, "extract.pem") < 0) - assert_not_reached (); - - ret = p11_extract_pem_bundle (&test.ex, destination); - assert_num_eq (true, ret); - - test_check_data (test.directory, "extract.pem", "", 0); - - free (destination); -} - -static void -test_directory (void) -{ - bool ret; - - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_authority_attrs); - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_authority_attrs); - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - /* Yes, this is a race, and why you shouldn't build software as root */ - if (rmdir (test.directory) < 0) - assert_not_reached (); - - ret = p11_extract_pem_directory (&test.ex, test.directory); - assert_num_eq (true, ret); - - test_check_directory (test.directory, ("Cacert3_Here.pem", "Cacert3_Here.1.pem", NULL)); - test_check_file (test.directory, "Cacert3_Here.pem", SRCDIR "/trust/fixtures/cacert3.pem"); - test_check_file (test.directory, "Cacert3_Here.1.pem", SRCDIR "/trust/fixtures/cacert3.pem"); -} - -static void -test_directory_empty (void) -{ - bool ret; - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - /* Yes, this is a race, and why you shouldn't build software as root */ - if (rmdir (test.directory) < 0) - assert_not_reached (); - - ret = p11_extract_pem_directory (&test.ex, test.directory); - assert_num_eq (true, ret); - - test_check_directory (test.directory, (NULL, NULL)); -} - -static void -test_directory_hash (void) -{ - bool ret; - - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_authority_attrs); - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_authority_attrs); - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - /* Yes, this is a race, and why you shouldn't build software as root */ - if (rmdir (test.directory) < 0) - assert_not_reached (); - - ret = p11_extract_pem_directory_hash (&test.ex, test.directory); - assert_num_eq (true, ret); - - test_check_directory (test.directory, ("Cacert3_Here.pem", "Cacert3_Here.1.pem", -#ifdef OS_UNIX - "e5662767.1", "e5662767.0", "590d426f.1", "590d426f.0", -#endif - NULL)); - test_check_file (test.directory, "Cacert3_Here.pem", SRCDIR "/trust/fixtures/cacert3.pem"); - test_check_file (test.directory, "Cacert3_Here.1.pem", SRCDIR "/trust/fixtures/cacert3.pem"); -#ifdef OS_UNIX - test_check_symlink (test.directory, "e5662767.0", "Cacert3_Here.pem"); - test_check_symlink (test.directory, "e5662767.1", "Cacert3_Here.1.pem"); - test_check_symlink (test.directory, "590d426f.0", "Cacert3_Here.pem"); - test_check_symlink (test.directory, "590d426f.1", "Cacert3_Here.1.pem"); -#endif -} - -int -main (int argc, - char *argv[]) -{ - mock_module_init (); - - p11_fixture (setup, teardown); - p11_test (test_file, "/pem/test_file"); - p11_test (test_file_multiple, "/pem/test_file_multiple"); - p11_test (test_file_without, "/pem/test_file_without"); - p11_test (test_directory, "/pem/test_directory"); - p11_test (test_directory_empty, "/pem/test_directory_empty"); - p11_test (test_directory_hash, "/pem/test_directory_hash"); - return p11_test_run (argc, argv); -} - -#include "enumerate.c" -#include "extract-pem.c" -#include "extract-openssl.c" -#include "save.c" diff --git a/trust/test-cer.c b/trust/test-cer.c deleted file mode 100644 index 422b528..0000000 --- a/trust/test-cer.c +++ /dev/null @@ -1,247 +0,0 @@ -/* - * Copyright (c) 2011, Collabora Ltd. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@collabora.co.uk> - */ - -#define P11_KIT_DISABLE_DEPRECATED - -#include "config.h" - -#include "test-trust.h" - -#include "attrs.h" -#include "compat.h" -#include "debug.h" -#include "dict.h" -#include "extract.h" -#include "message.h" -#include "mock.h" -#include "path.h" -#include "pkcs11.h" -#include "pkcs11x.h" -#include "oid.h" -#include "test.h" - -#include <assert.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> - -struct { - CK_FUNCTION_LIST module; - p11_enumerate ex; - char *directory; -} test; - -static void -setup (void *unused) -{ - CK_RV rv; - - mock_module_reset (); - memcpy (&test.module, &mock_module, sizeof (CK_FUNCTION_LIST)); - rv = test.module.C_Initialize (NULL); - assert_num_eq (CKR_OK, rv); - - p11_enumerate_init (&test.ex); - - test.directory = p11_test_directory ("test-extract"); -} - -static void -teardown (void *unused) -{ - CK_RV rv; - - if (rmdir (test.directory) < 0) - assert_fail ("rmdir() failed", test.directory); - free (test.directory); - - p11_enumerate_cleanup (&test.ex); - - rv = test.module.C_Finalize (NULL); - assert_num_eq (CKR_OK, rv); -} - -static CK_OBJECT_CLASS certificate_class = CKO_CERTIFICATE; -static CK_CERTIFICATE_TYPE x509_type = CKC_X_509; - -static CK_ATTRIBUTE cacert3_authority_attrs[] = { - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_CLASS, &certificate_class, sizeof (certificate_class) }, - { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) }, - { CKA_LABEL, "Cacert3 Here", 12 }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_ID, "ID1", 3 }, - { CKA_INVALID }, -}; - -static CK_ATTRIBUTE certificate_filter[] = { - { CKA_CLASS, &certificate_class, sizeof (certificate_class) }, - { CKA_INVALID }, -}; - -static void -test_file (void) -{ - char *destination; - bool ret; - - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_authority_attrs); - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - if (asprintf (&destination, "%s/%s", test.directory, "extract.cer") < 0) - assert_not_reached (); - - ret = p11_extract_x509_file (&test.ex, destination); - assert_num_eq (true, ret); - - test_check_file (test.directory, "extract.cer", SRCDIR "/trust/fixtures/cacert3.der"); - - free (destination); -} - -static void -test_file_multiple (void) -{ - char *destination; - bool ret; - - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_authority_attrs); - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_authority_attrs); - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - if (asprintf (&destination, "%s/%s", test.directory, "extract.cer") < 0) - assert_not_reached (); - - p11_message_quiet (); - - ret = p11_extract_x509_file (&test.ex, destination); - assert_num_eq (true, ret); - - assert (strstr (p11_message_last (), "multiple certificates") != NULL); - - p11_message_loud (); - - test_check_file (test.directory, "extract.cer", SRCDIR "/trust/fixtures/cacert3.der"); - - free (destination); -} - -static void -test_file_without (void) -{ - char *destination; - bool ret; - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - if (asprintf (&destination, "%s/%s", test.directory, "extract.cer") < 0) - assert_not_reached (); - - p11_message_quiet (); - - ret = p11_extract_x509_file (&test.ex, destination); - assert_num_eq (false, ret); - - assert (strstr (p11_message_last (), "no certificate") != NULL); - - p11_message_loud (); - - free (destination); -} - -static void -test_directory (void) -{ - bool ret; - - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_authority_attrs); - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_authority_attrs); - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - /* Yes, this is a race, and why you shouldn't build software as root */ - if (rmdir (test.directory) < 0) - assert_not_reached (); - - ret = p11_extract_x509_directory (&test.ex, test.directory); - assert_num_eq (true, ret); - - test_check_directory (test.directory, ("Cacert3_Here.cer", "Cacert3_Here.1.cer", NULL)); - test_check_file (test.directory, "Cacert3_Here.cer", SRCDIR "/trust/fixtures/cacert3.der"); - test_check_file (test.directory, "Cacert3_Here.1.cer", SRCDIR "/trust/fixtures/cacert3.der"); -} - -static void -test_directory_empty (void) -{ - bool ret; - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - /* Yes, this is a race, and why you shouldn't build software as root */ - if (rmdir (test.directory) < 0) - assert_not_reached (); - - ret = p11_extract_x509_directory (&test.ex, test.directory); - assert_num_eq (true, ret); - - test_check_directory (test.directory, (NULL, NULL)); -} - -int -main (int argc, - char *argv[]) -{ - mock_module_init (); - - p11_fixture (setup, teardown); - p11_test (test_file, "/x509/test_file"); - p11_test (test_file_multiple, "/x509/test_file_multiple"); - p11_test (test_file_without, "/x509/test_file_without"); - p11_test (test_directory, "/x509/test_directory"); - p11_test (test_directory_empty, "/x509/test_directory_empty"); - return p11_test_run (argc, argv); -} - -#include "enumerate.c" -#include "extract-cer.c" -#include "save.c" diff --git a/trust/test-digest.c b/trust/test-digest.c deleted file mode 100644 index f2cb669..0000000 --- a/trust/test-digest.c +++ /dev/null @@ -1,143 +0,0 @@ -/* - * Copyright (c) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@gnome.org> - */ - -#include "config.h" -#include "test.h" - -#include <assert.h> -#include <stdint.h> -#include <stdlib.h> -#include <stdio.h> -#include <string.h> - -#include "digest.h" - -const char *sha1_input[] = { - "abc", - "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", - NULL -}; - -const char *sha1_checksum[] = { - "\xA9\x99\x3E\x36\x47\x06\x81\x6A\xBA\x3E\x25\x71\x78\x50\xC2\x6C\x9C\xD0\xD8\x9D", - "\x84\x98\x3E\x44\x1C\x3B\xD2\x6E\xBA\xAE\x4A\xA1\xF9\x51\x29\xE5\xE5\x46\x70\xF1", - NULL -}; - -static void -test_sha1 (void) -{ - unsigned char checksum[P11_DIGEST_SHA1_LEN]; - size_t len; - int i; - - for (i = 0; sha1_input[i] != NULL; i++) { - memset (checksum, 0, sizeof (checksum)); - len = strlen (sha1_input[i]); - - p11_digest_sha1 (checksum, sha1_input[i], len, NULL); - assert (memcmp (sha1_checksum[i], checksum, P11_DIGEST_SHA1_LEN) == 0); - - if (len > 6) { - p11_digest_sha1 (checksum, sha1_input[i], 6, sha1_input[i] + 6, len - 6, NULL); - assert (memcmp (sha1_checksum[i], checksum, P11_DIGEST_SHA1_LEN) == 0); - } - } -} - -static void -test_sha1_long (void) -{ - unsigned char checksum[P11_DIGEST_SHA1_LEN]; - char *expected = "\x34\xAA\x97\x3C\xD4\xC4\xDA\xA4\xF6\x1E\xEB\x2B\xDB\xAD\x27\x31\x65\x34\x01\x6F"; - char *input; - - input = malloc (1000000); - assert (input != NULL); - memset (input, 'a', 1000000); - - p11_digest_sha1 (checksum, input, 1000000, NULL); - assert (memcmp (expected, checksum, P11_DIGEST_SHA1_LEN) == 0); - - free (input); -} - -const char *md5_input[] = { - "", - "a", - "abc", - "message digest", - "abcdefghijklmnopqrstuvwxyz", - NULL -}; - -const char *md5_checksum[] = { - "\xd4\x1d\x8c\xd9\x8f\x00\xb2\x04\xe9\x80\x09\x98\xec\xf8\x42\x7e", - "\x0c\xc1\x75\xb9\xc0\xf1\xb6\xa8\x31\xc3\x99\xe2\x69\x77\x26\x61", - "\x90\x01\x50\x98\x3c\xd2\x4f\xb0\xd6\x96\x3f\x7d\x28\xe1\x7f\x72", - "\xf9\x6b\x69\x7d\x7c\xb7\x93\x8d\x52\x5a\x2f\x31\xaa\xf1\x61\xd0", - "\xc3\xfc\xd3\xd7\x61\x92\xe4\x00\x7d\xfb\x49\x6c\xca\x67\xe1\x3b", - NULL -}; - -static void -test_md5 (void) -{ - unsigned char checksum[P11_DIGEST_MD5_LEN]; - size_t len; - int i; - - for (i = 0; md5_input[i] != NULL; i++) { - memset (checksum, 0, sizeof (checksum)); - len = strlen (md5_input[i]); - - p11_digest_md5 (checksum, md5_input[i], len, NULL); - assert (memcmp (md5_checksum[i], checksum, P11_DIGEST_MD5_LEN) == 0); - - if (len > 5) { - p11_digest_md5 (checksum, md5_input[i], 5, md5_input[i] + 5, len - 5, NULL); - assert (memcmp (md5_checksum[i], checksum, P11_DIGEST_MD5_LEN) == 0); - } - } -} - -int -main (int argc, - char *argv[]) -{ - p11_test (test_sha1, "/digest/sha1"); - p11_test (test_sha1_long, "/digest/sha1-long"); - p11_test (test_md5, "/digest/md5"); - return p11_test_run (argc, argv); -} diff --git a/trust/test-enumerate.c b/trust/test-enumerate.c deleted file mode 100644 index 424437e..0000000 --- a/trust/test-enumerate.c +++ /dev/null @@ -1,538 +0,0 @@ -/* - * Copyright (c) 2011, Collabora Ltd. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@collabora.co.uk> - */ - -#define P11_KIT_DISABLE_DEPRECATED - -#include "config.h" - -#include "test-trust.h" - -#include "attrs.h" -#include "compat.h" -#include "debug.h" -#include "dict.h" -#include "extract.h" -#include "message.h" -#include "mock.h" -#include "pkcs11.h" -#include "pkcs11x.h" -#include "oid.h" -#include "test.h" - -#include <stdlib.h> -#include <string.h> - - -static void -test_file_name_for_label (void) -{ - CK_ATTRIBUTE label = { CKA_LABEL, "The Label!", 10 }; - p11_enumerate ex; - char *name; - - p11_enumerate_init (&ex); - - ex.attrs = p11_attrs_build (NULL, &label, NULL); - - name = p11_enumerate_filename (&ex); - assert_str_eq ("The_Label_", name); - free (name); - - p11_enumerate_cleanup (&ex); -} - -static void -test_file_name_for_class (void) -{ - p11_enumerate ex; - char *name; - - p11_enumerate_init (&ex); - - ex.klass = CKO_CERTIFICATE; - - name = p11_enumerate_filename (&ex); - assert_str_eq ("certificate", name); - free (name); - - ex.klass = CKO_DATA; - - name = p11_enumerate_filename (&ex); - assert_str_eq ("unknown", name); - free (name); - - p11_enumerate_cleanup (&ex); -} - -static void -test_comment_for_label (void) -{ - CK_ATTRIBUTE label = { CKA_LABEL, "The Label!", 10 }; - p11_enumerate ex; - char *comment; - - p11_enumerate_init (&ex); - - ex.flags = P11_EXTRACT_COMMENT; - ex.attrs = p11_attrs_build (NULL, &label, NULL); - - comment = p11_enumerate_comment (&ex, true); - assert_str_eq ("# The Label!\n", comment); - free (comment); - - comment = p11_enumerate_comment (&ex, false); - assert_str_eq ("\n# The Label!\n", comment); - free (comment); - - p11_enumerate_cleanup (&ex); -} - -static void -test_comment_not_enabled (void) -{ - CK_ATTRIBUTE label = { CKA_LABEL, "The Label!", 10 }; - p11_enumerate ex; - char *comment; - - p11_enumerate_init (&ex); - - ex.attrs = p11_attrs_build (NULL, &label, NULL); - - comment = p11_enumerate_comment (&ex, true); - assert_ptr_eq (NULL, comment); - - comment = p11_enumerate_comment (&ex, false); - assert_ptr_eq (NULL, comment); - - p11_enumerate_cleanup (&ex); -} - -struct { - CK_FUNCTION_LIST module; - CK_FUNCTION_LIST_PTR modules[2]; - p11_enumerate ex; -} test; - -static void -setup (void *unused) -{ - CK_RV rv; - - mock_module_reset (); - memcpy (&test.module, &mock_module, sizeof (CK_FUNCTION_LIST)); - - rv = test.module.C_Initialize (NULL); - assert_num_eq (CKR_OK, rv); - - p11_enumerate_init (&test.ex); - - /* Prefill the modules */ - test.modules[0] = &test.module; - test.modules[1] = NULL; - test.ex.modules = test.modules; -} - -static void -teardown (void *unused) -{ - CK_RV rv; - - /* Don't free the modules */ - test.ex.modules = NULL; - - p11_enumerate_cleanup (&test.ex); - - rv = test.module.C_Finalize (NULL); - assert_num_eq (CKR_OK, rv); -} - -static CK_OBJECT_CLASS certificate_class = CKO_CERTIFICATE; -static CK_OBJECT_CLASS public_key_class = CKO_PUBLIC_KEY; -static CK_OBJECT_CLASS extension_class = CKO_X_CERTIFICATE_EXTENSION; -static CK_CERTIFICATE_TYPE x509_type = CKC_X_509; -static CK_BBOOL truev = CK_TRUE; - -static CK_ATTRIBUTE cacert3_trusted[] = { - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_CLASS, &certificate_class, sizeof (certificate_class) }, - { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) }, - { CKA_LABEL, "Cacert3 Here", 11 }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, - { CKA_TRUSTED, &truev, sizeof (truev) }, - { CKA_ID, "ID1", 3 }, - { CKA_INVALID }, -}; - -static CK_ATTRIBUTE cacert3_distrusted[] = { - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_CLASS, &certificate_class, sizeof (certificate_class) }, - { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) }, - { CKA_LABEL, "Another CaCert", 11 }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_X_DISTRUSTED, &truev, sizeof (truev) }, - { CKA_INVALID }, -}; - -static CK_ATTRIBUTE cacert3_distrusted_by_key[] = { - { CKA_CLASS, &public_key_class, sizeof (public_key_class) }, - { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, - { CKA_X_DISTRUSTED, &truev, sizeof (truev) }, - { CKA_INVALID }, -}; - -static CK_ATTRIBUTE certificate_filter[] = { - { CKA_CLASS, &certificate_class, sizeof (certificate_class) }, - { CKA_INVALID }, -}; - -static CK_ATTRIBUTE extension_eku_server_client[] = { - { CKA_CLASS, &extension_class, sizeof (extension_class) }, - { CKA_ID, "ID1", 3 }, - { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, - { CKA_VALUE, "\x30\x1d\x06\x03\x55\x1d\x25\x04\x16\x30\x14\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02", 31 }, - { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, - { CKA_INVALID }, -}; - -static CK_ATTRIBUTE extension_eku_invalid[] = { - { CKA_CLASS, &extension_class, sizeof (extension_class) }, - { CKA_ID, "ID1", 3 }, - { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, - { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, - { CKA_VALUE, "\x30\x0e\x06\x03\x55\x1d\x25\x04\x07\x69\x6e\x76\x61\x6c\x69\x64", 16 }, - { CKA_INVALID }, -}; - -static void -test_info_simple_certificate (void) -{ - void *value; - size_t length; - CK_RV rv; - - assert_ptr_not_null (test.ex.asn1_defs); - - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_trusted); - mock_module_add_object (MOCK_SLOT_ONE_ID, extension_eku_server_client); - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_enumerate_ready (&test.ex, NULL); - - rv = p11_kit_iter_next (test.ex.iter); - assert_num_eq (CKR_OK, rv); - - assert_num_eq (CKO_CERTIFICATE, test.ex.klass); - assert_ptr_not_null (test.ex.attrs); - value = p11_attrs_find_value (test.ex.attrs, CKA_VALUE, &length); - assert_ptr_not_null (value); - assert (memcmp (value, test_cacert3_ca_der, length) == 0); - assert_ptr_not_null (test.ex.cert_der); - assert (memcmp (test.ex.cert_der, test_cacert3_ca_der, test.ex.cert_len) == 0); - assert_ptr_not_null (test.ex.cert_asn); - - rv = p11_kit_iter_next (test.ex.iter); - assert_num_eq (CKR_CANCEL, rv); -} - -static void -test_info_limit_purposes (void) -{ - CK_RV rv; - - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_trusted); - mock_module_add_object (MOCK_SLOT_ONE_ID, extension_eku_server_client); - - /* This should not match the above, with the attached certificat ext */ - assert_ptr_eq (NULL, test.ex.limit_to_purposes); - p11_enumerate_opt_purpose (&test.ex, "1.1.1"); - assert_ptr_not_null (test.ex.limit_to_purposes); - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_enumerate_ready (&test.ex, NULL); - - rv = p11_kit_iter_next (test.ex.iter); - assert_num_eq (CKR_CANCEL, rv); -} - -static void -test_info_invalid_purposes (void) -{ - CK_RV rv; - - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_trusted); - mock_module_add_object (MOCK_SLOT_ONE_ID, extension_eku_invalid); - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_enumerate_ready (&test.ex, NULL); - - p11_kit_be_quiet (); - - /* No results due to invalid purpose on certificate */ - rv = p11_kit_iter_next (test.ex.iter); - assert_num_eq (CKR_CANCEL, rv); - - p11_kit_be_loud (); -} - -static void -test_info_skip_non_certificate (void) -{ - CK_RV rv; - - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_trusted); - - p11_enumerate_ready (&test.ex, NULL); - - p11_message_quiet (); - - rv = p11_kit_iter_next (test.ex.iter); - assert_num_eq (CKR_OK, rv); - - assert_num_eq (CKO_CERTIFICATE, test.ex.klass); - - rv = p11_kit_iter_next (test.ex.iter); - assert_num_eq (CKR_CANCEL, rv); - - p11_message_loud (); -} - -static void -test_limit_to_purpose_match (void) -{ - CK_RV rv; - - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_trusted); - mock_module_add_object (MOCK_SLOT_ONE_ID, extension_eku_server_client); - - p11_enumerate_opt_purpose (&test.ex, P11_OID_SERVER_AUTH_STR); - p11_enumerate_ready (&test.ex, NULL); - - p11_message_quiet (); - - rv = p11_kit_iter_next (test.ex.iter); - assert_num_eq (CKR_OK, rv); - - p11_message_loud (); -} - -static void -test_limit_to_purpose_no_match (void) -{ - CK_RV rv; - - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_trusted); - mock_module_add_object (MOCK_SLOT_ONE_ID, extension_eku_server_client); - - p11_enumerate_opt_purpose (&test.ex, "3.3.3.3"); - p11_enumerate_ready (&test.ex, NULL); - - p11_message_quiet (); - - rv = p11_kit_iter_next (test.ex.iter); - assert_num_eq (CKR_CANCEL, rv); - - p11_message_loud (); -} - -static void -test_duplicate_extract (void) -{ - CK_ATTRIBUTE certificate = { CKA_CLASS, &certificate_class, sizeof (certificate_class) }; - CK_RV rv; - - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_trusted); - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_distrusted); - - p11_kit_iter_add_filter (test.ex.iter, &certificate, 1); - p11_enumerate_ready (&test.ex, NULL); - - rv = p11_kit_iter_next (test.ex.iter); - assert_num_eq (CKR_OK, rv); - - rv = p11_kit_iter_next (test.ex.iter); - assert_num_eq (CKR_OK, rv); - - rv = p11_kit_iter_next (test.ex.iter); - assert_num_eq (CKR_CANCEL, rv); -} - -static void -test_duplicate_distrusted (void) -{ - CK_ATTRIBUTE certificate = { CKA_CLASS, &certificate_class, sizeof (certificate_class) }; - CK_ATTRIBUTE attrs[] = { - { CKA_X_DISTRUSTED, NULL, 0 }, - }; - - CK_BBOOL val; - CK_RV rv; - - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_distrusted); - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_trusted); - - test.ex.flags = P11_ENUMERATE_COLLAPSE; - p11_kit_iter_add_filter (test.ex.iter, &certificate, 1); - p11_enumerate_ready (&test.ex, NULL); - - rv = p11_kit_iter_next (test.ex.iter); - assert_num_eq (CKR_OK, rv); - - rv = p11_kit_iter_load_attributes (test.ex.iter, attrs, 1); - assert_num_eq (CKR_OK, rv); - assert (p11_attrs_findn_bool (attrs, 1, CKA_X_DISTRUSTED, &val)); - assert_num_eq (val, CK_TRUE); - free (attrs[0].pValue); - - rv = p11_kit_iter_next (test.ex.iter); - assert_num_eq (CKR_CANCEL, rv); -} - -static void -test_trusted_match (void) -{ - CK_ATTRIBUTE certificate = { CKA_CLASS, &certificate_class, sizeof (certificate_class) }; - CK_RV rv; - - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_trusted); - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_distrusted); - - test.ex.flags = P11_ENUMERATE_ANCHORS; - p11_kit_iter_add_filter (test.ex.iter, &certificate, 1); - p11_enumerate_ready (&test.ex, NULL); - - rv = p11_kit_iter_next (test.ex.iter); - assert_num_eq (CKR_CANCEL, rv); -} - -static void -test_distrust_match (void) -{ - CK_ATTRIBUTE certificate = { CKA_CLASS, &certificate_class, sizeof (certificate_class) }; - CK_BBOOL boolv; - CK_RV rv; - - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_trusted); - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_distrusted); - - test.ex.flags = P11_ENUMERATE_BLACKLIST; - p11_kit_iter_add_filter (test.ex.iter, &certificate, 1); - p11_enumerate_ready (&test.ex, NULL); - - rv = p11_kit_iter_next (test.ex.iter); - assert_num_eq (CKR_OK, rv); - - if (!p11_attrs_find_bool (test.ex.attrs, CKA_X_DISTRUSTED, &boolv)) - boolv = CK_FALSE; - assert_num_eq (CK_TRUE, boolv); - - rv = p11_kit_iter_next (test.ex.iter); - assert_num_eq (CKR_CANCEL, rv); -} - -static void -test_override_by_issuer_serial (void) -{ - CK_ATTRIBUTE certificate = { CKA_CLASS, &certificate_class, sizeof (certificate_class) }; - CK_BBOOL distrusted = CK_FALSE; - CK_RV rv; - - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_trusted); - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_distrusted); - - test.ex.flags = P11_ENUMERATE_ANCHORS | P11_ENUMERATE_BLACKLIST; - p11_kit_iter_add_filter (test.ex.iter, &certificate, 1); - p11_enumerate_ready (&test.ex, NULL); - - rv = p11_kit_iter_next (test.ex.iter); - assert_num_eq (CKR_OK, rv); - - assert (p11_attrs_find_bool (test.ex.attrs, CKA_X_DISTRUSTED, &distrusted)); - assert_num_eq (CK_TRUE, distrusted); - - rv = p11_kit_iter_next (test.ex.iter); - assert_num_eq (CKR_CANCEL, rv); -} - -static void -test_override_by_public_key (void) -{ - CK_ATTRIBUTE certificate = { CKA_CLASS, &certificate_class, sizeof (certificate_class) }; - CK_RV rv; - - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_trusted); - mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_distrusted_by_key); - - test.ex.flags = P11_ENUMERATE_ANCHORS | P11_ENUMERATE_BLACKLIST; - p11_kit_iter_add_filter (test.ex.iter, &certificate, 1); - p11_enumerate_ready (&test.ex, NULL); - - /* No results returned, because distrust is not a cert */ - rv = p11_kit_iter_next (test.ex.iter); - assert_num_eq (CKR_CANCEL, rv); -} - -int -main (int argc, - char *argv[]) -{ - mock_module_init (); - - p11_test (test_file_name_for_label, "/extract/test_file_name_for_label"); - p11_test (test_file_name_for_class, "/extract/test_file_name_for_class"); - p11_test (test_comment_for_label, "/extract/test_comment_for_label"); - p11_test (test_comment_not_enabled, "/extract/test_comment_not_enabled"); - - p11_fixture (setup, teardown); - p11_test (test_info_simple_certificate, "/extract/test_info_simple_certificate"); - p11_test (test_info_limit_purposes, "/extract/test_info_limit_purposes"); - p11_test (test_info_invalid_purposes, "/extract/test_info_invalid_purposes"); - p11_test (test_info_skip_non_certificate, "/extract/test_info_skip_non_certificate"); - p11_test (test_limit_to_purpose_match, "/extract/test_limit_to_purpose_match"); - p11_test (test_limit_to_purpose_no_match, "/extract/test_limit_to_purpose_no_match"); - p11_test (test_duplicate_extract, "/extract/test_duplicate_extract"); - p11_test (test_duplicate_distrusted, "/extract/test-duplicate-distrusted"); - p11_test (test_trusted_match, "/extract/test_trusted_match"); - p11_test (test_distrust_match, "/extract/test_distrust_match"); - p11_test (test_override_by_issuer_serial, "/extract/override-by-issuer-and-serial"); - p11_test (test_override_by_public_key, "/extract/override-by-public-key"); - - return p11_test_run (argc, argv); -} - -#include "enumerate.c" diff --git a/trust/test-extract.in b/trust/test-extract.in deleted file mode 100644 index 59f6cd6..0000000 --- a/trust/test-extract.in +++ /dev/null @@ -1,189 +0,0 @@ -#!/bin/sh - -set -euf - -# ----------------------------------------------------------------------------- -# Basic fundamentals - -prefix=@prefix@ -exec_prefix=@exec_prefix@ -datarootdir=@datarootdir@ -datadir=@datadir@ -sysconfdir=@sysconfdir@ -libdir=@libdir@ -privatedir=@privatedir@ -with_trust_paths=@with_trust_paths@ -script=$(basename $0) - -# ----------------------------------------------------------------------------- -# Testing - -warning() -{ - echo "$script: $@" >&2 -} - -assert_fail() -{ - warning $@ - exit 1 -} - -assert_contains() -{ - if ! grep -qF $2 $1; then - assert_fail "$1 does not contain $2" - fi -} - -assert_not_contains() -{ - if grep -qF $2 $1; then - assert_fail "$1 contains $2" - fi -} - -teardown() -{ - for x in $TD; do - if [ -d $x ]; then - rmdir $x - elif [ -f $x ]; then - rm $x - fi - done - TD="" -} - -teardown_dirty() -{ - echo "not ok $TEST_NUMBER $TEST_NAME" - teardown -} - -openssl_quiet() -( - command='/Generating a|-----|^[.+]+$|writing new private key/d' - exec 3>&1 - openssl $@ 2>&1 >&3 3>&- | sed -r "$command" 3>&- -) - -skip() -{ - TEST_SKIP=yes - echo "ok $TEST_NUMBER # skip $TEST_NAME: $@" -} - -setup() -{ - # Parse the trust paths - oldifs="$IFS" - IFS=: - set $with_trust_paths - IFS="$oldifs" - - if [ ! -d $1 ]; then - skip "$1 is not a directory" - return - fi - - SOURCE_1=$1 - if [ $# -lt 2 ]; then - warning "certain tests neutered if only 1 trust path: $with_trust_paths" - SOURCE_2=$1 - else - SOURCE_2=$2 - fi - - # Make a temporary directory - dir=$(mktemp -d) - cd $dir - CLEANUP="$dir $TD" - - # Generate a unique identifier - CERT_1_CN=test_$(dd if=/dev/urandom count=40 bs=1 status=none | base64 | tr -d '+/=') - CERT_2_CN=test_$(dd if=/dev/urandom count=40 bs=1 status=none | base64 | tr -d '+/=') - CERT_3_CN=test_$(dd if=/dev/urandom count=40 bs=1 status=none | base64 | tr -d '+/=') - - # Generate relevant certificates - openssl_quiet req -x509 -newkey rsa:512 -keyout /dev/null -days 3 -nodes \ - -out cert_1.pem -subj /CN=$CERT_1_CN - openssl_quiet req -x509 -newkey rsa:512 -keyout /dev/null -days 3 -nodes \ - -out cert_2.pem -subj /CN=$CERT_2_CN - openssl_quiet req -x509 -newkey rsa:512 -keyout /dev/null -days 3 -nodes \ - -out cert_3.pem -subj /CN=$CERT_3_CN - - TD="cert_1.pem cert_2.pem cert_3.pem $TD" - - mkdir -p $SOURCE_1/anchors - cp cert_1.pem $SOURCE_1/anchors/ - - mkdir -p $SOURCE_2/anchors - cp cert_2.pem $SOURCE_2/anchors/ - cp cert_3.pem $SOURCE_2/anchors/ - - TD="$SOURCE_1/anchors/cert_1.pem $SOURCE_2/anchors/cert_2.pem $SOURCE_2/anchors/cert_3.pem $TD" -} - -run() -{ - TOTAL=0 - for TEST_NAME in $@; do - TOTAL=$(expr $TOTAL + 1) - done - - echo "1..$TOTAL" - - TEST_NUMBER=0 - for TEST_NAME in $@; do - TEST_NUMBER=$(expr $TEST_NUMBER + 1) - ( - trap teardown_dirty EXIT - trap "teardown_dirty; exit 127" INT TERM - TD="" - - TEST_SKIP=no - setup - - if [ $TEST_SKIP != "yes" ]; then - $TEST_NAME - fi - if [ $TEST_SKIP != "yes" ]; then - echo "ok $TEST_NUMBER $TEST_NAME" - fi - - trap - EXIT - teardown - ) - done -} - -# ----------------------------------------------------------------------------- -# Main tests - -test_extract() -{ - trust extract --filter=ca-anchors --format=pem-bundle \ - --purpose=server-auth --comment \ - extract-test.pem - - assert_contains extract-test.pem $CERT_1_CN - assert_contains extract-test.pem $CERT_2_CN - assert_contains extract-test.pem $CERT_3_CN -} - -test_blacklist() -{ - mkdir -p $SOURCE_1/blacklist - cp cert_3.pem $SOURCE_1/blacklist - TD="$SOURCE_1/blacklist/cert_3.pem $TD" - - trust extract --filter=ca-anchors --format=pem-bundle \ - --purpose=server-auth --comment \ - blacklist-test.pem - - assert_contains blacklist-test.pem $CERT_1_CN - assert_not_contains blacklist-test.pem $CERT_3_CN -} - -run test_extract test_blacklist diff --git a/trust/test-index.c b/trust/test-index.c deleted file mode 100644 index fc861b2..0000000 --- a/trust/test-index.c +++ /dev/null @@ -1,1144 +0,0 @@ -/* - * Copyright (c) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@gnome.org> - */ - -#include "config.h" -#include "test.h" -#include "test-trust.h" - -#include <stdarg.h> -#include <stdlib.h> -#include <stdio.h> -#include <string.h> - -#include "attrs.h" -#include "debug.h" -#include "index.h" -#include "message.h" - -struct { - p11_index *index; -} test; - -static void -setup (void *unused) -{ - test.index = p11_index_new (NULL, NULL, NULL, NULL, NULL); - assert_ptr_not_null (test.index); -} - -static void -teardown (void *unused) -{ - p11_index_free (test.index); - memset (&test, 0, sizeof (test)); -} - -static void -test_take_lookup (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *check; - CK_OBJECT_HANDLE handle; - CK_RV rv; - - attrs = p11_attrs_dup (original); - rv = p11_index_take (test.index, attrs, &handle); - assert (rv == CKR_OK); - - check = p11_index_lookup (test.index, handle); - test_check_attrs (original, check); - - check = p11_index_lookup (test.index, 1UL); - assert_ptr_eq (NULL, check); - - check = p11_index_lookup (test.index, 0UL); - assert_ptr_eq (NULL, check); -} - -static void -test_add_lookup (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE *check; - CK_OBJECT_HANDLE handle; - CK_RV rv; - - rv = p11_index_add (test.index, original, 2, &handle); - assert (rv == CKR_OK); - - check = p11_index_lookup (test.index, handle); - test_check_attrs (original, check); -} - -static void -test_size (void) -{ - static CK_ATTRIBUTE original[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - }; - - CK_RV rv; - - rv = p11_index_add (test.index, original, 2, NULL); - assert (rv == CKR_OK); - - rv = p11_index_add (test.index, original, 2, NULL); - assert (rv == CKR_OK); - - rv = p11_index_add (test.index, original, 2, NULL); - assert (rv == CKR_OK); - - assert_num_eq (3, p11_index_size (test.index)); -} - -static int -compar_ulong (const void *one, - const void *two) -{ - const CK_ULONG *u1 = one; - const CK_ULONG *u2 = two; - - if (*u1 == *u2) - return 0; - if (*u1 < *u2) - return -1; - return 1; -} - -static void -test_snapshot (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - }; - - static const int NUM = 16; - CK_OBJECT_HANDLE expected[NUM]; - CK_OBJECT_HANDLE *snapshot; - int i; - - for (i = 0; i < NUM; i++) - p11_index_add (test.index, original, 2, expected + i); - - snapshot = p11_index_snapshot (test.index, NULL, NULL, 0); - assert_ptr_not_null (snapshot); - - for (i = 0; i < NUM; i++) - assert (snapshot[i] != 0); - assert (snapshot[NUM] == 0); - - qsort (snapshot, NUM, sizeof (CK_OBJECT_HANDLE), compar_ulong); - - for (i = 0; i < NUM; i++) - assert_num_eq (expected[i], snapshot[i]); - - free (snapshot); -} - -static void -test_snapshot_base (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - }; - - static const int NUM = 16; - CK_OBJECT_HANDLE expected[NUM]; - CK_OBJECT_HANDLE *snapshot; - CK_RV rv; - int i; - - for (i = 0; i < NUM; i++) { - rv = p11_index_add (test.index, original, 2, expected + i); - assert (rv == CKR_OK); - } - - snapshot = p11_index_snapshot (test.index, test.index, NULL, 0); - assert_ptr_not_null (snapshot); - - for (i = 0; i < NUM * 2; i++) - assert (snapshot[i] != 0); - assert (snapshot[NUM * 2] == 0); - - qsort (snapshot, NUM * 2, sizeof (CK_OBJECT_HANDLE), compar_ulong); - - for (i = 0; i < NUM * 2; i++) - assert_num_eq (expected[i / 2], snapshot[i]); - - free (snapshot); -} - -static void -test_remove (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *check; - CK_OBJECT_HANDLE handle; - CK_RV rv; - - attrs = p11_attrs_dup (original); - rv = p11_index_take (test.index, attrs, &handle); - assert (rv == CKR_OK); - - check = p11_index_lookup (test.index, handle); - assert_ptr_eq (attrs, check); - - rv = p11_index_remove (test.index, 1UL); - assert (rv == CKR_OBJECT_HANDLE_INVALID); - - rv = p11_index_remove (test.index, handle); - assert (rv == CKR_OK); - - check = p11_index_lookup (test.index, handle); - assert_ptr_eq (NULL, check); -} - -static void -test_set (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE change = { CKA_LABEL, "naay", 4 }; - - CK_ATTRIBUTE changed[] = { - { CKA_LABEL, "naay", 4 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *check; - CK_OBJECT_HANDLE handle; - CK_RV rv; - - attrs = p11_attrs_dup (original); - rv = p11_index_take (test.index, attrs, &handle); - assert (rv == CKR_OK); - - check = p11_index_lookup (test.index, handle); - test_check_attrs (original, check); - - rv = p11_index_set (test.index, handle, &change, 1); - assert (rv == CKR_OK); - - check = p11_index_lookup (test.index, handle); - test_check_attrs (changed, check); - - rv = p11_index_set (test.index, 1UL, &change, 1); - assert (rv == CKR_OBJECT_HANDLE_INVALID); -} - -static void -test_update (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE change = { CKA_LABEL, "naay", 4 }; - - CK_ATTRIBUTE changed[] = { - { CKA_LABEL, "naay", 4 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE *check; - CK_OBJECT_HANDLE handle; - CK_RV rv; - - attrs = p11_attrs_dup (original); - rv = p11_index_take (test.index, attrs, &handle); - assert (rv == CKR_OK); - - check = p11_index_lookup (test.index, handle); - test_check_attrs (original, check); - - attrs = p11_attrs_build (NULL, &change, NULL); - rv = p11_index_update (test.index, handle, attrs); - assert (rv == CKR_OK); - - check = p11_index_lookup (test.index, handle); - test_check_attrs (changed, check); - - attrs = p11_attrs_build (NULL, &change, NULL); - rv = p11_index_update (test.index, 1L, attrs); - assert (rv == CKR_OBJECT_HANDLE_INVALID); -} - -static void -test_find (void) -{ - CK_ATTRIBUTE first[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "one", 3 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE second[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "two", 3 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE third[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "three", 5 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE match3[] = { - { CKA_VALUE, "three", 5 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE match_any[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE match_none[] = { - { CKA_VALUE, "blonononon", 10 }, - { CKA_LABEL, "yay", 3 }, - { CKA_INVALID } - }; - - CK_OBJECT_HANDLE check; - CK_OBJECT_HANDLE one; - CK_OBJECT_HANDLE two; - CK_OBJECT_HANDLE three; - - p11_index_add (test.index, first, 2, &one); - p11_index_add (test.index, second, 2, &two); - p11_index_add (test.index, third, 2, &three); - - check = p11_index_find (test.index, match3, -1); - assert_num_eq (three, check); - - check = p11_index_find (test.index, match3, 1); - assert_num_eq (three, check); - - check = p11_index_find (test.index, match_any, -1); - assert (check == one || check == two || check == three); - - check = p11_index_find (test.index, match_any, 1); - assert (check == one || check == two || check == three); - - check = p11_index_find (test.index, match_none, -1); - assert_num_eq (0, check); - - check = p11_index_find (test.index, match_none, 2); - assert_num_eq (0, check); -} - -static bool -handles_are (CK_OBJECT_HANDLE *handles, - ...) -{ - CK_OBJECT_HANDLE handle; - bool matched = true; - int count; - int num; - va_list va; - int i; - - if (!handles) - return false; - - /* Count number of handles */ - for (num = 0; handles[num]; num++); - - va_start (va, handles); - - for (count = 0; matched; count++) { - handle = va_arg (va, CK_OBJECT_HANDLE); - if (handle == 0) - break; - - for (i = 0; handles[i]; i++) { - if (handle == handles[i]) - break; - } - - if (handles[i] != handle) - matched = false; - } - - va_end (va); - - return matched && (count == num); -} - -static void -test_find_all (void) -{ - CK_ATTRIBUTE first[] = { - { CKA_LABEL, "odd", 3 }, - { CKA_VALUE, "one", 3 }, - { CKA_APPLICATION, "test", 4 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE second[] = { - { CKA_LABEL, "even", 4 }, - { CKA_VALUE, "two", 3 }, - { CKA_APPLICATION, "test", 4 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE third[] = { - { CKA_LABEL, "odd", 3 }, - { CKA_VALUE, "three", 5 }, - { CKA_APPLICATION, "test", 4 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE match_odd[] = { - { CKA_LABEL, "odd", 3 }, - { CKA_APPLICATION, "test", 4 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE match_3[] = { - { CKA_VALUE, "three", 5 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE match_any[] = { - { CKA_INVALID } - }; - - CK_ATTRIBUTE match_none[] = { - { CKA_VALUE, "blonononon", 10 }, - { CKA_LABEL, "yay", 3 }, - { CKA_INVALID } - }; - - CK_OBJECT_HANDLE *check; - CK_OBJECT_HANDLE one; - CK_OBJECT_HANDLE two; - CK_OBJECT_HANDLE three; - - p11_index_add (test.index, first, 3, &one); - p11_index_add (test.index, second, 3, &two); - p11_index_add (test.index, third, 3, &three); - - check = p11_index_find_all (test.index, match_3, -1); - assert (handles_are (check, three, 0UL)); - free (check); - - check = p11_index_find_all (test.index, match_none, -1); - assert (handles_are (check, 0UL)); - free (check); - - check = p11_index_find_all (test.index, match_odd, -1); - assert (handles_are (check, one, three, 0UL)); - free (check); - - check = p11_index_find_all (test.index, match_any, -1); - assert (handles_are (check, one, two, three, 0UL)); - free (check); - - check = p11_index_find_all (test.index, match_none, -1); - assert_ptr_not_null (check); - assert_num_eq (0, check[0]); - free (check); - - /* A double check of this method */ - one = 0UL; - check = &one; - assert (!handles_are (check, 29292929, 0UL)); - assert (!handles_are (NULL, 0UL)); -} - -static void -test_find_realloc (void) -{ - CK_ATTRIBUTE attrs[] = { - { CKA_LABEL, "odd", 3 }, - { CKA_VALUE, "one", 3 }, - { CKA_APPLICATION, "test", 4 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE match[] = { - { CKA_INVALID } - }; - - CK_OBJECT_HANDLE *check; - int i; - - for (i = 0; i < 1000; i++) - p11_index_add (test.index, attrs, 3, NULL); - - check = p11_index_find_all (test.index, match, -1); - assert_ptr_not_null (check); - - for (i = 0; i < 1000; i++) - assert (check[i] != 0); - assert_num_eq (0, check[1000]); - - free (check); -} - -static void -test_replace_all (void) -{ - CK_ATTRIBUTE first[] = { - { CKA_LABEL, "odd", 3 }, - { CKA_VALUE, "one", 3 }, - { CKA_APPLICATION, "test", 4 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE second[] = { - { CKA_LABEL, "even", 4 }, - { CKA_VALUE, "two", 3 }, - { CKA_APPLICATION, "test", 4 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE third[] = { - { CKA_LABEL, "odd", 3 }, - { CKA_VALUE, "three", 5 }, - { CKA_APPLICATION, "test", 4 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE fifth[] = { - { CKA_LABEL, "odd", 3 }, - { CKA_VALUE, "five", 4 }, - { CKA_APPLICATION, "test", 4 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE match[] = { - { CKA_LABEL, "odd", 3 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE eins[] = { - { CKA_LABEL, "odd", 3 }, - { CKA_VALUE, "one", 3 }, - { CKA_APPLICATION, "replace", 7 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE sieben[] = { - { CKA_LABEL, "odd", 3 }, - { CKA_VALUE, "seven", 5 }, - { CKA_APPLICATION, "replace", 7 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE neun[] = { - { CKA_LABEL, "odd", 3 }, - { CKA_VALUE, "nine", 4 }, - { CKA_APPLICATION, "replace", 7 }, - { CKA_INVALID } - }; - - CK_OBJECT_HANDLE check; - CK_OBJECT_HANDLE one; - CK_OBJECT_HANDLE two; - CK_OBJECT_HANDLE three; - CK_OBJECT_HANDLE five; - p11_array *array; - CK_RV rv; - - p11_index_add (test.index, first, 3, &one); - assert (one != 0); - p11_index_add (test.index, second, 3, &two); - assert (two != 0); - p11_index_add (test.index, third, 3, &three); - assert (three != 0); - p11_index_add (test.index, fifth, 3, &five); - assert (five != 0); - - array = p11_array_new (p11_attrs_free); - p11_array_push (array, p11_attrs_buildn (NULL, eins, 3)); - p11_array_push (array, p11_attrs_buildn (NULL, sieben, 3)); - p11_array_push (array, p11_attrs_buildn (NULL, neun, 3)); - - rv = p11_index_replace_all (test.index, match, CKA_VALUE, array); - assert (rv == CKR_OK); - - assert_num_eq (0, array->num); - p11_array_free (array); - - /* eins should have replaced one */ - check = p11_index_find (test.index, eins, -1); - assert_num_eq (one, check); - - /* two should still be around */ - check = p11_index_find (test.index, second, -1); - assert_num_eq (two, check); - - /* three should have been removed */ - check = p11_index_find (test.index, third, -1); - assert_num_eq (0, check); - - /* five should have been removed */ - check = p11_index_find (test.index, fifth, -1); - assert_num_eq (0, check); - - /* sieben should have been added */ - check = p11_index_find (test.index, sieben, -1); - assert (check != one && check != two && check != three && check != five); - - /* neun should have been added */ - check = p11_index_find (test.index, neun, -1); - assert (check != one && check != two && check != three && check != five); - - assert_num_eq (4, p11_index_size (test.index)); -} - -static CK_RV -on_index_build_fail (void *data, - p11_index *index, - CK_ATTRIBUTE *attrs, - CK_ATTRIBUTE *merge, - CK_ATTRIBUTE **populate) -{ - CK_ATTRIBUTE *match = data; - - if (p11_attrs_match (merge, match)) - return CKR_FUNCTION_FAILED; - - return CKR_OK; -} - -static void -test_replace_all_build_fails (void) -{ - CK_ATTRIBUTE replace[] = { - { CKA_LABEL, "odd", 3 }, - { CKA_VALUE, "one", 3 }, - { CKA_APPLICATION, "test", 4 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE match[] = { - { CKA_LABEL, "odd", 3 }, - { CKA_INVALID } - }; - - p11_array *array; - p11_index *index; - CK_RV rv; - - index = p11_index_new (on_index_build_fail, NULL, NULL, NULL, &match); - assert_ptr_not_null (index); - - array = p11_array_new (p11_attrs_free); - if (!p11_array_push (array, p11_attrs_dup (replace))) - assert_not_reached (); - - rv = p11_index_replace_all (index, NULL, CKA_INVALID, array); - assert_num_eq (rv, CKR_FUNCTION_FAILED); - - p11_array_free (array); - p11_index_free (index); -} - - -static CK_RV -on_build_populate (void *data, - p11_index *index, - CK_ATTRIBUTE *attrs, - CK_ATTRIBUTE *merge, - CK_ATTRIBUTE **populate) -{ - CK_ATTRIBUTE more[] = { - { CKA_APPLICATION, "vigorous", 8 }, - { CKA_LABEL, "naay", 4 }, - }; - - assert_str_eq (data, "blah"); - assert_ptr_not_null (index); - assert_ptr_not_null (merge); - - *populate = p11_attrs_buildn (*populate, more, 2); - return CKR_OK; -} - -static void -test_build_populate (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - - }; - - CK_ATTRIBUTE after[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_APPLICATION, "vigorous", 8 }, - { CKA_INVALID } - }; - - CK_OBJECT_HANDLE handle; - CK_ATTRIBUTE *check; - p11_index *index; - CK_RV rv; - - index = p11_index_new (on_build_populate, NULL, NULL, NULL, "blah"); - assert_ptr_not_null (index); - - rv = p11_index_add (index, original, 2, &handle); - assert (rv == CKR_OK); - - check = p11_index_lookup (index, handle); - assert_ptr_not_null (check); - - test_check_attrs (after, check); - - rv = p11_index_set (index, handle, original, 2); - assert (rv == CKR_OK); - - check = p11_index_lookup (index, handle); - assert_ptr_not_null (check); - - test_check_attrs (after, check); - - p11_index_free (index); -} - -static CK_RV -on_build_fail (void *data, - p11_index *index, - CK_ATTRIBUTE *attrs, - CK_ATTRIBUTE *merge, - CK_ATTRIBUTE **populate) -{ - CK_ATTRIBUTE check[] = { - { CKA_LABEL, "nay", 3 }, - { CKA_INVALID } - }; - - assert_str_eq (data, "testo"); - assert_ptr_not_null (merge); - - if (p11_attrs_match (merge, check)) - return CKR_DEVICE_ERROR; - - return CKR_OK; -} - - -static void -test_build_fail (void) -{ - CK_ATTRIBUTE okay[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE fails[] = { - { CKA_LABEL, "nay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - }; - - CK_OBJECT_HANDLE handle; - p11_index *index; - CK_RV rv; - - index = p11_index_new (on_build_fail, NULL, NULL, NULL, "testo"); - assert_ptr_not_null (index); - - rv = p11_index_add (index, okay, 2, &handle); - assert (rv == CKR_OK); - - rv = p11_index_add (index, fails, 2, NULL); - assert (rv == CKR_DEVICE_ERROR); - - rv = p11_index_set (index, handle, fails, 2); - assert (rv == CKR_DEVICE_ERROR); - - rv = p11_index_set (index, handle, okay, 2); - assert (rv == CKR_OK); - - p11_index_free (index); -} - -static int on_change_called = 0; -static bool on_change_removing = false; -static bool on_change_batching = false; - -static void -on_change_check (void *data, - p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *attrs) -{ - CK_ATTRIBUTE check[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - - }; - - assert_str_eq (data, "change-check"); - assert_ptr_not_null (index); - assert_ptr_not_null (attrs); - - if (!on_change_batching) { - if (on_change_removing) - assert_num_eq (0, handle); - else - assert (handle != 0); - } - - test_check_attrs (check, attrs); - on_change_called++; -} - -static void -test_change_called (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - - }; - - CK_OBJECT_HANDLE handle; - p11_index *index; - CK_RV rv; - - index = p11_index_new (NULL, NULL, NULL, on_change_check, "change-check"); - assert_ptr_not_null (index); - - on_change_removing = false; - on_change_called = 0; - - rv = p11_index_add (index, original, 2, NULL); - assert (rv == CKR_OK); - - assert_num_eq (1, on_change_called); - - rv = p11_index_add (index, original, 2, NULL); - assert (rv == CKR_OK); - - assert_num_eq (2, on_change_called); - - rv = p11_index_add (index, original, 2, &handle); - assert (rv == CKR_OK); - - assert_num_eq (3, on_change_called); - - on_change_removing = true; - - rv = p11_index_remove (index, handle); - assert (rv == CKR_OK); - - assert_num_eq (4, on_change_called); - - p11_index_free (index); -} - -static void -test_change_batch (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - - }; - - CK_OBJECT_HANDLE handle; - p11_index *index; - CK_RV rv; - - index = p11_index_new (NULL, NULL, NULL, on_change_check, "change-check"); - assert_ptr_not_null (index); - - on_change_batching = true; - on_change_called = 0; - - p11_index_load (index); - - assert (p11_index_loading (index)); - - rv = p11_index_add (index, original, 2, NULL); - assert (rv == CKR_OK); - - assert_num_eq (0, on_change_called); - - rv = p11_index_add (index, original, 2, NULL); - assert (rv == CKR_OK); - - assert_num_eq (0, on_change_called); - - rv = p11_index_add (index, original, 2, &handle); - assert (rv == CKR_OK); - - assert_num_eq (0, on_change_called); - - /* Nested batch is a noop */ - p11_index_load (index); - - rv = p11_index_remove (index, handle); - assert (rv == CKR_OK); - - assert_num_eq (0, on_change_called); - - /* - * Batch finishes when first finish call is called, - * even when batches are nested - */ - p11_index_finish (index); - - assert (!p11_index_loading (index)); - - /* - * Only three calls, because later operations on the - * same handle override the earlier one. - */ - assert_num_eq (3, on_change_called); - - /* This is a noop */ - p11_index_finish (index); - - assert (!p11_index_loading (index)); - - p11_index_free (index); -} - -static void -on_change_nested (void *data, - p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *attrs) -{ - CK_RV rv; - - CK_ATTRIBUTE second[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - - }; - - assert_str_eq (data, "change-nested"); - on_change_called++; - - /* A nested call */ - rv = p11_index_add (index, second, 2, NULL); - assert (rv == CKR_OK); -} - -static void -test_change_nested (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - - }; - - p11_index *index; - CK_RV rv; - - index = p11_index_new (NULL, NULL, NULL, on_change_nested, "change-nested"); - assert_ptr_not_null (index); - - on_change_called = 0; - rv = p11_index_add (index, original, 2, NULL); - assert (rv == CKR_OK); - assert_num_eq (1, on_change_called); - - - on_change_called = 0; - p11_index_load (index); - rv = p11_index_add (index, original, 2, NULL); - assert (rv == CKR_OK); - p11_index_finish (index); - assert_num_eq (1, on_change_called); - - p11_index_free (index); -} - -static CK_RV -on_remove_callback (void *data, - p11_index *index, - CK_ATTRIBUTE *attrs) -{ - int *removed = data; - assert_ptr_not_null (removed); - assert_num_eq (*removed, 0); - *removed = 1; - return CKR_OK; -} - -static void -test_remove_callback (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - - }; - - CK_OBJECT_HANDLE handle; - p11_index *index; - int removed = 0; - CK_RV rv; - - index = p11_index_new (NULL, NULL, on_remove_callback, NULL, &removed); - assert_ptr_not_null (index); - - rv = p11_index_add (index, original, 2, &handle); - assert_num_eq (rv, CKR_OK); - - assert_ptr_not_null (p11_index_lookup (index, handle)); - - rv = p11_index_remove (index, handle); - assert_num_eq (rv, CKR_OK); - - assert_num_eq (removed, 1); - assert_ptr_eq (p11_index_lookup (index, handle), NULL); - - p11_index_free (index); -} - -static CK_RV -on_remove_fail (void *data, - p11_index *index, - CK_ATTRIBUTE *attrs) -{ - assert_str_eq (data, "remove-fail"); - return CKR_DEVICE_REMOVED; -} - -static void -test_remove_fail (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - - }; - - CK_OBJECT_HANDLE handle; - p11_index *index; - CK_RV rv; - - index = p11_index_new (NULL, NULL, on_remove_fail, NULL, "remove-fail"); - assert_ptr_not_null (index); - - rv = p11_index_add (index, original, 2, &handle); - assert (rv == CKR_OK); - - assert_ptr_not_null (p11_index_lookup (index, handle)); - - rv = p11_index_remove (index, handle); - assert_num_eq (rv, CKR_DEVICE_REMOVED); - - assert_ptr_not_null (p11_index_lookup (index, handle)); - - p11_index_free (index); -} - -int -main (int argc, - char *argv[]) -{ - p11_message_quiet (); - - p11_fixture (setup, teardown); - p11_test (test_add_lookup, "/index/add_lookup"); - p11_test (test_take_lookup, "/index/take_lookup"); - p11_test (test_size, "/index/size"); - p11_test (test_remove, "/index/remove"); - p11_test (test_snapshot, "/index/snapshot"); - p11_test (test_snapshot_base, "/index/snapshot_base"); - p11_test (test_set, "/index/set"); - p11_test (test_update, "/index/update"); - p11_test (test_find, "/index/find"); - p11_test (test_find_all, "/index/find_all"); - p11_test (test_find_realloc, "/index/find_realloc"); - p11_test (test_replace_all, "/index/replace_all"); - - p11_fixture (NULL, NULL); - p11_test (test_build_populate, "/index/build_populate"); - p11_test (test_build_fail, "/index/build_fail"); - p11_test (test_change_called, "/index/change_called"); - p11_test (test_change_batch, "/index/change_batch"); - p11_test (test_change_nested, "/index/change_nested"); - p11_test (test_replace_all_build_fails, "/index/replace-all-build-fails"); - p11_test (test_remove_callback, "/index/remove-callback"); - p11_test (test_remove_fail, "/index/remove-fail"); - - return p11_test_run (argc, argv); -} diff --git a/trust/test-module.c b/trust/test-module.c deleted file mode 100644 index 1729b41..0000000 --- a/trust/test-module.c +++ /dev/null @@ -1,1218 +0,0 @@ -/* - * Copyright (c) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@gnome.org> - */ - -#define CRYPTOKI_EXPORTS - -#include "config.h" -#include "test.h" -#include "test-trust.h" - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> - -#include "attrs.h" -#include "digest.h" -#include "library.h" -#include "path.h" -#include "parser.h" -#include "pkcs11x.h" -#include "token.h" - -#include <assert.h> - -/* - * This is the number of input paths. Should match the - * paths below near : - * - * paths='%s' - */ -#define NUM_SLOTS 3 - -static CK_OBJECT_CLASS data = CKO_DATA; -static CK_BBOOL vtrue = CK_TRUE; -static CK_BBOOL vfalse = CK_FALSE; - -struct { - CK_FUNCTION_LIST *module; - CK_SLOT_ID slots[NUM_SLOTS]; - char *directory; - p11_asn1_cache *cache; - p11_parser *parser; -} test; - -static void -setup (void *unused) -{ - CK_C_INITIALIZE_ARGS args; - const char *paths; - char *arguments; - CK_ULONG count; - CK_RV rv; - - memset (&test, 0, sizeof (test)); - - /* This is the entry point of the trust module, linked to this test */ - rv = C_GetFunctionList (&test.module); - assert (rv == CKR_OK); - - memset (&args, 0, sizeof (args)); - paths = SRCDIR "/trust/input" P11_PATH_SEP \ - SRCDIR "/trust/fixtures/self-signed-with-ku.der" P11_PATH_SEP \ - SRCDIR "/trust/fixtures/thawte.pem"; - if (asprintf (&arguments, "paths='%s'", paths) < 0) - assert (false && "not reached"); - args.pReserved = arguments; - args.flags = CKF_OS_LOCKING_OK; - - rv = test.module->C_Initialize (&args); - assert (rv == CKR_OK); - - free (arguments); - - count = NUM_SLOTS; - rv = test.module->C_GetSlotList (CK_TRUE, test.slots, &count); - assert (rv == CKR_OK); - assert (count == NUM_SLOTS); -} - -static void -teardown (void *unused) -{ - CK_RV rv; - - if (test.parser) - p11_parser_free (test.parser); - p11_asn1_cache_free (test.cache); - - rv = test.module->C_Finalize (NULL); - assert (rv == CKR_OK); - - free (test.directory); - - memset (&test, 0, sizeof (test)); -} - -static void -setup_writable (void *unused) -{ - CK_C_INITIALIZE_ARGS args; - char *arguments; - CK_ULONG count; - CK_RV rv; - - memset (&test, 0, sizeof (test)); - - /* This is the entry point of the trust module, linked to this test */ - rv = C_GetFunctionList (&test.module); - assert (rv == CKR_OK); - - test.directory = p11_test_directory ("test-module"); - - memset (&args, 0, sizeof (args)); - if (asprintf (&arguments, "paths='%s'", test.directory) < 0) - assert (false && "not reached"); - args.pReserved = arguments; - args.flags = CKF_OS_LOCKING_OK; - - rv = test.module->C_Initialize (&args); - assert (rv == CKR_OK); - - free (arguments); - - count = 1; - rv = test.module->C_GetSlotList (CK_TRUE, test.slots, &count); - assert_num_eq (rv, CKR_OK); - assert_num_eq (count, 1); - - test.cache = p11_asn1_cache_new (); - test.parser = p11_parser_new (test.cache); - p11_parser_formats (test.parser, p11_parser_format_persist, NULL); -} - -static void -test_get_slot_list (void) -{ - CK_SLOT_ID slots[NUM_SLOTS]; - CK_ULONG count; - CK_RV rv; - int i; - - rv = test.module->C_GetSlotList (TRUE, NULL, &count); - assert_num_eq (CKR_OK, rv); - assert_num_eq (NUM_SLOTS, count); - - count = 1; - rv = test.module->C_GetSlotList (TRUE, slots, &count); - assert_num_eq (CKR_BUFFER_TOO_SMALL, rv); - assert_num_eq (NUM_SLOTS, count); - - count = NUM_SLOTS; - memset (slots, 0, sizeof (slots)); - rv = test.module->C_GetSlotList (TRUE, slots, &count); - assert_num_eq (CKR_OK, rv); - assert_num_eq (NUM_SLOTS, count); - - for (i = 0; i < NUM_SLOTS; i++) - assert (slots[i] != 0); -} - -static void -test_null_initialize (void) -{ - CK_FUNCTION_LIST *module; - CK_RV rv; - - /* This is the entry point of the trust module, linked to this test */ - rv = C_GetFunctionList (&module); - assert_num_eq (rv, CKR_OK); - - rv = module->C_Initialize (NULL); - assert_num_eq (rv, CKR_OK); - - rv = module->C_Finalize (NULL); - assert_num_eq (CKR_OK, rv); -} - -static void -test_multi_initialize (void) -{ - static CK_C_INITIALIZE_ARGS args = - { NULL, NULL, NULL, NULL, CKF_OS_LOCKING_OK, NULL, }; - CK_FUNCTION_LIST *module; - CK_SESSION_HANDLE session; - CK_SLOT_ID slots[8]; - CK_SESSION_INFO info; - CK_ULONG count; - CK_RV rv; - - /* This is the entry point of the trust module, linked to this test */ - rv = C_GetFunctionList (&module); - assert_num_eq (rv, CKR_OK); - - args.pReserved = "paths='" SYSCONFDIR "/trust/input'"; - rv = module->C_Initialize (&args); - assert_num_eq (rv, CKR_OK); - - count = 8; - rv = module->C_GetSlotList (CK_TRUE, slots, &count); - assert_num_eq (rv, CKR_OK); - assert_num_cmp (count, ==, 1); - - rv = module->C_OpenSession (slots[0], CKF_SERIAL_SESSION, NULL, NULL, &session); - assert_num_eq (rv, CKR_OK); - - rv = module->C_GetSessionInfo (session, &info); - assert_num_eq (rv, CKR_OK); - assert_num_eq (info.slotID, slots[0]); - - rv = module->C_Initialize (&args); - assert_num_eq (rv, CKR_OK); - - rv = module->C_GetSessionInfo (session, &info); - assert_num_eq (rv, CKR_OK); - assert_num_eq (info.slotID, slots[0]); - - rv = module->C_Finalize (NULL); - assert_num_eq (CKR_OK, rv); - - rv = module->C_Finalize (NULL); - assert_num_eq (CKR_OK, rv); - - rv = module->C_Finalize (NULL); - assert_num_eq (CKR_CRYPTOKI_NOT_INITIALIZED, rv); -} - -static void -test_get_slot_info (void) -{ - CK_SLOT_ID slots[NUM_SLOTS]; - CK_SLOT_INFO info; - char description[64]; - CK_ULONG count; - size_t length; - CK_RV rv; - int i; - - /* These are the paths passed in in setup() */ - const char *paths[] = { - SRCDIR "/trust/input", - SRCDIR "/trust/fixtures/self-signed-with-ku.der", - SRCDIR "/trust/fixtures/thawte.pem" - }; - - count = NUM_SLOTS; - rv = test.module->C_GetSlotList (TRUE, slots, &count); - assert_num_eq (CKR_OK, rv); - assert_num_eq (NUM_SLOTS, count); - - for (i = 0; i < NUM_SLOTS; i++) { - rv = test.module->C_GetSlotInfo (slots[i], &info); - assert_num_eq (CKR_OK, rv); - - memset (description, ' ', sizeof (description)); - length = strlen(paths[i]); - if (length > sizeof (description)) - length = sizeof (description); - memcpy (description, paths[i], length); - assert (memcmp (info.slotDescription, description, sizeof (description)) == 0); - } -} - -static void -test_get_token_info (void) -{ - CK_C_INITIALIZE_ARGS args; - CK_FUNCTION_LIST *module; - CK_SLOT_ID slots[NUM_SLOTS]; - CK_TOKEN_INFO info; - char label[32]; - CK_ULONG count; - CK_RV rv; - int i; - - /* These are the paths passed in in setup() */ - const char *labels[] = { - "System Trust", - "Default Trust", - "the-basename", - }; - - /* This is the entry point of the trust module, linked to this test */ - rv = C_GetFunctionList (&module); - assert (rv == CKR_OK); - - memset (&args, 0, sizeof (args)); - args.pReserved = "paths='" \ - SYSCONFDIR "/trust/input" P11_PATH_SEP \ - DATA_DIR "/trust/fixtures/blah" P11_PATH_SEP \ - "/some/other/path/the-basename'"; - args.flags = CKF_OS_LOCKING_OK; - - rv = module->C_Initialize (&args); - assert (rv == CKR_OK); - - count = NUM_SLOTS; - rv = module->C_GetSlotList (CK_TRUE, slots, &count); - assert (rv == CKR_OK); - assert (count == NUM_SLOTS); - - for (i = 0; i < NUM_SLOTS; i++) { - rv = module->C_GetTokenInfo (slots[i], &info); - assert_num_eq (CKR_OK, rv); - - memset (label, ' ', sizeof (label)); - memcpy (label, labels[i], strlen (labels[i])); - assert (memcmp (info.label, label, sizeof (label)) == 0); - } - - rv = module->C_Finalize (NULL); - assert_num_eq (CKR_OK, rv); -} - -static void -test_get_session_info (void) -{ - CK_SLOT_ID slots[NUM_SLOTS]; - CK_SESSION_HANDLE sessions[NUM_SLOTS]; - CK_SESSION_INFO info; - CK_ULONG count; - CK_RV rv; - int i; - - count = NUM_SLOTS; - rv = test.module->C_GetSlotList (TRUE, slots, &count); - assert_num_eq (CKR_OK, rv); - assert_num_eq (NUM_SLOTS, count); - - /* Open two sessions with each token */ - for (i = 0; i < NUM_SLOTS; i++) { - rv = test.module->C_OpenSession (slots[i], CKF_SERIAL_SESSION, NULL, NULL, &sessions[i]); - assert_num_eq (CKR_OK, rv); - - rv = test.module->C_GetSessionInfo (sessions[i], &info); - assert_num_eq (CKR_OK, rv); - - assert_num_eq (slots[i], info.slotID); - assert_num_eq (CKF_SERIAL_SESSION, info.flags); - } -} - -static void -test_close_all_sessions (void) -{ - CK_SLOT_ID slots[NUM_SLOTS]; - CK_SESSION_HANDLE sessions[NUM_SLOTS][2]; - CK_SESSION_INFO info; - CK_ULONG count; - CK_RV rv; - int i; - - count = NUM_SLOTS; - rv = test.module->C_GetSlotList (TRUE, slots, &count); - assert_num_eq (CKR_OK, rv); - assert_num_eq (NUM_SLOTS, count); - - /* Open two sessions with each token */ - for (i = 0; i < NUM_SLOTS; i++) { - rv = test.module->C_OpenSession (slots[i], CKF_SERIAL_SESSION, NULL, NULL, &sessions[i][0]); - assert_num_eq (CKR_OK, rv); - - rv = test.module->C_GetSessionInfo (sessions[i][0], &info); - assert_num_eq (CKR_OK, rv); - - rv = test.module->C_OpenSession (slots[i], CKF_SERIAL_SESSION, NULL, NULL, &sessions[i][1]); - assert_num_eq (CKR_OK, rv); - - rv = test.module->C_GetSessionInfo (sessions[i][0], &info); - assert_num_eq (CKR_OK, rv); - } - - /* Close all the sessions on the first token */ - rv = test.module->C_CloseAllSessions (slots[0]); - assert_num_eq (CKR_OK, rv); - - /* Those sessions should be closed */ - rv = test.module->C_GetSessionInfo (sessions[0][0], &info); - assert_num_eq (CKR_SESSION_HANDLE_INVALID, rv); - rv = test.module->C_GetSessionInfo (sessions[0][1], &info); - assert_num_eq (CKR_SESSION_HANDLE_INVALID, rv); - - /* Other sessions should still be open */ - for (i = 1; i < NUM_SLOTS; i++) { - rv = test.module->C_GetSessionInfo (sessions[i][0], &info); - assert_num_eq (CKR_OK, rv); - rv = test.module->C_GetSessionInfo (sessions[i][0], &info); - assert_num_eq (CKR_OK, rv); - } -} - -static CK_ULONG -find_objects (CK_ATTRIBUTE *match, - CK_OBJECT_HANDLE *sessions, - CK_OBJECT_HANDLE *objects, - CK_ULONG max_objects) -{ - CK_SESSION_HANDLE session; - CK_RV rv; - CK_ULONG found; - CK_ULONG count; - int i, j; - - found = 0; - for (i = 0; i < NUM_SLOTS; i++) { - rv = test.module->C_OpenSession (test.slots[i], CKF_SERIAL_SESSION, NULL, NULL, &session); - assert (rv == CKR_OK); - - rv = test.module->C_FindObjectsInit (session, match, p11_attrs_count (match)); - assert (rv == CKR_OK); - rv = test.module->C_FindObjects (session, objects + found, max_objects - found, &count); - assert (rv == CKR_OK); - rv = test.module->C_FindObjectsFinal (session); - assert (rv == CKR_OK); - - for (j = found ; j < found + count; j++) - sessions[j] = session; - found += count; - } - - assert (found < max_objects); - return found; -} - -static void -check_trust_object_equiv (CK_SESSION_HANDLE session, - CK_OBJECT_HANDLE trust, - CK_ATTRIBUTE *cert) -{ - unsigned char subject[1024]; - unsigned char issuer[1024]; - unsigned char serial[128]; - CK_BBOOL private; - CK_BBOOL token; - CK_RV rv; - - /* The following attributes should be equivalent to the certificate */ - CK_ATTRIBUTE equiv[] = { - { CKA_TOKEN, &token, sizeof (token) }, - { CKA_PRIVATE, &private, sizeof (private) }, - { CKA_ISSUER, issuer, sizeof (issuer) }, - { CKA_SUBJECT, subject, sizeof (subject) }, - { CKA_SERIAL_NUMBER, serial, sizeof (serial) }, - { CKA_INVALID, }, - }; - - rv = test.module->C_GetAttributeValue (session, trust, equiv, 5); - assert_num_eq (CKR_OK, rv); - - test_check_attrs (equiv, cert); -} - -static void -check_trust_object_hashes (CK_SESSION_HANDLE session, - CK_OBJECT_HANDLE trust, - CK_ATTRIBUTE *cert) -{ - unsigned char sha1[P11_DIGEST_SHA1_LEN]; - unsigned char md5[P11_DIGEST_MD5_LEN]; - unsigned char check[128]; - CK_ATTRIBUTE *value; - CK_RV rv; - - CK_ATTRIBUTE hashes[] = { - { CKA_CERT_SHA1_HASH, sha1, sizeof (sha1) }, - { CKA_CERT_MD5_HASH, md5, sizeof (md5) }, - { CKA_INVALID, }, - }; - - rv = test.module->C_GetAttributeValue (session, trust, hashes, 2); - assert (rv == CKR_OK); - - value = p11_attrs_find_valid (cert, CKA_VALUE); - assert_ptr_not_null (value); - - p11_digest_md5 (check, value->pValue, value->ulValueLen, NULL); - assert (memcmp (md5, check, sizeof (md5)) == 0); - - p11_digest_sha1 (check, value->pValue, value->ulValueLen, NULL); - assert (memcmp (sha1, check, sizeof (sha1)) == 0); -} - -static void -check_has_trust_object (CK_ATTRIBUTE *cert) -{ - CK_OBJECT_CLASS trust_object = CKO_NSS_TRUST; - CK_ATTRIBUTE klass = { CKA_CLASS, &trust_object, sizeof (trust_object) }; - CK_OBJECT_HANDLE objects[2]; - CK_SESSION_HANDLE sessions[2]; - CK_ATTRIBUTE *match; - CK_ATTRIBUTE *attr; - CK_ULONG count; - - attr = p11_attrs_find_valid (cert, CKA_ID); - assert_ptr_not_null (attr); - - match = p11_attrs_build (NULL, &klass, attr, NULL); - count = find_objects (match, sessions, objects, 2); - assert_num_eq (1, count); - - check_trust_object_equiv (sessions[0], objects[0], cert); - check_trust_object_hashes (sessions[0], objects[0], cert); - - p11_attrs_free (match); -} - -static void -check_certificate (CK_SESSION_HANDLE session, - CK_OBJECT_HANDLE handle) -{ - unsigned char label[4096]= { 0, }; - CK_OBJECT_CLASS klass; - unsigned char value[4096]; - unsigned char subject[1024]; - unsigned char issuer[1024]; - unsigned char serial[128]; - unsigned char id[128]; - CK_CERTIFICATE_TYPE type; - CK_BYTE check[3]; - CK_DATE start; - CK_DATE end; - CK_ULONG category; - CK_BBOOL private; - CK_BBOOL token; - CK_RV rv; - - CK_ATTRIBUTE attrs[] = { - { CKA_CLASS, &klass, sizeof (klass) }, - { CKA_TOKEN, &token, sizeof (token) }, - { CKA_PRIVATE, &private, sizeof (private) }, - { CKA_VALUE, value, sizeof (value) }, - { CKA_ISSUER, issuer, sizeof (issuer) }, - { CKA_SUBJECT, subject, sizeof (subject) }, - { CKA_CERTIFICATE_TYPE, &type, sizeof (type) }, - { CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) }, - { CKA_START_DATE, &start, sizeof (start) }, - { CKA_END_DATE, &end, sizeof (end) }, - { CKA_SERIAL_NUMBER, serial, sizeof (serial) }, - { CKA_CHECK_VALUE, check, sizeof (check) }, - { CKA_ID, id, sizeof (id) }, - { CKA_LABEL, label, sizeof (label) }, - { CKA_INVALID, }, - }; - - /* Note that we don't pass the CKA_INVALID attribute in */ - rv = test.module->C_GetAttributeValue (session, handle, attrs, 14); - assert_num_eq (rv, CKR_OK); - - /* If this is the cacert3 certificate, check its values */ - if (memcmp (value, test_cacert3_ca_der, sizeof (test_cacert3_ca_der)) == 0) { - CK_BBOOL trusted; - CK_BBOOL vtrue = CK_TRUE; - - CK_ATTRIBUTE anchor[] = { - { CKA_TRUSTED, &trusted, sizeof (trusted) }, - { CKA_INVALID, }, - }; - - CK_ATTRIBUTE check[] = { - { CKA_TRUSTED, &vtrue, sizeof (vtrue) }, - { CKA_INVALID, }, - }; - - test_check_cacert3_ca (attrs, NULL); - - /* Get anchor specific attributes */ - rv = test.module->C_GetAttributeValue (session, handle, anchor, 1); - assert (rv == CKR_OK); - - /* It lives in the trusted directory */ - test_check_attrs (check, anchor); - - /* Other certificates, we can't check the values */ - } else { - test_check_object (attrs, CKO_CERTIFICATE, NULL); - } - - check_has_trust_object (attrs); -} - -static void -test_find_certificates (void) -{ - CK_OBJECT_CLASS klass = CKO_CERTIFICATE; - - CK_ATTRIBUTE match[] = { - { CKA_CLASS, &klass, sizeof (klass) }, - { CKA_INVALID, } - }; - - CK_OBJECT_HANDLE objects[16]; - CK_SESSION_HANDLE sessions[16]; - CK_ULONG count; - CK_ULONG i; - - count = find_objects (match, sessions, objects, 16); - assert_num_eq (8, count); - - for (i = 0; i < count; i++) - check_certificate (sessions[i], objects[i]); -} - -static void -test_find_builtin (void) -{ - CK_OBJECT_CLASS klass = CKO_NSS_BUILTIN_ROOT_LIST; - - CK_ATTRIBUTE match[] = { - { CKA_CLASS, &klass, sizeof (klass) }, - { CKA_TOKEN, &vtrue, sizeof (vtrue) }, - { CKA_PRIVATE, &vfalse, sizeof (vfalse) }, - { CKA_MODIFIABLE, &vfalse, sizeof (vfalse) }, - { CKA_INVALID, } - }; - - CK_OBJECT_HANDLE objects[16]; - CK_SESSION_HANDLE sessions[16]; - CK_ULONG count; - - /* One per token */ - count = find_objects (match, sessions, objects, 16); - assert_num_eq (NUM_SLOTS, count); -} - -static void -test_session_object (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - }; - - CK_SESSION_HANDLE session; - CK_OBJECT_HANDLE handle; - CK_ULONG size; - CK_RV rv; - - rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION, NULL, NULL, &session); - assert (rv == CKR_OK); - - rv = test.module->C_CreateObject (session, original, 2, &handle); - assert (rv == CKR_OK); - - rv = test.module->C_GetObjectSize (session, handle, &size); - assert (rv == CKR_OK); -} - -static void -test_session_find (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - }; - - CK_SESSION_HANDLE session; - CK_OBJECT_HANDLE handle; - CK_OBJECT_HANDLE check; - CK_ULONG count; - CK_RV rv; - - rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION, NULL, NULL, &session); - assert_num_eq (CKR_OK, rv); - - rv = test.module->C_CreateObject (session, original, 2, &handle); - assert_num_eq (CKR_OK, rv); - - rv = test.module->C_FindObjectsInit (session, original, 2); - assert_num_eq (CKR_OK, rv); - - rv = test.module->C_FindObjects (session, &check, 1, &count); - assert_num_eq (CKR_OK, rv); - assert_num_eq (1, count); - assert_num_eq (handle, check); - - rv = test.module->C_FindObjectsFinal (session); - assert_num_eq (CKR_OK, rv); -} - -static void -test_session_find_no_attr (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE match[] = { - { CKA_COLOR, "blah", 4 }, - { CKA_INVALID } - }; - - CK_SESSION_HANDLE session; - CK_OBJECT_HANDLE handle; - CK_OBJECT_HANDLE check; - CK_ULONG count; - CK_RV rv; - - rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION, NULL, NULL, &session); - assert_num_eq (CKR_OK, rv); - - rv = test.module->C_CreateObject (session, original, 3, &handle); - assert_num_eq (CKR_OK, rv); - - rv = test.module->C_FindObjectsInit (session, match, 1); - assert_num_eq (CKR_OK, rv); - rv = test.module->C_FindObjects (session, &check, 1, &count); - assert_num_eq (CKR_OK, rv); - assert_num_eq (0, count); - rv = test.module->C_FindObjectsFinal (session); - assert_num_eq (CKR_OK, rv); -} - -static void -test_lookup_invalid (void) -{ - CK_SESSION_HANDLE session; - CK_ULONG size; - CK_RV rv; - - rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION, NULL, NULL, &session); - assert (rv == CKR_OK); - - rv = test.module->C_GetObjectSize (session, 88888, &size); - assert (rv == CKR_OBJECT_HANDLE_INVALID); -} - -static void -test_remove_token (void) -{ - CK_SESSION_HANDLE session; - CK_OBJECT_HANDLE handle; - CK_ULONG count; - CK_RV rv; - - rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION, NULL, NULL, &session); - assert_num_eq (rv, CKR_OK); - - rv = test.module->C_FindObjectsInit (session, NULL, 0); - assert_num_eq (rv, CKR_OK); - - rv = test.module->C_FindObjects (session, &handle, 1, &count); - assert_num_eq (rv, CKR_OK); - assert_num_eq (1, count); - - rv = test.module->C_DestroyObject (session, handle); - if (rv != CKR_TOKEN_WRITE_PROTECTED) - assert_num_eq (rv, CKR_SESSION_READ_ONLY); -} - -static void -test_setattr_token (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - }; - - CK_SESSION_HANDLE session; - CK_OBJECT_HANDLE handle; - CK_ULONG count; - CK_RV rv; - - rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION, NULL, NULL, &session); - assert_num_eq (rv, CKR_OK); - - rv = test.module->C_FindObjectsInit (session, NULL, 0); - assert_num_eq (rv, CKR_OK); - - rv = test.module->C_FindObjects (session, &handle, 1, &count); - assert_num_eq (rv, CKR_OK); - assert_num_eq (1, count); - - rv = test.module->C_SetAttributeValue (session, handle, original, 2); - if (rv != CKR_TOKEN_WRITE_PROTECTED) - assert_num_eq (rv, CKR_ATTRIBUTE_READ_ONLY); -} - -static void -test_session_copy (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - }; - - CK_SESSION_HANDLE session; - CK_OBJECT_HANDLE handle; - CK_OBJECT_HANDLE copy; - CK_ULONG size; - CK_RV rv; - - rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION, NULL, NULL, &session); - assert_num_eq (CKR_OK, rv); - - rv = test.module->C_CreateObject (session, original, 2, &handle); - assert_num_eq (CKR_OK, rv); - - rv = test.module->C_CopyObject (session, handle, original, 2, ©); - assert_num_eq (CKR_OK, rv); - - rv = test.module->C_GetObjectSize (session, copy, &size); - assert_num_eq (CKR_OK, rv); -} - -static void -test_session_setattr (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - }; - - CK_SESSION_HANDLE session; - CK_OBJECT_HANDLE handle; - CK_RV rv; - - rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION, NULL, NULL, &session); - assert (rv == CKR_OK); - - rv = test.module->C_CreateObject (session, original, 2, &handle); - assert (rv == CKR_OK); - - rv = test.module->C_SetAttributeValue (session, handle, original, 2); - assert (rv == CKR_OK); -} - -static void -test_session_remove (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_INVALID } - }; - - CK_SESSION_HANDLE session; - CK_OBJECT_HANDLE handle; - CK_RV rv; - - rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION, NULL, NULL, &session); - assert (rv == CKR_OK); - - rv = test.module->C_CreateObject (session, original, 2, &handle); - assert (rv == CKR_OK); - - rv = test.module->C_DestroyObject (session, handle); - assert (rv == CKR_OK); - - rv = test.module->C_DestroyObject (session, handle); - assert (rv == CKR_OBJECT_HANDLE_INVALID); -} - -static void -test_find_serial_der_decoded (void) -{ - CK_OBJECT_CLASS nss_trust = CKO_NSS_TRUST; - - CK_ATTRIBUTE object[] = { - { CKA_CLASS, &nss_trust, sizeof (nss_trust) }, - { CKA_SERIAL_NUMBER, "\x02\x03\x01\x02\x03", 5 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE match_decoded[] = { - { CKA_CLASS, &nss_trust, sizeof (nss_trust) }, - { CKA_SERIAL_NUMBER, "\x01\x02\x03", 3 }, - { CKA_INVALID } - }; - - CK_SESSION_HANDLE session; - CK_OBJECT_HANDLE handle; - CK_OBJECT_HANDLE check; - CK_ULONG count; - CK_RV rv; - - /* - * WORKAROUND: NSS calls us asking for CKA_SERIAL_NUMBER items that are - * not DER encoded. It shouldn't be doing this. We never return any certificate - * serial numbers that are not DER encoded. - * - * So work around the issue here while the NSS guys fix this issue. - * This code should be removed in future versions. - * - * See work_around_broken_nss_serial_number_lookups(). - */ - - rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION, NULL, NULL, &session); - assert_num_eq (CKR_OK, rv); - - rv = test.module->C_CreateObject (session, object, 2, &handle); - assert_num_eq (CKR_OK, rv); - - /* Do a standard find for the same object */ - rv = test.module->C_FindObjectsInit (session, object, 2); - assert_num_eq (CKR_OK, rv); - rv = test.module->C_FindObjects (session, &check, 1, &count); - assert_num_eq (CKR_OK, rv); - assert_num_eq (1, count); - assert_num_eq (handle, check); - rv = test.module->C_FindObjectsFinal (session); - assert_num_eq (CKR_OK, rv); - - /* Do a find for the serial number decoded */ - rv = test.module->C_FindObjectsInit (session, match_decoded, 2); - assert_num_eq (CKR_OK, rv); - rv = test.module->C_FindObjects (session, &check, 1, &count); - assert_num_eq (CKR_OK, rv); - assert_num_eq (1, count); - assert_num_eq (handle, check); - rv = test.module->C_FindObjectsFinal (session); - assert_num_eq (CKR_OK, rv); -} - -static void -test_find_serial_der_mismatch (void) -{ - CK_OBJECT_CLASS nss_trust = CKO_NSS_TRUST; - - CK_ATTRIBUTE object[] = { - { CKA_CLASS, &nss_trust, sizeof (nss_trust) }, - { CKA_SERIAL_NUMBER, "\x02\x03\x01\x02\x03", 5 }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE match[] = { - { CKA_SERIAL_NUMBER, NULL, 0 }, - { CKA_CLASS, &nss_trust, sizeof (nss_trust) }, - { CKA_INVALID } - }; - - CK_SESSION_HANDLE session; - CK_OBJECT_HANDLE handle; - CK_OBJECT_HANDLE check; - CK_ULONG count; - CK_RV rv; - - rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION, NULL, NULL, &session); - assert_num_eq (CKR_OK, rv); - - rv = test.module->C_CreateObject (session, object, 2, &handle); - assert_num_eq (CKR_OK, rv); - - /* Do a find with a null serial number, no match */ - rv = test.module->C_FindObjectsInit (session, match, 2); - assert_num_eq (CKR_OK, rv); - rv = test.module->C_FindObjects (session, &check, 1, &count); - assert_num_eq (CKR_OK, rv); - assert_num_eq (0, count); - rv = test.module->C_FindObjectsFinal (session); - assert_num_eq (CKR_OK, rv); - - /* Do a find with a wrong length, no match */ - match[0].pValue = "at"; - match[0].ulValueLen = 2; - rv = test.module->C_FindObjectsInit (session, match, 2); - assert_num_eq (CKR_OK, rv); - rv = test.module->C_FindObjects (session, &check, 1, &count); - assert_num_eq (CKR_OK, rv); - assert_num_eq (0, count); - rv = test.module->C_FindObjectsFinal (session); - assert_num_eq (CKR_OK, rv); - - /* Do a find with a right length, wrong value, no match */ - match[0].pValue = "one"; - match[0].ulValueLen = 3; - rv = test.module->C_FindObjectsInit (session, match, 2); - assert_num_eq (CKR_OK, rv); - rv = test.module->C_FindObjects (session, &check, 1, &count); - assert_num_eq (CKR_OK, rv); - assert_num_eq (0, count); - rv = test.module->C_FindObjectsFinal (session); - assert_num_eq (CKR_OK, rv); -} - -static void -test_login_logout (void) -{ - CK_SESSION_HANDLE session; - CK_RV rv; - - rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION, NULL, NULL, &session); - assert (rv == CKR_OK); - - /* Just testing our stubs for now */ - - rv = test.module->C_Login (session, CKU_USER, NULL, 0); - assert (rv == CKR_USER_TYPE_INVALID); - - rv = test.module->C_Logout (session); - assert (rv == CKR_USER_NOT_LOGGED_IN); -} - -static void -test_token_writable (void) -{ - CK_TOKEN_INFO info; - CK_RV rv; - - rv = test.module->C_GetTokenInfo (test.slots[0], &info); - - assert_num_eq (rv, CKR_OK); - assert_num_eq (info.flags & CKF_WRITE_PROTECTED, 0); -} - -static void -test_session_read_only_create (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_TOKEN, &vtrue, sizeof (vtrue) }, - { CKA_INVALID } - }; - - CK_SESSION_HANDLE session; - CK_OBJECT_HANDLE handle; - CK_RV rv; - - /* Read-only session */ - rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION, - NULL, NULL, &session); - assert (rv == CKR_OK); - - /* Create a token object */ - rv = test.module->C_CreateObject (session, original, 4, &handle); - assert_num_eq (rv, CKR_SESSION_READ_ONLY); -} - -static void -test_create_and_write (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_TOKEN, &vtrue, sizeof (vtrue) }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE expected[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "eight", 5 }, - { CKA_APPLICATION, "", 0 }, - { CKA_OBJECT_ID, "", 0 }, - { CKA_INVALID } - }; - - CK_SESSION_HANDLE session; - CK_OBJECT_HANDLE handle; - p11_array *parsed; - char *path; - CK_RV rv; - int ret; - - /* Read-only session */ - rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION | CKF_RW_SESSION, - NULL, NULL, &session); - assert_num_eq (rv, CKR_OK); - - /* Create a token object */ - rv = test.module->C_CreateObject (session, original, 4, &handle); - assert_num_eq (rv, CKR_OK); - - /* The expected file name */ - path = p11_path_build (test.directory, "yay.p11-kit", NULL); - p11_parser_formats (test.parser, p11_parser_format_persist, NULL); - ret = p11_parse_file (test.parser, path, NULL, 0); - assert_num_eq (ret, P11_PARSE_SUCCESS); - free (path); - - parsed = p11_parser_parsed (test.parser); - assert_num_eq (parsed->num, 1); - - test_check_attrs (expected, parsed->elem[0]); -} - -static void -test_modify_and_write (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_VALUE, "eight", 5 }, - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "yay", 3 }, - { CKA_TOKEN, &vtrue, sizeof (vtrue) }, - { CKA_MODIFIABLE, &vtrue, sizeof (vtrue) }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE expected[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "yay", 3 }, - { CKA_VALUE, "nine", 4 }, - { CKA_APPLICATION, "", 0 }, - { CKA_OBJECT_ID, "", 0 }, - { CKA_INVALID } - }; - - CK_SESSION_HANDLE session; - CK_OBJECT_HANDLE handle; - p11_array *parsed; - char *path; - CK_RV rv; - int ret; - - /* Read-only session */ - rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION | CKF_RW_SESSION, - NULL, NULL, &session); - assert_num_eq (rv, CKR_OK); - - /* Create a token object */ - rv = test.module->C_CreateObject (session, original, 5, &handle); - assert_num_eq (rv, CKR_OK); - - /* Now modify the object */ - original[0].pValue = "nine"; - original[0].ulValueLen = 4; - - rv = test.module->C_SetAttributeValue (session, handle, original, 5); - assert_num_eq (rv, CKR_OK); - - /* The expected file name */ - path = p11_path_build (test.directory, "yay.p11-kit", NULL); - ret = p11_parse_file (test.parser, path, NULL, 0); - assert_num_eq (ret, P11_PARSE_SUCCESS); - free (path); - - parsed = p11_parser_parsed (test.parser); - assert_num_eq (parsed->num, 1); - - test_check_attrs (expected, parsed->elem[0]); -} - -int -main (int argc, - char *argv[]) -{ - p11_library_init (); - - p11_fixture (setup, teardown); - p11_test (test_get_slot_list, "/module/get_slot_list"); - p11_test (test_get_slot_info, "/module/get_slot_info"); - - p11_fixture (NULL, NULL); - p11_test (test_null_initialize, "/module/initialize-null"); - p11_test (test_multi_initialize, "/module/initialize-multi"); - p11_test (test_get_token_info, "/module/get_token_info"); - - p11_fixture (setup, teardown); - p11_test (test_get_session_info, "/module/get_session_info"); - p11_test (test_close_all_sessions, "/module/close_all_sessions"); - p11_test (test_find_certificates, "/module/find_certificates"); - p11_test (test_find_builtin, "/module/find_builtin"); - p11_test (test_lookup_invalid, "/module/lookup_invalid"); - p11_test (test_remove_token, "/module/remove_token"); - p11_test (test_setattr_token, "/module/setattr_token"); - p11_test (test_session_object, "/module/session_object"); - p11_test (test_session_find, "/module/session_find"); - p11_test (test_session_find_no_attr, "/module/session_find_no_attr"); - p11_test (test_session_copy, "/module/session_copy"); - p11_test (test_session_remove, "/module/session_remove"); - p11_test (test_session_setattr, "/module/session_setattr"); - p11_test (test_find_serial_der_decoded, "/module/find_serial_der_decoded"); - p11_test (test_find_serial_der_mismatch, "/module/find_serial_der_mismatch"); - p11_test (test_login_logout, "/module/login_logout"); - - p11_fixture (setup_writable, teardown); - p11_test (test_token_writable, "/module/token-writable"); - p11_test (test_session_read_only_create, "/module/session-read-only-create"); - p11_test (test_create_and_write, "/module/create-and-write"); - p11_test (test_modify_and_write, "/module/modify-and-write"); - - return p11_test_run (argc, argv); -} diff --git a/trust/test-oid.c b/trust/test-oid.c deleted file mode 100644 index 0635d0a..0000000 --- a/trust/test-oid.c +++ /dev/null @@ -1,127 +0,0 @@ -/* - * Copyright (c) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@gnome.org> - */ - -#include "config.h" -#include "test.h" - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> - -#include "debug.h" -#include "oid.h" - -#include <libtasn1.h> - -#include "pkix.asn.h" - -static void -test_known_oids (void) -{ - char buffer[128]; - node_asn *definitions = NULL; - node_asn *node; - int ret; - int len; - int i; - - struct { - const unsigned char *oid; - size_t length; - const char *string; - } known_oids[] = { - { P11_OID_SUBJECT_KEY_IDENTIFIER, sizeof (P11_OID_SUBJECT_KEY_IDENTIFIER), P11_OID_SUBJECT_KEY_IDENTIFIER_STR, }, - { P11_OID_KEY_USAGE, sizeof (P11_OID_KEY_USAGE), P11_OID_KEY_USAGE_STR, }, - { P11_OID_BASIC_CONSTRAINTS, sizeof (P11_OID_BASIC_CONSTRAINTS), P11_OID_BASIC_CONSTRAINTS_STR }, - { P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE), P11_OID_EXTENDED_KEY_USAGE_STR }, - { P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT), P11_OID_OPENSSL_REJECT_STR }, - { P11_OID_SERVER_AUTH, sizeof (P11_OID_SERVER_AUTH), P11_OID_SERVER_AUTH_STR }, - { P11_OID_CLIENT_AUTH, sizeof (P11_OID_CLIENT_AUTH), P11_OID_CLIENT_AUTH_STR }, - { P11_OID_CODE_SIGNING, sizeof (P11_OID_CODE_SIGNING), P11_OID_CODE_SIGNING_STR }, - { P11_OID_EMAIL_PROTECTION, sizeof (P11_OID_EMAIL_PROTECTION), P11_OID_EMAIL_PROTECTION_STR }, - { P11_OID_IPSEC_END_SYSTEM, sizeof (P11_OID_IPSEC_END_SYSTEM), P11_OID_IPSEC_END_SYSTEM_STR }, - { P11_OID_IPSEC_TUNNEL, sizeof (P11_OID_IPSEC_TUNNEL), P11_OID_IPSEC_TUNNEL_STR }, - { P11_OID_IPSEC_USER, sizeof (P11_OID_IPSEC_USER), P11_OID_IPSEC_USER_STR }, - { P11_OID_TIME_STAMPING, sizeof (P11_OID_TIME_STAMPING), P11_OID_TIME_STAMPING_STR }, - { P11_OID_RESERVED_PURPOSE, sizeof (P11_OID_RESERVED_PURPOSE), P11_OID_RESERVED_PURPOSE_STR }, - { NULL }, - }; - - ret = asn1_array2tree (pkix_asn1_tab, &definitions, NULL); - assert (ret == ASN1_SUCCESS); - - for (i = 0; known_oids[i].oid != NULL; i++) { - - assert (p11_oid_simple (known_oids[i].oid, known_oids[i].length)); - assert_num_eq (known_oids[i].length, p11_oid_length (known_oids[i].oid)); - assert (p11_oid_equal (known_oids[i].oid, known_oids[i].oid)); - - if (i > 0) - assert (!p11_oid_equal (known_oids[i].oid, known_oids[i - 1].oid)); - - /* AttributeType is a OBJECT IDENTIFIER */ - ret = asn1_create_element (definitions, "PKIX1.AttributeType", &node); - assert (ret == ASN1_SUCCESS); - - ret = asn1_der_decoding (&node, known_oids[i].oid, known_oids[i].length, NULL); - assert (ret == ASN1_SUCCESS); - - len = sizeof (buffer); - ret = asn1_read_value (node, "", buffer, &len); - assert (ret == ASN1_SUCCESS); - - assert_str_eq (known_oids[i].string, buffer); - - asn1_delete_structure (&node); - } - - asn1_delete_structure (&definitions); -} - -static void -test_hash (void) -{ - assert_num_cmp (p11_oid_hash (P11_OID_CN), !=, 0); - assert_num_cmp (p11_oid_hash (P11_OID_CN), ==, p11_oid_hash (P11_OID_CN)); - assert_num_cmp (p11_oid_hash (P11_OID_CN), !=, p11_oid_hash (P11_OID_BASIC_CONSTRAINTS)); -} - -int -main (int argc, - char *argv[]) -{ - p11_test (test_known_oids, "/oids/known"); - p11_test (test_hash, "/oids/hash"); - return p11_test_run (argc, argv); -} diff --git a/trust/test-openssl.c b/trust/test-openssl.c deleted file mode 100644 index 3cba1ed..0000000 --- a/trust/test-openssl.c +++ /dev/null @@ -1,662 +0,0 @@ -/* - * Copyright (c) 2011, Collabora Ltd. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@collabora.co.uk> - */ - -#define P11_KIT_DISABLE_DEPRECATED - -#include "config.h" - -#include "test-trust.h" - -#include "attrs.h" -#include "buffer.h" -#include "compat.h" -#include "debug.h" -#include "dict.h" -#include "extract.h" -#include "message.h" -#include "mock.h" -#include "path.h" -#include "pkcs11.h" -#include "pkcs11x.h" -#include "oid.h" -#include "test.h" - -#include <stdarg.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> - -#define ELEMS(x) (sizeof (x) / sizeof (x[0])) - -struct { - CK_FUNCTION_LIST module; - p11_enumerate ex; - char *directory; -} test; - -static void -setup (void *unused) -{ - CK_RV rv; - - mock_module_reset (); - memcpy (&test.module, &mock_module, sizeof (CK_FUNCTION_LIST)); - rv = test.module.C_Initialize (NULL); - assert_num_eq (CKR_OK, rv); - - p11_enumerate_init (&test.ex); - - test.directory = p11_test_directory ("test-extract"); -} - -static void -teardown (void *unused) -{ - CK_RV rv; - - if (rmdir (test.directory) < 0) - assert_not_reached (); - free (test.directory); - - p11_enumerate_cleanup (&test.ex); - p11_kit_iter_free (test.ex.iter); - - rv = test.module.C_Finalize (NULL); - assert_num_eq (CKR_OK, rv); -} - -static CK_OBJECT_CLASS certificate_class = CKO_CERTIFICATE; -static CK_OBJECT_CLASS extension_class = CKO_X_CERTIFICATE_EXTENSION; -static CK_CERTIFICATE_TYPE x509_type = CKC_X_509; -static CK_BBOOL vtrue = CK_TRUE; - -static CK_ATTRIBUTE cacert3_authority_attrs[] = { - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_CLASS, &certificate_class, sizeof (certificate_class) }, - { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) }, - { CKA_LABEL, "Custom Label", 12 }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, - { CKA_TRUSTED, &vtrue, sizeof (vtrue) }, - { CKA_INVALID }, -}; - -static CK_ATTRIBUTE verisign_v1_attrs[] = { - { CKA_VALUE, (void *)verisign_v1_ca, sizeof (verisign_v1_ca) }, - { CKA_CLASS, &certificate_class, sizeof (certificate_class) }, - { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) }, - { CKA_LABEL, "Custom Label", 12 }, - { CKA_SUBJECT, (void *)verisign_v1_ca_subject, sizeof (verisign_v1_ca_subject) }, - { CKA_PUBLIC_KEY_INFO, (void *)verisign_v1_ca_public_key, sizeof (verisign_v1_ca_public_key) }, - { CKA_TRUSTED, &vtrue, sizeof (vtrue) }, - { CKA_INVALID }, -}; - -static CK_ATTRIBUTE extension_eku_server[] = { - { CKA_CLASS, &extension_class, sizeof (extension_class) }, - { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, - { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, - { CKA_VALUE, "\x30\x13\x06\x03\x55\x1d\x25\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01", 21 }, - { CKA_INVALID }, -}; - -static CK_ATTRIBUTE extension_reject_email[] = { - { CKA_CLASS, &extension_class, sizeof (extension_class) }, - { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) }, - { CKA_VALUE, "\x30\x1a\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x01\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x04", 28 }, - { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, - { CKA_INVALID }, -}; - -static CK_ATTRIBUTE certificate_filter[] = { - { CKA_CLASS, &certificate_class, sizeof (certificate_class) }, - { CKA_INVALID }, -}; - -static void -setup_objects (const CK_ATTRIBUTE *attrs, - ...) GNUC_NULL_TERMINATED; - -static void -setup_objects (const CK_ATTRIBUTE *attrs, - ...) -{ - static CK_ULONG id_value = 8888; - - CK_ATTRIBUTE id = { CKA_ID, &id_value, sizeof (id_value) }; - CK_ATTRIBUTE *copy; - va_list va; - - va_start (va, attrs); - while (attrs != NULL) { - copy = p11_attrs_build (p11_attrs_dup (attrs), &id, NULL); - assert (copy != NULL); - mock_module_take_object (MOCK_SLOT_ONE_ID, copy); - attrs = va_arg (va, const CK_ATTRIBUTE *); - } - va_end (va); - - id_value++; -} - -static void -test_file (void) -{ - char *destination; - bool ret; - - setup_objects (cacert3_authority_attrs, - extension_eku_server, - extension_reject_email, - NULL); - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - if (asprintf (&destination, "%s/%s", test.directory, "extract.pem") < 0) - assert_not_reached (); - - ret = p11_extract_openssl_bundle (&test.ex, destination); - assert_num_eq (true, ret); - - test_check_file (test.directory, "extract.pem", - SRCDIR "/trust/fixtures/cacert3-trusted-server-alias.pem"); - - free (destination); -} - -static void -test_plain (void) -{ - char *destination; - bool ret; - - setup_objects (cacert3_authority_attrs, NULL); - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - if (asprintf (&destination, "%s/%s", test.directory, "extract.pem") < 0) - assert_not_reached (); - - ret = p11_extract_openssl_bundle (&test.ex, destination); - assert_num_eq (true, ret); - - test_check_file (test.directory, "extract.pem", - SRCDIR "/trust/fixtures/cacert3-trusted-alias.pem"); - - free (destination); -} - -static void -test_keyid (void) -{ - char *destination; - bool ret; - - static CK_ATTRIBUTE cacert3_plain[] = { - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_CLASS, &certificate_class, sizeof (certificate_class) }, - { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, - { CKA_TRUSTED, &vtrue, sizeof (vtrue) }, - { CKA_INVALID }, - }; - - static CK_ATTRIBUTE extension_subject_key_identifier[] = { - { CKA_CLASS, &extension_class, sizeof (extension_class) }, - { CKA_OBJECT_ID, (void *)P11_OID_SUBJECT_KEY_IDENTIFIER, sizeof (P11_OID_SUBJECT_KEY_IDENTIFIER) }, - { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, - { CKA_VALUE, "\x30\x0e\x06\x03\x55\x1d\x0e\x04\x07\x00\x01\x02\x03\x04\x05\x06", 16 }, - { CKA_INVALID }, - }; - - setup_objects (cacert3_plain, extension_subject_key_identifier, NULL); - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - if (asprintf (&destination, "%s/%s", test.directory, "extract.pem") < 0) - assert_not_reached (); - - ret = p11_extract_openssl_bundle (&test.ex, destination); - assert_num_eq (true, ret); - - test_check_file (test.directory, "extract.pem", - SRCDIR "/trust/fixtures/cacert3-trusted-keyid.pem"); - - free (destination); -} - -static void -test_not_authority (void) -{ - char *destination; - bool ret; - - static CK_ATTRIBUTE cacert3_not_trusted[] = { - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_CLASS, &certificate_class, sizeof (certificate_class) }, - { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_INVALID }, - }; - - setup_objects (cacert3_not_trusted, NULL); - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - if (asprintf (&destination, "%s/%s", test.directory, "extract.pem") < 0) - assert_not_reached (); - - ret = p11_extract_openssl_bundle (&test.ex, destination); - assert_num_eq (true, ret); - - test_check_file (test.directory, "extract.pem", - SRCDIR "/trust/fixtures/cacert3-not-trusted.pem"); - - free (destination); -} - -static void -test_distrust_all (void) -{ - char *destination; - bool ret; - - static CK_ATTRIBUTE cacert3_blacklist[] = { - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_CLASS, &certificate_class, sizeof (certificate_class) }, - { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_X_DISTRUSTED, &vtrue, sizeof (vtrue) }, - { CKA_INVALID }, - }; - - setup_objects (cacert3_blacklist, NULL); - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - if (asprintf (&destination, "%s/%s", test.directory, "extract.pem") < 0) - assert_not_reached (); - - ret = p11_extract_openssl_bundle (&test.ex, destination); - assert_num_eq (true, ret); - - test_check_file (test.directory, "extract.pem", - SRCDIR "/trust/fixtures/cacert3-distrust-all.pem"); - - free (destination); -} - -static void -test_file_multiple (void) -{ - char *destination; - bool ret; - - setup_objects (cacert3_authority_attrs, - extension_eku_server, - extension_reject_email, - NULL); - - setup_objects (verisign_v1_attrs, - NULL); - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - if (asprintf (&destination, "%s/%s", test.directory, "extract.pem") < 0) - assert_not_reached (); - - ret = p11_extract_openssl_bundle (&test.ex, destination); - assert_num_eq (true, ret); - - test_check_file (test.directory, "extract.pem", SRCDIR "/trust/fixtures/multiple.pem"); - free (destination); -} - -static void -test_file_without (void) -{ - char *destination; - bool ret; - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - if (asprintf (&destination, "%s/%s", test.directory, "extract.pem") < 0) - assert_not_reached (); - - ret = p11_extract_openssl_bundle (&test.ex, destination); - assert_num_eq (true, ret); - - test_check_data (test.directory, "extract.pem", "", 0); - - free (destination); -} - -/* From extract-openssl.c */ -void p11_openssl_canon_string (char *str, size_t *len); - -static void -test_canon_string (void) -{ - struct { - char *input; - int input_len; - char *output; - int output_len; - } fixtures[] = { - { "A test", -1, "a test", -1 }, - { " Strip spaces ", -1, "strip spaces", -1 }, - { " Collapse \n\t spaces", -1, "collapse spaces", -1 }, - { "Ignore non-ASCII \303\204", -1, "ignore non-ascii \303\204", -1 }, - { "no-space", -1, "no-space", -1 }, - }; - - char *str; - size_t len; - size_t out; - int i; - - for (i = 0; i < ELEMS (fixtures); i++) { - if (fixtures[i].input_len < 0) - len = strlen (fixtures[i].input); - else - len = fixtures[i].input_len; - str = strndup (fixtures[i].input, len); - - p11_openssl_canon_string (str, &len); - - if (fixtures[i].output_len < 0) - out = strlen (fixtures[i].output); - else - out = fixtures[i].output_len; - assert_num_eq (out, len); - assert_str_eq (fixtures[i].output, str); - - free (str); - } -} - -bool p11_openssl_canon_string_der (p11_buffer *der); - -static void -test_canon_string_der (void) -{ - struct { - unsigned char input[100]; - int input_len; - unsigned char output[100]; - int output_len; - } fixtures[] = { - /* UTF8String */ - { { 0x0c, 0x0f, 0xc3, 0x84, ' ', 'U', 'T', 'F', '8', ' ', 's', 't', 'r', 'i', 'n', 'g', ' ', }, 17, - { 0x0c, 0x0e, 0xc3, 0x84, ' ', 'u', 't', 'f', '8', ' ', 's', 't', 'r', 'i', 'n', 'g', }, 16, - }, - - /* NumericString */ - { { 0x12, 0x04, '0', '1', '2', '3', }, 6, - { 0x0c, 0x04, '0', '1', '2', '3' }, 6, - }, - - /* IA5String */ - { { 0x16, 0x04, ' ', 'A', 'B', ' ', }, 6, - { 0x0c, 0x02, 'a', 'b', }, 4, - }, - - /* TeletexString */ - { { 0x14, 0x07, 'A', ' ', ' ', 'n', 'i', 'c', 'e' }, 9, - { 0x0c, 0x06, 'a', ' ', 'n', 'i', 'c', 'e' }, 8, - }, - - /* PrintableString */ - { { 0x13, 0x07, 'A', ' ', ' ', 'n', 'i', 'c', 'e' }, 9, - { 0x0c, 0x06, 'a', ' ', 'n', 'i', 'c', 'e' }, 8, - }, - - /* No change, not a known string type */ - { { 0x05, 0x07, 'A', ' ', ' ', 'n', 'i', 'c', 'e' }, 9, - { 0x05, 0x07, 'A', ' ', ' ', 'n', 'i', 'c', 'e' }, 9 - }, - - /* UniversalString */ - { { 0x1c, 0x14, 0x00, 0x00, 0x00, 'F', 0x00, 0x00, 0x00, 'u', - 0x00, 0x00, 0x00, 'n', 0x00, 0x00, 0x00, ' ', 0x00, 0x01, 0x03, 0x19, }, 22, - { 0x0c, 0x08, 'f', 'u', 'n', ' ', 0xf0, 0x90, 0x8c, 0x99 }, 10, - }, - - /* BMPString */ - { { 0x1e, 0x0a, 0x00, 'V', 0x00, 0xF6, 0x00, 'g', 0x00, 'e', 0x00, 'l' }, 12, - { 0x0c, 0x06, 'v', 0xc3, 0xb6, 'g', 'e', 'l' }, 8, - }, - }; - - p11_buffer buf; - bool ret; - int i; - - for (i = 0; i < ELEMS (fixtures); i++) { - p11_buffer_init_full (&buf, memdup (fixtures[i].input, fixtures[i].input_len), - fixtures[i].input_len, 0, realloc, free); - - ret = p11_openssl_canon_string_der (&buf); - assert_num_eq (true, ret); - - assert_num_eq (fixtures[i].output_len, buf.len); - assert (memcmp (buf.data, fixtures[i].output, buf.len) == 0); - - p11_buffer_uninit (&buf); - } -} - -bool p11_openssl_canon_name_der (p11_dict *asn1_defs, - p11_buffer *der); - -static void -test_canon_name_der (void) -{ - struct { - unsigned char input[100]; - int input_len; - unsigned char output[100]; - int output_len; - } fixtures[] = { - { { '0', 'T', '1', 0x14, '0', 0x12, 0x06, 0x03, 'U', 0x04, 0x0a, - 0x13, 0x0b, 'C', 'A', 'c', 'e', 'r', 't', 0x20, 'I', 'n', - 'c', '.', '1', 0x1e, '0', 0x1c, 0x06, 0x03, 'U', 0x04, - 0x0b, 0x13, 0x15, 'h', 't', 't', 'p', ':', '/', '/', 'w', - 'w', 'w', '.', 'C', 'A', 'c', 'e', 'r', 't', '.', 'o', 'r', - 'g', '1', 0x1c, '0', 0x1a, 0x06, 0x03, 'U', 0x04, 0x03, 0x13, - 0x13, 'C', 'A', 'c', 'e', 'r', 't', 0x20, 'C', 'l', 'a', 's', - 's', 0x20, '3', 0x20, 'R', 'o', 'o', 't', }, 86, - { '1', 0x14, '0', 0x12, 0x06, 0x03, 'U', 0x04, 0x0a, - 0x0c, 0x0b, 'c', 'a', 'c', 'e', 'r', 't', 0x20, 'i', 'n', - 'c', '.', '1', 0x1e, '0', 0x1c, 0x06, 0x03, 'U', 0x04, - 0x0b, 0x0c, 0x15, 'h', 't', 't', 'p', ':', '/', '/', 'w', - 'w', 'w', '.', 'c', 'a', 'c', 'e', 'r', 't', '.', 'o', 'r', - 'g', '1', 0x1c, '0', 0x1a, 0x06, 0x03, 'U', 0x04, 0x03, 0x0c, - 0x13, 'c', 'a', 'c', 'e', 'r', 't', 0x20, 'c', 'l', 'a', 's', - 's', 0x20, '3', 0x20, 'r', 'o', 'o', 't', }, 84, - }, - { { '0', 0x00, }, 2, - { }, 0, - }, - }; - - p11_buffer buf; - p11_dict *asn1_defs; - bool ret; - int i; - - asn1_defs = p11_asn1_defs_load (); - - for (i = 0; i < ELEMS (fixtures); i++) { - p11_buffer_init_full (&buf, memdup (fixtures[i].input, fixtures[i].input_len), - fixtures[i].input_len, 0, realloc, free); - - ret = p11_openssl_canon_name_der (asn1_defs, &buf); - assert_num_eq (true, ret); - - assert_num_eq (fixtures[i].output_len, buf.len); - assert (memcmp (buf.data, fixtures[i].output, buf.len) == 0); - - p11_buffer_uninit (&buf); - } - - p11_dict_free (asn1_defs); -} - -static void -test_canon_string_der_fail (void) -{ - struct { - unsigned char input[100]; - int input_len; - } fixtures[] = { - { { 0x0c, 0x02, 0xc3, 0xc4 /* Invalid UTF-8 */ }, 4 }, - { { 0x1e, 0x01, 0x00 /* Invalid UCS2 */ }, 3 }, - { { 0x1c, 0x02, 0x00, 0x01 /* Invalid UCS4 */ }, 4 }, - }; - - p11_buffer buf; - bool ret; - int i; - - for (i = 0; i < ELEMS (fixtures); i++) { - p11_buffer_init_full (&buf, memdup (fixtures[i].input, fixtures[i].input_len), - fixtures[i].input_len, 0, realloc, free); - - ret = p11_openssl_canon_string_der (&buf); - assert_num_eq (false, ret); - - p11_buffer_uninit (&buf); - } -} - -static void -test_directory (void) -{ - bool ret; - - setup_objects (cacert3_authority_attrs, - extension_eku_server, - extension_reject_email, - NULL); - - /* Accesses the above objects */ - setup_objects (cacert3_authority_attrs, - NULL); - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - /* Yes, this is a race, and why you shouldn't build software as root */ - if (rmdir (test.directory) < 0) - assert_not_reached (); - - ret = p11_extract_openssl_directory (&test.ex, test.directory); - assert_num_eq (true, ret); - - test_check_directory (test.directory, ("Custom_Label.pem", "Custom_Label.1.pem", -#ifdef OS_UNIX - "e5662767.1", "e5662767.0", "590d426f.1", "590d426f.0", -#endif - NULL)); - test_check_file (test.directory, "Custom_Label.pem", - SRCDIR "/trust/fixtures/cacert3-trusted-server-alias.pem"); - test_check_file (test.directory, "Custom_Label.1.pem", - SRCDIR "/trust/fixtures/cacert3-trusted-server-alias.pem"); -#ifdef OS_UNIX - test_check_symlink (test.directory, "e5662767.0", "Custom_Label.pem"); - test_check_symlink (test.directory, "e5662767.1", "Custom_Label.1.pem"); - test_check_symlink (test.directory, "590d426f.0", "Custom_Label.pem"); - test_check_symlink (test.directory, "590d426f.1", "Custom_Label.1.pem"); -#endif -} - -static void -test_directory_empty (void) -{ - bool ret; - - p11_kit_iter_add_filter (test.ex.iter, certificate_filter, 1); - p11_kit_iter_begin_with (test.ex.iter, &test.module, 0, 0); - - /* Yes, this is a race, and why you shouldn't build software as root */ - if (rmdir (test.directory) < 0) - assert_not_reached (); - - ret = p11_extract_openssl_directory (&test.ex, test.directory); - assert_num_eq (true, ret); - - test_check_directory (test.directory, (NULL, NULL)); -} - -int -main (int argc, - char *argv[]) -{ - mock_module_init (); - - p11_fixture (setup, teardown); - p11_test (test_file, "/openssl/test_file"); - p11_test (test_plain, "/openssl/test_plain"); - p11_test (test_keyid, "/openssl/test_keyid"); - p11_test (test_not_authority, "/openssl/test_not_authority"); - p11_test (test_distrust_all, "/openssl/test_distrust_all"); - p11_test (test_file_multiple, "/openssl/test_file_multiple"); - p11_test (test_file_without, "/openssl/test_file_without"); - - p11_fixture (NULL, NULL); - p11_test (test_canon_string, "/openssl/test_canon_string"); - p11_test (test_canon_string_der, "/openssl/test_canon_string_der"); - p11_test (test_canon_string_der_fail, "/openssl/test_canon_string_der_fail"); - p11_test (test_canon_name_der, "/openssl/test_canon_name_der"); - - p11_fixture (setup, teardown); - p11_test (test_directory, "/openssl/test_directory"); - p11_test (test_directory_empty, "/openssl/test_directory_empty"); - - return p11_test_run (argc, argv); -} - -#include "enumerate.c" -#include "extract-openssl.c" -#include "save.c" diff --git a/trust/test-parser.c b/trust/test-parser.c deleted file mode 100644 index b5c2525..0000000 --- a/trust/test-parser.c +++ /dev/null @@ -1,567 +0,0 @@ -/* - * Copyright (c) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@gnome.org> - */ - -#include "config.h" -#include "test.h" -#include "test-trust.h" - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> - -#include "array.h" -#include "attrs.h" -#include "builder.h" -#include "debug.h" -#include "message.h" -#include "oid.h" -#include "parser.h" -#include "pkcs11x.h" - -struct { - p11_parser *parser; - p11_array *parsed; - p11_asn1_cache *cache; -} test; - -static void -setup (void *unused) -{ - test.cache = p11_asn1_cache_new (); - test.parser = p11_parser_new (test.cache); - assert_ptr_not_null (test.parser); - - test.parsed = p11_parser_parsed (test.parser); - assert_ptr_not_null (test.parsed); -} - -static void -teardown (void *unused) -{ - p11_parser_free (test.parser); - p11_asn1_cache_free (test.cache); - memset (&test, 0, sizeof (test)); -} - -static CK_OBJECT_CLASS certificate = CKO_CERTIFICATE; -static CK_OBJECT_CLASS certificate_extension = CKO_X_CERTIFICATE_EXTENSION; -static CK_BBOOL falsev = CK_FALSE; -static CK_BBOOL truev = CK_TRUE; -static CK_CERTIFICATE_TYPE x509 = CKC_X_509; - -static CK_ATTRIBUTE certificate_match[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_INVALID, }, -}; - -static CK_ATTRIBUTE * -parsed_attrs (CK_ATTRIBUTE *match, - int length) -{ - int i; - - if (length < 0) - length = p11_attrs_count (match); - for (i = 0; i < test.parsed->num; i++) { - if (p11_attrs_matchn (test.parsed->elem[i], match, length)) - return test.parsed->elem[i]; - } - - return NULL; -} - -static void -test_parse_der_certificate (void) -{ - CK_ATTRIBUTE *cert; - int ret; - - CK_ATTRIBUTE expected[] = { - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, - { CKA_TRUSTED, &falsev, sizeof (falsev) }, - { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, - { CKA_INVALID }, - }; - - p11_parser_formats (test.parser, p11_parser_format_x509, NULL); - ret = p11_parse_file (test.parser, SRCDIR "/trust/fixtures/cacert3.der", NULL, - P11_PARSE_FLAG_NONE); - assert_num_eq (P11_PARSE_SUCCESS, ret); - - /* Should have gotten certificate */ - assert_num_eq (1, test.parsed->num); - - cert = parsed_attrs (certificate_match, -1); - test_check_attrs (expected, cert); -} - -static void -test_parse_pem_certificate (void) -{ - CK_ATTRIBUTE *cert; - int ret; - - CK_ATTRIBUTE expected[] = { - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, - { CKA_TRUSTED, &falsev, sizeof (falsev) }, - { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, - { CKA_INVALID }, - }; - - p11_parser_formats (test.parser, p11_parser_format_pem, NULL); - ret = p11_parse_file (test.parser, SRCDIR "/trust/fixtures/cacert3.pem", NULL, - P11_PARSE_FLAG_NONE); - assert_num_eq (P11_PARSE_SUCCESS, ret); - - /* Should have gotten certificate */ - assert_num_eq (1, test.parsed->num); - - cert = parsed_attrs (certificate_match, -1); - test_check_attrs (expected, cert); -} - -static void -test_parse_p11_kit_persist (void) -{ - CK_ATTRIBUTE *cert; - int ret; - - CK_ATTRIBUTE expected[] = { - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_VALUE, (void *)verisign_v1_ca, sizeof (verisign_v1_ca) }, - { CKA_TRUSTED, &truev, sizeof (truev) }, - { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, - { CKA_INVALID }, - }; - - p11_parser_formats (test.parser, p11_parser_format_persist, NULL); - ret = p11_parse_file (test.parser, SRCDIR "/trust/input/verisign-v1.p11-kit", NULL, - P11_PARSE_FLAG_NONE); - assert_num_eq (P11_PARSE_SUCCESS, ret); - - /* Should have gotten certificate */ - assert_num_eq (1, test.parsed->num); - - cert = parsed_attrs (certificate_match, -1); - test_check_attrs (expected, cert); -} - -static void -test_parse_openssl_trusted (void) -{ - CK_ATTRIBUTE cacert3[] = { - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, - { CKA_TRUSTED, &truev, sizeof (truev) }, - { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE eku_extension[] = { - { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, - { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, - { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, - { CKA_VALUE, "\x30\x16\x06\x03\x55\x1d\x25\x01\x01\xff\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01", 24 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE reject_extension[] = { - { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, - { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) }, - { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) }, - { CKA_VALUE, "\x30\x1a\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x01\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x04", 28 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *expected[] = { - cacert3, - eku_extension, - reject_extension, - NULL - }; - - CK_ATTRIBUTE *cert; - CK_ATTRIBUTE *object; - int ret; - int i; - - p11_parser_formats (test.parser, p11_parser_format_pem, NULL); - ret = p11_parse_file (test.parser, SRCDIR "/trust/fixtures/cacert3-trusted.pem", NULL, - P11_PARSE_FLAG_ANCHOR); - assert_num_eq (P11_PARSE_SUCCESS, ret); - - /* - * Should have gotten: - * - 1 certificate - * - 2 attached extensions - */ - assert_num_eq (3, test.parsed->num); - - /* The certificate */ - cert = parsed_attrs (certificate_match, -1); - test_check_attrs (expected[0], cert); - - /* The other objects */ - for (i = 1; expected[i]; i++) { - object = parsed_attrs (expected[i], 2); - assert_ptr_not_null (object); - - test_check_attrs (expected[i], object); - } -} - -static void -test_parse_openssl_distrusted (void) -{ - static const char distrust_public_key[] = { - 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, - 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xdf, 0xc7, 0x0d, - 0x61, 0xa2, 0x2f, 0xc0, 0x5a, 0xad, 0x45, 0x83, 0x22, 0x33, 0x42, 0xea, 0xec, 0x42, 0x5e, 0xa6, - 0x0d, 0x42, 0x4c, 0x1c, 0x9a, 0x12, 0x0b, 0x5f, 0xe7, 0x25, 0xf9, 0x8b, 0x83, 0x0c, 0x0a, 0xc5, - 0x2f, 0x5a, 0x58, 0x56, 0xb8, 0xad, 0x87, 0x6d, 0xbc, 0x80, 0x5d, 0xdd, 0x49, 0x45, 0x39, 0x5f, - 0xb9, 0x08, 0x3a, 0x63, 0xe4, 0x92, 0x33, 0x61, 0x79, 0x19, 0x1b, 0x9d, 0xab, 0x3a, 0xd5, 0x7f, - 0xa7, 0x8b, 0x7f, 0x8a, 0x5a, 0xf6, 0xd7, 0xde, 0xaf, 0xa1, 0xe5, 0x53, 0x31, 0x29, 0x7d, 0x9c, - 0x03, 0x55, 0x3e, 0x47, 0x78, 0xcb, 0xb9, 0x7a, 0x98, 0x8c, 0x5f, 0x8d, 0xda, 0x09, 0x0f, 0xc8, - 0xfb, 0xf1, 0x7a, 0x80, 0xee, 0x12, 0x77, 0x0a, 0x00, 0x8b, 0x70, 0xfa, 0x62, 0xbf, 0xaf, 0xee, - 0x0b, 0x58, 0x16, 0xf9, 0x9c, 0x5c, 0xde, 0x93, 0xb8, 0x4f, 0xdf, 0x4d, 0x7b, 0x02, 0x03, 0x01, - 0x00, 0x01, - }; - - CK_ATTRIBUTE distrust_cert[] = { - { CKA_CLASS, &certificate, sizeof (certificate), }, - { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_TRUSTED, &falsev, sizeof (falsev) }, - { CKA_X_DISTRUSTED, &truev, sizeof (truev) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE eku_extension[] = { - { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, - { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) }, - { CKA_PUBLIC_KEY_INFO, (void *)distrust_public_key, sizeof (distrust_public_key) }, - { CKA_VALUE, "\x30\x18\x06\x03\x55\x1d\x25\x01\x01\xff\x04\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x10", 26 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE reject_extension[] = { - { CKA_CLASS, &certificate_extension, sizeof (certificate_extension), }, - { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) }, - { CKA_PUBLIC_KEY_INFO, (void *)distrust_public_key, sizeof (distrust_public_key) }, - { CKA_VALUE, "\x30\x1a\x06\x0a\x2b\x06\x01\x04\x01\x99\x77\x06\x0a\x01\x04\x0c\x30\x0a\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02", 28 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *expected[] = { - distrust_cert, - eku_extension, - reject_extension, - NULL - }; - - CK_ATTRIBUTE *cert; - CK_ATTRIBUTE *object; - int ret; - int i; - - /* - * OpenSSL style is to litter the blacklist in with the anchors, - * so we parse this as an anchor, but expect it to be blacklisted - */ - p11_parser_formats (test.parser, p11_parser_format_pem, NULL); - ret = p11_parse_file (test.parser, SRCDIR "/trust/fixtures/distrusted.pem", NULL, - P11_PARSE_FLAG_ANCHOR); - assert_num_eq (P11_PARSE_SUCCESS, ret); - - /* - * Should have gotten: - * - 1 certificate - * - 2 attached extensions - */ - assert_num_eq (3, test.parsed->num); - cert = parsed_attrs (certificate_match, -1); - test_check_attrs (expected[0], cert); - - /* The other objects */ - for (i = 1; expected[i]; i++) { - object = parsed_attrs (expected[i], 2); - assert_ptr_not_null (object); - - test_check_attrs (expected[i], object); - } -} - -static void -test_openssl_trusted_no_trust (void) -{ - CK_ATTRIBUTE *cert; - int ret; - - char expected_value[] = { - 0x30, 0x82, 0x04, 0x99, 0x30, 0x82, 0x03, 0x81, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x5d, - 0x20, 0x61, 0x8e, 0x8c, 0x0e, 0xb9, 0x34, 0x40, 0x93, 0xb9, 0xb1, 0xd8, 0x63, 0x95, 0xb6, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x6f, - 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x53, 0x45, 0x31, 0x14, 0x30, - 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b, 0x41, 0x64, 0x64, 0x54, 0x72, 0x75, 0x73, 0x74, - 0x20, 0x41, 0x42, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1d, 0x41, 0x64, - 0x64, 0x54, 0x72, 0x75, 0x73, 0x74, 0x20, 0x45, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x20, - 0x54, 0x54, 0x50, 0x20, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x31, 0x22, 0x30, 0x20, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x13, 0x19, 0x41, 0x64, 0x64, 0x54, 0x72, 0x75, 0x73, 0x74, 0x20, 0x45, - 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x20, 0x43, 0x41, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, - 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x30, 0x38, 0x30, 0x35, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, - 0x17, 0x0d, 0x31, 0x35, 0x31, 0x31, 0x30, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, - 0x7f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x0b, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, 0x55, 0x54, 0x31, 0x17, 0x30, 0x15, 0x06, - 0x03, 0x55, 0x04, 0x07, 0x13, 0x0e, 0x53, 0x61, 0x6c, 0x74, 0x20, 0x4c, 0x61, 0x6b, 0x65, 0x20, - 0x43, 0x69, 0x74, 0x79, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, 0x54, - 0x68, 0x65, 0x20, 0x55, 0x53, 0x45, 0x52, 0x54, 0x52, 0x55, 0x53, 0x54, 0x20, 0x4e, 0x65, 0x74, - 0x77, 0x6f, 0x72, 0x6b, 0x31, 0x2a, 0x30, 0x28, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x55, - 0x53, 0x45, 0x52, 0x54, 0x72, 0x75, 0x73, 0x74, 0x20, 0x4c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x20, - 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x41, - 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, - 0x00, 0xd9, 0x4d, 0x20, 0x3a, 0xe6, 0x29, 0x30, 0x86, 0xf2, 0xe9, 0x86, 0x89, 0x76, 0x34, 0x4e, - 0x68, 0x1f, 0x96, 0x44, 0xf7, 0xd1, 0xf9, 0xd6, 0x82, 0x4e, 0xa6, 0x38, 0x9e, 0xee, 0xcb, 0x5b, - 0xe1, 0x8e, 0x2e, 0xbd, 0xf2, 0x57, 0x80, 0xfd, 0xc9, 0x3f, 0xfc, 0x90, 0x73, 0x44, 0xbc, 0x8f, - 0xbb, 0x57, 0x5b, 0xe5, 0x2d, 0x1f, 0x14, 0x30, 0x75, 0x36, 0xf5, 0x7f, 0xbc, 0xcf, 0x56, 0xf4, - 0x7f, 0x81, 0xff, 0xae, 0x91, 0xcd, 0xd8, 0xd2, 0x6a, 0xcb, 0x97, 0xf9, 0xf7, 0xcd, 0x90, 0x6a, - 0x45, 0x2d, 0xc4, 0xbb, 0xa4, 0x85, 0x13, 0x68, 0x57, 0x5f, 0xef, 0x29, 0xba, 0x2a, 0xca, 0xea, - 0xf5, 0xcc, 0xa4, 0x04, 0x9b, 0x63, 0xcd, 0x00, 0xeb, 0xfd, 0xed, 0x8d, 0xdd, 0x23, 0xc6, 0x7b, - 0x1e, 0x57, 0x1d, 0x36, 0x7f, 0x1f, 0x08, 0x9a, 0x0d, 0x61, 0xdb, 0x5a, 0x6c, 0x71, 0x02, 0x53, - 0x28, 0xc2, 0xfa, 0x8d, 0xfd, 0xab, 0xbb, 0xb3, 0xf1, 0x8d, 0x74, 0x4b, 0xdf, 0xbd, 0xbd, 0xcc, - 0x06, 0x93, 0x63, 0x09, 0x95, 0xc2, 0x10, 0x7a, 0x9d, 0x25, 0x90, 0x32, 0x9d, 0x01, 0xc2, 0x39, - 0x53, 0xb0, 0xe0, 0x15, 0x6b, 0xc7, 0xd7, 0x74, 0xe5, 0xa4, 0x22, 0x9b, 0xe4, 0x94, 0xff, 0x84, - 0x91, 0xfb, 0x2d, 0xb3, 0x19, 0x43, 0x2d, 0x93, 0x0f, 0x9c, 0x12, 0x09, 0xe4, 0x67, 0xb9, 0x27, - 0x7a, 0x32, 0xad, 0x7a, 0x2a, 0xcc, 0x41, 0x58, 0xc0, 0x6e, 0x59, 0x5f, 0xee, 0x38, 0x2b, 0x17, - 0x22, 0x9c, 0x89, 0xfa, 0x6e, 0xe7, 0xe5, 0x57, 0x35, 0xf4, 0x5a, 0xed, 0x92, 0x95, 0x93, 0x2d, - 0xf9, 0xcc, 0x24, 0x3f, 0xa5, 0x1c, 0x3d, 0x27, 0xbd, 0x22, 0x03, 0x73, 0xcc, 0xf5, 0xca, 0xf3, - 0xa9, 0xf4, 0xdc, 0xfe, 0xcf, 0xe9, 0xd0, 0x5c, 0xd0, 0x0f, 0xab, 0x87, 0xfc, 0x83, 0xfd, 0xc8, - 0xa9, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x1f, 0x30, 0x82, 0x01, 0x1b, 0x30, 0x1f, - 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xad, 0xbd, 0x98, 0x7a, 0x34, - 0xb4, 0x26, 0xf7, 0xfa, 0xc4, 0x26, 0x54, 0xef, 0x03, 0xbd, 0xe0, 0x24, 0xcb, 0x54, 0x1a, 0x30, - 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xaf, 0xa4, 0x40, 0xaf, 0x9f, 0x16, - 0xfe, 0xab, 0x31, 0xfd, 0xfb, 0xd5, 0x97, 0x8b, 0xf5, 0x91, 0xa3, 0x24, 0x86, 0x16, 0x30, 0x0e, - 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x12, - 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x08, 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, - 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2b, - 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, - 0x02, 0x30, 0x19, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x12, 0x30, 0x10, 0x30, 0x0e, 0x06, 0x0c, - 0x2b, 0x06, 0x01, 0x04, 0x01, 0xb2, 0x31, 0x01, 0x02, 0x01, 0x03, 0x04, 0x30, 0x44, 0x06, 0x03, - 0x55, 0x1d, 0x1f, 0x04, 0x3d, 0x30, 0x3b, 0x30, 0x39, 0xa0, 0x37, 0xa0, 0x35, 0x86, 0x33, 0x68, - 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x75, 0x73, 0x65, 0x72, 0x74, 0x72, - 0x75, 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x41, 0x64, 0x64, 0x54, 0x72, 0x75, 0x73, 0x74, - 0x45, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x43, 0x41, 0x52, 0x6f, 0x6f, 0x74, 0x2e, 0x63, - 0x72, 0x6c, 0x30, 0x35, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x29, - 0x30, 0x27, 0x30, 0x25, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x19, - 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x75, 0x73, 0x65, 0x72, - 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, - 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x84, 0xae, 0x2d, - 0x68, 0x38, 0x11, 0x6c, 0x83, 0x51, 0x62, 0xc0, 0x91, 0xc2, 0x98, 0xbc, 0xc6, 0x3b, 0xfa, 0xa5, - 0xc5, 0xbd, 0x3b, 0x09, 0xe6, 0x6e, 0x60, 0x6f, 0x30, 0x03, 0x86, 0x22, 0x1a, 0xb2, 0x8b, 0xf3, - 0xc6, 0xce, 0x1e, 0xbb, 0x1b, 0x79, 0xe0, 0x16, 0x14, 0x4d, 0xd2, 0x9a, 0x05, 0x4b, 0xff, 0x8f, - 0xec, 0xf0, 0x28, 0x29, 0xea, 0x2a, 0x04, 0x1d, 0x3d, 0xaf, 0x11, 0x12, 0xd5, 0x49, 0x98, 0x50, - 0x42, 0x9f, 0x61, 0x66, 0x3a, 0xb6, 0x40, 0x99, 0x04, 0x0c, 0x6b, 0x10, 0x32, 0xe9, 0xf7, 0xcf, - 0x86, 0x58, 0x4f, 0x2d, 0xcd, 0xd3, 0xac, 0x7e, 0xe8, 0x5b, 0x6a, 0x83, 0x7c, 0x0d, 0xa0, 0x9c, - 0x5c, 0x50, 0x36, 0x75, 0x0d, 0x6d, 0x7e, 0x42, 0xb7, 0xdf, 0xa6, 0xdc, 0x90, 0x5c, 0x6f, 0x23, - 0x4e, 0x97, 0x1d, 0xf3, 0x22, 0x75, 0xbf, 0x03, 0x35, 0xe6, 0x5d, 0x7f, 0xc7, 0xf9, 0x9b, 0x2c, - 0x87, 0xf6, 0x8e, 0xd6, 0x25, 0x96, 0x59, 0x9d, 0xcf, 0xea, 0x10, 0x1e, 0xef, 0x6e, 0xea, 0x5a, - 0x9b, 0x77, 0x18, 0x34, 0xcc, 0x81, 0x77, 0xaf, 0x9a, 0x87, 0xc2, 0x0a, 0xe5, 0xe5, 0x9e, 0x13, - 0x95, 0x53, 0xbd, 0xbd, 0x49, 0x1a, 0xa5, 0x76, 0x12, 0xf6, 0xdc, 0xf2, 0x91, 0xb7, 0xe9, 0x1a, - 0xe1, 0xbc, 0x4d, 0x3d, 0x95, 0x71, 0x7d, 0xf8, 0x8d, 0x7c, 0x3e, 0x03, 0x4f, 0x53, 0xed, 0xfe, - 0x52, 0xfd, 0xca, 0x5f, 0x93, 0xe1, 0x1a, 0x01, 0x1b, 0x02, 0xb7, 0x73, 0x4e, 0xba, 0x66, 0xe9, - 0x78, 0x8b, 0x50, 0xfe, 0x11, 0xcb, 0xd1, 0x67, 0xd0, 0x22, 0x4f, 0x77, 0xea, 0xcd, 0x14, 0x15, - 0x40, 0xae, 0x66, 0x5d, 0xe8, 0x2e, 0x7f, 0x1e, 0x88, 0x6f, 0x55, 0x79, 0xd6, 0xb9, 0x7e, 0xe3, - 0xb5, 0xfd, 0x91, 0xa0, 0xc0, 0xf2, 0x26, 0x87, 0x4b, 0x2f, 0x9d, 0xf5, 0xa0, - }; - - CK_ATTRIBUTE expected[] = { - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_TRUSTED, &falsev, sizeof (falsev) }, - { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, - { CKA_VALUE, expected_value, sizeof (expected_value) }, - { CKA_INVALID }, - }; - - p11_parser_formats (test.parser, p11_parser_format_pem, NULL); - ret = p11_parse_file (test.parser, SRCDIR "/trust/fixtures/openssl-trust-no-trust.pem", NULL, - P11_PARSE_FLAG_NONE); - assert_num_eq (P11_PARSE_SUCCESS, ret); - - /* Should have gotten certificate */ - assert_num_eq (1, test.parsed->num); - - cert = parsed_attrs (certificate_match, -1); - test_check_attrs (expected, cert); -} - -static void -test_parse_anchor (void) -{ - CK_ATTRIBUTE cacert3[] = { - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, - { CKA_TRUSTED, &truev, sizeof (truev) }, - { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *cert; - int ret; - - p11_parser_formats (test.parser, p11_parser_format_x509, NULL); - ret = p11_parse_file (test.parser, SRCDIR "/trust/fixtures/cacert3.der", NULL, - P11_PARSE_FLAG_ANCHOR); - assert_num_eq (P11_PARSE_SUCCESS, ret); - - /* - * Should have gotten: - * - 1 certificate - */ - assert_num_eq (1, test.parsed->num); - - cert = parsed_attrs (certificate_match, -1); - test_check_attrs (cacert3, cert); -} - -static void -test_parse_thawte (void) -{ - CK_ATTRIBUTE *cert; - int ret; - - CK_ATTRIBUTE expected[] = { - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, - { CKA_TRUSTED, &falsev, sizeof (falsev) }, - { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, - { CKA_INVALID }, - }; - - p11_parser_formats (test.parser, p11_parser_format_pem, NULL); - ret = p11_parse_file (test.parser, SRCDIR "/trust/fixtures/thawte.pem", NULL, - P11_PARSE_FLAG_NONE); - assert_num_eq (P11_PARSE_SUCCESS, ret); - - /* Should have gotten certificate */ - assert_num_eq (1, test.parsed->num); - - cert = parsed_attrs (certificate_match, -1); - test_check_attrs (expected, cert); -} - -/* TODO: A certificate that uses generalTime needs testing */ - -static void -test_parse_invalid_file (void) -{ - int ret; - - p11_message_quiet (); - - p11_parser_formats (test.parser, p11_parser_format_x509, NULL); - ret = p11_parse_file (test.parser, "/nonexistant", NULL, - P11_PARSE_FLAG_NONE); - assert_num_eq (P11_PARSE_FAILURE, ret); - - p11_message_loud (); -} - -static void -test_parse_unrecognized (void) -{ - int ret; - - p11_message_quiet (); - - p11_parser_formats (test.parser, p11_parser_format_x509, NULL); - ret = p11_parse_file (test.parser, SRCDIR "/trust/fixtures/unrecognized-file.txt", NULL, - P11_PARSE_FLAG_NONE); - assert_num_eq (P11_PARSE_UNRECOGNIZED, ret); - - p11_message_loud (); -} - -static void -test_parse_no_asn1_cache (void) -{ - p11_parser *parser; - int ret; - - parser = p11_parser_new (NULL); - assert_ptr_not_null (parser); - - p11_parser_formats (parser, p11_parser_format_x509, NULL); - ret = p11_parse_file (parser, SRCDIR "/trust/fixtures/cacert3.der", NULL, P11_PARSE_FLAG_NONE); - assert_num_eq (P11_PARSE_SUCCESS, ret); - - /* Should have gotten certificate */ - assert_num_eq (1, p11_parser_parsed (parser)->num); - - p11_parser_free (parser); -} - -int -main (int argc, - char *argv[]) -{ - p11_fixture (setup, teardown); - p11_test (test_parse_der_certificate, "/parser/parse_der_certificate"); - p11_test (test_parse_pem_certificate, "/parser/parse_pem_certificate"); - p11_test (test_parse_p11_kit_persist, "/parser/parse_p11_kit_persist"); - p11_test (test_parse_openssl_trusted, "/parser/parse_openssl_trusted"); - p11_test (test_parse_openssl_distrusted, "/parser/parse_openssl_distrusted"); - p11_test (test_openssl_trusted_no_trust, "/parser/openssl-trusted-no-trust"); - p11_test (test_parse_anchor, "/parser/parse_anchor"); - p11_test (test_parse_thawte, "/parser/parse_thawte"); - p11_test (test_parse_invalid_file, "/parser/parse_invalid_file"); - p11_test (test_parse_unrecognized, "/parser/parse_unrecognized"); - - p11_fixture (NULL, NULL); - p11_test (test_parse_no_asn1_cache, "/parser/null-asn1-cache"); - - return p11_test_run (argc, argv); -} diff --git a/trust/test-pem.c b/trust/test-pem.c deleted file mode 100644 index 0c7d60a..0000000 --- a/trust/test-pem.c +++ /dev/null @@ -1,341 +0,0 @@ -/* - * Copyright (c) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@gnome.org> - */ - -#include "config.h" -#include "test.h" - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> - -#include "compat.h" -#include "pem.h" - -struct { - const char *input; - struct { - const char *type; - const char *data; - unsigned int length; - } output[8]; -} success_fixtures[] = { - { - /* one block */ - "-----BEGIN BLOCK1-----\n" - "aYNNXqshlVxCdo8QfKeXh3GUzd/yn4LYIVgQrx4a\n" - "-----END BLOCK1-----", - { - { - "BLOCK1", - "\x69\x83\x4d\x5e\xab\x21\x95\x5c\x42\x76\x8f\x10\x7c\xa7\x97\x87" - "\x71\x94\xcd\xdf\xf2\x9f\x82\xd8\x21\x58\x10\xaf\x1e\x1a", - 30, - }, - { - NULL, - } - } - }, - - { - /* one block, with header */ - "-----BEGIN BLOCK1-----\n" - "Header1: value1 \n" - " Header2: value2\n" - "\n" - "aYNNXqshlVxCdo8QfKeXh3GUzd/yn4LYIVgQrx4a\n" - "-----END BLOCK1-----", - { - { - "BLOCK1", - "\x69\x83\x4d\x5e\xab\x21\x95\x5c\x42\x76\x8f\x10\x7c\xa7\x97\x87" - "\x71\x94\xcd\xdf\xf2\x9f\x82\xd8\x21\x58\x10\xaf\x1e\x1a", - 30, - }, - { - NULL, - } - } - }, - - { - /* two blocks, junk data */ - "-----BEGIN BLOCK1-----\n" - "aYNNXqshlVxCdo8QfKeXh3GUzd/yn4LYIVgQrx4a\n" - "-----END BLOCK1-----\n" - "blah blah\n" - "-----BEGIN TWO-----\n" - "oy5L157C671HyJMCf9FiK9prvPZfSch6V4EoUfylFoI1Bq6SbL53kg==\n" - "-----END TWO-----\n" - "trailing data", - { - { - "BLOCK1", - "\x69\x83\x4d\x5e\xab\x21\x95\x5c\x42\x76\x8f\x10\x7c\xa7\x97\x87" - "\x71\x94\xcd\xdf\xf2\x9f\x82\xd8\x21\x58\x10\xaf\x1e\x1a", - 30, - }, - { - "TWO", - "\xa3\x2e\x4b\xd7\x9e\xc2\xeb\xbd\x47\xc8\x93\x02\x7f\xd1\x62\x2b" - "\xda\x6b\xbc\xf6\x5f\x49\xc8\x7a\x57\x81\x28\x51\xfc\xa5\x16\x82" - "\x35\x06\xae\x92\x6c\xbe\x77\x92", - 40 - }, - { - NULL, - } - } - }, - - { - NULL, - } -}; - -typedef struct { - int input_index; - int output_index; - int parsed; -} Closure; - -static void -on_parse_pem_success (const char *type, - const unsigned char *contents, - size_t length, - void *user_data) -{ - Closure *cl = user_data; - - assert_num_eq (success_fixtures[cl->input_index].output[cl->output_index].length, length); - assert (memcmp (success_fixtures[cl->input_index].output[cl->output_index].data, contents, - success_fixtures[cl->input_index].output[cl->output_index].length) == 0); - - cl->output_index++; - cl->parsed++; -} - -static void -test_pem_success (void) -{ - Closure cl; - int ret; - int i; - int j; - - for (i = 0; success_fixtures[i].input != NULL; i++) { - cl.input_index = i; - cl.output_index = 0; - cl.parsed = 0; - - ret = p11_pem_parse (success_fixtures[i].input, strlen (success_fixtures[i].input), - on_parse_pem_success, &cl); - - assert (success_fixtures[i].output[cl.output_index].type == NULL); - - /* Count number of outputs, return from p11_pem_parse() should match */ - for (j = 0; success_fixtures[i].output[j].type != NULL; j++); - assert_num_eq (j, ret); - assert_num_eq (ret, cl.parsed); - } -} - -const char *failure_fixtures[] = { - /* too short at end of opening line */ - "-----BEGIN BLOCK1---\n" - "aYNNXqshlVxCdo8QfKeXh3GUzd/yn4LYIVgQrx4a\n" - "-----END BLOCK1-----", - - /* truncated */ - "-----BEGIN BLOCK1---", - - /* no ending */ - "-----BEGIN BLOCK1-----\n" - "aYNNXqshlVxCdo8QfKeXh3GUzd/yn4LYIVgQrx4a\n", - - /* wrong ending */ - "-----BEGIN BLOCK1-----\n" - "aYNNXqshlVxCdo8QfKeXh3GUzd/yn4LYIVgQrx4a\n" - "-----END BLOCK2-----", - - /* wrong ending */ - "-----BEGIN BLOCK1-----\n" - "aYNNXqshlVxCdo8QfKeXh3GUzd/yn4LYIVgQrx4a\n" - "-----END INVALID-----", - - /* too short at end of ending line */ - "-----BEGIN BLOCK1-----\n" - "aYNNXqshlVxCdo8QfKeXh3GUzd/yn4LYIVgQrx4a\n" - "-----END BLOCK1---", - - /* invalid base64 data */ - "-----BEGIN BLOCK1-----\n" - "!!!!NNXqshlVxCdo8QfKeXh3GUzd/yn4LYIVgQrx4a\n" - "-----END BLOCK1-----", - - NULL, -}; - -static void -on_parse_pem_failure (const char *type, - const unsigned char *contents, - size_t length, - void *user_data) -{ - assert (false && "not reached"); -} - -static void -test_pem_failure (void) -{ - int ret; - int i; - - for (i = 0; failure_fixtures[i] != NULL; i++) { - ret = p11_pem_parse (failure_fixtures[i], strlen (failure_fixtures[i]), - on_parse_pem_failure, NULL); - assert_num_eq (0, ret); - } -} - -typedef struct { - const char *input; - size_t length; - const char *type; - const char *output; -} WriteFixture; - -static WriteFixture write_fixtures[] = { - { - "\x69\x83\x4d\x5e\xab\x21\x95\x5c\x42\x76\x8f\x10\x7c\xa7\x97\x87" - "\x71\x94\xcd\xdf\xf2\x9f\x82\xd8\x21\x58\x10\xaf\x1e\x1a", - 30, "BLOCK1", - "-----BEGIN BLOCK1-----\n" - "aYNNXqshlVxCdo8QfKeXh3GUzd/yn4LYIVgQrx4a\n" - "-----END BLOCK1-----\n", - }, - { - "\x50\x31\x31\x2d\x4b\x49\x54\x0a\x0a\x50\x72\x6f\x76\x69\x64\x65" - "\x73\x20\x61\x20\x77\x61\x79\x20\x74\x6f\x20\x6c\x6f\x61\x64\x20" - "\x61\x6e\x64\x20\x65\x6e\x75\x6d\x65\x72\x61\x74\x65\x20\x50\x4b" - "\x43\x53\x23\x31\x31\x20\x6d\x6f\x64\x75\x6c\x65\x73\x2e\x20\x50" - "\x72\x6f\x76\x69\x64\x65\x73\x20\x61\x20\x73\x74\x61\x6e\x64\x61" - "\x72\x64\x0a\x63\x6f\x6e\x66\x69\x67\x75\x72\x61\x74\x69\x6f\x6e" - "\x20\x73\x65\x74\x75\x70\x20\x66\x6f\x72\x20\x69\x6e\x73\x74\x61" - "\x6c\x6c\x69\x6e\x67\x20\x50\x4b\x43\x53\x23\x31\x31\x20\x6d\x6f" - "\x64\x75\x6c\x65\x73\x20\x69\x6e\x20\x73\x75\x63\x68\x20\x61\x20" - "\x77\x61\x79\x20\x74\x68\x61\x74\x20\x74\x68\x65\x79\x27\x72\x65" - "\x0a\x64\x69\x73\x63\x6f\x76\x65\x72\x61\x62\x6c\x65\x2e\x0a\x0a" - "\x41\x6c\x73\x6f\x20\x73\x6f\x6c\x76\x65\x73\x20\x70\x72\x6f\x62" - "\x6c\x65\x6d\x73\x20\x77\x69\x74\x68\x20\x63\x6f\x6f\x72\x64\x69" - "\x6e\x61\x74\x69\x6e\x67\x20\x74\x68\x65\x20\x75\x73\x65\x20\x6f" - "\x66\x20\x50\x4b\x43\x53\x23\x31\x31\x20\x62\x79\x20\x64\x69\x66" - "\x66\x65\x72\x65\x6e\x74\x0a\x63\x6f\x6d\x70\x6f\x6e\x65\x6e\x74" - "\x73\x20\x6f\x72\x20\x6c\x69\x62\x72\x61\x72\x69\x65\x73\x20\x6c" - "\x69\x76\x69\x6e\x67\x20\x69\x6e\x20\x74\x68\x65\x20\x73\x61\x6d" - "\x65\x20\x70\x72\x6f\x63\x65\x73\x73\x2e\x0a", - 299, "LONG TYPE WITH SPACES", - "-----BEGIN LONG TYPE WITH SPACES-----\n" - "UDExLUtJVAoKUHJvdmlkZXMgYSB3YXkgdG8gbG9hZCBhbmQgZW51bWVyYXRlIFBL\n" - "Q1MjMTEgbW9kdWxlcy4gUHJvdmlkZXMgYSBzdGFuZGFyZApjb25maWd1cmF0aW9u\n" - "IHNldHVwIGZvciBpbnN0YWxsaW5nIFBLQ1MjMTEgbW9kdWxlcyBpbiBzdWNoIGEg\n" - "d2F5IHRoYXQgdGhleSdyZQpkaXNjb3ZlcmFibGUuCgpBbHNvIHNvbHZlcyBwcm9i\n" - "bGVtcyB3aXRoIGNvb3JkaW5hdGluZyB0aGUgdXNlIG9mIFBLQ1MjMTEgYnkgZGlm\n" - "ZmVyZW50CmNvbXBvbmVudHMgb3IgbGlicmFyaWVzIGxpdmluZyBpbiB0aGUgc2Ft\n" - "ZSBwcm9jZXNzLgo=\n" - "-----END LONG TYPE WITH SPACES-----\n" - }, - { - "\x69\x83\x4d\x5e\xab\x21\x95\x5c\x42\x76\x8f\x10\x7c\xa7\x97\x87" - "\x71\x94\xcd\xdf\xf2\x9f\x82\xd8\x21\x58\x10\xaf", - 28, "BLOCK1", - "-----BEGIN BLOCK1-----\n" - "aYNNXqshlVxCdo8QfKeXh3GUzd/yn4LYIVgQrw==\n" - "-----END BLOCK1-----\n", - }, - { - NULL, - } -}; - -static void -on_parse_written (const char *type, - const unsigned char *contents, - size_t length, - void *user_data) -{ - WriteFixture *fixture = user_data; - - assert_str_eq (fixture->type, type); - assert_num_eq (fixture->length, length); - assert (memcmp (contents, fixture->input, length) == 0); -} - -static void -test_pem_write (void) -{ - WriteFixture *fixture; - p11_buffer buf; - unsigned int count; - int i; - - for (i = 0; write_fixtures[i].input != NULL; i++) { - fixture = write_fixtures + i; - - if (!p11_buffer_init_null (&buf, 0)) - assert_not_reached (); - - if (!p11_pem_write ((unsigned char *)fixture->input, - fixture->length, - fixture->type, &buf)) - assert_not_reached (); - assert_str_eq (fixture->output, buf.data); - assert_num_eq (strlen (fixture->output), buf.len); - - count = p11_pem_parse (buf.data, buf.len, on_parse_written, fixture); - assert_num_eq (1, count); - - p11_buffer_uninit (&buf); - } -} - -int -main (int argc, - char *argv[]) -{ - p11_test (test_pem_success, "/pem/success"); - p11_test (test_pem_failure, "/pem/failure"); - p11_test (test_pem_write, "/pem/write"); - return p11_test_run (argc, argv); -} diff --git a/trust/test-persist.c b/trust/test-persist.c deleted file mode 100644 index 238a3c4..0000000 --- a/trust/test-persist.c +++ /dev/null @@ -1,635 +0,0 @@ -/* - * Copyright (c) 2013 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" -#include "test.h" -#include "test-trust.h" - -#include <stdarg.h> -#include <stdlib.h> -#include <stdio.h> -#include <string.h> - -#include "array.h" -#include "attrs.h" -#include "compat.h" -#include "debug.h" -#include "message.h" -#include "persist.h" -#include "pkcs11.h" -#include "pkcs11i.h" -#include "pkcs11x.h" - -static void -test_magic (void) -{ - const char *input = "[p11-kit-object-v1]\n" - "class: data\n" - "value: \"blah\"\n" - "application: \"test-persist\"\n"; - - const char *other = " " - "\n\n[p11-kit-object-v1]\n" - "class: data\n" - "value: \"blah\"\n" - "application: \"test-persist\"\n"; - - assert (p11_persist_magic ((unsigned char *)input, strlen (input))); - assert (!p11_persist_magic ((unsigned char *)input, 5)); - assert (p11_persist_magic ((unsigned char *)other, strlen (other))); - assert (!p11_persist_magic ((unsigned char *)"blah", 4)); -} - -static p11_array * -args_to_array (void *arg, - ...) GNUC_NULL_TERMINATED; - -static p11_array * -args_to_array (void *arg, - ...) -{ - p11_array *array = p11_array_new (NULL); - - va_list (va); - va_start (va, arg); - - while (arg != NULL) { - p11_array_push (array, arg); - arg = va_arg (va, void *); - } - - va_end (va); - - return array; -} - -static void -check_read_msg (const char *file, - int line, - const char *function, - const char *input, - p11_array *expected) -{ - p11_array *objects; - p11_persist *persist; - int i; - - persist = p11_persist_new (); - objects = p11_array_new (p11_attrs_free); - - if (p11_persist_read (persist, "test", (const unsigned char *)input, strlen (input), objects)) { - if (expected == NULL) - p11_test_fail (file, line, function, "decoding should have failed"); - for (i = 0; i < expected->num; i++) { - if (i >= objects->num) - p11_test_fail (file, line, function, "too few objects read"); - test_check_attrs_msg (file, line, function, expected->elem[i], objects->elem[i]); - } - if (i != objects->num) - p11_test_fail (file, line, function, "too many objects read"); - } else { - if (expected != NULL) - p11_test_fail (file, line, function, "decoding failed"); - } - - p11_array_free (objects); - p11_persist_free (persist); - p11_array_free (expected); -} - -static void -check_write_msg (const char *file, - int line, - const char *function, - const char *expected, - p11_array *input) -{ - p11_persist *persist; - p11_buffer buf; - int i; - - persist = p11_persist_new (); - p11_buffer_init_null (&buf, 0); - - for (i = 0; i < input->num; i++) { - if (!p11_persist_write (persist, input->elem[i], &buf)) - p11_test_fail (file, line, function, "persist write failed"); - } - - if (strcmp (buf.data, expected) != 0) { - p11_test_fail (file, line, function, "persist doesn't match: (\n%s----\n%s\n)", \ - expected, (char *)buf.data); - } - - p11_buffer_uninit (&buf); - p11_array_free (input); - p11_persist_free (persist); -} - -#define check_read_success(input, objs) \ - check_read_msg (__FILE__, __LINE__, __FUNCTION__, input, args_to_array objs) - -#define check_read_failure(input) \ - check_read_msg (__FILE__, __LINE__, __FUNCTION__, input, NULL) - -#define check_write_success(expected, inputs) \ - check_write_msg (__FILE__, __LINE__, __FUNCTION__, expected, args_to_array inputs) - -static CK_OBJECT_CLASS certificate = CKO_CERTIFICATE; -static CK_CERTIFICATE_TYPE x509 = CKC_X_509; -static CK_OBJECT_CLASS nss_trust = CKO_NSS_TRUST; -static CK_OBJECT_CLASS data = CKO_DATA; -static CK_BBOOL truev = CK_TRUE; -static CK_BBOOL falsev = CK_FALSE; - -static void -test_simple (void) -{ - const char *output = "[p11-kit-object-v1]\n" - "class: data\n" - "value: \"blah\"\n" - "application: \"test-persist\"\n\n"; - - CK_ATTRIBUTE attrs[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_VALUE, "blah", 4 }, - { CKA_APPLICATION, "test-persist", 12 }, - { CKA_INVALID }, - }; - - check_read_success (output, (attrs, NULL)); - check_write_success (output, (attrs, NULL)); -} - -static void -test_number (void) -{ - const char *output = "[p11-kit-object-v1]\n" - "class: data\n" - "value-len: 29202390\n" - "application: \"test-persist\"\n\n"; - - CK_ULONG value = 29202390; - - CK_ATTRIBUTE attrs[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_VALUE_LEN, &value, sizeof (value) }, - { CKA_APPLICATION, "test-persist", 12 }, - { CKA_INVALID }, - }; - - check_read_success (output, (attrs, NULL)); - check_write_success (output, (attrs, NULL)); -} - -static void -test_bool (void) -{ - const char *output = "[p11-kit-object-v1]\n" - "class: data\n" - "private: true\n" - "modifiable: false\n" - "application: \"test-persist\"\n\n"; - - CK_ATTRIBUTE attrs[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_PRIVATE, &truev, sizeof (truev) }, - { CKA_MODIFIABLE, &falsev, sizeof (falsev) }, - { CKA_APPLICATION, "test-persist", 12 }, - { CKA_INVALID }, - }; - - check_read_success (output, (attrs, NULL)); - check_write_success (output, (attrs, NULL)); -} - -static void -test_oid (void) -{ - const char *output = "[p11-kit-object-v1]\n" - "class: data\n" - "object-id: 1.2.3.4\n\n"; - - CK_ATTRIBUTE attrs[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_OBJECT_ID, "\x06\x03*\x03\x04", 5 }, - { CKA_INVALID }, - }; - - check_read_success (output, (attrs, NULL)); - check_write_success (output, (attrs, NULL)); -} - -static void -test_constant (void) -{ - const char *output = "[p11-kit-object-v1]\n" - "class: data\n" - "certificate-type: x-509-attr-cert\n" - "key-type: rsa\n" - "x-assertion-type: x-pinned-certificate\n" - "certificate-category: authority\n" - "mechanism-type: rsa-pkcs-key-pair-gen\n" - "trust-server-auth: nss-trust-unknown\n\n"; - - CK_TRUST trust = CKT_NSS_TRUST_UNKNOWN; - CK_CERTIFICATE_TYPE type = CKC_X_509_ATTR_CERT; - CK_X_ASSERTION_TYPE ass = CKT_X_PINNED_CERTIFICATE; - CK_MECHANISM_TYPE mech = CKM_RSA_PKCS_KEY_PAIR_GEN; - CK_ULONG category = 2; - CK_KEY_TYPE key = CKK_RSA; - - CK_ATTRIBUTE attrs[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_CERTIFICATE_TYPE, &type, sizeof (type) }, - { CKA_KEY_TYPE, &key, sizeof (key) }, - { CKA_X_ASSERTION_TYPE, &ass, sizeof (ass) }, - { CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) }, - { CKA_MECHANISM_TYPE, &mech, sizeof (mech) }, - { CKA_TRUST_SERVER_AUTH, &trust, sizeof (trust) }, - { CKA_INVALID }, - }; - - check_read_success (output, (attrs, NULL)); - check_write_success (output, (attrs, NULL)); -} - -static void -test_unknown (void) -{ - const char *output = "[p11-kit-object-v1]\n" - "class: data\n" - "38383838: \"the-value-here\"\n\n"; - - CK_ATTRIBUTE attrs[] = { - { CKA_CLASS, &data, sizeof (data) }, - { 38383838, "the-value-here", 14 }, - { CKA_INVALID }, - }; - - check_read_success (output, (attrs, NULL)); - check_write_success (output, (attrs, NULL)); -} - -static void -test_multiple (void) -{ - const char *output = "[p11-kit-object-v1]\n" - "class: data\n" - "object-id: 1.2.3.4\n\n" - "[p11-kit-object-v1]\n" - "class: nss-trust\n" - "trust-server-auth: nss-trust-unknown\n\n"; - - CK_TRUST trust = CKT_NSS_TRUST_UNKNOWN; - - CK_ATTRIBUTE attrs1[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_OBJECT_ID, "\x06\x03*\x03\x04", 5 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE attrs2[] = { - { CKA_CLASS, &nss_trust, sizeof (nss_trust) }, - { CKA_TRUST_SERVER_AUTH, &trust, sizeof (trust) }, - { CKA_INVALID }, - }; - - check_read_success (output, (attrs1, attrs2, NULL)); - check_write_success (output, (attrs1, attrs2, NULL)); -} - -static void -test_pem_block (void) -{ - const char *output = "[p11-kit-object-v1]\n" - "id: \"292c92\"\n" - "trusted: true\n" - "-----BEGIN CERTIFICATE-----\n" - "MIICPDCCAaUCED9pHoGc8JpK83P/uUii5N0wDQYJKoZIhvcNAQEFBQAwXzELMAkG\n" - "A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz\n" - "cyAxIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2\n" - "MDEyOTAwMDAwMFoXDTI4MDgwMjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV\n" - "BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmlt\n" - "YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN\n" - "ADCBiQKBgQDlGb9to1ZhLZlIcfZn3rmN67eehoAKkQ76OCWvRoiC5XOooJskXQ0f\n" - "zGVuDLDQVoQYh5oGmxChc9+0WDlrbsH2FdWoqD+qEgaNMax/sDTXjzRniAnNFBHi\n" - "TkVWaR94AoDa3EeRKbs2yWNcxeDXLYd7obcysHswuiovMaruo2fa2wIDAQABMA0G\n" - "CSqGSIb3DQEBBQUAA4GBAFgVKTk8d6PaXCUDfGD67gmZPCcQcMgMCeazh88K4hiW\n" - "NWLMv5sneYlfycQJ9M61Hd8qveXbhpxoJeUwfLaJFf5n0a3hUKw8fGJLj7qE1xIV\n" - "Gx/KXQ/BUpQqEZnae88MNhPVNdwQGVnqlMEAv3WP2fr9dgTbYruQagPZRjXZ+Hxb\n" - "-----END CERTIFICATE-----\n" - "\n"; - - CK_ATTRIBUTE attrs[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_ID, "292c92", 6, }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_VALUE, (unsigned char *)&verisign_v1_ca, sizeof (verisign_v1_ca) }, - { CKA_TRUSTED, &truev, sizeof (truev) }, - { CKA_INVALID }, - }; - - check_read_success (output, (attrs, NULL)); - check_write_success (output, (attrs, NULL)); -} - -static void -test_pem_middle (void) -{ - const char *input = "[p11-kit-object-v1]\n" - "class: certificate\n" - "id: \"292c92\"\n" - "-----BEGIN CERTIFICATE-----\n" - "MIICPDCCAaUCED9pHoGc8JpK83P/uUii5N0wDQYJKoZIhvcNAQEFBQAwXzELMAkG\n" - "A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz\n" - "cyAxIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2\n" - "MDEyOTAwMDAwMFoXDTI4MDgwMjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV\n" - "BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmlt\n" - "YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN\n" - "ADCBiQKBgQDlGb9to1ZhLZlIcfZn3rmN67eehoAKkQ76OCWvRoiC5XOooJskXQ0f\n" - "zGVuDLDQVoQYh5oGmxChc9+0WDlrbsH2FdWoqD+qEgaNMax/sDTXjzRniAnNFBHi\n" - "TkVWaR94AoDa3EeRKbs2yWNcxeDXLYd7obcysHswuiovMaruo2fa2wIDAQABMA0G\n" - "CSqGSIb3DQEBBQUAA4GBAFgVKTk8d6PaXCUDfGD67gmZPCcQcMgMCeazh88K4hiW\n" - "NWLMv5sneYlfycQJ9M61Hd8qveXbhpxoJeUwfLaJFf5n0a3hUKw8fGJLj7qE1xIV\n" - "Gx/KXQ/BUpQqEZnae88MNhPVNdwQGVnqlMEAv3WP2fr9dgTbYruQagPZRjXZ+Hxb\n" - "-----END CERTIFICATE-----\n" - "\n" - "trusted: true"; - - CK_ATTRIBUTE expected[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_TRUSTED, &truev, sizeof (truev) }, - { CKA_VALUE, (unsigned char *)&verisign_v1_ca, sizeof (verisign_v1_ca) }, - { CKA_INVALID }, - }; - - check_read_success (input, (expected, NULL)); -} - -static void -test_pem_public_key (void) -{ - const char *output = "[p11-kit-object-v1]\n" - "id: \"292c92\"\n" - "-----BEGIN PUBLIC KEY-----\n" - "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAryQICCl6NZ5gDKrnSztO\n" - "3Hy8PEUcuyvg/ikC+VcIo2SFFSf18a3IMYldIugqqqZCs4/4uVW3sbdLs/6PfgdX\n" - "7O9D22ZiFWHPYA2k2N744MNiCD1UE+tJyllUhSblK48bn+v1oZHCM0nYQ2NqUkvS\n" - "j+hwUU3RiWl7x3D2s9wSdNt7XUtW05a/FXehsPSiJfKvHJJnGOX0BgTvkLnkAOTd\n" - "OrUZ/wK69Dzu4IvrN4vs9Nes8vbwPa/ddZEzGR0cQMt0JBkhk9kU/qwqUseP1QRJ\n" - "5I1jR4g8aYPL/ke9K35PxZWuDp3U0UPAZ3PjFAh+5T+fc7gzCs9dPzSHloruU+gl\n" - "FQIDAQAB\n" - "-----END PUBLIC KEY-----\n\n"; - - CK_ATTRIBUTE attrs[] = { - { CKA_ID, "292c92", 6, }, - { CKA_PUBLIC_KEY_INFO, (unsigned char *)&example_public_key, sizeof (example_public_key) }, - { CKA_INVALID }, - }; - - check_read_success (output, (attrs, NULL)); - check_write_success (output, (attrs, NULL)); -} - - -static void -test_pem_invalid (void) -{ - const char *input = "[p11-kit-object-v1]\n" - "class: certificate\n" - "-----BEGIN CERT-----\n" - "MIICPDCCAaUCED9pHoGc8JpK83P/uUii5N0wDQYJKoZIhvcNAQEFBQAwXzELMAkG\n" - "A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz\n" - "cyAxIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2\n" - "MDEyOTAwMDAwMFoXDTI4MDgwMjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV\n" - "BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmlt\n" - "YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN\n" - "ADCBiQKBgQDlGb9to1ZhLZlIcfZn3rmN67eehoAKkQ76OCWvRoiC5XOooJskXQ0f\n" - "zGVuDLDQVoQYh5oGmxChc9+0WDlrbsH2FdWoqD+qEgaNMax/sDTXjzRniAnNFBHi\n" - "TkVWaR94AoDa3EeRKbs2yWNcxeDXLYd7obcysHswuiovMaruo2fa2wIDAQABMA0G\n" - "CSqGSIb3DQEBBQUAA4GBAFgVKTk8d6PaXCUDfGD67gmZPCcQcMgMCeazh88K4hiW\n" - "NWLMv5sneYlfycQJ9M61Hd8qveXbhpxoJeUwfLaJFf5n0a3hUKw8fGJLj7qE1xIV\n" - "Gx/KXQ/BUpQqEZnae88MNhPVNdwQGVnqlMEAv3WP2fr9dgTbYruQagPZRjXZ+Hxb\n" - "-----END CERTIFICATEXXX-----\n"; - - p11_message_quiet (); - - check_read_failure (input); - - p11_message_loud (); -} - -static void -test_pem_unsupported (void) -{ - const char *input = "[p11-kit-object-v1]\n" - "class: certificate\n" - "-----BEGIN BLOCK1-----\n" - "aYNNXqshlVxCdo8QfKeXh3GUzd/yn4LYIVgQrx4a\n" - "-----END BLOCK1-----\n"; - - p11_message_quiet (); - - check_read_failure (input); - - p11_message_loud (); -} - -static void -test_pem_first (void) -{ - const char *input = "-----BEGIN BLOCK1-----\n" - "aYNNXqshlVxCdo8QfKeXh3GUzd/yn4LYIVgQrx4a\n" - "-----END BLOCK1-----\n" - "[p11-kit-object-v1]\n" - "class: certificate\n"; - - p11_message_quiet (); - - check_read_failure (input); - - p11_message_loud (); -} - -static void -test_skip_unknown (void) -{ - const char *input = "[version-2]\n" - "class: data\n" - "object-id: 1.2.3.4\n" - "-----BEGIN BLOCK1-----\n" - "aYNNXqshlVxCdo8QfKeXh3GUzd/yn4LYIVgQrx4a\n" - "-----END BLOCK1-----\n" - "[p11-kit-object-v1]\n" - "class: nss-trust\n" - "trust-server-auth: nss-trust-unknown"; - - CK_TRUST trust = CKT_NSS_TRUST_UNKNOWN; - - CK_ATTRIBUTE expected2[] = { - { CKA_CLASS, &nss_trust, sizeof (nss_trust) }, - { CKA_TRUST_SERVER_AUTH, &trust, sizeof (trust) }, - { CKA_INVALID }, - }; - - p11_message_quiet (); - - check_read_success (input, (expected2, NULL)); - - p11_message_loud (); -} - -static void -test_bad_value (void) -{ - const char *input = "[p11-kit-object-v1]\n" - "class: data\n" - "value: \"%38%\"\n"; - - p11_message_quiet (); - - check_read_failure (input); - - p11_message_loud (); -} - -static void -test_bad_oid (void) -{ - const char *input = "[p11-kit-object-v1]\n" - "class: data\n" - "object-id: 1.2"; - - p11_message_quiet (); - - check_read_failure (input); - - p11_message_loud (); -} - -static void -test_bad_field (void) -{ - const char *input = "[p11-kit-object-v1]\n" - "class: data\n" - "invalid-field: true"; - - p11_message_quiet (); - - check_read_failure (input); - - p11_message_loud (); -} - -static void -test_attribute_first (void) -{ - const char *input = "class: data\n" - "[p11-kit-object-v1]\n" - "invalid-field: true"; - - p11_message_quiet (); - - check_read_failure (input); - - p11_message_loud (); -} - -static void -test_not_boolean (void) -{ - const char *output = "[p11-kit-object-v1]\n" - "private: \"x\"\n\n"; - - CK_ATTRIBUTE attrs[] = { - { CKA_PRIVATE, "x", 1 }, - { CKA_INVALID }, - }; - - check_write_success (output, (attrs, NULL)); -} - -static void -test_not_ulong (void) -{ - char buffer[sizeof (CK_ULONG) + 1]; - char *output; - - CK_ATTRIBUTE attrs[] = { - { CKA_BITS_PER_PIXEL, "xx", 2 }, - { CKA_VALUE, buffer, sizeof (CK_ULONG) }, - { CKA_INVALID }, - }; - - memset (buffer, 'x', sizeof (buffer)); - buffer[sizeof (CK_ULONG)] = 0; - - if (asprintf (&output, "[p11-kit-object-v1]\n" - "bits-per-pixel: \"xx\"\n" - "value: \"%s\"\n\n", buffer) < 0) - assert_not_reached (); - - check_write_success (output, (attrs, NULL)); - free (output); -} - -int -main (int argc, - char *argv[]) -{ - p11_test (test_magic, "/persist/magic"); - p11_test (test_simple, "/persist/simple"); - p11_test (test_number, "/persist/number"); - p11_test (test_bool, "/persist/bool"); - p11_test (test_oid, "/persist/oid"); - p11_test (test_constant, "/persist/constant"); - p11_test (test_unknown, "/persist/unknown"); - p11_test (test_multiple, "/persist/multiple"); - p11_test (test_pem_block, "/persist/pem_block"); - p11_test (test_pem_middle, "/persist/pem-middle"); - p11_test (test_pem_public_key, "/persist/pem-public-key"); - p11_test (test_pem_invalid, "/persist/pem_invalid"); - p11_test (test_pem_unsupported, "/persist/pem_unsupported"); - p11_test (test_pem_first, "/persist/pem_first"); - p11_test (test_bad_value, "/persist/bad_value"); - p11_test (test_bad_oid, "/persist/bad_oid"); - p11_test (test_bad_field, "/persist/bad_field"); - p11_test (test_skip_unknown, "/persist/skip_unknown"); - p11_test (test_attribute_first, "/persist/attribute_first"); - p11_test (test_not_boolean, "/persist/not-boolean"); - p11_test (test_not_ulong, "/persist/not-ulong"); - return p11_test_run (argc, argv); -} diff --git a/trust/test-save.c b/trust/test-save.c deleted file mode 100644 index 1de798d..0000000 --- a/trust/test-save.c +++ /dev/null @@ -1,595 +0,0 @@ -/* - * Copyright (c) 2013, Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@collabora.co.uk> - */ - -#include "config.h" - -#include "test-trust.h" - -#include "attrs.h" -#include "compat.h" -#include "debug.h" -#include "dict.h" -#include "message.h" -#include "path.h" -#include "save.h" -#include "test.h" - -#include <sys/stat.h> -#include <sys/types.h> - -#include <dirent.h> -#include <errno.h> -#include <fcntl.h> -#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#include <unistd.h> - -struct { - char *directory; -} test; - -static void -setup (void *unused) -{ - test.directory = p11_test_directory ("test-extract"); -} - -static void -teardown (void *unused) -{ - if (rmdir (test.directory) < 0) - assert_fail ("rmdir() failed", strerror (errno)); - free (test.directory); -} - -static void -write_zero_file (const char *directory, - const char *name) -{ - char *filename; - int res; - int fd; - - if (asprintf (&filename, "%s/%s", directory, name) < 0) - assert_not_reached (); - - fd = open (filename, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); - assert (fd != -1); - res = close (fd); - assert (res >= 0); - - free (filename); -} - -static void -test_file_write (void) -{ - p11_save_file *file; - char *filename; - bool ret; - - if (asprintf (&filename, "%s/%s", test.directory, "extract-file") < 0) - assert_not_reached (); - - file = p11_save_open_file (filename, NULL, 0); - assert_ptr_not_null (file); - - ret = p11_save_write_and_finish (file, test_cacert3_ca_der, sizeof (test_cacert3_ca_der)); - assert_num_eq (true, ret); - free (filename); - - test_check_file (test.directory, "extract-file", SRCDIR "/trust/fixtures/cacert3.der"); -} - -static void -test_file_exists (void) -{ - p11_save_file *file; - char *filename; - - if (asprintf (&filename, "%s/%s", test.directory, "extract-file") < 0) - assert_not_reached (); - - write_zero_file (test.directory, "extract-file"); - - p11_message_quiet (); - - file = p11_save_open_file (filename, NULL, 0); - assert (file != NULL); - - if (p11_save_finish_file (file, NULL, true)) - assert_not_reached (); - - p11_message_loud (); - - unlink (filename); - free (filename); -} - -static void -test_file_bad_directory (void) -{ - p11_save_file *file; - char *filename; - - if (asprintf (&filename, "/non-existent/%s/%s", test.directory, "extract-file") < 0) - assert_not_reached (); - - p11_message_quiet (); - - file = p11_save_open_file (filename, NULL, 0); - assert (file == NULL); - - p11_message_loud (); - - free (filename); -} - -static void -test_file_overwrite (void) -{ - p11_save_file *file; - char *filename; - bool ret; - - if (asprintf (&filename, "%s/%s", test.directory, "extract-file") < 0) - assert_not_reached (); - - write_zero_file (test.directory, "extract-file"); - - file = p11_save_open_file (filename, NULL, P11_SAVE_OVERWRITE); - assert_ptr_not_null (file); - - ret = p11_save_write_and_finish (file, test_cacert3_ca_der, sizeof (test_cacert3_ca_der)); - assert_num_eq (true, ret); - free (filename); - - test_check_file (test.directory, "extract-file", SRCDIR "/trust/fixtures/cacert3.der"); -} - -static void -test_file_unique (void) -{ - p11_save_file *file; - char *filename; - bool ret; - - if (asprintf (&filename, "%s/%s", test.directory, "extract-file") < 0) - assert_not_reached (); - - write_zero_file (test.directory, "extract-file"); - - file = p11_save_open_file (filename, NULL, P11_SAVE_UNIQUE); - assert_ptr_not_null (file); - - ret = p11_save_write_and_finish (file, test_cacert3_ca_der, sizeof (test_cacert3_ca_der)); - assert_num_eq (true, ret); - free (filename); - - test_check_file (test.directory, "extract-file", SRCDIR "/trust/fixtures/empty-file"); - test_check_file (test.directory, "extract-file.1", SRCDIR "/trust/fixtures/cacert3.der"); -} - -static void -test_file_auto_empty (void) -{ - p11_save_file *file; - char *filename; - bool ret; - - if (asprintf (&filename, "%s/%s", test.directory, "extract-file") < 0) - assert_not_reached (); - - file = p11_save_open_file (filename, NULL, 0); - assert_ptr_not_null (file); - - ret = p11_save_write_and_finish (file, NULL, -1); - assert_num_eq (true, ret); - free (filename); - - test_check_file (test.directory, "extract-file", SRCDIR "/trust/fixtures/empty-file"); -} - -static void -test_file_auto_length (void) -{ - p11_save_file *file; - char *filename; - bool ret; - - if (asprintf (&filename, "%s/%s", test.directory, "extract-file") < 0) - assert_not_reached (); - - file = p11_save_open_file (filename, NULL, 0); - assert_ptr_not_null (file); - - ret = p11_save_write_and_finish (file, "The simple string is hairy", -1); - assert_num_eq (true, ret); - free (filename); - - test_check_file (test.directory, "extract-file", SRCDIR "/trust/fixtures/simple-string"); -} - -static void -test_write_with_null (void) -{ - bool ret; - - ret = p11_save_write (NULL, "test", 4); - assert_num_eq (false, ret); -} - -static void -test_write_and_finish_with_null (void) -{ - bool ret; - - ret = p11_save_write_and_finish (NULL, "test", 4); - assert_num_eq (false, ret); -} - -static void -test_file_abort (void) -{ - struct stat st; - p11_save_file *file; - char *filename; - char *path; - bool ret; - - if (asprintf (&filename, "%s/%s", test.directory, "extract-file") < 0) - assert_not_reached (); - - file = p11_save_open_file (filename, NULL, 0); - assert_ptr_not_null (file); - - path = NULL; - ret = p11_save_finish_file (file, &path, false); - assert_num_eq (true, ret); - assert (path == NULL); - - if (stat (filename, &st) >= 0 || errno != ENOENT) - assert_fail ("file should not exist", filename); - - free (filename); -} - - -static void -test_directory_empty (void) -{ - p11_save_dir *dir; - char *subdir; - bool ret; - - if (asprintf (&subdir, "%s/%s", test.directory, "extract-dir") < 0) - assert_not_reached (); - - dir = p11_save_open_directory (subdir, 0); - assert_ptr_not_null (dir); - - ret = p11_save_finish_directory (dir, true); - assert_num_eq (true, ret); - - test_check_directory (subdir, (NULL, NULL)); - - assert (rmdir (subdir) >= 0); - free (subdir); -} - -static void -test_directory_files (void) -{ - char *path; - char *check; - p11_save_file *file; - p11_save_dir *dir; - char *subdir; - bool ret; - - if (asprintf (&subdir, "%s/%s", test.directory, "extract-dir") < 0) - assert_not_reached (); - - dir = p11_save_open_directory (subdir, 0); - assert_ptr_not_null (dir); - - file = p11_save_open_file_in (dir, "blah", ".cer"); - assert_ptr_not_null (file); - ret = p11_save_write (file, test_cacert3_ca_der, sizeof (test_cacert3_ca_der)); - assert_num_eq (true, ret); - ret = p11_save_finish_file (file, &path, true); - assert_num_eq (true, ret); - if (asprintf (&check, "%s/%s", subdir, "blah.cer") < 0) - assert_not_reached (); - assert_str_eq (check, path); - free (check); - free (path); - - file = p11_save_open_file_in (dir, "file", ".txt"); - assert_ptr_not_null (file); - ret = p11_save_write (file, test_text, strlen (test_text)); - assert_num_eq (true, ret); - ret = p11_save_finish_file (file, &path, true); - assert_num_eq (true, ret); - if (asprintf (&check, "%s/%s", subdir, "file.txt") < 0) - assert_not_reached (); - assert_str_eq (check, path); - free (check); - free (path); - -#ifdef OS_UNIX - ret = p11_save_symlink_in (dir, "link", ".ext", "/the/destination"); - assert_num_eq (true, ret); -#endif - - ret = p11_save_finish_directory (dir, true); - assert_num_eq (true, ret); - - test_check_directory (subdir, ("blah.cer", "file.txt", -#ifdef OS_UNIX - "link.ext", -#endif - NULL)); - test_check_file (subdir, "blah.cer", SRCDIR "/trust/fixtures/cacert3.der"); - test_check_data (subdir, "file.txt", test_text, strlen (test_text)); -#ifdef OS_UNIX - test_check_symlink (subdir, "link.ext", "/the/destination"); -#endif - - assert (rmdir (subdir) >= 0); - free (subdir); -} - -static void -test_directory_dups (void) -{ - char *path; - char *check; - p11_save_file *file; - p11_save_dir *dir; - char *subdir; - bool ret; - - if (asprintf (&subdir, "%s/%s", test.directory, "extract-dir") < 0) - assert_not_reached (); - - dir = p11_save_open_directory (subdir, 0); - assert_ptr_not_null (dir); - - file = p11_save_open_file_in (dir, "file", ".txt"); - assert_ptr_not_null (file); - ret = p11_save_write (file, test_text, 5); - assert_num_eq (true, ret); - ret = p11_save_finish_file (file, &path, true); - assert_num_eq (true, ret); - if (asprintf (&check, "%s/%s", subdir, "file.txt") < 0) - assert_not_reached (); - assert_str_eq (check, path); - free (check); - free (path); - - file = p11_save_open_file_in (dir, "file", ".txt"); - assert_ptr_not_null (file); - ret = p11_save_write (file, test_text, 10); - assert_num_eq (true, ret); - ret = p11_save_finish_file (file, &path, true); - assert_num_eq (true, ret); - if (asprintf (&check, "%s/%s", subdir, "file.1.txt") < 0) - assert_not_reached (); - assert_str_eq (check, path); - free (check); - free (path); - - ret = p11_save_write_and_finish (p11_save_open_file_in (dir, "file", ".txt"), - test_text, 15); - assert_num_eq (true, ret); - - ret = p11_save_write_and_finish (p11_save_open_file_in (dir, "no-ext", NULL), - test_text, 8); - assert_num_eq (true, ret); - - ret = p11_save_write_and_finish (p11_save_open_file_in (dir, "no-ext", NULL), - test_text, 16); - assert_num_eq (true, ret); - - ret = p11_save_write_and_finish (p11_save_open_file_in (dir, "with-num", ".0"), - test_text, 14); - assert_num_eq (true, ret); - - ret = p11_save_write_and_finish (p11_save_open_file_in (dir, "with-num", ".0"), - test_text, 15); - assert_num_eq (true, ret); - -#ifdef OS_UNIX - ret = p11_save_symlink_in (dir, "link", ".0", "/destination1"); - assert_num_eq (true, ret); - - ret = p11_save_symlink_in (dir, "link", ".0", "/destination2"); - assert_num_eq (true, ret); -#endif - - ret = p11_save_finish_directory (dir, true); - assert_num_eq (true, ret); - - test_check_directory (subdir, ("file.txt", "file.1.txt", "file.2.txt", - "no-ext", "no-ext.1", - "with-num.0", "with-num.1", -#ifdef OS_UNIX - "link.0", "link.1", -#endif - NULL)); - test_check_data (subdir, "file.txt", test_text, 5); - test_check_data (subdir, "file.1.txt", test_text, 10); - test_check_data (subdir, "file.2.txt", test_text, 15); - test_check_data (subdir, "no-ext", test_text, 8); - test_check_data (subdir, "no-ext.1", test_text, 16); - test_check_data (subdir, "with-num.0", test_text, 14); - test_check_data (subdir, "with-num.1", test_text, 15); -#ifdef OS_UNIX - test_check_symlink (subdir, "link.0", "/destination1"); - test_check_symlink (subdir, "link.1", "/destination2"); -#endif - - assert (rmdir (subdir) >= 0); - free (subdir); -} - -static void -test_directory_exists (void) -{ - p11_save_dir *dir; - char *subdir; - - if (asprintf (&subdir, "%s/%s", test.directory, "extract-dir") < 0) - assert_not_reached (); - -#ifdef OS_UNIX - if (mkdir (subdir, S_IRWXU) < 0) -#else - if (mkdir (subdir) < 0) -#endif - assert_fail ("mkdir() failed", subdir); - - p11_message_quiet (); - - dir = p11_save_open_directory (subdir, 0); - assert_ptr_eq (NULL, dir); - - p11_message_loud (); - - rmdir (subdir); - free (subdir); -} - -static void -test_directory_overwrite (void) -{ - char *path; - char *check; - p11_save_file *file; - p11_save_dir *dir; - char *subdir; - bool ret; - - if (asprintf (&subdir, "%s/%s", test.directory, "extract-dir") < 0) - assert_not_reached (); - - /* Some initial files into this directory, which get overwritten */ - dir = p11_save_open_directory (subdir, 0); - ret = p11_save_write_and_finish (p11_save_open_file_in (dir, "file", ".txt"), "", 0) && - p11_save_write_and_finish (p11_save_open_file_in (dir, "another-file", NULL), "", 0) && - p11_save_write_and_finish (p11_save_open_file_in (dir, "third-file", NULL), "", 0) && - p11_save_finish_directory (dir, true); - assert (ret && dir); - - /* Now the actual test, using the same directory */ - dir = p11_save_open_directory (subdir, P11_SAVE_OVERWRITE); - assert_ptr_not_null (dir); - - file = p11_save_open_file_in (dir, "blah", ".cer"); - assert_ptr_not_null (file); - ret = p11_save_write (file, test_cacert3_ca_der, sizeof (test_cacert3_ca_der)); - assert_num_eq (true, ret); - ret = p11_save_finish_file (file, &path, true); - assert_num_eq (true, ret); - if (asprintf (&check, "%s/%s", subdir, "blah.cer") < 0) - assert_not_reached (); - assert_str_eq (check, path); - free (check); - free (path); - - file = p11_save_open_file_in (dir, "file", ".txt"); - assert_ptr_not_null (file); - ret = p11_save_write (file, test_text, strlen (test_text)); - assert_num_eq (true, ret); - ret = p11_save_finish_file (file, &path, true); - assert_num_eq (true, ret); - if (asprintf (&check, "%s/%s", subdir, "file.txt") < 0) - assert_not_reached (); - assert_str_eq (check, path); - free (check); - free (path); - - file = p11_save_open_file_in (dir, "file", ".txt"); - assert_ptr_not_null (file); - ret = p11_save_write (file, test_text, 10); - assert_num_eq (true, ret); - ret = p11_save_finish_file (file, &path, true); - assert_num_eq (true, ret); - if (asprintf (&check, "%s/%s", subdir, "file.1.txt") < 0) - assert_not_reached (); - assert_str_eq (check, path); - free (check); - free (path); - - ret = p11_save_finish_directory (dir, true); - assert_num_eq (true, ret); - - test_check_directory (subdir, ("blah.cer", "file.txt", "file.1.txt", NULL)); - test_check_data (subdir, "blah.cer", test_cacert3_ca_der, sizeof (test_cacert3_ca_der)); - test_check_data (subdir, "file.txt", test_text, strlen (test_text)); - test_check_data (subdir, "file.1.txt", test_text, 10); - - assert (rmdir (subdir) >= 0); - free (subdir); -} - -int -main (int argc, - char *argv[]) -{ - p11_fixture (setup, teardown); - p11_test (test_file_write, "/save/test_file_write"); - p11_test (test_file_exists, "/save/test_file_exists"); - p11_test (test_file_bad_directory, "/save/test_file_bad_directory"); - p11_test (test_file_overwrite, "/save/test_file_overwrite"); - p11_test (test_file_unique, "/save/file-unique"); - p11_test (test_file_auto_empty, "/save/test_file_auto_empty"); - p11_test (test_file_auto_length, "/save/test_file_auto_length"); - - p11_fixture (NULL, NULL); - p11_test (test_write_with_null, "/save/test_write_with_null"); - p11_test (test_write_and_finish_with_null, "/save/test_write_and_finish_with_null"); - - p11_fixture (setup, teardown); - p11_test (test_file_abort, "/save/test_file_abort"); - - p11_test (test_directory_empty, "/save/test_directory_empty"); - p11_test (test_directory_files, "/save/test_directory_files"); - p11_test (test_directory_dups, "/save/test_directory_dups"); - p11_test (test_directory_exists, "/save/test_directory_exists"); - p11_test (test_directory_overwrite, "/save/test_directory_overwrite"); - return p11_test_run (argc, argv); -} diff --git a/trust/test-token.c b/trust/test-token.c deleted file mode 100644 index d4c89ce..0000000 --- a/trust/test-token.c +++ /dev/null @@ -1,793 +0,0 @@ -/* - * Copyright (c) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@gnome.org> - */ - -#include "config.h" -#include "test.h" -#include "test-trust.h" - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> - -#include "attrs.h" -#include "debug.h" -#include "parser.h" -#include "path.h" -#include "pkcs11x.h" -#include "message.h" -#include "token.h" - -static CK_OBJECT_CLASS certificate = CKO_CERTIFICATE; -static CK_OBJECT_CLASS data = CKO_DATA; -static CK_BBOOL falsev = CK_FALSE; -static CK_BBOOL truev = CK_TRUE; - -struct { - p11_token *token; - p11_index *index; - p11_parser *parser; - char *directory; -} test; - -static void -setup (void *path) -{ - test.token = p11_token_new (333, path, "Label"); - assert_ptr_not_null (test.token); - - test.index = p11_token_index (test.token); - assert_ptr_not_null (test.token); - - test.parser = p11_token_parser (test.token); - assert_ptr_not_null (test.parser); -} - -static void -setup_temp (void *unused) -{ - test.directory = p11_test_directory ("test-module"); - setup (test.directory); -} - -static void -teardown (void *path) -{ - p11_token_free (test.token); - memset (&test, 0, sizeof (test)); -} - -static void -teardown_temp (void *unused) -{ - p11_test_directory_delete (test.directory); - teardown (test.directory); - free (test.directory); -} - -static void -test_token_load (void *path) -{ - p11_index *index; - int count; - - count = p11_token_load (test.token); - assert_num_eq (6, count); - - /* A certificate and trust object for each parsed object */ - index = p11_token_index (test.token); - assert (((count - 1) * 2) + 1 <= p11_index_size (index)); -} - -static void -test_token_flags (void *path) -{ - /* - * blacklist comes from the input/distrust.pem file. It is not in the blacklist - * directory, but is an OpenSSL trusted certificate file, and is marked - * in the blacklist style for OpenSSL. - */ - - CK_ATTRIBUTE blacklist[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_LABEL, "Red Hat Is the CA", 17 }, - { CKA_SERIAL_NUMBER, "\x02\x01\x01", 3 }, - { CKA_TRUSTED, &falsev, sizeof (falsev) }, - { CKA_X_DISTRUSTED, &truev, sizeof (truev) }, - { CKA_INVALID }, - }; - - /* - * blacklist2 comes from the input/blacklist/self-server.der file. It is - * explicitly put on the blacklist, even though it containts no trust - * policy information. - */ - - const unsigned char self_server_subject[] = { - 0x30, 0x4b, 0x31, 0x13, 0x30, 0x11, 0x06, 0x0a, 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, - 0x01, 0x19, 0x16, 0x03, 0x43, 0x4f, 0x4d, 0x31, 0x17, 0x30, 0x15, 0x06, 0x0a, 0x09, 0x92, 0x26, - 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x07, 0x45, 0x58, 0x41, 0x4d, 0x50, 0x4c, 0x45, - 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x12, 0x73, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, - }; - - CK_ATTRIBUTE blacklist2[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_SUBJECT, (void *)self_server_subject, sizeof (self_server_subject) }, - { CKA_TRUSTED, &falsev, sizeof (falsev) }, - { CKA_X_DISTRUSTED, &truev, sizeof (truev) }, - { CKA_INVALID }, - }; - - /* - * anchor comes from the input/anchors/cacert3.der file. It is - * explicitly marked as an anchor, even though it containts no trust - * policy information. - */ - - CK_ATTRIBUTE anchor[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_TRUSTED, &truev, sizeof (truev) }, - { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, - { CKA_INVALID }, - }; - - const unsigned char cacert_root_subject[] = { - 0x30, 0x79, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x07, 0x52, 0x6f, 0x6f, - 0x74, 0x20, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, 0x68, - 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x63, 0x61, 0x63, 0x65, 0x72, 0x74, - 0x2e, 0x6f, 0x72, 0x67, 0x31, 0x22, 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x19, 0x43, - 0x41, 0x20, 0x43, 0x65, 0x72, 0x74, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x41, - 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x73, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, - 0x40, 0x63, 0x61, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, 0x67, - }; - - /* - * notrust comes from the input/cacert-ca.der file. It contains no - * trust information, and is not explicitly marked as an anchor, so - * it's neither trusted or distrusted. - */ - - CK_ATTRIBUTE notrust[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_SUBJECT, (void *)cacert_root_subject, sizeof (cacert_root_subject) }, - { CKA_TRUSTED, &falsev, sizeof (falsev) }, - { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *expected[] = { - anchor, - blacklist, - blacklist2, - notrust, - NULL, - }; - - CK_OBJECT_HANDLE handle; - CK_ATTRIBUTE *object; - int i; - - if (p11_token_load (test.token) < 0) - assert_not_reached (); - - /* The other objects */ - for (i = 0; expected[i]; i++) { - handle = p11_index_find (p11_token_index (test.token), expected[i], 2); - assert (handle != 0); - - object = p11_index_lookup (p11_token_index (test.token), handle); - assert_ptr_not_null (object); - - test_check_attrs (expected[i], object); - } -} - -static void -test_token_path (void *path) -{ - assert_str_eq (path, p11_token_get_path (test.token)); -} - -static void -test_token_label (void *path) -{ - assert_str_eq ("Label", p11_token_get_label (test.token)); -} - -static void -test_token_slot (void *path) -{ - assert_num_eq (333, p11_token_get_slot (test.token)); -} - -static void -test_not_writable (void) -{ - p11_token *token; - -#ifdef OS_UNIX - if (getuid () != 0) { -#endif - token = p11_token_new (333, "/", "Label"); - assert (!p11_token_is_writable (token)); - p11_token_free (token); -#ifdef OS_UNIX - } -#endif - - token = p11_token_new (333, "", "Label"); - assert (!p11_token_is_writable (token)); - p11_token_free (token); - - token = p11_token_new (333, "/non-existant", "Label"); - assert (!p11_token_is_writable (token)); - p11_token_free (token); -} - -static void -test_writable_exists (void) -{ - /* A writable directory since we created it */ - assert (p11_token_is_writable (test.token)); -} - -static void -test_writable_no_exist (void) -{ - char *directory; - p11_token *token; - char *path; - - directory = p11_test_directory ("test-module"); - - path = p11_path_build (directory, "subdir", NULL); - assert (path != NULL); - - token = p11_token_new (333, path, "Label"); - free (path); - - /* A writable directory since parent is writable */ - assert (p11_token_is_writable (token)); - - p11_token_free (token); - - if (rmdir (directory) < 0) - assert_not_reached (); - - free (directory); -} - -static void -test_load_already (void) -{ - CK_ATTRIBUTE cert[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_INVALID }, - }; - - CK_OBJECT_HANDLE handle; - int ret; - - p11_test_file_write (test.directory, "test.cer", test_cacert3_ca_der, - sizeof (test_cacert3_ca_der)); - - ret = p11_token_load (test.token); - assert_num_eq (ret, 1); - handle = p11_index_find (test.index, cert, -1); - assert (handle != 0); - - /* Have to wait to make sure changes are detected */ - p11_sleep_ms (1100); - - ret = p11_token_load (test.token); - assert_num_eq (ret, 0); - assert_num_eq (p11_index_find (test.index, cert, -1), handle); -} - -static void -test_load_unreadable (void) -{ - CK_ATTRIBUTE cert[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_INVALID }, - }; - - int ret; - - p11_test_file_write (test.directory, "test.cer", test_cacert3_ca_der, - sizeof (test_cacert3_ca_der)); - - ret = p11_token_load (test.token); - assert_num_eq (ret, 1); - assert (p11_index_find (test.index, cert, -1) != 0); - - p11_test_file_write (test.directory, "test.cer", "", 0); - - /* Have to wait to make sure changes are detected */ - p11_sleep_ms (1100); - - ret = p11_token_load (test.token); - assert_num_eq (ret, 0); - assert (p11_index_find (test.index, cert, -1) == 0); -} - -static void -test_load_gone (void) -{ - CK_ATTRIBUTE cert[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_INVALID }, - }; - - int ret; - - p11_test_file_write (test.directory, "test.cer", test_cacert3_ca_der, - sizeof (test_cacert3_ca_der)); - - ret = p11_token_load (test.token); - assert_num_eq (ret, 1); - assert (p11_index_find (test.index, cert, -1) != 0); - - p11_test_file_delete (test.directory, "test.cer"); - - /* Have to wait to make sure changes are detected */ - p11_sleep_ms (1100); - - ret = p11_token_load (test.token); - assert_num_eq (ret, 0); - assert (p11_index_find (test.index, cert, -1) == 0); -} - -static void -test_load_found (void) -{ - CK_ATTRIBUTE cert[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_INVALID }, - }; - - int ret; - - ret = p11_token_load (test.token); - assert_num_eq (ret, 0); - assert (p11_index_find (test.index, cert, -1) == 0); - - /* Have to wait to make sure changes are detected */ - p11_sleep_ms (1100); - - p11_test_file_write (test.directory, "test.cer", test_cacert3_ca_der, - sizeof (test_cacert3_ca_der)); - - ret = p11_token_load (test.token); - assert_num_eq (ret, 1); - assert (p11_index_find (test.index, cert, -1) != 0); -} - -static void -test_reload_changed (void) -{ - CK_ATTRIBUTE cacert3[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE verisign[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_VALUE, (void *)verisign_v1_ca, sizeof (verisign_v1_ca) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_OBJECT_HANDLE handle; - int ret; - - /* Just one file */ - p11_test_file_write (test.directory, "test.cer", test_cacert3_ca_der, - sizeof (test_cacert3_ca_der)); - - ret = p11_token_load (test.token); - assert_num_eq (ret, 1); - handle = p11_index_find (test.index, cacert3, -1); - assert (handle != 0); - - /* Replace the file with verisign */ - p11_test_file_write (test.directory, "test.cer", verisign_v1_ca, - sizeof (verisign_v1_ca)); - - /* Add another file with cacert3, but not reloaded */ - p11_test_file_write (test.directory, "another.cer", test_cacert3_ca_der, - sizeof (test_cacert3_ca_der)); - - attrs = p11_index_lookup (test.index, handle); - assert_ptr_not_null (attrs); - if (!p11_token_reload (test.token, attrs)) - assert_not_reached (); - - assert (p11_index_find (test.index, cacert3, -1) == 0); - assert (p11_index_find (test.index, verisign, -1) != 0); -} - -static void -test_reload_gone (void) -{ - CK_ATTRIBUTE cacert3[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE verisign[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_VALUE, (void *)verisign_v1_ca, sizeof (verisign_v1_ca) }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE *attrs; - CK_OBJECT_HANDLE handle; - int ret; - - /* Just one file */ - p11_test_file_write (test.directory, "cacert3.cer", test_cacert3_ca_der, - sizeof (test_cacert3_ca_der)); - p11_test_file_write (test.directory, "verisign.cer", verisign_v1_ca, - sizeof (verisign_v1_ca)); - - ret = p11_token_load (test.token); - assert_num_eq (ret, 2); - handle = p11_index_find (test.index, cacert3, -1); - assert (handle != 0); - assert (p11_index_find (test.index, verisign, -1) != 0); - - p11_test_file_delete (test.directory, "cacert3.cer"); - p11_test_file_delete (test.directory, "verisign.cer"); - - attrs = p11_index_lookup (test.index, handle); - assert_ptr_not_null (attrs); - if (p11_token_reload (test.token, attrs)) - assert_not_reached (); - - assert (p11_index_find (test.index, cacert3, -1) == 0); - assert (p11_index_find (test.index, verisign, -1) != 0); -} - -static void -test_reload_no_origin (void) -{ - CK_ATTRIBUTE cacert3[] = { - { CKA_CLASS, &certificate, sizeof (certificate) }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_INVALID }, - }; - - if (p11_token_reload (test.token, cacert3)) - assert_not_reached (); -} - -static void -test_write_new (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "Yay!", 4 }, - { CKA_VALUE, "eight", 5 }, - { CKA_TOKEN, &truev, sizeof (truev) }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE expected[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "Yay!", 4 }, - { CKA_VALUE, "eight", 5 }, - { CKA_APPLICATION, "", 0 }, - { CKA_OBJECT_ID, "", 0 }, - { CKA_INVALID } - }; - - CK_OBJECT_HANDLE handle; - p11_array *parsed; - char *path; - CK_RV rv; - int ret; - - rv = p11_index_add (test.index, original, 4, &handle); - assert_num_eq (rv, CKR_OK); - - /* The expected file name */ - path = p11_path_build (test.directory, "Yay_.p11-kit", NULL); - ret = p11_parse_file (test.parser, path, NULL, 0); - assert_num_eq (ret, P11_PARSE_SUCCESS); - free (path); - - parsed = p11_parser_parsed (test.parser); - assert_num_eq (parsed->num, 1); - - test_check_attrs (expected, parsed->elem[0]); -} - -static void -test_write_no_label (void) -{ - CK_ATTRIBUTE original[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_VALUE, "eight", 5 }, - { CKA_TOKEN, &truev, sizeof (truev) }, - { CKA_INVALID } - }; - - CK_ATTRIBUTE expected[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "", 0 }, - { CKA_VALUE, "eight", 5 }, - { CKA_APPLICATION, "", 0 }, - { CKA_OBJECT_ID, "", 0 }, - { CKA_INVALID } - }; - - CK_OBJECT_HANDLE handle; - p11_array *parsed; - char *path; - CK_RV rv; - int ret; - - rv = p11_index_add (test.index, original, 4, &handle); - assert_num_eq (rv, CKR_OK); - - /* The expected file name */ - path = p11_path_build (test.directory, "data.p11-kit", NULL); - ret = p11_parse_file (test.parser, path, NULL, 0); - assert_num_eq (ret, P11_PARSE_SUCCESS); - free (path); - - parsed = p11_parser_parsed (test.parser); - assert_num_eq (parsed->num, 1); - - test_check_attrs (expected, parsed->elem[0]); -} - -static void -test_modify_multiple (void) -{ - const char *test_data = - "[p11-kit-object-v1]\n" - "class: data\n" - "label: \"first\"\n" - "value: \"1\"\n" - "\n" - "[p11-kit-object-v1]\n" - "class: data\n" - "label: \"second\"\n" - "value: \"2\"\n" - "\n" - "[p11-kit-object-v1]\n" - "class: data\n" - "label: \"third\"\n" - "value: \"3\"\n"; - - CK_ATTRIBUTE first[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "first", 5 }, - { CKA_VALUE, "1", 1 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE second[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "zwei", 4 }, - { CKA_VALUE, "2", 2 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE third[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "third", 5 }, - { CKA_VALUE, "3", 1 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE match = { CKA_LABEL, "second", 6 }; - - CK_OBJECT_HANDLE handle; - p11_array *parsed; - char *path; - int ret; - CK_RV rv; - - p11_test_file_write (test.directory, "Test.p11-kit", test_data, strlen (test_data)); - - /* Reload now that we have this new file */ - p11_token_load (test.token); - - handle = p11_index_find (test.index, &match, 1); - - rv = p11_index_update (test.index, handle, p11_attrs_dup (second)); - assert_num_eq (rv, CKR_OK); - - /* Now read in the file and make sure it has all the objects */ - path = p11_path_build (test.directory, "Test.p11-kit", NULL); - ret = p11_parse_file (test.parser, path, NULL, 0); - assert_num_eq (ret, P11_PARSE_SUCCESS); - free (path); - - parsed = p11_parser_parsed (test.parser); - assert_num_eq (parsed->num, 3); - - /* The modified one will be first */ - test_check_attrs (second, parsed->elem[0]); - test_check_attrs (first, parsed->elem[1]); - test_check_attrs (third, parsed->elem[2]); -} - -static void -test_remove_one (void) -{ - const char *test_data = - "[p11-kit-object-v1]\n" - "class: data\n" - "label: \"first\"\n" - "value: \"1\"\n" - "\n"; - - CK_ATTRIBUTE match = { CKA_LABEL, "first", 5 }; - - CK_OBJECT_HANDLE handle; - CK_RV rv; - - p11_test_file_write (test.directory, "Test.p11-kit", test_data, strlen (test_data)); - test_check_directory (test.directory, ("Test.p11-kit", NULL)); - - /* Reload now that we have this new file */ - p11_token_load (test.token); - - handle = p11_index_find (test.index, &match, 1); - assert_num_cmp (handle, !=, 0); - - rv = p11_index_remove (test.index, handle); - assert_num_eq (rv, CKR_OK); - - /* No other files in the test directory, all files gone */ - test_check_directory (test.directory, (NULL, NULL)); -} - -static void -test_remove_multiple (void) -{ - const char *test_data = - "[p11-kit-object-v1]\n" - "class: data\n" - "label: \"first\"\n" - "value: \"1\"\n" - "\n" - "[p11-kit-object-v1]\n" - "class: data\n" - "label: \"second\"\n" - "value: \"2\"\n" - "\n" - "[p11-kit-object-v1]\n" - "class: data\n" - "label: \"third\"\n" - "value: \"3\"\n"; - - CK_ATTRIBUTE first[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "first", 5 }, - { CKA_VALUE, "1", 1 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE third[] = { - { CKA_CLASS, &data, sizeof (data) }, - { CKA_LABEL, "third", 5 }, - { CKA_VALUE, "3", 1 }, - { CKA_INVALID }, - }; - - CK_ATTRIBUTE match = { CKA_LABEL, "second", 6 }; - - CK_OBJECT_HANDLE handle; - p11_array *parsed; - char *path; - int ret; - CK_RV rv; - - p11_test_file_write (test.directory, "Test.p11-kit", test_data, strlen (test_data)); - - /* Reload now that we have this new file */ - p11_token_load (test.token); - - handle = p11_index_find (test.index, &match, 1); - assert_num_cmp (handle, !=, 0); - - rv = p11_index_remove (test.index, handle); - assert_num_eq (rv, CKR_OK); - - /* Now read in the file and make sure it has all the objects */ - path = p11_path_build (test.directory, "Test.p11-kit", NULL); - ret = p11_parse_file (test.parser, path, NULL, 0); - assert_num_eq (ret, P11_PARSE_SUCCESS); - free (path); - - parsed = p11_parser_parsed (test.parser); - assert_num_eq (parsed->num, 2); - - /* The modified one will be first */ - test_check_attrs (first, parsed->elem[0]); - test_check_attrs (third, parsed->elem[1]); -} - -int -main (int argc, - char *argv[]) -{ - p11_fixture (setup, teardown); - p11_testx (test_token_load, SRCDIR "/trust/input", "/token/load"); - p11_testx (test_token_flags, SRCDIR "/trust/input", "/token/flags"); - p11_testx (test_token_path, "/wheee", "/token/path"); - p11_testx (test_token_label, "/wheee", "/token/label"); - p11_testx (test_token_slot, "/unneeded", "/token/slot"); - - p11_fixture (NULL, NULL); - p11_test (test_not_writable, "/token/not-writable"); - p11_test (test_writable_no_exist, "/token/writable-no-exist"); - - p11_fixture (setup_temp, teardown_temp); - p11_test (test_writable_exists, "/token/writable-exists"); - p11_test (test_load_found, "/token/load-found"); - p11_test (test_load_already, "/token/load-already"); - p11_test (test_load_unreadable, "/token/load-unreadable"); - p11_test (test_load_gone, "/token/load-gone"); - p11_test (test_reload_changed, "/token/reload-changed"); - p11_test (test_reload_gone, "/token/reload-gone"); - p11_test (test_reload_no_origin, "/token/reload-no-origin"); - p11_test (test_write_new, "/token/write-new"); - p11_test (test_write_no_label, "/token/write-no-label"); - p11_test (test_modify_multiple, "/token/modify-multiple"); - p11_test (test_remove_one, "/token/remove-one"); - p11_test (test_remove_multiple, "/token/remove-multiple"); - - return p11_test_run (argc, argv); -} diff --git a/trust/test-trust.c b/trust/test-trust.c deleted file mode 100644 index 802007d..0000000 --- a/trust/test-trust.c +++ /dev/null @@ -1,333 +0,0 @@ -/* - * Copyright (c) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@gnome.org> - */ - -#include "config.h" - -#include "attrs.h" -#include "debug.h" -#include "message.h" -#include "path.h" -#include "test.h" - -#include "test-trust.h" - -#include <sys/stat.h> - -#include <assert.h> -#include <dirent.h> -#include <errno.h> -#include <fcntl.h> -#include <stdarg.h> -#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#include <unistd.h> - -#ifdef OS_UNIX -#include <paths.h> -#endif - -void -test_check_object_msg (const char *file, - int line, - const char *function, - CK_ATTRIBUTE *attrs, - CK_OBJECT_CLASS klass, - const char *label) -{ - CK_BBOOL vfalse = CK_FALSE; - - CK_ATTRIBUTE expected[] = { - { CKA_PRIVATE, &vfalse, sizeof (vfalse) }, - { CKA_CLASS, &klass, sizeof (klass) }, - { label ? CKA_LABEL : CKA_INVALID, (void *)label, label ? strlen (label) : 0 }, - { CKA_INVALID }, - }; - - test_check_attrs_msg (file, line, function, expected, attrs); -} - -void -test_check_cacert3_ca_msg (const char *file, - int line, - const char *function, - CK_ATTRIBUTE *attrs, - const char *label) -{ - CK_CERTIFICATE_TYPE x509 = CKC_X_509; - CK_ULONG category = 2; /* authority */ - - CK_ATTRIBUTE expected[] = { - { CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) }, - { CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) }, - { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) }, - { CKA_CHECK_VALUE, "\xad\x7c\x3f", 3 }, - { CKA_START_DATE, "20110523", 8 }, - { CKA_END_DATE, "20210520", 8, }, - { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, - { CKA_ISSUER, (void *)test_cacert3_ca_issuer, sizeof (test_cacert3_ca_issuer) }, - { CKA_SERIAL_NUMBER, (void *)test_cacert3_ca_serial, sizeof (test_cacert3_ca_serial) }, - { CKA_INVALID }, - }; - - test_check_object_msg (file, line, function, attrs, CKO_CERTIFICATE, label); - test_check_attrs_msg (file, line, function, expected, attrs); -} - -void -test_check_id_msg (const char *file, - int line, - const char *function, - CK_ATTRIBUTE *expected, - CK_ATTRIBUTE *attr) -{ - CK_ATTRIBUTE *one; - CK_ATTRIBUTE *two; - - one = p11_attrs_find (expected, CKA_ID); - two = p11_attrs_find (attr, CKA_ID); - - test_check_attr_msg (file, line, function, CKA_INVALID, one, two); -} - -void -test_check_attrs_msg (const char *file, - int line, - const char *function, - CK_ATTRIBUTE *expected, - CK_ATTRIBUTE *attrs) -{ - CK_OBJECT_CLASS klass; - CK_ATTRIBUTE *attr; - - assert (expected != NULL); - - if (!p11_attrs_find_ulong (expected, CKA_CLASS, &klass)) - klass = CKA_INVALID; - - while (!p11_attrs_terminator (expected)) { - attr = p11_attrs_find (attrs, expected->type); - test_check_attr_msg (file, line, function, klass, expected, attr); - expected++; - } -} - -void -test_check_attr_msg (const char *file, - int line, - const char *function, - CK_OBJECT_CLASS klass, - CK_ATTRIBUTE *expected, - CK_ATTRIBUTE *attr) -{ - assert (expected != NULL); - - if (attr == NULL) { - p11_test_fail (file, line, function, - "attribute does not match: (expected %s but found NULL)", - p11_attr_to_string (expected, klass)); - } - - if (!p11_attr_equal (attr, expected)) { - p11_test_fail (file, line, function, - "attribute does not match: (expected %s but found %s)", - p11_attr_to_string (expected, klass), - attr ? p11_attr_to_string (attr, klass) : "(null)"); - } -} - -static char * -read_file (const char *file, - int line, - const char *function, - const char *filename, - long *len) -{ - struct stat sb; - FILE *f = NULL; - char *data; - - f = fopen (filename, "rb"); - if (f == NULL) - p11_test_fail (file, line, function, "Couldn't open file: %s", filename); - - /* Figure out size */ - if (stat (filename, &sb) < 0) - p11_test_fail (file, line, function, "Couldn't stat file: %s", filename); - - *len = sb.st_size; - data = malloc (*len ? *len : 1); - assert (data != NULL); - - /* And read in one block */ - if (fread (data, 1, *len, f) != *len) - p11_test_fail (file, line, function, "Couldn't read file: %s", filename); - - fclose (f); - - return data; -} - -void -test_check_file_msg (const char *file, - int line, - const char *function, - const char *directory, - const char *name, - const char *reference) -{ - char *refdata; - long reflen; - - refdata = read_file (file, line, function, reference, &reflen); - test_check_data_msg (file, line, function, directory, name, refdata, reflen); - free (refdata); -} - -void -test_check_data_msg (const char *file, - int line, - const char *function, - const char *directory, - const char *name, - const void *refdata, - long reflen) -{ - char *filedata; - char *filename; - long filelen; - - if (asprintf (&filename, "%s/%s", directory, name) < 0) - assert_not_reached (); - - filedata = read_file (file, line, function, filename, &filelen); - - if (filelen != reflen || memcmp (filedata, refdata, reflen) != 0) - p11_test_fail (file, line, function, "File contents not as expected: %s", filename); - - if (unlink (filename) < 0) - p11_test_fail (file, line, function, "Couldn't remove file: %s", filename); - free (filename); - free (filedata); -} - -#ifdef OS_UNIX - -void -test_check_symlink_msg (const char *file, - int line, - const char *function, - const char *directory, - const char *name, - const char *destination) -{ - char buf[1024] = { 0, }; - char *filename; - - if (asprintf (&filename, "%s/%s", directory, name) < 0) - assert_not_reached (); - - if (readlink (filename, buf, sizeof (buf)) < 0) - p11_test_fail (file, line, function, "Couldn't read symlink: %s", filename); - - if (strcmp (destination, buf) != 0) - p11_test_fail (file, line, function, "Symlink contents wrong: %s != %s", destination, buf); - - if (unlink (filename) < 0) - p11_test_fail (file, line, function, "Couldn't remove symlink: %s", filename); - free (filename); -} - -#endif /* OS_UNIX */ - -p11_dict * -test_check_directory_files (const char *file, - ...) -{ - p11_dict *files; - va_list va; - - files = p11_dict_new (p11_dict_str_hash, p11_dict_str_equal, NULL, NULL); - - va_start (va, file); - - while (file != NULL) { - if (!p11_dict_set (files, (void *)file, (void *)file)) - return_val_if_reached (NULL); - file = va_arg (va, const char *); - } - - va_end (va); - - return files; -} - -void -test_check_directory_msg (const char *file, - int line, - const char *function, - const char *directory, - p11_dict *files) -{ - p11_dictiter iter; - struct dirent *dp; - const char *name; - DIR *dir; - - dir = opendir (directory); - if (dir == NULL) - p11_test_fail (file ,line, function, "Couldn't open directory: %s", directory); - - while ((dp = readdir (dir)) != NULL) { - if (strcmp (dp->d_name, ".") == 0 || - strcmp (dp->d_name, "..") == 0) - continue; - - if (!p11_dict_remove (files, dp->d_name)) - p11_test_fail (file, line, function, "Unexpected file in directory: %s", dp->d_name); - } - - closedir (dir); - -#ifdef OS_UNIX - if (chmod (directory, S_IRWXU) < 0) - p11_test_fail (file, line, function, "couldn't chown directory: %s: %s", directory, strerror (errno)); -#endif - - p11_dict_iterate (files, &iter); - while (p11_dict_next (&iter, (void **)&name, NULL)) - p11_test_fail (file, line, function, "Couldn't find file in directory: %s", name); - - p11_dict_free (files); -} diff --git a/trust/test-trust.h b/trust/test-trust.h deleted file mode 100644 index 81c779c..0000000 --- a/trust/test-trust.h +++ /dev/null @@ -1,431 +0,0 @@ -/* - * Copyright (c) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@gnome.org> - */ - -#include "dict.h" -#include "pkcs11.h" -#include "test.h" - -#include <sys/types.h> -#include <stdlib.h> - -#ifndef TEST_DATA_H_ -#define TEST_DATA_H_ - -#define test_check_object(attrs, klass, label) \ - test_check_object_msg (__FILE__, __LINE__, __FUNCTION__, attrs, klass, label) - -void test_check_object_msg (const char *file, - int line, - const char *function, - CK_ATTRIBUTE *attrs, - CK_OBJECT_CLASS klass, - const char *label); - -#define test_check_cacert3_ca(attrs, label) \ - test_check_cacert3_ca_msg (__FILE__, __LINE__, __FUNCTION__, attrs, label) - -void test_check_cacert3_ca_msg (const char *file, - int line, - const char *function, - CK_ATTRIBUTE *attrs, - const char *label); - -#define test_check_attrs(expected, attrs) \ - test_check_attrs_msg (__FILE__, __LINE__, __FUNCTION__, expected, attrs) - -void test_check_attrs_msg (const char *file, - int line, - const char *function, - CK_ATTRIBUTE *expected, - CK_ATTRIBUTE *attrs); - -#define test_check_attr(expected, attr) \ - test_check_attr_msg (__FILE__, __LINE__, __FUNCTION__, CKA_INVALID, expected, attr) - -void test_check_attr_msg (const char *file, - int line, - const char *function, - CK_OBJECT_CLASS klass, - CK_ATTRIBUTE *expected, - CK_ATTRIBUTE *attr); - -#define test_check_id(expected, attrs) \ - test_check_id_msg (__FILE__, __LINE__, __FUNCTION__, expected, attrs) - -void test_check_id_msg (const char *file, - int line, - const char *function, - CK_ATTRIBUTE *expected, - CK_ATTRIBUTE *attr); - -static const unsigned char test_cacert3_ca_der[] = { - 0x30, 0x82, 0x07, 0x59, 0x30, 0x82, 0x05, 0x41, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x03, 0x0a, - 0x41, 0x8a, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, - 0x00, 0x30, 0x79, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x07, 0x52, 0x6f, - 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, - 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x63, 0x61, 0x63, 0x65, 0x72, - 0x74, 0x2e, 0x6f, 0x72, 0x67, 0x31, 0x22, 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x19, - 0x43, 0x41, 0x20, 0x43, 0x65, 0x72, 0x74, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, - 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x73, 0x75, 0x70, 0x70, 0x6f, 0x72, - 0x74, 0x40, 0x63, 0x61, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, 0x67, 0x30, 0x1e, 0x17, 0x0d, - 0x31, 0x31, 0x30, 0x35, 0x32, 0x33, 0x31, 0x37, 0x34, 0x38, 0x30, 0x32, 0x5a, 0x17, 0x0d, 0x32, - 0x31, 0x30, 0x35, 0x32, 0x30, 0x31, 0x37, 0x34, 0x38, 0x30, 0x32, 0x5a, 0x30, 0x54, 0x31, 0x14, - 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b, 0x43, 0x41, 0x63, 0x65, 0x72, 0x74, 0x20, - 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, 0x68, - 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x43, 0x41, 0x63, 0x65, 0x72, 0x74, - 0x2e, 0x6f, 0x72, 0x67, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x13, 0x43, - 0x41, 0x63, 0x65, 0x72, 0x74, 0x20, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x20, 0x33, 0x20, 0x52, 0x6f, - 0x6f, 0x74, 0x30, 0x82, 0x02, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0f, 0x00, 0x30, 0x82, 0x02, 0x0a, 0x02, 0x82, - 0x02, 0x01, 0x00, 0xab, 0x49, 0x35, 0x11, 0x48, 0x7c, 0xd2, 0x26, 0x7e, 0x53, 0x94, 0xcf, 0x43, - 0xa9, 0xdd, 0x28, 0xd7, 0x42, 0x2a, 0x8b, 0xf3, 0x87, 0x78, 0x19, 0x58, 0x7c, 0x0f, 0x9e, 0xda, - 0x89, 0x7d, 0xe1, 0xfb, 0xeb, 0x72, 0x90, 0x0d, 0x74, 0xa1, 0x96, 0x64, 0xab, 0x9f, 0xa0, 0x24, - 0x99, 0x73, 0xda, 0xe2, 0x55, 0x76, 0xc7, 0x17, 0x7b, 0xf5, 0x04, 0xac, 0x46, 0xb8, 0xc3, 0xbe, - 0x7f, 0x64, 0x8d, 0x10, 0x6c, 0x24, 0xf3, 0x61, 0x9c, 0xc0, 0xf2, 0x90, 0xfa, 0x51, 0xe6, 0xf5, - 0x69, 0x01, 0x63, 0xc3, 0x0f, 0x56, 0xe2, 0x4a, 0x42, 0xcf, 0xe2, 0x44, 0x8c, 0x25, 0x28, 0xa8, - 0xc5, 0x79, 0x09, 0x7d, 0x46, 0xb9, 0x8a, 0xf3, 0xe9, 0xf3, 0x34, 0x29, 0x08, 0x45, 0xe4, 0x1c, - 0x9f, 0xcb, 0x94, 0x04, 0x1c, 0x81, 0xa8, 0x14, 0xb3, 0x98, 0x65, 0xc4, 0x43, 0xec, 0x4e, 0x82, - 0x8d, 0x09, 0xd1, 0xbd, 0xaa, 0x5b, 0x8d, 0x92, 0xd0, 0xec, 0xde, 0x90, 0xc5, 0x7f, 0x0a, 0xc2, - 0xe3, 0xeb, 0xe6, 0x31, 0x5a, 0x5e, 0x74, 0x3e, 0x97, 0x33, 0x59, 0xe8, 0xc3, 0x03, 0x3d, 0x60, - 0x33, 0xbf, 0xf7, 0xd1, 0x6f, 0x47, 0xc4, 0xcd, 0xee, 0x62, 0x83, 0x52, 0x6e, 0x2e, 0x08, 0x9a, - 0xa4, 0xd9, 0x15, 0x18, 0x91, 0xa6, 0x85, 0x92, 0x47, 0xb0, 0xae, 0x48, 0xeb, 0x6d, 0xb7, 0x21, - 0xec, 0x85, 0x1a, 0x68, 0x72, 0x35, 0xab, 0xff, 0xf0, 0x10, 0x5d, 0xc0, 0xf4, 0x94, 0xa7, 0x6a, - 0xd5, 0x3b, 0x92, 0x7e, 0x4c, 0x90, 0x05, 0x7e, 0x93, 0xc1, 0x2c, 0x8b, 0xa4, 0x8e, 0x62, 0x74, - 0x15, 0x71, 0x6e, 0x0b, 0x71, 0x03, 0xea, 0xaf, 0x15, 0x38, 0x9a, 0xd4, 0xd2, 0x05, 0x72, 0x6f, - 0x8c, 0xf9, 0x2b, 0xeb, 0x5a, 0x72, 0x25, 0xf9, 0x39, 0x46, 0xe3, 0x72, 0x1b, 0x3e, 0x04, 0xc3, - 0x64, 0x27, 0x22, 0x10, 0x2a, 0x8a, 0x4f, 0x58, 0xa7, 0x03, 0xad, 0xbe, 0xb4, 0x2e, 0x13, 0xed, - 0x5d, 0xaa, 0x48, 0xd7, 0xd5, 0x7d, 0xd4, 0x2a, 0x7b, 0x5c, 0xfa, 0x46, 0x04, 0x50, 0xe4, 0xcc, - 0x0e, 0x42, 0x5b, 0x8c, 0xed, 0xdb, 0xf2, 0xcf, 0xfc, 0x96, 0x93, 0xe0, 0xdb, 0x11, 0x36, 0x54, - 0x62, 0x34, 0x38, 0x8f, 0x0c, 0x60, 0x9b, 0x3b, 0x97, 0x56, 0x38, 0xad, 0xf3, 0xd2, 0x5b, 0x8b, - 0xa0, 0x5b, 0xea, 0x4e, 0x96, 0xb8, 0x7c, 0xd7, 0xd5, 0xa0, 0x86, 0x70, 0x40, 0xd3, 0x91, 0x29, - 0xb7, 0xa2, 0x3c, 0xad, 0xf5, 0x8c, 0xbb, 0xcf, 0x1a, 0x92, 0x8a, 0xe4, 0x34, 0x7b, 0xc0, 0xd8, - 0x6c, 0x5f, 0xe9, 0x0a, 0xc2, 0xc3, 0xa7, 0x20, 0x9a, 0x5a, 0xdf, 0x2c, 0x5d, 0x52, 0x5c, 0xba, - 0x47, 0xd5, 0x9b, 0xef, 0x24, 0x28, 0x70, 0x38, 0x20, 0x2f, 0xd5, 0x7f, 0x29, 0xc0, 0xb2, 0x41, - 0x03, 0x68, 0x92, 0xcc, 0xe0, 0x9c, 0xcc, 0x97, 0x4b, 0x45, 0xef, 0x3a, 0x10, 0x0a, 0xab, 0x70, - 0x3a, 0x98, 0x95, 0x70, 0xad, 0x35, 0xb1, 0xea, 0x85, 0x2b, 0xa4, 0x1c, 0x80, 0x21, 0x31, 0xa9, - 0xae, 0x60, 0x7a, 0x80, 0x26, 0x48, 0x00, 0xb8, 0x01, 0xc0, 0x93, 0x63, 0x55, 0x22, 0x91, 0x3c, - 0x56, 0xe7, 0xaf, 0xdb, 0x3a, 0x25, 0xf3, 0x8f, 0x31, 0x54, 0xea, 0x26, 0x8b, 0x81, 0x59, 0xf9, - 0xa1, 0xd1, 0x53, 0x11, 0xc5, 0x7b, 0x9d, 0x03, 0xf6, 0x74, 0x11, 0xe0, 0x6d, 0xb1, 0x2c, 0x3f, - 0x2c, 0x86, 0x91, 0x99, 0x71, 0x9a, 0xa6, 0x77, 0x8b, 0x34, 0x60, 0xd1, 0x14, 0xb4, 0x2c, 0xac, - 0x9d, 0xaf, 0x8c, 0x10, 0xd3, 0x9f, 0xc4, 0x6a, 0xf8, 0x6f, 0x13, 0xfc, 0x73, 0x59, 0xf7, 0x66, - 0x42, 0x74, 0x1e, 0x8a, 0xe3, 0xf8, 0xdc, 0xd2, 0x6f, 0x98, 0x9c, 0xcb, 0x47, 0x98, 0x95, 0x40, - 0x05, 0xfb, 0xe9, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x02, 0x0d, 0x30, 0x82, 0x02, 0x09, - 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x75, 0xa8, 0x71, 0x60, 0x4c, - 0x88, 0x13, 0xf0, 0x78, 0xd9, 0x89, 0x77, 0xb5, 0x6d, 0xc5, 0x89, 0xdf, 0xbc, 0xb1, 0x7a, 0x30, - 0x81, 0xa3, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x81, 0x9b, 0x30, 0x81, 0x98, 0x80, 0x14, 0x16, - 0xb5, 0x32, 0x1b, 0xd4, 0xc7, 0xf3, 0xe0, 0xe6, 0x8e, 0xf3, 0xbd, 0xd2, 0xb0, 0x3a, 0xee, 0xb2, - 0x39, 0x18, 0xd1, 0xa1, 0x7d, 0xa4, 0x7b, 0x30, 0x79, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x13, 0x07, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, - 0x2e, 0x63, 0x61, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, 0x67, 0x31, 0x22, 0x30, 0x20, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x13, 0x19, 0x43, 0x41, 0x20, 0x43, 0x65, 0x72, 0x74, 0x20, 0x53, 0x69, - 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, - 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, - 0x73, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x40, 0x63, 0x61, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, - 0x72, 0x67, 0x82, 0x01, 0x00, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, - 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x5d, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x01, 0x01, 0x04, 0x51, 0x30, 0x4f, 0x30, 0x23, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x30, 0x01, 0x86, 0x17, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, - 0x43, 0x41, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x30, 0x28, 0x06, 0x08, 0x2b, - 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x1c, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, - 0x77, 0x77, 0x77, 0x2e, 0x43, 0x41, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x63, - 0x61, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x4a, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x43, 0x30, 0x41, - 0x30, 0x3f, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x81, 0x90, 0x4a, 0x30, 0x33, 0x30, 0x31, - 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x25, 0x68, 0x74, 0x74, 0x70, - 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x43, 0x41, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, - 0x67, 0x2f, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x2e, 0x70, 0x68, 0x70, 0x3f, 0x69, 0x64, 0x3d, 0x31, - 0x30, 0x30, 0x34, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x08, 0x04, 0x27, - 0x16, 0x25, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x43, 0x41, 0x63, - 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x2e, 0x70, 0x68, - 0x70, 0x3f, 0x69, 0x64, 0x3d, 0x31, 0x30, 0x30, 0x50, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, - 0xf8, 0x42, 0x01, 0x0d, 0x04, 0x43, 0x16, 0x41, 0x54, 0x6f, 0x20, 0x67, 0x65, 0x74, 0x20, 0x79, - 0x6f, 0x75, 0x72, 0x20, 0x6f, 0x77, 0x6e, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x65, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x46, 0x52, 0x45, 0x45, 0x2c, 0x20, 0x67, 0x6f, - 0x20, 0x74, 0x6f, 0x20, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x43, - 0x41, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, 0x67, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, - 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x29, 0x28, 0x85, - 0xae, 0x44, 0xa9, 0xb9, 0xaf, 0xa4, 0x79, 0x13, 0xf0, 0xa8, 0xa3, 0x2b, 0x97, 0x60, 0xf3, 0x5c, - 0xee, 0xe3, 0x2f, 0xc1, 0xf6, 0xe2, 0x66, 0xa0, 0x11, 0xae, 0x36, 0x37, 0x3a, 0x76, 0x15, 0x04, - 0x53, 0xea, 0x42, 0xf5, 0xf9, 0xea, 0xc0, 0x15, 0xd8, 0xa6, 0x82, 0xd9, 0xe4, 0x61, 0xae, 0x72, - 0x0b, 0x29, 0x5c, 0x90, 0x43, 0xe8, 0x41, 0xb2, 0xe1, 0x77, 0xdb, 0x02, 0x13, 0x44, 0x78, 0x47, - 0x55, 0xaf, 0x58, 0xfc, 0xcc, 0x98, 0xf6, 0x45, 0xb9, 0xd1, 0x20, 0xf8, 0xd8, 0x21, 0x07, 0xfe, - 0x6d, 0xaa, 0x73, 0xd4, 0xb3, 0xc6, 0x07, 0xe9, 0x09, 0x85, 0xcc, 0x3b, 0xf2, 0xb6, 0xbe, 0x2c, - 0x1c, 0x25, 0xd5, 0x71, 0x8c, 0x39, 0xb5, 0x2e, 0xea, 0xbe, 0x18, 0x81, 0xba, 0xb0, 0x93, 0xb8, - 0x0f, 0xe3, 0xe6, 0xd7, 0x26, 0x8c, 0x31, 0x5a, 0x72, 0x03, 0x84, 0x52, 0xe6, 0xa6, 0xf5, 0x33, - 0x22, 0x45, 0x0a, 0xc8, 0x0b, 0x0d, 0x8a, 0xb8, 0x36, 0x6f, 0x90, 0x09, 0xa1, 0xab, 0xbd, 0xd7, - 0xd5, 0x4e, 0x2e, 0x71, 0xa2, 0xd4, 0xae, 0xfa, 0xa7, 0x54, 0x2b, 0xeb, 0x35, 0x8d, 0x5a, 0xb7, - 0x54, 0x88, 0x2f, 0xee, 0x74, 0x9f, 0xed, 0x48, 0x16, 0xca, 0x0d, 0x48, 0xd0, 0x94, 0xd3, 0xac, - 0xa4, 0xa2, 0xf6, 0x24, 0xdf, 0x92, 0xe3, 0xbd, 0xeb, 0x43, 0x40, 0x91, 0x6e, 0x1c, 0x18, 0x8e, - 0x56, 0xb4, 0x82, 0x12, 0xf3, 0xa9, 0x93, 0x9f, 0xd4, 0xbc, 0x9c, 0xad, 0x9c, 0x75, 0xee, 0x5a, - 0x97, 0x1b, 0x95, 0xe7, 0x74, 0x2d, 0x1c, 0x0f, 0xb0, 0x2c, 0x97, 0x9f, 0xfb, 0xa9, 0x33, 0x39, - 0x7a, 0xe7, 0x03, 0x3a, 0x92, 0x8e, 0x22, 0xf6, 0x8c, 0x0d, 0xe4, 0xd9, 0x7e, 0x0d, 0x76, 0x18, - 0xf7, 0x01, 0xf9, 0xef, 0x96, 0x96, 0xa2, 0x55, 0x73, 0xc0, 0x3c, 0x71, 0xb4, 0x1d, 0x1a, 0x56, - 0x43, 0xb7, 0xc3, 0x0a, 0x8d, 0x72, 0xfc, 0xe2, 0x10, 0x09, 0x0b, 0x41, 0xce, 0x8c, 0x94, 0xa0, - 0xf9, 0x03, 0xfd, 0x71, 0x73, 0x4b, 0x8a, 0x57, 0x33, 0xe5, 0x8e, 0x74, 0x7e, 0x15, 0x01, 0x00, - 0xe6, 0xcc, 0x4a, 0x1c, 0xe7, 0x7f, 0x95, 0x19, 0x2d, 0xc5, 0xa5, 0x0c, 0x8b, 0xbb, 0xb5, 0xed, - 0x85, 0xb3, 0x5c, 0xd3, 0xdf, 0xb8, 0xb9, 0xf2, 0xca, 0xc7, 0x0d, 0x01, 0x14, 0xac, 0x70, 0x58, - 0xc5, 0x8c, 0x8d, 0x33, 0xd4, 0x9d, 0x66, 0xa3, 0x1a, 0x50, 0x95, 0x23, 0xfc, 0x48, 0xe0, 0x06, - 0x43, 0x12, 0xd9, 0xcd, 0xa7, 0x86, 0x39, 0x2f, 0x36, 0x72, 0xa3, 0x80, 0x10, 0xe4, 0xe1, 0xf3, - 0xd1, 0xcb, 0x5b, 0x1a, 0xc0, 0xe4, 0x80, 0x9a, 0x7c, 0x13, 0x73, 0x06, 0x4f, 0xdb, 0xa3, 0x6b, - 0x24, 0x0a, 0xba, 0xb3, 0x1c, 0xbc, 0x4a, 0x78, 0xbb, 0xe5, 0xe3, 0x75, 0x38, 0xa5, 0x48, 0xa7, - 0xa2, 0x1e, 0xaf, 0x76, 0xd4, 0x5e, 0xf7, 0x38, 0x86, 0x56, 0x5a, 0x89, 0xce, 0xd6, 0xc3, 0xa7, - 0x79, 0xb2, 0x52, 0xa0, 0xc6, 0xf1, 0x85, 0xb4, 0x25, 0x8c, 0xf2, 0x3f, 0x96, 0xb3, 0x10, 0xd9, - 0x8d, 0x6c, 0x57, 0x3b, 0x9f, 0x6f, 0x86, 0x3a, 0x18, 0x82, 0x22, 0x36, 0xc8, 0xb0, 0x91, 0x38, - 0xdb, 0x2a, 0xa1, 0x93, 0xaa, 0x84, 0x3f, 0xf5, 0x27, 0x65, 0xae, 0x73, 0xd5, 0xc8, 0xd5, 0xd3, - 0x77, 0xea, 0x4b, 0x9d, 0xc7, 0x41, 0xbb, 0xc7, 0xc0, 0xe3, 0xa0, 0x3f, 0xe4, 0x7d, 0xa4, 0x8d, - 0x73, 0xe6, 0x12, 0x4b, 0xdf, 0xa1, 0x73, 0x73, 0x73, 0x3a, 0x80, 0xe8, 0xd5, 0xcb, 0x8e, 0x2f, - 0xcb, 0xea, 0x13, 0xa7, 0xd6, 0x41, 0x8b, 0xac, 0xfa, 0x3c, 0x89, 0xd7, 0x24, 0xf5, 0x4e, 0xb4, - 0xe0, 0x61, 0x92, 0xb7, 0xf3, 0x37, 0x98, 0xc4, 0xbe, 0x96, 0xa3, 0xb7, 0x8a, -}; - -static const char test_cacert3_ca_subject[] = { - 0x30, 0x54, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b, 0x43, 0x41, 0x63, - 0x65, 0x72, 0x74, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, - 0x0b, 0x13, 0x15, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x43, 0x41, - 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, 0x67, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, - 0x03, 0x13, 0x13, 0x43, 0x41, 0x63, 0x65, 0x72, 0x74, 0x20, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x20, - 0x33, 0x20, 0x52, 0x6f, 0x6f, 0x74, -}; - -static const char test_cacert3_ca_issuer[] = { - 0x30, 0x79, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x07, 0x52, 0x6f, 0x6f, - 0x74, 0x20, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, 0x68, - 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x63, 0x61, 0x63, 0x65, 0x72, 0x74, - 0x2e, 0x6f, 0x72, 0x67, 0x31, 0x22, 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x19, 0x43, - 0x41, 0x20, 0x43, 0x65, 0x72, 0x74, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x41, - 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x73, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, - 0x40, 0x63, 0x61, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, 0x67, -}; - -static const char test_cacert3_ca_serial[] = { - 0x02, 0x03, 0x0a, 0x41, 0x8a, -}; - -static const char test_cacert3_ca_public_key[] = { - 0x30, 0x82, 0x02, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0f, 0x00, 0x30, 0x82, 0x02, 0x0a, 0x02, 0x82, 0x02, 0x01, - 0x00, 0xab, 0x49, 0x35, 0x11, 0x48, 0x7c, 0xd2, 0x26, 0x7e, 0x53, 0x94, 0xcf, 0x43, 0xa9, 0xdd, - 0x28, 0xd7, 0x42, 0x2a, 0x8b, 0xf3, 0x87, 0x78, 0x19, 0x58, 0x7c, 0x0f, 0x9e, 0xda, 0x89, 0x7d, - 0xe1, 0xfb, 0xeb, 0x72, 0x90, 0x0d, 0x74, 0xa1, 0x96, 0x64, 0xab, 0x9f, 0xa0, 0x24, 0x99, 0x73, - 0xda, 0xe2, 0x55, 0x76, 0xc7, 0x17, 0x7b, 0xf5, 0x04, 0xac, 0x46, 0xb8, 0xc3, 0xbe, 0x7f, 0x64, - 0x8d, 0x10, 0x6c, 0x24, 0xf3, 0x61, 0x9c, 0xc0, 0xf2, 0x90, 0xfa, 0x51, 0xe6, 0xf5, 0x69, 0x01, - 0x63, 0xc3, 0x0f, 0x56, 0xe2, 0x4a, 0x42, 0xcf, 0xe2, 0x44, 0x8c, 0x25, 0x28, 0xa8, 0xc5, 0x79, - 0x09, 0x7d, 0x46, 0xb9, 0x8a, 0xf3, 0xe9, 0xf3, 0x34, 0x29, 0x08, 0x45, 0xe4, 0x1c, 0x9f, 0xcb, - 0x94, 0x04, 0x1c, 0x81, 0xa8, 0x14, 0xb3, 0x98, 0x65, 0xc4, 0x43, 0xec, 0x4e, 0x82, 0x8d, 0x09, - 0xd1, 0xbd, 0xaa, 0x5b, 0x8d, 0x92, 0xd0, 0xec, 0xde, 0x90, 0xc5, 0x7f, 0x0a, 0xc2, 0xe3, 0xeb, - 0xe6, 0x31, 0x5a, 0x5e, 0x74, 0x3e, 0x97, 0x33, 0x59, 0xe8, 0xc3, 0x03, 0x3d, 0x60, 0x33, 0xbf, - 0xf7, 0xd1, 0x6f, 0x47, 0xc4, 0xcd, 0xee, 0x62, 0x83, 0x52, 0x6e, 0x2e, 0x08, 0x9a, 0xa4, 0xd9, - 0x15, 0x18, 0x91, 0xa6, 0x85, 0x92, 0x47, 0xb0, 0xae, 0x48, 0xeb, 0x6d, 0xb7, 0x21, 0xec, 0x85, - 0x1a, 0x68, 0x72, 0x35, 0xab, 0xff, 0xf0, 0x10, 0x5d, 0xc0, 0xf4, 0x94, 0xa7, 0x6a, 0xd5, 0x3b, - 0x92, 0x7e, 0x4c, 0x90, 0x05, 0x7e, 0x93, 0xc1, 0x2c, 0x8b, 0xa4, 0x8e, 0x62, 0x74, 0x15, 0x71, - 0x6e, 0x0b, 0x71, 0x03, 0xea, 0xaf, 0x15, 0x38, 0x9a, 0xd4, 0xd2, 0x05, 0x72, 0x6f, 0x8c, 0xf9, - 0x2b, 0xeb, 0x5a, 0x72, 0x25, 0xf9, 0x39, 0x46, 0xe3, 0x72, 0x1b, 0x3e, 0x04, 0xc3, 0x64, 0x27, - 0x22, 0x10, 0x2a, 0x8a, 0x4f, 0x58, 0xa7, 0x03, 0xad, 0xbe, 0xb4, 0x2e, 0x13, 0xed, 0x5d, 0xaa, - 0x48, 0xd7, 0xd5, 0x7d, 0xd4, 0x2a, 0x7b, 0x5c, 0xfa, 0x46, 0x04, 0x50, 0xe4, 0xcc, 0x0e, 0x42, - 0x5b, 0x8c, 0xed, 0xdb, 0xf2, 0xcf, 0xfc, 0x96, 0x93, 0xe0, 0xdb, 0x11, 0x36, 0x54, 0x62, 0x34, - 0x38, 0x8f, 0x0c, 0x60, 0x9b, 0x3b, 0x97, 0x56, 0x38, 0xad, 0xf3, 0xd2, 0x5b, 0x8b, 0xa0, 0x5b, - 0xea, 0x4e, 0x96, 0xb8, 0x7c, 0xd7, 0xd5, 0xa0, 0x86, 0x70, 0x40, 0xd3, 0x91, 0x29, 0xb7, 0xa2, - 0x3c, 0xad, 0xf5, 0x8c, 0xbb, 0xcf, 0x1a, 0x92, 0x8a, 0xe4, 0x34, 0x7b, 0xc0, 0xd8, 0x6c, 0x5f, - 0xe9, 0x0a, 0xc2, 0xc3, 0xa7, 0x20, 0x9a, 0x5a, 0xdf, 0x2c, 0x5d, 0x52, 0x5c, 0xba, 0x47, 0xd5, - 0x9b, 0xef, 0x24, 0x28, 0x70, 0x38, 0x20, 0x2f, 0xd5, 0x7f, 0x29, 0xc0, 0xb2, 0x41, 0x03, 0x68, - 0x92, 0xcc, 0xe0, 0x9c, 0xcc, 0x97, 0x4b, 0x45, 0xef, 0x3a, 0x10, 0x0a, 0xab, 0x70, 0x3a, 0x98, - 0x95, 0x70, 0xad, 0x35, 0xb1, 0xea, 0x85, 0x2b, 0xa4, 0x1c, 0x80, 0x21, 0x31, 0xa9, 0xae, 0x60, - 0x7a, 0x80, 0x26, 0x48, 0x00, 0xb8, 0x01, 0xc0, 0x93, 0x63, 0x55, 0x22, 0x91, 0x3c, 0x56, 0xe7, - 0xaf, 0xdb, 0x3a, 0x25, 0xf3, 0x8f, 0x31, 0x54, 0xea, 0x26, 0x8b, 0x81, 0x59, 0xf9, 0xa1, 0xd1, - 0x53, 0x11, 0xc5, 0x7b, 0x9d, 0x03, 0xf6, 0x74, 0x11, 0xe0, 0x6d, 0xb1, 0x2c, 0x3f, 0x2c, 0x86, - 0x91, 0x99, 0x71, 0x9a, 0xa6, 0x77, 0x8b, 0x34, 0x60, 0xd1, 0x14, 0xb4, 0x2c, 0xac, 0x9d, 0xaf, - 0x8c, 0x10, 0xd3, 0x9f, 0xc4, 0x6a, 0xf8, 0x6f, 0x13, 0xfc, 0x73, 0x59, 0xf7, 0x66, 0x42, 0x74, - 0x1e, 0x8a, 0xe3, 0xf8, 0xdc, 0xd2, 0x6f, 0x98, 0x9c, 0xcb, 0x47, 0x98, 0x95, 0x40, 0x05, 0xfb, - 0xe9, 0x02, 0x03, 0x01, 0x00, 0x01, -}; - -static const unsigned char verisign_v1_ca[] = { - 0x30, 0x82, 0x02, 0x3c, 0x30, 0x82, 0x01, 0xa5, 0x02, 0x10, 0x3f, 0x69, 0x1e, 0x81, 0x9c, 0xf0, - 0x9a, 0x4a, 0xf3, 0x73, 0xff, 0xb9, 0x48, 0xa2, 0xe4, 0xdd, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x5f, 0x31, 0x0b, 0x30, 0x09, 0x06, - 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, - 0x0a, 0x13, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, - 0x2e, 0x31, 0x37, 0x30, 0x35, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x2e, 0x43, 0x6c, 0x61, 0x73, - 0x73, 0x20, 0x31, 0x20, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x20, 0x50, 0x72, 0x69, 0x6d, 0x61, - 0x72, 0x79, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1e, 0x17, 0x0d, 0x39, 0x36, - 0x30, 0x31, 0x32, 0x39, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x32, 0x38, 0x30, - 0x38, 0x30, 0x32, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x5f, 0x31, 0x0b, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x13, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, - 0x63, 0x2e, 0x31, 0x37, 0x30, 0x35, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x2e, 0x43, 0x6c, 0x61, - 0x73, 0x73, 0x20, 0x31, 0x20, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x20, 0x50, 0x72, 0x69, 0x6d, - 0x61, 0x72, 0x79, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x81, 0x9f, 0x30, 0x0d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, - 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xe5, 0x19, 0xbf, 0x6d, 0xa3, 0x56, 0x61, 0x2d, - 0x99, 0x48, 0x71, 0xf6, 0x67, 0xde, 0xb9, 0x8d, 0xeb, 0xb7, 0x9e, 0x86, 0x80, 0x0a, 0x91, 0x0e, - 0xfa, 0x38, 0x25, 0xaf, 0x46, 0x88, 0x82, 0xe5, 0x73, 0xa8, 0xa0, 0x9b, 0x24, 0x5d, 0x0d, 0x1f, - 0xcc, 0x65, 0x6e, 0x0c, 0xb0, 0xd0, 0x56, 0x84, 0x18, 0x87, 0x9a, 0x06, 0x9b, 0x10, 0xa1, 0x73, - 0xdf, 0xb4, 0x58, 0x39, 0x6b, 0x6e, 0xc1, 0xf6, 0x15, 0xd5, 0xa8, 0xa8, 0x3f, 0xaa, 0x12, 0x06, - 0x8d, 0x31, 0xac, 0x7f, 0xb0, 0x34, 0xd7, 0x8f, 0x34, 0x67, 0x88, 0x09, 0xcd, 0x14, 0x11, 0xe2, - 0x4e, 0x45, 0x56, 0x69, 0x1f, 0x78, 0x02, 0x80, 0xda, 0xdc, 0x47, 0x91, 0x29, 0xbb, 0x36, 0xc9, - 0x63, 0x5c, 0xc5, 0xe0, 0xd7, 0x2d, 0x87, 0x7b, 0xa1, 0xb7, 0x32, 0xb0, 0x7b, 0x30, 0xba, 0x2a, - 0x2f, 0x31, 0xaa, 0xee, 0xa3, 0x67, 0xda, 0xdb, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x0d, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, - 0x58, 0x15, 0x29, 0x39, 0x3c, 0x77, 0xa3, 0xda, 0x5c, 0x25, 0x03, 0x7c, 0x60, 0xfa, 0xee, 0x09, - 0x99, 0x3c, 0x27, 0x10, 0x70, 0xc8, 0x0c, 0x09, 0xe6, 0xb3, 0x87, 0xcf, 0x0a, 0xe2, 0x18, 0x96, - 0x35, 0x62, 0xcc, 0xbf, 0x9b, 0x27, 0x79, 0x89, 0x5f, 0xc9, 0xc4, 0x09, 0xf4, 0xce, 0xb5, 0x1d, - 0xdf, 0x2a, 0xbd, 0xe5, 0xdb, 0x86, 0x9c, 0x68, 0x25, 0xe5, 0x30, 0x7c, 0xb6, 0x89, 0x15, 0xfe, - 0x67, 0xd1, 0xad, 0xe1, 0x50, 0xac, 0x3c, 0x7c, 0x62, 0x4b, 0x8f, 0xba, 0x84, 0xd7, 0x12, 0x15, - 0x1b, 0x1f, 0xca, 0x5d, 0x0f, 0xc1, 0x52, 0x94, 0x2a, 0x11, 0x99, 0xda, 0x7b, 0xcf, 0x0c, 0x36, - 0x13, 0xd5, 0x35, 0xdc, 0x10, 0x19, 0x59, 0xea, 0x94, 0xc1, 0x00, 0xbf, 0x75, 0x8f, 0xd9, 0xfa, - 0xfd, 0x76, 0x04, 0xdb, 0x62, 0xbb, 0x90, 0x6a, 0x03, 0xd9, 0x46, 0x35, 0xd9, 0xf8, 0x7c, 0x5b, -}; - -static const unsigned char verisign_v1_ca_subject[] = { - 0x30, 0x5f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, - 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, - 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x37, 0x30, 0x35, 0x06, 0x03, 0x55, 0x04, - 0x0b, 0x13, 0x2e, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x20, 0x31, 0x20, 0x50, 0x75, 0x62, 0x6c, 0x69, - 0x63, 0x20, 0x50, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, - 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, - 0x79, -}; - -static const unsigned char verisign_v1_ca_public_key[] = { - 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, - 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xe5, 0x19, 0xbf, - 0x6d, 0xa3, 0x56, 0x61, 0x2d, 0x99, 0x48, 0x71, 0xf6, 0x67, 0xde, 0xb9, 0x8d, 0xeb, 0xb7, 0x9e, - 0x86, 0x80, 0x0a, 0x91, 0x0e, 0xfa, 0x38, 0x25, 0xaf, 0x46, 0x88, 0x82, 0xe5, 0x73, 0xa8, 0xa0, - 0x9b, 0x24, 0x5d, 0x0d, 0x1f, 0xcc, 0x65, 0x6e, 0x0c, 0xb0, 0xd0, 0x56, 0x84, 0x18, 0x87, 0x9a, - 0x06, 0x9b, 0x10, 0xa1, 0x73, 0xdf, 0xb4, 0x58, 0x39, 0x6b, 0x6e, 0xc1, 0xf6, 0x15, 0xd5, 0xa8, - 0xa8, 0x3f, 0xaa, 0x12, 0x06, 0x8d, 0x31, 0xac, 0x7f, 0xb0, 0x34, 0xd7, 0x8f, 0x34, 0x67, 0x88, - 0x09, 0xcd, 0x14, 0x11, 0xe2, 0x4e, 0x45, 0x56, 0x69, 0x1f, 0x78, 0x02, 0x80, 0xda, 0xdc, 0x47, - 0x91, 0x29, 0xbb, 0x36, 0xc9, 0x63, 0x5c, 0xc5, 0xe0, 0xd7, 0x2d, 0x87, 0x7b, 0xa1, 0xb7, 0x32, - 0xb0, 0x7b, 0x30, 0xba, 0x2a, 0x2f, 0x31, 0xaa, 0xee, 0xa3, 0x67, 0xda, 0xdb, 0x02, 0x03, 0x01, - 0x00, 0x01, -}; - -static const unsigned char example_public_key[] = { - 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, - 0x00, 0xaf, 0x24, 0x08, 0x08, 0x29, 0x7a, 0x35, 0x9e, 0x60, 0x0c, 0xaa, 0xe7, 0x4b, 0x3b, 0x4e, - 0xdc, 0x7c, 0xbc, 0x3c, 0x45, 0x1c, 0xbb, 0x2b, 0xe0, 0xfe, 0x29, 0x02, 0xf9, 0x57, 0x08, 0xa3, - 0x64, 0x85, 0x15, 0x27, 0xf5, 0xf1, 0xad, 0xc8, 0x31, 0x89, 0x5d, 0x22, 0xe8, 0x2a, 0xaa, 0xa6, - 0x42, 0xb3, 0x8f, 0xf8, 0xb9, 0x55, 0xb7, 0xb1, 0xb7, 0x4b, 0xb3, 0xfe, 0x8f, 0x7e, 0x07, 0x57, - 0xec, 0xef, 0x43, 0xdb, 0x66, 0x62, 0x15, 0x61, 0xcf, 0x60, 0x0d, 0xa4, 0xd8, 0xde, 0xf8, 0xe0, - 0xc3, 0x62, 0x08, 0x3d, 0x54, 0x13, 0xeb, 0x49, 0xca, 0x59, 0x54, 0x85, 0x26, 0xe5, 0x2b, 0x8f, - 0x1b, 0x9f, 0xeb, 0xf5, 0xa1, 0x91, 0xc2, 0x33, 0x49, 0xd8, 0x43, 0x63, 0x6a, 0x52, 0x4b, 0xd2, - 0x8f, 0xe8, 0x70, 0x51, 0x4d, 0xd1, 0x89, 0x69, 0x7b, 0xc7, 0x70, 0xf6, 0xb3, 0xdc, 0x12, 0x74, - 0xdb, 0x7b, 0x5d, 0x4b, 0x56, 0xd3, 0x96, 0xbf, 0x15, 0x77, 0xa1, 0xb0, 0xf4, 0xa2, 0x25, 0xf2, - 0xaf, 0x1c, 0x92, 0x67, 0x18, 0xe5, 0xf4, 0x06, 0x04, 0xef, 0x90, 0xb9, 0xe4, 0x00, 0xe4, 0xdd, - 0x3a, 0xb5, 0x19, 0xff, 0x02, 0xba, 0xf4, 0x3c, 0xee, 0xe0, 0x8b, 0xeb, 0x37, 0x8b, 0xec, 0xf4, - 0xd7, 0xac, 0xf2, 0xf6, 0xf0, 0x3d, 0xaf, 0xdd, 0x75, 0x91, 0x33, 0x19, 0x1d, 0x1c, 0x40, 0xcb, - 0x74, 0x24, 0x19, 0x21, 0x93, 0xd9, 0x14, 0xfe, 0xac, 0x2a, 0x52, 0xc7, 0x8f, 0xd5, 0x04, 0x49, - 0xe4, 0x8d, 0x63, 0x47, 0x88, 0x3c, 0x69, 0x83, 0xcb, 0xfe, 0x47, 0xbd, 0x2b, 0x7e, 0x4f, 0xc5, - 0x95, 0xae, 0x0e, 0x9d, 0xd4, 0xd1, 0x43, 0xc0, 0x67, 0x73, 0xe3, 0x14, 0x08, 0x7e, 0xe5, 0x3f, - 0x9f, 0x73, 0xb8, 0x33, 0x0a, 0xcf, 0x5d, 0x3f, 0x34, 0x87, 0x96, 0x8a, 0xee, 0x53, 0xe8, 0x25, - 0x15, 0x02, 0x03, 0x01, 0x00, 0x01 -}; - -static const char test_text[] = "This is the file text"; - -static const char test_eku_server_and_client[] = { - 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, - 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, -}; - -static const char test_eku_server[] = { - 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, -}; - -static const char test_eku_email[] = { - 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04 -}; - -static const char test_eku_none[] = { - 0x30, 0x00, -}; - -void test_check_file_msg (const char *file, - int line, - const char *function, - const char *directory, - const char *filename, - const char *reference); - -void test_check_data_msg (const char *file, - int line, - const char *function, - const char *directory, - const char *filename, - const void *refdata, - long reflen); - -#ifdef OS_UNIX - -void test_check_symlink_msg (const char *file, - int line, - const char *function, - const char *directory, - const char *name, - const char *destination); - -#endif /* OS_UNIX */ - -p11_dict * test_check_directory_files (const char *file, - ...) GNUC_NULL_TERMINATED; - -void test_check_directory_msg (const char *file, - int line, - const char *function, - const char *directory, - p11_dict *files); - -#define test_check_file(directory, name, reference) \ - (test_check_file_msg (__FILE__, __LINE__, __FUNCTION__, directory, name, reference)) - -#define test_check_data(directory, name, data, length) \ - (test_check_data_msg (__FILE__, __LINE__, __FUNCTION__, directory, name, data, length)) - -#ifdef OS_UNIX - -#define test_check_symlink(directory, name, destination) \ - (test_check_symlink_msg (__FILE__, __LINE__, __FUNCTION__, directory, name, destination)) - -#endif /* OS_UNIX */ - -#define test_check_directory(directory, files) \ - (test_check_directory_msg (__FILE__, __LINE__, __FUNCTION__, directory, \ - test_check_directory_files files)) - -#endif /* TEST_DATA_H_ */ diff --git a/trust/test-utf8.c b/trust/test-utf8.c deleted file mode 100644 index 9b2c3d5..0000000 --- a/trust/test-utf8.c +++ /dev/null @@ -1,244 +0,0 @@ -/* - * Copyright (c) 2013, Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@collabora.co.uk> - */ - -#include "config.h" -#include "test.h" - -#include "utf8.h" - -#include <stdio.h> -#include <stdlib.h> - -#define ELEMS(x) (sizeof (x) / sizeof (x[0])) - -static void -test_ucs2be (void) -{ - char *output; - size_t length; - int i; - - struct { - const char *output; - size_t output_len; - const unsigned char input[100]; - size_t input_len; - } fixtures[] = { - { "This is a test", 14, - { 0x00, 'T', 0x00, 'h', 0x00, 'i', 0x00, 's', 0x00, ' ', 0x00, 'i', 0x00, 's', 0x00, ' ', - 0x00, 'a', 0x00, ' ', 0x00, 't', 0x00, 'e', 0x00, 's', 0x00, 't' }, 28, - }, - { "V\303\266gel", 6, - { 0x00, 'V', 0x00, 0xF6, 0x00, 'g', 0x00, 'e', 0x00, 'l' }, 10, - }, - { "M\303\244nwich \340\264\205", 12, - { 0x00, 'M', 0x00, 0xE4, 0x00, 'n', 0x00, 'w', 0x00, 'i', 0x00, 'c', 0x00, 'h', - 0x00, ' ', 0x0D, 0x05 }, 18, - } - }; - - for (i = 0; i < ELEMS (fixtures); i++) { - output = p11_utf8_for_ucs2be (fixtures[i].input, - fixtures[i].input_len, - &length); - - assert_num_eq (fixtures[i].output_len, length); - assert_str_eq (fixtures[i].output, output); - free (output); - } -} - -static void -test_ucs2be_fail (void) -{ - char *output; - size_t length; - int i; - - struct { - const unsigned char input[100]; - size_t input_len; - } fixtures[] = { - { { 0x00, 'T', 0x00, 'h', 0x00, 'i', 0x00, }, 7 /* truncated */ } - }; - - for (i = 0; i < ELEMS (fixtures); i++) { - output = p11_utf8_for_ucs2be (fixtures[i].input, - fixtures[i].input_len, - &length); - assert_ptr_eq (NULL, output); - } -} - -static void -test_ucs4be (void) -{ - char *output; - size_t length; - int i; - - struct { - const char *output; - size_t output_len; - const unsigned char input[100]; - size_t input_len; - } fixtures[] = { - { "This is a test", 14, - { 0x00, 0x00, 0x00, 'T', - 0x00, 0x00, 0x00, 'h', - 0x00, 0x00, 0x00, 'i', - 0x00, 0x00, 0x00, 's', - 0x00, 0x00, 0x00, ' ', - 0x00, 0x00, 0x00, 'i', - 0x00, 0x00, 0x00, 's', - 0x00, 0x00, 0x00, ' ', - 0x00, 0x00, 0x00, 'a', - 0x00, 0x00, 0x00, ' ', - 0x00, 0x00, 0x00, 't', - 0x00, 0x00, 0x00, 'e', - 0x00, 0x00, 0x00, 's', - 0x00, 0x00, 0x00, 't', - }, 56, - }, - { "Fun \360\220\214\231", 8, - { 0x00, 0x00, 0x00, 'F', - 0x00, 0x00, 0x00, 'u', - 0x00, 0x00, 0x00, 'n', - 0x00, 0x00, 0x00, ' ', - 0x00, 0x01, 0x03, 0x19, /* U+10319: looks like an antenna */ - }, 20, - } - }; - - for (i = 0; i < ELEMS (fixtures); i++) { - output = p11_utf8_for_ucs4be (fixtures[i].input, - fixtures[i].input_len, - &length); - - assert_num_eq (fixtures[i].output_len, length); - assert_str_eq (fixtures[i].output, output); - - free (output); - } -} - -static void -test_ucs4be_fail (void) -{ - char *output; - size_t length; - int i; - - struct { - const unsigned char input[100]; - size_t input_len; - } fixtures[] = { - { { 0x00, 0x00, 'T', - }, 7 /* truncated */ }, - { { 0x00, 0x00, 0x00, 'F', - 0x00, 0x00, 0x00, 'u', - 0x00, 0x00, 0x00, 'n', - 0x00, 0x00, 0x00, ' ', - 0xD8, 0x00, 0xDF, 0x19, - }, 20, - } - }; - - for (i = 0; i < ELEMS (fixtures); i++) { - output = p11_utf8_for_ucs4be (fixtures[i].input, - fixtures[i].input_len, - &length); - assert_ptr_eq (NULL, output); - } -} - -static void -test_utf8 (void) -{ - bool ret; - int i; - - struct { - const char *input; - size_t input_len; - } fixtures[] = { - { "This is a test", 14 }, - { "Good news everyone", -1 }, - { "Fun \360\220\214\231", -1 }, - { "Fun invalid here: \xfe", 4 }, /* but limited length */ - { "V\303\266gel", 6, }, - }; - - for (i = 0; i < ELEMS (fixtures); i++) { - ret = p11_utf8_validate (fixtures[i].input, - fixtures[i].input_len); - assert_num_eq (true, ret); - } -} - -static void -test_utf8_fail (void) -{ - bool ret; - int i; - - struct { - const char *input; - size_t input_len; - } fixtures[] = { - { "This is a test\x80", 15 }, - { "Good news everyone\x88", -1 }, - { "Bad \xe0v following chars should be |0x80", -1 }, - { "Truncated \xe0", -1 }, - }; - - for (i = 0; i < ELEMS (fixtures); i++) { - ret = p11_utf8_validate (fixtures[i].input, - fixtures[i].input_len); - assert_num_eq (false, ret); - } -} - -int -main (int argc, - char *argv[]) -{ - p11_test (test_ucs2be, "/utf8/ucs2be"); - p11_test (test_ucs2be_fail, "/utf8/ucs2be_fail"); - p11_test (test_ucs4be, "/utf8/ucs4be"); - p11_test (test_ucs4be_fail, "/utf8/ucs4be_fail"); - p11_test (test_utf8, "/utf8/utf8"); - p11_test (test_utf8_fail, "/utf8/utf8_fail"); - return p11_test_run (argc, argv); -} diff --git a/trust/test-x509.c b/trust/test-x509.c deleted file mode 100644 index 9f7d258..0000000 --- a/trust/test-x509.c +++ /dev/null @@ -1,416 +0,0 @@ -/* - * Copyright (c) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@gnome.org> - */ - -#include "config.h" -#include "test.h" - -#include "asn1.h" -#include "debug.h" -#include "oid.h" -#include "x509.h" - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> - -#define ELEMS(x) (sizeof (x) / sizeof (x[0])) - -struct { - p11_dict *asn1_defs; -} test; - -static void -setup (void *unused) -{ - test.asn1_defs = p11_asn1_defs_load (); - assert_ptr_not_null (test.asn1_defs); -} - -static void -teardown (void *unused) -{ - p11_dict_free (test.asn1_defs); - memset (&test, 0, sizeof (test)); -} - -static const char test_ku_ds_and_np[] = { - 0x03, 0x03, 0x07, 0xc0, 0x00, -}; - -static const char test_ku_none[] = { - 0x03, 0x03, 0x07, 0x00, 0x00, -}; - -static const char test_ku_cert_crl_sign[] = { - 0x03, 0x03, 0x07, 0x06, 0x00, -}; - -static const char test_eku_server_and_client[] = { - 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, - 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, -}; - -static const char test_eku_none[] = { - 0x30, 0x00, -}; - -static const char test_eku_client_email_and_timestamp[] = { - 0x30, 0x1e, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x06, 0x08, 0x2b, 0x06, - 0x01, 0x05, 0x05, 0x07, 0x03, 0x04, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x08, -}; - -static const unsigned char test_cacert3_ca_der[] = { - 0x30, 0x82, 0x07, 0x59, 0x30, 0x82, 0x05, 0x41, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x03, 0x0a, - 0x41, 0x8a, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, - 0x00, 0x30, 0x79, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x07, 0x52, 0x6f, - 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, - 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x63, 0x61, 0x63, 0x65, 0x72, - 0x74, 0x2e, 0x6f, 0x72, 0x67, 0x31, 0x22, 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x19, - 0x43, 0x41, 0x20, 0x43, 0x65, 0x72, 0x74, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, - 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x73, 0x75, 0x70, 0x70, 0x6f, 0x72, - 0x74, 0x40, 0x63, 0x61, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, 0x67, 0x30, 0x1e, 0x17, 0x0d, - 0x31, 0x31, 0x30, 0x35, 0x32, 0x33, 0x31, 0x37, 0x34, 0x38, 0x30, 0x32, 0x5a, 0x17, 0x0d, 0x32, - 0x31, 0x30, 0x35, 0x32, 0x30, 0x31, 0x37, 0x34, 0x38, 0x30, 0x32, 0x5a, 0x30, 0x54, 0x31, 0x14, - 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b, 0x43, 0x41, 0x63, 0x65, 0x72, 0x74, 0x20, - 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, 0x68, - 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x43, 0x41, 0x63, 0x65, 0x72, 0x74, - 0x2e, 0x6f, 0x72, 0x67, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x13, 0x43, - 0x41, 0x63, 0x65, 0x72, 0x74, 0x20, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x20, 0x33, 0x20, 0x52, 0x6f, - 0x6f, 0x74, 0x30, 0x82, 0x02, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0f, 0x00, 0x30, 0x82, 0x02, 0x0a, 0x02, 0x82, - 0x02, 0x01, 0x00, 0xab, 0x49, 0x35, 0x11, 0x48, 0x7c, 0xd2, 0x26, 0x7e, 0x53, 0x94, 0xcf, 0x43, - 0xa9, 0xdd, 0x28, 0xd7, 0x42, 0x2a, 0x8b, 0xf3, 0x87, 0x78, 0x19, 0x58, 0x7c, 0x0f, 0x9e, 0xda, - 0x89, 0x7d, 0xe1, 0xfb, 0xeb, 0x72, 0x90, 0x0d, 0x74, 0xa1, 0x96, 0x64, 0xab, 0x9f, 0xa0, 0x24, - 0x99, 0x73, 0xda, 0xe2, 0x55, 0x76, 0xc7, 0x17, 0x7b, 0xf5, 0x04, 0xac, 0x46, 0xb8, 0xc3, 0xbe, - 0x7f, 0x64, 0x8d, 0x10, 0x6c, 0x24, 0xf3, 0x61, 0x9c, 0xc0, 0xf2, 0x90, 0xfa, 0x51, 0xe6, 0xf5, - 0x69, 0x01, 0x63, 0xc3, 0x0f, 0x56, 0xe2, 0x4a, 0x42, 0xcf, 0xe2, 0x44, 0x8c, 0x25, 0x28, 0xa8, - 0xc5, 0x79, 0x09, 0x7d, 0x46, 0xb9, 0x8a, 0xf3, 0xe9, 0xf3, 0x34, 0x29, 0x08, 0x45, 0xe4, 0x1c, - 0x9f, 0xcb, 0x94, 0x04, 0x1c, 0x81, 0xa8, 0x14, 0xb3, 0x98, 0x65, 0xc4, 0x43, 0xec, 0x4e, 0x82, - 0x8d, 0x09, 0xd1, 0xbd, 0xaa, 0x5b, 0x8d, 0x92, 0xd0, 0xec, 0xde, 0x90, 0xc5, 0x7f, 0x0a, 0xc2, - 0xe3, 0xeb, 0xe6, 0x31, 0x5a, 0x5e, 0x74, 0x3e, 0x97, 0x33, 0x59, 0xe8, 0xc3, 0x03, 0x3d, 0x60, - 0x33, 0xbf, 0xf7, 0xd1, 0x6f, 0x47, 0xc4, 0xcd, 0xee, 0x62, 0x83, 0x52, 0x6e, 0x2e, 0x08, 0x9a, - 0xa4, 0xd9, 0x15, 0x18, 0x91, 0xa6, 0x85, 0x92, 0x47, 0xb0, 0xae, 0x48, 0xeb, 0x6d, 0xb7, 0x21, - 0xec, 0x85, 0x1a, 0x68, 0x72, 0x35, 0xab, 0xff, 0xf0, 0x10, 0x5d, 0xc0, 0xf4, 0x94, 0xa7, 0x6a, - 0xd5, 0x3b, 0x92, 0x7e, 0x4c, 0x90, 0x05, 0x7e, 0x93, 0xc1, 0x2c, 0x8b, 0xa4, 0x8e, 0x62, 0x74, - 0x15, 0x71, 0x6e, 0x0b, 0x71, 0x03, 0xea, 0xaf, 0x15, 0x38, 0x9a, 0xd4, 0xd2, 0x05, 0x72, 0x6f, - 0x8c, 0xf9, 0x2b, 0xeb, 0x5a, 0x72, 0x25, 0xf9, 0x39, 0x46, 0xe3, 0x72, 0x1b, 0x3e, 0x04, 0xc3, - 0x64, 0x27, 0x22, 0x10, 0x2a, 0x8a, 0x4f, 0x58, 0xa7, 0x03, 0xad, 0xbe, 0xb4, 0x2e, 0x13, 0xed, - 0x5d, 0xaa, 0x48, 0xd7, 0xd5, 0x7d, 0xd4, 0x2a, 0x7b, 0x5c, 0xfa, 0x46, 0x04, 0x50, 0xe4, 0xcc, - 0x0e, 0x42, 0x5b, 0x8c, 0xed, 0xdb, 0xf2, 0xcf, 0xfc, 0x96, 0x93, 0xe0, 0xdb, 0x11, 0x36, 0x54, - 0x62, 0x34, 0x38, 0x8f, 0x0c, 0x60, 0x9b, 0x3b, 0x97, 0x56, 0x38, 0xad, 0xf3, 0xd2, 0x5b, 0x8b, - 0xa0, 0x5b, 0xea, 0x4e, 0x96, 0xb8, 0x7c, 0xd7, 0xd5, 0xa0, 0x86, 0x70, 0x40, 0xd3, 0x91, 0x29, - 0xb7, 0xa2, 0x3c, 0xad, 0xf5, 0x8c, 0xbb, 0xcf, 0x1a, 0x92, 0x8a, 0xe4, 0x34, 0x7b, 0xc0, 0xd8, - 0x6c, 0x5f, 0xe9, 0x0a, 0xc2, 0xc3, 0xa7, 0x20, 0x9a, 0x5a, 0xdf, 0x2c, 0x5d, 0x52, 0x5c, 0xba, - 0x47, 0xd5, 0x9b, 0xef, 0x24, 0x28, 0x70, 0x38, 0x20, 0x2f, 0xd5, 0x7f, 0x29, 0xc0, 0xb2, 0x41, - 0x03, 0x68, 0x92, 0xcc, 0xe0, 0x9c, 0xcc, 0x97, 0x4b, 0x45, 0xef, 0x3a, 0x10, 0x0a, 0xab, 0x70, - 0x3a, 0x98, 0x95, 0x70, 0xad, 0x35, 0xb1, 0xea, 0x85, 0x2b, 0xa4, 0x1c, 0x80, 0x21, 0x31, 0xa9, - 0xae, 0x60, 0x7a, 0x80, 0x26, 0x48, 0x00, 0xb8, 0x01, 0xc0, 0x93, 0x63, 0x55, 0x22, 0x91, 0x3c, - 0x56, 0xe7, 0xaf, 0xdb, 0x3a, 0x25, 0xf3, 0x8f, 0x31, 0x54, 0xea, 0x26, 0x8b, 0x81, 0x59, 0xf9, - 0xa1, 0xd1, 0x53, 0x11, 0xc5, 0x7b, 0x9d, 0x03, 0xf6, 0x74, 0x11, 0xe0, 0x6d, 0xb1, 0x2c, 0x3f, - 0x2c, 0x86, 0x91, 0x99, 0x71, 0x9a, 0xa6, 0x77, 0x8b, 0x34, 0x60, 0xd1, 0x14, 0xb4, 0x2c, 0xac, - 0x9d, 0xaf, 0x8c, 0x10, 0xd3, 0x9f, 0xc4, 0x6a, 0xf8, 0x6f, 0x13, 0xfc, 0x73, 0x59, 0xf7, 0x66, - 0x42, 0x74, 0x1e, 0x8a, 0xe3, 0xf8, 0xdc, 0xd2, 0x6f, 0x98, 0x9c, 0xcb, 0x47, 0x98, 0x95, 0x40, - 0x05, 0xfb, 0xe9, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x02, 0x0d, 0x30, 0x82, 0x02, 0x09, - 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x75, 0xa8, 0x71, 0x60, 0x4c, - 0x88, 0x13, 0xf0, 0x78, 0xd9, 0x89, 0x77, 0xb5, 0x6d, 0xc5, 0x89, 0xdf, 0xbc, 0xb1, 0x7a, 0x30, - 0x81, 0xa3, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x81, 0x9b, 0x30, 0x81, 0x98, 0x80, 0x14, 0x16, - 0xb5, 0x32, 0x1b, 0xd4, 0xc7, 0xf3, 0xe0, 0xe6, 0x8e, 0xf3, 0xbd, 0xd2, 0xb0, 0x3a, 0xee, 0xb2, - 0x39, 0x18, 0xd1, 0xa1, 0x7d, 0xa4, 0x7b, 0x30, 0x79, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x13, 0x07, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, - 0x2e, 0x63, 0x61, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, 0x67, 0x31, 0x22, 0x30, 0x20, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x13, 0x19, 0x43, 0x41, 0x20, 0x43, 0x65, 0x72, 0x74, 0x20, 0x53, 0x69, - 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, - 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, - 0x73, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x40, 0x63, 0x61, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, - 0x72, 0x67, 0x82, 0x01, 0x00, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, - 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x5d, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x01, 0x01, 0x04, 0x51, 0x30, 0x4f, 0x30, 0x23, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x30, 0x01, 0x86, 0x17, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, - 0x43, 0x41, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x30, 0x28, 0x06, 0x08, 0x2b, - 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x1c, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, - 0x77, 0x77, 0x77, 0x2e, 0x43, 0x41, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x63, - 0x61, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x4a, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x43, 0x30, 0x41, - 0x30, 0x3f, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x81, 0x90, 0x4a, 0x30, 0x33, 0x30, 0x31, - 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x25, 0x68, 0x74, 0x74, 0x70, - 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x43, 0x41, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, - 0x67, 0x2f, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x2e, 0x70, 0x68, 0x70, 0x3f, 0x69, 0x64, 0x3d, 0x31, - 0x30, 0x30, 0x34, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x08, 0x04, 0x27, - 0x16, 0x25, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x43, 0x41, 0x63, - 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x2e, 0x70, 0x68, - 0x70, 0x3f, 0x69, 0x64, 0x3d, 0x31, 0x30, 0x30, 0x50, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, - 0xf8, 0x42, 0x01, 0x0d, 0x04, 0x43, 0x16, 0x41, 0x54, 0x6f, 0x20, 0x67, 0x65, 0x74, 0x20, 0x79, - 0x6f, 0x75, 0x72, 0x20, 0x6f, 0x77, 0x6e, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x65, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x46, 0x52, 0x45, 0x45, 0x2c, 0x20, 0x67, 0x6f, - 0x20, 0x74, 0x6f, 0x20, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x43, - 0x41, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, 0x67, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, - 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x29, 0x28, 0x85, - 0xae, 0x44, 0xa9, 0xb9, 0xaf, 0xa4, 0x79, 0x13, 0xf0, 0xa8, 0xa3, 0x2b, 0x97, 0x60, 0xf3, 0x5c, - 0xee, 0xe3, 0x2f, 0xc1, 0xf6, 0xe2, 0x66, 0xa0, 0x11, 0xae, 0x36, 0x37, 0x3a, 0x76, 0x15, 0x04, - 0x53, 0xea, 0x42, 0xf5, 0xf9, 0xea, 0xc0, 0x15, 0xd8, 0xa6, 0x82, 0xd9, 0xe4, 0x61, 0xae, 0x72, - 0x0b, 0x29, 0x5c, 0x90, 0x43, 0xe8, 0x41, 0xb2, 0xe1, 0x77, 0xdb, 0x02, 0x13, 0x44, 0x78, 0x47, - 0x55, 0xaf, 0x58, 0xfc, 0xcc, 0x98, 0xf6, 0x45, 0xb9, 0xd1, 0x20, 0xf8, 0xd8, 0x21, 0x07, 0xfe, - 0x6d, 0xaa, 0x73, 0xd4, 0xb3, 0xc6, 0x07, 0xe9, 0x09, 0x85, 0xcc, 0x3b, 0xf2, 0xb6, 0xbe, 0x2c, - 0x1c, 0x25, 0xd5, 0x71, 0x8c, 0x39, 0xb5, 0x2e, 0xea, 0xbe, 0x18, 0x81, 0xba, 0xb0, 0x93, 0xb8, - 0x0f, 0xe3, 0xe6, 0xd7, 0x26, 0x8c, 0x31, 0x5a, 0x72, 0x03, 0x84, 0x52, 0xe6, 0xa6, 0xf5, 0x33, - 0x22, 0x45, 0x0a, 0xc8, 0x0b, 0x0d, 0x8a, 0xb8, 0x36, 0x6f, 0x90, 0x09, 0xa1, 0xab, 0xbd, 0xd7, - 0xd5, 0x4e, 0x2e, 0x71, 0xa2, 0xd4, 0xae, 0xfa, 0xa7, 0x54, 0x2b, 0xeb, 0x35, 0x8d, 0x5a, 0xb7, - 0x54, 0x88, 0x2f, 0xee, 0x74, 0x9f, 0xed, 0x48, 0x16, 0xca, 0x0d, 0x48, 0xd0, 0x94, 0xd3, 0xac, - 0xa4, 0xa2, 0xf6, 0x24, 0xdf, 0x92, 0xe3, 0xbd, 0xeb, 0x43, 0x40, 0x91, 0x6e, 0x1c, 0x18, 0x8e, - 0x56, 0xb4, 0x82, 0x12, 0xf3, 0xa9, 0x93, 0x9f, 0xd4, 0xbc, 0x9c, 0xad, 0x9c, 0x75, 0xee, 0x5a, - 0x97, 0x1b, 0x95, 0xe7, 0x74, 0x2d, 0x1c, 0x0f, 0xb0, 0x2c, 0x97, 0x9f, 0xfb, 0xa9, 0x33, 0x39, - 0x7a, 0xe7, 0x03, 0x3a, 0x92, 0x8e, 0x22, 0xf6, 0x8c, 0x0d, 0xe4, 0xd9, 0x7e, 0x0d, 0x76, 0x18, - 0xf7, 0x01, 0xf9, 0xef, 0x96, 0x96, 0xa2, 0x55, 0x73, 0xc0, 0x3c, 0x71, 0xb4, 0x1d, 0x1a, 0x56, - 0x43, 0xb7, 0xc3, 0x0a, 0x8d, 0x72, 0xfc, 0xe2, 0x10, 0x09, 0x0b, 0x41, 0xce, 0x8c, 0x94, 0xa0, - 0xf9, 0x03, 0xfd, 0x71, 0x73, 0x4b, 0x8a, 0x57, 0x33, 0xe5, 0x8e, 0x74, 0x7e, 0x15, 0x01, 0x00, - 0xe6, 0xcc, 0x4a, 0x1c, 0xe7, 0x7f, 0x95, 0x19, 0x2d, 0xc5, 0xa5, 0x0c, 0x8b, 0xbb, 0xb5, 0xed, - 0x85, 0xb3, 0x5c, 0xd3, 0xdf, 0xb8, 0xb9, 0xf2, 0xca, 0xc7, 0x0d, 0x01, 0x14, 0xac, 0x70, 0x58, - 0xc5, 0x8c, 0x8d, 0x33, 0xd4, 0x9d, 0x66, 0xa3, 0x1a, 0x50, 0x95, 0x23, 0xfc, 0x48, 0xe0, 0x06, - 0x43, 0x12, 0xd9, 0xcd, 0xa7, 0x86, 0x39, 0x2f, 0x36, 0x72, 0xa3, 0x80, 0x10, 0xe4, 0xe1, 0xf3, - 0xd1, 0xcb, 0x5b, 0x1a, 0xc0, 0xe4, 0x80, 0x9a, 0x7c, 0x13, 0x73, 0x06, 0x4f, 0xdb, 0xa3, 0x6b, - 0x24, 0x0a, 0xba, 0xb3, 0x1c, 0xbc, 0x4a, 0x78, 0xbb, 0xe5, 0xe3, 0x75, 0x38, 0xa5, 0x48, 0xa7, - 0xa2, 0x1e, 0xaf, 0x76, 0xd4, 0x5e, 0xf7, 0x38, 0x86, 0x56, 0x5a, 0x89, 0xce, 0xd6, 0xc3, 0xa7, - 0x79, 0xb2, 0x52, 0xa0, 0xc6, 0xf1, 0x85, 0xb4, 0x25, 0x8c, 0xf2, 0x3f, 0x96, 0xb3, 0x10, 0xd9, - 0x8d, 0x6c, 0x57, 0x3b, 0x9f, 0x6f, 0x86, 0x3a, 0x18, 0x82, 0x22, 0x36, 0xc8, 0xb0, 0x91, 0x38, - 0xdb, 0x2a, 0xa1, 0x93, 0xaa, 0x84, 0x3f, 0xf5, 0x27, 0x65, 0xae, 0x73, 0xd5, 0xc8, 0xd5, 0xd3, - 0x77, 0xea, 0x4b, 0x9d, 0xc7, 0x41, 0xbb, 0xc7, 0xc0, 0xe3, 0xa0, 0x3f, 0xe4, 0x7d, 0xa4, 0x8d, - 0x73, 0xe6, 0x12, 0x4b, 0xdf, 0xa1, 0x73, 0x73, 0x73, 0x3a, 0x80, 0xe8, 0xd5, 0xcb, 0x8e, 0x2f, - 0xcb, 0xea, 0x13, 0xa7, 0xd6, 0x41, 0x8b, 0xac, 0xfa, 0x3c, 0x89, 0xd7, 0x24, 0xf5, 0x4e, 0xb4, - 0xe0, 0x61, 0x92, 0xb7, 0xf3, 0x37, 0x98, 0xc4, 0xbe, 0x96, 0xa3, 0xb7, 0x8a, -}; - -struct { - const char *eku; - size_t length; - const char *expected[16]; -} extended_key_usage_fixtures[] = { - { test_eku_server_and_client, sizeof (test_eku_server_and_client), - { P11_OID_SERVER_AUTH_STR, P11_OID_CLIENT_AUTH_STR, NULL }, }, - { test_eku_none, sizeof (test_eku_none), - { NULL, }, }, - { test_eku_client_email_and_timestamp, sizeof (test_eku_client_email_and_timestamp), - { P11_OID_CLIENT_AUTH_STR, P11_OID_EMAIL_PROTECTION_STR, P11_OID_TIME_STAMPING_STR }, }, - { NULL }, -}; - -static void -test_parse_extended_key_usage (void) -{ - p11_array *ekus; - int i, j, count; - - for (i = 0; extended_key_usage_fixtures[i].eku != NULL; i++) { - ekus = p11_x509_parse_extended_key_usage (test.asn1_defs, - (const unsigned char *)extended_key_usage_fixtures[i].eku, - extended_key_usage_fixtures[i].length); - assert_ptr_not_null (ekus); - - for (count = 0; extended_key_usage_fixtures[i].expected[count] != NULL; count++); - - assert_num_eq (count, ekus->num); - for (j = 0; j < count; j++) - assert_str_eq (ekus->elem[j], extended_key_usage_fixtures[i].expected[j]); - - p11_array_free (ekus); - } -} - -struct { - const char *ku; - size_t length; - unsigned int expected; -} key_usage_fixtures[] = { - { test_ku_ds_and_np, sizeof (test_ku_ds_and_np), P11_KU_DIGITAL_SIGNATURE | P11_KU_NON_REPUDIATION }, - { test_ku_none, sizeof (test_ku_none), 0 }, - { test_ku_cert_crl_sign, sizeof (test_ku_cert_crl_sign), P11_KU_KEY_CERT_SIGN | P11_KU_CRL_SIGN }, - { NULL }, -}; - -static void -test_parse_key_usage (void) -{ - unsigned int ku; - int i; - bool ret; - - for (i = 0; key_usage_fixtures[i].ku != NULL; i++) { - ku = 0; - - ret = p11_x509_parse_key_usage (test.asn1_defs, - (const unsigned char *)key_usage_fixtures[i].ku, - key_usage_fixtures[i].length, &ku); - assert_num_eq (true, ret); - - assert_num_eq (key_usage_fixtures[i].expected, ku); - } -} - -static void -test_parse_extension (void) -{ - node_asn *cert; - unsigned char *ext; - size_t length; - bool is_ca; - - cert = p11_asn1_decode (test.asn1_defs, "PKIX1.Certificate", - test_cacert3_ca_der, sizeof (test_cacert3_ca_der), NULL); - assert_ptr_not_null (cert); - - ext = p11_x509_find_extension (cert, P11_OID_BASIC_CONSTRAINTS, - test_cacert3_ca_der, sizeof (test_cacert3_ca_der), - &length); - assert_ptr_not_null (ext); - assert (length > 0); - - asn1_delete_structure (&cert); - - if (!p11_x509_parse_basic_constraints (test.asn1_defs, ext, length, &is_ca)) - assert_fail ("failed to parse message", "basic constraints"); - - free (ext); -} -static void -test_parse_extension_not_found (void) -{ - node_asn *cert; - unsigned char *ext; - size_t length; - - cert = p11_asn1_decode (test.asn1_defs, "PKIX1.Certificate", - test_cacert3_ca_der, sizeof (test_cacert3_ca_der), NULL); - assert_ptr_not_null (cert); - - ext = p11_x509_find_extension (cert, P11_OID_OPENSSL_REJECT, - test_cacert3_ca_der, sizeof (test_cacert3_ca_der), - &length); - assert_ptr_eq (NULL, ext); - - asn1_delete_structure (&cert); -} - -static void -test_directory_string (void) -{ - struct { - unsigned char input[100]; - int input_len; - char *output; - int output_len; - } fixtures[] = { - /* UTF8String */ - { { 0x0c, 0x0f, 0xc3, 0x84, ' ', 'U', 'T', 'F', '8', ' ', 's', 't', 'r', 'i', 'n', 'g', ' ', }, 17, - "\xc3\x84 UTF8 string ", 15, - }, - - /* NumericString */ - { { 0x12, 0x04, '0', '1', '2', '3', }, 6, - "0123", 4, - }, - - /* IA5String */ - { { 0x16, 0x04, ' ', 'A', 'B', ' ', }, 6, - " AB ", 4 - }, - - /* TeletexString */ - { { 0x14, 0x07, 'A', ' ', ' ', 'n', 'i', 'c', 'e' }, 9, - "A nice", 7 - }, - - /* PrintableString */ - { { 0x13, 0x07, 'A', ' ', ' ', 'n', 'i', 'c', 'e' }, 9, - "A nice", 7, - }, - - /* UniversalString */ - { { 0x1c, 0x14, 0x00, 0x00, 0x00, 'F', 0x00, 0x00, 0x00, 'u', - 0x00, 0x00, 0x00, 'n', 0x00, 0x00, 0x00, ' ', 0x00, 0x01, 0x03, 0x19, }, 22, - "Fun \xf0\x90\x8c\x99", 8 - }, - - /* BMPString */ - { { 0x1e, 0x0a, 0x00, 'V', 0x00, 0xF6, 0x00, 'g', 0x00, 'e', 0x00, 'l' }, 12, - "V\xc3\xb6gel", 6 - }, - }; - - char *string; - bool unknown; - size_t length; - int i; - - for (i = 0; i < ELEMS (fixtures); i++) { - string = p11_x509_parse_directory_string (fixtures[i].input, - fixtures[i].input_len, - &unknown, &length); - assert_ptr_not_null (string); - assert_num_eq (false, unknown); - - assert_num_eq (fixtures[i].output_len, length); - assert_str_eq (fixtures[i].output, string); - free (string); - } -} - -static void -test_directory_string_unknown (void) -{ - /* Not a valid choice in DirectoryString */ - unsigned char input[] = { 0x05, 0x07, 'A', ' ', ' ', 'n', 'i', 'c', 'e' }; - char *string; - bool unknown = false; - size_t length; - - string = p11_x509_parse_directory_string (input, sizeof (input), &unknown, &length); - assert_ptr_eq (NULL, string); - assert_num_eq (true, unknown); -} - -int -main (int argc, - char *argv[]) -{ - p11_fixture (setup, teardown); - p11_test (test_parse_extended_key_usage, "/x509/parse-extended-key-usage"); - p11_test (test_parse_key_usage, "/x509/parse-key-usage"); - p11_test (test_parse_extension, "/x509/parse-extension"); - p11_test (test_parse_extension_not_found, "/x509/parse-extension-not-found"); - - p11_fixture (NULL, NULL); - p11_test (test_directory_string, "/x509/directory-string"); - p11_test (test_directory_string_unknown, "/x509/directory-string-unknown"); - return p11_test_run (argc, argv); -} diff --git a/trust/token.c b/trust/token.c deleted file mode 100644 index 47b80d8..0000000 --- a/trust/token.c +++ /dev/null @@ -1,909 +0,0 @@ -/* - * Copyright (C) 2012-2013 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#include "asn1.h" -#include "attrs.h" -#include "builder.h" -#include "compat.h" -#include "constants.h" -#define P11_DEBUG_FLAG P11_DEBUG_TRUST -#include "debug.h" -#include "errno.h" -#include "message.h" -#include "module.h" -#include "parser.h" -#include "path.h" -#include "persist.h" -#include "pkcs11.h" -#include "pkcs11x.h" -#include "save.h" -#include "token.h" - -#include <sys/stat.h> -#include <sys/types.h> - -#include <assert.h> -#include <dirent.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -struct _p11_token { - p11_parser *parser; /* Parser we use to load files */ - p11_index *index; /* Index we load objects into */ - p11_builder *builder; /* Expands objects and applies policy */ - p11_dict *loaded; /* stat structs for loaded files, track reloads */ - - char *path; /* Main path to load from */ - char *anchors; /* Path to load anchors from */ - char *blacklist; /* Path to load blacklist from */ - char *label; /* The token label */ - CK_SLOT_ID slot; /* The slot id */ - - bool checked_path; - bool is_writable; - bool make_directory; -}; - -static bool -loader_is_necessary (p11_token *token, - const char *filename, - struct stat *sb) -{ - struct stat *last; - - last = p11_dict_get (token->loaded, filename); - - /* Never seen this before, load it */ - if (last == NULL) - return true; - - /* - * If any of these are different assume that the file - * needs to be reloaded - */ - return (sb->st_mode != last->st_mode || - sb->st_mtime != last->st_mtime || - sb->st_size != last->st_size); -} - -static void -loader_was_loaded (p11_token *token, - const char *filename, - struct stat *sb) -{ - char *key; - - key = strdup (filename); - return_if_fail (key != NULL); - - sb = memdup (sb, sizeof (struct stat)); - return_if_fail (sb != NULL); - - /* Track the info about this file, so we don't reload unnecessarily */ - if (!p11_dict_set (token->loaded, key, sb)) - return_if_reached (); -} - -static bool -loader_not_loaded (p11_token *token, - const char *filename) -{ - /* No longer track info about this file */ - return p11_dict_remove (token->loaded, filename); -} - -static void -loader_gone_file (p11_token *token, - const char *filename) -{ - CK_ATTRIBUTE origin[] = { - { CKA_X_ORIGIN, (void *)filename, strlen (filename) }, - { CKA_INVALID }, - }; - - CK_RV rv; - - p11_index_load (token->index); - - /* Remove everything at this origin */ - rv = p11_index_replace_all (token->index, origin, CKA_INVALID, NULL); - return_if_fail (rv == CKR_OK); - - p11_index_finish (token->index); - - /* No longer track info about this file */ - loader_not_loaded (token, filename); -} - -static int -loader_load_file (p11_token *token, - const char *filename, - struct stat *sb) -{ - CK_ATTRIBUTE origin[] = { - { CKA_X_ORIGIN, (void *)filename, strlen (filename) }, - { CKA_INVALID }, - }; - - p11_array *parsed; - CK_RV rv; - int flags; - int ret; - int i; - - /* Check if this file is already loaded */ - if (!loader_is_necessary (token, filename, sb)) - return 0; - - flags = P11_PARSE_FLAG_NONE; - - /* If it's in the anchors subdirectory, treat as an anchor */ - if (p11_path_prefix (filename, token->anchors)) - flags = P11_PARSE_FLAG_ANCHOR; - - /* If it's in the blacklist subdirectory, treat as a blacklist */ - else if (p11_path_prefix (filename, token->blacklist)) - flags = P11_PARSE_FLAG_BLACKLIST; - - /* If the token is just one path, then assume they are anchors */ - else if (strcmp (filename, token->path) == 0 && !S_ISDIR (sb->st_mode)) - flags = P11_PARSE_FLAG_ANCHOR; - - ret = p11_parse_file (token->parser, filename, sb, flags); - - switch (ret) { - case P11_PARSE_SUCCESS: - p11_debug ("loaded: %s", filename); - break; - case P11_PARSE_UNRECOGNIZED: - p11_debug ("skipped: %s", filename); - loader_gone_file (token, filename); - return 0; - default: - p11_debug ("failed to parse: %s", filename); - loader_gone_file (token, filename); - return 0; - } - - /* Update each parsed object with the origin */ - parsed = p11_parser_parsed (token->parser); - for (i = 0; i < parsed->num; i++) { - parsed->elem[i] = p11_attrs_build (parsed->elem[i], origin, NULL); - return_val_if_fail (parsed->elem[i] != NULL, 0); - } - - p11_index_load (token->index); - - /* Now place all of these in the index */ - rv = p11_index_replace_all (token->index, origin, CKA_CLASS, parsed); - - p11_index_finish (token->index); - - if (rv != CKR_OK) { - p11_message ("couldn't load file into objects: %s", filename); - return 0; - } - - loader_was_loaded (token, filename, sb); - return 1; -} - -static int -loader_load_if_file (p11_token *token, - const char *path) -{ - struct stat sb; - - if (stat (path, &sb) < 0) { - if (errno != ENOENT) - p11_message_err (errno, "couldn't stat path: %d: %s", errno, path); - - } else if (!S_ISDIR (sb.st_mode)) { - return loader_load_file (token, path, &sb); - } - - /* Perhaps the file became unloadable, so track properly */ - loader_gone_file (token, path); - return 0; -} - -static int -loader_load_directory (p11_token *token, - const char *directory, - p11_dict *present) -{ - p11_dictiter iter; - struct dirent *dp; - char *path; - int total = 0; - int ret; - DIR *dir; - - /* First we load all the modules */ - dir = opendir (directory); - if (!dir) { - p11_message_err (errno, "couldn't list directory: %s", directory); - loader_not_loaded (token, directory); - return 0; - } - - while ((dp = readdir (dir)) != NULL) { - path = p11_path_build (directory, dp->d_name, NULL); - return_val_if_fail (path != NULL, -1); - - ret = loader_load_if_file (token, path); - return_val_if_fail (ret >=0, -1); - total += ret; - - /* Make note that this file was seen */ - p11_dict_remove (present, path); - - free (path); - } - - closedir (dir); - - /* All other files that were present, not here now */ - p11_dict_iterate (present, &iter); - while (p11_dict_next (&iter, (void **)&path, NULL)) - loader_gone_file (token, path); - - return total; -} - -static int -loader_load_path (p11_token *token, - const char *path, - bool *is_dir) -{ - p11_dictiter iter; - p11_dict *present; - char *filename; - struct stat sb; - int total; - int ret; - - if (stat (path, &sb) < 0) { - if (errno != ENOENT) - p11_message_err (errno, "cannot access trust certificate path: %s", path); - loader_gone_file (token, path); - *is_dir = false; - ret = 0; - - } else if (S_ISDIR (sb.st_mode)) { - *is_dir = true; - ret = 0; - - /* All the files we know about at this path */ - present = p11_dict_new (p11_dict_str_hash, p11_dict_str_equal, NULL, NULL); - p11_dict_iterate (token->loaded, &iter); - while (p11_dict_next (&iter, (void **)&filename, NULL)) { - if (p11_path_prefix (filename, path)) { - if (!p11_dict_set (present, filename, filename)) - return_val_if_reached (-1); - } - } - - /* If the directory has changed, reload it */ - if (loader_is_necessary (token, path, &sb)) { - ret = loader_load_directory (token, path, present); - - /* Directory didn't change, but maybe files changed? */ - } else { - total = 0; - p11_dict_iterate (present, &iter); - while (p11_dict_next (&iter, (void **)&filename, NULL)) { - ret = loader_load_if_file (token, filename); - return_val_if_fail (ret >= 0, ret); - total += ret; - } - } - - p11_dict_free (present); - loader_was_loaded (token, path, &sb); - - } else { - *is_dir = false; - ret = loader_load_file (token, path, &sb); - } - - return ret; -} - -static int -load_builtin_objects (p11_token *token) -{ - CK_OBJECT_CLASS builtin = CKO_NSS_BUILTIN_ROOT_LIST; - CK_BBOOL vtrue = CK_TRUE; - CK_BBOOL vfalse = CK_FALSE; - CK_RV rv; - - const char *trust_anchor_roots = "Trust Anchor Roots"; - CK_ATTRIBUTE builtin_root_list[] = { - { CKA_CLASS, &builtin, sizeof (builtin) }, - { CKA_TOKEN, &vtrue, sizeof (vtrue) }, - { CKA_PRIVATE, &vfalse, sizeof (vfalse) }, - { CKA_MODIFIABLE, &vfalse, sizeof (vfalse) }, - { CKA_LABEL, (void *)trust_anchor_roots, strlen (trust_anchor_roots) }, - { CKA_INVALID }, - }; - - p11_index_load (token->index); - rv = p11_index_take (token->index, p11_attrs_dup (builtin_root_list), NULL); - return_val_if_fail (rv == CKR_OK, 0); - p11_index_finish (token->index); - return 1; -} - -int -p11_token_load (p11_token *token) -{ - int total = 0; - bool is_dir; - int ret; - - ret = loader_load_path (token, token->path, &is_dir); - return_val_if_fail (ret >= 0, -1); - total += ret; - - if (is_dir) { - ret = loader_load_path (token, token->anchors, &is_dir); - return_val_if_fail (ret >= 0, -1); - total += ret; - - ret = loader_load_path (token, token->blacklist, &is_dir); - return_val_if_fail (ret >= 0, -1); - total += ret; - } - - return total; -} - -bool -p11_token_reload (p11_token *token, - CK_ATTRIBUTE *attrs) -{ - CK_ATTRIBUTE *attr; - struct stat sb; - char *origin; - bool ret; - - attr = p11_attrs_find (attrs, CKA_X_ORIGIN); - if (attr == NULL) - return false; - - origin = strndup (attr->pValue, attr->ulValueLen); - return_val_if_fail (origin != NULL, false); - - if (stat (origin, &sb) < 0) { - if (errno == ENOENT) { - loader_gone_file (token, origin); - } else { - p11_message_err (errno, "cannot access trust file: %s", origin); - } - ret = false; - - } else { - ret = loader_load_file (token, origin, &sb) > 0; - } - - free (origin); - return ret; -} - -static bool -check_directory (const char *path, - bool *make_directory, - bool *is_writable) -{ - struct stat sb; - char *parent; - bool dummy; - bool ret; - - /* - * This function attempts to determine whether a later write - * to this token will succeed so we can setup the appropriate - * token flags. Yes, it is racy, but that's inherent to the problem. - */ - - if (stat (path, &sb) == 0) { - *make_directory = false; - *is_writable = S_ISDIR (sb.st_mode) && access (path, W_OK) == 0; - return true; - } - - switch (errno) { - case EACCES: - *is_writable = false; - *make_directory = false; - return true; - case ENOENT: - *make_directory = true; - parent = p11_path_parent (path); - if (parent == NULL) - ret = false; - else - ret = check_directory (parent, &dummy, is_writable); - free (parent); - return ret; - default: - p11_message_err (errno, "couldn't access: %s", path); - return false; - } -} - -static bool -check_token_directory (p11_token *token) -{ - if (!token->checked_path) { - token->checked_path = check_directory (token->path, - &token->make_directory, - &token->is_writable); - } - - return token->checked_path; -} - -static bool -writer_remove_origin (p11_token *token, - CK_ATTRIBUTE *origin) -{ - bool ret = true; - char *path; - - path = strndup (origin->pValue, origin->ulValueLen); - return_val_if_fail (path != NULL, false); - - if (unlink (path) < 0) { - p11_message_err (errno, "couldn't remove file: %s", path); - ret = false; - } - - free (path); - return ret; -} - -static p11_save_file * -writer_overwrite_origin (p11_token *token, - CK_ATTRIBUTE *origin) -{ - p11_save_file *file; - char *path; - - path = strndup (origin->pValue, origin->ulValueLen); - return_val_if_fail (path != NULL, NULL); - - file = p11_save_open_file (path, NULL, P11_SAVE_OVERWRITE); - free (path); - - return file; -} - -static char * -writer_suggest_name (CK_ATTRIBUTE *attrs) -{ - CK_ATTRIBUTE *label; - CK_OBJECT_CLASS klass; - const char *nick; - - label = p11_attrs_find (attrs, CKA_LABEL); - if (label && label->ulValueLen) - return strndup (label->pValue, label->ulValueLen); - - nick = NULL; - if (p11_attrs_find_ulong (attrs, CKA_CLASS, &klass)) - nick = p11_constant_nick (p11_constant_classes, klass); - if (nick == NULL) - nick = "object"; - return strdup (nick); -} - -static p11_save_file * -writer_create_origin (p11_token *token, - CK_ATTRIBUTE *attrs) -{ - p11_save_file *file; - char *name; - char *path; - - name = writer_suggest_name (attrs); - return_val_if_fail (name != NULL, NULL); - - p11_path_canon (name); - - path = p11_path_build (token->path, name, NULL); - free (name); - - file = p11_save_open_file (path, ".p11-kit", P11_SAVE_UNIQUE); - free (path); - - return file; -} - -static CK_RV -writer_put_header (p11_save_file *file) -{ - const char *header = - "# This file has been auto-generated and written by p11-kit. Changes will be\n" - "# unceremoniously overwritten.\n" - "#\n" - "# The format is designed to be somewhat human readable and debuggable, and a\n" - "# bit transparent but it is not encouraged to read/write this format from other\n" - "# applications or tools without first discussing this at the the mailing list:\n" - "#\n" - "# p11-glue@lists.freedesktop.org\n" - "#\n"; - - if (!p11_save_write (file, header, -1)) - return CKR_FUNCTION_FAILED; - - return CKR_OK; -} - -static CK_RV -writer_put_object (p11_save_file *file, - p11_persist *persist, - p11_buffer *buffer, - CK_ATTRIBUTE *attrs) -{ - if (!p11_buffer_reset (buffer, 0)) - assert_not_reached (); - if (!p11_persist_write (persist, attrs, buffer)) - return_val_if_reached (CKR_GENERAL_ERROR); - if (!p11_save_write (file, buffer->data, buffer->len)) - return CKR_FUNCTION_FAILED; - - return CKR_OK; -} - -static bool -mkdir_with_parents (const char *path) -{ - char *parent; - bool ret; - -#ifdef OS_UNIX - int mode = S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH; - if (mkdir (path, mode) == 0) -#else - if (mkdir (path) == 0) -#endif - return true; - - switch (errno) { - case ENOENT: - parent = p11_path_parent (path); - if (parent != NULL) { - ret = mkdir_with_parents (parent); - free (parent); - if (ret == true) { -#ifdef OS_UNIX - if (mkdir (path, mode) == 0) -#else - if (mkdir (path) == 0) -#endif - return true; - } - } - /* fall through */ - default: - p11_message_err (errno, "couldn't create directory: %s", path); - return false; - } -} - -static CK_RV -on_index_build (void *data, - p11_index *index, - CK_ATTRIBUTE *attrs, - CK_ATTRIBUTE *merge, - CK_ATTRIBUTE **extra) -{ - p11_token *token = data; - return p11_builder_build (token->builder, index, attrs, merge, extra); -} - -static CK_RV -on_index_store (void *data, - p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE **attrs) -{ - p11_token *token = data; - CK_OBJECT_HANDLE *other; - p11_persist *persist; - p11_buffer buffer; - CK_ATTRIBUTE *origin; - CK_ATTRIBUTE *object; - p11_save_file *file; - bool creating = false; - char *path; - CK_RV rv; - int i; - - /* Signifies that data is being loaded, don't write out */ - if (p11_index_loading (index)) - return CKR_OK; - - if (!check_token_directory (token)) - return CKR_FUNCTION_FAILED; - - if (token->make_directory) { - if (!mkdir_with_parents (token->path)) - return CKR_FUNCTION_FAILED; - token->make_directory = false; - } - - /* Do we already have a filename? */ - origin = p11_attrs_find (*attrs, CKA_X_ORIGIN); - if (origin == NULL) { - file = writer_create_origin (token, *attrs); - creating = true; - other = NULL; - - } else { - other = p11_index_find_all (index, origin, 1); - file = writer_overwrite_origin (token, origin); - creating = false; - } - - if (file == NULL) { - free (origin); - free (other); - return CKR_GENERAL_ERROR; - } - - persist = p11_persist_new (); - p11_buffer_init (&buffer, 1024); - - rv = writer_put_header (file); - if (rv == CKR_OK) - rv = writer_put_object (file, persist, &buffer, *attrs); - - for (i = 0; rv == CKR_OK && other && other[i] != 0; i++) { - if (other[i] != handle) { - object = p11_index_lookup (index, other[i]); - if (object != NULL) - rv = writer_put_object (file, persist, &buffer, object); - } - } - - p11_buffer_uninit (&buffer); - p11_persist_free (persist); - free (other); - - if (rv == CKR_OK) { - if (!p11_save_finish_file (file, &path, true)) - rv = CKR_FUNCTION_FAILED; - else if (creating) - *attrs = p11_attrs_take (*attrs, CKA_X_ORIGIN, path, strlen (path)); - else - free (path); - } else { - p11_save_finish_file (file, NULL, false); - } - - return rv; -} - -static CK_RV -on_index_remove (void *data, - p11_index *index, - CK_ATTRIBUTE *attrs) -{ - p11_token *token = data; - CK_OBJECT_HANDLE *other; - p11_persist *persist; - p11_buffer buffer; - CK_ATTRIBUTE *origin; - CK_ATTRIBUTE *object; - p11_save_file *file; - CK_RV rv = CKR_OK; - int i; - - /* Signifies that data is being loaded, don't write out */ - if (p11_index_loading (index)) - return CKR_OK; - - if (!check_token_directory (token)) - return CKR_FUNCTION_FAILED; - - /* We should have a file name */ - origin = p11_attrs_find (attrs, CKA_X_ORIGIN); - return_val_if_fail (origin != NULL, CKR_GENERAL_ERROR); - - /* If there are other objects in this file, then rewrite it */ - other = p11_index_find_all (index, origin, 1); - if (other && other[0]) { - file = writer_overwrite_origin (token, origin); - if (file == NULL) { - free (other); - return CKR_GENERAL_ERROR; - } - - persist = p11_persist_new (); - p11_buffer_init (&buffer, 1024); - - rv = writer_put_header (file); - for (i = 0; rv == CKR_OK && other && other[i] != 0; i++) { - object = p11_index_lookup (index, other[i]); - if (object != NULL) - rv = writer_put_object (file, persist, &buffer, object); - } - - if (rv == CKR_OK) { - if (!p11_save_finish_file (file, NULL, true)) - rv = CKR_FUNCTION_FAILED; - } else { - p11_save_finish_file (file, NULL, false); - } - - p11_persist_free (persist); - p11_buffer_uninit (&buffer); - - /* Otherwise just remove the file */ - } else { - if (!writer_remove_origin (token, origin)) - rv = CKR_FUNCTION_FAILED; - } - - free (other); - - return rv; -} - -static void -on_index_notify (void *data, - p11_index *index, - CK_OBJECT_HANDLE handle, - CK_ATTRIBUTE *attrs) -{ - p11_token *token = data; - p11_builder_changed (token->builder, index, handle, attrs); -} - -void -p11_token_free (p11_token *token) -{ - if (!token) - return; - - p11_index_free (token->index); - p11_parser_free (token->parser); - p11_builder_free (token->builder); - p11_dict_free (token->loaded); - free (token->path); - free (token->anchors); - free (token->blacklist); - free (token->label); - free (token); -} - -p11_token * -p11_token_new (CK_SLOT_ID slot, - const char *path, - const char *label) -{ - p11_token *token; - - return_val_if_fail (path != NULL, NULL); - return_val_if_fail (label != NULL, NULL); - - token = calloc (1, sizeof (p11_token)); - return_val_if_fail (token != NULL, NULL); - - token->builder = p11_builder_new (P11_BUILDER_FLAG_TOKEN); - return_val_if_fail (token->builder != NULL, NULL); - - token->index = p11_index_new (on_index_build, - on_index_store, - on_index_remove, - on_index_notify, - token); - return_val_if_fail (token->index != NULL, NULL); - - token->parser = p11_parser_new (p11_builder_get_cache (token->builder)); - return_val_if_fail (token->parser != NULL, NULL); - p11_parser_formats (token->parser, p11_parser_format_persist, - p11_parser_format_pem, p11_parser_format_x509, NULL); - - token->loaded = p11_dict_new (p11_dict_str_hash, p11_dict_str_equal, free, free); - return_val_if_fail (token->loaded != NULL, NULL); - - token->path = p11_path_expand (path); - return_val_if_fail (token->path != NULL, NULL); - - token->anchors = p11_path_build (token->path, "anchors", NULL); - return_val_if_fail (token->anchors != NULL, NULL); - - token->blacklist = p11_path_build (token->path, "blacklist", NULL); - return_val_if_fail (token->blacklist != NULL, NULL); - - token->label = strdup (label); - return_val_if_fail (token->label != NULL, NULL); - - token->slot = slot; - - load_builtin_objects (token); - - p11_debug ("token: %s: %s", token->label, token->path); - return token; -} - -const char * -p11_token_get_label (p11_token *token) -{ - return_val_if_fail (token != NULL, NULL); - return token->label; -} - -const char * -p11_token_get_path (p11_token *token) -{ - return_val_if_fail (token != NULL, NULL); - return token->path; -} - -CK_SLOT_ID -p11_token_get_slot (p11_token *token) -{ - return_val_if_fail (token != NULL, 0); - return token->slot; -} - -p11_index * -p11_token_index (p11_token *token) -{ - return_val_if_fail (token != NULL, NULL); - return token->index; -} - -p11_parser * -p11_token_parser (p11_token *token) -{ - return_val_if_fail (token != NULL, NULL); - return token->parser; -} - -bool -p11_token_is_writable (p11_token *token) -{ - if (!check_token_directory (token)) - return false; - return token->is_writable; -} diff --git a/trust/token.h b/trust/token.h deleted file mode 100644 index 1180b27..0000000 --- a/trust/token.h +++ /dev/null @@ -1,68 +0,0 @@ -/* - * Copyright (C) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#ifndef P11_TOKEN_H_ -#define P11_TOKEN_H_ - -#include "dict.h" -#include "index.h" -#include "parser.h" -#include "pkcs11.h" - -typedef struct _p11_token p11_token; - -p11_token * p11_token_new (CK_SLOT_ID slot, - const char *path, - const char *label); - -void p11_token_free (p11_token *token); - -int p11_token_load (p11_token *token); - -bool p11_token_reload (p11_token *token, - CK_ATTRIBUTE *attrs); - -p11_index * p11_token_index (p11_token *token); - -p11_parser * p11_token_parser (p11_token *token); - -const char * p11_token_get_path (p11_token *token); - -const char * p11_token_get_label (p11_token *token); - -CK_SLOT_ID p11_token_get_slot (p11_token *token); - -bool p11_token_is_writable (p11_token *token); - -#endif /* P11_TOKEN_H_ */ diff --git a/trust/trust-extract-compat.in b/trust/trust-extract-compat.in deleted file mode 100755 index 9b46055..0000000 --- a/trust/trust-extract-compat.in +++ /dev/null @@ -1,32 +0,0 @@ -#!/bin/sh - -# This script is a placeholder designed to be replaced when this software -# has been customized for distribution. It should be symlinked linked to the -# distribution's update-ca-certificates or update-ca-trust command as -# appropriate. In the future this script will be called when the PKCS#11 -# trust module is used to modifiy trust anchors and related data. - -if [ $# -ne 0 ]; then - echo "usage: trust extract-compat" >&2 - exit 2 -fi - -uid=$(id -u) -if [ "$uid" != 0 ]; then - echo "trust: running as non-root user: skip extracting compat bundles" >&2 - exit 0 -fi - -echo "trust: the placeholder extract-compat command has not been customized by your distribution." >&2 - -# You can use commands like this to extract data from trust modules -# into appropriate locations for your distribution. -# -# trust extract --format=openssl-bundle --filter=ca-anchors \ -# --overwrite /tmp/openssl-bundle.pem -# trust extract --format=pem-bundle --filter=ca-anchors --overwrite \ -# --purpose server-auth /tmp/server-auth-bundle.pem -# trust extract --format=java-cacerts --filter=ca-anchors --overwrite \ -# --purpose server-auth /tmp/cacerts - -exit 1 diff --git a/trust/trust.c b/trust/trust.c deleted file mode 100644 index b006ec8..0000000 --- a/trust/trust.c +++ /dev/null @@ -1,69 +0,0 @@ -/* - * Copyright (c) 2011, Collabora Ltd. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@collabora.co.uk> - */ - -#include "config.h" - -#include "anchor.h" -#include "extract.h" -#include "list.h" - -#include "buffer.h" -#include "compat.h" -#include "debug.h" -#include "message.h" -#include "path.h" -#include "tool.h" - -#include <assert.h> -#include <ctype.h> -#include <getopt.h> -#include <string.h> -#include <stdio.h> -#include <stdlib.h> -#include <unistd.h> - -static const p11_tool_command commands[] = { - { "list", p11_trust_list, "List trust or certificates" }, - { "extract", p11_trust_extract, "Extract certificates and trust" }, - { "extract-compat", p11_trust_extract_compat, "Extract trust compatibility bundles" }, - { "anchor", p11_trust_anchor, "Add, remove, change trust anchors" }, - { 0, } -}; - -int -main (int argc, - char *argv[]) -{ - return p11_tool_main (argc, argv, commands); -} diff --git a/trust/types.h b/trust/types.h deleted file mode 100644 index 64a92b1..0000000 --- a/trust/types.h +++ /dev/null @@ -1,54 +0,0 @@ -/* - * Copyright (c) 2013 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#ifndef TYPES_H_ -#define TYPES_H_ 1 - -#include "pkcs11x.h" - -/* - * A boolean value which denotes whether we auto generated - * this object, as opposed to coming from outside the builder. - * - * We set this on all objects. It will always be either CK_TRUE - * or CK_FALSE for all objects built by this builder. - */ -#define CKA_X_GENERATED (CKA_X_VENDOR + 8000) - -/* - * A string pointing to the filename from which this was loaded. - */ -#define CKA_X_ORIGIN (CKA_X_VENDOR + 8001) - -#endif /* TYPES_H_ */ diff --git a/trust/utf8.c b/trust/utf8.c deleted file mode 100644 index b94c3e7..0000000 --- a/trust/utf8.c +++ /dev/null @@ -1,329 +0,0 @@ -/* - * Copyright (c) 2013, Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#include "buffer.h" -#include "debug.h" -#include "utf8.h" - -#include <assert.h> -#include <stddef.h> -#include <stdint.h> -#include <string.h> - -/* - * Some parts come from FreeBSD utf8.c - * - * Copyright (c) 2002-2004 Tim J. Robbins - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -static ssize_t -utf8_to_uchar (const char *str, - size_t len, - uint32_t *uc) -{ - int ch, i, mask, want; - uint32_t lbound, uch; - - assert (str != NULL); - assert (len > 0); - assert (uc != NULL); - - if (((ch = (unsigned char)*str) & ~0x7f) == 0) { - /* Fast path for plain ASCII characters. */ - *uc = ch; - return 1; - } - - /* - * Determine the number of octets that make up this character - * from the first octet, and a mask that extracts the - * interesting bits of the first octet. We already know - * the character is at least two bytes long. - * - * We also specify a lower bound for the character code to - * detect redundant, non-"shortest form" encodings. For - * example, the sequence C0 80 is _not_ a legal representation - * of the null character. This enforces a 1-to-1 mapping - * between character codes and their multibyte representations. - */ - ch = (unsigned char)*str; - if ((ch & 0xe0) == 0xc0) { - mask = 0x1f; - want = 2; - lbound = 0x80; - } else if ((ch & 0xf0) == 0xe0) { - mask = 0x0f; - want = 3; - lbound = 0x800; - } else if ((ch & 0xf8) == 0xf0) { - mask = 0x07; - want = 4; - lbound = 0x10000; - } else if ((ch & 0xfc) == 0xf8) { - mask = 0x03; - want = 5; - lbound = 0x200000; - } else if ((ch & 0xfe) == 0xfc) { - mask = 0x01; - want = 6; - lbound = 0x4000000; - } else { - /* - * Malformed input; input is not UTF-8. - */ - return -1; - } - - if (want > len) { - /* Incomplete multibyte sequence. */ - return -1; - } - - /* - * Decode the octet sequence representing the character in chunks - * of 6 bits, most significant first. - */ - uch = (unsigned char)*str++ & mask; - for (i = 1; i < want; i++) { - if ((*str & 0xc0) != 0x80) { - /* - * Malformed input; bad characters in the middle - * of a character. - */ - return -1; - } - uch <<= 6; - uch |= *str++ & 0x3f; - } - if (uch < lbound) { - /* - * Malformed input; redundant encoding. - */ - return -1; - } - - *uc = uch; - return want; -} - -static size_t -utf8_for_uchar (uint32_t uc, - char *str, - size_t len) -{ - unsigned char lead; - int i, want; - - assert (str != NULL); - assert (len >= 6); - - if ((uc & ~0x7f) == 0) { - /* Fast path for plain ASCII characters. */ - *str = (char)uc; - return 1; - } - - /* - * Determine the number of octets needed to represent this character. - * We always output the shortest sequence possible. Also specify the - * first few bits of the first octet, which contains the information - * about the sequence length. - */ - if ((uc & ~0x7ff) == 0) { - lead = 0xc0; - want = 2; - } else if ((uc & ~0xffff) == 0) { - lead = 0xe0; - want = 3; - } else if ((uc & ~0x1fffff) == 0) { - lead = 0xf0; - want = 4; - } else if ((uc & ~0x3ffffff) == 0) { - lead = 0xf8; - want = 5; - } else if ((uc & ~0x7fffffff) == 0) { - lead = 0xfc; - want = 6; - } else { - return -1; - } - - assert (want <= len); - - /* - * Output the octets representing the character in chunks - * of 6 bits, least significant last. The first octet is - * a special case because it contains the sequence length - * information. - */ - for (i = want - 1; i > 0; i--) { - str[i] = (uc & 0x3f) | 0x80; - uc >>= 6; - } - *str = (uc & 0xff) | lead; - return want; -} - -static ssize_t -ucs2be_to_uchar (const unsigned char *str, - size_t len, - uint32_t *wc) -{ - assert (str != NULL); - assert (len != 0); - assert (wc != NULL); - - if (len < 2) - return -1; - - *wc = (str[0] << 8 | str[1]); - return 2; -} - -static ssize_t -ucs4be_to_uchar (const unsigned char *str, - size_t len, - uint32_t *uc) -{ - assert (str != NULL); - assert (len != 0); - assert (uc != NULL); - - if (len < 4) - return -1; - - *uc = (str[0] << 24 | str[1] << 16 | str[2] << 8 | str[3]); - return 4; -} - -bool -p11_utf8_validate (const char *str, - ssize_t len) -{ - uint32_t dummy; - ssize_t ret; - - if (len < 0) - len = strlen (str); - - while (len > 0) { - ret = utf8_to_uchar (str, len, &dummy); - if (ret < 0) - return false; - str += ret; - len -= ret; - } - - return true; -} - -static char * -utf8_for_convert (ssize_t (* convert) (const unsigned char *, size_t, uint32_t *), - const unsigned char *str, - size_t num_bytes, - size_t *ret_len) -{ - p11_buffer buf; - char block[6]; - uint32_t uc; - ssize_t ret; - - assert (convert); - - if (!p11_buffer_init_null (&buf, num_bytes)) - return_val_if_reached (NULL); - - while (num_bytes != 0) { - ret = (convert) (str, num_bytes, &uc); - if (ret < 0) { - p11_buffer_uninit (&buf); - return NULL; - } - - str += ret; - num_bytes -= ret; - - ret = utf8_for_uchar (uc, block, 6); - if (ret < 0) { - p11_buffer_uninit (&buf); - return NULL; - } - p11_buffer_add (&buf, block, ret); - } - - return_val_if_fail (p11_buffer_ok (&buf), NULL); - return p11_buffer_steal (&buf, ret_len); -} - -char * -p11_utf8_for_ucs2be (const unsigned char *str, - size_t num_bytes, - size_t *ret_len) -{ - assert (str != NULL); - return utf8_for_convert (ucs2be_to_uchar, str, num_bytes, ret_len); -} - -char * -p11_utf8_for_ucs4be (const unsigned char *str, - size_t num_bytes, - size_t *ret_len) -{ - assert (str != NULL); - return utf8_for_convert (ucs4be_to_uchar, str, num_bytes, ret_len); -} diff --git a/trust/utf8.h b/trust/utf8.h deleted file mode 100644 index 8efa66f..0000000 --- a/trust/utf8.h +++ /dev/null @@ -1,53 +0,0 @@ -/* - * Copyright (c) 2013, Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#ifndef P11_UTF8_H_ -#define P11_UTF8_H_ - -#include "compat.h" - -#include <sys/types.h> - -bool p11_utf8_validate (const char *str, - ssize_t len); - -char * p11_utf8_for_ucs2be (const unsigned char *str, - size_t num_bytes, - size_t *ret_len); - -char * p11_utf8_for_ucs4be (const unsigned char *str, - size_t num_bytes, - size_t *ret_len); - -#endif /* P11_UTF8_H_ */ diff --git a/trust/x509.c b/trust/x509.c deleted file mode 100644 index 3b4fb2d..0000000 --- a/trust/x509.c +++ /dev/null @@ -1,370 +0,0 @@ -/* - * Copyright (C) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include "config.h" - -#include "asn1.h" -#define P11_DEBUG_FLAG P11_DEBUG_TRUST -#include "debug.h" -#include "digest.h" -#include "oid.h" -#include "utf8.h" -#include "x509.h" - -#include <stdlib.h> -#include <string.h> - -unsigned char * -p11_x509_find_extension (node_asn *cert, - const unsigned char *oid, - const unsigned char *der, - size_t der_len, - size_t *ext_len) -{ - char field[128]; - int start; - int end; - int ret; - int i; - - return_val_if_fail (cert != NULL, NULL); - return_val_if_fail (oid != NULL, NULL); - return_val_if_fail (ext_len != NULL, NULL); - - for (i = 1; ; i++) { - if (snprintf (field, sizeof (field), "tbsCertificate.extensions.?%u.extnID", i) < 0) - return_val_if_reached (NULL); - - ret = asn1_der_decoding_startEnd (cert, der, der_len, field, &start, &end); - - /* No more extensions */ - if (ret == ASN1_ELEMENT_NOT_FOUND) - break; - - return_val_if_fail (ret == ASN1_SUCCESS, NULL); - - /* Make sure it's a straightforward oid with certain assumptions */ - if (!p11_oid_simple (der + start, (end - start) + 1)) - continue; - - /* The one we're lookin for? */ - if (!p11_oid_equal (der + start, oid)) - continue; - - if (snprintf (field, sizeof (field), "tbsCertificate.extensions.?%u.extnValue", i) < 0) - return_val_if_reached (NULL); - - return p11_asn1_read (cert, field, ext_len); - } - - return NULL; -} - -bool -p11_x509_hash_subject_public_key (node_asn *cert, - const unsigned char *der, - size_t der_len, - unsigned char *keyid) -{ - int start, end; - size_t len; - int ret; - - return_val_if_fail (cert != NULL, NULL); - return_val_if_fail (der != NULL, NULL); - - ret = asn1_der_decoding_startEnd (cert, der, der_len, "tbsCertificate.subjectPublicKeyInfo", &start, &end); - return_val_if_fail (ret == ASN1_SUCCESS, false); - return_val_if_fail (end >= start, false); - - len = (end - start) + 1; - p11_digest_sha1 (keyid, (der + start), len, NULL); - return true; -} - -unsigned char * -p11_x509_parse_subject_key_identifier (p11_dict *asn1_defs, - const unsigned char *ext_der, - size_t ext_len, - size_t *keyid_len) -{ - unsigned char *keyid; - node_asn *ext; - - return_val_if_fail (keyid_len != NULL, false); - - ext = p11_asn1_decode (asn1_defs, "PKIX1.SubjectKeyIdentifier", ext_der, ext_len, NULL); - if (ext == NULL) - return NULL; - - keyid = p11_asn1_read (ext, "", keyid_len); - return_val_if_fail (keyid != NULL, NULL); - - asn1_delete_structure (&ext); - - return keyid; -} - -bool -p11_x509_parse_basic_constraints (p11_dict *asn1_defs, - const unsigned char *ext_der, - size_t ext_len, - bool *is_ca) -{ - char buffer[8]; - node_asn *ext; - int ret; - int len; - - return_val_if_fail (is_ca != NULL, false); - - ext = p11_asn1_decode (asn1_defs, "PKIX1.BasicConstraints", ext_der, ext_len, NULL); - if (ext == NULL) - return false; - - len = sizeof (buffer); - ret = asn1_read_value (ext, "cA", buffer, &len); - - /* Default value for cA is FALSE */ - if (ret == ASN1_ELEMENT_NOT_FOUND) { - *is_ca = false; - - } else { - return_val_if_fail (ret == ASN1_SUCCESS, false); - *is_ca = (strcmp (buffer, "TRUE") == 0); - } - - asn1_delete_structure (&ext); - - return true; -} - -bool -p11_x509_parse_key_usage (p11_dict *asn1_defs, - const unsigned char *ext_der, - size_t ext_len, - unsigned int *ku) -{ - char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE] = { 0, }; - unsigned char buf[2]; - node_asn *ext; - int len; - int ret; - - ext = p11_asn1_decode (asn1_defs, "PKIX1.KeyUsage", ext_der, ext_len, message); - if (ext == NULL) - return false; - - len = sizeof (buf); - ret = asn1_read_value (ext, "", buf, &len); - return_val_if_fail (ret == ASN1_SUCCESS, false); - - /* A bit string, so combine into one set of flags */ - *ku = buf[0] | (buf[1] << 8); - - asn1_delete_structure (&ext); - - return true; -} - -p11_array * -p11_x509_parse_extended_key_usage (p11_dict *asn1_defs, - const unsigned char *ext_der, - size_t ext_len) -{ - node_asn *asn; - char field[128]; - p11_array *ekus; - size_t len; - char *eku; - int i; - - asn = p11_asn1_decode (asn1_defs, "PKIX1.ExtKeyUsageSyntax", ext_der, ext_len, NULL); - if (asn == NULL) - return NULL; - - ekus = p11_array_new (free); - - for (i = 1; ; i++) { - if (snprintf (field, sizeof (field), "?%u", i) < 0) - return_val_if_reached (NULL); - - eku = p11_asn1_read (asn, field, &len); - if (eku == NULL) - break; - - eku[len] = 0; - - /* If it's our reserved OID, then skip */ - if (strcmp (eku, P11_OID_RESERVED_PURPOSE_STR) == 0) { - free (eku); - continue; - } - - if (!p11_array_push (ekus, eku)) - return_val_if_reached (NULL); - } - - asn1_delete_structure (&asn); - - return ekus; -} - -char * -p11_x509_parse_directory_string (const unsigned char *input, - size_t input_len, - bool *unknown_string, - size_t *string_len) -{ - unsigned long tag; - unsigned char cls; - int tag_len; - int len_len; - const void *octets; - long octet_len; - int ret; - - ret = asn1_get_tag_der (input, input_len, &cls, &tag_len, &tag); - return_val_if_fail (ret == ASN1_SUCCESS, NULL); - - octet_len = asn1_get_length_der (input + tag_len, input_len - tag_len, &len_len); - return_val_if_fail (octet_len >= 0, false); - return_val_if_fail (tag_len + len_len + octet_len == input_len, NULL); - - octets = input + tag_len + len_len; - - if (unknown_string) - *unknown_string = false; - - /* The following strings are the ones we normalize */ - switch (tag) { - case 12: /* UTF8String */ - case 18: /* NumericString */ - case 22: /* IA5String */ - case 20: /* TeletexString */ - case 19: /* PrintableString */ - if (!p11_utf8_validate (octets, octet_len)) - return NULL; - if (string_len) - *string_len = octet_len; - return strndup (octets, octet_len); - - case 28: /* UniversalString */ - return p11_utf8_for_ucs4be (octets, octet_len, string_len); - - case 30: /* BMPString */ - return p11_utf8_for_ucs2be (octets, octet_len, string_len); - - /* Just pass through all the non-string types */ - default: - if (unknown_string) - *unknown_string = true; - return NULL; - } - -} - -char * -p11_x509_parse_dn_name (p11_dict *asn_defs, - const unsigned char *der, - size_t der_len, - const unsigned char *oid) -{ - node_asn *asn; - char *part; - - asn = p11_asn1_decode (asn_defs, "PKIX1.Name", der, der_len, NULL); - if (asn == NULL) - return NULL; - - part = p11_x509_lookup_dn_name (asn, NULL, der, der_len, oid); - asn1_delete_structure (&asn); - return part; -} - -char * -p11_x509_lookup_dn_name (node_asn *asn, - const char *dn_field, - const unsigned char *der, - size_t der_len, - const unsigned char *oid) -{ - unsigned char *value; - char field[128]; - size_t value_len; - char *part; - int i, j; - int start; - int end; - int ret; - - for (i = 1; true; i++) { - for (j = 1; true; j++) { - snprintf (field, sizeof (field), "%s%srdnSequence.?%d.?%d.type", - dn_field, dn_field ? "." : "", i, j); - - ret = asn1_der_decoding_startEnd (asn, der, der_len, field, &start, &end); - - /* No more dns */ - if (ret == ASN1_ELEMENT_NOT_FOUND) - break; - - return_val_if_fail (ret == ASN1_SUCCESS, NULL); - - /* Make sure it's a straightforward oid with certain assumptions */ - if (!p11_oid_simple (der + start, (end - start) + 1)) - continue; - - /* The one we're lookin for? */ - if (!p11_oid_equal (der + start, oid)) - continue; - - snprintf (field, sizeof (field), "%s%srdnSequence.?%d.?%d.value", - dn_field, dn_field ? "." : "", i, j); - - value = p11_asn1_read (asn, field, &value_len); - return_val_if_fail (value != NULL, NULL); - - part = p11_x509_parse_directory_string (value, value_len, NULL, NULL); - free (value); - - return part; - } - - if (j == 1) - break; - } - - return NULL; -} diff --git a/trust/x509.h b/trust/x509.h deleted file mode 100644 index 45fa628..0000000 --- a/trust/x509.h +++ /dev/null @@ -1,89 +0,0 @@ -/* - * Copyright (C) 2012 Red Hat Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above - * copyright notice, this list of conditions and the - * following disclaimer. - * * Redistributions in binary form must reproduce the - * above copyright notice, this list of conditions and - * the following disclaimer in the documentation and/or - * other materials provided with the distribution. - * * The names of contributors to this software may not be - * used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF - * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - * DAMAGE. - * - * Author: Stef Walter <stefw@redhat.com> - */ - -#include <libtasn1.h> - -#include "array.h" -#include "dict.h" - -#ifndef P11_X509_H_ -#define P11_X509_H_ - -unsigned char * p11_x509_find_extension (node_asn *cert, - const unsigned char *oid, - const unsigned char *der, - size_t der_len, - size_t *ext_len); - -bool p11_x509_hash_subject_public_key (node_asn *cert, - const unsigned char *der, - size_t der_len, - unsigned char *keyid); - -bool p11_x509_parse_basic_constraints (p11_dict *asn1_defs, - const unsigned char *ext_der, - size_t ext_len, - bool *is_ca); - -bool p11_x509_parse_key_usage (p11_dict *asn1_defs, - const unsigned char *data, - size_t length, - unsigned int *ku); - -p11_array * p11_x509_parse_extended_key_usage (p11_dict *asn1_defs, - const unsigned char *ext_der, - size_t ext_len); - -unsigned char * p11_x509_parse_subject_key_identifier (p11_dict *asn1_defs, - const unsigned char *ext_der, - size_t ext_len, - size_t *keyid_len); - -char * p11_x509_parse_dn_name (p11_dict *asn_defs, - const unsigned char *der, - size_t der_len, - const unsigned char *oid); - -char * p11_x509_lookup_dn_name (node_asn *asn, - const char *dn_field, - const unsigned char *der, - size_t der_len, - const unsigned char *oid); - -char * p11_x509_parse_directory_string (const unsigned char *input, - size_t input_len, - bool *unknown_string, - size_t *string_len); - -#endif /* P11_X509_H_ */ |