Anchors that are blacklisted remain in the output of extract-compat with --filter=ca-anchors. This occurs when the blacklist occurs in a different PKCS#11 module than where the anchor is stored.
More info here: https://bugzilla.redhat.com/show_bug.cgi?id=1041328
Created attachment 91961
enumerate: Use p11_enumerate_ready() from tests

This gives a little broader testing of the enumerator

Created attachment 91962
attrs: Allow NULL attribute to be passed to p11_attr_hash()

This allows simpler lookups.

Created attachment 91963
enumerate: Preload and respect blacklist across all tokens

This fixes an issue where a blacklist in one token wasn't properly skipping anchors being extracted with extract-compat
These patches fix the problem. However, it's apparent that we need integration testing upstream to catch issues like this.
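The failure mode in this report, as an added example that is not part of the bug thread or of p11-kit's code: a simplified C model that filters anchors once against the blacklist of the anchor's own token and once against blacklist entries gathered from every token. The struct, the token names and the certificate ids are constructed, and matching a blacklist entry to an anchor by a value id is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not p11-kit's data structures): one certificate object on a token. */
struct cert_obj {
    const char *token;     /* token that stores the object */
    const char *value_id;  /* stand-in for the certificate value */
    bool anchor;           /* stored as a trusted CA anchor */
    bool blacklisted;      /* stored as a blacklist entry */
};

/* Constructed sample: "bad-ca" is an anchor on one token, blacklisted on another. */
static const struct cert_obj sample[] = {
    { "system-token", "good-ca", true,  false },
    { "system-token", "bad-ca",  true,  false },
    { "admin-token",  "bad-ca",  false, true  },
};
#define N_SAMPLE (sizeof(sample) / sizeof(sample[0]))

/* True if value_id is blacklisted on `token`; token == NULL searches every token. */
static bool is_blacklisted(const struct cert_obj *o, size_t n, const char *value_id, const char *token)
{
    for (size_t i = 0; i < n; i++)
        if (o[i].blacklisted && strcmp(o[i].value_id, value_id) == 0 &&
            (token == NULL || strcmp(o[i].token, token) == 0))
            return true;
    return false;
}

/* same_token_only=true models the reported behaviour; false checks all tokens' blacklists. */
size_t extract_anchors(const struct cert_obj *o, size_t n, bool same_token_only, const char **out)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        const char *scope = same_token_only ? o[i].token : NULL;
        if (o[i].anchor && !is_blacklisted(o, n, o[i].value_id, scope))
            out[count++] = o[i].value_id;
    }
    return count;
}

int main(void)
{
    const char *out[N_SAMPLE];
    printf("same-token blacklist only: %zu anchors\n", extract_anchors(sample, N_SAMPLE, true, out));
    printf("blacklist from all tokens: %zu anchors\n", extract_anchors(sample, N_SAMPLE, false, out));
    return 0;
}
```

A regression check for this class of bug needs the anchor and its blacklist entry placed on different tokens, as in the sample; a single-token fixture passes under both filters.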
Attachment 91961 pushed as 8d5bff6 - enumerate: Use p11_enumerate_ready() from tests
Attachment 91962 pushed as 6bc661e - attrs: Allow NULL attribute to be passed to p11_attr_hash()
Attachment 91963 pushed as 635c22f - enumerate: Preload and respect blacklist across all tokens
Integration test in this commit:

commit 99904e84d9f8f0637f66107807ac4ac9e3339e4a
Author: Stef Walter <stef@thewalter.net>
Date:   Tue Jan 14 11:20:57 2014 +0100

    trust: Add installcheck target for testing extract

    This is an integration test that the extract and blacklist functionality basics work. More integration tests should follow, at which point we should place the various generic testing bits into their own file.