diff options
author | Stef Walter <stef@thewalter.net> | 2013-07-04 21:49:57 +0200 |
---|---|---|
committer | Stef Walter <stef@thewalter.net> | 2013-07-04 21:49:57 +0200 |
commit | 75e2cb73df51a2688ecd2f4b4e3b490ae7b9f5a7 (patch) | |
tree | 4ebf9e32a8cfe4afcf656f1b903dde18199784d0 /trust | |
parent | 7d4941715b5afc2ef8ea18716990d28965737c70 (diff) |
p11-kit: Add P11_KIT_MODULE_TRUSTED flag
A new flag to pass to p11_kit_modules_load() and related functions
which limits loaded modules to ones with "trust-policy: yes".
Diffstat (limited to 'trust')
-rw-r--r-- | trust/extract.c | 49 |
1 files changed, 12 insertions, 37 deletions
diff --git a/trust/extract.c b/trust/extract.c index d5ceb13..39d30e0 100644 --- a/trust/extract.c +++ b/trust/extract.c @@ -208,41 +208,6 @@ format_argument (const char *optarg, return true; } -static void -limit_modules_if_necessary (CK_FUNCTION_LIST_PTR *modules, - int flags) -{ - char *string; - int i, out; - - /* - * We only "believe" the CKA_TRUSTED and CKA_X_DISTRUSTED attributes - * we get from modules explicitly marked as containing trust-policy. - */ - - if ((flags & (P11_EXTRACT_ANCHORS | P11_EXTRACT_BLACKLIST)) == 0) - return; - - /* Count the number of modules */ - for (out = 0; modules[out] != NULL; out++); - - if (out == 0) - return; - - /* TODO: This logic will move once we merge our p11-kit managed code */ - for (i = 0, out = 0; modules[i] != NULL; i++) { - string = p11_kit_config_option (modules[i], "trust-policy"); - if (string && strcmp (string, "yes") == 0) - modules[out++] = modules[i]; - else if (string && strcmp (string, "no") != 0) - p11_message ("skipping module with invalid 'trust-policy' setting: %s", string); - free (string); - } - - if (out == 0) - p11_message ("no modules containing trust policy are registered"); -} - static bool validate_filter_and_format (p11_extract_info *ex, p11_extract_func func, @@ -304,6 +269,7 @@ p11_trust_extract (int argc, p11_extract_info ex; CK_ATTRIBUTE *match; P11KitUri *uri; + int flags; int opt = 0; int ret; @@ -434,11 +400,20 @@ p11_trust_extract (int argc, if (uri && p11_kit_uri_any_unrecognized (uri)) p11_message ("uri contained unrecognized components, nothing will be extracted"); - modules = p11_kit_modules_load_and_initialize (0); + /* + * We only "believe" the CKA_TRUSTED and CKA_X_DISTRUSTED attributes + * we get from modules explicitly marked as containing trust-policy. + */ + flags = 0; + if (ex.flags & (P11_EXTRACT_ANCHORS | P11_EXTRACT_BLACKLIST)) + flags |= P11_KIT_MODULE_TRUSTED; + + modules = p11_kit_modules_load_and_initialize (flags); if (!modules) return 1; - limit_modules_if_necessary (modules, ex.flags); + if (modules[0] == NULL) + p11_message ("no modules containing trust policy are registered"); iter = p11_kit_iter_new (uri, 0); |