diff options
| author | Stef Walter <stefw@redhat.com> | 2014-10-09 08:15:29 +0200 |
|---|---|---|
| committer | Stef Walter <stefw@redhat.com> | 2014-10-09 13:08:05 +0200 |
| commit | 03d280df9a73aca5cb6eabbcb97ef3ca4e1ae0e5 (patch) | |
| tree | 943e5da0523a6c6094026cc96e393d40fee1e282 /trust/test-trust.c | |
| parent | b3579cb54bd5cd16e9740404408b2505b4b1e26b (diff) | |
| download | p11-kit-03d280df9a73aca5cb6eabbcb97ef3ca4e1ae0e5.tar.gz | |
trust: Certificate CKA_ID is SubjectKeyIdentifier if possible
The PKCS#11 spec states that the CKA_ID should match the
SubjectKeyIdentifier if such an extension is present.
We delay the filling of CKA_ID until the builder phase of populating
attributes which allows us to have more control over how this works.
Note that we don't make CKA_ID reflect SubjectKeyIdentifier *attached*
extensions. The CKA_ID isn't supposed to change after object creation.
Making it dependent on attached extensions would be making promises
we cannot keep, since attached extensions can be added/removed at any
time.
This also means the CKA_ID of attached extensions and certificates
won't necessarily match up, but that was never promised, and not how
attached extensions should be matched to their certificate anyway.
Based on a patch and research done by David Woodhouse.
https://bugs.freedesktop.org/show_bug.cgi?id=84761
Diffstat (limited to 'trust/test-trust.c')
| -rw-r--r-- | trust/test-trust.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/trust/test-trust.c b/trust/test-trust.c index 20306e0..802007d 100644 --- a/trust/test-trust.c +++ b/trust/test-trust.c @@ -131,6 +131,8 @@ test_check_attrs_msg (const char *file, CK_OBJECT_CLASS klass; CK_ATTRIBUTE *attr; + assert (expected != NULL); + if (!p11_attrs_find_ulong (expected, CKA_CLASS, &klass)) klass = CKA_INVALID; |