return NULL;
}
+static CK_RV
+check_index_writable (p11_session *session,
+ p11_index *index)
+{
+ if (index == p11_token_index (session->token)) {
+ if (!p11_token_is_writable (session->token))
+ return CKR_TOKEN_WRITE_PROTECTED;
+ else if (!session->read_write)
+ return CKR_SESSION_READ_ONLY;
+ }
+
+ return CKR_OK;
+}
static CK_RV
lookup_slot_inlock (CK_SLOT_ID id,
CK_ULONG pin_len,
CK_UTF8CHAR_PTR label)
{
- return_val_if_fail (check_slot (id), CKR_SLOT_ID_INVALID);
- return_val_if_reached (CKR_TOKEN_WRITE_PROTECTED);
+ p11_debug ("not supported");
+ return CKR_FUNCTION_NOT_SUPPORTED;
}
static CK_RV
} else if (!(flags & CKF_SERIAL_SESSION)) {
rv = CKR_SESSION_PARALLEL_NOT_SUPPORTED;
- } else if (flags & CKF_RW_SESSION) {
+ } else if ((flags & CKF_RW_SESSION) &&
+ !p11_token_is_writable (token)) {
rv = CKR_TOKEN_WRITE_PROTECTED;
} else {
session = p11_session_new (token);
if (p11_dict_set (gl.sessions, &session->handle, session)) {
rv = CKR_OK;
+ if (flags & CKF_RW_SESSION)
+ session->read_write = true;
*handle = session->handle;
p11_debug ("session: %lu", *handle);
} else {
CK_UTF8CHAR_PTR pin,
CK_ULONG pin_len)
{
- return_val_if_reached (CKR_TOKEN_WRITE_PROTECTED);
+ p11_debug ("not supported");
+ return CKR_FUNCTION_NOT_SUPPORTED;
}
static CK_RV
CK_UTF8CHAR_PTR new_pin,
CK_ULONG new_pin_len)
{
- return_val_if_reached (CKR_TOKEN_WRITE_PROTECTED);
+ p11_debug ("not supported");
+ return CKR_FUNCTION_NOT_SUPPORTED;
}
static CK_RV
CK_OBJECT_HANDLE_PTR new_object)
{
p11_session *session;
- CK_BBOOL token;
+ p11_index *index;
+ CK_BBOOL val;
CK_RV rv;
return_val_if_fail (new_object != NULL, CKR_ARGUMENTS_BAD);
rv = lookup_session (handle, &session);
if (rv == CKR_OK) {
- if (p11_attrs_findn_bool (template, count, CKA_TOKEN, &token) && token)
- rv = CKR_TOKEN_WRITE_PROTECTED;
+ if (p11_attrs_findn_bool (template, count, CKA_TOKEN, &val) && val)
+ index = p11_token_index (session->token);
+ else
+ index = session->index;
+ rv = check_index_writable (session, index);
}
if (rv == CKR_OK)
- rv = p11_index_add (session->index, template, count, new_object);
+ rv = p11_index_add (index, template, count, new_object);
p11_unlock ();
p11_session *session;
CK_ATTRIBUTE *original;
CK_ATTRIBUTE *attrs;
+ p11_index *index;
CK_BBOOL val;
CK_RV rv;
rv = lookup_session (handle, &session);
if (rv == CKR_OK) {
- original = lookup_object_inlock (session, object, NULL);
+ original = lookup_object_inlock (session, object, &index);
if (original == NULL)
rv = CKR_OBJECT_HANDLE_INVALID;
}
if (rv == CKR_OK) {
- if (p11_attrs_findn_bool (template, count, CKA_TOKEN, &val) && val)
- rv = CKR_TOKEN_WRITE_PROTECTED;
+ if (p11_attrs_findn_bool (template, count, CKA_TOKEN, &val))
+ index = val ? p11_token_index (session->token) : session->index;
+ rv = check_index_writable (session, index);
}
if (rv == CKR_OK) {
attrs = p11_attrs_dup (original);
attrs = p11_attrs_buildn (attrs, template, count);
attrs = p11_attrs_build (attrs, &token, NULL);
- rv = p11_index_take (session->index, attrs, new_object);
+ rv = p11_index_take (index, attrs, new_object);
}
p11_unlock ();
CK_OBJECT_HANDLE object)
{
p11_session *session;
+ CK_ATTRIBUTE *attrs;
+ p11_index *index;
+ CK_BBOOL val;
CK_RV rv;
p11_debug ("in");
rv = lookup_session (handle, &session);
if (rv == CKR_OK) {
- rv = p11_index_remove (session->index, object);
- if (rv == CKR_OBJECT_HANDLE_INVALID) {
- if (p11_index_lookup (p11_token_index (session->token), object))
- rv = CKR_TOKEN_WRITE_PROTECTED;
+ attrs = lookup_object_inlock (session, object, &index);
+ if (attrs == NULL)
+ rv = CKR_OBJECT_HANDLE_INVALID;
+ else
+ rv = check_index_writable (session, index);
+
+ if (rv == CKR_OK && p11_attrs_find_bool (attrs, CKA_MODIFIABLE, &val) && !val) {
+ /* TODO: This should be replaced with CKR_ACTION_PROHIBITED */
+ rv = CKR_FUNCTION_REJECTED;
}
+
+ if (rv == CKR_OK)
+ rv = p11_index_remove (index, object);
}
p11_unlock ();
CK_ULONG count)
{
p11_session *session;
+ CK_ATTRIBUTE *attrs;
+ p11_index *index;
+ CK_BBOOL val;
CK_RV rv;
p11_debug ("in");
rv = lookup_session (handle, &session);
if (rv == CKR_OK) {
- rv = p11_index_set (session->index, object, template, count);
- if (rv == CKR_OBJECT_HANDLE_INVALID) {
- if (p11_index_lookup (p11_token_index (session->token), object))
- rv = CKR_TOKEN_WRITE_PROTECTED;
+ attrs = lookup_object_inlock (session, object, &index);
+ if (attrs == NULL) {
+ rv = CKR_OBJECT_HANDLE_INVALID;
+
+ } else if (p11_attrs_find_bool (attrs, CKA_MODIFIABLE, &val) && !val) {
+ /* TODO: This should be replaced with CKR_ACTION_PROHIBITED */
+ rv = CKR_ATTRIBUTE_READ_ONLY;
}
+
+ if (rv == CKR_OK)
+ rv = check_index_writable (session, index);
+ if (rv == CKR_OK)
+ rv = p11_index_set (index, object, template, count);
}
p11_unlock ();
count = 1;
rv = test.module->C_GetSlotList (CK_TRUE, test.slots, &count);
- assert (rv == CKR_OK);
- assert (count == 1);
+ assert_num_eq (rv, CKR_OK);
+ assert_num_eq (count, 1);
}
static void
CK_ULONG count;
CK_RV rv;
- rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION, NULL, NULL, &session);
+ rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &session);
assert (rv == CKR_OK);
rv = test.module->C_FindObjectsInit (session, NULL, 0);
assert_num_eq (1, count);
rv = test.module->C_DestroyObject (session, handle);
- assert (rv == CKR_TOKEN_WRITE_PROTECTED);
+ assert_num_eq (rv, CKR_FUNCTION_REJECTED);
}
static void
CK_ULONG count;
CK_RV rv;
- rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION, NULL, NULL, &session);
+ rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &session);
assert (rv == CKR_OK);
rv = test.module->C_FindObjectsInit (session, NULL, 0);
assert_num_eq (1, count);
rv = test.module->C_SetAttributeValue (session, handle, original, 2);
- assert (rv == CKR_TOKEN_WRITE_PROTECTED);
+ assert_num_eq (rv, CKR_ATTRIBUTE_READ_ONLY);
}
static void
assert_num_eq (info.flags & CKF_WRITE_PROTECTED, 0);
}
+static void
+test_session_read_only_create (void)
+{
+ CK_ATTRIBUTE original[] = {
+ { CKA_CLASS, &data, sizeof (data) },
+ { CKA_LABEL, "yay", 3 },
+ { CKA_VALUE, "eight", 5 },
+ { CKA_TOKEN, &vtrue, sizeof (vtrue) },
+ { CKA_INVALID }
+ };
+
+ CK_SESSION_HANDLE session;
+ CK_OBJECT_HANDLE handle;
+ CK_RV rv;
+
+ /* Read-only session */
+ rv = test.module->C_OpenSession (test.slots[0], CKF_SERIAL_SESSION,
+ NULL, NULL, &session);
+ assert (rv == CKR_OK);
+
+ /* Create a token object */
+ rv = test.module->C_CreateObject (session, original, 4, &handle);
+ assert_num_eq (rv, CKR_SESSION_READ_ONLY);
+}
+
int
main (int argc,
char *argv[])
p11_fixture (setup_writable, teardown);
p11_test (test_token_writable, "/module/token-writable");
+ p11_test (test_session_read_only_create, "/module/session-read-only-create");
return p11_test_run (argc, argv);
}
projects / p11-kit / commitdiff