TOOLS = $(top_srcdir)/tools/tests
prepare-certs:
- cp -v cacert3.der $(TRUST)/anchors
+ cp -v cacert3.der $(TRUST)/input/anchors
cp -v cacert3.der $(TRUST)/files
cp -v cacert3.der $(TOOLS)/files
openssl x509 -in cacert3.der -inform DER -out $(TRUST)/files/cacert3.pem
-addreject ipsecUser -addreject timeStamping
cat $(TOOLS)/files/cacert3-trusted-client-server-alias.pem \
$(TOOLS)/files/cacert3-trusted-alias.pem > $(TOOLS)/files/cacert3-trusted-multiple.pem
- cp -v cacert-ca.der $(TRUST)/certificates
+ cp -v cacert-ca.der $(TRUST)/input
cp -v cacert-ca.der $(TRUST)/files
openssl x509 -in redhat-newca.der -inform DER -out $(TRUST)/files/distrusted.pem \
-addreject clientAuth -setalias "Red Hat Is the CA"
- cp -v self-server.der $(TRUST)/files
- cp -v self-signed-with-eku.der $(TRUST)/certificates
- cp -v self-signed-with-ku.der $(TRUST)/certificates
- cp -v testing-ca.der $(TRUST)/anchors
+ cp -v $(TRUST)/files/distrusted.pem $(TRUST)/input
+ cp -v self-server.der $(TRUST)/input/blacklist
+ cp -v self-signed-with-eku.der $(TRUST)/files
+ cp -v self-signed-with-ku.der $(TRUST)/files
+ cp -v testing-ca.der $(TRUST)/input/anchors
cp -v testing-server.der $(TRUST)/files
# Rebuild the self-signed certificates. This is almost never necessary and
AM_CONDITIONAL(WITH_TRUST_MODULE, test "$enable_trust_module" = "yes")
AC_MSG_RESULT([$enable_trust_module])
-AC_ARG_WITH([system-anchors],
- AS_HELP_STRING([--with-system-anchors=@<:@path@:>@]:
- [files or directories containing system CA anchors])
+AC_ARG_WITH([trust-paths],
+ AS_HELP_STRING([--with-trust-paths=@<:@path@:>@]:
+ [input paths for trust module])
)
-AC_MSG_CHECKING([location of system CA anchors])
+AC_MSG_CHECKING([for trust module paths])
# This option was disabled, no anchors
-if test "$with_system_anchors" = "no"; then
- with_system_anchors=""
+if test "$with_trust_paths" = "no"; then
+ with_trust_paths=""
AC_MSG_RESULT([disabled])
elif test "$enable_trust_module" != "yes"; then
- if test "$with_system_anchors" != ""; then
- AC_MSG_ERROR([need --enable-trust-module in order to use system anchors.])
+ if test "$with_trust_paths" != ""; then
+ AC_MSG_ERROR([need --enable-trust-module in order to specify trust module paths.])
fi
- with_system_anchors=""
+ with_trust_paths=""
AC_MSG_RESULT([disabled])
# Option was not set, try to detect
-elif test "$with_system_anchors" = "" -o "$with_system_anchors" = "yes"; then
- with_system_anchors=""
+elif test "$with_trust_paths" = "" -o "$with_trust_paths" = "yes"; then
+ with_trust_paths=""
for f in /etc/pki/tls/certs/ca-bundle.crt \
/etc/ssl/certs/ca-certificates.crt \
/etc/ssl/ca-bundle.pem \
/etc/ssl/ca-bundle.crt; do
if test -f "$f"; then
- with_system_anchors="$f"
+ with_trust_paths="$f"
break
fi
done
- if test "$with_system_anchors" = ""; then
- AC_MSG_ERROR([could not find. Use --with-system-anchors=path to set, or --without-system-anchors to disable])
+ if test "$with_trust_paths" = ""; then
+ AC_MSG_ERROR([could not find. Use --with-trust-paths=/path to set, or --without-trust-paths to disable])
fi
- AC_MSG_RESULT($with_system_anchors)
+ AC_MSG_RESULT($with_trust_paths)
else
# Anchors explicitly set
- AC_MSG_RESULT($with_system_anchors)
+ AC_MSG_RESULT($with_trust_paths)
fi
-AC_DEFINE_UNQUOTED(SYSTEM_ANCHORS, ["$with_system_anchors"], [The system anchor paths])
-AC_SUBST(with_system_anchors)
-
-AC_ARG_WITH([system-certificates],
- AS_HELP_STRING([--with-system-certificates=@<:@path@:>@]:
- [files or directories containing additional system certificates])
-)
-
-AC_MSG_CHECKING([location of additional system certificates])
-
-# This option was disabled, no additional certificates
-if test "$with_system_certificates" = "no"; then
- with_system_certificates=""
- AC_MSG_RESULT([disabled])
-
-elif test "$enable_trust_module" != "yes"; then
- if test "$with_system_certificates" != ""; then
- AC_MSG_ERROR([need --enable-trust-module in order to use additional system certificates.])
- fi
- with_system_certificates=""
- AC_MSG_RESULT([disabled])
-
-elif test "$with_system_certificates" = "yes"; then
- AC_MSG_ERROR([--with-system-certificates requires paths as an argument])
-
-else
- # Anchors explicitly set
- AC_MSG_RESULT($with_system_certificates)
-fi
-
-AC_DEFINE_UNQUOTED(SYSTEM_CERTIFICATES, ["$with_system_certificates"], [Additional system certificate paths])
-AC_SUBST(with_system_certificates)
+AC_DEFINE_UNQUOTED(TRUST_PATHS, ["$with_trust_paths"], [The trust module input paths])
+AC_SUBST(with_trust_paths)
# --------------------------------------------------------------------
# GTK Doc
])
AC_OUTPUT
+# Format paths arguments which should wrap correctly in the output
+indent='\n '
+trust_status=$(echo "$with_trust_paths" | sed -e "s/:/$indent/g")
+
AC_MSG_NOTICE([build options:
Host: $host
With libtasn1 dependency: $with_libtasn1
Build trust module: $enable_trust_module
- System certificate anchor paths: $with_system_anchors
- Other system certificate paths: $with_system_certificates
+ Trust module paths: $trust_status
+
])
information is exposed as PKCS#11 objects.</para>
<section id="trust-files">
- <title>Files loaded by the Module</title>
+ <title>Paths loaded by the Module</title>
<para>The trust module loads certificates and trust policy information
- from preconfigured directories and allows them to be looked up via
- PKCS#11. The directories can be determined with using the following
- commands:</para>
+ from preconfigured paths and allows them to be looked up via PKCS#11.
+ The input paths can be determined with using the following command:</para>
- <itemizedlist>
- <listitem>
- <para>System Anchors: certificates in these locations
- are automatically treated as certificate authority anchors
- unless they contain information that prevents that. To check
- which locations are being used, run the following command:</para>
-<programlisting>
-$ pkg-config --variable p11_system_anchors p11-kit-1
-/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/anchors
-</programlisting>
- </listitem>
- <listitem>
- <para>System Certificates: certificates in these locations
- are not treated as anchors, but simply made available through
- the module. To find out which directory is used, run the
- following command:</para>
<programlisting>
-$ pkg-config --variable p11_system_certificates p11-kit-1
-/etc/pki/tls/other-certs
+$ pkg-config --variable p11_trust_paths p11-kit-1
+/usr/share/p11-kit/trust:/etc/pki/trust
</programlisting>
- </listitem>
- </itemizedlist>
<para>Files in the following formats are supported for loading by the
trust policy module:</para>
<variablelist>
<varlistentry>
<term>X.509 certificates</term>
- <listitem><para>X.509 certificates in raw DER format.</para></listitem>
+ <listitem><para>X.509 certificates in raw DER format. Does not
+ automatically contain trust policy information.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PEM certificates</term>
+ <listitem><para>X.509 certificates in PEM format. These have a
+ <literal>BEGIN CERTIFICATE</literal> header. This file does not
+ automatically contain trust policy information.</para></listitem>
</varlistentry>
<varlistentry>
<term>OpenSSL trust certificates</term>
<listitem><para>OpenSSL specific certificates in PEM format
that contain trust information. These have a
- <literal>TRUSTED CERTIFICATE</literal> PEM header. Both
- trust policy and blacklist information can be loaded
+ <literal>BEGIN TRUSTED CERTIFICATE</literal> PEM header. Both
+ trust anchor and blacklist information can be loaded
from these files.</para></listitem>
</varlistentry>
</variablelist>
+
+ <para>If the input path is a file, then it is loaded. Certificate(s) in the
+ file are automatically treated as anchors, unless they contain alternate
+ trust policy information.</para>
+
+ <para>If the input path is a directory, files inside that directory are
+ parsed and loaded. If the file contains trust policy information (such as the
+ OpenSSL trust certificates) then it will be respected. Files without trust policy
+ information are not automatically marked as an anchor or blacklisted.</para>
+
+ <para>In addition two optional subdirectories of the input path are loaded. Files
+ placed in the <literal>anchors/</literal> subdirectory become trust anchors
+ when they do not contain trust policy information. Files placed in the
+ <literal>blacklist/</literal> subdirectory are blacklisted whether they
+ contain trust information or not.</para>
+
+ <para>The first input path becomes the first PKCS#11 token of the trust
+ module, and has the highest priority when callers search for trust
+ policy information.</para>
</section>
<section id="trust-nss">
p11_module_path=@p11_module_path@
proxy_module=@libdir@/p11-kit-proxy.so
-p11_system_anchors=@with_system_anchors@
-p11_system_certificates=@with_system_certificates@
-
# This is for compatibility. Other packages were using this to determine
# the directory they should install their module configs to, so override
# this and redirect them to the new location
static struct _Shared {
p11_dict *sessions;
p11_token *token;
- char *anchor_paths;
- char *certificate_paths;
+ char *paths;
} gl = { NULL, NULL };
/* Used during FindObjects */
else
*(value++) = 0;
- if (strcmp (arg, "anchors") == 0) {
- free (gl.anchor_paths);
- gl.anchor_paths = value ? strdup (value) : NULL;
-
- } else if (strcmp (arg, "certificates") == 0) {
- free (gl.certificate_paths);
- gl.certificate_paths = value ? strdup (value) : NULL;
+ if (strcmp (arg, "paths") == 0) {
+ free (gl.paths);
+ gl.paths = value ? strdup (value) : NULL;
} else {
p11_message ("unrecognized module argument: %s", arg);
rv = CKR_CRYPTOKI_NOT_INITIALIZED;
} else {
- free (gl.certificate_paths);
- free (gl.anchor_paths);
- gl.certificate_paths = gl.anchor_paths = NULL;
+ free (gl.paths);
+ gl.paths = NULL;
p11_dict_free (gl.sessions);
gl.sessions = NULL;
p11_dict_ulongptr_equal,
NULL, p11_session_free);
- gl.token = p11_token_new (gl.anchor_paths ? gl.anchor_paths : SYSTEM_ANCHORS,
- gl.certificate_paths ? gl.certificate_paths : SYSTEM_CERTIFICATES);
+ gl.token = p11_token_new (gl.paths ? gl.paths : TRUST_PATHS);
if (gl.sessions == NULL || gl.token == NULL) {
warn_if_reached ();
/* Filled in later */
CK_ULONG vcategory = 0;
- CK_BBOOL vtrusted = CK_FALSE;
- CK_BBOOL vdistrusted = CK_FALSE;
+ CK_BBOOL vtrusted = (parser->flags & P11_PARSE_FLAG_ANCHOR) ? CK_TRUE : CK_FALSE;
+ CK_BBOOL vdistrusted = (parser->flags & P11_PARSE_FLAG_BLACKLIST) ? CK_TRUE : CK_FALSE;
CK_ATTRIBUTE certificate_type = { CKA_CERTIFICATE_TYPE, &vx509, sizeof (vx509) };
CK_ATTRIBUTE certificate_category = { CKA_CERTIFICATE_CATEGORY, &vcategory, sizeof (vcategory) };
p11_dict *trust = NULL;
p11_dict *reject = NULL;
p11_dictiter iter;
+ CK_ATTRIBUTE *attr;
+ CK_BBOOL trusted;
+ CK_BBOOL distrust;
void *key;
int start;
int end;
return_val_if_fail (ret == P11_PARSE_SUCCESS, ret);
}
+ /*
+ * If loading from an blacklist flagged directory, then override all
+ * trust assumptionsinformation and mark this as a blacklisted certificate
+ */
+
+ if (parser->flags & P11_PARSE_FLAG_BLACKLIST) {
+ trusted = CK_FALSE;
+ distrust = CK_TRUE;
+
+ /*
+ * OpenSSL model blacklists as anchors with all purposes being removed/rejected,
+ * we account for that here. If there is an ExtendedKeyUsage without any
+ * useful purposes, then treat like a blacklist.
+ */
+ } else if (trust && p11_dict_size (trust) == 0) {
+ trusted = CK_FALSE;
+ distrust = CK_TRUE;
+
+ /*
+ * Otherwise a 'TRUSTED CERTIFICATE' in an input directory is enough to
+ * mark this as a trusted certificate, even if we're not explicitly
+ * parsing an directory with the anchors flag.
+ */
+ } else {
+ trusted = CK_TRUE;
+ distrust = CK_FALSE;
+ }
+
+ attr = p11_attrs_find (cert, CKA_TRUSTED);
+ assert (attr != NULL);
+ assert (attr->pValue != NULL);
+ assert (attr->ulValueLen == sizeof (CK_BBOOL));
+ *((CK_BBOOL *)attr->pValue) = trusted;
+
+ attr = p11_attrs_find (cert, CKA_X_DISTRUSTED);
+ assert (attr != NULL);
+ assert (attr->pValue != NULL);
+ assert (attr->ulValueLen == sizeof (CK_BBOOL));
+ *((CK_BBOOL *)attr->pValue) = distrust;
+
p11_dict_free (trust);
p11_dict_free (reject);
return 2;
}
- token = p11_token_new (argv[1], NULL);
+ token = p11_token_new (argv[1]);
count = p11_token_load (token);
printf ("%d files loaded\n", count);
--- /dev/null
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIDsDCCAxmgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBnTELMAkGA1UEBhMCVVMx
+FzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHEwdSYWxlaWdoMRYwFAYD
+VQQKEw1SZWQgSGF0LCBJbmMuMQswCQYDVQQLEwJJUzEWMBQGA1UEAxMNUmVkIEhh
+dCBJUyBDQTEmMCQGCSqGSIb3DQEJARYXc3lzYWRtaW4tcmR1QHJlZGhhdC5jb20w
+HhcNMDkwOTE2MTg0NTI1WhcNMTkwOTE0MTg0NTI1WjCBnTELMAkGA1UEBhMCVVMx
+FzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHEwdSYWxlaWdoMRYwFAYD
+VQQKEw1SZWQgSGF0LCBJbmMuMQswCQYDVQQLEwJJUzEWMBQGA1UEAxMNUmVkIEhh
+dCBJUyBDQTEmMCQGCSqGSIb3DQEJARYXc3lzYWRtaW4tcmR1QHJlZGhhdC5jb20w
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN/HDWGiL8BarUWDIjNC6uxCXqYN
+QkwcmhILX+cl+YuDDArFL1pYVrith228gF3dSUU5X7kIOmPkkjNheRkbnas61X+n
+i3+KWvbX3q+h5VMxKX2cA1U+R3jLuXqYjF+N2gkPyPvxeoDuEncKAItw+mK/r+4L
+WBb5nFzek7hP3017AgMBAAGjgf0wgfowHQYDVR0OBBYEFA2sGXDtBKdeeKv+i6g0
+6yEmwVY1MIHKBgNVHSMEgcIwgb+AFA2sGXDtBKdeeKv+i6g06yEmwVY1oYGjpIGg
+MIGdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xpbmExEDAOBgNV
+BAcTB1JhbGVpZ2gxFjAUBgNVBAoTDVJlZCBIYXQsIEluYy4xCzAJBgNVBAsTAklT
+MRYwFAYDVQQDEw1SZWQgSGF0IElTIENBMSYwJAYJKoZIhvcNAQkBFhdzeXNhZG1p
+bi1yZHVAcmVkaGF0LmNvbYIBATAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA
+A4GBAFBgO5y3JcPXH/goumNBW7rr8m9EFZmQyK5gT1Ljv5qaCSZwxkAomhriv04p
+mb1y8yjrK5OY3WwgaRaAWRHp4/hn2HWaRvx3S+gwLM7p8V1pWnbSFJOXF3kbuC41
+voMIMqAFfHKidKN/yrjJg/1ahIjSt11lMUvRJ4TNT+pk5VnBMB+gCgYIKwYBBQUH
+AwIMEVJlZCBIYXQgSXMgdGhlIENB
+-----END TRUSTED CERTIFICATE-----
setup (CuTest *cu)
{
CK_C_INITIALIZE_ARGS args;
- const char *anchors;
- const char *certs;
+ const char *paths;
char *arguments;
CK_ULONG count;
CK_RV rv;
CuAssertTrue (cu, rv == CKR_OK);
memset (&args, 0, sizeof (args));
- anchors = SRCDIR "/anchors:" SRCDIR "/files/cacert-ca.der";
- certs = SRCDIR "/certificates";
- if (asprintf (&arguments, "anchors='%s' certificates='%s'", anchors, certs) < 0)
+ paths = SRCDIR "/input:" SRCDIR "/files/cacert-ca.der";
+ if (asprintf (&arguments, "paths='%s'", paths) < 0)
CuAssertTrue (cu, false && "not reached");
args.pReserved = arguments;
args.flags = CKF_OS_LOCKING_OK;
static void
setup (CuTest *cu)
{
- test.token = p11_token_new ("", "");
+ test.token = p11_token_new ("");
CuAssertPtrNotNull (cu, test.token);
test.session = p11_session_new (test.token);
#include "attrs.h"
#include "debug.h"
+#include "pkcs11x.h"
#include "library.h"
+#include "test-data.h"
#include "token.h"
struct {
static void
setup (CuTest *cu)
{
- test.token = p11_token_new (SRCDIR "/anchors:" SRCDIR "/files/cacert-ca.der",
- SRCDIR "/files/self-server.der");
+ test.token = p11_token_new (SRCDIR "/input:" SRCDIR "/files/self-server.der:" SRCDIR "/files/cacert-ca.der");
CuAssertPtrNotNull (cu, test.token);
}
setup (cu);
count = p11_token_load (test.token);
- CuAssertIntEquals (cu, 5, count);
+ CuAssertIntEquals (cu, 7, count);
/* A certificate and trust object for each parsed object + builtin */
objects = p11_token_objects (test.token);
teardown (cu);
}
+static bool
+check_object (CK_ATTRIBUTE *match)
+{
+ CK_ATTRIBUTE *attrs;
+ p11_dict *objects;
+ p11_dictiter iter;
+
+ objects = p11_token_objects (test.token);
+
+ p11_dict_iterate (objects, &iter);
+ while (p11_dict_next (&iter, NULL, (void **)&attrs)) {
+ if (p11_attrs_match (attrs, match))
+ return true;
+ }
+
+ return false;
+}
+
+static void
+test_token_flags (CuTest *cu)
+{
+ CK_BBOOL falsev = CK_FALSE;
+ CK_BBOOL truev = CK_TRUE;
+
+ /*
+ * blacklist comes from the input/distrust.pem file. It is not in the blacklist
+ * directory, but is an OpenSSL trusted certificate file, and is marked
+ * in the blacklist style for OpenSSL.
+ */
+
+ CK_ATTRIBUTE blacklist[] = {
+ { CKA_LABEL, "Red Hat Is the CA", 17 },
+ { CKA_SERIAL_NUMBER, "\x02\x01\x01", 3 },
+ { CKA_TRUSTED, &falsev, sizeof (falsev) },
+ { CKA_X_DISTRUSTED, &truev, sizeof (truev) },
+ { CKA_INVALID },
+ };
+
+ /*
+ * blacklist2 comes from the input/blacklist/self-server.der file. It is
+ * explicitly put on the blacklist, even though it containts no trust
+ * policy information.
+ */
+
+ const unsigned char self_server_subject[] = {
+ 0x30, 0x4b, 0x31, 0x13, 0x30, 0x11, 0x06, 0x0a, 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64,
+ 0x01, 0x19, 0x16, 0x03, 0x43, 0x4f, 0x4d, 0x31, 0x17, 0x30, 0x15, 0x06, 0x0a, 0x09, 0x92, 0x26,
+ 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x07, 0x45, 0x58, 0x41, 0x4d, 0x50, 0x4c, 0x45,
+ 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x12, 0x73, 0x65, 0x72, 0x76, 0x65,
+ 0x72, 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d,
+ };
+
+ CK_ATTRIBUTE blacklist2[] = {
+ { CKA_SUBJECT, (void *)self_server_subject, sizeof (self_server_subject) },
+ { CKA_TRUSTED, &falsev, sizeof (falsev) },
+ { CKA_X_DISTRUSTED, &truev, sizeof (truev) },
+ { CKA_INVALID },
+ };
+
+ /*
+ * anchor comes from the input/anchors/cacert3.der file. It is
+ * explicitly marked as an anchor, even though it containts no trust
+ * policy information.
+ */
+
+ CK_ATTRIBUTE anchor[] = {
+ { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) },
+ { CKA_TRUSTED, &truev, sizeof (truev) },
+ { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) },
+ { CKA_INVALID },
+ };
+
+ const unsigned char cacert_root_subject[] = {
+ 0x30, 0x79, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x07, 0x52, 0x6f, 0x6f,
+ 0x74, 0x20, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, 0x68,
+ 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x63, 0x61, 0x63, 0x65, 0x72, 0x74,
+ 0x2e, 0x6f, 0x72, 0x67, 0x31, 0x22, 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x19, 0x43,
+ 0x41, 0x20, 0x43, 0x65, 0x72, 0x74, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x41,
+ 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86,
+ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x73, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74,
+ 0x40, 0x63, 0x61, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, 0x67,
+ };
+
+ /*
+ * notrust comes from the input/cacert-ca.der file. It contains no
+ * trust information, and is not explicitly marked as an anchor, so
+ * it's neither trusted or distrusted.
+ */
+
+ CK_ATTRIBUTE notrust[] = {
+ { CKA_SUBJECT, (void *)cacert_root_subject, sizeof (cacert_root_subject) },
+ { CKA_TRUSTED, &falsev, sizeof (falsev) },
+ { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) },
+ { CKA_INVALID },
+ };
+
+ CK_ATTRIBUTE invalid[] = {
+ { CKA_LABEL, "Waonec9aoe9", 8 },
+ { CKA_INVALID },
+ };
+
+ setup (cu);
+
+ if (p11_token_load (test.token) < 0)
+ CuFail (cu, "should not be reached");
+
+ CuAssertTrue (cu, !check_object (invalid));
+ CuAssertTrue (cu, check_object (anchor));
+ CuAssertTrue (cu, check_object (blacklist));
+ CuAssertTrue (cu, check_object (blacklist2));
+ CuAssertTrue (cu, check_object (notrust));
+
+ teardown (cu);
+}
+
int
main (void)
{
p11_message_quiet ();
SUITE_ADD_TEST (suite, test_token_load);
+ SUITE_ADD_TEST (suite, test_token_flags);
CuSuiteRun (suite);
CuSuiteSummary (suite, output);
#include <sys/types.h>
#include <dirent.h>
+#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct _p11_token {
p11_parser *parser;
p11_dict *objects;
- const char *anchor_paths;
- const char *other_paths;
- const char *certificate_paths;
+ const char *paths;
int loaded;
};
return total;
}
+static int
+loader_load_subdirectory (p11_token *token,
+ const char *directory,
+ const char *subdir,
+ int flags)
+{
+ struct stat sb;
+ char *path;
+ int ret = 0;
+
+ if (asprintf (&path, "%s/%s", directory, subdir) < 0)
+ return_val_if_reached (-1);
+
+ if (stat (path, &sb) >= 0 && S_ISDIR (sb.st_mode))
+ ret = loader_load_directory (token, path, flags);
+
+ free (path);
+ return ret;
+}
+
static int
loader_load_path (p11_token *token,
- const char *path,
- int flags)
+ const char *path)
{
struct stat sb;
+ int total;
+ int ret;
if (stat (path, &sb) < 0) {
if (errno == ENOENT) {
return 0;
}
- if (S_ISDIR (sb.st_mode))
- return loader_load_directory (token, path, flags);
- else
- return loader_load_file (token, path, &sb, flags);
+ if (S_ISDIR (sb.st_mode)) {
+ total = 0;
+
+ ret = loader_load_subdirectory (token, path, "anchors", P11_PARSE_FLAG_ANCHOR);
+ return_val_if_fail (ret >= 0, ret);
+ total += ret;
+
+ ret = loader_load_subdirectory (token, path, "blacklist", P11_PARSE_FLAG_BLACKLIST);
+ return_val_if_fail (ret >= 0, ret);
+ total += ret;
+
+ ret = loader_load_directory (token, path, P11_PARSE_FLAG_NONE);
+ return_val_if_fail (ret >= 0, ret);
+ total += ret;
+
+ return total;
+ } else {
+ return loader_load_file (token, path, &sb, P11_PARSE_FLAG_ANCHOR);
+ }
}
static int
loader_load_paths (p11_token *token,
- const char *paths,
- int flags)
+ const char *paths)
{
const char *pos;
int total = 0;
if (path[0] != '\0') {
/* We don't expect this to fail except for in strange circumstances */
- ret = loader_load_path (token, path, flags);
+ ret = loader_load_path (token, path);
if (ret < 0)
return_val_if_reached (-1);
total += ret;
p11_token_load (p11_token *token)
{
int builtins;
- int anchors;
- int other;
+ int count;
if (token->loaded)
return 0;
builtins = load_builtin_objects (token);
- anchors = loader_load_paths (token, token->anchor_paths, P11_PARSE_FLAG_ANCHOR);
- if (anchors < 0)
- return anchors;
-
- other = loader_load_paths (token, token->other_paths, P11_PARSE_FLAG_NONE);
- if (other < 0)
- return other;
+ count = loader_load_paths (token, token->paths);
+ return_val_if_fail (count >= 0, count);
- return anchors + builtins + other;
+ return count + builtins;
}
p11_dict *
}
p11_token *
-p11_token_new (const char *anchor_paths,
- const char *other_paths)
+p11_token_new (const char *paths)
{
p11_token *token;
free, p11_attrs_free);
return_val_if_fail (token->objects != NULL, NULL);
- token->anchor_paths = anchor_paths;
- token->other_paths = other_paths;
+ token->paths = paths;
token->loaded = 0;
return token;
typedef struct _p11_token p11_token;
-p11_token * p11_token_new (const char *anchor_paths,
- const char *other_paths);
+p11_token * p11_token_new (const char *paths);
void p11_token_free (p11_token *token);
projects / p11-kit / commitdiff