authorStef Walter <stefw@gnome.org>2012-12-17 16:05:36 +0100
committerStef Walter <stefw@gnome.org>2013-02-05 14:54:53 +0100
commit75654253498993ff1638e0e64440c335b54df1db (patch)
tree79b1dc525ed0f46becbfc1092f11971e0f456f31
parentc2dcd0b3cb1ccac4eff98044d43d3f8696094644 (diff)
downloadp11-kit-75654253498993ff1638e0e64440c335b54df1db.tar.gz
Add the builtin roots NSS specific object
This tells NSS that this is a source of anchors.
-rw-r--r--doc/p11-kit-trust.xml5
-rw-r--r--trust/tests/test-module.c27
-rw-r--r--trust/tests/test-token.c6
-rw-r--r--trust/token.c28
4 files changed, 61 insertions, 5 deletions
diff --git a/doc/p11-kit-trust.xml b/doc/p11-kit-trust.xml
index 036b422..ef2db28 100644
--- a/doc/p11-kit-trust.xml
+++ b/doc/p11-kit-trust.xml
@@ -63,7 +63,10 @@ $ pkg-config --variable p11_system_certificates p11-kit-1
<para>The trust policy module is a drop in replacement for the
<literal>libnssckbi.so</literal> module and thus works out of
- the box with NSS. The module may be used to replace the
+ the box with NSS. The trust policy module provides NSS style
+ PKCS#11 trust objects for NSS to retrieve.</para>
+
+ <para>The module may be used to replace the
<literal>libnssckbi.so</literal> file via an distribution
specific alternatives mechanism or otherwise.</para>
diff --git a/trust/tests/test-module.c b/trust/tests/test-module.c
index 8bd8e10..64857a7 100644
--- a/trust/tests/test-module.c
+++ b/trust/tests/test-module.c
@@ -306,6 +306,32 @@ test_find_certificates (CuTest *cu)
teardown (cu);
}
+static void
+test_find_builtin (CuTest *cu)
+{
+ CK_OBJECT_CLASS klass = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
+ CK_BBOOL vtrue = CK_TRUE;
+ CK_BBOOL vfalse = CK_FALSE;
+
+ CK_ATTRIBUTE match[] = {
+ { CKA_CLASS, &klass, sizeof (klass) },
+ { CKA_TOKEN, &vtrue, sizeof (vtrue) },
+ { CKA_PRIVATE, &vfalse, sizeof (vfalse) },
+ { CKA_MODIFIABLE, &vfalse, sizeof (vfalse) },
+ { CKA_INVALID, }
+ };
+
+ CK_OBJECT_HANDLE objects[16];
+ CK_ULONG count;
+
+ setup (cu);
+
+ count = find_objects (cu, match, objects, 16);
+ CuAssertIntEquals (cu, 1, count);
+
+ teardown (cu);
+}
+
int
main (void)
{
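Review bot: The buffer size 16 is written twice, once in `CK_OBJECT_HANDLE objects[16]` and again in the `find_objects (cu, match, objects, 16)` call, so the two can drift apart on a later edit; deriving the capacity from the array keeps them tied together, e.g. `count = find_objects (cu, match, objects, sizeof (objects) / sizeof (objects[0]));`. The test also only asserts that exactly one matching object exists; reading back CKA_LABEL or CKA_CLASS on `objects[0]` would pin the builtin object's attributes to what token.c builds, assuming the harness has a helper for attribute lookups (not visible in this hunk).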
@@ -318,6 +344,7 @@ main (void)
/* p11_message_quiet (); */
SUITE_ADD_TEST (suite, test_find_certificates);
+ SUITE_ADD_TEST (suite, test_find_builtin);
CuSuiteRun (suite);
CuSuiteSummary (suite, output);
diff --git a/trust/tests/test-token.c b/trust/tests/test-token.c
index 1d9228a..8a5b34d 100644
--- a/trust/tests/test-token.c
+++ b/trust/tests/test-token.c
@@ -72,11 +72,11 @@ test_token_load (CuTest *cu)
setup (cu);
count = p11_token_load (test.token);
- CuAssertIntEquals (cu, 4, count);
+ CuAssertIntEquals (cu, 5, count);
- /* A certificate and trust object for each parsed object */
+ /* A certificate and trust object for each parsed object + builtin */
objects = p11_token_objects (test.token);
- CuAssertIntEquals (cu, count * 2, p11_dict_size (objects));
+ CuAssertIntEquals (cu, ((count - 1) * 2) + 1, p11_dict_size (objects));
teardown (cu);
}
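Review bot: The new expected value `((count - 1) * 2) + 1` and the updated `5` both encode the assumption that exactly one object returned by p11_token_load is the builtin root-list object rather than a parsed file, but the comment only says "+ builtin", which does not explain the `- 1` and the `+ 1`. Spelling the arithmetic out makes a later change to the number of builtin objects a deliberate edit instead of a puzzling failure: `/* A certificate and trust object for each parsed file, plus the single builtin root-list object, which is also included in 'count' */`.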
diff --git a/trust/token.c b/trust/token.c
index 8a607f0..8f2cb3d 100644
--- a/trust/token.c
+++ b/trust/token.c
@@ -42,6 +42,7 @@
#include "module.h"
#include "parser.h"
#include "pkcs11.h"
+#include "pkcs11x.h"
#include "token.h"
#include <sys/stat.h>
@@ -193,9 +194,32 @@ loader_load_paths (p11_token *token,
return total;
}
+static int
+load_builtin_objects (p11_token *token)
+{
+ CK_OBJECT_CLASS builtin = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
+ const char *vlabel = "Trust Anchor Roots";
+ CK_BBOOL vtrue = CK_TRUE;
+ CK_BBOOL vfalse = CK_FALSE;
+ CK_ATTRIBUTE *attrs;
+
+ CK_ATTRIBUTE klass = { CKA_CLASS, &builtin, sizeof (builtin) };
+ CK_ATTRIBUTE tok = { CKA_TOKEN, &vtrue, sizeof (vtrue) };
+ CK_ATTRIBUTE priv = { CKA_PRIVATE, &vfalse, sizeof (vfalse) };
+ CK_ATTRIBUTE modifiable = { CKA_MODIFIABLE, &vfalse, sizeof (vfalse) };
+ CK_ATTRIBUTE label = { CKA_LABEL, (void *)vlabel, strlen (vlabel) };
+
+ attrs = p11_attrs_build (NULL, &klass, &tok, &priv, &modifiable, &label, NULL);
+ return_val_if_fail (attrs != NULL, 0);
+
+ on_parser_object (attrs, token);
+ return 1;
+}
+
int
p11_token_load (p11_token *token)
{
+ int builtins;
int anchors;
int other;
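Review bot: On allocation failure `return_val_if_fail (attrs != NULL, 0)` makes load_builtin_objects return 0, which p11_token_load then folds into its total as if no builtin object existed, whereas the sibling loaders report failure with a negative value that the caller propagates (`if (anchors < 0) return anchors;`). Returning `-1` here and adding `if (builtins < 0) return builtins;` after the call in the `@@ -203,6 +227,8 @@` hunk keeps the error path consistent, so an out-of-memory condition is not reported as a successful load that merely lacks the object NSS uses to recognise this module as an anchor source. A short comment above the function would also help a reader who does not know NSS, e.g. `/* NSS looks for a CKO_NETSCAPE_BUILTIN_ROOT_LIST object to treat this module as a source of builtin trust anchors */`. Whether on_parser_object takes ownership of `attrs` is not visible in this hunk; presumably the parsed objects reach it the same way, but it is worth confirming that `attrs` is not leaked on that call.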
@@ -203,6 +227,8 @@ p11_token_load (p11_token *token)
return 0;
token->loaded = 1;
+ builtins = load_builtin_objects (token);
+
anchors = loader_load_paths (token, token->anchor_paths, P11_PARSE_FLAG_ANCHOR);
if (anchors < 0)
return anchors;
@@ -211,7 +237,7 @@ p11_token_load (p11_token *token)
if (other < 0)
return other;
- return anchors + other;
+ return anchors + builtins + other;
}
p11_dict *