summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaiki Ueno <dueno@redhat.com>2017-05-18 11:11:45 +0200
committerDaiki Ueno <ueno@gnu.org>2017-05-18 12:55:02 +0200
commit66c6a7e912d39d66cd4cc91375ac7be418bf7176 (patch)
treee781a94b2249f8f2a84046cba4198dfca699f280
parentacf8c4a91a76bf8049f6bfbd95b04e2e36bae4ea (diff)
trust: Check magic comment in persist file for modifiablity
A persistent file written by the trust module starts with the line "# This file has been auto-generated and written by p11-kit". This can be used as a magic word to determine whether the objects read from a .p11-kit file are read-only.
-rw-r--r--trust/parser.c6
-rw-r--r--trust/persist.c9
-rw-r--r--trust/test-token.c1
3 files changed, 14 insertions, 2 deletions
diff --git a/trust/parser.c b/trust/parser.c
index 41513d4..abe86fc 100644
--- a/trust/parser.c
+++ b/trust/parser.c
@@ -49,6 +49,7 @@
#include "pem.h"
#include "pkcs11x.h"
#include "persist.h"
+#include "types.h"
#include "x509.h"
#include <libtasn1.h>
@@ -630,7 +631,10 @@ p11_parser_format_persist (p11_parser *parser,
ret = p11_persist_read (parser->persist, parser->basename, data, length, objects);
if (ret) {
for (i = 0; i < objects->num; i++) {
- attrs = p11_attrs_build (objects->elem[i], &modifiable, NULL);
+ CK_BBOOL generatedv;
+ attrs = objects->elem[i];
+ if (p11_attrs_find_bool (attrs, CKA_X_GENERATED, &generatedv) && generatedv)
+ attrs = p11_attrs_build (attrs, &modifiable, NULL);
sink_object (parser, attrs);
}
}
diff --git a/trust/persist.c b/trust/persist.c
index 63a531e..928260e 100644
--- a/trust/persist.c
+++ b/trust/persist.c
@@ -631,6 +631,9 @@ p11_persist_read (p11_persist *persist,
CK_ATTRIBUTE *attrs;
bool failed;
bool skip;
+ CK_BBOOL generatedv = CK_FALSE;
+ CK_ATTRIBUTE generated = { CKA_X_GENERATED, &generatedv, sizeof (generatedv) };
+ static const char comment[] = "# This file has been auto-generated and written by p11-kit.";
return_val_if_fail (persist != NULL, false);
return_val_if_fail (objects != NULL, false);
@@ -639,6 +642,10 @@ p11_persist_read (p11_persist *persist,
attrs = NULL;
failed = false;
+ if (length >= sizeof (comment) - 1 &&
+ memcmp ((const char *)data, comment, sizeof (comment) - 1) == 0)
+ generatedv = CK_TRUE;
+
p11_lexer_init (&lexer, filename, (const char *)data, length);
while (p11_lexer_next (&lexer, &failed)) {
switch (lexer.tok_type) {
@@ -650,7 +657,7 @@ p11_persist_read (p11_persist *persist,
p11_lexer_msg (&lexer, "unrecognized or invalid section header");
skip = true;
} else {
- attrs = p11_attrs_build (NULL, NULL);
+ attrs = p11_attrs_build (NULL, &generated, NULL);
return_val_if_fail (attrs != NULL, false);
skip = false;
}
diff --git a/trust/test-token.c b/trust/test-token.c
index ad22fcb..3e7d735 100644
--- a/trust/test-token.c
+++ b/trust/test-token.c
@@ -610,6 +610,7 @@ static void
test_modify_multiple (void)
{
const char *test_data =
+ "# This file has been auto-generated and written by p11-kit.\n"
"[p11-kit-object-v1]\n"
"class: data\n"
"label: \"first\"\n"