static GkmObject*
factory_create_private_key (GkmSession *session, GkmTransaction *transaction,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
GkmGnome2PrivateKey *key;
GkmSexp *sexp;
g_return_val_if_fail (attrs || !n_attrs, NULL);
sexp = gkm_private_xsa_key_create_sexp (session, transaction, attrs, n_attrs);
if (sexp == NULL)
return NULL;
key = g_object_new (GKM_TYPE_GNOME2_PRIVATE_KEY, "base-sexp", sexp,
"module", gkm_session_get_module (session),
"manager", gkm_manager_for_template (attrs, n_attrs, session),
NULL);
g_return_val_if_fail (!key->private_sexp, NULL);
key->private_sexp = gkm_sexp_ref (sexp);
gkm_sexp_unref (sexp);
/* TODO: We don't support setting these yet, so ignore them */
gkm_attributes_consume (attrs, n_attrs,
CKA_SIGN_RECOVER, CKA_UNWRAP, CKA_ID,
G_MAXULONG);
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (key),
TRUE, attrs, n_attrs);
return GKM_OBJECT (key);
}
GkmXdgTrust*
gkm_xdg_trust_create_for_assertion (GkmModule *module, GkmManager *manager,
GkmTransaction *transaction,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
CK_ATTRIBUTE_PTR serial, issuer, cert;
GkmXdgTrust *trust;
g_return_val_if_fail (GKM_IS_MODULE (module), NULL);
g_return_val_if_fail (GKM_IS_MANAGER (manager), NULL);
g_return_val_if_fail (attrs || !n_attrs, NULL);
serial = gkm_attributes_find (attrs, n_attrs, CKA_SERIAL_NUMBER);
issuer = gkm_attributes_find (attrs, n_attrs, CKA_ISSUER);
cert = gkm_attributes_find (attrs, n_attrs, CKA_X_CERTIFICATE_VALUE);
/* A trust object with just serial + issuer */
if (serial != NULL && issuer != NULL) {
if (cert != NULL) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCONSISTENT);
return NULL;
}
if (!validate_der (issuer, "Name") || !validate_integer (serial)) {
gkm_transaction_fail (transaction, CKR_ATTRIBUTE_VALUE_INVALID);
return NULL;
}
trust = create_trust_for_reference (module, manager, serial, issuer);
/* A trust object with a full certificate */
} else if (cert != NULL) {
if (serial != NULL || issuer != NULL) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCONSISTENT);
return NULL;
}
if (!validate_der (cert, "Certificate")) {
gkm_transaction_fail (transaction, CKR_ATTRIBUTE_VALUE_INVALID);
return NULL;
}
trust = create_trust_for_complete (module, manager, cert);
/* Not sure what this is */
} else {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCOMPLETE);
return NULL;
}
gkm_attributes_consume (attrs, n_attrs, CKA_X_CERTIFICATE_VALUE, CKA_ISSUER,
CKA_SERIAL_NUMBER, G_MAXULONG);
return trust;
}
static void
gkm_object_real_create_attributes (GkmObject *self, GkmSession *session,
GkmTransaction *transaction, CK_ATTRIBUTE *attrs, CK_ULONG n_attrs)
{
CK_ATTRIBUTE_PTR transient_attr;
gboolean transient = FALSE;
gulong after = 0;
gulong idle = 0;
CK_RV rv;
/* Parse the transient attribute */
transient_attr = gkm_attributes_find (attrs, n_attrs, CKA_MATE_TRANSIENT);
if (transient_attr) {
rv = gkm_attribute_get_bool (transient_attr, &transient);
if (rv != CKR_OK) {
gkm_transaction_fail (transaction, rv);
return;
}
}
/* Parse the auto destruct attribute */
if (!gkm_attributes_find_ulong (attrs, n_attrs, CKA_G_DESTRUCT_AFTER, &after))
after = 0;
if (!gkm_attributes_find_ulong (attrs, n_attrs, CKA_G_DESTRUCT_IDLE, &idle))
idle = 0;
/* Default for the transient attribute */
if (!transient_attr && (idle || after))
transient = TRUE;
/* Used up these attributes */
gkm_attributes_consume (attrs, n_attrs, CKA_G_DESTRUCT_AFTER,
CKA_G_DESTRUCT_IDLE, CKA_MATE_TRANSIENT, G_MAXULONG);
if (transient) {
mark_object_transient (self);
self->pv->transient->timed_after = after;
self->pv->transient->timed_idle = idle;
}
if (after || idle) {
if (!self->pv->transient) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCONSISTENT);
return;
}
gkm_transaction_add (transaction, self, start_callback, NULL);
}
}
static GkmObject*
factory_create_credential (GkmSession *session, GkmTransaction *transaction,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
CK_OBJECT_HANDLE handle;
GkmCredential *cred;
CK_ATTRIBUTE *attr;
GkmManager *manager;
GkmModule *module;
GkmObject *object = NULL;
CK_RV rv;
g_return_val_if_fail (GKM_IS_TRANSACTION (transaction), NULL);
g_return_val_if_fail (attrs || !n_attrs, NULL);
/* The handle is optional */
if (gkm_attributes_find_ulong (attrs, n_attrs, CKA_G_OBJECT, &handle)) {
rv = gkm_session_lookup_readable_object (session, handle, &object);
if (rv != CKR_OK) {
gkm_transaction_fail (transaction, rv);
return NULL;
}
} else {
object = NULL;
}
/* The value is optional */
attr = gkm_attributes_find (attrs, n_attrs, CKA_VALUE);
gkm_attributes_consume (attrs, n_attrs, CKA_VALUE, CKA_G_OBJECT, G_MAXULONG);
module = gkm_session_get_module (session);
manager = gkm_manager_for_template (attrs, n_attrs, session);
rv = gkm_credential_create (module, manager, object,
attr ? attr->pValue : NULL,
attr ? attr->ulValueLen : 0, &cred);
if (rv == CKR_OK) {
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (cred),
TRUE, attrs, n_attrs);
return GKM_OBJECT (cred);
} else {
gkm_transaction_fail (transaction, rv);
return NULL;
}
}
static GkmObject*
factory_create_certificate (GkmSession *session, GkmTransaction *transaction,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
CK_ATTRIBUTE_PTR attr;
GkmCertificate *cert;
g_return_val_if_fail (GKM_IS_TRANSACTION (transaction), NULL);
g_return_val_if_fail (attrs || !n_attrs, NULL);
/* Dig out the value */
attr = gkm_attributes_find (attrs, n_attrs, CKA_VALUE);
if (attr == NULL) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCOMPLETE);
return NULL;
}
cert = g_object_new (GKM_TYPE_CERTIFICATE,
"module", gkm_session_get_module (session),
"manager", gkm_manager_for_template (attrs, n_attrs, session),
NULL);
/* Load the certificate from the data specified */
if (!gkm_serializable_load (GKM_SERIALIZABLE (cert), NULL, attr->pValue, attr->ulValueLen)) {
gkm_transaction_fail (transaction, CKR_ATTRIBUTE_VALUE_INVALID);
g_object_unref (cert);
return NULL;
}
/* Note that we ignore the subject */
gkm_attributes_consume (attrs, n_attrs, CKA_VALUE, CKA_SUBJECT, G_MAXULONG);
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (cert),
TRUE, attrs, n_attrs);
return GKM_OBJECT (cert);
}
static GkmXdgTrust*
lookup_or_create_trust_object (GkmSession *session, GkmManager *manager,
GkmTransaction *transaction, CK_X_ASSERTION_TYPE type,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs, gboolean *created)
{
CK_ATTRIBUTE_PTR serial, issuer, value;
CK_ATTRIBUTE lookups[3];
CK_OBJECT_CLASS klass;
CK_ULONG n_lookups;
GList *objects;
GkmXdgTrust *trust;
GkmModule *module;
klass = CKO_NETSCAPE_TRUST;
lookups[0].type = CKA_CLASS;
lookups[0].pValue = &klass;
lookups[0].ulValueLen = sizeof (klass);
switch (type) {
case CKT_X_ANCHORED_CERTIFICATE:
case CKT_X_PINNED_CERTIFICATE:
value = gkm_attributes_find (attrs, n_attrs, CKA_X_CERTIFICATE_VALUE);
if (!value) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCOMPLETE);
return NULL;
}
/* Attributes used for looking up trust object */
memcpy (&lookups[1], value, sizeof (CK_ATTRIBUTE));
n_lookups = 2;
break;
case CKT_X_DISTRUSTED_CERTIFICATE:
serial = gkm_attributes_find (attrs, n_attrs, CKA_SERIAL_NUMBER);
issuer = gkm_attributes_find (attrs, n_attrs, CKA_ISSUER);
if (!serial || !issuer) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCOMPLETE);
return NULL;
}
/* Attributes used for looking up trust object */
memcpy (&lookups[1], issuer, sizeof (CK_ATTRIBUTE));
memcpy (&lookups[2], serial, sizeof (CK_ATTRIBUTE));
n_lookups = 3;
break;
default:
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCONSISTENT);
return NULL;
};
objects = gkm_manager_find_by_attributes (manager, session, lookups, n_lookups);
module = gkm_session_get_module (session);
/* Found a matching trust object for this assertion */
if (objects) {
g_return_val_if_fail (GKM_XDG_IS_TRUST (objects->data), NULL);
trust = g_object_ref (objects->data);
g_list_free (objects);
/* Create a trust object for this assertion */
} else {
trust = gkm_xdg_trust_create_for_assertion (module, manager, transaction,
lookups, n_lookups);
gkm_attributes_consume (attrs, n_attrs, CKA_X_CERTIFICATE_VALUE,
CKA_ISSUER, CKA_SERIAL_NUMBER, G_MAXULONG);
gkm_attributes_consume (lookups, n_lookups, CKA_X_CERTIFICATE_VALUE,
CKA_ISSUER, CKA_SERIAL_NUMBER, G_MAXULONG);
if (!gkm_transaction_get_failed (transaction))
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (trust),
TRUE, lookups, n_lookups);
}
return trust;
}
static GkmObject*
factory_create_assertion (GkmSession *session, GkmTransaction *transaction,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
GkmAssertion *assertion;
CK_X_ASSERTION_TYPE type;
GkmManager *manager;
gboolean created = FALSE;
GkmXdgTrust *trust;
gchar *purpose;
gchar *peer;
g_return_val_if_fail (attrs || !n_attrs, NULL);
if (!gkm_attributes_find_ulong (attrs, n_attrs, CKA_X_ASSERTION_TYPE, &type)) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCOMPLETE);
return NULL;
}
if (!gkm_attributes_find_string (attrs, n_attrs, CKA_X_PURPOSE, &purpose)) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCOMPLETE);
return NULL;
}
if (!gkm_attributes_find_string (attrs, n_attrs, CKA_X_PEER, &peer))
peer = NULL;
/* Try to find or create an appropriate trust object for this assertion */
manager = gkm_manager_for_template (attrs, n_attrs, session);
trust = lookup_or_create_trust_object (session, manager, transaction,
type, attrs, n_attrs, &created);
/* Creating the trust object failed */
if (trust == NULL) {
g_return_val_if_fail (gkm_transaction_get_failed (transaction), NULL);
g_free (purpose);
g_free (peer);
return NULL;
}
assertion = g_object_new (GKM_XDG_TYPE_ASSERTION,
"module", gkm_session_get_module (session),
"manager", manager,
"trust", trust,
"type", type,
"purpose", purpose,
"peer", peer,
NULL);
g_free (purpose);
g_free (peer);
/* Add the assertion to the trust object */
if (!gkm_transaction_get_failed (transaction)) {
gkm_xdg_trust_replace_assertion (trust, GKM_ASSERTION (assertion), transaction);
if (gkm_transaction_get_failed (transaction)) {
gkm_transaction_fail (transaction, CKR_GENERAL_ERROR);
/* A new trust assertion */
} else {
gkm_attributes_consume (attrs, n_attrs, CKA_X_ASSERTION_TYPE, CKA_X_PURPOSE, G_MAXULONG);
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (assertion),
TRUE, attrs, n_attrs);
}
}
g_object_unref (trust);
return GKM_OBJECT (assertion);
}
