diff options
author | Daiki Ueno <dueno@redhat.com> | 2017-05-18 11:11:45 +0200 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2017-05-18 12:55:02 +0200 |
commit | 66c6a7e912d39d66cd4cc91375ac7be418bf7176 (patch) | |
tree | e781a94b2249f8f2a84046cba4198dfca699f280 | |
parent | acf8c4a91a76bf8049f6bfbd95b04e2e36bae4ea (diff) |
trust: Check magic comment in persist file for modifiablity
A persistent file written by the trust module starts with the line "#
This file has been auto-generated and written by p11-kit". This can
be used as a magic word to determine whether the objects read from a
.p11-kit file are read-only.
-rw-r--r-- | trust/parser.c | 6 | ||||
-rw-r--r-- | trust/persist.c | 9 | ||||
-rw-r--r-- | trust/test-token.c | 1 |
3 files changed, 14 insertions, 2 deletions
diff --git a/trust/parser.c b/trust/parser.c index 41513d4..abe86fc 100644 --- a/trust/parser.c +++ b/trust/parser.c @@ -49,6 +49,7 @@ #include "pem.h" #include "pkcs11x.h" #include "persist.h" +#include "types.h" #include "x509.h" #include <libtasn1.h> @@ -630,7 +631,10 @@ p11_parser_format_persist (p11_parser *parser, ret = p11_persist_read (parser->persist, parser->basename, data, length, objects); if (ret) { for (i = 0; i < objects->num; i++) { - attrs = p11_attrs_build (objects->elem[i], &modifiable, NULL); + CK_BBOOL generatedv; + attrs = objects->elem[i]; + if (p11_attrs_find_bool (attrs, CKA_X_GENERATED, &generatedv) && generatedv) + attrs = p11_attrs_build (attrs, &modifiable, NULL); sink_object (parser, attrs); } } diff --git a/trust/persist.c b/trust/persist.c index 63a531e..928260e 100644 --- a/trust/persist.c +++ b/trust/persist.c @@ -631,6 +631,9 @@ p11_persist_read (p11_persist *persist, CK_ATTRIBUTE *attrs; bool failed; bool skip; + CK_BBOOL generatedv = CK_FALSE; + CK_ATTRIBUTE generated = { CKA_X_GENERATED, &generatedv, sizeof (generatedv) }; + static const char comment[] = "# This file has been auto-generated and written by p11-kit."; return_val_if_fail (persist != NULL, false); return_val_if_fail (objects != NULL, false); @@ -639,6 +642,10 @@ p11_persist_read (p11_persist *persist, attrs = NULL; failed = false; + if (length >= sizeof (comment) - 1 && + memcmp ((const char *)data, comment, sizeof (comment) - 1) == 0) + generatedv = CK_TRUE; + p11_lexer_init (&lexer, filename, (const char *)data, length); while (p11_lexer_next (&lexer, &failed)) { switch (lexer.tok_type) { @@ -650,7 +657,7 @@ p11_persist_read (p11_persist *persist, p11_lexer_msg (&lexer, "unrecognized or invalid section header"); skip = true; } else { - attrs = p11_attrs_build (NULL, NULL); + attrs = p11_attrs_build (NULL, &generated, NULL); return_val_if_fail (attrs != NULL, false); skip = false; } diff --git a/trust/test-token.c b/trust/test-token.c index ad22fcb..3e7d735 100644 --- a/trust/test-token.c +++ b/trust/test-token.c @@ -610,6 +610,7 @@ static void test_modify_multiple (void) { const char *test_data = + "# This file has been auto-generated and written by p11-kit.\n" "[p11-kit-object-v1]\n" "class: data\n" "label: \"first\"\n" |