author | Stef Walter <stefw@gnome.org> | 2012-12-17 16:05:36 +0100 |
---|---|---|
committer | Stef Walter <stefw@gnome.org> | 2013-02-05 14:54:53 +0100 |
commit | 75654253498993ff1638e0e64440c335b54df1db (patch) | |
tree | 79b1dc525ed0f46becbfc1092f11971e0f456f31 | |
parent | c2dcd0b3cb1ccac4eff98044d43d3f8696094644 (diff) |
Add the builtin roots NSS specific object
This tells NSS that this is a source of anchors.
-rw-r--r-- | doc/p11-kit-trust.xml | 5 | ||||
-rw-r--r-- | trust/tests/test-module.c | 27 | ||||
-rw-r--r-- | trust/tests/test-token.c | 6 | ||||
-rw-r--r-- | trust/token.c | 28 |
4 files changed, 61 insertions, 5 deletions
diff --git a/doc/p11-kit-trust.xml b/doc/p11-kit-trust.xml
index 036b422..ef2db28 100644
--- a/doc/p11-kit-trust.xml
+++ b/doc/p11-kit-trust.xml
@@ -63,7 +63,10 @@ $ pkg-config --variable p11_system_certificates p11-kit-1
 <para>The trust policy module is a drop in replacement for the <literal>libnssckbi.so</literal> module and thus works out of
- the box with NSS. The module may be used to replace the
+ the box with NSS. The trust policy module provides NSS style
+ PKCS#11 trust objects for NSS to retrieve.</para>
+
+ <para>The module may be used to replace the
 <literal>libnssckbi.so</literal> file via an distribution specific alternatives mechanism or otherwise.</para>
diff --git a/trust/tests/test-module.c b/trust/tests/test-module.c
index 8bd8e10..64857a7 100644
--- a/trust/tests/test-module.c
+++ b/trust/tests/test-module.c
@@ -306,6 +306,32 @@ test_find_certificates (CuTest *cu)
 teardown (cu);
 }
+static void
+test_find_builtin (CuTest *cu)
+{
+ CK_OBJECT_CLASS klass = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
+ CK_BBOOL vtrue = CK_TRUE;
+ CK_BBOOL vfalse = CK_FALSE;
+
+ CK_ATTRIBUTE match[] = {
+ { CKA_CLASS, &klass, sizeof (klass) },
+ { CKA_TOKEN, &vtrue, sizeof (vtrue) },
+ { CKA_PRIVATE, &vfalse, sizeof (vfalse) },
+ { CKA_MODIFIABLE, &vfalse, sizeof (vfalse) },
+ { CKA_INVALID, }
+ };
+
+ CK_OBJECT_HANDLE objects[16];
+ CK_ULONG count;
+
+ setup (cu);
+
+ count = find_objects (cu, match, objects, 16);
+ CuAssertIntEquals (cu, 1, count);
+
+ teardown (cu);
+}
+
 int
 main (void)
 {
@@ -318,6 +344,7 @@ main (void)
 /* p11_message_quiet (); */
 SUITE_ADD_TEST (suite, test_find_certificates);
+ SUITE_ADD_TEST (suite, test_find_builtin);
 CuSuiteRun (suite);
 CuSuiteSummary (suite, output);
diff --git a/trust/tests/test-token.c b/trust/tests/test-token.c
index 1d9228a..8a5b34d 100644
--- a/trust/tests/test-token.c
+++ b/trust/tests/test-token.c
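Review bot: `test_find_builtin` only pins the number of matching objects, so a builtin object created with the wrong label or attribute values would still pass as long as exactly one object of class CKO_NETSCAPE_BUILTIN_ROOT_LIST is found; consider also reading back `objects[0]` and asserting that its CKA_LABEL equals the `"Trust Anchor Roots"` label this commit sets in trust/token.c, since that label is what NSS users will see. The capacity `16` is repeated in the `objects` declaration and in the `find_objects` call; `count = find_objects (cu, match, objects, sizeof objects / sizeof objects[0]);` keeps the two from drifting apart. `count` is a CK_ULONG handed to CuAssertIntEquals, which compares ints, so this is an implicit narrowing that is harmless at these sizes but worth a cast for clean `-Wconversion` builds.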
@@ -72,11 +72,11 @@ test_token_load (CuTest *cu)
 setup (cu);
 count = p11_token_load (test.token);
- CuAssertIntEquals (cu, 4, count);
+ CuAssertIntEquals (cu, 5, count);
- /* A certificate and trust object for each parsed object */
+ /* A certificate and trust object for each parsed object + builtin */
 objects = p11_token_objects (test.token);
- CuAssertIntEquals (cu, count * 2, p11_dict_size (objects));
+ CuAssertIntEquals (cu, ((count - 1) * 2) + 1, p11_dict_size (objects));
 teardown (cu);
 }
diff --git a/trust/token.c b/trust/token.c
index 8a607f0..8f2cb3d 100644
--- a/trust/token.c
+++ b/trust/token.c
@@ -42,6 +42,7 @@
 #include "module.h"
 #include "parser.h"
 #include "pkcs11.h"
+#include "pkcs11x.h"
 #include "token.h"
 #include <sys/stat.h>
@@ -193,9 +194,32 @@ loader_load_paths (p11_token *token,
 return total;
 }
+static int
+load_builtin_objects (p11_token *token)
+{
+ CK_OBJECT_CLASS builtin = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
+ const char *vlabel = "Trust Anchor Roots";
+ CK_BBOOL vtrue = CK_TRUE;
+ CK_BBOOL vfalse = CK_FALSE;
+ CK_ATTRIBUTE *attrs;
+
+ CK_ATTRIBUTE klass = { CKA_CLASS, &builtin, sizeof (builtin) };
+ CK_ATTRIBUTE tok = { CKA_TOKEN, &vtrue, sizeof (vtrue) };
+ CK_ATTRIBUTE priv = { CKA_PRIVATE, &vfalse, sizeof (vfalse) };
+ CK_ATTRIBUTE modifiable = { CKA_MODIFIABLE, &vfalse, sizeof (vfalse) };
+ CK_ATTRIBUTE label = { CKA_LABEL, (void *)vlabel, strlen (vlabel) };
+
+ attrs = p11_attrs_build (NULL, &klass, &tok, &priv, &modifiable, &label, NULL);
+ return_val_if_fail (attrs != NULL, 0);
+
+ on_parser_object (attrs, token);
+ return 1;
+}
+
 int
 p11_token_load (p11_token *token)
 {
+ int builtins;
 int anchors;
 int other;
@@ -203,6 +227,8 @@ p11_token_load (p11_token *token)
 return 0;
 token->loaded = 1;
+ builtins = load_builtin_objects (token);
+
 anchors = loader_load_paths (token, token->anchor_paths, P11_PARSE_FLAG_ANCHOR);
 if (anchors < 0)
 return anchors;
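Review bot: In `load_builtin_objects`, a failed `p11_attrs_build` is turned by `return_val_if_fail (attrs != NULL, 0)` into a count of zero, which `p11_token_load` then folds into its total without noticing; the path loaders in the same function report failure with a negative value and the caller checks `if (anchors < 0) return anchors;`, so the builtin path should follow the same convention with `return_val_if_fail (attrs != NULL, -1);` here and `if (builtins < 0) return builtins;` after the `builtins = load_builtin_objects (token);` line in the following hunk. As written, a token can be reported as loaded while the CKO_NETSCAPE_BUILTIN_ROOT_LIST object is missing, which per the commit description means NSS would quietly stop treating this module as a source of trust anchors. The function also lacks a comment on why this object exists and who owns `attrs`; something like `/* NSS looks for a CKO_NETSCAPE_BUILTIN_ROOT_LIST object to decide that this token supplies builtin trust anchors; attrs is handed to on_parser_object, which keeps it */` would cover both, with the ownership half to be confirmed against on_parser_object since it is not visible here. `p11_token_load` continues outside this hunk.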
@@ -211,7 +237,7 @@ p11_token_load (p11_token *token)
 if (other < 0)
 return other;
- return anchors + other;
+ return anchors + builtins + other;
 }
 p11_dict *