diff options
Diffstat (limited to 'trust/extract.c')
-rw-r--r-- | trust/extract.c | 180 |
1 files changed, 14 insertions, 166 deletions
diff --git a/trust/extract.c b/trust/extract.c index 1aec3e6..0389d29 100644 --- a/trust/extract.c +++ b/trust/extract.c @@ -55,114 +55,6 @@ #include <string.h> static bool -filter_argument (const char *optarg, - P11KitUri **uri, - CK_ATTRIBUTE **match, - int *flags) -{ - CK_ATTRIBUTE *attrs; - int ret; - - CK_OBJECT_CLASS vcertificate = CKO_CERTIFICATE; - CK_ULONG vauthority = 2; - CK_CERTIFICATE_TYPE vx509 = CKC_X_509; - - CK_ATTRIBUTE certificate = { CKA_CLASS, &vcertificate, sizeof (vcertificate) }; - CK_ATTRIBUTE authority = { CKA_CERTIFICATE_CATEGORY, &vauthority, sizeof (vauthority) }; - CK_ATTRIBUTE x509 = { CKA_CERTIFICATE_TYPE, &vx509, sizeof (vx509) }; - - if (strncmp (optarg, "pkcs11:", 7) == 0) { - if (*uri != NULL) { - p11_message ("only one pkcs11 uri filter may be specified"); - return false; - } - *uri = p11_kit_uri_new (); - ret = p11_kit_uri_parse (optarg, P11_KIT_URI_FOR_OBJECT_ON_TOKEN_AND_MODULE, *uri); - if (ret != P11_KIT_URI_OK) { - p11_message ("couldn't parse pkcs11 uri filter: %s", optarg); - return false; - } - return true; - } - - if (strcmp (optarg, "ca-anchors") == 0) { - attrs = p11_attrs_build (NULL, &certificate, &authority, &x509, NULL); - *flags |= P11_EXTRACT_ANCHORS | P11_EXTRACT_COLLAPSE; - - } else if (strcmp (optarg, "trust-policy") == 0) { - attrs = p11_attrs_build (NULL, &certificate, &x509, NULL); - *flags |= P11_EXTRACT_ANCHORS | P11_EXTRACT_BLACKLIST | P11_EXTRACT_COLLAPSE; - - } else if (strcmp (optarg, "blacklist") == 0) { - attrs = p11_attrs_build (NULL, &certificate, &x509, NULL); - *flags |= P11_EXTRACT_BLACKLIST | P11_EXTRACT_COLLAPSE; - - } else if (strcmp (optarg, "certificates") == 0) { - attrs = p11_attrs_build (NULL, &certificate, &x509, NULL); - *flags |= P11_EXTRACT_COLLAPSE; - - } else { - p11_message ("unsupported or unrecognized filter: %s", optarg); - return false; - } - - if (*match != NULL) { - p11_message ("a conflicting filter has already been specified"); - p11_attrs_free (attrs); - return false; - } - - *match = attrs; - return true; -} - -static int -is_valid_oid_rough (const char *string) -{ - size_t len; - - len = strlen (string); - - /* Rough check if a valid OID */ - return (strspn (string, "0123456789.") == len && - !strstr (string, "..") && string[0] != '\0' && string[0] != '.' && - string[len - 1] != '.'); -} - -static bool -purpose_argument (const char *optarg, - p11_extract_info *ex) -{ - const char *oid; - - if (strcmp (optarg, "server-auth") == 0) { - oid = P11_OID_SERVER_AUTH_STR; - } else if (strcmp (optarg, "client-auth") == 0) { - oid = P11_OID_CLIENT_AUTH_STR; - } else if (strcmp (optarg, "email-protection") == 0 || strcmp (optarg, "email") == 0) { - oid = P11_OID_EMAIL_PROTECTION_STR; - } else if (strcmp (optarg, "code-signing") == 0) { - oid = P11_OID_CODE_SIGNING_STR; - } else if (strcmp (optarg, "ipsec-end-system") == 0) { - oid = P11_OID_IPSEC_END_SYSTEM_STR; - } else if (strcmp (optarg, "ipsec-tunnel") == 0) { - oid = P11_OID_IPSEC_TUNNEL_STR; - } else if (strcmp (optarg, "ipsec-user") == 0) { - oid = P11_OID_IPSEC_USER_STR; - } else if (strcmp (optarg, "time-stamping") == 0) { - oid = P11_OID_TIME_STAMPING_STR; - } else if (is_valid_oid_rough (optarg)) { - oid = optarg; - } else { - p11_message ("unsupported or unregonized purpose: %s", optarg); - return false; - } - - p11_extract_info_limit_purpose (ex, oid); - return true; -} - -static bool format_argument (const char *optarg, p11_extract_func *func) { @@ -209,9 +101,8 @@ format_argument (const char *optarg, } static bool -validate_filter_and_format (p11_extract_info *ex, - p11_extract_func func, - CK_ATTRIBUTE *match) +validate_filter_and_format (p11_enumerate *ex, + p11_extract_func func) { int i; @@ -233,8 +124,8 @@ validate_filter_and_format (p11_extract_info *ex, return true; } - if ((ex->flags & P11_EXTRACT_ANCHORS) && - (ex->flags & P11_EXTRACT_BLACKLIST)) { + if ((ex->flags & P11_ENUMERATE_ANCHORS) && + (ex->flags & P11_ENUMERATE_BLACKLIST)) { /* * If we're extracting *both* anchors and blacklist, then we must have * a format that can represent the different types of information. @@ -243,7 +134,7 @@ validate_filter_and_format (p11_extract_info *ex, p11_message ("format does not support trust policy"); return false; - } else if (ex->flags & P11_EXTRACT_ANCHORS) { + } else if (ex->flags & P11_ENUMERATE_ANCHORS) { /* * If we're extracting anchors, then we must have either limited the @@ -252,7 +143,7 @@ validate_filter_and_format (p11_extract_info *ex, if (!ex->limit_to_purposes) { p11_message ("format does not support multiple purposes, defaulting to 'server-auth'"); - p11_extract_info_limit_purpose (ex, P11_OID_SERVER_AUTH_STR); + p11_enumerate_opt_purpose (ex, "server-auth"); } } @@ -264,12 +155,7 @@ p11_trust_extract (int argc, char **argv) { p11_extract_func format = NULL; - CK_FUNCTION_LIST_PTR *modules; - P11KitIter *iter; - p11_extract_info ex; - CK_ATTRIBUTE *match; - P11KitUri *uri; - int flags; + p11_enumerate ex; int opt = 0; int ret; @@ -334,10 +220,7 @@ p11_trust_extract (int argc, { 0 }, }; - match = NULL; - uri = NULL; - - p11_extract_info_init (&ex); + p11_enumerate_init (&ex); while ((opt = p11_tool_getopt (argc, argv, options)) != -1) { switch (opt) { @@ -352,11 +235,11 @@ p11_trust_extract (int argc, ex.flags |= P11_EXTRACT_COMMENT; break; case opt_filter: - if (!filter_argument (optarg, &uri, &match, &ex.flags)) + if (!p11_enumerate_opt_filter (&ex, optarg)) exit (2); break; case opt_purpose: - if (!purpose_argument (optarg, &ex)) + if (!p11_enumerate_opt_purpose (&ex, optarg)) exit (2); break; case opt_format: @@ -381,55 +264,20 @@ p11_trust_extract (int argc, p11_message ("specify one destination file or directory"); exit (2); } - ex.destination = argv[0]; if (!format) { p11_message ("no output format specified"); exit (2); } - /* If nothing that was useful to enumerate was specified, then bail */ - if (uri == NULL && match == NULL) { - p11_message ("no filter specified, defaulting to 'ca-anchors'"); - filter_argument ("ca-anchors", &uri, &match, &ex.flags); - } - - if (!validate_filter_and_format (&ex, format, match)) + if (!validate_filter_and_format (&ex, format)) exit (1); - if (uri && p11_kit_uri_any_unrecognized (uri)) - p11_message ("uri contained unrecognized components, nothing will be extracted"); - - /* - * We only "believe" the CKA_TRUSTED and CKA_X_DISTRUSTED attributes - * we get from modules explicitly marked as containing trust-policy. - */ - flags = 0; - if (ex.flags & (P11_EXTRACT_ANCHORS | P11_EXTRACT_BLACKLIST)) - flags |= P11_KIT_MODULE_TRUSTED; - - modules = p11_kit_modules_load_and_initialize (flags); - if (!modules) + if (!p11_enumerate_ready (&ex, "ca-anchors")) exit (1); - if (modules[0] == NULL) - p11_message ("no modules containing trust policy are registered"); - - iter = p11_kit_iter_new (uri, 0); - - p11_kit_iter_add_callback (iter, p11_extract_info_load_filter, &ex, NULL); - p11_kit_iter_add_filter (iter, match, p11_attrs_count (match)); - - p11_kit_iter_begin (iter, modules); - - ret = (format) (iter, &ex) ? 0 : 1; - - p11_extract_info_cleanup (&ex); - p11_kit_iter_free (iter); - p11_kit_uri_free (uri); - - p11_kit_modules_finalize (modules); - p11_kit_modules_release (modules); + ret = (format) (&ex, argv[0]) ? 0 : 1; + p11_enumerate_cleanup (&ex); return ret; } |