static bool
remove_all (p11_kit_iter *iter,
bool *changed)
{
const char *desc;
CK_RV rv;
while ((rv = p11_kit_iter_next (iter)) == CKR_OK) {
desc = description_for_object_at_iter (iter);
p11_debug ("removing %s: %lu", desc, p11_kit_iter_get_object (iter));
rv = p11_kit_iter_destroy_object (iter);
switch (rv) {
case CKR_OK:
*changed = true;
/* fall through */
case CKR_OBJECT_HANDLE_INVALID:
continue;
case CKR_TOKEN_WRITE_PROTECTED:
case CKR_SESSION_READ_ONLY:
case CKR_ATTRIBUTE_READ_ONLY:
p11_message ("couldn't remove read-only %s", desc);
continue;
default:
p11_message ("couldn't remove %s: %s", desc,
p11_kit_strerror (rv));
break;
}
}
return (rv == CKR_CANCEL);
}
bool
p11_extract_x509_file (p11_enumerate *ex,
const char *destination)
{
bool found = false;
p11_save_file *file;
CK_RV rv;
while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) {
if (found) {
p11_message ("multiple certificates found but could only write one to file");
break;
}
file = p11_save_open_file (destination, NULL, ex->flags);
if (!p11_save_write_and_finish (file, ex->cert_der, ex->cert_len))
return false;
/* Wrote something */
found = true;
}
if (rv != CKR_OK && rv != CKR_CANCEL) {
p11_message ("failed to find certificates: %s", p11_kit_strerror (rv));
return false;
/* Remember that an empty DER file is not a valid file, so complain if nothing */
} else if (!found) {
p11_message ("no certificate found");
return false;
}
return true;
}
static CK_SESSION_HANDLE
session_for_store_on_module (const char *name,
CK_FUNCTION_LIST *module,
bool *found_read_only)
{
CK_SESSION_HANDLE session = 0;
CK_SLOT_ID *slots = NULL;
CK_TOKEN_INFO info;
CK_ULONG count;
CK_ULONG i;
CK_RV rv;
rv = p11_kit_module_initialize (module);
if (rv != CKR_OK) {
p11_message ("%s: couldn't initialize: %s", name, p11_kit_message ());
return 0UL;
}
rv = (module->C_GetSlotList) (CK_TRUE, NULL, &count);
if (rv == CKR_OK) {
slots = calloc (count, sizeof (CK_ULONG));
return_val_if_fail (slots != NULL, 0UL);
rv = (module->C_GetSlotList) (CK_TRUE, slots, &count);
}
if (rv != CKR_OK) {
p11_message ("%s: couldn't enumerate slots: %s", name, p11_kit_strerror (rv));
free (slots);
return 0UL;
}
for (i = 0; session == 0 && i < count; i++) {
rv = (module->C_GetTokenInfo) (slots[i], &info);
if (rv != CKR_OK) {
p11_message ("%s: couldn't get token info: %s", name, p11_kit_strerror (rv));
continue;
}
if (info.flags & CKF_WRITE_PROTECTED) {
*found_read_only = true;
continue;
}
rv = (module->C_OpenSession) (slots[i], CKF_SERIAL_SESSION | CKF_RW_SESSION,
NULL, NULL, &session);
if (rv != CKR_OK) {
p11_message ("%s: couldn't open session: %s", name, p11_kit_strerror (rv));
session = 0;
}
p11_debug ("opened writable session on: %s", name);
}
free (slots);
if (session == 0UL)
p11_kit_module_finalize (module);
return session;
}
static p11_array *
files_to_attrs (int argc,
char *argv[])
{
p11_parser *parser;
p11_array *parsed;
p11_array *array;
int ret = P11_PARSE_SUCCESS;
int i, j;
array = p11_array_new (p11_attrs_free);
return_val_if_fail (array != NULL, NULL);
parser = create_arg_file_parser ();
return_val_if_fail (parser != NULL, NULL);
for (i = 0; i < argc; i++) {
ret = p11_parse_file (parser, argv[i], NULL, P11_PARSE_FLAG_ANCHOR);
switch (ret) {
case P11_PARSE_SUCCESS:
p11_debug ("parsed file: %s", argv[i]);
break;
case P11_PARSE_UNRECOGNIZED:
p11_message ("unrecognized file format: %s", argv[i]);
break;
default:
p11_message ("failed to parse file: %s", argv[i]);
break;
}
if (ret != P11_PARSE_SUCCESS)
break;
parsed = p11_parser_parsed (parser);
for (j = 0; j < parsed->num; j++) {
if (!p11_array_push (array, parsed->elem[j]))
return_val_if_reached (NULL);
parsed->elem[j] = NULL;
}
}
p11_parser_free (parser);
if (ret == P11_PARSE_SUCCESS)
return array;
p11_array_free (array);
return NULL;
}
static bool
create_anchor (CK_FUNCTION_LIST *module,
CK_SESSION_HANDLE session,
CK_ATTRIBUTE *attrs)
{
CK_BBOOL truev = CK_TRUE;
CK_OBJECT_HANDLE object;
char *string;
CK_RV rv;
CK_ULONG klass;
CK_ATTRIBUTE basics_certificate[] = {
{ CKA_TOKEN, &truev, sizeof (truev) },
{ CKA_TRUSTED, &truev, sizeof (truev) },
{ CKA_INVALID, },
};
CK_ATTRIBUTE basics_extension[] = {
{ CKA_TOKEN, &truev, sizeof (truev) },
{ CKA_INVALID, },
};
CK_ATTRIBUTE basics_empty[] = {
{ CKA_INVALID, },
};
CK_ATTRIBUTE *basics = basics_empty;
if (p11_attrs_find_ulong (attrs, CKA_CLASS, &klass)) {
switch (klass) {
case CKO_CERTIFICATE:
basics = basics_certificate;
break;
case CKO_X_CERTIFICATE_EXTENSION:
basics = basics_extension;
break;
}
}
attrs = p11_attrs_merge (attrs, p11_attrs_dup (basics), true);
p11_attrs_remove (attrs, CKA_MODIFIABLE);
if (p11_debugging) {
string = p11_attrs_to_string (attrs, -1);
p11_debug ("storing: %s", string);
free (string);
}
rv = (module->C_CreateObject) (session, attrs,
p11_attrs_count (attrs), &object);
p11_attrs_free (attrs);
if (rv != CKR_OK) {
p11_message ("couldn't create object: %s", p11_kit_strerror (rv));
return false;
}
return true;
}
static int
anchor_store (int argc,
char *argv[],
bool *changed)
{
CK_ATTRIBUTE *attrs;
CK_FUNCTION_LIST *module = NULL;
CK_SESSION_HANDLE session;
CK_OBJECT_HANDLE object;
p11_array *anchors;
int ret;
int i;
anchors = files_to_attrs (argc, argv);
if (anchors == NULL)
return 1;
if (anchors->num == 0) {
p11_message ("specify at least one anchor input file");
p11_array_free (anchors);
return 2;
}
session = session_for_store (&module);
if (session == 0UL) {
p11_array_free (anchors);
return 1;
}
for (i = 0, ret = 0; i < anchors->num; i++) {
attrs = anchors->elem[i];
anchors->elem[i] = NULL;
object = find_anchor (module, session, attrs);
if (object == 0) {
p11_debug ("don't yet have this anchor");
if (create_anchor (module, session, attrs)) {
*changed = true;
} else {
ret = 1;
break;
}
} else {
p11_debug ("already have this anchor");
if (modify_anchor (module, session, object, attrs)) {
*changed = true;
} else {
ret = 1;
break;
}
}
}
p11_array_free (anchors);
p11_kit_module_finalize (module);
p11_kit_module_release (module);
return ret;
}
bool
p11_extract_openssl_bundle (p11_enumerate *ex,
const char *destination)
{
p11_save_file *file;
p11_buffer output;
p11_buffer buf;
char *comment;
bool ret = true;
bool first;
CK_RV rv;
file = p11_save_open_file (destination, NULL, ex->flags);
if (!file)
return false;
first = true;
p11_buffer_init (&output, 0);
while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) {
p11_buffer_init (&buf, 1024);
if (!p11_buffer_reset (&output, 2048))
return_val_if_reached (false);
if (prepare_pem_contents (ex, &buf)) {
if (!p11_pem_write (buf.data, buf.len, "TRUSTED CERTIFICATE", &output))
return_val_if_reached (false);
comment = p11_enumerate_comment (ex, first);
first = false;
ret = p11_save_write (file, comment, -1) &&
p11_save_write (file, output.data, output.len);
free (comment);
}
p11_buffer_uninit (&buf);
if (!ret)
break;
}
p11_buffer_uninit (&output);
if (rv != CKR_OK && rv != CKR_CANCEL) {
p11_message ("failed to find certificates: %s", p11_kit_strerror (rv));
ret = false;
}
/*
* This will produce an empty file (which is a valid PEM bundle) if no
* certificates were found.
*/
if (!p11_save_finish_file (file, NULL, ret))
ret = false;
return ret;
}
static CK_SESSION_HANDLE
session_for_store (CK_FUNCTION_LIST **module)
{
CK_SESSION_HANDLE session = 0UL;
CK_FUNCTION_LIST **modules;
bool found_read_only = false;
char *name;
int i;
modules = p11_kit_modules_load (NULL, P11_KIT_MODULE_TRUSTED);
if (modules == NULL)
return 0;
for (i = 0; modules[i] != NULL; i++) {
if (session == 0UL) {
name = p11_kit_module_get_name (modules[i]);
session = session_for_store_on_module (name, modules[i],
&found_read_only);
if (session != 0UL) {
*module = modules[i];
modules[i] = NULL;
}
free (name);
}
if (modules[i])
p11_kit_module_release (modules[i]);
}
if (session == 0UL) {
if (found_read_only)
p11_message ("no configured writable location to store anchors");
else
p11_message ("no configured location to store anchors");
}
free (modules);
return session;
}
static int
on_unique_try_rename (void *data,
char *path)
{
p11_save_file *file = data;
if (rename (file->temp, path) < 0) {
if (errno == EEXIST)
return 0; /* Continue trying other names */
p11_message ("couldn't complete writing of file: %s", path);
return -1;
}
return 1; /* All done */
}
static bool
modify_anchor (CK_FUNCTION_LIST *module,
CK_SESSION_HANDLE session,
CK_OBJECT_HANDLE object,
CK_ATTRIBUTE *attrs)
{
CK_BBOOL truev = CK_TRUE;
CK_ATTRIBUTE *changes;
CK_ATTRIBUTE *label;
CK_ULONG klass;
char *string;
CK_RV rv;
CK_ATTRIBUTE trusted = { CKA_TRUSTED, &truev, sizeof (truev) };
label = p11_attrs_find_valid (attrs, CKA_LABEL);
if (p11_attrs_find_ulong (attrs, CKA_CLASS, &klass) &&
klass == CKO_CERTIFICATE)
changes = p11_attrs_build (NULL, &trusted, label, NULL);
else
changes = p11_attrs_build (NULL, label, NULL);
return_val_if_fail (attrs != NULL, FALSE);
/* Don't need the attributes anymore */
p11_attrs_free (attrs);
if (p11_debugging) {
string = p11_attrs_to_string (changes, -1);
p11_debug ("setting: %s", string);
free (string);
}
rv = (module->C_SetAttributeValue) (session, object, changes,
p11_attrs_count (changes));
p11_attrs_free (changes);
if (rv != CKR_OK) {
p11_message ("couldn't create object: %s", p11_kit_strerror (rv));
return false;
}
return true;
}
static bool
load_attached_extension (p11_dict *attached,
p11_dict *asn1_defs,
const unsigned char *der,
size_t len)
{
char message[ASN1_MAX_ERROR_DESCRIPTION_SIZE];
node_asn *ext;
char *oid;
int length;
int start;
int end;
int ret;
ext = p11_asn1_decode (asn1_defs, "PKIX1.Extension", der, len, message);
if (ext == NULL) {
p11_message ("couldn't parse attached certificate extension: %s", message);
return false;
}
ret = asn1_der_decoding_startEnd (ext, der, len, "extnID", &start, &end);
return_val_if_fail (ret == ASN1_SUCCESS, false);
/* Make sure it's a straightforward oid with certain assumptions */
length = (end - start) + 1;
if (!p11_oid_simple (der + start, length)) {
p11_debug ("strange complex certificate extension object id");
return false;
}
oid = memdup (der + start, length);
return_val_if_fail (oid != NULL, false);
if (!p11_dict_set (attached, oid, ext))
return_val_if_reached (false);
return true;
}
static int
anchor_remove (int argc,
char *argv[],
bool *changed)
{
CK_FUNCTION_LIST **modules;
p11_array *iters;
p11_kit_iter *iter;
int ret = 0;
int i;
iters = uris_or_files_to_iters (argc, argv, P11_KIT_ITER_WANT_WRITABLE);
return_val_if_fail (iters != NULL, 1);
if (iters->num == 0) {
p11_message ("at least one file or uri must be specified");
p11_array_free (iters);
return 2;
}
modules = p11_kit_modules_load_and_initialize (P11_KIT_MODULE_TRUSTED);
if (modules == NULL)
ret = 1;
for (i = 0; ret == 0 && i < iters->num; i++) {
iter = iters->elem[i];
p11_kit_iter_begin (iter, modules);
if (!remove_all (iter, changed))
ret = 1;
}
p11_array_free (iters);
p11_kit_modules_finalize_and_release (modules);
return ret;
}
bool
p11_extract_x509_directory (p11_enumerate *ex,
const char *destination)
{
p11_save_file *file;
p11_save_dir *dir;
char *filename;
CK_RV rv;
bool ret;
dir = p11_save_open_directory (destination, ex->flags);
if (dir == NULL)
return false;
while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) {
filename = p11_enumerate_filename (ex);
return_val_if_fail (filename != NULL, -1);
file = p11_save_open_file_in (dir, filename, ".cer");
free (filename);
if (!p11_save_write_and_finish (file, ex->cert_der, ex->cert_len)) {
p11_save_finish_directory (dir, false);
return false;
}
}
if (rv != CKR_OK && rv != CKR_CANCEL) {
p11_message ("failed to find certificates: %s", p11_kit_strerror (rv));
ret = false;
} else {
ret = true;
}
p11_save_finish_directory (dir, ret);
return ret;
}
static p11_array *
uris_or_files_to_iters (int argc,
char *argv[],
int behavior)
{
int flags = P11_KIT_URI_FOR_OBJECT_ON_TOKEN_AND_MODULE;
p11_parser *parser = NULL;
p11_array *iters;
p11_array *parsed;
p11_kit_uri *uri;
p11_kit_iter *iter;
int ret;
int i, j;
iters = p11_array_new ((p11_destroyer)p11_kit_iter_free);
return_val_if_fail (iters != NULL, NULL);
for (i = 0; i < argc; i++) {
/* A PKCS#11 URI */
if (strncmp (argv[i], "pkcs11:", 7) == 0) {
uri = p11_kit_uri_new ();
if (p11_kit_uri_parse (argv[i], flags, uri) != P11_KIT_URI_OK) {
p11_message ("invalid PKCS#11 uri: %s", argv[i]);
p11_kit_uri_free (uri);
break;
}
iter = p11_kit_iter_new (uri, behavior);
return_val_if_fail (iter != NULL, NULL);
p11_kit_uri_free (uri);
if (!p11_array_push (iters, iter))
return_val_if_reached (NULL);
} else {
if (parser == NULL)
parser = create_arg_file_parser ();
ret = p11_parse_file (parser, argv[i], NULL, P11_PARSE_FLAG_ANCHOR);
switch (ret) {
case P11_PARSE_SUCCESS:
p11_debug ("parsed file: %s", argv[i]);
break;
case P11_PARSE_UNRECOGNIZED:
p11_message ("unrecognized file format: %s", argv[i]);
break;
default:
p11_message ("failed to parse file: %s", argv[i]);
break;
}
if (ret != P11_PARSE_SUCCESS)
break;
parsed = p11_parser_parsed (parser);
for (j = 0; j < parsed->num; j++) {
iter = p11_kit_iter_new (NULL, behavior);
return_val_if_fail (iter != NULL, NULL);
iter_match_anchor (iter, parsed->elem[j]);
if (!p11_array_push (iters, iter))
return_val_if_reached (NULL);
}
}
}
if (parser)
p11_parser_free (parser);
if (argc != i) {
p11_array_free (iters);
return NULL;
}
return iters;
}
int
p11_trust_anchor (int argc,
char **argv)
{
bool changed = false;
int action = 0;
int opt;
int ret;
enum {
opt_verbose = 'v',
opt_quiet = 'q',
opt_help = 'h',
opt_store = 's',
opt_remove = 'r',
};
struct option options[] = {
{ "store", no_argument, NULL, opt_store },
{ "remove", no_argument, NULL, opt_remove },
{ "verbose", no_argument, NULL, opt_verbose },
{ "quiet", no_argument, NULL, opt_quiet },
{ "help", no_argument, NULL, opt_help },
{ 0 },
};
p11_tool_desc usages[] = {
{ 0, "usage: trust anchor --store <file> ...\n"
" trust anchor --remove <file or URI> ..."},
{ opt_verbose, "show verbose debug output", },
{ opt_quiet, "suppress command output", },
{ 0 },
};
while ((opt = p11_tool_getopt (argc, argv, options)) != -1) {
switch (opt) {
case opt_store:
case opt_remove:
if (action == 0) {
action = opt;
} else {
p11_message ("an action was already specified");
return 2;
}
break;
case opt_verbose:
case opt_quiet:
break;
case opt_help:
p11_tool_usage (usages, options);
return 0;
case '?':
p11_tool_usage (usages, options);
return 2;
default:
assert_not_reached ();
break;
}
};
argc -= optind;
argv += optind;
if (action == 0)
action = opt_store;
/* Store is different, and only accepts files */
if (action == opt_store)
ret = anchor_store (argc, argv, &changed);
else if (action == opt_remove)
ret = anchor_remove (argc, argv, &changed);
else
assert_not_reached ();
/* Extract the compat bundles after modification */
if (ret == 0 && changed) {
char *args[] = { argv[0], NULL };
ret = p11_trust_extract_compat (1, args);
}
return ret;
}
bool
p11_extract_openssl_directory (p11_enumerate *ex,
const char *destination)
{
char *filename;
p11_save_file *file;
p11_save_dir *dir;
p11_buffer output;
p11_buffer buf;
bool ret = true;
char *path;
char *name;
CK_RV rv;
dir = p11_save_open_directory (destination, ex->flags);
if (dir == NULL)
return false;
p11_buffer_init (&buf, 0);
p11_buffer_init (&output, 0);
while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) {
if (!p11_buffer_reset (&buf, 1024))
return_val_if_reached (false);
if (!p11_buffer_reset (&output, 2048))
return_val_if_reached (false);
if (prepare_pem_contents (ex, &buf)) {
if (!p11_pem_write (buf.data, buf.len, "TRUSTED CERTIFICATE", &output))
return_val_if_reached (false);
name = p11_enumerate_filename (ex);
return_val_if_fail (name != NULL, false);
filename = NULL;
path = NULL;
ret = false;
file = p11_save_open_file_in (dir, name, ".pem");
if (file != NULL) {
ret = p11_save_write (file, output.data, output.len);
if (!p11_save_finish_file (file, &path, ret))
ret = false;
if (ret)
filename = p11_path_base (path);
}
ret = p11_openssl_symlink(ex, dir, filename);
free (filename);
free (path);
free (name);
}
if (!ret)
break;
}
p11_buffer_uninit (&buf);
p11_buffer_uninit (&output);
if (rv != CKR_OK && rv != CKR_CANCEL) {
p11_message ("failed to find certificates: %s", p11_kit_strerror (rv));
ret = false;
}
p11_save_finish_directory (dir, ret);
return ret;
}
int
p11_tool_main (int argc,
char *argv[],
const p11_tool_command *commands)
{
const p11_tool_command *fallback = NULL;
char *command = NULL;
bool want_help = false;
bool skip;
int in, out;
int i;
/*
* Parse the global options. We rearrange the options as
* necessary, in order to pass relevant options through
* to the commands, but also have them take effect globally.
*/
for (in = 1, out = 1; in < argc; in++, out++) {
/* The non-option is the command, take it out of the arguments */
if (argv[in][0] != '-') {
if (!command) {
skip = true;
command = argv[in];
} else {
skip = false;
}
/* The global long options */
} else if (argv[in][1] == '-') {
skip = false;
if (strcmp (argv[in], "--") == 0) {
if (!command) {
p11_message ("no command specified");
return 2;
} else {
break;
}
} else if (strcmp (argv[in], "--verbose") == 0) {
verbose_arg ();
} else if (strcmp (argv[in], "--quiet") == 0) {
quiet_arg ();
} else if (strcmp (argv[in], "--help") == 0) {
want_help = true;
} else if (!command) {
p11_message ("unknown global option: %s", argv[in]);
return 2;
}
/* The global short options */
} else {
skip = false;
for (i = 1; argv[in][i] != '\0'; i++) {
switch (argv[in][i]) {
case 'h':
want_help = true;
break;
/* Compatibility option */
case 'l':
command = "list-modules";
break;
case 'v':
verbose_arg ();
break;
case 'q':
quiet_arg ();
break;
default:
if (!command) {
p11_message ("unknown global option: -%c", (int)argv[in][i]);
return 2;
}
break;
}
}
}
/* Skipping this argument? */
if (skip)
out--;
else
argv[out] = argv[in];
}
/* Initialize tool's debugging after setting env vars above */
p11_debug_init ();
if (command == NULL) {
/* As a special favor if someone just typed the command, help them out */
if (argc == 1) {
command_usage (commands);
return 2;
} else if (want_help) {
command_usage (commands);
return 0;
} else {
p11_message ("no command specified");
return 2;
}
}
argc = out;
/* Look for the command */
for (i = 0; commands[i].name != NULL; i++) {
if (strcmp (commands[i].name, P11_TOOL_FALLBACK) == 0) {
fallback = commands + i;
} else if (strcmp (commands[i].name, command) == 0) {
argv[0] = command;
return (commands[i].function) (argc, argv);
}
}
/* Got here because no command matched */
if (fallback != NULL) {
argv[0] = command;
return (fallback->function) (argc, argv);
}
/* At this point we have no command */
p11_message ("'%s' is not a valid command. See '%s --help'",
command, getprogname ());
return 2;
}
