summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStef Walter <stefw@gnome.org>2013-01-30 15:50:02 +0100
committerStef Walter <stefw@gnome.org>2013-02-05 15:00:25 +0100
commit39e9f190416ecb4260a3b079e1d79fc2e55f5a33 (patch)
treed5fb48883d20a3a73f7153971a6e3265b8a06535
parentdbcf3c049f4aadc1d25eb952b4feabdec14cf35d (diff)
downloadp11-kit-39e9f190416ecb4260a3b079e1d79fc2e55f5a33.tar.gz
Add support for exporting OpenSSL's TRUSTED CERTIFICATE format
-rw-r--r--build/certs/Makefile.am9
-rw-r--r--doc/p11-kit.xml8
-rw-r--r--tools/Makefile.am2
-rw-r--r--tools/extract-openssl.c686
-rw-r--r--tools/extract.c4
-rw-r--r--tools/tests/Makefile.am15
-rw-r--r--tools/tests/files/cacert3-distrust-all.pem44
-rw-r--r--tools/tests/files/cacert3-distrusted-all.pem43
-rw-r--r--tools/tests/files/cacert3-not-trusted.pem42
-rw-r--r--tools/tests/files/cacert3-trusted-alias.pem42
-rw-r--r--tools/tests/files/cacert3-trusted-client-server-alias.pem43
-rw-r--r--tools/tests/files/cacert3-trusted-keyid.pem42
-rw-r--r--tools/tests/files/cacert3-trusted-multiple.pem85
-rw-r--r--tools/tests/test-openssl.c671
-rw-r--r--tools/tests/test-utf8.c252
-rw-r--r--tools/tests/test.h9
-rw-r--r--tools/utf8.c328
-rw-r--r--tools/utf8.h53
18 files changed, 2378 insertions, 0 deletions
diff --git a/build/certs/Makefile.am b/build/certs/Makefile.am
index 1c30521..4428a2e 100644
--- a/build/certs/Makefile.am
+++ b/build/certs/Makefile.am
@@ -16,6 +16,15 @@ prepare-certs:
openssl x509 -in cacert3.der -inform DER -out $(TRUST)/files/cacert3-trusted.pem \
-addtrust clientAuth -addtrust serverAuth -addreject emailProtection \
-setalias "Custom Label"
+ cp $(TRUST)/files/cacert3-trusted.pem $(TOOLS)/files/cacert3-trusted-client-server-alias.pem
+ openssl x509 -in cacert3.der -inform DER -out $(TOOLS)/files/cacert3-trusted-alias.pem \
+ -setalias "Custom Label"
+ openssl x509 -in cacert3.der -inform DER -out $(TOOLS)/files/cacert3-distrust-all.pem \
+ -addreject serverAuth -addreject clientAuth -addreject codeSigning \
+ -addreject emailProtection -addreject ipsecEndSystem -addreject ipsecTunnel \
+ -addreject ipsecUser -addreject timeStamping
+ cat $(TOOLS)/files/cacert3-trusted-client-server-alias.pem \
+ $(TOOLS)/files/cacert3-trusted-alias.pem > $(TOOLS)/files/cacert3-trusted-multiple.pem
cp -v cacert-ca.der $(TRUST)/certificates
cp -v cacert-ca.der $(TRUST)/files
openssl x509 -in redhat-newca.der -inform DER -out $(TRUST)/files/distrusted.pem \
diff --git a/doc/p11-kit.xml b/doc/p11-kit.xml
index a980a82..c8735d8 100644
--- a/doc/p11-kit.xml
+++ b/doc/p11-kit.xml
@@ -136,6 +136,14 @@ $ p11-kit extract --format=x509-directory --filter=ca-certificates /path/to/dire
<term><option>pem-directory</option></term>
<listitem><para>Directory PEM files each containing one certifiacte</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>openssl-bundle</option></term>
+ <listitem><para>OpenSSL specific PEM bundle of certificates</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>openssl-directory</option></term>
+ <listitem><para>Directory of OpenSSL specific PEM files</para></listitem>
+ </varlistentry>
</variablelist>
</para></listitem>
</varlistentry>
diff --git a/tools/Makefile.am b/tools/Makefile.am
index 9a68686..6159c08 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -41,9 +41,11 @@ p11_kit_LDADD += \
p11_kit_SOURCES += \
extract.c extract.h \
extract-info.c \
+ extract-openssl.c \
extract-pem.c \
extract-x509.c \
save.c save.h \
+ utf8.c utf8.h \
$(NULL)
endif # WITH_ASN1
diff --git a/tools/extract-openssl.c b/tools/extract-openssl.c
new file mode 100644
index 0000000..e59d313
--- /dev/null
+++ b/tools/extract-openssl.c
@@ -0,0 +1,686 @@
+/*
+ * Copyright (c) 2013, Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the
+ * following disclaimer.
+ * * Redistributions in binary form must reproduce the
+ * above copyright notice, this list of conditions and
+ * the following disclaimer in the documentation and/or
+ * other materials provided with the distribution.
+ * * The names of contributors to this software may not be
+ * used to endorse or promote products derived from this
+ * software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@redhat.com>
+ */
+
+#include "config.h"
+
+#include "asn1.h"
+#include "attrs.h"
+#include "buffer.h"
+#include "checksum.h"
+#include "compat.h"
+#include "debug.h"
+#include "dict.h"
+#include "extract.h"
+#include "library.h"
+#include "oid.h"
+#include "pem.h"
+#include "pkcs11.h"
+#include "pkcs11x.h"
+#include "save.h"
+#include "utf8.h"
+#include "x509.h"
+
+#include <assert.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* These functions are declared with a global scope for testing */
+
+void p11_openssl_canon_string (char *str,
+ long *len);
+
+bool p11_openssl_canon_string_der (p11_buffer *der);
+
+bool p11_openssl_canon_name_der (p11_dict *asn1_defs,
+ p11_buffer *der);
+
+static p11_array *
+empty_usages (void)
+{
+ return p11_array_new (free);
+}
+
+static bool
+known_usages (p11_array *oids)
+{
+ char *string;
+ int i;
+
+ const char *strings[] = {
+ P11_OID_SERVER_AUTH_STR,
+ P11_OID_CLIENT_AUTH_STR,
+ P11_OID_CODE_SIGNING_STR,
+ P11_OID_EMAIL_PROTECTION_STR,
+ P11_OID_IPSEC_END_SYSTEM_STR,
+ P11_OID_IPSEC_TUNNEL_STR,
+ P11_OID_IPSEC_USER_STR,
+ P11_OID_TIME_STAMPING_STR,
+ NULL,
+ };
+
+ for (i = 0; strings[i] != NULL; i++) {
+ string = strdup (strings[i]);
+ return_val_if_fail (string != NULL, false);
+ if (!p11_array_push (oids, string))
+ return_val_if_reached (false);
+ }
+
+ return true;
+}
+
+static bool
+load_usage_ext (p11_extract_info *ex,
+ const unsigned char *ext_oid,
+ p11_array **oids)
+{
+ CK_ATTRIBUTE attr = { CKA_OBJECT_ID, (void *)ext_oid,
+ p11_oid_length (ext_oid) };
+ CK_ATTRIBUTE *value;
+
+ value = p11_attrs_find_valid (p11_dict_get (ex->stapled, &attr), CKA_VALUE);
+ if (value == NULL) {
+ *oids = NULL;
+ return true;
+ }
+
+ *oids = p11_x509_parse_extended_key_usage (ex->asn1_defs, value->pValue,
+ value->ulValueLen);
+ return_val_if_fail (*oids != NULL, false);
+
+ return true;
+}
+
+static bool
+write_usages (node_asn *asn,
+ const char *field,
+ p11_array *oids)
+{
+ char *last;
+ int ret;
+ int i;
+
+ /*
+ * No oids? Then doing this will make the entire optional
+ * field go away
+ */
+ if (oids == NULL) {
+ ret = asn1_write_value (asn, field, NULL, 0);
+ return_val_if_fail (ret == ASN1_SUCCESS, false);
+
+ } else {
+ if (asprintf (&last, "%s.?LAST", field) < 0)
+ return_val_if_reached (false);
+ for (i = 0; i < oids->num; i++) {
+ ret = asn1_write_value (asn, field, "NEW", 1);
+ return_val_if_fail (ret == ASN1_SUCCESS, false);
+ ret = asn1_write_value (asn, last, oids->elem[i], -1);
+ return_val_if_fail (ret == ASN1_SUCCESS, false);
+ }
+
+ free (last);
+ }
+
+ return true;
+}
+
+static bool
+write_trust_and_rejects (p11_extract_info *ex,
+ node_asn *asn)
+{
+ p11_array *trusts = NULL;
+ p11_array *rejects = NULL;
+ CK_BBOOL trust;
+ CK_BBOOL distrust;
+
+ if (!p11_attrs_find_bool (ex->attrs, CKA_TRUSTED, &trust))
+ trust = CK_FALSE;
+ if (!p11_attrs_find_bool (ex->attrs, CKA_X_DISTRUSTED, &distrust))
+ distrust = CK_FALSE;
+
+ if (!load_usage_ext (ex, P11_OID_OPENSSL_REJECT, &rejects))
+ return_val_if_reached (false);
+
+ if (distrust) {
+
+ /*
+ * If this is on the blacklist then, make sure we have
+ * an empty trusts field and add as many things to rejects
+ * as possible.
+ */
+ trusts = NULL;
+
+ if (!rejects)
+ rejects = empty_usages ();
+ if (!known_usages (rejects))
+ return_val_if_reached (false);
+ return_val_if_fail (rejects != NULL, false);
+
+ } else if (trust) {
+
+ /*
+ * If this is an anchor, then try and guarantee that there
+ * are some trust anchors.
+ */
+
+ if (!load_usage_ext (ex, P11_OID_EXTENDED_KEY_USAGE, &trusts))
+ return_val_if_reached (false);
+
+ } else {
+
+ /*
+ * This is not an anchor, always put an empty trusts
+ * section, with possible rejects, loaded above
+ */
+
+ trusts = empty_usages ();
+ }
+
+ if (!write_usages (asn, "trust", trusts) ||
+ !write_usages (asn, "reject", rejects))
+ return_val_if_reached (false);
+
+ p11_array_free (trusts);
+ p11_array_free (rejects);
+ return true;
+}
+
+static bool
+write_keyid (p11_extract_info *ex,
+ node_asn *asn)
+{
+ CK_ATTRIBUTE attr = { CKA_OBJECT_ID,
+ (void *)P11_OID_SUBJECT_KEY_IDENTIFIER,
+ sizeof (P11_OID_SUBJECT_KEY_IDENTIFIER) };
+ CK_ATTRIBUTE *value;
+ int ret;
+
+ value = p11_attrs_find_valid (p11_dict_get (ex->stapled, &attr), CKA_VALUE);
+ if (value == NULL) {
+ ret = asn1_write_value (asn, "keyid", NULL, 0);
+ return_val_if_fail (ret == ASN1_SUCCESS, false);
+ } else {
+ ret = asn1_write_value (asn, "keyid", value->pValue, value->ulValueLen);
+ return_val_if_fail (ret == ASN1_SUCCESS, false);
+ }
+
+ return true;
+}
+
+static bool
+write_alias (p11_extract_info *ex,
+ node_asn *asn)
+{
+ CK_ATTRIBUTE *label;
+ int ret;
+
+ label = p11_attrs_find_valid (ex->attrs, CKA_LABEL);
+ if (label == NULL) {
+ ret = asn1_write_value (asn, "alias", NULL, 0);
+ return_val_if_fail (ret == ASN1_SUCCESS, false);
+ } else {
+ ret = asn1_write_value (asn, "alias", label->pValue, label->ulValueLen);
+ return_val_if_fail (ret == ASN1_SUCCESS, false);
+ }
+
+ return true;
+}
+
+static bool
+write_other (p11_extract_info *ex,
+ node_asn *asn)
+{
+ int ret;
+
+ ret = asn1_write_value (asn, "other", NULL, 0);
+ return_val_if_fail (ret == ASN1_SUCCESS, false);
+
+ return true;
+}
+
+static bool
+prepare_pem_contents (p11_extract_info *ex,
+ p11_buffer *buffer)
+{
+ char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE];
+ unsigned char *der;
+ node_asn *asn;
+ size_t offset;
+ int ret;
+ int len;
+
+ p11_buffer_add (buffer, ex->cert_der, ex->cert_len);
+
+ asn = p11_asn1_create (ex->asn1_defs, "OPENSSL.CertAux");
+ return_val_if_fail (asn != NULL, false);
+
+ if (!write_trust_and_rejects (ex, asn) ||
+ !write_alias (ex, asn) ||
+ !write_keyid (ex, asn) ||
+ !write_other (ex, asn))
+ return_val_if_reached (false);
+
+ len = 0;
+ offset = buffer->len;
+
+ ret = asn1_der_coding (asn, "", NULL, &len, message);
+ return_val_if_fail (ret == ASN1_MEM_ERROR, false);
+
+ der = p11_buffer_append (buffer, len);
+ return_val_if_fail (der != NULL, false);
+
+ ret = asn1_der_coding (asn, "", der, &len, message);
+ return_val_if_fail (ret == ASN1_SUCCESS, false);
+
+ buffer->len = offset + len;
+ asn1_delete_structure (&asn);
+ return true;
+}
+
+bool
+p11_extract_openssl_bundle (P11KitIter *iter,
+ p11_extract_info *ex)
+{
+ p11_save_file *file;
+ p11_buffer buf;
+ bool ret = true;
+ size_t length;
+ CK_RV rv;
+ char *pem;
+
+ file = p11_save_open_file (ex->destination, ex->flags);
+ if (!file)
+ return false;
+
+ while ((rv = p11_kit_iter_next (iter)) == CKR_OK) {
+ p11_buffer_init (&buf, 1024);
+
+ if (prepare_pem_contents (ex, &buf)) {
+ pem = p11_pem_write (buf.data, buf.len, "TRUSTED CERTIFICATE", &length);
+ return_val_if_fail (pem != NULL, false);
+
+ ret = p11_save_write (file, pem, length);
+ free (pem);
+ }
+
+ p11_buffer_uninit (&buf);
+
+ if (!ret)
+ break;
+ }
+
+ if (rv != CKR_OK && rv != CKR_CANCEL) {
+ p11_message ("failed to find certificates: %s", p11_kit_strerror (rv));
+ ret = false;
+ }
+
+ /*
+ * This will produce an empty file (which is a valid PEM bundle) if no
+ * certificates were found.
+ */
+
+ p11_save_finish_file (file, ret);
+ return ret;
+}
+
+void
+p11_openssl_canon_string (char *str,
+ long *len)
+{
+ bool nsp;
+ bool sp;
+ char *in;
+ char *out;
+ char *end;
+
+ /*
+ * Now that the string is UTF-8 here we convert the string to the
+ * OpenSSL canonical form. This is a bit odd and openssl specific.
+ * Basically they ignore any char over 127, do ascii tolower() stuff
+ * and collapse spaces based on isspace().
+ */
+
+ for (in = out = str, end = out + *len, sp = false, nsp = false; in < end; in++) {
+ if (*in & 0x80 || !isspace (*in)) {
+ /* If there has been a space, then add one */
+ if (sp)
+ *out++ = ' ';
+ *out++ = (*in & 0x80) ? *in : tolower (*in);
+ sp = false;
+ nsp = true;
+ /* If there has been a non-space, then note we should get one */
+ } else if (nsp) {
+ nsp = false;
+ sp = true;
+ }
+ }
+
+ if (out < end)
+ out[0] = 0;
+ *len = out - str;
+}
+
+bool
+p11_openssl_canon_string_der (p11_buffer *der)
+{
+ unsigned char *input = der->data;
+ int input_len = der->len;
+ unsigned char *output;
+ unsigned long tag;
+ unsigned char cls;
+ size_t conv_len;
+ int tag_len;
+ int len_len;
+ void *octets;
+ long octet_len;
+ int output_len;
+ void *conv = NULL;
+ int len;
+ int ret;
+
+ ret = asn1_get_tag_der (input, input_len, &cls, &tag_len, &tag);
+ return_val_if_fail (ret == ASN1_SUCCESS, false);
+
+ octet_len = asn1_get_length_der (input + tag_len, input_len - tag_len, &len_len);
+ return_val_if_fail (octet_len >= 0, false);
+ return_val_if_fail (tag_len + len_len + octet_len == input_len, false);
+
+ octets = input + tag_len + len_len;
+
+ /* The following strings are the ones we normalize */
+ switch (tag) {
+ case 12: /* UTF8String */
+ case 18: /* NumericString */
+ case 22: /* IA5String */
+ case 20: /* TeletexString */
+ case 19: /* PrintableString */
+ if (!p11_utf8_validate (octets, octet_len))
+ return false;
+ break;
+
+ case 28: /* UniversalString */
+ octets = conv = p11_utf8_for_ucs4be (octets, octet_len, &conv_len);
+ if (conv == NULL)
+ return false;
+ octet_len = conv_len;
+ break;
+
+ case 30: /* BMPString */
+ octets = conv = p11_utf8_for_ucs2be (octets, octet_len, &conv_len);
+ if (conv == NULL)
+ return false;
+ octet_len = conv_len;
+ break;
+
+ /* Just pass through all the non-string types */
+ default:
+ return true;
+ }
+
+ p11_openssl_canon_string (octets, &octet_len);
+
+ asn1_length_der (octet_len, NULL, &len_len);
+ output_len = 1 + len_len + octet_len;
+
+ if (!p11_buffer_reset (der, output_len))
+ return_val_if_reached (false);
+
+ output = der->data;
+ der->len = output_len;
+
+ output[0] = 12; /* UTF8String */
+ len = output_len - 1;
+ asn1_octet_der (octets, octet_len, output + 1, &len);
+ assert (len == output_len - 1);
+
+ free (conv);
+ return true;
+}
+
+bool
+p11_openssl_canon_name_der (p11_dict *asn1_defs,
+ p11_buffer *der)
+{
+ p11_buffer value;
+ char outer[64];
+ char field[64];
+ node_asn *name;
+ void *at;
+ int value_len;
+ bool failed;
+ size_t offset;
+ int ret;
+ int num;
+ int len;
+ int i, j;
+
+ name = p11_asn1_decode (asn1_defs, "PKIX1.Name", der->data, der->len, NULL);
+ return_val_if_fail (name != NULL, false);
+
+ ret = asn1_number_of_elements (name, "rdnSequence", &num);
+ return_val_if_fail (ret == ASN1_SUCCESS, false);
+
+ p11_buffer_init (&value, 0);
+ p11_buffer_reset (der, 0);
+
+ for (i = 1, failed = false; !failed && i < num + 1; i++) {
+ snprintf (outer, sizeof (outer), "rdnSequence.?%d", i);
+ for (j = 1; !failed; j++) {
+ snprintf (field, sizeof (field), "%s.?%d.value", outer, j);
+
+ value_len = 0;
+ ret = asn1_read_value (name, field, NULL, &value_len);
+ if (ret == ASN1_ELEMENT_NOT_FOUND)
+ break;
+
+ return_val_if_fail (ret == ASN1_MEM_ERROR, false);
+
+ if (!p11_buffer_reset (&value, value_len))
+ return_val_if_reached (false);
+
+ ret = asn1_read_value (name, field, value.data, &value_len);
+ return_val_if_fail (ret == ASN1_SUCCESS, false);
+ value.len = value_len;
+
+ if (p11_openssl_canon_string_der (&value)) {
+ ret = asn1_write_value (name, field, value.data, value.len);
+ return_val_if_fail (ret == ASN1_SUCCESS, false);
+ } else {
+ failed = true;
+ }
+ }
+
+ /*
+ * Yes the OpenSSL canon strangeness, is a concatenation
+ * of all the RelativeDistinguishedName DER encodings, without
+ * an outside wrapper.
+ */
+ if (!failed) {
+ len = -1;
+ ret = asn1_der_coding (name, outer, NULL, &len, NULL);
+ return_val_if_fail (ret == ASN1_MEM_ERROR, false);
+
+ offset = der->len;
+ at = p11_buffer_append (der, len);
+ return_val_if_fail (at != NULL, false);
+
+ ret = asn1_der_coding (name, outer, at, &len, NULL);
+ return_val_if_fail (ret == ASN1_SUCCESS, false);
+ der->len = offset + len;
+ }
+ }
+
+ asn1_delete_structure (&name);
+ p11_buffer_uninit (&value);
+ return !failed;
+}
+
+static char *
+symlink_for_subject_hash (p11_extract_info *ex)
+{
+ unsigned char md[P11_CHECKSUM_SHA1_LENGTH];
+ p11_buffer der;
+ CK_ATTRIBUTE *subject;
+ unsigned long hash;
+ char *linkname = NULL;
+
+ subject = p11_attrs_find_valid (ex->attrs, CKA_SUBJECT);
+ if (!subject || !subject->pValue || !subject->ulValueLen)
+ return NULL;
+
+ p11_buffer_init_full (&der, memdup (subject->pValue, subject->ulValueLen),
+ subject->ulValueLen, 0, realloc, free);
+ return_val_if_fail (der.data != NULL, NULL);
+
+ if (p11_openssl_canon_name_der (ex->asn1_defs, &der)) {
+ p11_checksum_sha1 (md, der.data, der.len, NULL);
+
+ hash = (
+ ((unsigned long)md[0] ) | ((unsigned long)md[1] << 8L) |
+ ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
+ ) & 0xffffffffL;
+
+ if (asprintf (&linkname, "%08lx", hash) < 0)
+ return_val_if_reached (NULL);
+ }
+
+ p11_buffer_uninit (&der);
+ return linkname;
+}
+
+static char *
+symlink_for_subject_old_hash (p11_extract_info *ex)
+{
+ unsigned char md[P11_CHECKSUM_MD5_LENGTH];
+ CK_ATTRIBUTE *subject;
+ unsigned long hash;
+ char *linkname;
+
+ subject = p11_attrs_find_valid (ex->attrs, CKA_SUBJECT);
+ if (!subject)
+ return NULL;
+
+ p11_checksum_md5 (md, subject->pValue, subject->ulValueLen, NULL);
+
+ hash = (
+ ((unsigned long)md[0] ) | ((unsigned long)md[1] << 8L) |
+ ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
+ ) & 0xffffffffL;
+
+ if (asprintf (&linkname, "%08lx", hash) < 0)
+ return_val_if_reached (NULL);
+
+ return linkname;
+}
+
+bool
+p11_extract_openssl_directory (P11KitIter *iter,
+ p11_extract_info *ex)
+{
+ const char *filename;
+ p11_save_file *file;
+ p11_save_dir *dir;
+ p11_buffer buf;
+ bool ret = true;
+ char *linkname;
+ char *name;
+ size_t length;
+ char *pem;
+ CK_RV rv;
+
+ dir = p11_save_open_directory (ex->destination, ex->flags);
+ if (dir == NULL)
+ return false;
+
+ p11_buffer_init (&buf, 0);
+
+ while ((rv = p11_kit_iter_next (iter)) == CKR_OK) {
+ pem = p11_pem_write (ex->cert_der, ex->cert_len, "CERTIFICATE", &length);
+ return_val_if_fail (pem != NULL, false);
+
+ if (!p11_buffer_reset (&buf, 1024))
+ return_val_if_reached (false);
+
+ if (prepare_pem_contents (ex, &buf)) {
+ pem = p11_pem_write (buf.data, buf.len, "TRUSTED CERTIFICATE", &length);
+ return_val_if_fail (pem != NULL, false);
+
+ name = p11_extract_info_filename (ex);
+ return_val_if_fail (name != NULL, false);
+
+ file = p11_save_open_file_in (dir, name, ".pem", &filename);
+
+ /*
+ * The OpenSSL style c_rehash stuff
+ *
+ * Different versions of openssl build these hashes differently
+ * so output both of them. Shouldn't cause confusion, because
+ * multiple certificates can hash to the same link anyway,
+ * and this is the reason for the trailing number after the dot.
+ *
+ * The trailing number is incremented p11_save_symlink_in() if it
+ * conflicts with something we've already written out.
+ */
+
+ linkname = symlink_for_subject_hash (ex);
+ if (file && linkname) {
+ ret = p11_save_symlink_in (dir, linkname, ".0", filename);
+ free (linkname);
+ }
+
+ linkname = symlink_for_subject_old_hash (ex);
+ if (file && linkname) {
+ ret = p11_save_symlink_in (dir, linkname, ".0", filename);
+ free (linkname);
+ }
+
+ ret = p11_save_write_and_finish (file, pem, length);
+ free (name);
+ free (pem);
+ }
+
+ if (!ret)
+ break;
+ }
+
+ p11_buffer_uninit (&buf);
+
+ if (rv != CKR_OK && rv != CKR_CANCEL) {
+ p11_message ("failed to find certificates: %s", p11_kit_strerror (rv));
+ ret = false;
+ }
+
+ p11_save_finish_directory (dir, ret);
+ return ret;
+}
diff --git a/tools/extract.c b/tools/extract.c
index 738b1c6..19b6c21 100644
--- a/tools/extract.c
+++ b/tools/extract.c
@@ -177,6 +177,8 @@ format_argument (const char *optarg,
{ "x509-directory", p11_extract_x509_directory, },
{ "pem-bundle", p11_extract_pem_bundle, },
{ "pem-directory", p11_extract_pem_directory },
+ { "openssl-bundle", p11_extract_openssl_bundle },
+ { "openssl-directory", p11_extract_openssl_directory },
{ NULL },
};
@@ -283,6 +285,8 @@ limit_purposes_if_necessary (p11_extract_info *ex,
*/
static p11_extract_func format_supports_purposes[] = {
+ p11_extract_openssl_bundle,
+ p11_extract_openssl_directory,
NULL
};
diff --git a/tools/tests/Makefile.am b/tools/tests/Makefile.am
index bf1d32d..e50836d 100644
--- a/tools/tests/Makefile.am
+++ b/tools/tests/Makefile.am
@@ -37,10 +37,12 @@ libtestcommon_la_SOURCES = \
test.c test.h
CHECK_PROGS = \
+ test-utf8 \
test-save \
test-extract \
test-x509 \
test-pem \
+ test-openssl \
$(NULL)
noinst_PROGRAMS = \
@@ -72,4 +74,17 @@ test_pem_SOURCES = \
$(TOOLS)/save.c \
$(NULL)
+test_openssl_SOURCES = \
+ test-openssl.c \
+ $(TOOLS)/extract-info.c \
+ $(TOOLS)/extract-openssl.c \
+ $(TOOLS)/save.c \
+ $(TOOLS)/utf8.c \
+ $(NULL)
+
+test_utf8_SOURCES = \
+ test-utf8.c \
+ $(TOOLS)/utf8.c \
+ $(NULL)
+
endif # WITH_ASN1
diff --git a/tools/tests/files/cacert3-distrust-all.pem b/tools/tests/files/cacert3-distrust-all.pem
new file mode 100644
index 0000000..ce5d887
--- /dev/null
+++ b/tools/tests/files/cacert3-distrust-all.pem
@@ -0,0 +1,44 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
+gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
+BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
+A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
+c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
+AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
+BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
+MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
+ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
+b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
+QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
+7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
+Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
+D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
+VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
+lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
+Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
+hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
+0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
+ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
+d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
+4GGSt/M3mMS+lqO3ijBSoFAGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMG
+CCsGAQUFBwMEBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQcD
+CA==
+-----END TRUSTED CERTIFICATE-----
diff --git a/tools/tests/files/cacert3-distrusted-all.pem b/tools/tests/files/cacert3-distrusted-all.pem
new file mode 100644
index 0000000..4a04a39
--- /dev/null
+++ b/tools/tests/files/cacert3-distrusted-all.pem
@@ -0,0 +1,43 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
+gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
+BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
+A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
+c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
+AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
+BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
+MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
+ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
+b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
+QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
+7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
+Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
+D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
+VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
+lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
+Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
+hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
+0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
+ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
+d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
+4GGSt/M3mMS+lqO3ijBIoEYGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMG
+CCsGAQUFBwMFBggrBgEFBQcDBgYIKwYBBQUHAwcGCCsGAQUFBwMI
+-----END TRUSTED CERTIFICATE-----
diff --git a/tools/tests/files/cacert3-not-trusted.pem b/tools/tests/files/cacert3-not-trusted.pem
new file mode 100644
index 0000000..eaa2e54
--- /dev/null
+++ b/tools/tests/files/cacert3-not-trusted.pem
@@ -0,0 +1,42 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
+gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
+BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
+A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
+c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
+AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
+BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
+MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
+ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
+b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
+QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
+7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
+Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
+D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
+VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
+lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
+Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
+hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
+0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
+ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
+d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
+4GGSt/M3mMS+lqO3ijACMAA=
+-----END TRUSTED CERTIFICATE-----
diff --git a/tools/tests/files/cacert3-trusted-alias.pem b/tools/tests/files/cacert3-trusted-alias.pem
new file mode 100644
index 0000000..44601ea
--- /dev/null
+++ b/tools/tests/files/cacert3-trusted-alias.pem
@@ -0,0 +1,42 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
+gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
+BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
+A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
+c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
+AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
+BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
+MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
+ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
+b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
+QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
+7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
+Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
+D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
+VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
+lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
+Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
+hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
+0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
+ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
+d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
+4GGSt/M3mMS+lqO3ijAODAxDdXN0b20gTGFiZWw=
+-----END TRUSTED CERTIFICATE-----
diff --git a/tools/tests/files/cacert3-trusted-client-server-alias.pem b/tools/tests/files/cacert3-trusted-client-server-alias.pem
new file mode 100644
index 0000000..c767eff
--- /dev/null
+++ b/tools/tests/files/cacert3-trusted-client-server-alias.pem
@@ -0,0 +1,43 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
+gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
+BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
+A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
+c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
+AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
+BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
+MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
+ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
+b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
+QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
+7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
+Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
+D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
+VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
+lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
+Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
+hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
+0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
+ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
+d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
+4GGSt/M3mMS+lqO3ijAwMBQGCCsGAQUFBwMCBggrBgEFBQcDAaAKBggrBgEFBQcD
+BAwMQ3VzdG9tIExhYmVs
+-----END TRUSTED CERTIFICATE-----
diff --git a/tools/tests/files/cacert3-trusted-keyid.pem b/tools/tests/files/cacert3-trusted-keyid.pem
new file mode 100644
index 0000000..e652733
--- /dev/null
+++ b/tools/tests/files/cacert3-trusted-keyid.pem
@@ -0,0 +1,42 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
+gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
+BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
+A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
+c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
+AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
+BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
+MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
+ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
+b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
+QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
+7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
+Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
+D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
+VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
+lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
+Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
+hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
+0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
+ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
+d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
+4GGSt/M3mMS+lqO3ijAJBAcAAQIDBAUG
+-----END TRUSTED CERTIFICATE-----
diff --git a/tools/tests/files/cacert3-trusted-multiple.pem b/tools/tests/files/cacert3-trusted-multiple.pem
new file mode 100644
index 0000000..5f8071b
--- /dev/null
+++ b/tools/tests/files/cacert3-trusted-multiple.pem
@@ -0,0 +1,85 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
+gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
+BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
+A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
+c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
+AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
+BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
+MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
+ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
+b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
+QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
+7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
+Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
+D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
+VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
+lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
+Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
+hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
+0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
+ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
+d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
+4GGSt/M3mMS+lqO3ijAwMBQGCCsGAQUFBwMCBggrBgEFBQcDAaAKBggrBgEFBQcD
+BAwMQ3VzdG9tIExhYmVs
+-----END TRUSTED CERTIFICATE-----
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
+gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
+BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
+A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
+c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
+AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
+BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
+MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
+ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
+b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
+QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
+7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
+Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
+D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
+VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
+lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
+Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
+hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
+0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
+ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
+d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
+4GGSt/M3mMS+lqO3ijAODAxDdXN0b20gTGFiZWw=
+-----END TRUSTED CERTIFICATE-----
diff --git a/tools/tests/test-openssl.c b/tools/tests/test-openssl.c
new file mode 100644
index 0000000..a48220d
--- /dev/null
+++ b/tools/tests/test-openssl.c
@@ -0,0 +1,671 @@
+/*
+ * Copyright (c) 2011, Collabora Ltd.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the
+ * following disclaimer.
+ * * Redistributions in binary form must reproduce the
+ * above copyright notice, this list of conditions and
+ * the following disclaimer in the documentation and/or
+ * other materials provided with the distribution.
+ * * The names of contributors to this software may not be
+ * used to endorse or promote products derived from this
+ * software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@collabora.co.uk>
+ */
+
+#include "config.h"
+#include "CuTest.h"
+
+#include "attrs.h"
+#include "buffer.h"
+#include "compat.h"
+#include "debug.h"
+#include "dict.h"
+#include "extract.h"
+#include "library.h"
+#include "mock.h"
+#include "pkcs11.h"
+#include "pkcs11x.h"
+#include "oid.h"
+#include "test.h"
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define ELEMS(x) (sizeof (x) / sizeof (x[0]))
+
+struct {
+ CK_FUNCTION_LIST module;
+ P11KitIter *iter;
+ p11_extract_info ex;
+ char *directory;
+} test;
+
+static void
+setup (CuTest *tc)
+{
+ CK_RV rv;
+
+ memcpy (&test.module, &mock_module, sizeof (CK_FUNCTION_LIST));
+ rv = p11_kit_initialize_module (&test.module);
+ CuAssertIntEquals (tc, CKR_OK, rv);
+
+ mock_module_reset_objects (MOCK_SLOT_ONE_ID);
+
+ test.iter = p11_kit_iter_new (NULL);
+
+ p11_extract_info_init (&test.ex);
+
+ test.directory = strdup ("/tmp/test-extract.XXXXXX");
+ if (!mkdtemp (test.directory))
+ assert_not_reached ();
+}
+
+static void
+teardown (CuTest *tc)
+{
+ CK_RV rv;
+
+ if (rmdir (test.directory) < 0)
+ assert_not_reached ();
+ free (test.directory);
+
+ p11_extract_info_cleanup (&test.ex);
+ p11_kit_iter_free (test.iter);
+
+ rv = p11_kit_finalize_module (&test.module);
+ CuAssertIntEquals (tc, CKR_OK, rv);
+}
+
+static CK_OBJECT_CLASS certificate_class = CKO_CERTIFICATE;
+static CK_OBJECT_CLASS extension_class = CKO_X_CERTIFICATE_EXTENSION;
+static CK_CERTIFICATE_TYPE x509_type = CKC_X_509;
+static CK_BBOOL vtrue = CK_TRUE;
+
+static CK_ATTRIBUTE cacert3_authority_attrs[] = {
+ { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
+ { CKA_CLASS, &certificate_class, sizeof (certificate_class) },
+ { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) },
+ { CKA_LABEL, "Custom Label", 12 },
+ { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) },
+ { CKA_TRUSTED, &vtrue, sizeof (vtrue) },
+ { CKA_INVALID },
+};
+
+static CK_ATTRIBUTE extension_eku_client_server[] = {
+ { CKA_CLASS, &extension_class, sizeof (extension_class) },
+ { CKA_OBJECT_ID, (void *)P11_OID_EXTENDED_KEY_USAGE, sizeof (P11_OID_EXTENDED_KEY_USAGE) },
+ { CKA_VALUE, (void *)test_eku_client_and_server, sizeof (test_eku_client_and_server) },
+ { CKA_INVALID },
+};
+
+static CK_ATTRIBUTE extension_reject_email[] = {
+ { CKA_CLASS, &extension_class, sizeof (extension_class) },
+ { CKA_OBJECT_ID, (void *)P11_OID_OPENSSL_REJECT, sizeof (P11_OID_OPENSSL_REJECT) },
+ { CKA_VALUE, (void *)test_eku_email, sizeof (test_eku_email) },
+ { CKA_INVALID },
+};
+
+static CK_ATTRIBUTE certificate_filter[] = {
+ { CKA_CLASS, &certificate_class, sizeof (certificate_class) },
+ { CKA_INVALID },
+};
+
+static void
+setup_objects (const CK_ATTRIBUTE *attrs,
+ ...) GNUC_NULL_TERMINATED;
+
+static void
+setup_objects (const CK_ATTRIBUTE *attrs,
+ ...)
+{
+ static CK_ULONG id_value = 8888;
+
+ CK_ATTRIBUTE id = { CKA_ID, &id_value, sizeof (id_value) };
+ CK_ATTRIBUTE *copy;
+ va_list va;
+
+ va_start (va, attrs);
+ while (attrs != NULL) {
+ copy = p11_attrs_build (p11_attrs_dup (attrs), &id, NULL);
+ assert (copy != NULL);
+ mock_module_take_object (MOCK_SLOT_ONE_ID, copy);
+ attrs = va_arg (va, const CK_ATTRIBUTE *);
+ }
+ va_end (va);
+
+ id_value++;
+}
+
+static void
+test_file (CuTest *tc)
+{
+ bool ret;
+
+ setup (tc);
+
+ setup_objects (cacert3_authority_attrs,
+ extension_eku_client_server,
+ extension_reject_email,
+ NULL);
+
+ p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL);
+ p11_kit_iter_add_filter (test.iter, certificate_filter, 1);
+ p11_kit_iter_begin_with (test.iter, &test.module, 0, 0);
+
+ if (asprintf (&test.ex.destination, "%s/%s", test.directory, "extract.pem") < 0)
+ assert_not_reached ();
+
+ ret = p11_extract_openssl_bundle (test.iter, &test.ex);
+ CuAssertIntEquals (tc, true, ret);
+
+ test_check_file (tc, test.directory, "extract.pem",
+ SRCDIR "/files/cacert3-trusted-client-server-alias.pem");
+
+ teardown (tc);
+}
+
+static void
+test_plain (CuTest *tc)
+{
+ bool ret;
+
+ setup (tc);
+ setup_objects (cacert3_authority_attrs, NULL);
+
+ p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL);
+ p11_kit_iter_add_filter (test.iter, certificate_filter, 1);
+ p11_kit_iter_begin_with (test.iter, &test.module, 0, 0);
+
+ if (asprintf (&test.ex.destination, "%s/%s", test.directory, "extract.pem") < 0)
+ assert_not_reached ();
+
+ ret = p11_extract_openssl_bundle (test.iter, &test.ex);
+ CuAssertIntEquals (tc, true, ret);
+
+ test_check_file (tc, test.directory, "extract.pem",
+ SRCDIR "/files/cacert3-trusted-alias.pem");
+
+ teardown (tc);
+}
+
+static void
+test_keyid (CuTest *tc)
+{
+ bool ret;
+
+ static CK_ATTRIBUTE cacert3_plain[] = {
+ { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
+ { CKA_CLASS, &certificate_class, sizeof (certificate_class) },
+ { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) },
+ { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) },
+ { CKA_TRUSTED, &vtrue, sizeof (vtrue) },
+ { CKA_INVALID },
+ };
+
+ static unsigned char identifier[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };
+
+ static CK_ATTRIBUTE extension_subject_key_identifier[] = {
+ { CKA_CLASS, &extension_class, sizeof (extension_class) },
+ { CKA_OBJECT_ID, (void *)P11_OID_SUBJECT_KEY_IDENTIFIER, sizeof (P11_OID_SUBJECT_KEY_IDENTIFIER) },
+ { CKA_VALUE, identifier, sizeof (identifier) },
+ { CKA_INVALID },
+ };
+
+ setup (tc);
+ setup_objects (cacert3_plain, extension_subject_key_identifier, NULL);
+
+ p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL);
+ p11_kit_iter_add_filter (test.iter, certificate_filter, 1);
+ p11_kit_iter_begin_with (test.iter, &test.module, 0, 0);
+
+ if (asprintf (&test.ex.destination, "%s/%s", test.directory, "extract.pem") < 0)
+ assert_not_reached ();
+
+ ret = p11_extract_openssl_bundle (test.iter, &test.ex);
+ CuAssertIntEquals (tc, true, ret);
+
+ test_check_file (tc, test.directory, "extract.pem",
+ SRCDIR "/files/cacert3-trusted-keyid.pem");
+
+ teardown (tc);
+}
+
+static void
+test_not_authority (CuTest *tc)
+{
+ bool ret;
+
+ static CK_ATTRIBUTE cacert3_not_trusted[] = {
+ { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
+ { CKA_CLASS, &certificate_class, sizeof (certificate_class) },
+ { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) },
+ { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) },
+ { CKA_INVALID },
+ };
+
+ setup (tc);
+ setup_objects (cacert3_not_trusted, NULL);
+
+ p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL);
+ p11_kit_iter_add_filter (test.iter, certificate_filter, 1);
+ p11_kit_iter_begin_with (test.iter, &test.module, 0, 0);
+
+ if (asprintf (&test.ex.destination, "%s/%s", test.directory, "extract.pem") < 0)
+ assert_not_reached ();
+
+ ret = p11_extract_openssl_bundle (test.iter, &test.ex);
+ CuAssertIntEquals (tc, true, ret);
+
+ test_check_file (tc, test.directory, "extract.pem",
+ SRCDIR "/files/cacert3-not-trusted.pem");
+
+ teardown (tc);
+}
+
+static void
+test_distrust_all (CuTest *tc)
+{
+ bool ret;
+
+ static CK_ATTRIBUTE cacert3_blacklist[] = {
+ { CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
+ { CKA_CLASS, &certificate_class, sizeof (certificate_class) },
+ { CKA_CERTIFICATE_TYPE, &x509_type, sizeof (x509_type) },
+ { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) },
+ { CKA_X_DISTRUSTED, &vtrue, sizeof (vtrue) },
+ { CKA_INVALID },
+ };
+
+ setup (tc);
+
+ setup_objects (cacert3_blacklist, NULL);
+
+ p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL);
+ p11_kit_iter_add_filter (test.iter, certificate_filter, 1);
+ p11_kit_iter_begin_with (test.iter, &test.module, 0, 0);
+
+ if (asprintf (&test.ex.destination, "%s/%s", test.directory, "extract.pem") < 0)
+ assert_not_reached ();
+
+ ret = p11_extract_openssl_bundle (test.iter, &test.ex);
+ CuAssertIntEquals (tc, true, ret);
+
+ test_check_file (tc, test.directory, "extract.pem",
+ SRCDIR "/files/cacert3-distrust-all.pem");
+
+ teardown (tc);
+}
+
+static void
+test_file_multiple (CuTest *tc)
+{
+ bool ret;
+
+ setup (tc);
+
+ setup_objects (cacert3_authority_attrs,
+ extension_eku_client_server,
+ extension_reject_email,
+ NULL);
+
+ setup_objects (cacert3_authority_attrs,
+ NULL);
+
+ p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL);
+ p11_kit_iter_add_filter (test.iter, certificate_filter, 1);
+ p11_kit_iter_begin_with (test.iter, &test.module, 0, 0);
+
+ if (asprintf (&test.ex.destination, "%s/%s", test.directory, "extract.pem") < 0)
+ assert_not_reached ();
+
+ ret = p11_extract_openssl_bundle (test.iter, &test.ex);
+ CuAssertIntEquals (tc, true, ret);
+
+ test_check_file (tc, test.directory, "extract.pem",
+ SRCDIR "/files/cacert3-trusted-multiple.pem");
+
+ teardown (tc);
+}
+
+static void
+test_file_without (CuTest *tc)
+{
+ bool ret;
+
+ setup (tc);
+
+ p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL);
+ p11_kit_iter_add_filter (test.iter, certificate_filter, 1);
+ p11_kit_iter_begin_with (test.iter, &test.module, 0, 0);
+
+ if (asprintf (&test.ex.destination, "%s/%s", test.directory, "extract.pem") < 0)
+ assert_not_reached ();
+
+ ret = p11_extract_openssl_bundle (test.iter, &test.ex);
+ CuAssertIntEquals (tc, true, ret);
+
+ test_check_data (tc, test.directory, "extract.pem", "", 0);
+
+ teardown (tc);
+}
+
+/* From extract-openssl.c */
+void p11_openssl_canon_string (char *str, long *len);
+
+static void
+test_canon_string (CuTest *tc)
+{
+ struct {
+ char *input;
+ int input_len;
+ char *output;
+ int output_len;
+ } fixtures[] = {
+ { "A test", -1, "a test", -1 },
+ { " Strip spaces ", -1, "strip spaces", -1 },
+ { " Collapse \n\t spaces", -1, "collapse spaces", -1 },
+ { "Ignore non-ASCII \303\204", -1, "ignore non-ascii \303\204", -1 },
+ { "no-space", -1, "no-space", -1 },
+ };
+
+ char *str;
+ long len;
+ long out;
+ int i;
+
+ for (i = 0; i < ELEMS (fixtures); i++) {
+ len = fixtures[i].input_len;
+ if (len < 0)
+ len = strlen (fixtures[i].input);
+ str = strndup (fixtures[i].input, len);
+
+ p11_openssl_canon_string (str, &len);
+
+ out = fixtures[i].output_len;
+ if (out < 0)
+ out = strlen (fixtures[i].output);
+ CuAssertIntEquals (tc, out, len);
+ CuAssertStrEquals (tc, fixtures[i].output, str);
+
+ free (str);
+ }
+}
+
+bool p11_openssl_canon_string_der (p11_buffer *der);
+
+static void
+test_canon_string_der (CuTest *tc)
+{
+ struct {
+ unsigned char input[100];
+ int input_len;
+ unsigned char output[100];
+ int output_len;
+ } fixtures[] = {
+ /* UTF8String */
+ { { 0x0c, 0x0f, 0xc3, 0x84, ' ', 'U', 'T', 'F', '8', ' ', 's', 't', 'r', 'i', 'n', 'g', ' ', }, 17,
+ { 0x0c, 0x0e, 0xc3, 0x84, ' ', 'u', 't', 'f', '8', ' ', 's', 't', 'r', 'i', 'n', 'g', }, 16,
+ },
+
+ /* NumericString */
+ { { 0x12, 0x04, '0', '1', '2', '3', }, 6,
+ { 0x0c, 0x04, '0', '1', '2', '3' }, 6,
+ },
+
+ /* IA5String */
+ { { 0x16, 0x04, ' ', 'A', 'B', ' ', }, 6,
+ { 0x0c, 0x02, 'a', 'b', }, 4,
+ },
+
+ /* TeletexString */
+ { { 0x14, 0x07, 'A', ' ', ' ', 'n', 'i', 'c', 'e' }, 9,
+ { 0x0c, 0x06, 'a', ' ', 'n', 'i', 'c', 'e' }, 8,
+ },
+
+ /* PrintableString */
+ { { 0x13, 0x07, 'A', ' ', ' ', 'n', 'i', 'c', 'e' }, 9,
+ { 0x0c, 0x06, 'a', ' ', 'n', 'i', 'c', 'e' }, 8,
+ },
+
+ /* No change, not a known string type */
+ { { 0x05, 0x07, 'A', ' ', ' ', 'n', 'i', 'c', 'e' }, 9,
+ { 0x05, 0x07, 'A', ' ', ' ', 'n', 'i', 'c', 'e' }, 9
+ },
+
+ /* UniversalString */
+ { { 0x1c, 0x14, 0x00, 0x00, 0x00, 'F', 0x00, 0x00, 0x00, 'u',
+ 0x00, 0x00, 0x00, 'n', 0x00, 0x00, 0x00, ' ', 0x00, 0x01, 0x03, 0x19, }, 22,
+ { 0x0c, 0x08, 'f', 'u', 'n', ' ', 0xf0, 0x90, 0x8c, 0x99 }, 10,
+ },
+
+ /* BMPString */
+ { { 0x1e, 0x0a, 0x00, 'V', 0x00, 0xF6, 0x00, 'g', 0x00, 'e', 0x00, 'l' }, 12,
+ { 0x0c, 0x06, 'v', 0xc3, 0xb6, 'g', 'e', 'l' }, 8,
+ },
+ };
+
+ p11_buffer buf;
+ bool ret;
+ int i;
+
+ for (i = 0; i < ELEMS (fixtures); i++) {
+ p11_buffer_init_full (&buf, memdup (fixtures[i].input, fixtures[i].input_len),
+ fixtures[i].input_len, 0, realloc, free);
+
+ ret = p11_openssl_canon_string_der (&buf);
+ CuAssertIntEquals (tc, true, ret);
+
+ CuAssertIntEquals (tc, fixtures[i].output_len, buf.len);
+ CuAssertTrue (tc, memcmp (buf.data, fixtures[i].output, buf.len) == 0);
+
+ p11_buffer_uninit (&buf);
+ }
+}
+
+bool p11_openssl_canon_name_der (p11_dict *asn1_defs,
+ p11_buffer *der);
+
+static void
+test_canon_name_der (CuTest *tc)
+{
+ struct {
+ unsigned char input[100];
+ int input_len;
+ unsigned char output[100];
+ int output_len;
+ } fixtures[] = {
+ { { '0', 'T', '1', 0x14, '0', 0x12, 0x06, 0x03, 'U', 0x04, 0x0a,
+ 0x13, 0x0b, 'C', 'A', 'c', 'e', 'r', 't', 0x20, 'I', 'n',
+ 'c', '.', '1', 0x1e, '0', 0x1c, 0x06, 0x03, 'U', 0x04,
+ 0x0b, 0x13, 0x15, 'h', 't', 't', 'p', ':', '/', '/', 'w',
+ 'w', 'w', '.', 'C', 'A', 'c', 'e', 'r', 't', '.', 'o', 'r',
+ 'g', '1', 0x1c, '0', 0x1a, 0x06, 0x03, 'U', 0x04, 0x03, 0x13,
+ 0x13, 'C', 'A', 'c', 'e', 'r', 't', 0x20, 'C', 'l', 'a', 's',
+ 's', 0x20, '3', 0x20, 'R', 'o', 'o', 't', }, 86,
+ { '1', 0x14, '0', 0x12, 0x06, 0x03, 'U', 0x04, 0x0a,
+ 0x0c, 0x0b, 'c', 'a', 'c', 'e', 'r', 't', 0x20, 'i', 'n',
+ 'c', '.', '1', 0x1e, '0', 0x1c, 0x06, 0x03, 'U', 0x04,
+ 0x0b, 0x0c, 0x15, 'h', 't', 't', 'p', ':', '/', '/', 'w',
+ 'w', 'w', '.', 'c', 'a', 'c', 'e', 'r', 't', '.', 'o', 'r',
+ 'g', '1', 0x1c, '0', 0x1a, 0x06, 0x03, 'U', 0x04, 0x03, 0x0c,
+ 0x13, 'c', 'a', 'c', 'e', 'r', 't', 0x20, 'c', 'l', 'a', 's',
+ 's', 0x20, '3', 0x20, 'r', 'o', 'o', 't', }, 84,
+ },
+ { { '0', 0x00, }, 2,
+ { }, 0,
+ },
+ };
+
+ p11_buffer buf;
+ p11_dict *asn1_defs;
+ bool ret;
+ int i;
+
+ asn1_defs = p11_asn1_defs_load ();
+
+ for (i = 0; i < ELEMS (fixtures); i++) {
+ p11_buffer_init_full (&buf, memdup (fixtures[i].input, fixtures[i].input_len),
+ fixtures[i].input_len, 0, realloc, free);
+
+ ret = p11_openssl_canon_name_der (asn1_defs, &buf);
+ CuAssertIntEquals (tc, true, ret);
+
+ CuAssertIntEquals (tc, fixtures[i].output_len, buf.len);
+ CuAssertTrue (tc, memcmp (buf.data, fixtures[i].output, buf.len) == 0);
+
+ p11_buffer_uninit (&buf);
+ }
+
+ p11_dict_free (asn1_defs);
+}
+
+static void
+test_canon_string_der_fail (CuTest *tc)
+{
+ struct {
+ unsigned char input[100];
+ int input_len;
+ } fixtures[] = {
+ { { 0x0c, 0x02, 0xc3, 0xc4 /* Invalid UTF-8 */ }, 4 },
+ { { 0x1e, 0x01, 0x00 /* Invalid UCS2 */ }, 3 },
+ { { 0x1c, 0x02, 0x00, 0x01 /* Invalid UCS4 */ }, 4 },
+ };
+
+ p11_buffer buf;
+ bool ret;
+ int i;
+
+ for (i = 0; i < ELEMS (fixtures); i++) {
+ p11_buffer_init_full (&buf, memdup (fixtures[i].input, fixtures[i].input_len),
+ fixtures[i].input_len, 0, realloc, free);
+
+ ret = p11_openssl_canon_string_der (&buf);
+ CuAssertIntEquals (tc, false, ret);
+
+ p11_buffer_uninit (&buf);
+ }
+}
+
+static void
+test_directory (CuTest *tc)
+{
+ bool ret;
+
+ setup (tc);
+
+ setup_objects (cacert3_authority_attrs,
+ extension_eku_client_server,
+ extension_reject_email,
+ NULL);
+
+ setup_objects (cacert3_authority_attrs,
+ NULL);
+
+ p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL);
+ p11_kit_iter_add_filter (test.iter, certificate_filter, 1);
+ p11_kit_iter_begin_with (test.iter, &test.module, 0, 0);
+
+ /* Yes, this is a race, and why you shouldn't build software as root */
+ if (rmdir (test.directory) < 0)
+ assert_not_reached ();
+ test.ex.destination = test.directory;
+
+ ret = p11_extract_openssl_directory (test.iter, &test.ex);
+ CuAssertIntEquals (tc, true, ret);
+
+ test_check_directory (tc, test.directory, ("Custom_Label.pem", "Custom_Label.1.pem",
+ "e5662767.1", "e5662767.0", "590d426f.1", "590d426f.0", NULL));
+ test_check_file (tc, test.directory, "Custom_Label.pem",
+ SRCDIR "/files/cacert3-trusted-client-server-alias.pem");
+ test_check_file (tc, test.directory, "Custom_Label.1.pem",
+ SRCDIR "/files/cacert3-trusted-alias.pem");
+ test_check_symlink (tc, test.directory, "e5662767.0", "Custom_Label.pem");
+ test_check_symlink (tc, test.directory, "e5662767.1", "Custom_Label.1.pem");
+ test_check_symlink (tc, test.directory, "590d426f.0", "Custom_Label.pem");
+ test_check_symlink (tc, test.directory, "590d426f.1", "Custom_Label.1.pem");
+ teardown (tc);
+}
+
+static void
+test_directory_empty (CuTest *tc)
+{
+ bool ret;
+
+ setup (tc);
+
+ p11_kit_iter_add_callback (test.iter, p11_extract_info_load_filter, &test.ex, NULL);
+ p11_kit_iter_add_filter (test.iter, certificate_filter, 1);
+ p11_kit_iter_begin_with (test.iter, &test.module, 0, 0);
+
+ /* Yes, this is a race, and why you shouldn't build software as root */
+ if (rmdir (test.directory) < 0)
+ assert_not_reached ();
+ test.ex.destination = test.directory;
+
+ ret = p11_extract_openssl_directory (test.iter, &test.ex);
+ CuAssertIntEquals (tc, true, ret);
+
+ test_check_directory (tc, test.directory, (NULL, NULL));
+
+ teardown (tc);
+}
+
+int
+main (void)
+{
+ CuString *output = CuStringNew ();
+ CuSuite* suite = CuSuiteNew ();
+ int ret;
+
+ putenv ("P11_KIT_STRICT=1");
+ p11_debug_init ();
+
+ SUITE_ADD_TEST (suite, test_file);
+ SUITE_ADD_TEST (suite, test_plain);
+ SUITE_ADD_TEST (suite, test_keyid);
+ SUITE_ADD_TEST (suite, test_not_authority);
+ SUITE_ADD_TEST (suite, test_distrust_all);
+ SUITE_ADD_TEST (suite, test_file_multiple);
+ SUITE_ADD_TEST (suite, test_file_without);
+
+ SUITE_ADD_TEST (suite, test_canon_string);
+ SUITE_ADD_TEST (suite, test_canon_string_der);
+ SUITE_ADD_TEST (suite, test_canon_string_der_fail);
+ SUITE_ADD_TEST (suite, test_canon_name_der);
+
+ SUITE_ADD_TEST (suite, test_directory);
+ SUITE_ADD_TEST (suite, test_directory_empty);
+
+ CuSuiteRun (suite);
+ CuSuiteSummary (suite, output);
+ CuSuiteDetails (suite, output);
+ printf ("%s\n", output->buffer);
+ ret = suite->failCount;
+ CuSuiteDelete (suite);
+ CuStringDelete (output);
+
+ return ret;
+}
diff --git a/tools/tests/test-utf8.c b/tools/tests/test-utf8.c
new file mode 100644
index 0000000..d34f597
--- /dev/null
+++ b/tools/tests/test-utf8.c
@@ -0,0 +1,252 @@
+/*
+ * Copyright (c) 2013, Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the
+ * following disclaimer.
+ * * Redistributions in binary form must reproduce the
+ * above copyright notice, this list of conditions and
+ * the following disclaimer in the documentation and/or
+ * other materials provided with the distribution.
+ * * The names of contributors to this software may not be
+ * used to endorse or promote products derived from this
+ * software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@collabora.co.uk>
+ */
+
+#include "config.h"
+#include "CuTest.h"
+
+#include "utf8.h"
+
+#include <stdio.h>
+
+#define ELEMS(x) (sizeof (x) / sizeof (x[0]))
+
+static void
+test_ucs2be (CuTest *cu)
+{
+ char *output;
+ size_t length;
+ int i;
+
+ struct {
+ const char *output;
+ size_t output_len;
+ const unsigned char input[100];
+ size_t input_len;
+ } fixtures[] = {
+ { "This is a test", 14,
+ { 0x00, 'T', 0x00, 'h', 0x00, 'i', 0x00, 's', 0x00, ' ', 0x00, 'i', 0x00, 's', 0x00, ' ',
+ 0x00, 'a', 0x00, ' ', 0x00, 't', 0x00, 'e', 0x00, 's', 0x00, 't' }, 28,
+ },
+ { "V\303\266gel", 6,
+ { 0x00, 'V', 0x00, 0xF6, 0x00, 'g', 0x00, 'e', 0x00, 'l' }, 10,
+ },
+ { "M\303\244nwich \340\264\205", 12,
+ { 0x00, 'M', 0x00, 0xE4, 0x00, 'n', 0x00, 'w', 0x00, 'i', 0x00, 'c', 0x00, 'h',
+ 0x00, ' ', 0x0D, 0x05 }, 18,
+ }
+ };
+
+ for (i = 0; i < ELEMS (fixtures); i++) {
+ output = p11_utf8_for_ucs2be (fixtures[i].input,
+ fixtures[i].input_len,
+ &length);
+
+ CuAssertIntEquals (cu, fixtures[i].output_len, length);
+ CuAssertStrEquals (cu, fixtures[i].output, output);
+ }
+}
+
+static void
+test_ucs2be_fail (CuTest *cu)
+{
+ char *output;
+ size_t length;
+ int i;
+
+ struct {
+ const unsigned char input[100];
+ size_t input_len;
+ } fixtures[] = {
+ { { 0x00, 'T', 0x00, 'h', 0x00, 'i', 0x00, }, 7 /* truncated */ }
+ };
+
+ for (i = 0; i < ELEMS (fixtures); i++) {
+ output = p11_utf8_for_ucs2be (fixtures[i].input,
+ fixtures[i].input_len,
+ &length);
+ CuAssertPtrEquals (cu, NULL, output);
+ }
+}
+
+static void
+test_ucs4be (CuTest *cu)
+{
+ char *output;
+ size_t length;
+ int i;
+
+ struct {
+ const char *output;
+ size_t output_len;
+ const unsigned char input[100];
+ size_t input_len;
+ } fixtures[] = {
+ { "This is a test", 14,
+ { 0x00, 0x00, 0x00, 'T',
+ 0x00, 0x00, 0x00, 'h',
+ 0x00, 0x00, 0x00, 'i',
+ 0x00, 0x00, 0x00, 's',
+ 0x00, 0x00, 0x00, ' ',
+ 0x00, 0x00, 0x00, 'i',
+ 0x00, 0x00, 0x00, 's',
+ 0x00, 0x00, 0x00, ' ',
+ 0x00, 0x00, 0x00, 'a',
+ 0x00, 0x00, 0x00, ' ',
+ 0x00, 0x00, 0x00, 't',
+ 0x00, 0x00, 0x00, 'e',
+ 0x00, 0x00, 0x00, 's',
+ 0x00, 0x00, 0x00, 't',
+ }, 56,
+ },
+ { "Fun \360\220\214\231", 8,
+ { 0x00, 0x00, 0x00, 'F',
+ 0x00, 0x00, 0x00, 'u',
+ 0x00, 0x00, 0x00, 'n',
+ 0x00, 0x00, 0x00, ' ',
+ 0x00, 0x01, 0x03, 0x19, /* U+10319: looks like an antenna */
+ }, 20,
+ }
+ };
+
+ for (i = 0; i < ELEMS (fixtures); i++) {
+ output = p11_utf8_for_ucs4be (fixtures[i].input,
+ fixtures[i].input_len,
+ &length);
+
+ CuAssertIntEquals (cu, fixtures[i].output_len, length);
+ CuAssertStrEquals (cu, fixtures[i].output, output);
+ }
+}
+
+static void
+test_ucs4be_fail (CuTest *cu)
+{
+ char *output;
+ size_t length;
+ int i;
+
+ struct {
+ const unsigned char input[100];
+ size_t input_len;
+ } fixtures[] = {
+ { { 0x00, 0x00, 'T',
+ }, 7 /* truncated */ },
+ { { 0x00, 0x00, 0x00, 'F',
+ 0x00, 0x00, 0x00, 'u',
+ 0x00, 0x00, 0x00, 'n',
+ 0x00, 0x00, 0x00, ' ',
+ 0xD8, 0x00, 0xDF, 0x19,
+ }, 20,
+ }
+ };
+
+ for (i = 0; i < ELEMS (fixtures); i++) {
+ output = p11_utf8_for_ucs4be (fixtures[i].input,
+ fixtures[i].input_len,
+ &length);
+ CuAssertPtrEquals (cu, NULL, output);
+ }
+}
+
+static void
+test_utf8 (CuTest *cu)
+{
+ bool ret;
+ int i;
+
+ struct {
+ const char *input;
+ size_t input_len;
+ } fixtures[] = {
+ { "This is a test", 14 },
+ { "Good news everyone", -1 },
+ { "Fun \360\220\214\231", -1 },
+ { "Fun invalid here: \xfe", 4 }, /* but limited length */
+ { "V\303\266gel", 6, },
+ };
+
+ for (i = 0; i < ELEMS (fixtures); i++) {
+ ret = p11_utf8_validate (fixtures[i].input,
+ fixtures[i].input_len);
+ CuAssertIntEquals (cu, true, ret);
+ }
+}
+
+static void
+test_utf8_fail (CuTest *cu)
+{
+ bool ret;
+ int i;
+
+ struct {
+ const char *input;
+ size_t input_len;
+ } fixtures[] = {
+ { "This is a test\x80", 15 },
+ { "Good news everyone\x88", -1 },
+ { "Bad \xe0v following chars should be |0x80", -1 },
+ { "Truncated \xe0", -1 },
+ };
+
+ for (i = 0; i < ELEMS (fixtures); i++) {
+ ret = p11_utf8_validate (fixtures[i].input,
+ fixtures[i].input_len);
+ CuAssertIntEquals (cu, false, ret);
+ }
+}
+
+int
+main (void)
+{
+ CuString *output = CuStringNew ();
+ CuSuite* suite = CuSuiteNew ();
+ int ret;
+
+ SUITE_ADD_TEST (suite, test_ucs2be);
+ SUITE_ADD_TEST (suite, test_ucs2be_fail);
+ SUITE_ADD_TEST (suite, test_ucs4be);
+ SUITE_ADD_TEST (suite, test_ucs4be_fail);
+ SUITE_ADD_TEST (suite, test_utf8);
+ SUITE_ADD_TEST (suite, test_utf8_fail);
+
+ CuSuiteRun (suite);
+ CuSuiteSummary (suite, output);
+ CuSuiteDetails (suite, output);
+ printf ("%s\n", output->buffer);
+ ret = suite->failCount;
+ CuSuiteDelete (suite);
+ CuStringDelete (output);
+
+ return ret;
+}
diff --git a/tools/tests/test.h b/tools/tests/test.h
index 2cc7c31..7cf2492 100644
--- a/tools/tests/test.h
+++ b/tools/tests/test.h
@@ -193,6 +193,15 @@ static const char test_eku_server_and_client[] = {
0x01, 0x05, 0x05, 0x07, 0x03, 0x02,
};
+static const char test_eku_client_and_server[] = {
+ 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x06, 0x08, 0x2b, 0x06,
+ 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
+};
+
+static const char test_eku_email[] = {
+ 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04
+};
+
static const char test_eku_none[] = {
0x30, 0x00,
};
diff --git a/tools/utf8.c b/tools/utf8.c
new file mode 100644
index 0000000..5ce6889
--- /dev/null
+++ b/tools/utf8.c
@@ -0,0 +1,328 @@
+/*
+ * Copyright (c) 2013, Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the
+ * following disclaimer.
+ * * Redistributions in binary form must reproduce the
+ * above copyright notice, this list of conditions and
+ * the following disclaimer in the documentation and/or
+ * other materials provided with the distribution.
+ * * The names of contributors to this software may not be
+ * used to endorse or promote products derived from this
+ * software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@redhat.com>
+ */
+
+#include "config.h"
+
+#include "buffer.h"
+#include "debug.h"
+#include "utf8.h"
+
+#include <assert.h>
+#include <stddef.h>
+#include <string.h>
+
+/*
+ * Some parts come from FreeBSD utf8.c
+ *
+ * Copyright (c) 2002-2004 Tim J. Robbins
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+static ssize_t
+utf8_to_wchar (const char *str,
+ size_t len,
+ wchar_t *wc)
+{
+ int ch, i, mask, want;
+ wchar_t lbound, wch;
+
+ assert (str != NULL);
+ assert (len > 0);
+ assert (wc != NULL);
+
+ if (((ch = (unsigned char)*str) & ~0x7f) == 0) {
+ /* Fast path for plain ASCII characters. */
+ *wc = ch;
+ return 1;
+ }
+
+ /*
+ * Determine the number of octets that make up this character
+ * from the first octet, and a mask that extracts the
+ * interesting bits of the first octet. We already know
+ * the character is at least two bytes long.
+ *
+ * We also specify a lower bound for the character code to
+ * detect redundant, non-"shortest form" encodings. For
+ * example, the sequence C0 80 is _not_ a legal representation
+ * of the null character. This enforces a 1-to-1 mapping
+ * between character codes and their multibyte representations.
+ */
+ ch = (unsigned char)*str;
+ if ((ch & 0xe0) == 0xc0) {
+ mask = 0x1f;
+ want = 2;
+ lbound = 0x80;
+ } else if ((ch & 0xf0) == 0xe0) {
+ mask = 0x0f;
+ want = 3;
+ lbound = 0x800;
+ } else if ((ch & 0xf8) == 0xf0) {
+ mask = 0x07;
+ want = 4;
+ lbound = 0x10000;
+ } else if ((ch & 0xfc) == 0xf8) {
+ mask = 0x03;
+ want = 5;
+ lbound = 0x200000;
+ } else if ((ch & 0xfe) == 0xfc) {
+ mask = 0x01;
+ want = 6;
+ lbound = 0x4000000;
+ } else {
+ /*
+ * Malformed input; input is not UTF-8.
+ */
+ return -1;
+ }
+
+ if (want > len) {
+ /* Incomplete multibyte sequence. */
+ return -1;
+ }
+
+ /*
+ * Decode the octet sequence representing the character in chunks
+ * of 6 bits, most significant first.
+ */
+ wch = (unsigned char)*str++ & mask;
+ for (i = 1; i < want; i++) {
+ if ((*str & 0xc0) != 0x80) {
+ /*
+ * Malformed input; bad characters in the middle
+ * of a character.
+ */
+ return -1;
+ }
+ wch <<= 6;
+ wch |= *str++ & 0x3f;
+ }
+ if (wch < lbound) {
+ /*
+ * Malformed input; redundant encoding.
+ */
+ return -1;
+ }
+
+ *wc = wch;
+ return want;
+}
+
+static size_t
+utf8_for_wchar (wchar_t wc,
+ char *str,
+ size_t len)
+{
+ unsigned char lead;
+ int i, want;
+
+ assert (str != NULL);
+ assert (len >= 6);
+
+ if ((wc & ~0x7f) == 0) {
+ /* Fast path for plain ASCII characters. */
+ *str = (char)wc;
+ return 1;
+ }
+
+ /*
+ * Determine the number of octets needed to represent this character.
+ * We always output the shortest sequence possible. Also specify the
+ * first few bits of the first octet, which contains the information
+ * about the sequence length.
+ */
+ if ((wc & ~0x7ff) == 0) {
+ lead = 0xc0;
+ want = 2;
+ } else if ((wc & ~0xffff) == 0) {
+ lead = 0xe0;
+ want = 3;
+ } else if ((wc & ~0x1fffff) == 0) {
+ lead = 0xf0;
+ want = 4;
+ } else if ((wc & ~0x3ffffff) == 0) {
+ lead = 0xf8;
+ want = 5;
+ } else if ((wc & ~0x7fffffff) == 0) {
+ lead = 0xfc;
+ want = 6;
+ } else {
+ return -1;
+ }
+
+ assert (want <= len);
+
+ /*
+ * Output the octets representing the character in chunks
+ * of 6 bits, least significant last. The first octet is
+ * a special case because it contains the sequence length
+ * information.
+ */
+ for (i = want - 1; i > 0; i--) {
+ str[i] = (wc & 0x3f) | 0x80;
+ wc >>= 6;
+ }
+ *str = (wc & 0xff) | lead;
+ return want;
+}
+
+static ssize_t
+ucs2be_to_wchar (const unsigned char *str,
+ size_t len,
+ wchar_t *wc)
+{
+ assert (str != NULL);
+ assert (len != 0);
+ assert (wc != NULL);
+
+ if (len < 2)
+ return -1;
+
+ *wc = (str[0] << 8 | str[1]);
+ return 2;
+}
+
+static ssize_t
+ucs4be_to_wchar (const unsigned char *str,
+ size_t len,
+ wchar_t *wc)
+{
+ assert (str != NULL);
+ assert (len != 0);
+ assert (wc != NULL);
+
+ if (len < 4)
+ return -1;
+
+ *wc = (str[0] << 24 | str[1] << 16 | str[2] << 8 | str[3]);
+ return 4;
+}
+
+bool
+p11_utf8_validate (const char *str,
+ ssize_t len)
+{
+ wchar_t dummy;
+ ssize_t ret;
+
+ if (len < 0)
+ len = strlen (str);
+
+ while (len > 0) {
+ ret = utf8_to_wchar (str, len, &dummy);
+ if (ret < 0)
+ return false;
+ str += ret;
+ len -= ret;
+ }
+
+ return true;
+}
+
+static char *
+utf8_for_convert (ssize_t (* convert) (const unsigned char *, size_t, wchar_t *),
+ const unsigned char *str,
+ size_t num_bytes,
+ size_t *ret_len)
+{
+ p11_buffer buf;
+ char block[6];
+ wchar_t wc;
+ ssize_t ret;
+
+ assert (convert);
+
+ if (!p11_buffer_init_null (&buf, num_bytes))
+ return_val_if_reached (NULL);
+
+ while (num_bytes != 0) {
+ ret = (convert) (str, num_bytes, &wc);
+ if (ret < 0) {
+ p11_buffer_uninit (&buf);
+ return NULL;
+ }
+
+ str += ret;
+ num_bytes -= ret;
+
+ ret = utf8_for_wchar (wc, block, 6);
+ if (ret < 0) {
+ p11_buffer_uninit (&buf);
+ return NULL;
+ }
+ p11_buffer_add (&buf, block, ret);
+ }
+
+ return_val_if_fail (p11_buffer_ok (&buf), NULL);
+ return p11_buffer_steal (&buf, ret_len);
+}
+
+char *
+p11_utf8_for_ucs2be (const unsigned char *str,
+ size_t num_bytes,
+ size_t *ret_len)
+{
+ assert (str != NULL);
+ return utf8_for_convert (ucs2be_to_wchar, str, num_bytes, ret_len);
+}
+
+char *
+p11_utf8_for_ucs4be (const unsigned char *str,
+ size_t num_bytes,
+ size_t *ret_len)
+{
+ assert (str != NULL);
+ return utf8_for_convert (ucs4be_to_wchar, str, num_bytes, ret_len);
+}
diff --git a/tools/utf8.h b/tools/utf8.h
new file mode 100644
index 0000000..8efa66f
--- /dev/null
+++ b/tools/utf8.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2013, Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the
+ * following disclaimer.
+ * * Redistributions in binary form must reproduce the
+ * above copyright notice, this list of conditions and
+ * the following disclaimer in the documentation and/or
+ * other materials provided with the distribution.
+ * * The names of contributors to this software may not be
+ * used to endorse or promote products derived from this
+ * software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@redhat.com>
+ */
+
+#ifndef P11_UTF8_H_
+#define P11_UTF8_H_
+
+#include "compat.h"
+
+#include <sys/types.h>
+
+bool p11_utf8_validate (const char *str,
+ ssize_t len);
+
+char * p11_utf8_for_ucs2be (const unsigned char *str,
+ size_t num_bytes,
+ size_t *ret_len);
+
+char * p11_utf8_for_ucs4be (const unsigned char *str,
+ size_t num_bytes,
+ size_t *ret_len);
+
+#endif /* P11_UTF8_H_ */