trust: Update frob-nss-tool so it can compare modules for trust info

Can run with two modules now so that it can compare tokens NSS trust info.
author: Stef Walter <stefw@gnome.org> 2013-03-15 19:38:01 +0100
committer: Stef Walter <stefw@gnome.org> 2013-03-15 19:38:01 +0100
commit: 57e835d55f6eae39c25b97e35efe0cb58e46b897 (patch)
tree: 7437615eec67552eb345e84c3ef793fac7a959a9
parent: 7fd74a78fcad81227be3650239669bca5851a1db (diff)
download: p11-kit-57e835d55f6eae39c25b97e35efe0cb58e46b897.tar.gz
3 files changed, 164 insertions, 35 deletions
diff --git a/common/attrs.c b/common/attrs.c
index 62b35cd..0b8032c 100644
--- a/common/attrs.c
+++ b/common/attrs.c
@@ -380,6 +380,7 @@ p11_attrs_findn_valid (CK_ATTRIBUTE *attrs,
 	return NULL;
 }
 
+
 bool
 p11_attrs_remove (CK_ATTRIBUTE *attrs,
                   CK_ATTRIBUTE_TYPE type)
@@ -404,6 +405,28 @@ p11_attrs_remove (CK_ATTRIBUTE *attrs,
 	return true;
 }
 
+void
+p11_attrs_purge (CK_ATTRIBUTE *attrs)
+{
+	int in, out;
+
+	for (in = 0, out = 0; !p11_attrs_is_empty (attrs + in); in++) {
+		if (attrs[in].ulValueLen == (CK_ULONG)-1) {
+			free (attrs[in].pValue);
+			attrs[in].pValue = NULL;
+			attrs[in].ulValueLen = 0;
+		} else {
+			if (in != out)
+				memcpy (attrs + out, attrs + in, sizeof (CK_ATTRIBUTE));
+			out++;
+		}
+	}
+
+	attrs[out].type = CKA_INVALID;
+	assert (p11_attrs_is_empty (attrs + out));
+
+}
+
 bool
 p11_attrs_match (const CK_ATTRIBUTE *attrs,
                  const CK_ATTRIBUTE *match)
diff --git a/common/attrs.h b/common/attrs.h
index 4e3f46c..619403d 100644
--- a/common/attrs.h
+++ b/common/attrs.h
@@ -59,6 +59,8 @@ CK_ATTRIBUTE *      p11_attrs_merge         (CK_ATTRIBUTE *attrs,
                                              CK_ATTRIBUTE *merge,
                                              bool replace);
 
+void                p11_attrs_purge         (CK_ATTRIBUTE *attrs);
+
 bool                p11_attrs_is_empty      (const CK_ATTRIBUTE *attrs);
 
 CK_ULONG            p11_attrs_count         (const CK_ATTRIBUTE *attrs);
diff --git a/trust/tests/frob-nss-trust.c b/trust/tests/frob-nss-trust.c
index 9ae0b27..790362f 100644
--- a/trust/tests/frob-nss-trust.c
+++ b/trust/tests/frob-nss-trust.c
@@ -34,9 +34,10 @@
 
 #include "config.h"
 
-#include "common/attrs.h"
-#include "common/debug.h"
-#include "common/pkcs11x.h"
+#include "compat.h"
+#include "attrs.h"
+#include "debug.h"
+#include "pkcs11x.h"
 
 #include "p11-kit/iter.h"
 #include "p11-kit/p11-kit.h"
@@ -45,59 +46,162 @@
 #include <stdlib.h>
 #include <string.h>
 
-int
-main (int argc,
-      char *argv[])
+static void
+dump_object (P11KitIter *iter,
+             CK_ATTRIBUTE *attrs)
+{
+	CK_ATTRIBUTE label = { CKA_LABEL, };
+	CK_ATTRIBUTE *attr;
+	char *string;
+	char *name;
+	CK_RV rv;
+
+	attr = p11_attrs_find_valid (attrs, CKA_LABEL);
+	if (!attr) {
+		rv = p11_kit_iter_load_attributes (iter, &label, 1);
+		if (rv == CKR_OK)
+			attr = &label;
+	}
+
+	if (attr)
+		name = strndup (attr->pValue, attr->ulValueLen);
+	else
+		name = strdup ("unknown");
+
+	string = p11_attrs_to_string (attrs);
+	printf ("\"%s\" = %s\n", name, string);
+	free (string);
+
+	free (label.pValue);
+}
+
+static int
+dump_trust_module (const char *path)
 {
 	CK_FUNCTION_LIST *module;
-	CK_TRUST untrusted = CKT_NSS_NOT_TRUSTED;
-	CK_ATTRIBUTE server_not_trusted =
-		{ CKA_TRUST_SERVER_AUTH, &untrusted, sizeof (untrusted) };
+	CK_OBJECT_CLASS nss_trust = CKO_NSS_TRUST;
+	CK_ATTRIBUTE match =
+		{ CKA_CLASS, &nss_trust, sizeof (nss_trust) };
 	P11KitIter *iter;
+	CK_ATTRIBUTE *attrs;
 	CK_RV rv;
-	char *string;
 
-	CK_ATTRIBUTE attrs[] = {
-		{ CKA_CLASS, NULL, 0 },
-		{ CKA_LABEL, NULL, 0  },
-		{ CKA_ISSUER, NULL, 0  },
-		{ CKA_SERIAL_NUMBER, NULL, 0  },
-		{ CKA_TRUST_SERVER_AUTH, NULL, 0  },
-		{ CKA_TRUST_EMAIL_PROTECTION, NULL, 0  },
-		{ CKA_TRUST_CODE_SIGNING, NULL, 0  },
-		{ CKA_TRUST_STEP_UP_APPROVED, NULL, 0  },
+	CK_ATTRIBUTE template[] = {
+		{ CKA_CLASS,},
+		{ CKA_LABEL, },
+		{ CKA_CERT_MD5_HASH, },
+		{ CKA_CERT_SHA1_HASH },
+		{ CKA_ISSUER, },
+		{ CKA_SERIAL_NUMBER, },
+		{ CKA_TRUST_SERVER_AUTH, },
+		{ CKA_TRUST_EMAIL_PROTECTION, },
+		{ CKA_TRUST_CODE_SIGNING, },
+		{ CKA_TRUST_STEP_UP_APPROVED, },
 		{ CKA_INVALID, }
 	};
 
-	CK_ULONG count = p11_attrs_count (attrs);
-	CK_ULONG i;
+	CK_ULONG count = p11_attrs_count (template);
 
-	if (argc != 2) {
-		fprintf (stderr, "usage: frob-nss-trust module\n");
-		return 2;
-	}
-
-	rv = p11_kit_load_initialize_module (argv[1], &module);
+	rv = p11_kit_load_initialize_module (path, &module);
 	return_val_if_fail (rv == CKR_OK, 1);
 
 	iter = p11_kit_iter_new (NULL);
-	p11_kit_iter_add_filter (iter, &server_not_trusted, 1);
+	p11_kit_iter_add_filter (iter, &match, 1);
 	p11_kit_iter_begin_with (iter, module, 0, 0);
 
 	while ((rv = p11_kit_iter_next (iter)) == CKR_OK) {
+		attrs = p11_attrs_dup (template);
 		rv = p11_kit_iter_load_attributes (iter, attrs, count);
-		return_val_if_fail (rv == CKR_OK, 1);
-		string = p11_attrs_to_string (attrs);
-		printf ("%s\n", string);
-		free (string);
+		return_val_if_fail (rv == CKR_OK || rv == CKR_ATTRIBUTE_VALUE_INVALID, 1);
+		p11_attrs_purge (attrs);
+		dump_object (iter, attrs);
+		p11_attrs_free (attrs);
 	}
 
 	return_val_if_fail (rv == CKR_CANCEL, 1);
 
-	for (i = 0; i < count; i++)
-		free (attrs[i].pValue);
-
 	p11_kit_finalize_module (module);
 
 	return 0;
 }
+
+static int
+compare_trust_modules (const char *path1,
+                       const char *path2)
+{
+	CK_FUNCTION_LIST *module1;
+	CK_FUNCTION_LIST *module2;
+	CK_OBJECT_CLASS nss_trust = CKO_NSS_TRUST;
+	CK_ATTRIBUTE match =
+		{ CKA_CLASS, &nss_trust, sizeof (nss_trust) };
+	P11KitIter *iter;
+	P11KitIter *iter2;
+	CK_ATTRIBUTE *check;
+	CK_RV rv;
+
+	CK_ATTRIBUTE template[] = {
+		{ CKA_CLASS, },
+		{ CKA_ISSUER, },
+		{ CKA_SERIAL_NUMBER, },
+		{ CKA_CERT_MD5_HASH, },
+		{ CKA_CERT_SHA1_HASH },
+		{ CKA_TRUST_SERVER_AUTH, },
+		{ CKA_TRUST_EMAIL_PROTECTION, },
+		{ CKA_TRUST_CODE_SIGNING, },
+		{ CKA_TRUST_STEP_UP_APPROVED, },
+		{ CKA_INVALID, }
+	};
+
+	rv = p11_kit_load_initialize_module (path1, &module1);
+	return_val_if_fail (rv == CKR_OK, 1);
+
+	rv = p11_kit_load_initialize_module (path2, &module2);
+	return_val_if_fail (rv == CKR_OK, 1);
+
+	iter = p11_kit_iter_new (NULL);
+	p11_kit_iter_add_filter (iter, &match, 1);
+	p11_kit_iter_begin_with (iter, module1, 0, 0);
+
+	while ((rv = p11_kit_iter_next (iter)) == CKR_OK) {
+		check = p11_attrs_dup (template);
+
+		rv = p11_kit_iter_load_attributes (iter, check, p11_attrs_count (check));
+		return_val_if_fail (rv == CKR_OK || rv == CKR_ATTRIBUTE_TYPE_INVALID, 1);
+
+		/* Go through and remove anything not found */
+		p11_attrs_purge (check);
+
+		/* Check that this object exists */
+		iter2 = p11_kit_iter_new (NULL);
+		p11_kit_iter_add_filter (iter2, check, p11_attrs_count (check));
+		p11_kit_iter_begin_with (iter2, module2, 0, 0);
+		rv = p11_kit_iter_next (iter2);
+		p11_kit_iter_free (iter2);
+
+		if (rv != CKR_OK)
+			dump_object (iter, check);
+
+		p11_attrs_free (check);
+	}
+
+	return_val_if_fail (rv == CKR_CANCEL, 1);
+	p11_kit_finalize_module (module1);
+	p11_kit_finalize_module (module2);
+
+	return 0;
+}
+
+int
+main (int argc,
+      char *argv[])
+{
+	if (argc == 2) {
+		return dump_trust_module (argv[1]);
+	} else if (argc == 3) {
+		return compare_trust_modules (argv[1], argv[2]);
+	} else {
+		fprintf (stderr, "usage: frob-nss-trust module\n");
+		fprintf (stderr, "       frob-nss-trust module1 module2\n");
+		return 2;
+	}
+}
author	Stef Walter <stefw@gnome.org>	2013-03-15 19:38:01 +0100
committer	Stef Walter <stefw@gnome.org>	2013-03-15 19:38:01 +0100
commit	57e835d55f6eae39c25b97e35efe0cb58e46b897 (patch)
tree	7437615eec67552eb345e84c3ef793fac7a959a9
parent	7fd74a78fcad81227be3650239669bca5851a1db (diff)
download	p11-kit-57e835d55f6eae39c25b97e35efe0cb58e46b897.tar.gz