authorStef Walter <stefw@gnome.org>2013-02-03 23:26:10 +0100
committerStef Walter <stefw@gnome.org>2013-02-05 15:00:25 +0100
commit32ca4f6d3167d08fc985d66fe48f453954596f87 (patch)
tree4dd767287480a047e4f1370bc6925d2fb748ceea
parent39e9f190416ecb4260a3b079e1d79fc2e55f5a33 (diff)
Use the CN, OU or O of certificates to generate a label
* This applies in cases where the certificate information does not already have a friendly name or alias.
-rw-r--r--common/Makefile.am1
-rw-r--r--common/oid.h18
-rw-r--r--common/tests/Makefile.am1
-rw-r--r--common/tests/test-utf8.c (renamed from tools/tests/test-utf8.c)0
-rw-r--r--common/tests/test-x509.c81
-rw-r--r--common/utf8.c (renamed from tools/utf8.c)0
-rw-r--r--common/utf8.h (renamed from tools/utf8.h)0
-rw-r--r--common/x509.c136
-rw-r--r--common/x509.h16
-rw-r--r--tools/extract-openssl.c70
-rw-r--r--tools/tests/Makefile.am7
-rw-r--r--tools/tests/test-openssl.c16
-rw-r--r--trust/parser.c51
-rw-r--r--trust/tests/test-parser.c22
14 files changed, 318 insertions, 101 deletions
diff --git a/common/Makefile.am b/common/Makefile.am
index 145627c..96000dd 100644
--- a/common/Makefile.am
+++ b/common/Makefile.am
@@ -46,6 +46,7 @@ libp11_data_la_SOURCES = \
openssl.asn openssl.asn.h \
pem.c pem.h \
pkix.asn pkix.asn.h \
+ utf8.c utf8.h \
x509.c x509.h \
$(NULL)
diff --git a/common/oid.h b/common/oid.h
index 08b3feb..96b7a27 100644
--- a/common/oid.h
+++ b/common/oid.h
@@ -48,6 +48,24 @@ bool p11_oid_equal (const void *oid_one,
int p11_oid_length (const unsigned char *oid);
/*
+ * 2.5.4.3: CN or commonName
+ */
+static const unsigned char P11_OID_CN[] =
+ { 0x06, 0x03, 0x55, 0x04, 0x03, };
+
+/*
+ * 2.5.4.10: O or organization
+ */
+static const unsigned char P11_OID_O[] =
+ { 0x06, 0x03, 0x55, 0x04, 0x0a, };
+
+/*
+ * 2.5.4.11: OU or organizationalUnit
+ */
+static const unsigned char P11_OID_OU[] =
+ { 0x06, 0x03, 0x55, 0x04, 0x0b, };
+
+/*
* Our support of certificate extensions and so on is not limited to what is
* listed here. This is simply the OIDs used by the parsing code that generates
* backwards compatible PKCS#11 objects for NSS and the like.
diff --git a/common/tests/Makefile.am b/common/tests/Makefile.am
index ceb0d47..3ef4471 100644
--- a/common/tests/Makefile.am
+++ b/common/tests/Makefile.am
@@ -38,6 +38,7 @@ CHECK_PROGS += \
test-checksum \
test-pem \
test-oid \
+ test-utf8 \
test-x509 \
$(NULL)
diff --git a/tools/tests/test-utf8.c b/common/tests/test-utf8.c
index d34f597..d34f597 100644
--- a/tools/tests/test-utf8.c
+++ b/common/tests/test-utf8.c
diff --git a/common/tests/test-x509.c b/common/tests/test-x509.c
index 0341ed9..6da26bf 100644
--- a/common/tests/test-x509.c
+++ b/common/tests/test-x509.c
@@ -44,6 +44,8 @@
#include <stdio.h>
#include <string.h>
+#define ELEMS(x) (sizeof (x) / sizeof (x[0]))
+
struct {
p11_dict *asn1_defs;
} test;
@@ -335,6 +337,83 @@ test_parse_extension_not_found (CuTest *cu)
teardown (cu);
}
+static void
+test_directory_string (CuTest *tc)
+{
+ struct {
+ unsigned char input[100];
+ int input_len;
+ char *output;
+ int output_len;
+ } fixtures[] = {
+ /* UTF8String */
+ { { 0x0c, 0x0f, 0xc3, 0x84, ' ', 'U', 'T', 'F', '8', ' ', 's', 't', 'r', 'i', 'n', 'g', ' ', }, 17,
+ "\xc3\x84 UTF8 string ", 15,
+ },
+
+ /* NumericString */
+ { { 0x12, 0x04, '0', '1', '2', '3', }, 6,
+ "0123", 4,
+ },
+
+ /* IA5String */
+ { { 0x16, 0x04, ' ', 'A', 'B', ' ', }, 6,
+ " AB ", 4
+ },
+
+ /* TeletexString */
+ { { 0x14, 0x07, 'A', ' ', ' ', 'n', 'i', 'c', 'e' }, 9,
+ "A nice", 7
+ },
+
+ /* PrintableString */
+ { { 0x13, 0x07, 'A', ' ', ' ', 'n', 'i', 'c', 'e' }, 9,
+ "A nice", 7,
+ },
+
+ /* UniversalString */
+ { { 0x1c, 0x14, 0x00, 0x00, 0x00, 'F', 0x00, 0x00, 0x00, 'u',
+ 0x00, 0x00, 0x00, 'n', 0x00, 0x00, 0x00, ' ', 0x00, 0x01, 0x03, 0x19, }, 22,
+ "Fun \xf0\x90\x8c\x99", 8
+ },
+
+ /* BMPString */
+ { { 0x1e, 0x0a, 0x00, 'V', 0x00, 0xF6, 0x00, 'g', 0x00, 'e', 0x00, 'l' }, 12,
+ "V\xc3\xb6gel", 6
+ },
+ };
+
+ char *string;
+ bool unknown;
+ size_t length;
+ int i;
+
+ for (i = 0; i < ELEMS (fixtures); i++) {
+ string = p11_x509_parse_directory_string (fixtures[i].input,
+ fixtures[i].input_len,
+ &unknown, &length);
+ CuAssertPtrNotNull (tc, string);
+ CuAssertIntEquals (tc, false, unknown);
+
+ CuAssertIntEquals (tc, fixtures[i].output_len, length);
+ CuAssertStrEquals (tc, fixtures[i].output, string);
+ }
+}
+
+static void
+test_directory_string_unknown (CuTest *tc)
+{
+ /* Not a valid choice in DirectoryString */
+ unsigned char input[] = { 0x05, 0x07, 'A', ' ', ' ', 'n', 'i', 'c', 'e' };
+ char *string;
+ bool unknown = false;
+ size_t length;
+
+ string = p11_x509_parse_directory_string (input, sizeof (input), &unknown, &length);
+ CuAssertPtrEquals (tc, NULL, string);
+ CuAssertIntEquals (tc, true, unknown);
+}
+
int
main (void)
{
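Review bot: The new tests cover only well-formed input plus one unknown tag, so none of the rejection paths in `p11_x509_parse_directory_string` are exercised. Since this function parses bytes taken from certificates, add fixtures that must return NULL with `unknown == false`: a length octet that disagrees with `input_len`, invalid UTF-8 in a UTF8String, and a BMPString with an odd byte count. The loop in `test_directory_string` also never releases the result, so add `free (string);` at the end of each iteration. `int i` is compared with the `size_t` from `ELEMS (fixtures)`; declaring `size_t i` avoids the sign-compare warning.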
@@ -349,6 +428,8 @@ main (void)
SUITE_ADD_TEST (suite, test_parse_key_usage);
SUITE_ADD_TEST (suite, test_parse_extension);
SUITE_ADD_TEST (suite, test_parse_extension_not_found);
+ SUITE_ADD_TEST (suite, test_directory_string);
+ SUITE_ADD_TEST (suite, test_directory_string_unknown);
CuSuiteRun (suite);
CuSuiteSummary (suite, output);
diff --git a/tools/utf8.c b/common/utf8.c
index 5ce6889..5ce6889 100644
--- a/tools/utf8.c
+++ b/common/utf8.c
diff --git a/tools/utf8.h b/common/utf8.h
index 8efa66f..8efa66f 100644
--- a/tools/utf8.h
+++ b/common/utf8.h
diff --git a/common/x509.c b/common/x509.c
index bfb49df..46e3bd9 100644
--- a/common/x509.c
+++ b/common/x509.c
@@ -38,6 +38,7 @@
#define P11_DEBUG_FLAG P11_DEBUG_TRUST
#include "debug.h"
#include "oid.h"
+#include "utf8.h"
#include "x509.h"
#include <stdlib.h>
@@ -209,3 +210,138 @@ p11_x509_parse_extended_key_usage (p11_dict *asn1_defs,
return ekus;
}
+
+char *
+p11_x509_parse_directory_string (const unsigned char *input,
+ size_t input_len,
+ bool *unknown_string,
+ size_t *string_len)
+{
+ unsigned long tag;
+ unsigned char cls;
+ int tag_len;
+ int len_len;
+ const void *octets;
+ long octet_len;
+ int ret;
+
+ ret = asn1_get_tag_der (input, input_len, &cls, &tag_len, &tag);
+ return_val_if_fail (ret == ASN1_SUCCESS, NULL);
+
+ octet_len = asn1_get_length_der (input + tag_len, input_len - tag_len, &len_len);
+ return_val_if_fail (octet_len >= 0, false);
+ return_val_if_fail (tag_len + len_len + octet_len == input_len, NULL);
+
+ octets = input + tag_len + len_len;
+
+ if (unknown_string)
+ *unknown_string = false;
+
+ /* The following strings are the ones we normalize */
+ switch (tag) {
+ case 12: /* UTF8String */
+ case 18: /* NumericString */
+ case 22: /* IA5String */
+ case 20: /* TeletexString */
+ case 19: /* PrintableString */
+ if (!p11_utf8_validate (octets, octet_len))
+ return NULL;
+ if (string_len)
+ *string_len = octet_len;
+ return strndup (octets, octet_len);
+
+ case 28: /* UniversalString */
+ return p11_utf8_for_ucs4be (octets, octet_len, string_len);
+
+ case 30: /* BMPString */
+ return p11_utf8_for_ucs2be (octets, octet_len, string_len);
+
+ /* Just pass through all the non-string types */
+ default:
+ if (unknown_string)
+ *unknown_string = true;
+ return NULL;
+ }
+
+}
+
+char *
+p11_x509_parse_dn_name (p11_dict *asn_defs,
+ const unsigned char *der,
+ size_t der_len,
+ const unsigned char *oid)
+{
+ node_asn *asn;
+ char *part;
+
+ asn = p11_asn1_decode (asn_defs, "PKIX1.Name", der, der_len, NULL);
+ if (asn == NULL)
+ return NULL;
+
+ part = p11_x509_lookup_dn_name (asn, NULL, der, der_len, oid);
+ asn1_delete_structure (&asn);
+ return part;
+}
+
+char *
+p11_x509_lookup_dn_name (node_asn *asn,
+ const char *dn_field,
+ const unsigned char *der,
+ size_t der_len,
+ const unsigned char *oid)
+{
+ unsigned char *value;
+ char field[128];
+ int value_len;
+ char *part;
+ int i, j;
+ int start;
+ int end;
+ int ret;
+
+ for (i = 1; true; i++) {
+ for (j = 1; true; j++) {
+ snprintf (field, sizeof (field), "%s%srdnSequence.?%d.?%d.type",
+ dn_field, dn_field ? "." : "", i, j);
+
+ ret = asn1_der_decoding_startEnd (asn, der, der_len, field, &start, &end);
+
+ /* No more dns */
+ if (ret == ASN1_ELEMENT_NOT_FOUND)
+ break;
+
+ return_val_if_fail (ret == ASN1_SUCCESS, NULL);
+
+ /* Make sure it's a straightforward oid with certain assumptions */
+ if (!p11_oid_simple (der + start, (end - start) + 1))
+ continue;
+
+ /* The one we're lookin for? */
+ if (!p11_oid_equal (der + start, oid))
+ continue;
+
+ snprintf (field, sizeof (field), "%s%srdnSequence.?%d.?%d.value",
+ dn_field, dn_field ? "." : "", i, j);
+
+ value_len = 0;
+ ret = asn1_read_value (asn, field, NULL, &value_len);
+ return_val_if_fail (ret == ASN1_MEM_ERROR, NULL);
+
+ value = malloc (value_len + 1);
+ return_val_if_fail (value != NULL, NULL);
+
+ ret = asn1_read_value (asn, field, value, &value_len);
+ return_val_if_fail (ret == ASN1_SUCCESS, false);
+
+ part = p11_x509_parse_directory_string (value, value_len, NULL, NULL);
+ free (value);
+
+ return part;
+ }
+
+ if (j == 1)
+ break;
+ }
+
+ return NULL;
+}
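Review bot: In `p11_x509_lookup_dn_name` both `snprintf` calls pass `dn_field` to `%s` even when it is NULL, and `p11_x509_parse_dn_name` in this hunk always passes NULL. That is undefined behaviour, and on glibc the field would be formatted with a `(null)` prefix and never match; pass `dn_field ? dn_field : ""` instead. In `p11_x509_parse_directory_string` the UTF-8 branch sets `*string_len = octet_len` but returns `strndup (octets, octet_len)`, which stops at the first NUL byte. Unless `p11_utf8_validate` (not visible here) rejects embedded NULs, a certificate string containing one yields an allocation shorter than the reported length, so either reject NULs explicitly or copy all `octet_len` bytes with `malloc`/`memcpy` and terminate. The two `return_val_if_fail (..., false)` lines sit in functions returning `char *` and should return NULL, and the second one leaks `value`.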
diff --git a/common/x509.h b/common/x509.h
index 2ec5eb8..cbfc574 100644
--- a/common/x509.h
+++ b/common/x509.h
@@ -60,4 +60,20 @@ p11_array * p11_x509_parse_extended_key_usage (p11_dict *asn1_defs,
const unsigned char *ext_der,
size_t ext_len);
+char * p11_x509_parse_dn_name (p11_dict *asn_defs,
+ const unsigned char *der,
+ size_t der_len,
+ const unsigned char *oid);
+
+char * p11_x509_lookup_dn_name (node_asn *asn,
+ const char *dn_field,
+ const unsigned char *der,
+ size_t der_len,
+ const unsigned char *oid);
+
+char * p11_x509_parse_directory_string (const unsigned char *input,
+ size_t input_len,
+ bool *unknown_string,
+ size_t *string_len);
+
#endif /* P11_X509_H_ */
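Review bot: The three new prototypes are added without any comment on ownership or on the out-parameters, and callers elsewhere in this commit depend on both. For `p11_x509_parse_directory_string` I would add `/* Returns a newly allocated UTF-8 string that the caller must free(), or NULL. *unknown_string is set to true only when the tag is not a DirectoryString choice. */`. For the two DN functions, a one-line comment should state that `oid` is a DER-encoded OID such as `P11_OID_CN`, that the first matching RDN value is returned, and that the caller frees the result.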
diff --git a/tools/extract-openssl.c b/tools/extract-openssl.c
index e59d313..fb87cd6 100644
--- a/tools/extract-openssl.c
+++ b/tools/extract-openssl.c
@@ -59,7 +59,7 @@
/* These functions are declared with a global scope for testing */
void p11_openssl_canon_string (char *str,
- long *len);
+ size_t *len);
bool p11_openssl_canon_string_der (p11_buffer *der);
@@ -356,7 +356,7 @@ p11_extract_openssl_bundle (P11KitIter *iter,
void
p11_openssl_canon_string (char *str,
- long *len)
+ size_t *len)
{
bool nsp;
bool sp;
@@ -394,64 +394,24 @@ p11_openssl_canon_string (char *str,
bool
p11_openssl_canon_string_der (p11_buffer *der)
{
- unsigned char *input = der->data;
- int input_len = der->len;
- unsigned char *output;
- unsigned long tag;
- unsigned char cls;
- size_t conv_len;
- int tag_len;
- int len_len;
- void *octets;
- long octet_len;
+ char *string;
+ size_t length;
int output_len;
- void *conv = NULL;
+ int len_len;
+ bool unknown_string;
+ unsigned char *output;
int len;
- int ret;
-
- ret = asn1_get_tag_der (input, input_len, &cls, &tag_len, &tag);
- return_val_if_fail (ret == ASN1_SUCCESS, false);
- octet_len = asn1_get_length_der (input + tag_len, input_len - tag_len, &len_len);
- return_val_if_fail (octet_len >= 0, false);
- return_val_if_fail (tag_len + len_len + octet_len == input_len, false);
-
- octets = input + tag_len + len_len;
-
- /* The following strings are the ones we normalize */
- switch (tag) {
- case 12: /* UTF8String */
- case 18: /* NumericString */
- case 22: /* IA5String */
- case 20: /* TeletexString */
- case 19: /* PrintableString */
- if (!p11_utf8_validate (octets, octet_len))
- return false;
- break;
-
- case 28: /* UniversalString */
- octets = conv = p11_utf8_for_ucs4be (octets, octet_len, &conv_len);
- if (conv == NULL)
- return false;
- octet_len = conv_len;
- break;
-
- case 30: /* BMPString */
- octets = conv = p11_utf8_for_ucs2be (octets, octet_len, &conv_len);
- if (conv == NULL)
- return false;
- octet_len = conv_len;
- break;
+ string = p11_x509_parse_directory_string (der->data, der->len, &unknown_string, &length);
/* Just pass through all the non-string types */
- default:
- return true;
- }
+ if (string == NULL)
+ return unknown_string;
- p11_openssl_canon_string (octets, &octet_len);
+ p11_openssl_canon_string (string, &length);
- asn1_length_der (octet_len, NULL, &len_len);
- output_len = 1 + len_len + octet_len;
+ asn1_length_der (length, NULL, &len_len);
+ output_len = 1 + len_len + length;
if (!p11_buffer_reset (der, output_len))
return_val_if_reached (false);
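Review bot: `unknown_string` is declared without an initializer and returned whenever `string == NULL`, but `p11_x509_parse_directory_string` (common/x509.c in this commit) assigns `*unknown_string` only after its tag and length checks have passed. On malformed DER this function therefore returns an indeterminate value, where the removed code returned false. Declare it as `bool unknown_string = false;`. The body of `p11_openssl_canon_string_der` continues outside this hunk.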
@@ -461,10 +421,10 @@ p11_openssl_canon_string_der (p11_buffer *der)
output[0] = 12; /* UTF8String */
len = output_len - 1;
- asn1_octet_der (octets, octet_len, output + 1, &len);
+ asn1_octet_der ((unsigned char *)string, length, output + 1, &len);
assert (len == output_len - 1);
- free (conv);
+ free (string);
return true;
}
diff --git a/tools/tests/Makefile.am b/tools/tests/Makefile.am
index e50836d..4239a41 100644
--- a/tools/tests/Makefile.am
+++ b/tools/tests/Makefile.am
@@ -37,7 +37,6 @@ libtestcommon_la_SOURCES = \
test.c test.h
CHECK_PROGS = \
- test-utf8 \
test-save \
test-extract \
test-x509 \
@@ -79,12 +78,6 @@ test_openssl_SOURCES = \
$(TOOLS)/extract-info.c \
$(TOOLS)/extract-openssl.c \
$(TOOLS)/save.c \
- $(TOOLS)/utf8.c \
- $(NULL)
-
-test_utf8_SOURCES = \
- test-utf8.c \
- $(TOOLS)/utf8.c \
$(NULL)
endif # WITH_ASN1
diff --git a/tools/tests/test-openssl.c b/tools/tests/test-openssl.c
index a48220d..d242b50 100644
--- a/tools/tests/test-openssl.c
+++ b/tools/tests/test-openssl.c
@@ -373,7 +373,7 @@ test_file_without (CuTest *tc)
}
/* From extract-openssl.c */
-void p11_openssl_canon_string (char *str, long *len);
+void p11_openssl_canon_string (char *str, size_t *len);
static void
test_canon_string (CuTest *tc)
@@ -392,21 +392,23 @@ test_canon_string (CuTest *tc)
};
char *str;
- long len;
- long out;
+ size_t len;
+ size_t out;
int i;
for (i = 0; i < ELEMS (fixtures); i++) {
- len = fixtures[i].input_len;
- if (len < 0)
+ if (fixtures[i].input_len < 0)
len = strlen (fixtures[i].input);
+ else
+ len = fixtures[i].input_len;
str = strndup (fixtures[i].input, len);
p11_openssl_canon_string (str, &len);
- out = fixtures[i].output_len;
- if (out < 0)
+ if (fixtures[i].output_len < 0)
out = strlen (fixtures[i].output);
+ else
+ out = fixtures[i].output_len;
CuAssertIntEquals (tc, out, len);
CuAssertStrEquals (tc, fixtures[i].output, str);
diff --git a/trust/parser.c b/trust/parser.c
index f6da728..6229d09 100644
--- a/trust/parser.c
+++ b/trust/parser.c
@@ -69,7 +69,7 @@ struct _p11_parser {
/* Set during a parse */
p11_parser_sink sink;
void *sink_data;
- const char *probable_label;
+ const char *basename;
int flags;
/* Parsing state */
@@ -152,12 +152,11 @@ static CK_ATTRIBUTE *
build_object (p11_parser *parser,
CK_OBJECT_CLASS vclass,
CK_BYTE *vid,
- const char *explicit_label)
+ const char *vlabel)
{
CK_ATTRIBUTE *attrs = NULL;
CK_BBOOL vtrue = CK_TRUE;
CK_BBOOL vfalse = CK_FALSE;
- const char *vlabel;
CK_ATTRIBUTE klass = { CKA_CLASS, &vclass, sizeof (vclass) };
CK_ATTRIBUTE token = { CKA_TOKEN, &vtrue, sizeof (vtrue) };
@@ -166,7 +165,8 @@ build_object (p11_parser *parser,
CK_ATTRIBUTE id = { CKA_ID, vid, ID_LENGTH };
CK_ATTRIBUTE label = { CKA_LABEL, };
- vlabel = explicit_label ? (char *)explicit_label : parser->probable_label;
+ if (!vlabel)
+ vlabel = parser->basename;
if (vlabel) {
label.pValue = (void *)vlabel;
label.ulValueLen = strlen (vlabel);
@@ -277,6 +277,7 @@ build_x509_certificate (p11_parser *parser,
CK_ATTRIBUTE *attrs;
CK_CERTIFICATE_TYPE vx509 = CKC_X_509;
CK_BYTE vchecksum[3];
+ char *label;
CK_DATE vstart;
CK_DATE vend;
@@ -321,8 +322,18 @@ build_x509_certificate (p11_parser *parser,
if (!calc_element (cert, data, length, "tbsCertificate.serialNumber", &serial_number))
serial_number.type = CKA_INVALID;
- attrs = build_object (parser, CKO_CERTIFICATE, vid, NULL);
+ label = p11_x509_lookup_dn_name (parser->cert_asn, "tbsCertificate.subject",
+ parser->cert_der, parser->cert_len, P11_OID_CN);
+ if (!label)
+ label = p11_x509_lookup_dn_name (parser->cert_asn, "tbsCertificate.subject",
+ parser->cert_der, parser->cert_len, P11_OID_OU);
+ if (!label)
+ label = p11_x509_lookup_dn_name (parser->cert_asn, "tbsCertificate.subject",
+ parser->cert_der, parser->cert_len, P11_OID_O);
+
+ attrs = build_object (parser, CKO_CERTIFICATE, vid, label);
return_val_if_fail (attrs != NULL, NULL);
+ free (label);
attrs = p11_attrs_build (attrs, &certificate_type, &certificate_category,
&check_value, &trusted, &distrusted, &start_date, &end_date,
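Review bot: `free (label)` is placed after `return_val_if_fail (attrs != NULL, NULL)`, so the string returned by `p11_x509_lookup_dn_name` leaks whenever `build_object` fails; move the `free (label);` line directly above the check. Freeing here also assumes `build_object` copies the label rather than keeping the pointer, which the `free (attr->pValue)` in a later hunk suggests but this hunk does not show. Because the label is now taken from the certificate's own subject, a comment such as `/* CKA_LABEL is unauthenticated display text from the subject DN */` would keep later callers from treating it as an identifier. The three near-identical lookups could be a short loop over `P11_OID_CN`, `P11_OID_OU` and `P11_OID_O`. `build_x509_certificate` starts and ends outside this hunk.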
@@ -852,7 +863,7 @@ parse_openssl_trusted_certificate (p11_parser *parser,
{
CK_ATTRIBUTE *attrs;
CK_BYTE vid[ID_LENGTH];
- const char *old_label = NULL;
+ CK_ATTRIBUTE *attr;
char *label = NULL;
node_asn *cert;
node_asn *aux;
@@ -883,6 +894,12 @@ parse_openssl_trusted_certificate (p11_parser *parser,
begin_parsing (parser, cert, data, cert_len);
+ /* The CKA_ID links related objects */
+ id_generate (parser, vid);
+
+ attrs = build_x509_certificate (parser, vid, cert, data, cert_len);
+ return_val_if_fail (attrs != NULL, P11_PARSE_FAILURE);
+
/* Pull the label out of the CertAux */
len = 0;
ret = asn1_read_value (aux, "alias", NULL, &len);
@@ -893,16 +910,13 @@ parse_openssl_trusted_certificate (p11_parser *parser,
ret = asn1_read_value (aux, "alias", label, &len);
return_val_if_fail (ret == ASN1_SUCCESS, P11_PARSE_FAILURE);
- old_label = parser->probable_label;
- parser->probable_label = label;
+ attr = p11_attrs_find (attrs, CKA_LABEL);
+ assert (attr != NULL);
+ free (attr->pValue);
+ attr->pValue = label;
+ attr->ulValueLen = strlen (label);
}
- /* The CKA_ID links related objects */
- id_generate (parser, vid);
-
- attrs = build_x509_certificate (parser, vid, cert, data, cert_len);
- return_val_if_fail (attrs != NULL, P11_PARSE_FAILURE);
-
ret = build_openssl_extensions (parser, attrs, aux, data + cert_len, length - cert_len);
return_val_if_fail (ret == P11_PARSE_SUCCESS, ret);
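Review bot: `assert (attr != NULL)` is the only guard before `attr->pValue` is freed and overwritten, and it disappears in builds compiled with `NDEBUG`. `build_object` sets the label only inside `if (vlabel)`, so if it can omit CKA_LABEL when neither a subject name nor `parser->basename` is available (the rest of that function is outside this diff), a parsed file could reach a NULL dereference here. Handle the case explicitly instead, for example `if (attr == NULL) { free (label); return P11_PARSE_FAILURE; }`, or append the attribute. `parse_openssl_trusted_certificate` starts and ends outside this hunk.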
@@ -911,11 +925,6 @@ parse_openssl_trusted_certificate (p11_parser *parser,
asn1_delete_structure (&cert);
asn1_delete_structure (&aux);
- if (label) {
- parser->probable_label = old_label;
- free (label);
- }
-
return P11_PARSE_SUCCESS;
}
@@ -1002,7 +1011,7 @@ p11_parse_memory (p11_parser *parser,
return_val_if_fail (parser->sink == NULL, P11_PARSE_FAILURE);
base = basename (filename);
- parser->probable_label = base;
+ parser->basename = base;
parser->sink = sink;
parser->sink_data = sink_data;
parser->flags = flags;
@@ -1019,7 +1028,7 @@ p11_parse_memory (p11_parser *parser,
break;
}
- parser->probable_label = NULL;
+ parser->basename = NULL;
parser->sink = NULL;
parser->sink_data = NULL;
parser->flags = 0;
diff --git a/trust/tests/test-parser.c b/trust/tests/test-parser.c
index a504cab..52092d0 100644
--- a/trust/tests/test-parser.c
+++ b/trust/tests/test-parser.c
@@ -530,7 +530,7 @@ test_parse_with_key_usage (CuTest *cu)
{ CKA_PRIVATE, &vfalse, sizeof (vfalse) },
{ CKA_MODIFIABLE, &vfalse, sizeof (vfalse) },
{ CKA_CLASS, &klass, sizeof (klass) },
- { CKA_LABEL, "self-signed-with-ku.der", 23 },
+ { CKA_LABEL, "self-signed-with-ku.example.com", 31 },
{ CKA_CERTIFICATE_TYPE, &x509, sizeof (x509) },
{ CKA_CERTIFICATE_CATEGORY, &category, sizeof (category) },
{ CKA_CHECK_VALUE, "d/\x9c", 3 },
@@ -545,7 +545,7 @@ test_parse_with_key_usage (CuTest *cu)
};
CK_ATTRIBUTE nss_trust[] = {
- { CKA_LABEL, "self-signed-with-ku.der", 23 },
+ { CKA_LABEL, "self-signed-with-ku.example.com", 31 },
{ CKA_CLASS, &trust_object, sizeof (trust_object), },
{ CKA_CERT_SHA1_HASH, "d/\x9c=\xbc\x9a\x7f\x91\xc7wT\t`\x86\xe2\x8e\x8f\xa8J\x12", 20 },
{ CKA_CERT_MD5_HASH, "\xb1N=\x16\x12?dz\x97\x81""By/\xcc\x97\x82", 16 },
@@ -613,7 +613,7 @@ test_parse_anchor (CuTest *cu)
CK_X_ASSERTION_TYPE anchored_certificate = CKT_X_ANCHORED_CERTIFICATE;
CK_ATTRIBUTE nss_trust[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
{ CKA_CLASS, &trust_object, sizeof (trust_object), },
{ CKA_CERT_SHA1_HASH, "\xad\x7c\x3f\x64\xfc\x44\x39\xfe\xf4\xe9\x0b\xe8\xf4\x7c\x6c\xfa\x8a\xad\xfd\xce", 20 },
{ CKA_CERT_MD5_HASH, "\xf7\x25\x12\x82\x4e\x67\xb5\xd0\x8d\x92\xb7\x7c\x0b\x86\x7a\x42", 16 },
@@ -639,7 +639,7 @@ test_parse_anchor (CuTest *cu)
};
CK_ATTRIBUTE server_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
{ CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
{ CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -648,7 +648,7 @@ test_parse_anchor (CuTest *cu)
};
CK_ATTRIBUTE client_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
{ CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
{ CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -657,7 +657,7 @@ test_parse_anchor (CuTest *cu)
};
CK_ATTRIBUTE code_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
{ CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
{ CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -666,7 +666,7 @@ test_parse_anchor (CuTest *cu)
};
CK_ATTRIBUTE email_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
{ CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
{ CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -675,7 +675,7 @@ test_parse_anchor (CuTest *cu)
};
CK_ATTRIBUTE ipsec_system_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
{ CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
{ CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -684,7 +684,7 @@ test_parse_anchor (CuTest *cu)
};
CK_ATTRIBUTE ipsec_tunnel_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
{ CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
{ CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -693,7 +693,7 @@ test_parse_anchor (CuTest *cu)
};
CK_ATTRIBUTE ipsec_user_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
{ CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
{ CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },
@@ -702,7 +702,7 @@ test_parse_anchor (CuTest *cu)
};
CK_ATTRIBUTE stamping_anchor[] = {
- { CKA_LABEL, "cacert3.der", 11 },
+ { CKA_LABEL, "CAcert Class 3 Root", 19 },
{ CKA_CLASS, &trust_assertion, sizeof (trust_assertion) },
{ CKA_VALUE, (void *)test_cacert3_ca_der, sizeof (test_cacert3_ca_der) },
{ CKA_X_ASSERTION_TYPE, &anchored_certificate, sizeof (anchored_certificate) },