Stef Walter [Tue, 12 Mar 2013 17:03:25 +0000 (18:03 +0100)]
trust: Refactor to include concept of the index
* The index holds PKCS#11 objects whether for the token or for the session.
* The index provides hook for a builder to expand or validate objects
being added to the index.
* In addition there's a change hook so that a builder can maintain state
between objects, such as the compat NSS trust objects.
Stef Walter [Thu, 14 Mar 2013 10:14:52 +0000 (11:14 +0100)]
asn1: Implement a parsed ASN.1 tree cache
In order to unmarry the parser from the future builder, but still retain
efficiency, we need to be able to cache parsed ASN.1 trees. The ASN.1
cache provides this. In addition it carries around the loaded ASN.1
definitions.
Stef Walter [Fri, 15 Mar 2013 08:22:57 +0000 (09:22 +0100)]
extract: Combine trust policy when extracting
* Collapse multiple identical certificates coming from different
tokens. Note that a certificate should not be placed multiple
times on a token. We cannot know which one to respect.
* Add a new extract filter: --trust-policy
This extracts all anchor and blacklist information
Stef Walter [Fri, 15 Mar 2013 07:23:43 +0000 (08:23 +0100)]
extract: --comment option adds comments to PEM bundles
* Placed before the certificate, simple one liner
* No need to put comments in PEM files extracted into
directories, as the file names are already descriptive.
Stef Walter [Thu, 7 Mar 2013 17:53:50 +0000 (18:53 +0100)]
p11-kit: New priority option and change trust-policy option
* Sort loaded modules appropriately using the 'priority' option. This
allows us to have a predictable order for callers, when callers
iterate through modules.
* Modules default to having a 'priority' option of '0'.
* If modules have the same order value, then sort by name.
* The above assumes the role of ordering trust-policy sources.
* Change the trust-policy option to a boolean
* Some of this code will be rearranged when the managed branch
is merged.
Stef Walter [Wed, 6 Mar 2013 18:16:09 +0000 (19:16 +0100)]
trust: Make each configured path its own token
* Each source directory or file configured into the module or passed
in as an initialization argument becomes its own token.
Previously there was one token that contained certificates from
all the configured paths.
* These tokens are clearly labeled in the token info as
to the directory or file that they represent.
* Update PKCS#11 module logic to deal with multiple tokens, validate
the slot ids and so on.
* The order in which the paths are configured will become the
order of trust priority. This is the same order in which they
are listed through 'p11-kit list-modules' and C_GetSlotList.
* Update the frob-token internal tool to only play with one path
* Adjust tests where necessary to reflect the new state of things
and add tests for modified trust module code
Stef Walter [Thu, 14 Mar 2013 09:05:17 +0000 (10:05 +0100)]
trust: Rework input path treatment
* Accept a single --with-trust-paths argument to ./configure
which contains all the input paths.
* The --with-system-anchors and --with-system-certificates
./configure arguments are no longer supported. Since they were
only present briefly, no provision is made for backwards
compatibility.
* Each input file is treated as containing anchors by default
unless an input certificate contains detailed trust information.
* The files in each input directory are not automatically treated
as anchors unless a certificate contains detailed trust information.
* The files in anchors/ subdirectory of each input directory are
automatically marked as anchors.
* The files in the blacklist/ subdirectory of each input directory
are automatically marked as blacklisted.
* Update tests and move around test certificates so we can
test these changes.
Stef Walter [Sun, 10 Mar 2013 20:42:49 +0000 (21:42 +0100)]
Fix up the system anchors/certificates configure arguments
Double check various combinations, and make sure we don't fail
needlessly when --disable-trust-module. Also check that actual
paths are passed into the arguments.
Stef Walter [Fri, 8 Mar 2013 07:32:50 +0000 (08:32 +0100)]
extract: Fix regression in --purpose option
The --purpose option would only match certificates that had no
purposes marked on them. Fix it so that it correctly matches
certificates with the given purpose.
Stef Walter [Sun, 3 Mar 2013 09:03:40 +0000 (10:03 +0100)]
Windows doesn't support symlinks, chmod, or atomic renames
* Don't create symlinks on Windows
* No atomic renames, so delete and then rename
* Make sure to close files before unlinking on Windows
* No chmod permissions on Windows
Stef Walter [Sun, 3 Mar 2013 09:02:06 +0000 (10:02 +0100)]
Use mingw compatible coverage flags
The way that coverage is built and linked is different with mingw
so just use the --coverage flag to represent the correct behavior
when cross compiling.
Stef Walter [Wed, 6 Feb 2013 21:16:42 +0000 (22:16 +0100)]
Only do shared object and DLL initialization in libraries
Don't do library initialization on shared object load when not running
in a library. We'll want to plug into this and do different things
per library in the future.
Stef Walter [Wed, 23 Jan 2013 11:15:27 +0000 (12:15 +0100)]
Implement code for writing PEM
* Based on the gcr code
* Bring in base64 output code from BSD
* Make sure to output base64 lines of 64 character length since
this is what OpenSSL expects
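The 64-character base64 line rule from the commit above, as an added example that is not p11-kit's own PEM writer. The DER input is a constructed 100-byte sample, not a real certificate.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not p11-kit's own code: write a PEM block whose base64 body
 * is wrapped at 64 characters per line, the width OpenSSL's PEM reader expects. */
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
/* Constructed sample input, not a real certificate: 100 bytes, two DER-looking leading bytes. */
static const unsigned char SAMPLE_DER[100] = { 0x30, 0x82 };
static char pem_out[512];

/* Writes "-----BEGIN label-----", the wrapped base64 body and "-----END label-----"
 * into buf. Returns the length written (without NUL), or -1 if buf is too small. */
int pem_write(char *buf, size_t size, const char *label,
              const unsigned char *der, size_t len)
{
    size_t n, body = ((len + 2) / 3) * 4;       /* base64 chars for len bytes */
    size_t lines = (body + 63) / 64;             /* one newline per body line */
    int r = snprintf(buf, size, "-----BEGIN %s-----\n", label);
    if (r < 0 || (size_t)r >= size) return -1;
    n = (size_t)r;
    if (n + body + lines + 1 > size) return -1;  /* reserve room for the body */
    for (size_t i = 0, k = 0; i < len; i += 3) {
        unsigned v = (unsigned)der[i] << 16;
        if (i + 1 < len) v |= (unsigned)der[i + 1] << 8;
        if (i + 2 < len) v |= der[i + 2];
        char quad[4] = { B64[(v >> 18) & 63], B64[(v >> 12) & 63],
                         i + 1 < len ? B64[(v >> 6) & 63] : '=',
                         i + 2 < len ? B64[v & 63] : '=' };
        for (int j = 0; j < 4; j++, k++) {
            if (k > 0 && k % 64 == 0) buf[n++] = '\n';  /* break after 64 chars */
            buf[n++] = quad[j];
        }
    }
    if (body > 0) buf[n++] = '\n';               /* terminate the last body line */
    r = snprintf(buf + n, size - n, "-----END %s-----\n", label);
    if (r < 0 || (size_t)r >= size - n) return -1;
    return (int)(n + r);
}

/* Longest line in a PEM string; a correctly wrapped body never exceeds 64. */
size_t pem_longest_line(const char *pem)
{
    size_t longest = 0, cur = 0;
    for (; *pem; pem++) {
        if (*pem == '\n') { if (cur > longest) longest = cur; cur = 0; }
        else cur++;
    }
    return cur > longest ? cur : longest;
}
```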
Stef Walter [Wed, 23 Jan 2013 16:35:58 +0000 (17:35 +0100)]
Support for sane writing to files extracted
* Implement atomic writes of files
* Writing with checks that nothing is overwritten unless desired
* Writing and overwriting of directory contents in a robust way
Stef Walter [Fri, 4 Jan 2013 12:57:28 +0000 (13:57 +0100)]
Implement trust assertion PKCS#11 objects
* Implement trust assertions for anchored and distrusted certs
* Pinned certificate trust assertions are not implemented yet
* Add an internal tool for pulling apart bits of certificates
Stef Walter [Thu, 3 Jan 2013 10:07:47 +0000 (11:07 +0100)]
Fill in certificate authority and trust data correctly
* Fill in CKA_CERTIFICATE_CATEGORY properly for authorities
based on the presence of BasicConstraints and/or v1 certificates
* Fill in CKA_TRUSTED and CKA_X_DISTRUSTED based on whether the
parser is running for anchors or blacklist
* In addition support the concept of blacklisted certificates mixed
in with the anchors (without any purposes) since that's what exists
in the real world.
* We do this after the various hooks have had a chance to mess
with the certificate extensions and such.
* Use stapled certificate extensions to represent loaded trust policy
* Build NSS trust objects from stapled certificate extensions
* Add further attribute debugging for NSS trust objects
* Use a custom certificate extension for the OpenSSL reject purpose data
* Use SubjectKeyIdentifier for OpenSSL keyid data
* Use ExtendedKeyUsage for OpenSSL trust purpose data
* Implement simple way to handle binary DER OIDs, using the DER TLV
length. DER OIDs are used in the CKA_OBJECT_ID value, and elsewhere.
* Split out the building of NSS trust objects from the main parser
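The DER OID handling the commit above describes, using the TLV length to delimit a binary OID such as a CKA_OBJECT_ID value, as an added example that is not p11-kit's own code. The sample OID is id-kp-serverAuth (1.3.6.1.5.5.7.3.1), constructed here as a DER TLV.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Added example, not p11-kit's code: handle a binary DER OID by its TLV length
 * and render it in dotted form. Rejects truncated or non-minimal encodings. */

/* Returns the total length of the OID TLV at der (tag + length + contents),
 * or 0 if it is not a well-formed OID within len bytes. */
size_t der_oid_length(const unsigned char *der, size_t len)
{
    if (len < 3 || der[0] != 0x06) return 0;    /* OBJECT IDENTIFIER tag */
    size_t hdr = 2, clen = der[1];
    if (clen & 0x80) {                           /* long-form length: 0x81 nn */
        if (clen != 0x81 || der[2] < 0x80) return 0;  /* non-minimal or too long */
        clen = der[2];
        hdr = 3;
    }
    if (clen == 0 || clen > len - hdr) return 0; /* empty or truncated */
    if (der[hdr + clen - 1] & 0x80) return 0;    /* last byte must end a base-128 run */
    return hdr + clen;
}

/* Decodes the OID TLV into dotted notation; returns the string length or -1. */
int der_oid_to_string(const unsigned char *der, size_t len, char *out, size_t outsize)
{
    size_t tlv = der_oid_length(der, len);
    if (tlv == 0) return -1;
    size_t hdr = (der[1] & 0x80) ? 3 : 2, n = 0;
    unsigned long value = 0;
    int first = 1, r;
    for (size_t i = hdr; i < tlv; i++) {
        if (value > (ULONG_MAX >> 7)) return -1; /* subidentifier would overflow */
        value = (value << 7) | (der[i] & 0x7f);
        if (der[i] & 0x80) continue;             /* continuation bit: more bytes follow */
        if (first) {                             /* first subidentifier packs 40*X + Y */
            unsigned long x = value < 80 ? value / 40 : 2;
            r = snprintf(out + n, outsize - n, "%lu.%lu", x, value - 40 * x);
            first = 0;
        } else {
            r = snprintf(out + n, outsize - n, ".%lu", value);
        }
        if (r < 0 || (size_t)r >= outsize - n) return -1;
        n += (size_t)r;
        value = 0;
    }
    return (int)n;
}

/* Constructed sample: id-kp-serverAuth, 1.3.6.1.5.5.7.3.1, as a DER OID TLV. */
static const unsigned char SAMPLE_OID[] = { 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01 };
static char oid_str[64];
```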
Stef Walter [Thu, 24 Jan 2013 10:28:47 +0000 (11:28 +0100)]
Add basic checksum algorithms
The SHA-1 and MD5 digests here are used for checksums in legacy
protocols. We don't use them in cryptographic contexts at all.
These particular algorithms would be poor choices for that.