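/*
 * Fill in the "trust" and "reject" usage fields of the OpenSSL trust
 * record in @asn from the attributes of the object being enumerated.
 *
 * The policy is deliberately asymmetric and order matters: CKA_X_DISTRUSTED
 * is checked first, so a blacklisted certificate always gets an empty
 * "trust" field and a "reject" field covering every known usage, even if
 * CKA_TRUSTED happens to be set as well. An anchor (CKA_TRUSTED) gets its
 * "trust" usages from the extended key usage extension; anything else gets
 * an empty "trust" field. An explicit OpenSSL reject extension found on the
 * object is carried over into "reject" in every case.
 *
 * @ex:  the enumeration state; ex->attrs describes the current object
 * @asn: the trust record being written to by write_usages()
 *
 * Returns true on success. Every failure path is an internal error and goes
 * through return_val_if_reached; the arrays allocated here are released on
 * each of them, so nothing leaks on the way out.
 */
static bool
write_trust_and_rejects (p11_enumerate *ex,
                         node_asn *asn)
{
	p11_array *trusts = NULL;
	p11_array *rejects = NULL;
	CK_BBOOL trust;
	CK_BBOOL distrust;

	/* A missing attribute is treated exactly like an explicit CK_FALSE */
	if (!p11_attrs_find_bool (ex->attrs, CKA_TRUSTED, &trust))
		trust = CK_FALSE;
	if (!p11_attrs_find_bool (ex->attrs, CKA_X_DISTRUSTED, &distrust))
		distrust = CK_FALSE;

	/* Explicit rejects apply whatever the trust state turns out to be */
	if (!load_usage_ext (ex, P11_OID_OPENSSL_REJECT, &rejects))
		return_val_if_reached (false);

	if (distrust) {

		/*
		 * If this is on the blacklist then, make sure we have
		 * an empty trusts field and add as many things to rejects
		 * as possible.
		 */
		trusts = NULL;

		if (!rejects)
			rejects = empty_usages ();

		/* known_usages() is not assumed to tolerate NULL, so check first */
		if (rejects == NULL || !known_usages (rejects)) {
			p11_array_free (rejects);
			return_val_if_reached (false);
		}

	} else if (trust) {

		/*
		 * If this is an anchor, then try and guarantee that there
		 * are some trust anchors.
		 */

		if (!load_usage_ext (ex, P11_OID_EXTENDED_KEY_USAGE, &trusts)) {
			p11_array_free (rejects);
			return_val_if_reached (false);
		}

	} else {

		/*
		 * This is not an anchor, always put an empty trusts
		 * section, with possible rejects, loaded above
		 */

		trusts = empty_usages ();
		if (trusts == NULL) {
			p11_array_free (rejects);
			return_val_if_reached (false);
		}
	}

	/* trusts may legitimately be NULL here (distrusted, or no EKU found) */
	if (!write_usages (asn, "trust", trusts) ||
	    !write_usages (asn, "reject", rejects)) {
		p11_array_free (trusts);
		p11_array_free (rejects);
		return_val_if_reached (false);
	}

	p11_array_free (trusts);
	p11_array_free (rejects);
	return true;
}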
/*
 * Store the certificates found in the given files as trust anchors.
 *
 * Every file named in argv is parsed into attribute templates by
 * files_to_attrs(). For each template a matching object is looked up in
 * the writable store: if none exists one is created, otherwise the
 * existing object is updated in place. Processing stops at the first
 * failure; templates after it are simply freed with the array.
 *
 * @argc/@argv: the anchor input files
 * @changed:    set to true once any object has been created or modified;
 *              it is never set to false here, the caller initializes it
 *
 * Returns 0 on success, 2 when no input files were given, 1 on any other
 * error. Each template is detached from the array before it is handed to
 * create_anchor()/modify_anchor(); nothing here frees it afterwards, so
 * those callees are presumed to take ownership — confirm against their
 * definitions before changing this.
 */
static int
anchor_store (int argc,
              char *argv[],
              bool *changed)
{
	CK_FUNCTION_LIST *module = NULL;
	CK_SESSION_HANDLE session;
	p11_array *anchors;
	int status = 0;
	int idx;

	anchors = files_to_attrs (argc, argv);
	if (anchors == NULL)
		return 1;

	if (anchors->num == 0) {
		p11_message ("specify at least one anchor input file");
		p11_array_free (anchors);
		return 2;
	}

	session = session_for_store (&module);
	if (session == 0UL) {
		p11_array_free (anchors);
		return 1;
	}

	for (idx = 0; idx < anchors->num; idx++) {
		CK_ATTRIBUTE *attrs = anchors->elem[idx];
		CK_OBJECT_HANDLE object;
		bool ok;

		/* Detach from the array: the callee below gets the template */
		anchors->elem[idx] = NULL;

		object = find_anchor (module, session, attrs);
		if (object == 0) {
			p11_debug ("don't yet have this anchor");
			ok = create_anchor (module, session, attrs);
		} else {
			p11_debug ("already have this anchor");
			ok = modify_anchor (module, session, object, attrs);
		}

		if (!ok) {
			status = 1;
			break;
		}

		*changed = true;
	}

	p11_array_free (anchors);
	p11_kit_module_finalize (module);
	p11_kit_module_release (module);

	return status;
}
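/*
 * Parse each file in argv and collect the resulting attribute templates
 * into a single array.
 *
 * Files are parsed with P11_PARSE_FLAG_ANCHOR, i.e. the caller intends
 * every object found in them to become a trust anchor, so this should only
 * be fed paths the user explicitly asked to store. Parsing stops at the
 * first file that fails, after printing a diagnostic naming that file.
 *
 * @argc/@argv: the input file paths
 *
 * Returns a new array owning the templates (release with p11_array_free),
 * which is empty when argc is 0, or NULL on failure. The array and the
 * parser are released on every failure path, including the internal ones.
 */
static p11_array *
files_to_attrs (int argc,
                char *argv[])
{
	p11_parser *parser;
	p11_array *parsed;
	p11_array *array;
	int ret = P11_PARSE_SUCCESS;
	int i, j;

	array = p11_array_new (p11_attrs_free);
	return_val_if_fail (array != NULL, NULL);

	parser = create_arg_file_parser ();
	if (parser == NULL) {
		p11_array_free (array);
		return_val_if_reached (NULL);
	}

	for (i = 0; i < argc; i++) {
		ret = p11_parse_file (parser, argv[i], NULL, P11_PARSE_FLAG_ANCHOR);
		switch (ret) {
		case P11_PARSE_SUCCESS:
			p11_debug ("parsed file: %s", argv[i]);
			break;
		case P11_PARSE_UNRECOGNIZED:
			p11_message ("unrecognized file format: %s", argv[i]);
			break;
		default:
			p11_message ("failed to parse file: %s", argv[i]);
			break;
		}

		if (ret != P11_PARSE_SUCCESS)
			break;

		/*
		 * Move the templates into our array. Each slot in the parser's
		 * array is NULLed once its template has been pushed, so a
		 * template is owned by exactly one of the two at any time.
		 */
		parsed = p11_parser_parsed (parser);
		for (j = 0; j < parsed->num; j++) {
			if (!p11_array_push (array, parsed->elem[j])) {
				/* elem[j] was not taken, it is still released with the parser */
				p11_parser_free (parser);
				p11_array_free (array);
				return_val_if_reached (NULL);
			}
			parsed->elem[j] = NULL;
		}
	}

	p11_parser_free (parser);

	if (ret == P11_PARSE_SUCCESS)
		return array;

	p11_array_free (array);
	return NULL;
}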
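/*
 * Remove the anchors named on the command line from the trust store.
 *
 * Each argument is either a PKCS#11 URI or a file whose certificates
 * identify the objects to remove (see uris_or_files_to_iters). Every
 * iterator is run against the writable trust modules and handed to
 * remove_all(); the first failure aborts the remaining iterators.
 *
 * @argc/@argv: the URIs or files
 * @changed:    passed through to remove_all(), which is presumed to set it
 *              when something was removed; it is not touched here
 *
 * Returns 0 on success, 2 when nothing was specified, 1 on any error.
 */
static int
anchor_remove (int argc,
               char *argv[],
               bool *changed)
{
	CK_FUNCTION_LIST **modules;
	p11_array *iters;
	p11_kit_iter *iter;
	int ret = 0;
	int i;

	/*
	 * Every NULL return from uris_or_files_to_iters has already been
	 * reported by it, and most are user errors (bad URI, unparseable
	 * file), not precondition failures — so no return_val_if_fail here,
	 * which would log them as internal bugs.
	 */
	iters = uris_or_files_to_iters (argc, argv, P11_KIT_ITER_WANT_WRITABLE);
	if (iters == NULL)
		return 1;

	if (iters->num == 0) {
		p11_message ("at least one file or uri must be specified");
		p11_array_free (iters);
		return 2;
	}

	modules = p11_kit_modules_load_and_initialize (P11_KIT_MODULE_TRUSTED);
	if (modules == NULL)
		ret = 1;

	/* Stop at the first iterator that fails; later ones are skipped */
	for (i = 0; ret == 0 && i < iters->num; i++) {
		iter = iters->elem[i];

		p11_kit_iter_begin (iter, modules);
		if (!remove_all (iter, changed))
			ret = 1;
	}

	p11_array_free (iters);

	/* Nothing was loaded when modules is NULL; don't hand NULL through */
	if (modules != NULL)
		p11_kit_modules_finalize_and_release (modules);

	return ret;
}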
/*
 * Allocate an empty array whose elements are released with @destroyer
 * when the array itself is freed.
 *
 * Storage for two elements is reserved up front via maybe_expand_array().
 * If that fails the half-built array is handed to p11_array_free, which is
 * safe because calloc left its element count at zero and its destroyer
 * unset.
 *
 * Returns the new array, or NULL if either allocation fails.
 */
p11_array *
p11_array_new (p11_destroyer destroyer)
{
	p11_array *result = calloc (1, sizeof *result);

	if (result != NULL && !maybe_expand_array (result, 2)) {
		p11_array_free (result);
		result = NULL;
	}

	if (result != NULL)
		result->destroyer = destroyer;

	return result;
}
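/*
 * Turn the command-line arguments into a list of iterators, one per
 * object they identify.
 *
 * An argument starting with "pkcs11:" is parsed as a PKCS#11 URI and
 * becomes one iterator matching that URI. Any other argument is treated
 * as a file path, parsed (with P11_PARSE_FLAG_ANCHOR) and every object it
 * yields becomes one iterator matching that object (iter_match_anchor).
 * The prefix test alone decides which path is taken, so a file whose
 * name begins with "pkcs11:" cannot be named here.
 *
 * @argc/@argv: the URIs or file paths
 * @behavior:   p11_kit_iter_new() behavior flags applied to every iterator
 *
 * Returns a new array owning the iterators (empty when argc is 0), or
 * NULL after reporting the first argument that fails to parse, or on an
 * allocation failure (logged via return_val_if_reached). In every NULL
 * case the array, the iterators pushed so far and the parser have been
 * released.
 *
 * The parsed templates stay owned by the parser, which is freed before
 * returning; iter_match_anchor() is assumed to copy what it needs from
 * them — verify that if the helper changes. Likewise the URI is freed
 * right after p11_kit_iter_new(), so the iterator must not retain it.
 */
static p11_array *
uris_or_files_to_iters (int argc,
                        char *argv[],
                        int behavior)
{
	int flags = P11_KIT_URI_FOR_OBJECT_ON_TOKEN_AND_MODULE;
	p11_parser *parser = NULL;
	p11_array *iters;
	p11_array *parsed;
	p11_kit_uri *uri;
	p11_kit_iter *iter;
	int ret;
	int i, j;

	iters = p11_array_new ((p11_destroyer)p11_kit_iter_free);
	return_val_if_fail (iters != NULL, NULL);

	for (i = 0; i < argc; i++) {

		/* A PKCS#11 URI */
		if (strncmp (argv[i], "pkcs11:", 7) == 0) {
			uri = p11_kit_uri_new ();
			if (uri == NULL)
				goto fail_internal;

			if (p11_kit_uri_parse (argv[i], flags, uri) != P11_KIT_URI_OK) {
				p11_message ("invalid PKCS#11 uri: %s", argv[i]);
				p11_kit_uri_free (uri);
				goto fail;
			}

			iter = p11_kit_iter_new (uri, behavior);
			p11_kit_uri_free (uri);
			if (iter == NULL)
				goto fail_internal;

			/* Until pushed, the iterator is ours to free */
			if (!p11_array_push (iters, iter)) {
				p11_kit_iter_free (iter);
				goto fail_internal;
			}

		} else {
			if (parser == NULL) {
				parser = create_arg_file_parser ();
				if (parser == NULL)
					goto fail_internal;
			}

			ret = p11_parse_file (parser, argv[i], NULL, P11_PARSE_FLAG_ANCHOR);
			switch (ret) {
			case P11_PARSE_SUCCESS:
				p11_debug ("parsed file: %s", argv[i]);
				break;
			case P11_PARSE_UNRECOGNIZED:
				p11_message ("unrecognized file format: %s", argv[i]);
				break;
			default:
				p11_message ("failed to parse file: %s", argv[i]);
				break;
			}

			if (ret != P11_PARSE_SUCCESS)
				goto fail;

			parsed = p11_parser_parsed (parser);
			for (j = 0; j < parsed->num; j++) {
				iter = p11_kit_iter_new (NULL, behavior);
				if (iter == NULL)
					goto fail_internal;

				iter_match_anchor (iter, parsed->elem[j]);
				if (!p11_array_push (iters, iter)) {
					p11_kit_iter_free (iter);
					goto fail_internal;
				}
			}
		}
	}

	if (parser)
		p11_parser_free (parser);

	return iters;

fail_internal:
	/* Allocation failures are not expected; log them like the rest of the file */
	if (parser)
		p11_parser_free (parser);
	p11_array_free (iters);
	return_val_if_reached (NULL);

fail:
	/* User-facing error, already reported above */
	if (parser)
		p11_parser_free (parser);
	p11_array_free (iters);
	return NULL;
}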