trust: Check magic comment in persist file for modifiablity

A persistent file written by the trust module starts with the line "#
This file has been auto-generated and written by p11-kit".  This can
be used as a magic word to determine whether the objects read from a
.p11-kit file are read-only.

diff --git a/trust/parser.c b/trust/parser.c
index 41513d4f435b8480dde9ca244132d09dcdfd02b0..abe86fc3d7b8494612acbc9a51e394f0ad2892b3 100644 (file)
--- a/trust/parser.c
+++ b/trust/parser.c
@@ -49,6 +49,7 @@
 #include "pem.h"
 #include "pkcs11x.h"
 #include "persist.h"
+#include "types.h"
 #include "x509.h"
 
 #include <libtasn1.h>
@@ -630,7 +631,10 @@ p11_parser_format_persist (p11_parser *parser,
        ret = p11_persist_read (parser->persist, parser->basename, data, length, objects);
        if (ret) {
                for (i = 0; i < objects->num; i++) {
-                       attrs = p11_attrs_build (objects->elem[i], &modifiable, NULL);
+                       CK_BBOOL generatedv;
+                       attrs = objects->elem[i];
+                       if (p11_attrs_find_bool (attrs, CKA_X_GENERATED, &generatedv) && generatedv)
+                               attrs = p11_attrs_build (attrs, &modifiable, NULL);
                        sink_object (parser, attrs);
                }
        }

diff --git a/trust/persist.c b/trust/persist.c
index 63a531ecd276c1bf7f31c7414703606870124a60..928260e43437499c318207a1c9fb17a25cd627af 100644 (file)
--- a/trust/persist.c
+++ b/trust/persist.c
@@ -631,6 +631,9 @@ p11_persist_read (p11_persist *persist,
        CK_ATTRIBUTE *attrs;
        bool failed;
        bool skip;
+       CK_BBOOL generatedv = CK_FALSE;
+       CK_ATTRIBUTE generated = { CKA_X_GENERATED, &generatedv, sizeof (generatedv) };
+       static const char comment[] = "# This file has been auto-generated and written by p11-kit.";
 
        return_val_if_fail (persist != NULL, false);
        return_val_if_fail (objects != NULL, false);
@@ -639,6 +642,10 @@ p11_persist_read (p11_persist *persist,
        attrs = NULL;
        failed = false;
 
+       if (length >= sizeof (comment) - 1 &&
+           memcmp ((const char *)data, comment, sizeof (comment) - 1) == 0)
+               generatedv = CK_TRUE;
+
        p11_lexer_init (&lexer, filename, (const char *)data, length);
        while (p11_lexer_next (&lexer, &failed)) {
                switch (lexer.tok_type) {
@@ -650,7 +657,7 @@ p11_persist_read (p11_persist *persist,
                                p11_lexer_msg (&lexer, "unrecognized or invalid section header");
                                skip = true;
                        } else {
-                               attrs = p11_attrs_build (NULL, NULL);
+                               attrs = p11_attrs_build (NULL, &generated, NULL);
                                return_val_if_fail (attrs != NULL, false);
                                skip = false;
                        }

diff --git a/trust/test-token.c b/trust/test-token.c
index ad22fcb3e5c050aa43b59cd15eab76e90416f83e..3e7d735e3fd388c4b68ea4e1fb87399314390c9b 100644 (file)
--- a/trust/test-token.c
+++ b/trust/test-token.c
@@ -610,6 +610,7 @@ static void
 test_modify_multiple (void)
 {
        const char *test_data =
+               "# This file has been auto-generated and written by p11-kit.\n"
                "[p11-kit-object-v1]\n"
                "class: data\n"
                "label: \"first\"\n"