diff options
author | Stef Walter <stefw@gnome.org> | 2013-03-14 10:05:17 +0100 |
---|---|---|
committer | Stef Walter <stefw@gnome.org> | 2013-03-15 17:19:01 +0100 |
commit | 86e60637394340ef2fa3b3db6b451dac1d73052b (patch) | |
tree | 8fa4f4c353534ffc259f9e333e64fbf7d068e913 /trust | |
parent | bf63f009cd4a1147a3e0684d898f140f46666b0e (diff) |
trust: Rework input path treatment
* Accept a single --with-trust-paths argument to ./configure
which cotnains all the input paths.
* The --with-system-anchors and --with-system-certificates
./configure arguments are no longer supported. Since they were
only present briefly, no provision is made for backwards
compatibility.
* Each input file is treated as containing anchors by default
unless an input certificate contains detailed trust information.
* The files in each input directory are not automatically treated
as anchors unless a certificate contains detailed trust information.
* The files in anchors/ subdirectory of each input directory are
automatically marked as anchors.
* The files in the blacklist/ subdirectory of each input directory
are automatically marked as blacklisted.
* Update tests and move around test certificates so we can
test these changes.
https://bugs.freedesktop.org/show_bug.cgi?id=62327
Diffstat (limited to 'trust')
-rw-r--r-- | trust/module.c | 21 | ||||
-rw-r--r-- | trust/parser.c | 47 | ||||
-rw-r--r-- | trust/tests/certificates/self-signed-with-ku.der | bin | 501 -> 0 bytes | |||
-rw-r--r-- | trust/tests/files/self-signed-with-eku.der (renamed from trust/tests/certificates/self-signed-with-eku.der) | bin | 480 -> 480 bytes | |||
-rw-r--r-- | trust/tests/frob-token.c | 2 | ||||
-rw-r--r-- | trust/tests/input/anchors/cacert3.der (renamed from trust/tests/anchors/cacert3.der) | bin | 1885 -> 1885 bytes | |||
-rw-r--r-- | trust/tests/input/anchors/testing-ca.der (renamed from trust/tests/anchors/testing-ca.der) | bin | 970 -> 970 bytes | |||
-rw-r--r-- | trust/tests/input/blacklist/self-server.der (renamed from trust/tests/files/self-server.der) | bin | 396 -> 396 bytes | |||
-rw-r--r-- | trust/tests/input/cacert-ca.der (renamed from trust/tests/certificates/cacert-ca.der) | bin | 1857 -> 1857 bytes | |||
-rw-r--r-- | trust/tests/input/distrusted.pem | 23 | ||||
-rw-r--r-- | trust/tests/test-module.c | 8 | ||||
-rw-r--r-- | trust/tests/test-session.c | 2 | ||||
-rw-r--r-- | trust/tests/test-token.c | 123 | ||||
-rw-r--r-- | trust/token.c | 78 | ||||
-rw-r--r-- | trust/token.h | 3 |
15 files changed, 253 insertions, 54 deletions
diff --git a/trust/module.c b/trust/module.c index bf9c0db..5ac018e 100644 --- a/trust/module.c +++ b/trust/module.c @@ -64,8 +64,7 @@ static struct _Shared { p11_dict *sessions; p11_token *token; - char *anchor_paths; - char *certificate_paths; + char *paths; } gl = { NULL, NULL }; /* Used during FindObjects */ @@ -115,13 +114,9 @@ parse_argument (char *arg) else *(value++) = 0; - if (strcmp (arg, "anchors") == 0) { - free (gl.anchor_paths); - gl.anchor_paths = value ? strdup (value) : NULL; - - } else if (strcmp (arg, "certificates") == 0) { - free (gl.certificate_paths); - gl.certificate_paths = value ? strdup (value) : NULL; + if (strcmp (arg, "paths") == 0) { + free (gl.paths); + gl.paths = value ? strdup (value) : NULL; } else { p11_message ("unrecognized module argument: %s", arg); @@ -219,9 +214,8 @@ sys_C_Finalize (CK_VOID_PTR reserved) rv = CKR_CRYPTOKI_NOT_INITIALIZED; } else { - free (gl.certificate_paths); - free (gl.anchor_paths); - gl.certificate_paths = gl.anchor_paths = NULL; + free (gl.paths); + gl.paths = NULL; p11_dict_free (gl.sessions); gl.sessions = NULL; @@ -290,8 +284,7 @@ sys_C_Initialize (CK_VOID_PTR init_args) p11_dict_ulongptr_equal, NULL, p11_session_free); - gl.token = p11_token_new (gl.anchor_paths ? gl.anchor_paths : SYSTEM_ANCHORS, - gl.certificate_paths ? gl.certificate_paths : SYSTEM_CERTIFICATES); + gl.token = p11_token_new (gl.paths ? gl.paths : TRUST_PATHS); if (gl.sessions == NULL || gl.token == NULL) { warn_if_reached (); diff --git a/trust/parser.c b/trust/parser.c index 3448f40..0b62f01 100644 --- a/trust/parser.c +++ b/trust/parser.c @@ -283,8 +283,8 @@ build_x509_certificate (p11_parser *parser, /* Filled in later */ CK_ULONG vcategory = 0; - CK_BBOOL vtrusted = CK_FALSE; - CK_BBOOL vdistrusted = CK_FALSE; + CK_BBOOL vtrusted = (parser->flags & P11_PARSE_FLAG_ANCHOR) ? CK_TRUE : CK_FALSE; + CK_BBOOL vdistrusted = (parser->flags & P11_PARSE_FLAG_BLACKLIST) ? CK_TRUE : CK_FALSE; CK_ATTRIBUTE certificate_type = { CKA_CERTIFICATE_TYPE, &vx509, sizeof (vx509) }; CK_ATTRIBUTE certificate_category = { CKA_CERTIFICATE_CATEGORY, &vcategory, sizeof (vcategory) }; @@ -780,6 +780,9 @@ build_openssl_extensions (p11_parser *parser, p11_dict *trust = NULL; p11_dict *reject = NULL; p11_dictiter iter; + CK_ATTRIBUTE *attr; + CK_BBOOL trusted; + CK_BBOOL distrust; void *key; int start; int end; @@ -832,6 +835,46 @@ build_openssl_extensions (p11_parser *parser, return_val_if_fail (ret == P11_PARSE_SUCCESS, ret); } + /* + * If loading from an blacklist flagged directory, then override all + * trust assumptionsinformation and mark this as a blacklisted certificate + */ + + if (parser->flags & P11_PARSE_FLAG_BLACKLIST) { + trusted = CK_FALSE; + distrust = CK_TRUE; + + /* + * OpenSSL model blacklists as anchors with all purposes being removed/rejected, + * we account for that here. If there is an ExtendedKeyUsage without any + * useful purposes, then treat like a blacklist. + */ + } else if (trust && p11_dict_size (trust) == 0) { + trusted = CK_FALSE; + distrust = CK_TRUE; + + /* + * Otherwise a 'TRUSTED CERTIFICATE' in an input directory is enough to + * mark this as a trusted certificate, even if we're not explicitly + * parsing an directory with the anchors flag. + */ + } else { + trusted = CK_TRUE; + distrust = CK_FALSE; + } + + attr = p11_attrs_find (cert, CKA_TRUSTED); + assert (attr != NULL); + assert (attr->pValue != NULL); + assert (attr->ulValueLen == sizeof (CK_BBOOL)); + *((CK_BBOOL *)attr->pValue) = trusted; + + attr = p11_attrs_find (cert, CKA_X_DISTRUSTED); + assert (attr != NULL); + assert (attr->pValue != NULL); + assert (attr->ulValueLen == sizeof (CK_BBOOL)); + *((CK_BBOOL *)attr->pValue) = distrust; + p11_dict_free (trust); p11_dict_free (reject); diff --git a/trust/tests/certificates/self-signed-with-ku.der b/trust/tests/certificates/self-signed-with-ku.der Binary files differdeleted file mode 100644 index e6f36e3..0000000 --- a/trust/tests/certificates/self-signed-with-ku.der +++ /dev/null diff --git a/trust/tests/certificates/self-signed-with-eku.der b/trust/tests/files/self-signed-with-eku.der Binary files differindex 33e0760..33e0760 100644 --- a/trust/tests/certificates/self-signed-with-eku.der +++ b/trust/tests/files/self-signed-with-eku.der diff --git a/trust/tests/frob-token.c b/trust/tests/frob-token.c index 95c129a..23856cf 100644 --- a/trust/tests/frob-token.c +++ b/trust/tests/frob-token.c @@ -52,7 +52,7 @@ main (int argc, return 2; } - token = p11_token_new (argv[1], NULL); + token = p11_token_new (argv[1]); count = p11_token_load (token); printf ("%d files loaded\n", count); diff --git a/trust/tests/anchors/cacert3.der b/trust/tests/input/anchors/cacert3.der Binary files differindex 56f8c88..56f8c88 100644 --- a/trust/tests/anchors/cacert3.der +++ b/trust/tests/input/anchors/cacert3.der diff --git a/trust/tests/anchors/testing-ca.der b/trust/tests/input/anchors/testing-ca.der Binary files differindex d3f70ea..d3f70ea 100644 --- a/trust/tests/anchors/testing-ca.der +++ b/trust/tests/input/anchors/testing-ca.der diff --git a/trust/tests/files/self-server.der b/trust/tests/input/blacklist/self-server.der Binary files differindex 68fe9af..68fe9af 100644 --- a/trust/tests/files/self-server.der +++ b/trust/tests/input/blacklist/self-server.der diff --git a/trust/tests/certificates/cacert-ca.der b/trust/tests/input/cacert-ca.der Binary files differindex 719b0ff..719b0ff 100644 --- a/trust/tests/certificates/cacert-ca.der +++ b/trust/tests/input/cacert-ca.der diff --git a/trust/tests/input/distrusted.pem b/trust/tests/input/distrusted.pem new file mode 100644 index 0000000..8de6ff0 --- /dev/null +++ b/trust/tests/input/distrusted.pem @@ -0,0 +1,23 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDsDCCAxmgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBnTELMAkGA1UEBhMCVVMx +FzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHEwdSYWxlaWdoMRYwFAYD +VQQKEw1SZWQgSGF0LCBJbmMuMQswCQYDVQQLEwJJUzEWMBQGA1UEAxMNUmVkIEhh +dCBJUyBDQTEmMCQGCSqGSIb3DQEJARYXc3lzYWRtaW4tcmR1QHJlZGhhdC5jb20w +HhcNMDkwOTE2MTg0NTI1WhcNMTkwOTE0MTg0NTI1WjCBnTELMAkGA1UEBhMCVVMx +FzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHEwdSYWxlaWdoMRYwFAYD +VQQKEw1SZWQgSGF0LCBJbmMuMQswCQYDVQQLEwJJUzEWMBQGA1UEAxMNUmVkIEhh +dCBJUyBDQTEmMCQGCSqGSIb3DQEJARYXc3lzYWRtaW4tcmR1QHJlZGhhdC5jb20w +gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN/HDWGiL8BarUWDIjNC6uxCXqYN +QkwcmhILX+cl+YuDDArFL1pYVrith228gF3dSUU5X7kIOmPkkjNheRkbnas61X+n +i3+KWvbX3q+h5VMxKX2cA1U+R3jLuXqYjF+N2gkPyPvxeoDuEncKAItw+mK/r+4L +WBb5nFzek7hP3017AgMBAAGjgf0wgfowHQYDVR0OBBYEFA2sGXDtBKdeeKv+i6g0 +6yEmwVY1MIHKBgNVHSMEgcIwgb+AFA2sGXDtBKdeeKv+i6g06yEmwVY1oYGjpIGg +MIGdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xpbmExEDAOBgNV +BAcTB1JhbGVpZ2gxFjAUBgNVBAoTDVJlZCBIYXQsIEluYy4xCzAJBgNVBAsTAklT +MRYwFAYDVQQDEw1SZWQgSGF0IElTIENBMSYwJAYJKoZIhvcNAQkBFhdzeXNhZG1p +bi1yZHVAcmVkaGF0LmNvbYIBATAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA +A4GBAFBgO5y3JcPXH/goumNBW7rr8m9EFZmQyK5gT1Ljv5qaCSZwxkAomhriv04p +mb1y8yjrK5OY3WwgaRaAWRHp4/hn2HWaRvx3S+gwLM7p8V1pWnbSFJOXF3kbuC41 +voMIMqAFfHKidKN/yrjJg/1ahIjSt11lMUvRJ4TNT+pk5VnBMB+gCgYIKwYBBQUH +AwIMEVJlZCBIYXQgSXMgdGhlIENB +-----END TRUSTED CERTIFICATE----- diff --git a/trust/tests/test-module.c b/trust/tests/test-module.c index 2d0e488..52fbe03 100644 --- a/trust/tests/test-module.c +++ b/trust/tests/test-module.c @@ -59,8 +59,7 @@ static void setup (CuTest *cu) { CK_C_INITIALIZE_ARGS args; - const char *anchors; - const char *certs; + const char *paths; char *arguments; CK_ULONG count; CK_RV rv; @@ -72,9 +71,8 @@ setup (CuTest *cu) CuAssertTrue (cu, rv == CKR_OK); memset (&args, 0, sizeof (args)); - anchors = SRCDIR "/anchors:" SRCDIR "/files/cacert-ca.der"; - certs = SRCDIR "/certificates"; - if (asprintf (&arguments, "anchors='%s' certificates='%s'", anchors, certs) < 0) + paths = SRCDIR "/input:" SRCDIR "/files/cacert-ca.der"; + if (asprintf (&arguments, "paths='%s'", paths) < 0) CuAssertTrue (cu, false && "not reached"); args.pReserved = arguments; args.flags = CKF_OS_LOCKING_OK; diff --git a/trust/tests/test-session.c b/trust/tests/test-session.c index d420d5c..e9031f2 100644 --- a/trust/tests/test-session.c +++ b/trust/tests/test-session.c @@ -53,7 +53,7 @@ struct { static void setup (CuTest *cu) { - test.token = p11_token_new ("", ""); + test.token = p11_token_new (""); CuAssertPtrNotNull (cu, test.token); test.session = p11_session_new (test.token); diff --git a/trust/tests/test-token.c b/trust/tests/test-token.c index 382d021..c566406 100644 --- a/trust/tests/test-token.c +++ b/trust/tests/test-token.c @@ -41,7 +41,9 @@ #include "attrs.h" #include "debug.h" +#include "pkcs11x.h" #include "library.h" +#include "test-data.h" #include "token.h" struct { @@ -51,8 +53,7 @@ struct { static void setup (CuTest *cu) { - test.token = p11_token_new (SRCDIR "/anchors:" SRCDIR "/files/cacert-ca.der", - SRCDIR "/files/self-server.der"); + test.token = p11_token_new (SRCDIR "/input:" SRCDIR "/files/self-server.der:" SRCDIR "/files/cacert-ca.der"); CuAssertPtrNotNull (cu, test.token); } @@ -72,7 +73,7 @@ test_token_load (CuTest *cu) setup (cu); count = p11_token_load (test.token); - CuAssertIntEquals (cu, 5, count); + CuAssertIntEquals (cu, 7, count); /* A certificate and trust object for each parsed object + builtin */ objects = p11_token_objects (test.token); @@ -81,6 +82,121 @@ test_token_load (CuTest *cu) teardown (cu); } +static bool +check_object (CK_ATTRIBUTE *match) +{ + CK_ATTRIBUTE *attrs; + p11_dict *objects; + p11_dictiter iter; + + objects = p11_token_objects (test.token); + + p11_dict_iterate (objects, &iter); + while (p11_dict_next (&iter, NULL, (void **)&attrs)) { + if (p11_attrs_match (attrs, match)) + return true; + } + + return false; +} + +static void +test_token_flags (CuTest *cu) +{ + CK_BBOOL falsev = CK_FALSE; + CK_BBOOL truev = CK_TRUE; + + /* + * blacklist comes from the input/distrust.pem file. It is not in the blacklist + * directory, but is an OpenSSL trusted certificate file, and is marked + * in the blacklist style for OpenSSL. + */ + + CK_ATTRIBUTE blacklist[] = { + { CKA_LABEL, "Red Hat Is the CA", 17 }, + { CKA_SERIAL_NUMBER, "\x02\x01\x01", 3 }, + { CKA_TRUSTED, &falsev, sizeof (falsev) }, + { CKA_X_DISTRUSTED, &truev, sizeof (truev) }, + { CKA_INVALID }, + }; + + /* + * blacklist2 comes from the input/blacklist/self-server.der file. It is + * explicitly put on the blacklist, even though it containts no trust + * policy information. + */ + + const unsigned char self_server_subject[] = { + 0x30, 0x4b, 0x31, 0x13, 0x30, 0x11, 0x06, 0x0a, 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, + 0x01, 0x19, 0x16, 0x03, 0x43, 0x4f, 0x4d, 0x31, 0x17, 0x30, 0x15, 0x06, 0x0a, 0x09, 0x92, 0x26, + 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x07, 0x45, 0x58, 0x41, 0x4d, 0x50, 0x4c, 0x45, + 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x12, 0x73, 0x65, 0x72, 0x76, 0x65, + 0x72, 0x2e, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, + }; + + CK_ATTRIBUTE blacklist2[] = { + { CKA_SUBJECT, (void *)self_server_subject, sizeof (self_server_subject) }, + { CKA_TRUSTED, &falsev, sizeof (falsev) }, + { CKA_X_DISTRUSTED, &truev, sizeof (truev) }, + { CKA_INVALID }, + }; + + /* + * anchor comes from the input/anchors/cacert3.der file. It is + * explicitly marked as an anchor, even though it containts no trust + * policy information. + */ + + CK_ATTRIBUTE anchor[] = { + { CKA_SUBJECT, (void *)test_cacert3_ca_subject, sizeof (test_cacert3_ca_subject) }, + { CKA_TRUSTED, &truev, sizeof (truev) }, + { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, + { CKA_INVALID }, + }; + + const unsigned char cacert_root_subject[] = { + 0x30, 0x79, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x07, 0x52, 0x6f, 0x6f, + 0x74, 0x20, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, 0x68, + 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x63, 0x61, 0x63, 0x65, 0x72, 0x74, + 0x2e, 0x6f, 0x72, 0x67, 0x31, 0x22, 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x19, 0x43, + 0x41, 0x20, 0x43, 0x65, 0x72, 0x74, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x41, + 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x73, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, + 0x40, 0x63, 0x61, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x6f, 0x72, 0x67, + }; + + /* + * notrust comes from the input/cacert-ca.der file. It contains no + * trust information, and is not explicitly marked as an anchor, so + * it's neither trusted or distrusted. + */ + + CK_ATTRIBUTE notrust[] = { + { CKA_SUBJECT, (void *)cacert_root_subject, sizeof (cacert_root_subject) }, + { CKA_TRUSTED, &falsev, sizeof (falsev) }, + { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) }, + { CKA_INVALID }, + }; + + CK_ATTRIBUTE invalid[] = { + { CKA_LABEL, "Waonec9aoe9", 8 }, + { CKA_INVALID }, + }; + + setup (cu); + + if (p11_token_load (test.token) < 0) + CuFail (cu, "should not be reached"); + + CuAssertTrue (cu, !check_object (invalid)); + CuAssertTrue (cu, check_object (anchor)); + CuAssertTrue (cu, check_object (blacklist)); + CuAssertTrue (cu, check_object (blacklist2)); + CuAssertTrue (cu, check_object (notrust)); + + teardown (cu); +} + int main (void) { @@ -94,6 +210,7 @@ main (void) p11_message_quiet (); SUITE_ADD_TEST (suite, test_token_load); + SUITE_ADD_TEST (suite, test_token_flags); CuSuiteRun (suite); CuSuiteSummary (suite, output); diff --git a/trust/token.c b/trust/token.c index 3c0de4c..f96d865 100644 --- a/trust/token.c +++ b/trust/token.c @@ -50,6 +50,7 @@ #include <sys/types.h> #include <dirent.h> +#include <stdio.h> #include <stdlib.h> #include <string.h> @@ -58,9 +59,7 @@ struct _p11_token { p11_parser *parser; p11_dict *objects; - const char *anchor_paths; - const char *other_paths; - const char *certificate_paths; + const char *paths; int loaded; }; @@ -149,11 +148,32 @@ loader_load_directory (p11_token *token, } static int +loader_load_subdirectory (p11_token *token, + const char *directory, + const char *subdir, + int flags) +{ + struct stat sb; + char *path; + int ret = 0; + + if (asprintf (&path, "%s/%s", directory, subdir) < 0) + return_val_if_reached (-1); + + if (stat (path, &sb) >= 0 && S_ISDIR (sb.st_mode)) + ret = loader_load_directory (token, path, flags); + + free (path); + return ret; +} + +static int loader_load_path (p11_token *token, - const char *path, - int flags) + const char *path) { struct stat sb; + int total; + int ret; if (stat (path, &sb) < 0) { if (errno == ENOENT) { @@ -167,16 +187,30 @@ loader_load_path (p11_token *token, return 0; } - if (S_ISDIR (sb.st_mode)) - return loader_load_directory (token, path, flags); - else - return loader_load_file (token, path, &sb, flags); + if (S_ISDIR (sb.st_mode)) { + total = 0; + + ret = loader_load_subdirectory (token, path, "anchors", P11_PARSE_FLAG_ANCHOR); + return_val_if_fail (ret >= 0, ret); + total += ret; + + ret = loader_load_subdirectory (token, path, "blacklist", P11_PARSE_FLAG_BLACKLIST); + return_val_if_fail (ret >= 0, ret); + total += ret; + + ret = loader_load_directory (token, path, P11_PARSE_FLAG_NONE); + return_val_if_fail (ret >= 0, ret); + total += ret; + + return total; + } else { + return loader_load_file (token, path, &sb, P11_PARSE_FLAG_ANCHOR); + } } static int loader_load_paths (p11_token *token, - const char *paths, - int flags) + const char *paths) { const char *pos; int total = 0; @@ -199,7 +233,7 @@ loader_load_paths (p11_token *token, if (path[0] != '\0') { /* We don't expect this to fail except for in strange circumstances */ - ret = loader_load_path (token, path, flags); + ret = loader_load_path (token, path); if (ret < 0) return_val_if_reached (-1); total += ret; @@ -383,8 +417,7 @@ int p11_token_load (p11_token *token) { int builtins; - int anchors; - int other; + int count; if (token->loaded) return 0; @@ -392,15 +425,10 @@ p11_token_load (p11_token *token) builtins = load_builtin_objects (token); - anchors = loader_load_paths (token, token->anchor_paths, P11_PARSE_FLAG_ANCHOR); - if (anchors < 0) - return anchors; - - other = loader_load_paths (token, token->other_paths, P11_PARSE_FLAG_NONE); - if (other < 0) - return other; + count = loader_load_paths (token, token->paths); + return_val_if_fail (count >= 0, count); - return anchors + builtins + other; + return count + builtins; } p11_dict * @@ -421,8 +449,7 @@ p11_token_free (p11_token *token) } p11_token * -p11_token_new (const char *anchor_paths, - const char *other_paths) +p11_token_new (const char *paths) { p11_token *token; @@ -437,8 +464,7 @@ p11_token_new (const char *anchor_paths, free, p11_attrs_free); return_val_if_fail (token->objects != NULL, NULL); - token->anchor_paths = anchor_paths; - token->other_paths = other_paths; + token->paths = paths; token->loaded = 0; return token; diff --git a/trust/token.h b/trust/token.h index 1152a68..0c53d32 100644 --- a/trust/token.h +++ b/trust/token.h @@ -39,8 +39,7 @@ typedef struct _p11_token p11_token; -p11_token * p11_token_new (const char *anchor_paths, - const char *other_paths); +p11_token * p11_token_new (const char *paths); void p11_token_free (p11_token *token); |