authorStef Walter <stefw@gnome.org>2013-03-08 21:30:35 +0100
committerStef Walter <stefw@gnome.org>2013-03-08 21:38:54 +0100
commit66fbcf7b6aac7fb808d3146335625cc15d4d2959 (patch)
tree853602edbb4e50021553890c6bc0b315d55bdb27
parentb96095115a17818d3e6107e10bad0fef757611d7 (diff)
downloadp11-kit-66fbcf7b6aac7fb808d3146335625cc15d4d2959.tar.gz
Hard code distrust temporarily.
This is because we have no way to load this data into the trust module. Working on a real solution.
-rw-r--r--trust/token.c150
1 files changed, 149 insertions, 1 deletions
diff --git a/trust/token.c b/trust/token.c
index c9271ca..46eea20 100644
--- a/trust/token.c
+++ b/trust/token.c
@@ -215,10 +215,12 @@ static int
load_builtin_objects (p11_token *token)
{
CK_OBJECT_CLASS builtin = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
- const char *trust_anchor_roots = "Trust Anchor Roots";
+ CK_OBJECT_CLASS nss_trust = CKO_NETSCAPE_TRUST;
+ CK_TRUST nss_not_trusted = CKT_NETSCAPE_UNTRUSTED;
CK_BBOOL vtrue = CK_TRUE;
CK_BBOOL vfalse = CK_FALSE;
+ const char *trust_anchor_roots = "Trust Anchor Roots";
CK_ATTRIBUTE builtin_root_list[] = {
{ CKA_CLASS, &builtin, sizeof (builtin) },
{ CKA_TOKEN, &vtrue, sizeof (vtrue) },
@@ -227,7 +229,153 @@ load_builtin_objects (p11_token *token)
{ CKA_LABEL, (void *)trust_anchor_roots, strlen (trust_anchor_roots) },
};
+ /* Explicitly Distrust "MITM subCA 1 issued by Trustwave", Bug 724929 */
+ char label_trustwave1[] = "MITM subCA 1 issued by Trustwave";
+ char issuer_trustwave1[] =
+ "\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123"
+ "\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156"
+ "\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150"
+ "\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030"
+ "\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156"
+ "\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004"
+ "\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147"
+ "\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156"
+ "\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060"
+ "\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141"
+ "\100\164\162\165\163\164\167\141\166\145\056\143\157\155";
+ char serial_trustwave1[] = "\002\004\153\111\322\005";
+ CK_ATTRIBUTE distrust_trustwave1[] = {
+ { CKA_CLASS, &nss_trust, sizeof (nss_trust) },
+ { CKA_TOKEN, &vtrue, sizeof (vtrue) },
+ { CKA_PRIVATE, &vfalse, sizeof (vfalse) },
+ { CKA_MODIFIABLE, &vfalse, sizeof (vfalse) },
+ { CKA_LABEL, label_trustwave1, sizeof (label_trustwave1) - 1 },
+ { CKA_ISSUER, issuer_trustwave1, sizeof (issuer_trustwave1) -1 },
+ { CKA_SERIAL_NUMBER, serial_trustwave1, sizeof (serial_trustwave1) - 1 },
+ { CKA_TRUST_SERVER_AUTH, &nss_not_trusted, sizeof (nss_not_trusted) },
+ { CKA_TRUST_EMAIL_PROTECTION, &nss_not_trusted, sizeof (nss_not_trusted) },
+ { CKA_TRUST_CODE_SIGNING, &nss_not_trusted, sizeof (nss_not_trusted) },
+ { CKA_TRUST_STEP_UP_APPROVED, &vfalse, sizeof (vfalse) },
+ };
+
+ /* Explicitly Distrust "MITM subCA 2 issued by Trustwave", Bug 724929 */
+ char label_trustwave2[] = "MITM subCA 2 issued by Trustwave";
+ char issuer_trustwave2[] =
+ "\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123"
+ "\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156"
+ "\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150"
+ "\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030"
+ "\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156"
+ "\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004"
+ "\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147"
+ "\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156"
+ "\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060"
+ "\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141"
+ "\100\164\162\165\163\164\167\141\166\145\056\143\157\155";
+ char serial_trustwave2[] = "\002\004\153\111\322\006";
+ CK_ATTRIBUTE distrust_trustwave2[] = {
+ { CKA_CLASS, &nss_trust, sizeof (nss_trust) },
+ { CKA_TOKEN, &vtrue, sizeof (vtrue) },
+ { CKA_PRIVATE, &vfalse, sizeof (vfalse) },
+ { CKA_MODIFIABLE, &vfalse, sizeof (vfalse) },
+ { CKA_LABEL, label_trustwave2, sizeof (label_trustwave2) - 1 },
+ { CKA_ISSUER, issuer_trustwave2, sizeof (issuer_trustwave2) -1 },
+ { CKA_SERIAL_NUMBER, serial_trustwave2, sizeof (serial_trustwave2) - 1 },
+ { CKA_TRUST_SERVER_AUTH, &nss_not_trusted, sizeof (nss_not_trusted) },
+ { CKA_TRUST_EMAIL_PROTECTION, &nss_not_trusted, sizeof (nss_not_trusted) },
+ { CKA_TRUST_CODE_SIGNING, &nss_not_trusted, sizeof (nss_not_trusted) },
+ { CKA_TRUST_STEP_UP_APPROVED, &vfalse, sizeof (vfalse) },
+ };
+
+ /* Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 1", Bug 825022 */
+ char label_turktrust1[] = "TURKTRUST Mis-issued Intermediate CA 1";
+ char issuer_turktrust1[] =
+ "\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303"
+ "\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157"
+ "\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151"
+ "\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145"
+ "\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061"
+ "\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124"
+ "\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164"
+ "\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151"
+ "\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151"
+ "\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050"
+ "\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065";
+ char serial_turktrust1[] = "\002\002\010\047";
+ CK_ATTRIBUTE distrust_turktrust1[] = {
+ { CKA_CLASS, &nss_trust, sizeof (nss_trust) },
+ { CKA_TOKEN, &vtrue, sizeof (vtrue) },
+ { CKA_PRIVATE, &vfalse, sizeof (vfalse) },
+ { CKA_MODIFIABLE, &vfalse, sizeof (vfalse) },
+ { CKA_LABEL, label_turktrust1, sizeof (label_turktrust1) - 1 },
+ { CKA_ISSUER, issuer_turktrust1, sizeof (issuer_turktrust1) -1 },
+ { CKA_SERIAL_NUMBER, serial_turktrust1, sizeof (serial_turktrust1) - 1 },
+ { CKA_TRUST_SERVER_AUTH, &nss_not_trusted, sizeof (nss_not_trusted) },
+ { CKA_TRUST_EMAIL_PROTECTION, &nss_not_trusted, sizeof (nss_not_trusted) },
+ { CKA_TRUST_CODE_SIGNING, &nss_not_trusted, sizeof (nss_not_trusted) },
+ { CKA_TRUST_STEP_UP_APPROVED, &vfalse, sizeof (vfalse) },
+ };
+
+ /* Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 2", Bug 825022 */
+ char label_turktrust2[] = "TURKTRUST Mis-issued Intermediate CA 2";
+ char issuer_turktrust2[] =
+ "\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303"
+ "\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157"
+ "\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151"
+ "\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145"
+ "\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061"
+ "\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124"
+ "\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164"
+ "\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151"
+ "\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151"
+ "\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050"
+ "\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065";
+ char serial_turktrust2[] = "\002\002\010\144";
+ CK_ATTRIBUTE distrust_turktrust2[] = {
+ { CKA_CLASS, &nss_trust, sizeof (nss_trust) },
+ { CKA_TOKEN, &vtrue, sizeof (vtrue) },
+ { CKA_PRIVATE, &vfalse, sizeof (vfalse) },
+ { CKA_MODIFIABLE, &vfalse, sizeof (vfalse) },
+ { CKA_LABEL, label_turktrust2, sizeof (label_turktrust2) - 1 },
+ { CKA_ISSUER, issuer_turktrust2, sizeof (issuer_turktrust2) -1 },
+ { CKA_SERIAL_NUMBER, serial_turktrust2, sizeof (serial_turktrust2) - 1 },
+ { CKA_TRUST_SERVER_AUTH, &nss_not_trusted, sizeof (nss_not_trusted) },
+ { CKA_TRUST_EMAIL_PROTECTION, &nss_not_trusted, sizeof (nss_not_trusted) },
+ { CKA_TRUST_CODE_SIGNING, &nss_not_trusted, sizeof (nss_not_trusted) },
+ { CKA_TRUST_STEP_UP_APPROVED, &vfalse, sizeof (vfalse) },
+ };
+
+ /* Explicitly Distrust "Explicitly distrust p11-kit Test SUB CA" */
+ char label_p11subca[] = "Explicitly distrust p11-kit Test SUB CA";
+ char issuer_p11subca[] =
+ "\060\152\061\013\060\011\006\003\125\004\006\023\002\104\105\061"
+ "\023\060\021\006\003\125\004\010\023\012\124\145\163\164\040\123"
+ "\164\141\164\145\061\021\060\017\006\003\125\004\007\023\010\124"
+ "\145\163\164\040\114\157\143\061\031\060\027\006\003\125\004\012"
+ "\023\020\160\061\061\055\153\151\164\040\124\145\163\164\040\117"
+ "\162\147\061\030\060\026\006\003\125\004\003\023\017\160\061\061"
+ "\055\153\151\164\040\124\145\163\164\040\103\101";
+ char serial_p11subca[] = "\002\002\047\020";
+ CK_ATTRIBUTE distrust_p11subca[] = {
+ { CKA_CLASS, &nss_trust, sizeof (nss_trust) },
+ { CKA_TOKEN, &vtrue, sizeof (vtrue) },
+ { CKA_PRIVATE, &vfalse, sizeof (vfalse) },
+ { CKA_MODIFIABLE, &vfalse, sizeof (vfalse) },
+ { CKA_LABEL, label_p11subca, sizeof (label_p11subca) - 1 },
+ { CKA_ISSUER, issuer_p11subca, sizeof (issuer_p11subca) -1 },
+ { CKA_SERIAL_NUMBER, serial_p11subca, sizeof (serial_p11subca) - 1 },
+ { CKA_TRUST_SERVER_AUTH, &nss_not_trusted, sizeof (nss_not_trusted) },
+ { CKA_TRUST_EMAIL_PROTECTION, &nss_not_trusted, sizeof (nss_not_trusted) },
+ { CKA_TRUST_CODE_SIGNING, &nss_not_trusted, sizeof (nss_not_trusted) },
+ { CKA_TRUST_STEP_UP_APPROVED, &vfalse, sizeof (vfalse) },
+ };
+
on_parser_object (p11_attrs_buildn (NULL, builtin_root_list, ELEMS (builtin_root_list)), token);
+ on_parser_object (p11_attrs_buildn (NULL, distrust_trustwave1, ELEMS (distrust_trustwave1)), token);
+ on_parser_object (p11_attrs_buildn (NULL, distrust_trustwave2, ELEMS (distrust_trustwave2)), token);
+ on_parser_object (p11_attrs_buildn (NULL, distrust_turktrust1, ELEMS (distrust_turktrust1)), token);
+ on_parser_object (p11_attrs_buildn (NULL, distrust_turktrust2, ELEMS (distrust_turktrust2)), token);
+ on_parser_object (p11_attrs_buildn (NULL, distrust_p11subca, ELEMS (distrust_p11subca)), token);
return 1;
}
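Review bot: The issuer DER blobs in the two Trustwave entries and the two TURKTRUST entries are copied byte-for-byte, and since each distrust object is presumably matched against a certificate by CKA_ISSUER plus CKA_SERIAL_NUMBER, a single mis-typed octal escape in one copy would silently turn that entry into a no-op (failing open) rather than failing loudly. Declare each issuer once (`char issuer_trustwave[] = ...;` and `char issuer_turktrust[] = ...;`) and reference it from both attribute tables, e.g. `{ CKA_ISSUER, issuer_trustwave, sizeof (issuer_trustwave) - 1 },`, so the two serials share one blob that can be checked against certdata in one place. The commit message calls this temporary but nothing in the code says so; a marker such as `/* FIXME: hard-coded distrust list, to be replaced once the trust module can load this data from files */` above the first entry would keep it from being forgotten when the real loader lands. The result of p11_attrs_buildn() is handed straight to on_parser_object() without a NULL check and load_builtin_objects() unconditionally returns 1, so if the builder can fail on allocation it is worth confirming that on_parser_object() copes with a NULL attribute list.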