static GkmObject*
factory_create_generic_key (GkmSession *session, GkmTransaction *transaction,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
GkmGenericKey *key;
GkmManager *manager;
CK_ATTRIBUTE_PTR value;
value = gkm_attributes_find (attrs, n_attrs, CKA_VALUE);
if (value == NULL) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCOMPLETE);
return NULL;
}
if (gkm_attributes_find (attrs, n_attrs, CKA_VALUE_LEN)) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCONSISTENT);
return NULL;
}
manager = gkm_manager_for_template (attrs, n_attrs, session);
key = g_object_new (GKM_TYPE_GENERIC_KEY,
"module", gkm_session_get_module (session),
"manager", manager,
NULL);
key->value = egg_secure_alloc (value->ulValueLen);
key->n_value = value->ulValueLen;
memcpy (key->value, value->pValue, key->n_value);
gkm_attribute_consume (value);
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (key),
TRUE, attrs, n_attrs);
return GKM_OBJECT (key);
}
GkmXdgTrust*
gkm_xdg_trust_create_for_assertion (GkmModule *module, GkmManager *manager,
GkmTransaction *transaction,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
CK_ATTRIBUTE_PTR serial, issuer, cert;
GkmXdgTrust *trust;
g_return_val_if_fail (GKM_IS_MODULE (module), NULL);
g_return_val_if_fail (GKM_IS_MANAGER (manager), NULL);
g_return_val_if_fail (attrs || !n_attrs, NULL);
serial = gkm_attributes_find (attrs, n_attrs, CKA_SERIAL_NUMBER);
issuer = gkm_attributes_find (attrs, n_attrs, CKA_ISSUER);
cert = gkm_attributes_find (attrs, n_attrs, CKA_X_CERTIFICATE_VALUE);
/* A trust object with just serial + issuer */
if (serial != NULL && issuer != NULL) {
if (cert != NULL) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCONSISTENT);
return NULL;
}
if (!validate_der (issuer, "Name") || !validate_integer (serial)) {
gkm_transaction_fail (transaction, CKR_ATTRIBUTE_VALUE_INVALID);
return NULL;
}
trust = create_trust_for_reference (module, manager, serial, issuer);
/* A trust object with a full certificate */
} else if (cert != NULL) {
if (serial != NULL || issuer != NULL) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCONSISTENT);
return NULL;
}
if (!validate_der (cert, "Certificate")) {
gkm_transaction_fail (transaction, CKR_ATTRIBUTE_VALUE_INVALID);
return NULL;
}
trust = create_trust_for_complete (module, manager, cert);
/* Not sure what this is */
} else {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCOMPLETE);
return NULL;
}
gkm_attributes_consume (attrs, n_attrs, CKA_X_CERTIFICATE_VALUE, CKA_ISSUER,
CKA_SERIAL_NUMBER, G_MAXULONG);
return trust;
}
static void
prepare_unlock_prompt (GkmWrapPrompt *self, CK_ATTRIBUTE_PTR attrs,
CK_ULONG n_attrs, gboolean first)
{
CK_ATTRIBUTE_PTR attr;
GkuPrompt *prompt;
const gchar *label = NULL;
CK_OBJECT_CLASS klass;
g_assert (GKM_WRAP_IS_PROMPT (self));
prompt = GKU_PROMPT (self);
/* Hard reset on first prompt, soft on later */
gku_prompt_reset (GKU_PROMPT (prompt), first);
/* Load up the object class */
if (!gkm_attributes_find_ulong (attrs, n_attrs, CKA_CLASS, &klass))
klass = (CK_ULONG)-1;
/* Load up its label */
attr = gkm_attributes_find (attrs, n_attrs, CKA_LABEL);
if (attr != NULL)
label = attr->pValue;
/* Load up the identifier */
attr = gkm_attributes_find (attrs, n_attrs, CKA_ID);
if (attr != NULL && !label)
label = attr->pValue;
if (!label)
label = _("Unnamed");
if (klass == CKO_G_COLLECTION) {
if (is_login_keyring (attrs, n_attrs))
prepare_unlock_keyring_login (self);
else
prepare_unlock_keyring_other (self, label);
} else {
prepare_unlock_object (self, label, klass);
}
if (!first)
gku_prompt_set_warning (GKU_PROMPT (self), _("The unlock password was incorrect"));
}
static void
setup_unlock_prompt (GkmWrapPrompt *self,
CK_ATTRIBUTE_PTR attrs,
CK_ULONG n_attrs,
gboolean first)
{
CK_ATTRIBUTE_PTR attr;
GcrPrompt *prompt;
const gchar *label = NULL;
CK_OBJECT_CLASS klass;
g_assert (GKM_IS_WRAP_PROMPT (self));
prompt = GCR_PROMPT (self);
/* Load up the object class */
if (!gkm_attributes_find_ulong (attrs, n_attrs, CKA_CLASS, &klass))
klass = (CK_ULONG)-1;
/* Load up its label */
attr = gkm_attributes_find (attrs, n_attrs, CKA_LABEL);
if (attr != NULL)
label = attr->pValue;
/* Load up the identifier */
attr = gkm_attributes_find (attrs, n_attrs, CKA_ID);
if (attr != NULL && !label)
label = attr->pValue;
if (!label)
label = _("Unnamed");
if (klass == CKO_G_COLLECTION) {
if (is_login_keyring (attrs, n_attrs))
setup_unlock_keyring_login (self);
else
setup_unlock_keyring_other (self, label);
} else {
setup_unlock_object (self, label, klass);
}
if (!first)
gcr_prompt_set_warning (prompt, _("The unlock password was incorrect"));
gcr_prompt_set_continue_label (prompt, _("Unlock"));
}
static GkmObject*
factory_create_item (GkmSession *session, GkmTransaction *transaction,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
GkmSecretCollection *collection = NULL;
GkmSecretItem *item;
GkmManager *m_manager;
GkmManager *s_manager;
CK_ATTRIBUTE *attr;
gboolean is_token;
gchar *identifier;
g_return_val_if_fail (GKM_IS_TRANSACTION (transaction), NULL);
g_return_val_if_fail (attrs || !n_attrs, NULL);
/* See if a collection attribute was specified */
attr = gkm_attributes_find (attrs, n_attrs, CKA_G_COLLECTION);
if (attr == NULL) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCOMPLETE);
return NULL;
}
m_manager = gkm_module_get_manager (gkm_session_get_module (session));
s_manager = gkm_session_get_manager (session);
gkm_attribute_consume (attr);
if (!gkm_attributes_find_boolean (attrs, n_attrs, CKA_TOKEN, &is_token))
collection = gkm_secret_collection_find (session, attr, m_manager, s_manager, NULL);
else if (is_token)
collection = gkm_secret_collection_find (session, attr, m_manager, NULL);
else
collection = gkm_secret_collection_find (session, attr, s_manager, NULL);
if (!collection) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCONSISTENT);
return NULL;
}
/* If an ID was specified, then try and see if that ID already exists */
if (gkm_attributes_find_string (attrs, n_attrs, CKA_ID, &identifier)) {
item = gkm_secret_collection_get_item (collection, identifier);
if (item == NULL) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCONSISTENT);
return NULL;
} else {
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (item),
FALSE, attrs, n_attrs);
return g_object_ref (item);
}
}
/* Create a new collection which will own the item */
item = gkm_secret_collection_create_item (collection, transaction);
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (item),
TRUE, attrs, n_attrs);
return g_object_ref (item);
}
static gchar*
auto_unlock_object_unique (CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
CK_ATTRIBUTE_PTR attr;
attr = gkm_attributes_find (attrs, n_attrs, CKA_MATE_UNIQUE);
if (attr == NULL)
return NULL;
return g_strndup (attr->pValue, attr->ulValueLen);
}
static gchar*
auto_unlock_object_digest (CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
CK_ATTRIBUTE_PTR attr;
gchar *result;
attr = gkm_attributes_find (attrs, n_attrs, CKA_MATE_INTERNAL_SHA1);
if (attr == NULL)
return NULL;
result = g_strndup (attr->pValue, attr->ulValueLen);
convert_upper_case (result);
return result;
}
static void
gkm_object_real_create_attributes (GkmObject *self, GkmSession *session,
GkmTransaction *transaction, CK_ATTRIBUTE *attrs, CK_ULONG n_attrs)
{
CK_ATTRIBUTE_PTR transient_attr;
gboolean transient = FALSE;
gulong after = 0;
gulong idle = 0;
CK_RV rv;
/* Parse the transient attribute */
transient_attr = gkm_attributes_find (attrs, n_attrs, CKA_MATE_TRANSIENT);
if (transient_attr) {
rv = gkm_attribute_get_bool (transient_attr, &transient);
if (rv != CKR_OK) {
gkm_transaction_fail (transaction, rv);
return;
}
}
/* Parse the auto destruct attribute */
if (!gkm_attributes_find_ulong (attrs, n_attrs, CKA_G_DESTRUCT_AFTER, &after))
after = 0;
if (!gkm_attributes_find_ulong (attrs, n_attrs, CKA_G_DESTRUCT_IDLE, &idle))
idle = 0;
/* Default for the transient attribute */
if (!transient_attr && (idle || after))
transient = TRUE;
/* Used up these attributes */
gkm_attributes_consume (attrs, n_attrs, CKA_G_DESTRUCT_AFTER,
CKA_G_DESTRUCT_IDLE, CKA_MATE_TRANSIENT, G_MAXULONG);
if (transient) {
mark_object_transient (self);
self->pv->transient->timed_after = after;
self->pv->transient->timed_idle = idle;
}
if (after || idle) {
if (!self->pv->transient) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCONSISTENT);
return;
}
gkm_transaction_add (transaction, self, start_callback, NULL);
}
}
static GkmObject*
factory_create_credential (GkmSession *session, GkmTransaction *transaction,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
CK_OBJECT_HANDLE handle;
GkmCredential *cred;
CK_ATTRIBUTE *attr;
GkmManager *manager;
GkmModule *module;
GkmObject *object = NULL;
CK_RV rv;
g_return_val_if_fail (GKM_IS_TRANSACTION (transaction), NULL);
g_return_val_if_fail (attrs || !n_attrs, NULL);
/* The handle is optional */
if (gkm_attributes_find_ulong (attrs, n_attrs, CKA_G_OBJECT, &handle)) {
rv = gkm_session_lookup_readable_object (session, handle, &object);
if (rv != CKR_OK) {
gkm_transaction_fail (transaction, rv);
return NULL;
}
} else {
object = NULL;
}
/* The value is optional */
attr = gkm_attributes_find (attrs, n_attrs, CKA_VALUE);
gkm_attributes_consume (attrs, n_attrs, CKA_VALUE, CKA_G_OBJECT, G_MAXULONG);
module = gkm_session_get_module (session);
manager = gkm_manager_for_template (attrs, n_attrs, session);
rv = gkm_credential_create (module, manager, object,
attr ? attr->pValue : NULL,
attr ? attr->ulValueLen : 0, &cred);
if (rv == CKR_OK) {
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (cred),
TRUE, attrs, n_attrs);
return GKM_OBJECT (cred);
} else {
gkm_transaction_fail (transaction, rv);
return NULL;
}
}
static void
gkm_secret_key_real_create_attributes (GkmObject *object, GkmSession *session, GkmTransaction *transaction,
CK_ATTRIBUTE *attrs, CK_ULONG n_attrs)
{
GkmSecretKey *self = GKM_SECRET_KEY (object);
CK_ATTRIBUTE_PTR id;
if (!self->pv->n_id) {
id = gkm_attributes_find (attrs, n_attrs, CKA_ID);
if (id == NULL) {
self->pv->id = NULL;
self->pv->n_id = 0;
} else {
self->pv->id = g_memdup (id->pValue, id->ulValueLen);
self->pv->n_id = id->ulValueLen;
gkm_attribute_consume (id);
}
}
}
static gchar*
auto_unlock_keyring_location (CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
CK_ATTRIBUTE_PTR attr;
if (is_login_keyring (attrs, n_attrs))
return NULL;
attr = gkm_attributes_find (attrs, n_attrs, CKA_ID);
if (attr == NULL)
return NULL;
/*
* COMPAT: Format it into a string. This is done this way for compatibility
* with old mate-keyring releases. In the future this may change.
*/
return g_strdup_printf ("LOCAL:/keyrings/%s.keyring", (gchar*)attr->pValue);
}
static GkmObject*
factory_create_certificate (GkmSession *session, GkmTransaction *transaction,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
CK_ATTRIBUTE_PTR attr;
GkmCertificate *cert;
g_return_val_if_fail (GKM_IS_TRANSACTION (transaction), NULL);
g_return_val_if_fail (attrs || !n_attrs, NULL);
/* Dig out the value */
attr = gkm_attributes_find (attrs, n_attrs, CKA_VALUE);
if (attr == NULL) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCOMPLETE);
return NULL;
}
cert = g_object_new (GKM_TYPE_CERTIFICATE,
"module", gkm_session_get_module (session),
"manager", gkm_manager_for_template (attrs, n_attrs, session),
NULL);
/* Load the certificate from the data specified */
if (!gkm_serializable_load (GKM_SERIALIZABLE (cert), NULL, attr->pValue, attr->ulValueLen)) {
gkm_transaction_fail (transaction, CKR_ATTRIBUTE_VALUE_INVALID);
g_object_unref (cert);
return NULL;
}
/* Note that we ignore the subject */
gkm_attributes_consume (attrs, n_attrs, CKA_VALUE, CKA_SUBJECT, G_MAXULONG);
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (cert),
TRUE, attrs, n_attrs);
return GKM_OBJECT (cert);
}
static GkmXdgTrust*
lookup_or_create_trust_object (GkmSession *session, GkmManager *manager,
GkmTransaction *transaction, CK_X_ASSERTION_TYPE type,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs, gboolean *created)
{
CK_ATTRIBUTE_PTR serial, issuer, value;
CK_ATTRIBUTE lookups[3];
CK_OBJECT_CLASS klass;
CK_ULONG n_lookups;
GList *objects;
GkmXdgTrust *trust;
GkmModule *module;
klass = CKO_NETSCAPE_TRUST;
lookups[0].type = CKA_CLASS;
lookups[0].pValue = &klass;
lookups[0].ulValueLen = sizeof (klass);
switch (type) {
case CKT_X_ANCHORED_CERTIFICATE:
case CKT_X_PINNED_CERTIFICATE:
value = gkm_attributes_find (attrs, n_attrs, CKA_X_CERTIFICATE_VALUE);
if (!value) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCOMPLETE);
return NULL;
}
/* Attributes used for looking up trust object */
memcpy (&lookups[1], value, sizeof (CK_ATTRIBUTE));
n_lookups = 2;
break;
case CKT_X_DISTRUSTED_CERTIFICATE:
serial = gkm_attributes_find (attrs, n_attrs, CKA_SERIAL_NUMBER);
issuer = gkm_attributes_find (attrs, n_attrs, CKA_ISSUER);
if (!serial || !issuer) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCOMPLETE);
return NULL;
}
/* Attributes used for looking up trust object */
memcpy (&lookups[1], issuer, sizeof (CK_ATTRIBUTE));
memcpy (&lookups[2], serial, sizeof (CK_ATTRIBUTE));
n_lookups = 3;
break;
default:
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCONSISTENT);
return NULL;
};
objects = gkm_manager_find_by_attributes (manager, session, lookups, n_lookups);
module = gkm_session_get_module (session);
/* Found a matching trust object for this assertion */
if (objects) {
g_return_val_if_fail (GKM_XDG_IS_TRUST (objects->data), NULL);
trust = g_object_ref (objects->data);
g_list_free (objects);
/* Create a trust object for this assertion */
} else {
trust = gkm_xdg_trust_create_for_assertion (module, manager, transaction,
lookups, n_lookups);
gkm_attributes_consume (attrs, n_attrs, CKA_X_CERTIFICATE_VALUE,
CKA_ISSUER, CKA_SERIAL_NUMBER, G_MAXULONG);
gkm_attributes_consume (lookups, n_lookups, CKA_X_CERTIFICATE_VALUE,
CKA_ISSUER, CKA_SERIAL_NUMBER, G_MAXULONG);
if (!gkm_transaction_get_failed (transaction))
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (trust),
TRUE, lookups, n_lookups);
}
return trust;
}