static bool
remove_all (p11_kit_iter *iter,
bool *changed)
{
const char *desc;
CK_RV rv;
while ((rv = p11_kit_iter_next (iter)) == CKR_OK) {
desc = description_for_object_at_iter (iter);
p11_debug ("removing %s: %lu", desc, p11_kit_iter_get_object (iter));
rv = p11_kit_iter_destroy_object (iter);
switch (rv) {
case CKR_OK:
*changed = true;
/* fall through */
case CKR_OBJECT_HANDLE_INVALID:
continue;
case CKR_TOKEN_WRITE_PROTECTED:
case CKR_SESSION_READ_ONLY:
case CKR_ATTRIBUTE_READ_ONLY:
p11_message ("couldn't remove read-only %s", desc);
continue;
default:
p11_message ("couldn't remove %s: %s", desc,
p11_kit_strerror (rv));
break;
}
}
return (rv == CKR_CANCEL);
}
static CK_OBJECT_HANDLE
find_anchor (CK_FUNCTION_LIST *module,
CK_SESSION_HANDLE session,
CK_ATTRIBUTE *attrs)
{
CK_OBJECT_HANDLE object = 0UL;
CK_ATTRIBUTE *attr;
p11_kit_iter *iter;
attr = p11_attrs_find_valid (attrs, CKA_CLASS);
return_val_if_fail (attr != NULL, 0);
iter = p11_kit_iter_new (NULL, 0);
return_val_if_fail (iter != NULL, 0);
if (iter_match_anchor (iter, attrs)) {
p11_kit_iter_begin_with (iter, module, 0, session);
if (p11_kit_iter_next (iter) == CKR_OK)
object = p11_kit_iter_get_object (iter);
}
p11_kit_iter_free (iter);
return object;
}
bool
p11_extract_x509_file (p11_enumerate *ex,
const char *destination)
{
bool found = false;
p11_save_file *file;
CK_RV rv;
while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) {
if (found) {
p11_message ("multiple certificates found but could only write one to file");
break;
}
file = p11_save_open_file (destination, NULL, ex->flags);
if (!p11_save_write_and_finish (file, ex->cert_der, ex->cert_len))
return false;
/* Wrote something */
found = true;
}
if (rv != CKR_OK && rv != CKR_CANCEL) {
p11_message ("failed to find certificates: %s", p11_kit_strerror (rv));
return false;
/* Remember that an empty DER file is not a valid file, so complain if nothing */
} else if (!found) {
p11_message ("no certificate found");
return false;
}
return true;
}
bool
p11_extract_openssl_bundle (p11_enumerate *ex,
const char *destination)
{
p11_save_file *file;
p11_buffer output;
p11_buffer buf;
char *comment;
bool ret = true;
bool first;
CK_RV rv;
file = p11_save_open_file (destination, NULL, ex->flags);
if (!file)
return false;
first = true;
p11_buffer_init (&output, 0);
while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) {
p11_buffer_init (&buf, 1024);
if (!p11_buffer_reset (&output, 2048))
return_val_if_reached (false);
if (prepare_pem_contents (ex, &buf)) {
if (!p11_pem_write (buf.data, buf.len, "TRUSTED CERTIFICATE", &output))
return_val_if_reached (false);
comment = p11_enumerate_comment (ex, first);
first = false;
ret = p11_save_write (file, comment, -1) &&
p11_save_write (file, output.data, output.len);
free (comment);
}
p11_buffer_uninit (&buf);
if (!ret)
break;
}
p11_buffer_uninit (&output);
if (rv != CKR_OK && rv != CKR_CANCEL) {
p11_message ("failed to find certificates: %s", p11_kit_strerror (rv));
ret = false;
}
/*
* This will produce an empty file (which is a valid PEM bundle) if no
* certificates were found.
*/
if (!p11_save_finish_file (file, NULL, ret))
ret = false;
return ret;
}
bool
p11_extract_x509_directory (p11_enumerate *ex,
const char *destination)
{
p11_save_file *file;
p11_save_dir *dir;
char *filename;
CK_RV rv;
bool ret;
dir = p11_save_open_directory (destination, ex->flags);
if (dir == NULL)
return false;
while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) {
filename = p11_enumerate_filename (ex);
return_val_if_fail (filename != NULL, -1);
file = p11_save_open_file_in (dir, filename, ".cer");
free (filename);
if (!p11_save_write_and_finish (file, ex->cert_der, ex->cert_len)) {
p11_save_finish_directory (dir, false);
return false;
}
}
if (rv != CKR_OK && rv != CKR_CANCEL) {
p11_message ("failed to find certificates: %s", p11_kit_strerror (rv));
ret = false;
} else {
ret = true;
}
p11_save_finish_directory (dir, ret);
return ret;
}
bool
p11_extract_openssl_directory (p11_enumerate *ex,
const char *destination)
{
char *filename;
p11_save_file *file;
p11_save_dir *dir;
p11_buffer output;
p11_buffer buf;
bool ret = true;
char *path;
char *name;
CK_RV rv;
dir = p11_save_open_directory (destination, ex->flags);
if (dir == NULL)
return false;
p11_buffer_init (&buf, 0);
p11_buffer_init (&output, 0);
while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) {
if (!p11_buffer_reset (&buf, 1024))
return_val_if_reached (false);
if (!p11_buffer_reset (&output, 2048))
return_val_if_reached (false);
if (prepare_pem_contents (ex, &buf)) {
if (!p11_pem_write (buf.data, buf.len, "TRUSTED CERTIFICATE", &output))
return_val_if_reached (false);
name = p11_enumerate_filename (ex);
return_val_if_fail (name != NULL, false);
filename = NULL;
path = NULL;
ret = false;
file = p11_save_open_file_in (dir, name, ".pem");
if (file != NULL) {
ret = p11_save_write (file, output.data, output.len);
if (!p11_save_finish_file (file, &path, ret))
ret = false;
if (ret)
filename = p11_path_base (path);
}
ret = p11_openssl_symlink(ex, dir, filename);
free (filename);
free (path);
free (name);
}
if (!ret)
break;
}
p11_buffer_uninit (&buf);
p11_buffer_uninit (&output);
if (rv != CKR_OK && rv != CKR_CANCEL) {
p11_message ("failed to find certificates: %s", p11_kit_strerror (rv));
ret = false;
}
p11_save_finish_directory (dir, ret);
return ret;
}
/**
* p11_kit_iter_next:
* @iter: the iterator
*
* Iterate to the next matching object.
*
* To access the object, session and so on, use the p11_kit_iter_get_object(),
* p11_kit_iter_get_session(), and p11_kit_iter_get_module() functions.
*
* This call must only be called after either p11_kit_iter_begin()
* or p11_kit_iter_begin_with() have been called.
*
* Objects which are skipped by callbacks will not be returned here
* as matching objects.
*
* Returns: CKR_OK if an object matched, CKR_CANCEL if no more objects, or another error
*/
CK_RV
p11_kit_iter_next (P11KitIter *iter)
{
CK_ULONG batch;
CK_ULONG count;
CK_BBOOL matches;
CK_RV rv;
return_val_if_fail (iter->iterating, CKR_OPERATION_NOT_INITIALIZED);
iter->object = 0;
if (iter->match_nothing)
return finish_iterating (iter, CKR_CANCEL);
/*
* If we have outstanding objects, then iterate one through those
* Note that we pass each object through the filters, and only
* assume it's iterated if it matches
*/
while (iter->saw_objects < iter->num_objects) {
iter->object = iter->objects[iter->saw_objects++];
rv = call_all_filters (iter, &matches);
if (rv != CKR_OK)
return finish_iterating (iter, rv);
if (matches)
return CKR_OK;
}
/* If we have finished searching then move to next session */
if (iter->searched) {
rv = move_next_session (iter);
if (rv != CKR_OK)
return finish_iterating (iter, rv);
}
/* Ready to start searching */
if (!iter->searching && !iter->searched) {
count = p11_attrs_count (iter->match_attrs);
rv = (iter->module->C_FindObjectsInit) (iter->session, iter->match_attrs, count);
if (rv != CKR_OK)
return finish_iterating (iter, rv);
iter->searching = 1;
iter->searched = 0;
}
/* If we have searched on this session then try to continue */
if (iter->searching) {
assert (iter->module != NULL);
assert (iter->session != 0);
iter->num_objects = 0;
iter->saw_objects = 0;
for (;;) {
if (iter->max_objects - iter->num_objects == 0) {
iter->max_objects = iter->max_objects ? iter->max_objects * 2 : 64;
iter->objects = realloc (iter->objects, iter->max_objects * sizeof (CK_ULONG));
return_val_if_fail (iter->objects != NULL, CKR_HOST_MEMORY);
}
batch = iter->max_objects - iter->num_objects;
rv = (iter->module->C_FindObjects) (iter->session,
iter->objects + iter->num_objects,
batch, &count);
if (rv != CKR_OK)
return finish_iterating (iter, rv);
iter->num_objects += count;
/*
* Done searching on this session, although there are still
* objects outstanding, which will be returned on next
* iterations.
*/
if (batch != count) {
iter->searching = 0;
iter->searched = 1;
(iter->module->C_FindObjectsFinal) (iter->session);
break;
}
if (!iter->preload_results)
break;
}
}
/* Try again */
return p11_kit_iter_next (iter);
}
