| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
Related to the following bug:
https://bugs.freedesktop.org/show_bug.cgi?id=69314
|
| |
|
|
|
|
| |
Because we want to use this same logic for listing trust
|
|
|
|
| |
This allows a token to remove the file if desired
|
|
|
|
|
| |
There was a bug where we were rewriting the modified object
multiple times.
|
|
|
|
|
|
| |
As a side effect we can also not use the dirent.d_type field
https://bugs.freedesktop.org/show_bug.cgi?id=68525
|
| |
|
|
|
|
|
|
|
|
|
| |
On certain file systems the size of the directory does not
change when adding a file. This caused the tests to fail. Make
the tests wait more than a second in certain tests to get the
mtime to change.
https://bugs.freedesktop.org/show_bug.cgi?id=65249
|
| |
|
|
|
|
|
| |
* Add a testing sanity check to see if we're catching errors
* Fix a few other testing issues
|
|
|
|
|
|
|
|
|
|
|
|
| |
TMPDIR is a more standard environment variable for locating the
temp directory on Unix. In addition since this is only used in
tests, remove the code from the generic p11_path_expand() func.
In general remove the possibility for forks to put $HOME or $TEMP
environment variables in configured paths. This was possible
due to code in p11_path_expand() but not something we supported.
https://bugzilla.redhat.com/show_bug.cgi?id=985017
|
|
|
|
| |
Among others fix possible usage of large stack allocation.
|
|
|
|
|
|
| |
Since we don't want to link freebl3 to libp11-kit.so where it isn't
needed, move the SHA-1 and MD5 digest functionality to the trust/
directory.
|
| |
|
|
|
|
|
|
|
|
| |
* Create directory before trying to write files to it
* Handle write failures appropriately
Refactor how we build and store objects in the index to handle
the above cases properly.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Use the concepts and PKCS#11 objects described in the
recently updated (still work in progress) storing trust spec.
* Define our own CKA_X_PUBLIC_KEY_INFO define for now, since the
the CKA_PUBLIC_KEY_INFO isn't defined yet.
* Most notably, the association between certificates and stapled
extensions is by public key.
* Rework some of the tests to take into account the above.
|
| |
|
|
|
|
| |
Some helpers for commonly used ASN.1 related stuff.
|
|
|
|
|
| |
* The objects are written out in the p11-kit persist format
* Parser marks files in p11-kit persist format as modifiable
|
| |
|
|
|
|
|
|
| |
The name makes it clearer what's going on. This is only used
during loading, so we can track whether a change has resulted
from the trust module or from the file storage.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Reload token data whenever a new session is opened.
* Only reload files/directories that have changed.
* Move duplicate anchor/blacklist detection logic into
the extract code. This is in line with the approach
being discussed on the mailing lists and spec document.
* New internal attribute CKA_X_ORIGIN set on all objects
so we can track where an object came from, and replace
it when reloaded.
In general this is a prerequisite for modification of objects
reload before modify is necessary to prevent multiple callers
clobbering each other's changes.
|
|
|
|
|
|
|
|
|
|
|
| |
In order to use the session we are iterating on for other tasks
such as other C_FindObject() calls, we need to make sure that
it's not in the middle of a find operation. Finish up the
complete find operation in advance of returning objects from
a session.
Make this the default mode. The previous behavior remains
as an option. Add tests.
|
| |
|
| |
|
|
|
|
|
|
|
| |
* p11-kit library and tool in the p11-kit/ subdirectory
* trust module and new trust tool in trust/ subdirectory
* No more tools/ subdirectory
* Lots less in the common/ subdirectory
|
|
|
|
|
|
| |
Although we don't actually write anything out yet, make the
various PKCS#11 functions behave properly when faced with
requests to write to token objects
|
|
|
|
|
| |
Correctly set the CKF_TOKEN_WRITE_PROTECTED flag for paths
which we will be able to write to.
|
|\ |
|
| |
| |
| |
| | |
https://bugs.freedesktop.org/show_bug.cgi?id=65401
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Track number of C_Initialize calls, and require similar number
of C_Finalize calls to finalize.
This fixes leaks/disappearing sessions in the trust module.
https://bugs.freedesktop.org/show_bug.cgi?id=65401
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| | |
* Support the TAP protocol
* Much cleaner without having to carry around state
* First class support for setup/teardown
* Port the common tests
* Wait on porting other tests until we've merged outstanding code
|
|/
|
|
|
|
|
|
|
| |
Support a new managed style module loading for PKCS#11 modules. This
allows us to better coordinate between multiple callers of the same
PKCS#11 modules and provide hooks into their behavior.
This meant redoing the public facing API. The old methods are now
deprecated, marked and documented as such.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKCS#11 specification does not note what timezone these dates
are in. In addition the time values are not represented in PKCS#11.
So don't reinterpret certificate dates, other than filling in the
century for dates that have a two digit year.
Lastly, these are low resolution optional fields so not being all
strict about timezones here is appropriate.
https://bugs.freedesktop.org/show_bug.cgi?id=62825
|
|
|
|
|
|
|
|
| |
Sometimes NSS queries for trust objects using invalid serial numbers
that do not have their DER decoding. We fixed this earlier, but want
to make sure there are no corner cases, accidentally not matching
serial numbers that happen to start with the same bytes as a DER
TLV would.
|
|
|
|
|
|
|
|
|
|
| |
Centralize the path handling code, so we can remove unixy assumptions
and have a chance of running on Windows. The current goal is to run
all the tests on Windows.
Includes some code from LRN <lrn1986@gmail.com>
https://bugs.freedesktop.org/show_bug.cgi?id=63062
|
|
|
|
|
|
|
|
|
|
|
| |
Put library init/uninit code its into their own statically
linked library so that they don't get linked into the p11-kit
executable.
Refactor the message code so that the library initialization can
plug in its per thread message buffer.
https://bugs.freedesktop.org/show_bug.cgi?id=63046
|
|
|
|
| |
Also remove some generated files from the po/ directory.
|
|
|
|
|
|
|
| |
These don't contain the CKA_VALUE attribute for certificate data
but rather the CKA_X_CERTIFICATE_VALUE attribute.
https://bugs.freedesktop.org/show_bug.cgi?id=62896
|
|
|
|
|
|
|
| |
Some callers erroneously call our C_Logout function, like NSS.
So return appropriate error codes in these cases.
https://bugs.freedesktop.org/show_bug.cgi?id=62874
|
|
|
|
|
|
|
|
|
| |
Since CKA_START_DATE and CKA_END_DATE are the only places
where we want to parse out times, and these are optional, just
leave blank if the time overflows what libc can handle on
a 32-bit system.
https://bugs.freedesktop.org/show_bug.cgi?id=62825
|
| |
|
|
|
|
| |
These are things that showed up in valgrind while running the tests.
|
|
|
|
|
| |
* make memcheck: Runs basic memory checking
* make leakcheck: Also runs leak checking
|
|
|
|
|
|
|
|
| |
If duplicate certificates are present in a token, we warn about this,
and don't really recommend it. However we have predictable behavior
where blacklist is prefered to anchor is preferred to unknown trust.
https://bugs.freedesktop.org/show_bug.cgi?id=62548
|
|
|
|
|
|
|
|
|
| |
The index now uses a sort of cross between a hash table and a bloom
filter internally to select matching items. This is needed for the
massive amount of lookups we want to do during loading.
In addition make p11_index_find() and p11_index_replace() easier
to use.
|