author | Stef Walter <stefw@redhat.com> | 2017-01-29 15:10:37 +0100 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2017-01-31 17:38:15 +0100 |
commit | cfa9fefb2b4c4d8c1d38284817c61dcf5d3f4716 (patch) | |
tree | e5839794821273ace6543d1b699a70f75d4efca0 | |
parent | 2a46d81d84682181e0108ff2e5f973f7a319d25f (diff) |
trust: Implement a 'trust dump' command
This dumps all the PKCS#11 objects in the internal .p11-kit
persistence format.
This is part of the trust command and tooling, even though
at some point it could go in the p11-kit command. The reason
for this is that the code related to the internal .p11-kit
objects is in the trust code, and consumed solely by the
trust related modules.
-rw-r--r-- | doc/manual/trust.xml | 39 | ||||
-rw-r--r-- | trust/Makefile.am | 1 | ||||
-rw-r--r-- | trust/dump.c | 191 | ||||
-rw-r--r-- | trust/dump.h | 43 | ||||
-rw-r--r-- | trust/trust.c | 2 |
5 files changed, 276 insertions, 0 deletions
diff --git a/doc/manual/trust.xml b/doc/manual/trust.xml
index 05f2726..f6f2b3e 100644
--- a/doc/manual/trust.xml
+++ b/doc/manual/trust.xml
@@ -39,6 +39,9 @@ <cmdsynopsis> <command>trust anchor</command> /path/to/certificate.crt </cmdsynopsis> + <cmdsynopsis> + <command>trust dump</command> + </cmdsynopsis> </refsynopsisdiv> <refsect1 id="trust-description">
@@ -347,6 +350,42 @@ $ trust extract-compat </refsect1> +<refsect1 id="trust-dump"> + <title>Dump</title> + + <para>Dump PKCS#11 items in the various tokens.</para> + +<programlisting> +$ trust dump +</programlisting> + + <para>Dump information about the various PKCS#11 items in the tokens. + Each item is dumped with it's PKCS#11 URI and information in the .p11-kit + persistence format.</para> + + <para>You can specify the following options to control what to dump.</para> + + <varlistentry> + <term><option>--filter=<what></option></term> + <listitem> + <para>Specifies what certificates to extract. You can specify the following values: + <variablelist> + <varlistentry> + <term><option>all</option></term> + <listitem><para>All objects. This is the default</para></listitem> + </varlistentry> + <varlistentry> + <term><option>pkcs11:object=xx</option></term> + <listitem><para>A PKCS#11 URI to filter with</para></listitem> + </varlistentry> + </variablelist> + </para> + </listitem> + </varlistentry> + +</refsect1> + + <refsect1 id="trust-bugs"> <title>Bugs</title> <para>
diff --git a/trust/Makefile.am b/trust/Makefile.am
index cc91bce..6df75a1 100644
--- a/trust/Makefile.am
+++ b/trust/Makefile.am
@@ -94,6 +94,7 @@ trust_trust_SOURCES = \
 trust/parser.c trust/parser.h \
 trust/persist.c trust/persist.h \
 trust/digest.c trust/digest.h \
+ trust/dump.c trust/dump.h \
 trust/enumerate.c trust/enumerate.h \
 trust/extract.c trust/extract.h \
 trust/extract-jks.c \
diff --git a/trust/dump.c b/trust/dump.c
new file mode 100644
index 0000000..ddc4581
--- /dev/null
+++ b/trust/dump.c
@@ -0,0 +1,191 @@
+/*
+ * Copyright (c) 2013, Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the
+ * following disclaimer.
+ * * Redistributions in binary form must reproduce the
+ * above copyright notice, this list of conditions and
+ * the following disclaimer in the documentation and/or
+ * other materials provided with the distribution.
+ * * The names of contributors to this software may not be
+ * used to endorse or promote products derived from this
+ * software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@redhat.com>
+ */
+
+#include "config.h"
+
+#define P11_DEBUG_FLAG P11_DEBUG_TOOL
+
+#include "attrs.h"
+#include "debug.h"
+#include "dump.h"
+#include "enumerate.h"
+#include "message.h"
+#include "persist.h"
+#include "tool.h"
+#include "url.h"
+
+#include "p11-kit/iter.h"
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+static char *
+format_uri (p11_enumerate *ex,
+ int flags)
+{
+ CK_ATTRIBUTE *attr;
+ p11_kit_uri *uri;
+ char *string;
+
+ uri = p11_kit_uri_new ();
+
+ memcpy (p11_kit_uri_get_token_info (uri),
+ p11_kit_iter_get_token (ex->iter),
+ sizeof (CK_TOKEN_INFO));
+
+ attr = p11_attrs_find (ex->attrs, CKA_CLASS);
+ if (attr != NULL)
+ p11_kit_uri_set_attribute (uri, attr);
+ attr = p11_attrs_find (ex->attrs, CKA_ID);
+ if (attr != NULL)
+ p11_kit_uri_set_attribute (uri, attr);
+
+ if (p11_kit_uri_format (uri, flags, &string) != P11_KIT_URI_OK)
+ string = NULL;
+
+ p11_kit_uri_free (uri);
+ return string;
+}
+
+static bool
+dump_iterate (p11_enumerate *ex)
+{
+ p11_persist *persist;
+ char *string;
+ p11_buffer buf;
+ CK_RV rv;
+
+ persist = p11_persist_new ();
+
+ if (!p11_buffer_init (&buf, 0))
+ return_val_if_reached (false);
+
+ while ((rv = p11_kit_iter_next (ex->iter)) == CKR_OK) {
+ if (!p11_buffer_reset (&buf, 8192))
+ return_val_if_reached (false);
+
+ string = format_uri (ex, P11_KIT_URI_FOR_OBJECT);
+ if (string) {
+ printf ("# %s\n", string);
+ free (string);
+ }
+
+ if (!p11_persist_write (persist, ex->attrs, &buf)) {
+ p11_message ("could not dump object");
+ continue;
+ }
+
+ fwrite (buf.data, 1, buf.len, stdout);
+ printf ("\n");
+ }
+
+ p11_persist_free (persist);
+ p11_buffer_uninit (&buf);
+
+ return (rv == CKR_CANCEL);
+}
+
+int
+p11_trust_dump (int argc,
+ char **argv)
+{
+ p11_enumerate ex;
+ int opt = 0;
+ int ret;
+
+ enum {
+ opt_verbose = 'v',
+ opt_quiet = 'q',
+ opt_help = 'h',
+ opt_filter = 1000,
+ };
+
+ struct option options[] = {
+ { "filter", required_argument, NULL, opt_filter },
+ { "verbose", no_argument, NULL, opt_verbose },
+ { "quiet", no_argument, NULL, opt_quiet },
+ { "help", no_argument, NULL, opt_help },
+ { 0 },
+ };
+
+ p11_tool_desc usages[] = {
+ { 0, "usage: trust list --filter=<what>" },
+ { opt_filter,
+ "filter of what to export\n"
+ " pkcs11:object=xx a PKCS#11 URI\n"
+ " all all objects",
+ "what",
+ },
+ { opt_verbose, "show verbose debug output", },
+ { opt_quiet, "suppress command output", },
+ { 0 },
+ };
+
+ p11_enumerate_init (&ex);
+
+ while ((opt = p11_tool_getopt (argc, argv, options)) != -1) {
+ switch (opt) {
+ case opt_verbose:
+ case opt_quiet:
+ break;
+
+ case opt_filter:
+ if (!p11_enumerate_opt_filter (&ex, optarg))
+ exit (2);
+ break;
+ case 'h':
+ p11_tool_usage (usages, options);
+ exit (0);
+ case '?':
+ exit (2);
+ default:
+ assert_not_reached ();
+ break;
+ }
+ }
+
+ if (argc - optind != 0) {
+ p11_message ("extra arguments passed to command");
+ exit (2);
+ }
+
+ if (!p11_enumerate_ready (&ex, "all"))
+ exit (1);
+
+ ret = dump_iterate (&ex) ? 0 : 1;
+
+ p11_enumerate_cleanup (&ex);
+ return ret;
+}
diff --git a/trust/dump.h b/trust/dump.h
new file mode 100644
index 0000000..7b9b225
--- /dev/null
+++ b/trust/dump.h
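Review bot: The usage line in p11_trust_dump names the wrong subcommand — `{ 0, "usage: trust list --filter=<what>" },` looks carried over from the list command and is what `trust dump --help` will print; it should read `{ 0, "usage: trust dump --filter=<what>" },`, and the option help "filter of what to export" has the same mismatch with a command that dumps. In format_uri the result of `p11_kit_uri_new ()` is handed to memcpy through `p11_kit_uri_get_token_info (uri)` with no check, and dump_iterate likewise never checks `p11_persist_new ()`; if either can return NULL on allocation failure, the hunk's own `return_val_if_reached (false)` handling of `p11_buffer_init` is the consistent way to bail out rather than dereferencing. The `fwrite`/`printf` results in dump_iterate are unchecked, so p11_trust_dump exits 0 even when the dump on stdout was truncated (a full disk or closed pipe); a `fflush (stdout)` followed by an `ferror (stdout)` test before the `return (rv == CKR_CANCEL);` would let the exit status reflect that. Minor style point: the switch uses the literal `case 'h':` while the enum defines `opt_help` for exactly that value.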
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2013, Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the
+ * following disclaimer.
+ * * Redistributions in binary form must reproduce the
+ * above copyright notice, this list of conditions and
+ * the following disclaimer in the documentation and/or
+ * other materials provided with the distribution.
+ * * The names of contributors to this software may not be
+ * used to endorse or promote products derived from this
+ * software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@redhat.com>
+ */
+
+#include "config.h"
+
+#ifndef P11_DUMP_H_
+#define P11_DUMP_H_
+
+int p11_trust_dump (int argc,
+ char **argv);
+
+#endif /* P11_DUMP_H_ */
diff --git a/trust/trust.c b/trust/trust.c
index b006ec8..64eddae 100644
--- a/trust/trust.c
+++ b/trust/trust.c
@@ -35,6 +35,7 @@ #include "config.h"
 #include "anchor.h"
+#include "dump.h"
 #include "extract.h"
 #include "list.h"
@@ -58,6 +59,7 @@ static const p11_tool_command commands[] = {
 { "extract", p11_trust_extract, "Extract certificates and trust" },
 { "extract-compat", p11_trust_extract_compat, "Extract trust compatibility bundles" },
 { "anchor", p11_trust_anchor, "Add, remove, change trust anchors" },
+ { "dump", p11_trust_dump, "Dump trust objects in internal format" },
 { 0, }
 }; |