diff options
Diffstat (limited to 'trust/frob-nss-trust.c')
-rw-r--r-- | trust/frob-nss-trust.c | 221 |
1 files changed, 221 insertions, 0 deletions
diff --git a/trust/frob-nss-trust.c b/trust/frob-nss-trust.c new file mode 100644 index 0000000..fd69573 --- /dev/null +++ b/trust/frob-nss-trust.c @@ -0,0 +1,221 @@ +/* + * Copyright (c) 2013 Red Hat Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above + * copyright notice, this list of conditions and the + * following disclaimer. + * * Redistributions in binary form must reproduce the + * above copyright notice, this list of conditions and + * the following disclaimer in the documentation and/or + * other materials provided with the distribution. + * * The names of contributors to this software may not be + * used to endorse or promote products derived from this + * software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + * + * Author: Stef Walter <stefw@redhat.com> + */ + +#include "config.h" + +#include "compat.h" +#include "attrs.h" +#include "debug.h" +#include "pkcs11x.h" + +#include "p11-kit/iter.h" +#include "p11-kit/p11-kit.h" + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +static void +dump_object (P11KitIter *iter, + CK_ATTRIBUTE *attrs) +{ + CK_ATTRIBUTE label = { CKA_LABEL, }; + CK_ATTRIBUTE *attr; + char *string; + char *name; + CK_RV rv; + + attr = p11_attrs_find_valid (attrs, CKA_LABEL); + if (!attr) { + rv = p11_kit_iter_load_attributes (iter, &label, 1); + if (rv == CKR_OK) + attr = &label; + } + + if (attr) + name = strndup (attr->pValue, attr->ulValueLen); + else + name = strdup ("unknown"); + + string = p11_attrs_to_string (attrs, -1); + printf ("\"%s\" = %s\n", name, string); + free (string); + + free (label.pValue); + free (name); +} + +static int +dump_trust_module (const char *path) +{ + CK_FUNCTION_LIST *module; + CK_OBJECT_CLASS nss_trust = CKO_NSS_TRUST; + CK_ATTRIBUTE match = + { CKA_CLASS, &nss_trust, sizeof (nss_trust) }; + P11KitIter *iter; + CK_ATTRIBUTE *attrs; + CK_RV rv; + + CK_ATTRIBUTE template[] = { + { CKA_CLASS,}, + { CKA_LABEL, }, + { CKA_CERT_MD5_HASH, }, + { CKA_CERT_SHA1_HASH }, + { CKA_ISSUER, }, + { CKA_SERIAL_NUMBER, }, + { CKA_TRUST_SERVER_AUTH, }, + { CKA_TRUST_EMAIL_PROTECTION, }, + { CKA_TRUST_CODE_SIGNING, }, + { CKA_TRUST_STEP_UP_APPROVED, }, + { CKA_INVALID, } + }; + + CK_ULONG count = p11_attrs_count (template); + + module = p11_kit_module_load (path, 0); + return_val_if_fail (module != NULL, 1); + + rv = p11_kit_module_initialize (module); + return_val_if_fail (rv == CKR_OK, 1); + + iter = p11_kit_iter_new (NULL, 0); + p11_kit_iter_add_filter (iter, &match, 1); + p11_kit_iter_begin_with (iter, module, 0, 0); + + while ((rv = p11_kit_iter_next (iter)) == CKR_OK) { + attrs = p11_attrs_dup (template); + rv = p11_kit_iter_load_attributes (iter, attrs, count); + return_val_if_fail (rv == CKR_OK || rv == CKR_ATTRIBUTE_VALUE_INVALID, 1); + p11_attrs_purge (attrs); + dump_object (iter, attrs); + p11_attrs_free (attrs); + } + + return_val_if_fail (rv == CKR_CANCEL, 1); + + p11_kit_module_finalize (module); + p11_kit_module_release (module); + + return 0; +} + +static int +compare_trust_modules (const char *path1, + const char *path2) +{ + CK_FUNCTION_LIST *module1; + CK_FUNCTION_LIST *module2; + CK_OBJECT_CLASS nss_trust = CKO_NSS_TRUST; + CK_ATTRIBUTE match = + { CKA_CLASS, &nss_trust, sizeof (nss_trust) }; + P11KitIter *iter; + P11KitIter *iter2; + CK_ATTRIBUTE *check; + CK_RV rv; + + CK_ATTRIBUTE template[] = { + { CKA_CLASS, }, + { CKA_ISSUER, }, + { CKA_SERIAL_NUMBER, }, + { CKA_CERT_MD5_HASH, }, + { CKA_CERT_SHA1_HASH }, + { CKA_TRUST_SERVER_AUTH, }, + { CKA_TRUST_EMAIL_PROTECTION, }, + { CKA_TRUST_CODE_SIGNING, }, + { CKA_TRUST_STEP_UP_APPROVED, }, + { CKA_INVALID, } + }; + + module1 = p11_kit_module_load (path1, 0); + return_val_if_fail (module1 != NULL, 1); + + rv = p11_kit_module_initialize (module1); + return_val_if_fail (rv == CKR_OK, 1); + + module2 = p11_kit_module_load (path2, 0); + return_val_if_fail (module2 != NULL, 1); + + rv = p11_kit_module_initialize (module2); + return_val_if_fail (rv == CKR_OK, 1); + + iter = p11_kit_iter_new (NULL, 0); + p11_kit_iter_add_filter (iter, &match, 1); + p11_kit_iter_begin_with (iter, module1, 0, 0); + + while ((rv = p11_kit_iter_next (iter)) == CKR_OK) { + check = p11_attrs_dup (template); + + rv = p11_kit_iter_load_attributes (iter, check, p11_attrs_count (check)); + return_val_if_fail (rv == CKR_OK || rv == CKR_ATTRIBUTE_TYPE_INVALID, 1); + + /* Go through and remove anything not found */ + p11_attrs_purge (check); + + /* Check that this object exists */ + iter2 = p11_kit_iter_new (NULL, 0); + p11_kit_iter_add_filter (iter2, check, p11_attrs_count (check)); + p11_kit_iter_begin_with (iter2, module2, 0, 0); + rv = p11_kit_iter_next (iter2); + p11_kit_iter_free (iter2); + + if (rv != CKR_OK) + dump_object (iter, check); + + p11_attrs_free (check); + } + + return_val_if_fail (rv == CKR_CANCEL, 1); + p11_kit_module_finalize (module1); + p11_kit_module_release (module1); + + p11_kit_module_finalize (module2); + p11_kit_module_release (module2); + + return 0; +} + +int +main (int argc, + char *argv[]) +{ + if (argc == 2) { + return dump_trust_module (argv[1]); + } else if (argc == 3) { + return compare_trust_modules (argv[1], argv[2]); + } else { + fprintf (stderr, "usage: frob-nss-trust module\n"); + fprintf (stderr, " frob-nss-trust module1 module2\n"); + return 2; + } +} |