static CK_SESSION_HANDLE
session_for_store_on_module (const char *name,
CK_FUNCTION_LIST *module,
bool *found_read_only)
{
CK_SESSION_HANDLE session = 0;
CK_SLOT_ID *slots = NULL;
CK_TOKEN_INFO info;
CK_ULONG count;
CK_ULONG i;
CK_RV rv;
rv = p11_kit_module_initialize (module);
if (rv != CKR_OK) {
p11_message ("%s: couldn't initialize: %s", name, p11_kit_message ());
return 0UL;
}
rv = (module->C_GetSlotList) (CK_TRUE, NULL, &count);
if (rv == CKR_OK) {
slots = calloc (count, sizeof (CK_ULONG));
return_val_if_fail (slots != NULL, 0UL);
rv = (module->C_GetSlotList) (CK_TRUE, slots, &count);
}
if (rv != CKR_OK) {
p11_message ("%s: couldn't enumerate slots: %s", name, p11_kit_strerror (rv));
free (slots);
return 0UL;
}
for (i = 0; session == 0 && i < count; i++) {
rv = (module->C_GetTokenInfo) (slots[i], &info);
if (rv != CKR_OK) {
p11_message ("%s: couldn't get token info: %s", name, p11_kit_strerror (rv));
continue;
}
if (info.flags & CKF_WRITE_PROTECTED) {
*found_read_only = true;
continue;
}
rv = (module->C_OpenSession) (slots[i], CKF_SERIAL_SESSION | CKF_RW_SESSION,
NULL, NULL, &session);
if (rv != CKR_OK) {
p11_message ("%s: couldn't open session: %s", name, p11_kit_strerror (rv));
session = 0;
}
p11_debug ("opened writable session on: %s", name);
}
free (slots);
if (session == 0UL)
p11_kit_module_finalize (module);
return session;
}
gboolean
g_pkcs11_propagate_error (GError **error, CK_RV rv)
{
if (rv == CKR_OK)
return FALSE;
if (rv == CKR_CANCEL)
g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_CANCELLED,
p11_kit_strerror (rv));
else
g_set_error_literal (error, G_PKCS11_ERROR, (gint)rv,
p11_kit_strerror (rv));
return TRUE;
}
static bool
remove_all (p11_kit_iter *iter,
bool *changed)
{
const char *desc;
CK_RV rv;
while ((rv = p11_kit_iter_next (iter)) == CKR_OK) {
desc = description_for_object_at_iter (iter);
p11_debug ("removing %s: %lu", desc, p11_kit_iter_get_object (iter));
rv = p11_kit_iter_destroy_object (iter);
switch (rv) {
case CKR_OK:
*changed = true;
/* fall through */
case CKR_OBJECT_HANDLE_INVALID:
continue;
case CKR_TOKEN_WRITE_PROTECTED:
case CKR_SESSION_READ_ONLY:
case CKR_ATTRIBUTE_READ_ONLY:
p11_message ("couldn't remove read-only %s", desc);
continue;
default:
p11_message ("couldn't remove %s: %s", desc,
p11_kit_strerror (rv));
break;
}
}
return (rv == CKR_CANCEL);
}
static bool
create_anchor (CK_FUNCTION_LIST *module,
CK_SESSION_HANDLE session,
CK_ATTRIBUTE *attrs)
{
CK_BBOOL truev = CK_TRUE;
CK_OBJECT_HANDLE object;
char *string;
CK_RV rv;
CK_ULONG klass;
CK_ATTRIBUTE basics_certificate[] = {
{ CKA_TOKEN, &truev, sizeof (truev) },
{ CKA_TRUSTED, &truev, sizeof (truev) },
{ CKA_INVALID, },
};
CK_ATTRIBUTE basics_extension[] = {
{ CKA_TOKEN, &truev, sizeof (truev) },
{ CKA_INVALID, },
};
CK_ATTRIBUTE basics_empty[] = {
{ CKA_INVALID, },
};
CK_ATTRIBUTE *basics = basics_empty;
if (p11_attrs_find_ulong (attrs, CKA_CLASS, &klass)) {
switch (klass) {
case CKO_CERTIFICATE:
basics = basics_certificate;
break;
case CKO_X_CERTIFICATE_EXTENSION:
basics = basics_extension;
break;
}
}
attrs = p11_attrs_merge (attrs, p11_attrs_dup (basics), true);
p11_attrs_remove (attrs, CKA_MODIFIABLE);
if (p11_debugging) {
string = p11_attrs_to_string (attrs, -1);
p11_debug ("storing: %s", string);
free (string);
}
rv = (module->C_CreateObject) (session, attrs,
p11_attrs_count (attrs), &object);
p11_attrs_free (attrs);
if (rv != CKR_OK) {
p11_message ("couldn't create object: %s", p11_kit_strerror (rv));
return false;
}
return true;
}
bool
p11_extract_x509_file (p11_enumerate *ex,
const char *destination)
{
bool found = false;
p11_save_file *file;
CK_RV rv;
while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) {
if (found) {
p11_message ("multiple certificates found but could only write one to file");
break;
}
file = p11_save_open_file (destination, NULL, ex->flags);
if (!p11_save_write_and_finish (file, ex->cert_der, ex->cert_len))
return false;
/* Wrote something */
found = true;
}
if (rv != CKR_OK && rv != CKR_CANCEL) {
p11_message ("failed to find certificates: %s", p11_kit_strerror (rv));
return false;
/* Remember that an empty DER file is not a valid file, so complain if nothing */
} else if (!found) {
p11_message ("no certificate found");
return false;
}
return true;
}
bool
p11_extract_openssl_bundle (p11_enumerate *ex,
const char *destination)
{
p11_save_file *file;
p11_buffer output;
p11_buffer buf;
char *comment;
bool ret = true;
bool first;
CK_RV rv;
file = p11_save_open_file (destination, NULL, ex->flags);
if (!file)
return false;
first = true;
p11_buffer_init (&output, 0);
while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) {
p11_buffer_init (&buf, 1024);
if (!p11_buffer_reset (&output, 2048))
return_val_if_reached (false);
if (prepare_pem_contents (ex, &buf)) {
if (!p11_pem_write (buf.data, buf.len, "TRUSTED CERTIFICATE", &output))
return_val_if_reached (false);
comment = p11_enumerate_comment (ex, first);
first = false;
ret = p11_save_write (file, comment, -1) &&
p11_save_write (file, output.data, output.len);
free (comment);
}
p11_buffer_uninit (&buf);
if (!ret)
break;
}
p11_buffer_uninit (&output);
if (rv != CKR_OK && rv != CKR_CANCEL) {
p11_message ("failed to find certificates: %s", p11_kit_strerror (rv));
ret = false;
}
/*
* This will produce an empty file (which is a valid PEM bundle) if no
* certificates were found.
*/
if (!p11_save_finish_file (file, NULL, ret))
ret = false;
return ret;
}
void
_p11_kit_default_message (CK_RV rv)
{
const char *msg;
if (rv != CKR_OK) {
msg = p11_kit_strerror (rv);
p11_message_store (msg, strlen (msg));
}
}
static bool
modify_anchor (CK_FUNCTION_LIST *module,
CK_SESSION_HANDLE session,
CK_OBJECT_HANDLE object,
CK_ATTRIBUTE *attrs)
{
CK_BBOOL truev = CK_TRUE;
CK_ATTRIBUTE *changes;
CK_ATTRIBUTE *label;
CK_ULONG klass;
char *string;
CK_RV rv;
CK_ATTRIBUTE trusted = { CKA_TRUSTED, &truev, sizeof (truev) };
label = p11_attrs_find_valid (attrs, CKA_LABEL);
if (p11_attrs_find_ulong (attrs, CKA_CLASS, &klass) &&
klass == CKO_CERTIFICATE)
changes = p11_attrs_build (NULL, &trusted, label, NULL);
else
changes = p11_attrs_build (NULL, label, NULL);
return_val_if_fail (attrs != NULL, FALSE);
/* Don't need the attributes anymore */
p11_attrs_free (attrs);
if (p11_debugging) {
string = p11_attrs_to_string (changes, -1);
p11_debug ("setting: %s", string);
free (string);
}
rv = (module->C_SetAttributeValue) (session, object, changes,
p11_attrs_count (changes));
p11_attrs_free (changes);
if (rv != CKR_OK) {
p11_message ("couldn't create object: %s", p11_kit_strerror (rv));
return false;
}
return true;
}
bool
p11_extract_x509_directory (p11_enumerate *ex,
const char *destination)
{
p11_save_file *file;
p11_save_dir *dir;
char *filename;
CK_RV rv;
bool ret;
dir = p11_save_open_directory (destination, ex->flags);
if (dir == NULL)
return false;
while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) {
filename = p11_enumerate_filename (ex);
return_val_if_fail (filename != NULL, -1);
file = p11_save_open_file_in (dir, filename, ".cer");
free (filename);
if (!p11_save_write_and_finish (file, ex->cert_der, ex->cert_len)) {
p11_save_finish_directory (dir, false);
return false;
}
}
if (rv != CKR_OK && rv != CKR_CANCEL) {
p11_message ("failed to find certificates: %s", p11_kit_strerror (rv));
ret = false;
} else {
ret = true;
}
p11_save_finish_directory (dir, ret);
return ret;
}
bool
p11_extract_openssl_directory (p11_enumerate *ex,
const char *destination)
{
char *filename;
p11_save_file *file;
p11_save_dir *dir;
p11_buffer output;
p11_buffer buf;
bool ret = true;
char *path;
char *name;
CK_RV rv;
dir = p11_save_open_directory (destination, ex->flags);
if (dir == NULL)
return false;
p11_buffer_init (&buf, 0);
p11_buffer_init (&output, 0);
while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) {
if (!p11_buffer_reset (&buf, 1024))
return_val_if_reached (false);
if (!p11_buffer_reset (&output, 2048))
return_val_if_reached (false);
if (prepare_pem_contents (ex, &buf)) {
if (!p11_pem_write (buf.data, buf.len, "TRUSTED CERTIFICATE", &output))
return_val_if_reached (false);
name = p11_enumerate_filename (ex);
return_val_if_fail (name != NULL, false);
filename = NULL;
path = NULL;
ret = false;
file = p11_save_open_file_in (dir, name, ".pem");
if (file != NULL) {
ret = p11_save_write (file, output.data, output.len);
if (!p11_save_finish_file (file, &path, ret))
ret = false;
if (ret)
filename = p11_path_base (path);
}
ret = p11_openssl_symlink(ex, dir, filename);
free (filename);
free (path);
free (name);
}
if (!ret)
break;
}
p11_buffer_uninit (&buf);
p11_buffer_uninit (&output);
if (rv != CKR_OK && rv != CKR_CANCEL) {
p11_message ("failed to find certificates: %s", p11_kit_strerror (rv));
ret = false;
}
p11_save_finish_directory (dir, ret);
return ret;
}
