author | Stef Walter <stefw@gnome.org> | 2013-03-15 08:23:43 +0100 |
---|---|---|
committer | Stef Walter <stefw@gnome.org> | 2013-03-15 17:34:00 +0100 |
commit | 7fc0ecd1ca7840e71958e62163b27d645c936c25 (patch) | |
tree | 21721a33b2a3ed88daad4a18cbf5d0d130217e94 | |
parent | 58e1e3764250fbda96c5ef7244e891a6be04d4cb (diff) |
extract: --comment option adds comments to PEM bundles
* Placed before the certificate, simple one liner
* No need to put comments in PEM files extracted into
directories, as the file names are already descriptive.
https://bugs.freedesktop.org/show_bug.cgi?id=62029
-rw-r--r-- | doc/manual/p11-kit.xml | 5 | ||||
-rw-r--r-- | tools/extract-info.c | 20 | ||||
-rw-r--r-- | tools/extract-openssl.c | 11 | ||||
-rw-r--r-- | tools/extract-pem.c | 11 | ||||
-rw-r--r-- | tools/extract.c | 6 | ||||
-rw-r--r-- | tools/extract.h | 8 | ||||
-rw-r--r-- | tools/tests/test-extract.c | 45 |
7 files changed, 103 insertions, 3 deletions
diff --git a/doc/manual/p11-kit.xml b/doc/manual/p11-kit.xml index 5242b1a..9791c29 100644 --- a/doc/manual/p11-kit.xml +++ b/doc/manual/p11-kit.xml @@ -92,6 +92,11 @@ $ p11-kit extract --format=x509-directory --filter=ca-certificates /path/to/dire <variablelist> <varlistentry> + <term><option>--comment</option></term> + <listitem><para>Add identifying comments to PEM bundle output files + before each certificate.</para></listitem> + </varlistentry> + <varlistentry> <term><option>--filter=<what></option></term> <listitem><para>Specifies what certificates to export. You can specify the following values: diff --git a/tools/extract-info.c b/tools/extract-info.c index 2ae9e04..536d36a 100644 --- a/tools/extract-info.c +++ b/tools/extract-info.c @@ -366,3 +366,23 @@ p11_extract_info_filename (p11_extract_info *extract) return label; } + +char * +p11_extract_info_comment (p11_extract_info *ex, + bool first) +{ + char *comment; + char *label; + + if (!(ex->flags & P11_EXTRACT_COMMENT)) + return NULL; + + label = extract_label (ex); + if (!asprintf (&comment, "%s# %s\n", + first ? "" : "\n", + label ? label : "")) + return_val_if_reached (NULL); + + free (label); + return comment; +} diff --git a/tools/extract-openssl.c b/tools/extract-openssl.c index c2cdeab..13a1e05 100644 --- a/tools/extract-openssl.c +++ b/tools/extract-openssl.c @@ -314,8 +314,10 @@ p11_extract_openssl_bundle (P11KitIter *iter, { p11_save_file *file; p11_buffer buf; + char *comment; bool ret = true; size_t length; + bool first; CK_RV rv; char *pem; @@ -323,6 +325,7 @@ p11_extract_openssl_bundle (P11KitIter *iter, if (!file) return false; + first = true; while ((rv = p11_kit_iter_next (iter)) == CKR_OK) { p11_buffer_init (&buf, 1024); 
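Review bot: In `p11_extract_info_comment` (tools/extract-info.c) the failure test `if (!asprintf (...))` never fires, because asprintf reports failure with -1 and otherwise returns the byte count, so after a failed allocation the function returns whatever is left in `comment`; the test should be `asprintf (...) < 0`, and `label` should be freed on that path too. Separately, the label is copied after `# ` as is, so if `extract_label` (not shown in this hunk) can return a string containing a line break, the rest of the label would land outside the comment line in the bundle; replacing CR and LF before formatting keeps each comment on one line. The sketch assumes `extract_label` returns a writable heap string, which the existing `free (label)` suggests.

```c
	char *p;

	/* … unchanged: P11_EXTRACT_COMMENT flag check … */

	label = extract_label (ex);

	/* The label comes from the token; keep it on a single comment line */
	for (p = label; p != NULL && *p != '\0'; p++) {
		if (*p == '\n' || *p == '\r')
			*p = ' ';
	}

	if (asprintf (&comment, "%s# %s\n",
	              first ? "" : "\n",
	              label ? label : "") < 0) {
		free (label);
		return_val_if_reached (NULL);
	}

	/* … unchanged: free (label) and return comment … */
```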
@@ -330,8 +333,14 @@ p11_extract_openssl_bundle (P11KitIter *iter, pem = p11_pem_write (buf.data, buf.len, "TRUSTED CERTIFICATE", &length); return_val_if_fail (pem != NULL, false); - ret = p11_save_write (file, pem, length); + comment = p11_extract_info_comment (ex, first); + first = false; + + ret = p11_save_write (file, comment, -1) && + p11_save_write (file, pem, length); + free (pem); + free (comment); } p11_buffer_uninit (&buf); diff --git a/tools/extract-pem.c b/tools/extract-pem.c index e2ff974..4d03208 100644 --- a/tools/extract-pem.c +++ b/tools/extract-pem.c @@ -49,8 +49,10 @@ bool p11_extract_pem_bundle (P11KitIter *iter, p11_extract_info *ex) { + char *comment; p11_save_file *file; bool ret = true; + bool first = true; size_t length; CK_RV rv; char *pem; @@ -63,8 +65,13 @@ p11_extract_pem_bundle (P11KitIter *iter, pem = p11_pem_write (ex->cert_der, ex->cert_len, "CERTIFICATE", &length); return_val_if_fail (pem != NULL, false); - p11_debug ("writing 'CERTIFICATE' PEM block of size %lu", (unsigned long)length); - ret = p11_save_write (file, pem, length); + comment = p11_extract_info_comment (ex, first); + first = false; + + ret = p11_save_write (file, comment, -1) && + p11_save_write (file, pem, length); + + free (comment); free (pem); if (!ret) diff --git a/tools/extract.c b/tools/extract.c index fe5ba15..6bdedfe 100644 --- a/tools/extract.c +++ b/tools/extract.c @@ -298,6 +298,7 @@ p11_tool_extract (int argc, opt_filter = 1000, opt_purpose, opt_format, + opt_comment, }; struct option options[] = { @@ -305,6 +306,7 @@ p11_tool_extract (int argc, { "format", required_argument, NULL, opt_format }, { "purpose", required_argument, NULL, opt_purpose }, { "overwrite", no_argument, NULL, opt_overwrite }, + { "comment", no_argument, NULL, opt_comment }, { "verbose", no_argument, NULL, opt_verbose }, { "quiet", no_argument, NULL, opt_quiet }, { "help", no_argument, NULL, opt_help }, 
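Review bot: `p11_save_write (file, comment, -1)` in the loop of `p11_extract_openssl_bundle` receives `comment == NULL` on every iteration when `--comment` is not given, so the default path now depends on `p11_save_write` treating a NULL buffer with length -1 as a successful no-op. That function is not part of this diff, so the assumption should be confirmed and either stated in a comment next to the call or removed by making the skip explicit: `ret = (comment == NULL || p11_save_write (file, comment, -1)) && p11_save_write (file, pem, length);`. The same call is added to `p11_extract_pem_bundle` in the second extract-pem.c hunk, which also drops the `p11_debug` line that logged the size of each PEM block. Both functions start and end outside their hunks.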
@@ -342,6 +344,7 @@ p11_tool_extract (int argc, "usage" }, { opt_overwrite, "overwrite output file or directory" }, + { opt_comment, "add comments to bundles if possible" }, { opt_verbose, "show verbose debug output", }, { opt_quiet, "supress command output", }, { 0 }, @@ -361,6 +364,9 @@ p11_tool_extract (int argc, case opt_overwrite: ex.flags |= P11_SAVE_OVERWRITE; break; + case opt_comment: + ex.flags |= P11_EXTRACT_COMMENT; + break; case opt_filter: if (!filter_argument (optarg, &uri, &match)) return 2; diff --git a/tools/extract.h b/tools/extract.h index 32b4e35..dfd3a33 100644 --- a/tools/extract.h +++ b/tools/extract.h @@ -43,6 +43,11 @@ #include "iter.h" #include "pkcs11.h" +enum { + /* These overlap with the flags in save.h, so start higher */ + P11_EXTRACT_COMMENT = 1 << 10, +}; + typedef struct { p11_dict *asn1_defs; p11_dict *limit_to_purposes; @@ -83,6 +88,9 @@ void p11_extract_info_cleanup (p11_extract_info *ex); char * p11_extract_info_filename (p11_extract_info *ex); +char * p11_extract_info_comment (p11_extract_info *ex, + bool first); + typedef bool (* p11_extract_func) (P11KitIter *iter, p11_extract_info *ex); diff --git a/tools/tests/test-extract.c b/tools/tests/test-extract.c index 5e2f6fe..69ba764 100644 --- a/tools/tests/test-extract.c +++ b/tools/tests/test-extract.c 
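Review bot: `P11_EXTRACT_COMMENT = 1 << 10` in tools/extract.h shares `ex.flags` with the save.h flags (extract.c ORs `P11_SAVE_OVERWRITE` into the same field in the hunk above), and only the comment "so start higher" keeps the two sets apart. Nothing visible here stops a later save.h flag from reaching bit 10, at which point `--comment` would silently switch on a save option, or the reverse, wherever `ex.flags` is handed to the save functions. I would add the matching note on the other side, for example `/* Bits 10 and above are reserved for the flags in tools/extract.h */` in save.h, or keep the extract flags in a field of their own.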
@@ -91,6 +91,49 @@ test_file_name_for_class (CuTest *tc) p11_extract_info_cleanup (&ex); } +static void +test_comment_for_label (CuTest *tc) +{ + CK_ATTRIBUTE label = { CKA_LABEL, "The Label!", 10 }; + p11_extract_info ex; + char *comment; + + p11_extract_info_init (&ex); + + ex.flags = P11_EXTRACT_COMMENT; + ex.attrs = p11_attrs_build (NULL, &label, NULL); + + comment = p11_extract_info_comment (&ex, true); + CuAssertStrEquals (tc, "# The Label!\n", comment); + free (comment); + + comment = p11_extract_info_comment (&ex, false); + CuAssertStrEquals (tc, "\n# The Label!\n", comment); + free (comment); + + p11_extract_info_cleanup (&ex); +} + +static void +test_comment_not_enabled (CuTest *tc) +{ + CK_ATTRIBUTE label = { CKA_LABEL, "The Label!", 10 }; + p11_extract_info ex; + char *comment; + + p11_extract_info_init (&ex); + + ex.attrs = p11_attrs_build (NULL, &label, NULL); + + comment = p11_extract_info_comment (&ex, true); + CuAssertPtrEquals (tc, NULL, comment); + + comment = p11_extract_info_comment (&ex, false); + CuAssertPtrEquals (tc, NULL, comment); + + p11_extract_info_cleanup (&ex); +} + struct { CK_FUNCTION_LIST module; P11KitIter *iter; @@ -334,6 +377,8 @@ main (void) SUITE_ADD_TEST (suite, test_file_name_for_label); SUITE_ADD_TEST (suite, test_file_name_for_class); + SUITE_ADD_TEST (suite, test_comment_for_label); + SUITE_ADD_TEST (suite, test_comment_not_enabled); SUITE_ADD_TEST (suite, test_info_simple_certificate); SUITE_ADD_TEST (suite, test_info_limit_purposes); SUITE_ADD_TEST (suite, test_info_invalid_purposes); |
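Review bot: Both new tests build `ex.attrs` with a `CKA_LABEL`, so the `label ? label : ""` fallback in `p11_extract_info_comment` is never exercised. A third case that leaves the label out and pins the resulting string would document what a bundle contains for unlabeled objects; what `extract_label` returns in that case is not visible in this diff, so the expected value has to be checked against it. A one-line comment above `test_comment_for_label`, such as `/* first=false must prepend the blank line that separates bundle entries */`, would also make the purpose of the second assertion clear.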