Bug 73558

Summary: Anchors that are on blacklisted remain in extract-compat --filter=ca-anchors
Product: p11-glue Reporter: Stef Walter <stefw>
Component: p11-kitAssignee: Stef Walter <stefw>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: medium CC: stefw
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments: enumerate: Use p11_enumerate_ready() from tests
attrs: Allow NULL attribute to be passed to p11_attr_hash()
enumerate: Preload and respect blacklist across all tokens

Description Stef Walter 2014-01-13 14:45:17 UTC 
Anchors that are blacklisted remain in the output of extract-compat with --filter=ca-anchors.

This occurs when the blacklist occurs in a different PKCS#11 module than where the anchor is stored.
Comment 1 Stef Walter 2014-01-13 14:52:53 UTC 
More info here: https://bugzilla.redhat.com/show_bug.cgi?id=1041328
Comment 2 Stef Walter 2014-01-13 17:17:54 UTC 
Created attachment 91961 [details] [review]
enumerate: Use p11_enumerate_ready() from tests

This gives a little broader testing of the enumerator
Comment 3 Stef Walter 2014-01-13 17:17:57 UTC 
Created attachment 91962 [details] [review]
attrs: Allow NULL attribute to be passed to p11_attr_hash()

This allows simpler lookups.
Comment 4 Stef Walter 2014-01-13 17:18:00 UTC 
Created attachment 91963 [details] [review]
enumerate: Preload and respect blacklist across all tokens

This fixes an issue where a blacklist in one token wasn't properly
skipping anchors being extracted with extract-compat
Comment 5 Stef Walter 2014-01-13 17:21:05 UTC 
These patches fix the problem. However it's apparent that we need integration testing upstream to catch issues like this.
Comment 6 Stef Walter 2014-01-14 14:15:55 UTC 
Attachment 91961 [details] pushed as 8d5bff6 - enumerate: Use p11_enumerate_ready() from tests
Attachment 91962 [details] pushed as 6bc661e - attrs: Allow NULL attribute to be passed to p11_attr_hash()
Attachment 91963 [details] pushed as 635c22f - enumerate: Preload and respect blacklist across all tokens
Comment 7 Stef Walter 2014-01-14 14:19:32 UTC 
Integration test in this commit:

commit 99904e84d9f8f0637f66107807ac4ac9e3339e4a
Author: Stef Walter <stef@thewalter.net>
Date:   Tue Jan 14 11:20:57 2014 +0100

    trust: Add installcheck target for testing extract
    
    This is an integration test that the extract and blacklist
    functionality basics work.
    
    More integration tests should follow, at which point we should
    place the various generic testing bits into their own file.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.