[gnome-keyring/trust-store] [gcr] Add config file for setting trust slot origin/storage
- From: Stefan Walter <stefw src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-keyring/trust-store] [gcr] Add config file for setting trust slot origin/storage
- Date: Sat, 18 Dec 2010 18:22:13 +0000 (UTC)
commit fef64c17c38ffaa6e1dc0839198e7d60beeaf81b
Author: Stef Walter <stef memberwebs com>
Date: Sat Dec 18 12:21:02 2010 -0600
[gcr] Add config file for setting trust slot origin/storage
Looks up which PKCS#11 slots to use for trust assertion lookups
and storage in /etc/pkcs11.conf
docs/reference/gcr/gcr-sections.txt | 4 +-
gcr/Makefile.am | 2 +-
gcr/gcr-library.c | 137 +++++++++++++++++++++++++++--------
gcr/gcr-library.h | 8 ++-
gcr/gcr-trust.c | 66 ++++++-----------
gcr/tests/test-certificate-chain.c | 6 ++-
gcr/tests/test-trust.c | 5 ++
7 files changed, 152 insertions(+), 76 deletions(-)
---
diff --git a/docs/reference/gcr/gcr-sections.txt b/docs/reference/gcr/gcr-sections.txt
index 2947d0d..95ba401 100644
--- a/docs/reference/gcr/gcr-sections.txt
+++ b/docs/reference/gcr/gcr-sections.txt
@@ -174,8 +174,10 @@ gcr_pkcs11_get_modules
gcr_pkcs11_set_modules
gcr_pkcs11_add_module
gcr_pkcs11_add_module_from_file
-gcr_pkcs11_get_trust_lookup_modules
+gcr_pkcs11_get_trust_lookup_slots
gcr_pkcs11_get_trust_store_slot
+gcr_pkcs11_get_trust_lookup_uris
+gcr_pkcs11_set_trust_lookup_uris
gcr_pkcs11_get_trust_store_uri
gcr_pkcs11_set_trust_store_uri
</SECTION>
diff --git a/gcr/Makefile.am b/gcr/Makefile.am
index aad078a..fc77e2c 100644
--- a/gcr/Makefile.am
+++ b/gcr/Makefile.am
@@ -75,7 +75,7 @@ libgcr GCR_VERSION_SUFFIX@_la_SOURCES = \
$(BUILT_SOURCES)
libgcr GCR_VERSION_SUFFIX@_la_CFLAGS = \
- -DPKCS11_MODULE_PATH=\""$(libdir)/gnome-keyring/gnome-keyring-pkcs11.so"\" \
+ -DPKCS11_CONF_PATH=\""$(sysconfdir)/pkcs11.conf"\" \
-DGCK_API_SUBJECT_TO_CHANGE \
-DGCR_API_SUBJECT_TO_CHANGE \
-DGCR_COMPILATION \
diff --git a/gcr/gcr-library.c b/gcr/gcr-library.c
index c6f912d..9ac37fa 100644
--- a/gcr/gcr-library.c
+++ b/gcr/gcr-library.c
@@ -52,12 +52,24 @@
* if you have special needs, you can use the gcr_pkcs11_set_modules() and
* gcr_pkcs11_add_module() to do so.
*
- * Trust assertions are stored and looked up in specific PKCS\#11 modules.
- * You can examine this list with gcr_pkcs11_get_trust_lookup_modules()
+ * Trust assertions are stored and looked up in specific PKCS\#11 slots.
+ * You can examine this list with gcr_pkcs11_get_trust_lookup_slots()
*/
static GList *all_modules = NULL;
static gchar *trust_store_uri = NULL;
+static gchar **trust_lookup_uris = NULL;
+
+const gchar DEFAULT_PKCS11_CONF[] =
+ "[trust-assertions]\n" \
+ "lookups=pkcs11:manufacturer=Gnome%20Keyring;serial=1:ROOTS:DEFAULT " \
+ "pkcs11:manufacturer=Gnome%20Keyring;serial=1:XDG:DEFAULT\n" \
+ "storage=pkcs11:manufacturer=Gnome%20Keyring;serial=1:XDG:DEFAULT\n" \
+;
+
+/* -----------------------------------------------------------------------------
+ * ERRORS
+ */
GQuark
gcr_data_error_get_domain (void)
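Review bot: `DEFAULT_PKCS11_CONF` is defined without `static`, so it has external linkage and becomes a symbol of the library, unlike the `static` globals declared just above it. As far as this diff shows it is only read in `_gcr_initialize`, so `static const gchar DEFAULT_PKCS11_CONF[] =` would be the safer declaration. The trailing `\` after each string line is not needed outside a macro, because adjacent literals concatenate on their own. A one-line comment saying these defaults apply only when the config file is absent would help anyone auditing which slots end up trusted.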
@@ -143,10 +155,17 @@ egg_memory_fallback (void *p, size_t sz)
return g_realloc (p, sz);
}
+/* -----------------------------------------------------------------------------
+ * INITIALIZATION
+ */
+
void
_gcr_initialize (void)
{
static volatile gsize gcr_initialized = 0;
+ GError *error = NULL;
+ GKeyFile *key_file;
+ gchar *value;
/* Initialize the libgcrypt library if needed */
egg_libgcrypt_initialize ();
@@ -154,8 +173,28 @@ _gcr_initialize (void)
if (g_once_init_enter (&gcr_initialized)) {
all_modules = gck_modules_initialize_registered (0);
- /* TODO: We should be loading this from a config file */
- trust_store_uri = g_strdup ("pkcs11:manufacturer=Gnome%20Keyring;serial=1:XDG:DEFAULT");
+ key_file = g_key_file_new ();
+ if (g_file_test (PKCS11_CONF_PATH, G_FILE_TEST_EXISTS)) {
+ if (!g_key_file_load_from_file (key_file, PKCS11_CONF_PATH,
+ G_KEY_FILE_NONE, &error)) {
+ g_warning ("couldn't parse %s file: %s", PKCS11_CONF_PATH,
+ egg_error_message (error));
+ g_clear_error (&error);
+ }
+ } else {
+ if (!g_key_file_load_from_data (key_file, DEFAULT_PKCS11_CONF,
+ strlen (DEFAULT_PKCS11_CONF),
+ G_KEY_FILE_NONE, NULL))
+ g_warn_if_reached ();
+ }
+
+ trust_store_uri = g_key_file_get_string (key_file, "trust-assertions", "storage", NULL);
+
+ value = g_key_file_get_string (key_file, "trust-assertions", "lookups", NULL);
+ trust_lookup_uris = g_strsplit_set (value ? value : "", " \t", -1);
+ g_free (value);
+
+ g_key_file_free (key_file);
g_once_init_leave (&gcr_initialized, 1);
}
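Review bot: When `PKCS11_CONF_PATH` exists but fails to parse, or parses without a `storage` or `lookups` key in `[trust-assertions]`, the two `g_key_file_get_string` calls still read from the empty key file, so `trust_store_uri` ends up NULL and `trust_lookup_uris` is empty. Only the parse failure is logged; a missing key is silent because the error argument is NULL. Ending up with no lookup slots is a reasonable fail-closed result for a file that decides where trust assertions come from, but it should be stated in a comment and made visible, e.g. `if (!trust_store_uri) g_warning ("no trust-assertions storage configured in %s", PKCS11_CONF_PATH);` plus the same for `lookups`. Separately, `g_strsplit_set (value, " \t", -1)` produces empty strings for repeated or trailing whitespace, and those empty entries are later handed to `gck_modules_token_for_uri()`; they should be skipped. `_gcr_initialize` begins before this hunk.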
@@ -259,7 +298,6 @@ gcr_pkcs11_add_module_from_file (const gchar *module_path, const gchar *init_par
/**
* gcr_pkcs11_get_trust_store_slot:
- * @error: a #GError or NULL
*
* Selects an appropriate PKCS\#11 slot to store trust assertions. The slot
* to use is normally configured automatically by the system.
@@ -269,50 +307,57 @@ gcr_pkcs11_add_module_from_file (const gchar *module_path, const gchar *init_par
* Returns: the #GckSlot to use for trust assertions.
*/
GckSlot*
-gcr_pkcs11_get_trust_store_slot (GError **error)
+gcr_pkcs11_get_trust_store_slot (void)
{
- GList *modules;
GckSlot *slot;
-
- g_return_val_if_fail (!error || !*error, NULL);
+ GError *error = NULL;
_gcr_initialize ();
- modules = gcr_pkcs11_get_trust_lookup_modules ();
-
- /*
- * TODO: We need a better way to figure this out as far as
- * being able to store trust. But for now just hard code in
- * gnome-keyring.
- */
- slot = gck_modules_token_for_uri (modules, gcr_pkcs11_get_trust_store_uri (), error);
+ slot = gck_modules_token_for_uri (all_modules, trust_store_uri, &error);
if (!slot) {
- if (error && !*error) {
- g_set_error (error, GCR_ERROR, /* TODO: */ 0,
- _("Unable to find a place to store trust choices."));
+ if (error) {
+ g_warning ("error finding slot to store trust assertions: %s: %s",
+ trust_store_uri, egg_error_message (error));
+ g_clear_error (&error);
}
}
- gck_list_unref_free (modules);
return slot;
}
/**
- * gcr_pkcs11_get_trust_lookup_modules:
+ * gcr_pkcs11_get_trust_lookup_slots:
*
- * List all the PKCS\#11 modules that are used by the GCR library for lookup
- * of trust assertions. Each module is a #GckModule object.
+ * List all the PKCS\#11 slots that are used by the GCR library for lookup
+ * of trust assertions. Each slot is a #GckSlot object.
*
* When done with the list, free it with gck_list_unref_free().
*
- * Returns: a list of #GckModule objects to use for lookup of trust.
+ * Returns: a list of #GckSlot objects to use for lookup of trust.
*/
GList*
-gcr_pkcs11_get_trust_lookup_modules (void)
+gcr_pkcs11_get_trust_lookup_slots (void)
{
- /* TODO: This should be configurable, for now all modules */
+ GList *results = NULL;
+ GError *error = NULL;
+ GckSlot *slot;
+ gchar **uri;
+
_gcr_initialize ();
- return gck_list_ref_copy (all_modules);
+
+ for (uri = trust_lookup_uris; uri && *uri; ++uri) {
+ slot = gck_modules_token_for_uri (all_modules, *uri, &error);
+ if (slot) {
+ results = g_list_append (results, slot);
+ } else if (error) {
+ g_warning ("error finding slot for trust assertions: %s: %s",
+ *uri, egg_error_message (error));
+ g_clear_error (&error);
+ }
+ }
+
+ return results;
}
/**
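Review bot: `gcr_pkcs11_get_trust_store_slot` passes `trust_store_uri` to `gck_modules_token_for_uri()` and to the `%s` in `g_warning` without checking it for NULL. It can be NULL when the config has no `storage` key or after `gcr_pkcs11_set_trust_store_uri (NULL)`. A guard right after `_gcr_initialize ()`, such as `if (!trust_store_uri) return NULL;`, avoids relying on how the callee treats a NULL URI, which is not visible here. The doc comment should also say that the function can return NULL now that the `@error` out-parameter is gone. The same silent path exists in `gcr_pkcs11_get_trust_lookup_slots`: a URI that matches no token and sets no error is dropped without any message, so a misconfigured lookup list is hard to diagnose; a `g_debug` naming the unmatched URI would help.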
@@ -335,7 +380,7 @@ gcr_pkcs11_get_trust_store_uri (void)
* @pkcs11_uri: the uri which identifies trust storage slot
*
* Set the PKCS\#11 URI that is used to identify which slot to use for
- * storing trust storage.
+ * storing trust assertions.
*
* It is not normally necessary to call this function. The relevant
* PKCS\#11 slot is automatically configured by the GCR library.
@@ -347,3 +392,37 @@ gcr_pkcs11_set_trust_store_uri (const gchar *pkcs11_uri)
g_free (trust_store_uri);
trust_store_uri = g_strdup (pkcs11_uri);
}
+
+
+/**
+ * gcr_pkcs11_get_trust_lookup_uris:
+ *
+ * Get the PKCS\#11 URIs that are used to identify which slots to use for
+ * lookup trust assertions.
+ *
+ * Returns: the uri which identifies trust storage slot
+ */
+const gchar**
+gcr_pkcs11_get_trust_lookup_uris (void)
+{
+ _gcr_initialize ();
+ return (const gchar**) trust_lookup_uris;
+}
+
+/**
+ * gcr_pkcs11_set_trust_lookup_uris:
+ * @pkcs11_uris: the uris which identifies trust lookup slots
+ *
+ * Set the PKCS\#11 URIs that are used to identify which slots to use for
+ * lookup of trust assertions.
+ *
+ * It is not normally necessary to call this function. The relevant
+ * PKCS\#11 slots are automatically configured by the GCR library.
+ */
+void
+gcr_pkcs11_set_trust_lookup_uris (const gchar **pkcs11_uris)
+{
+ _gcr_initialize ();
+ g_strfreev (trust_lookup_uris);
+ trust_lookup_uris = g_strdupv ((gchar**)pkcs11_uris);
+}
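Review bot: The `Returns:` line of `gcr_pkcs11_get_trust_lookup_uris` is copied from the store-URI getter and describes a single storage URI, while the function returns the library's own NULL-terminated array. I would document it as `Returns: a NULL-terminated array of lookup URIs, owned by the library; valid only until the next call to gcr_pkcs11_set_trust_lookup_uris()`. That lifetime matters because the setter calls `g_strfreev (trust_lookup_uris)`, so any caller still holding the earlier pointer is left with freed memory. No locking is visible around the global either, so the doc comments should say the setter is meant to be called during setup, before other threads perform trust lookups. The phrase "lookup trust assertions" in the getter's description should read "lookup of trust assertions", matching the setter.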
diff --git a/gcr/gcr-library.h b/gcr/gcr-library.h
index d1204fe..61317aa 100644
--- a/gcr/gcr-library.h
+++ b/gcr/gcr-library.h
@@ -42,9 +42,13 @@ gboolean gcr_pkcs11_add_module_from_file (const gchar *module_
const gchar *init_params,
GError **error);
-GList* gcr_pkcs11_get_trust_lookup_modules (void);
+GList* gcr_pkcs11_get_trust_lookup_slots (void);
-GckSlot* gcr_pkcs11_get_trust_store_slot (GError **error);
+GckSlot* gcr_pkcs11_get_trust_store_slot (void);
+
+const gchar** gcr_pkcs11_get_trust_lookup_uris (void);
+
+void gcr_pkcs11_set_trust_lookup_uris (const gchar **pkcs11_uris);
const gchar* gcr_pkcs11_get_trust_store_uri (void);
diff --git a/gcr/gcr-trust.c b/gcr/gcr-trust.c
index 333102e..f53ee91 100644
--- a/gcr/gcr-trust.c
+++ b/gcr/gcr-trust.c
@@ -35,6 +35,8 @@
#include "pkcs11/pkcs11i.h"
#include "pkcs11/pkcs11x.h"
+#include <glib/gi18n-lib.h>
+
/**
* SECTION:gcr-trust
* @title: Trust Storage and Lookups
@@ -175,7 +177,7 @@ prepare_is_certificate_pinned (GcrCertificate *certificate, const gchar *purpose
{
GckAttributes *attrs;
GckEnumerator *en;
- GList *modules;
+ GList *slots;
attrs = prepare_trust_attrs (certificate, CKT_X_PINNED_CERTIFICATE);
g_return_val_if_fail (attrs, NULL);
@@ -183,17 +185,11 @@ prepare_is_certificate_pinned (GcrCertificate *certificate, const gchar *purpose
gck_attributes_add_string (attrs, CKA_X_PURPOSE, purpose);
gck_attributes_add_string (attrs, CKA_X_PEER, peer);
- /*
- * TODO: We need to be able to sort the modules by preference
- * on which sources of trust storage we want to read over which
- * others.
- */
-
- modules = gcr_pkcs11_get_trust_lookup_modules ();
- en = gck_modules_enumerate_objects (modules, attrs, 0);
+ slots = gcr_pkcs11_get_trust_lookup_slots ();
+ en = gck_slots_enumerate_objects (slots, attrs, 0);
trust_operation_init (en, attrs);
gck_attributes_unref (attrs);
- gck_list_unref_free (modules);
+ gck_list_unref_free (slots);
return en;
}
@@ -363,7 +359,7 @@ prepare_add_pinned_certificate (GcrCertificate *certificate, const gchar *purpos
{
GckAttributes *attrs;
GckEnumerator *en;
- GList *modules;
+ GList *slots;
attrs = prepare_trust_attrs (certificate, CKT_X_PINNED_CERTIFICATE);
g_return_val_if_fail (attrs, NULL);
@@ -372,17 +368,11 @@ prepare_add_pinned_certificate (GcrCertificate *certificate, const gchar *purpos
gck_attributes_add_string (attrs, CKA_X_PEER, peer);
gck_attributes_add_boolean (attrs, CKA_TOKEN, TRUE);
- /*
- * TODO: We need to be able to sort the modules by preference
- * on which sources of trust storage we want to read over which
- * others.
- */
-
- modules = gcr_pkcs11_get_trust_lookup_modules ();
- en = gck_modules_enumerate_objects (modules, attrs, CKF_RW_SESSION);
+ slots = gcr_pkcs11_get_trust_lookup_slots ();
+ en = gck_slots_enumerate_objects (slots, attrs, CKF_RW_SESSION);
trust_operation_init (en, attrs);
gck_attributes_unref (attrs);
- gck_list_unref_free (modules);
+ gck_list_unref_free (slots);
return en;
}
@@ -421,8 +411,12 @@ perform_add_pinned_certificate (GckEnumerator *en, GCancellable *cancellable, GE
/* TODO: Add relevant label */
/* Find an appropriate token */
- slot = gcr_pkcs11_get_trust_store_slot (error);
- if (slot != NULL) {
+ slot = gcr_pkcs11_get_trust_store_slot ();
+ if (slot == NULL) {
+ g_set_error (error, GCK_ERROR, CKR_FUNCTION_FAILED,
+ _("Couldn't find a place to store the pinned certificate"));
+ ret = FALSE;
+ } else {
session = gck_slot_open_session (slot, CKF_RW_SESSION, NULL, error);
if (session != NULL) {
object = gck_session_create_object (session, attrs, cancellable, error);
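Review bot: The new `g_set_error` call passes the translated string `_("Couldn't find a place to store the pinned certificate")` as the printf format, so a translation containing a `%` sequence would be interpreted as a conversion. Since the message takes no arguments, use `g_set_error_literal (error, GCK_ERROR, CKR_FUNCTION_FAILED, _("Couldn't find a place to store the pinned certificate"));` instead. `perform_add_pinned_certificate` starts and ends outside this hunk, so the rest of its error handling is not visible here.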
@@ -589,7 +583,7 @@ prepare_remove_pinned_certificate (GcrCertificate *certificate, const gchar *pur
{
GckAttributes *attrs;
GckEnumerator *en;
- GList *modules;
+ GList *slots;
attrs = prepare_trust_attrs (certificate, CKT_X_PINNED_CERTIFICATE);
g_return_val_if_fail (attrs, NULL);
@@ -597,17 +591,11 @@ prepare_remove_pinned_certificate (GcrCertificate *certificate, const gchar *pur
gck_attributes_add_string (attrs, CKA_X_PURPOSE, purpose);
gck_attributes_add_string (attrs, CKA_X_PEER, peer);
- /*
- * TODO: We need to be able to sort the modules by preference
- * on which sources of trust storage we want to read over which
- * others.
- */
-
- modules = gcr_pkcs11_get_trust_lookup_modules ();
- en = gck_modules_enumerate_objects (modules, attrs, CKF_RW_SESSION);
+ slots = gcr_pkcs11_get_trust_lookup_slots ();
+ en = gck_slots_enumerate_objects (slots, attrs, CKF_RW_SESSION);
trust_operation_init (en, attrs);
gck_attributes_unref (attrs);
- gck_list_unref_free (modules);
+ gck_list_unref_free (slots);
return en;
}
@@ -787,24 +775,18 @@ prepare_is_certificate_anchored (GcrCertificate *certificate, const gchar *purpo
{
GckAttributes *attrs;
GckEnumerator *en;
- GList *modules;
+ GList *slots;
attrs = prepare_trust_attrs (certificate, CKT_X_ANCHORED_CERTIFICATE);
g_return_val_if_fail (attrs, NULL);
gck_attributes_add_string (attrs, CKA_X_PURPOSE, purpose);
- /*
- * TODO: We need to be able to sort the modules by preference
- * on which sources of trust storage we want to read over which
- * others.
- */
-
- modules = gcr_pkcs11_get_trust_lookup_modules ();
- en = gck_modules_enumerate_objects (modules, attrs, 0);
+ slots = gcr_pkcs11_get_trust_lookup_slots ();
+ en = gck_slots_enumerate_objects (slots, attrs, 0);
trust_operation_init (en, attrs);
gck_attributes_unref (attrs);
- gck_list_unref_free (modules);
+ gck_list_unref_free (slots);
return en;
}
diff --git a/gcr/tests/test-certificate-chain.c b/gcr/tests/test-certificate-chain.c
index 8a3856a..94a7d3b 100644
--- a/gcr/tests/test-certificate-chain.c
+++ b/gcr/tests/test-certificate-chain.c
@@ -105,6 +105,7 @@ TESTING_SETUP (certificate_chain)
CK_FUNCTION_LIST_PTR f;
guchar *contents;
gsize n_contents;
+ const gchar *uris[2];
CK_RV rv;
GckModule *module;
@@ -120,6 +121,9 @@ TESTING_SETUP (certificate_chain)
module = gck_module_new (&funcs, 0);
modules = g_list_prepend (modules, module);
gcr_pkcs11_set_modules (modules);
+ uris[0] = GCK_MOCK_SLOT_ONE_URI;
+ uris[1] = NULL;
+ gcr_pkcs11_set_trust_lookup_uris (uris);
gcr_pkcs11_set_trust_store_uri (GCK_MOCK_SLOT_ONE_URI);
gck_list_unref_free (modules);
@@ -367,7 +371,7 @@ TESTING_TEST (certificate_chain_complete_async)
{
GcrCertificateChain *chain;
GError *error = NULL;
- GAsyncResult *result;
+ GAsyncResult *result = NULL;
chain = gcr_certificate_chain_new ();
diff --git a/gcr/tests/test-trust.c b/gcr/tests/test-trust.c
index 0bb0215..923dcd5 100644
--- a/gcr/tests/test-trust.c
+++ b/gcr/tests/test-trust.c
@@ -44,6 +44,7 @@ TESTING_SETUP (trust_setup)
CK_FUNCTION_LIST_PTR f;
GckModule *module;
guchar *contents;
+ const gchar *uris[2];
gsize len;
CK_RV rv;
@@ -67,7 +68,11 @@ TESTING_SETUP (trust_setup)
gcr_pkcs11_set_modules (modules);
gck_list_unref_free (modules);
+ uris[0] = GCK_MOCK_SLOT_ONE_URI;
+ uris[1] = NULL;
+
gcr_pkcs11_set_trust_store_uri (GCK_MOCK_SLOT_ONE_URI);
+ gcr_pkcs11_set_trust_lookup_uris (uris);
}
TESTING_TEARDOWN (trust_setup)