static GkmObject*
factory_create_generic_key (GkmSession *session, GkmTransaction *transaction,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
GkmGenericKey *key;
GkmManager *manager;
CK_ATTRIBUTE_PTR value;
value = gkm_attributes_find (attrs, n_attrs, CKA_VALUE);
if (value == NULL) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCOMPLETE);
return NULL;
}
if (gkm_attributes_find (attrs, n_attrs, CKA_VALUE_LEN)) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCONSISTENT);
return NULL;
}
manager = gkm_manager_for_template (attrs, n_attrs, session);
key = g_object_new (GKM_TYPE_GENERIC_KEY,
"module", gkm_session_get_module (session),
"manager", manager,
NULL);
key->value = egg_secure_alloc (value->ulValueLen);
key->n_value = value->ulValueLen;
memcpy (key->value, value->pValue, key->n_value);
gkm_attribute_consume (value);
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (key),
TRUE, attrs, n_attrs);
return GKM_OBJECT (key);
}
static GkmObject*
factory_create_private_key (GkmSession *session, GkmTransaction *transaction,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
GkmGnome2PrivateKey *key;
GkmSexp *sexp;
g_return_val_if_fail (attrs || !n_attrs, NULL);
sexp = gkm_private_xsa_key_create_sexp (session, transaction, attrs, n_attrs);
if (sexp == NULL)
return NULL;
key = g_object_new (GKM_TYPE_GNOME2_PRIVATE_KEY, "base-sexp", sexp,
"module", gkm_session_get_module (session),
"manager", gkm_manager_for_template (attrs, n_attrs, session),
NULL);
g_return_val_if_fail (!key->private_sexp, NULL);
key->private_sexp = gkm_sexp_ref (sexp);
gkm_sexp_unref (sexp);
/* TODO: We don't support setting these yet, so ignore them */
gkm_attributes_consume (attrs, n_attrs,
CKA_SIGN_RECOVER, CKA_UNWRAP, CKA_ID,
G_MAXULONG);
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (key),
TRUE, attrs, n_attrs);
return GKM_OBJECT (key);
}
static GkmObject*
factory_create_private_key (GkmSession *session, GkmTransaction *transaction,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
GkmMate2PrivateKey *key;
GkmSexp *sexp;
g_return_val_if_fail (attrs || !n_attrs, NULL);
sexp = gkm_private_xsa_key_create_sexp (session, transaction, attrs, n_attrs);
if (sexp == NULL)
return NULL;
key = g_object_new (GKM_TYPE_MATE2_PRIVATE_KEY, "base-sexp", sexp,
"module", gkm_session_get_module (session),
"manager", gkm_manager_for_template (attrs, n_attrs, session),
NULL);
g_return_val_if_fail (!key->private_sexp, NULL);
key->private_sexp = gkm_sexp_ref (sexp);
gkm_sexp_unref (sexp);
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (key),
TRUE, attrs, n_attrs);
return GKM_OBJECT (key);
}
static GkmObject*
factory_create_item (GkmSession *session, GkmTransaction *transaction,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
GkmSecretCollection *collection = NULL;
GkmSecretItem *item;
GkmManager *m_manager;
GkmManager *s_manager;
CK_ATTRIBUTE *attr;
gboolean is_token;
gchar *identifier;
g_return_val_if_fail (GKM_IS_TRANSACTION (transaction), NULL);
g_return_val_if_fail (attrs || !n_attrs, NULL);
/* See if a collection attribute was specified */
attr = gkm_attributes_find (attrs, n_attrs, CKA_G_COLLECTION);
if (attr == NULL) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCOMPLETE);
return NULL;
}
m_manager = gkm_module_get_manager (gkm_session_get_module (session));
s_manager = gkm_session_get_manager (session);
gkm_attribute_consume (attr);
if (!gkm_attributes_find_boolean (attrs, n_attrs, CKA_TOKEN, &is_token))
collection = gkm_secret_collection_find (session, attr, m_manager, s_manager, NULL);
else if (is_token)
collection = gkm_secret_collection_find (session, attr, m_manager, NULL);
else
collection = gkm_secret_collection_find (session, attr, s_manager, NULL);
if (!collection) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCONSISTENT);
return NULL;
}
/* If an ID was specified, then try and see if that ID already exists */
if (gkm_attributes_find_string (attrs, n_attrs, CKA_ID, &identifier)) {
item = gkm_secret_collection_get_item (collection, identifier);
if (item == NULL) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCONSISTENT);
return NULL;
} else {
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (item),
FALSE, attrs, n_attrs);
return g_object_ref (item);
}
}
/* Create a new collection which will own the item */
item = gkm_secret_collection_create_item (collection, transaction);
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (item),
TRUE, attrs, n_attrs);
return g_object_ref (item);
}
static GkmObject*
factory_create_credential (GkmSession *session, GkmTransaction *transaction,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
CK_OBJECT_HANDLE handle;
GkmCredential *cred;
CK_ATTRIBUTE *attr;
GkmManager *manager;
GkmModule *module;
GkmObject *object = NULL;
CK_RV rv;
g_return_val_if_fail (GKM_IS_TRANSACTION (transaction), NULL);
g_return_val_if_fail (attrs || !n_attrs, NULL);
/* The handle is optional */
if (gkm_attributes_find_ulong (attrs, n_attrs, CKA_G_OBJECT, &handle)) {
rv = gkm_session_lookup_readable_object (session, handle, &object);
if (rv != CKR_OK) {
gkm_transaction_fail (transaction, rv);
return NULL;
}
} else {
object = NULL;
}
/* The value is optional */
attr = gkm_attributes_find (attrs, n_attrs, CKA_VALUE);
gkm_attributes_consume (attrs, n_attrs, CKA_VALUE, CKA_G_OBJECT, G_MAXULONG);
module = gkm_session_get_module (session);
manager = gkm_manager_for_template (attrs, n_attrs, session);
rv = gkm_credential_create (module, manager, object,
attr ? attr->pValue : NULL,
attr ? attr->ulValueLen : 0, &cred);
if (rv == CKR_OK) {
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (cred),
TRUE, attrs, n_attrs);
return GKM_OBJECT (cred);
} else {
gkm_transaction_fail (transaction, rv);
return NULL;
}
}
static GkmObject*
factory_create_null_key (GkmSession *session, GkmTransaction *transaction,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
GkmNullKey *key;
GkmManager *manager;
manager = gkm_manager_for_template (attrs, n_attrs, session);
key = g_object_new (GKM_TYPE_NULL_KEY,
"module", gkm_session_get_module (session),
"manager", manager,
NULL);
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (key),
TRUE, attrs, n_attrs);
return GKM_OBJECT (key);
}
static GkmObject*
factory_create_public_key (GkmSession *session, GkmTransaction *transaction,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
GkmObject *object = NULL;
GkmSexp *sexp;
g_return_val_if_fail (attrs || !n_attrs, NULL);
sexp = gkm_public_xsa_key_create_sexp (session, transaction, attrs, n_attrs);
if (sexp != NULL) {
object = g_object_new (GKM_TYPE_MATE2_PUBLIC_KEY, "base-sexp", sexp,
"module", gkm_session_get_module (session),
"manager", gkm_manager_for_template (attrs, n_attrs, session),
NULL);
gkm_sexp_unref (sexp);
gkm_session_complete_object_creation (session, transaction, object,
TRUE, attrs, n_attrs);
}
return object;
}
static GkmObject*
factory_create_certificate (GkmSession *session, GkmTransaction *transaction,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
CK_ATTRIBUTE_PTR attr;
GkmCertificate *cert;
g_return_val_if_fail (GKM_IS_TRANSACTION (transaction), NULL);
g_return_val_if_fail (attrs || !n_attrs, NULL);
/* Dig out the value */
attr = gkm_attributes_find (attrs, n_attrs, CKA_VALUE);
if (attr == NULL) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCOMPLETE);
return NULL;
}
cert = g_object_new (GKM_TYPE_CERTIFICATE,
"module", gkm_session_get_module (session),
"manager", gkm_manager_for_template (attrs, n_attrs, session),
NULL);
/* Load the certificate from the data specified */
if (!gkm_serializable_load (GKM_SERIALIZABLE (cert), NULL, attr->pValue, attr->ulValueLen)) {
gkm_transaction_fail (transaction, CKR_ATTRIBUTE_VALUE_INVALID);
g_object_unref (cert);
return NULL;
}
/* Note that we ignore the subject */
gkm_attributes_consume (attrs, n_attrs, CKA_VALUE, CKA_SUBJECT, G_MAXULONG);
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (cert),
TRUE, attrs, n_attrs);
return GKM_OBJECT (cert);
}
static GkmXdgTrust*
lookup_or_create_trust_object (GkmSession *session, GkmManager *manager,
GkmTransaction *transaction, CK_X_ASSERTION_TYPE type,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs, gboolean *created)
{
CK_ATTRIBUTE_PTR serial, issuer, value;
CK_ATTRIBUTE lookups[3];
CK_OBJECT_CLASS klass;
CK_ULONG n_lookups;
GList *objects;
GkmXdgTrust *trust;
GkmModule *module;
klass = CKO_NETSCAPE_TRUST;
lookups[0].type = CKA_CLASS;
lookups[0].pValue = &klass;
lookups[0].ulValueLen = sizeof (klass);
switch (type) {
case CKT_X_ANCHORED_CERTIFICATE:
case CKT_X_PINNED_CERTIFICATE:
value = gkm_attributes_find (attrs, n_attrs, CKA_X_CERTIFICATE_VALUE);
if (!value) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCOMPLETE);
return NULL;
}
/* Attributes used for looking up trust object */
memcpy (&lookups[1], value, sizeof (CK_ATTRIBUTE));
n_lookups = 2;
break;
case CKT_X_DISTRUSTED_CERTIFICATE:
serial = gkm_attributes_find (attrs, n_attrs, CKA_SERIAL_NUMBER);
issuer = gkm_attributes_find (attrs, n_attrs, CKA_ISSUER);
if (!serial || !issuer) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCOMPLETE);
return NULL;
}
/* Attributes used for looking up trust object */
memcpy (&lookups[1], issuer, sizeof (CK_ATTRIBUTE));
memcpy (&lookups[2], serial, sizeof (CK_ATTRIBUTE));
n_lookups = 3;
break;
default:
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCONSISTENT);
return NULL;
};
objects = gkm_manager_find_by_attributes (manager, session, lookups, n_lookups);
module = gkm_session_get_module (session);
/* Found a matching trust object for this assertion */
if (objects) {
g_return_val_if_fail (GKM_XDG_IS_TRUST (objects->data), NULL);
trust = g_object_ref (objects->data);
g_list_free (objects);
/* Create a trust object for this assertion */
} else {
trust = gkm_xdg_trust_create_for_assertion (module, manager, transaction,
lookups, n_lookups);
gkm_attributes_consume (attrs, n_attrs, CKA_X_CERTIFICATE_VALUE,
CKA_ISSUER, CKA_SERIAL_NUMBER, G_MAXULONG);
gkm_attributes_consume (lookups, n_lookups, CKA_X_CERTIFICATE_VALUE,
CKA_ISSUER, CKA_SERIAL_NUMBER, G_MAXULONG);
if (!gkm_transaction_get_failed (transaction))
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (trust),
TRUE, lookups, n_lookups);
}
return trust;
}
static GkmObject*
factory_create_assertion (GkmSession *session, GkmTransaction *transaction,
CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
{
GkmAssertion *assertion;
CK_X_ASSERTION_TYPE type;
GkmManager *manager;
gboolean created = FALSE;
GkmXdgTrust *trust;
gchar *purpose;
gchar *peer;
g_return_val_if_fail (attrs || !n_attrs, NULL);
if (!gkm_attributes_find_ulong (attrs, n_attrs, CKA_X_ASSERTION_TYPE, &type)) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCOMPLETE);
return NULL;
}
if (!gkm_attributes_find_string (attrs, n_attrs, CKA_X_PURPOSE, &purpose)) {
gkm_transaction_fail (transaction, CKR_TEMPLATE_INCOMPLETE);
return NULL;
}
if (!gkm_attributes_find_string (attrs, n_attrs, CKA_X_PEER, &peer))
peer = NULL;
/* Try to find or create an appropriate trust object for this assertion */
manager = gkm_manager_for_template (attrs, n_attrs, session);
trust = lookup_or_create_trust_object (session, manager, transaction,
type, attrs, n_attrs, &created);
/* Creating the trust object failed */
if (trust == NULL) {
g_return_val_if_fail (gkm_transaction_get_failed (transaction), NULL);
g_free (purpose);
g_free (peer);
return NULL;
}
assertion = g_object_new (GKM_XDG_TYPE_ASSERTION,
"module", gkm_session_get_module (session),
"manager", manager,
"trust", trust,
"type", type,
"purpose", purpose,
"peer", peer,
NULL);
g_free (purpose);
g_free (peer);
/* Add the assertion to the trust object */
if (!gkm_transaction_get_failed (transaction)) {
gkm_xdg_trust_replace_assertion (trust, GKM_ASSERTION (assertion), transaction);
if (gkm_transaction_get_failed (transaction)) {
gkm_transaction_fail (transaction, CKR_GENERAL_ERROR);
/* A new trust assertion */
} else {
gkm_attributes_consume (attrs, n_attrs, CKA_X_ASSERTION_TYPE, CKA_X_PURPOSE, G_MAXULONG);
gkm_session_complete_object_creation (session, transaction, GKM_OBJECT (assertion),
TRUE, attrs, n_attrs);
}
}
g_object_unref (trust);
return GKM_OBJECT (assertion);
}
gboolean
gkm_credential_for_each (GkmSession *session, GkmObject *object,
GkmCredentialFunc func, gpointer user_data)
{
CK_OBJECT_HANDLE handle;
CK_OBJECT_CLASS klass;
CK_ATTRIBUTE attrs[2];
GList *results, *l;
GkmCredential *cred;
gboolean ret;
g_return_val_if_fail (GKM_IS_SESSION (session), FALSE);
g_return_val_if_fail (GKM_IS_OBJECT (object), FALSE);
g_return_val_if_fail (func, FALSE);
/* Do we have one right on the session */
cred = gkm_session_get_credential (session);
if (cred && gkm_credential_get_object (cred) == object) {
g_object_ref (cred);
ret = (func) (cred, object, user_data);
g_object_unref (cred);
if (ret)
return TRUE;
}
klass = CKO_G_CREDENTIAL;
attrs[0].type = CKA_CLASS;
attrs[0].pValue = &klass;
attrs[0].ulValueLen = sizeof (klass);
handle = gkm_object_get_handle (object);
attrs[1].type = CKA_G_OBJECT;
attrs[1].pValue = &handle;
attrs[1].ulValueLen = sizeof (handle);
/* Find any on the session */
results = gkm_manager_find_by_attributes (gkm_session_get_manager (session),
session, attrs, G_N_ELEMENTS (attrs));
for (l = results; l; l = g_list_next (l)) {
g_object_ref (l->data);
ret = (func) (l->data, object, user_data);
g_object_unref (l->data);
if (ret)
break;
}
g_list_free (results);
if (l != NULL)
return TRUE;
/* Find any in the token */
results = gkm_manager_find_by_attributes (gkm_module_get_manager (gkm_session_get_module (session)),
session, attrs, G_N_ELEMENTS (attrs));
for (l = results; l; l = g_list_next (l)) {
g_object_ref (l->data);
ret = (func) (l->data, object, user_data);
g_object_unref (l->data);
if (ret)
break;
}
g_list_free (results);
return (l != NULL);
}