trust: Respect anyExtendedKeyUsage in CA certificates
authorDaiki Ueno <dueno@redhat.com>
Fri, 18 Aug 2017 15:26:30 +0000 (17:26 +0200)
committerDaiki Ueno <ueno@gnu.org>
Mon, 2 Oct 2017 08:34:18 +0000 (10:34 +0200)
trust/enumerate.c
trust/oid.h
trust/test-enumerate.c

index 731fadca9de63a4828b2cf16c3177cc072ec3d96..9b43b9b58a6c7c214c07b659cb73f1167e54e1e9 100644 (file)
@@ -374,6 +374,11 @@ on_iterate_load_filter (p11_kit_iter *iter,
        if (ex->limit_to_purposes && ex->purposes) {
                *matches = CK_FALSE;
                for (i = 0; i < ex->purposes->num; i++) {
+                       if (strcmp (ex->purposes->elem[i], P11_OID_ANY_EXTENDED_KEY_USAGE_STR) == 0) {
+                               p11_debug ("anyExtendedKeyUsage is set, skipping filtering by purposes");
+                               *matches = CK_TRUE;
+                               break;
+                       }
                        if (p11_dict_get (ex->limit_to_purposes, ex->purposes->elem[i])) {
                                *matches = CK_TRUE;
                                break;
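Review bot: The new branch bypasses the whole `limit_to_purposes` filter whenever the object's EKU list contains anyExtendedKeyUsage, so such a certificate lands in every purpose-restricted bundle (e.g. a server-auth-only extract); that is the RFC 5280 §4.2.1.12 meaning of the OID, but the rationale and the trade-off deserve a comment, since RFC 5280 also lets consumers that require a specific purpose reject anyEKU. I would add above the `strcmp`: `/* RFC 5280 4.2.1.12: anyExtendedKeyUsage means the key may be used for any purpose, so it satisfies every --purpose filter; consumers that insist on a specific EKU may still reject it. */`. Stylistically the two `*matches = CK_TRUE; break;` arms could be merged into one condition (`if (strcmp (...) == 0 || p11_dict_get (...))`) with the debug message moved under the strcmp result, but that is cosmetic. The enclosing on_iterate_load_filter starts and ends outside the hunk.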
index cf510fe571e967ee31fab8c1ff36b56cda7bee54..297e7a65e9eb3bcb92f3efcbc59d448583ac3327 100644 (file)
@@ -117,6 +117,15 @@ static const unsigned char P11_OID_EXTENDED_KEY_USAGE[] =
        { 0x06, 0x03, 0x55, 0x1d, 0x25 };
 static const char P11_OID_EXTENDED_KEY_USAGE_STR[] = "2.5.29.37";
 
+/*
+ * 2.5.29.37.0: anyExtendedKeyUsage
+ *
+ * Defined in RFC 5280
+ */
+static const unsigned char P11_OID_ANY_EXTENDED_KEY_USAGE[] =
+       { 0x06, 0x03, 0x55, 0x1d, 0x25, 0x00 };
+static const char P11_OID_ANY_EXTENDED_KEY_USAGE_STR[] = "2.5.29.37.0";
+
 /*
  * 1.3.6.1.4.1.3319.6.10.1: OpenSSL reject extension
  *
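Review bot: The DER length byte of the new P11_OID_ANY_EXTENDED_KEY_USAGE constant is wrong: the encoding of 2.5.29.37.0 has four content bytes (55 1d 25 00) but the array declares `0x03`, so it should read `{ 0x06, 0x04, 0x55, 0x1d, 0x25, 0x00 };`. As written the constant is malformed DER and will not compare equal to a correctly encoded anyExtendedKeyUsage OID (the test data elsewhere in this commit does encode it with length 0x04). This commit only uses the `_STR` form in enumerate.c, so the defect appears latent, but I cannot see other users of the binary form from here and the first one will silently never match.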
index 3e188b24b0321c5c9d0b3ce91666ea3a0610d16d..0ac3a333949b0de129de7cd2b08140fef3f27417 100644 (file)
@@ -243,6 +243,17 @@ static CK_ATTRIBUTE extension_eku_invalid[] = {
        { CKA_INVALID },
 };
 
+static CK_ATTRIBUTE extension_eku_any[] = {
+       { CKA_CLASS, &extension_class, sizeof (extension_class) },
+       { CKA_ID, "ID1", 3 },
+       { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) },
+       { CKA_PUBLIC_KEY_INFO, (void *)test_cacert3_ca_public_key, sizeof (test_cacert3_ca_public_key) },
+       /* anyExtendedKeyUsage ('2 5 29 37 0') and
+        * Microsoft Smart Card Logon ('1 3 6 1 4 1 311 20 2 2') */
+       { CKA_VALUE, "\x30\x1b\x06\x03\x55\x1d\x25\x04\x14\x30\x12\x06\x04\x55\x1d\x25\x00\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x14\x02\x02", 29 },
+       { CKA_INVALID },
+};
+
 static void
 test_info_simple_certificate (void)
 {
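Review bot: The fixture comment lists the two EKU OIDs but not why the second one is Microsoft Smart Card Logon; the point of the fixture is that the purpose the test asks for (serverAuth) is deliberately absent, so only anyExtendedKeyUsage can make the object match. I would extend the comment with: `* serverAuth is intentionally absent: the match must come from anyExtendedKeyUsage alone. */`. The DER bytes themselves look consistent (outer SEQUENCE 0x1b, OCTET STRING 0x14, inner SEQUENCE 0x12, anyEKU encoded with length 0x04, total 29).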
@@ -374,6 +385,25 @@ test_limit_to_purpose_no_match (void)
        p11_message_loud ();
 }
 
+static void
+test_limit_to_purpose_match_any (void)
+{
+       CK_RV rv;
+
+       mock_module_add_object (MOCK_SLOT_ONE_ID, cacert3_trusted);
+       mock_module_add_object (MOCK_SLOT_ONE_ID, extension_eku_any);
+
+       p11_enumerate_opt_purpose (&test.ex, P11_OID_SERVER_AUTH_STR);
+       p11_enumerate_ready (&test.ex, NULL);
+
+       p11_message_quiet ();
+
+       rv = p11_kit_iter_next (test.ex.iter);
+       assert_num_eq (CKR_OK, rv);
+
+       p11_message_loud ();
+}
+
 static void
 test_duplicate_extract (void)
 {
@@ -529,6 +559,7 @@ main (int argc,
        p11_test (test_info_skip_non_certificate, "/extract/test_info_skip_non_certificate");
        p11_test (test_limit_to_purpose_match, "/extract/test_limit_to_purpose_match");
        p11_test (test_limit_to_purpose_no_match, "/extract/test_limit_to_purpose_no_match");
+       p11_test (test_limit_to_purpose_match_any, "/extract/test_limit_to_purpose_no_match_any");
        p11_test (test_duplicate_extract, "/extract/test_duplicate_extract");
        p11_test (test_duplicate_distrusted, "/extract/test-duplicate-distrusted");
        p11_test (test_trusted_match, "/extract/test_trusted_match");
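Review bot: The registered test path for the new case does not match the function it registers: `test_limit_to_purpose_match_any` is listed as "/extract/test_limit_to_purpose_no_match_any", which reads as a copy of the preceding line and will mislabel failures in the test output. It should be `p11_test (test_limit_to_purpose_match_any, "/extract/test_limit_to_purpose_match_any");`.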