[gnome-keyring/trust-store] [xdg-store] Trust assertions with same purpose/peer replace each other.



commit 0dff075a4470947bdf36341955d37fd578957d39
Author: Stef Walter <stefw collabora co uk>
Date:   Fri Nov 26 20:18:04 2010 +0000

    [xdg-store] Trust assertions with same purpose/peer replace each other.

 pkcs11/xdg-store/gkm-xdg-assertion.c    |    9 +--------
 pkcs11/xdg-store/gkm-xdg-trust.c        |   22 +++++++++-------------
 pkcs11/xdg-store/gkm-xdg-trust.h        |    2 +-
 pkcs11/xdg-store/tests/test-xdg-trust.c |   25 ++++++++++++++++---------
 4 files changed, 27 insertions(+), 31 deletions(-)
---
diff --git a/pkcs11/xdg-store/gkm-xdg-assertion.c b/pkcs11/xdg-store/gkm-xdg-assertion.c
index 33b024e..0c6fcde 100644
--- a/pkcs11/xdg-store/gkm-xdg-assertion.c
+++ b/pkcs11/xdg-store/gkm-xdg-assertion.c
@@ -130,7 +130,6 @@ factory_create_assertion (GkmSession *session, GkmTransaction *transaction,
                           CK_ATTRIBUTE_PTR attrs, CK_ULONG n_attrs)
 {
 	GkmAssertion *assertion;
-	GkmAssertion *previous;
 	CK_ASSERTION_TYPE type;
 	GkmManager *manager;
 	gboolean created = FALSE;
@@ -177,16 +176,10 @@ factory_create_assertion (GkmSession *session, GkmTransaction *transaction,
 
 	/* Add the assertion to the trust object */
 	if (!gkm_transaction_get_failed (transaction)) {
-		previous = gkm_xdg_trust_add_assertion (trust, GKM_ASSERTION (assertion), transaction);
+		gkm_xdg_trust_replace_assertion (trust, GKM_ASSERTION (assertion), transaction);
 		if (gkm_transaction_get_failed (transaction)) {
 			gkm_transaction_fail (transaction, CKR_GENERAL_ERROR);
 
-		/* If trust refused to add this object, return whatever we did add */
-		} else if (previous != assertion) {
-			g_assert (previous);
-			g_object_unref (assertion);
-			assertion = g_object_ref (previous);
-
 		/* A new trust assertion */
 		} else {
 			gkm_attributes_consume (attrs, n_attrs, CKA_G_ASSERTION_TYPE, CKA_G_PURPOSE, G_MAXULONG);
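Review bot: The comment `/* Add the assertion to the trust object */` above the `gkm_xdg_trust_replace_assertion` call no longer describes what the call does. Creating an assertion now removes an existing one with the same key, and the test updated in this commit shows the old handle returning `CKR_OBJECT_HANDLE_INVALID`. In a trust store that silent supersession should be spelled out, e.g. `/* Add the assertion to the trust object, replacing any existing assertion with the same purpose/peer; the replaced object's handle becomes invalid */`. If the key built by `lookup_or_create_assertion_key` does not include the assertion type (not visible here), a create can also swap one kind of assertion for another for the same peer, which is worth stating or guarding explicitly. The body of `factory_create_assertion` continues outside the hunk.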
diff --git a/pkcs11/xdg-store/gkm-xdg-trust.c b/pkcs11/xdg-store/gkm-xdg-trust.c
index df3f8a8..3012f46 100644
--- a/pkcs11/xdg-store/gkm-xdg-trust.c
+++ b/pkcs11/xdg-store/gkm-xdg-trust.c
@@ -834,31 +834,27 @@ gkm_xdg_trust_create_for_assertion (GkmModule *module, GkmManager *manager,
 	return trust;
 }
 
-GkmAssertion*
-gkm_xdg_trust_add_assertion (GkmXdgTrust *self, GkmAssertion *assertion,
+void
+gkm_xdg_trust_replace_assertion (GkmXdgTrust *self, GkmAssertion *assertion,
                              GkmTransaction *transaction)
 {
 	GkmAssertion *previous;
 	GByteArray *key;
 
-	g_return_val_if_fail (GKM_XDG_IS_TRUST (self), NULL);
-	g_return_val_if_fail (GKM_IS_ASSERTION (assertion), NULL);
-	g_return_val_if_fail (!transaction || GKM_IS_TRANSACTION (transaction), NULL);
+	g_return_if_fail (GKM_XDG_IS_TRUST (self));
+	g_return_if_fail (GKM_IS_ASSERTION (assertion));
+	g_return_if_fail (!transaction || GKM_IS_TRANSACTION (transaction));
 
 	/* Build up a key if we don't have one */
 	key = lookup_or_create_assertion_key (assertion);
 
-	/* Check if we alraedy have the assertion */
+	/* Remove any previous assertion with this key */
 	previous = g_hash_table_lookup (self->pv->assertions, key);
-
-	g_byte_array_unref (key);
-
-	/* Just return previous assertion, don't add */
 	if (previous != NULL)
-		return previous;
-
+		remove_assertion_from_trust (self, previous, transaction);
 	add_assertion_to_trust (self, assertion, transaction);
-	return assertion;
+
+	g_byte_array_unref (key);
 }
 
 void
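Review bot: `gkm_xdg_trust_replace_assertion` does not handle `previous == assertion`. In that case it calls `remove_assertion_from_trust` on the object and then `add_assertion_to_trust` on the same pointer, which is only safe if the caller holds its own reference; `remove_assertion_from_trust` is not visible here, so this is an inference. A guard before the removal avoids relying on that: `if (previous == assertion) { g_byte_array_unref (key); return; }`. The function also lacks a header comment. It should say that an existing assertion with the same key is removed as part of the transaction, and who holds a reference to `assertion` afterwards.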
diff --git a/pkcs11/xdg-store/gkm-xdg-trust.h b/pkcs11/xdg-store/gkm-xdg-trust.h
index 88bc872..a17f161 100644
--- a/pkcs11/xdg-store/gkm-xdg-trust.h
+++ b/pkcs11/xdg-store/gkm-xdg-trust.h
@@ -56,7 +56,7 @@ GkmXdgTrust*          gkm_xdg_trust_create_for_assertion   (GkmModule *module,
                                                             CK_ATTRIBUTE_PTR attrs,
                                                             CK_ULONG n_attrs);
 
-GkmAssertion*         gkm_xdg_trust_add_assertion          (GkmXdgTrust *trust,
+void                  gkm_xdg_trust_replace_assertion      (GkmXdgTrust *trust,
                                                             GkmAssertion *assertion,
                                                             GkmTransaction *transaction);
 
diff --git a/pkcs11/xdg-store/tests/test-xdg-trust.c b/pkcs11/xdg-store/tests/test-xdg-trust.c
index 5269705..2832722 100644
--- a/pkcs11/xdg-store/tests/test-xdg-trust.c
+++ b/pkcs11/xdg-store/tests/test-xdg-trust.c
@@ -471,7 +471,7 @@ TESTING_TEST (trust_create_assertion_twice)
 		{ CKA_ISSUER, (void*)DER_ISSUER, XL (DER_ISSUER) }
 	};
 
-	/* Should end up pointing to the same object */
+	/* First object should go away when we create an overlapping assertion */
 
 	rv = gkm_session_C_CreateObject (session, attrs, G_N_ELEMENTS (attrs), &object_1);
 	gkm_assert_cmprv (rv, ==, CKR_OK);
@@ -481,7 +481,11 @@ TESTING_TEST (trust_create_assertion_twice)
 	gkm_assert_cmprv (rv, ==, CKR_OK);
 	gkm_assert_cmpulong (object_2, !=, 0);
 
-	gkm_assert_cmpulong (object_1, ==, object_2);
+	gkm_assert_cmpulong (object_1, !=, object_2);
+
+	/* First object no longer exists */
+	rv = gkm_session_C_DestroyObject (session, object_1);
+	gkm_assert_cmprv (rv, ==, CKR_OBJECT_HANDLE_INVALID);
 }
 
 TESTING_TEST (trust_untrusted_assertion_has_no_cert_value)
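Review bot: The updated `trust_create_assertion_twice` checks that `object_1` is gone but never checks that `object_2` survived the replacement, so a regression that drops both assertions would still pass. After the `CKR_OBJECT_HANDLE_INVALID` check, add `rv = gkm_session_C_DestroyObject (session, object_2);` followed by `gkm_assert_cmprv (rv, ==, CKR_OK);`. The second create call sits outside the hunk.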
@@ -540,8 +544,6 @@ TESTING_TEST (trust_create_assertion_complete_on_token)
 	gkm_assert_cmprv (rv, ==, CKR_OK);
 	gkm_assert_cmpulong (check, !=, 0);
 
-	gkm_assert_cmpulong (check, ==, object);
-
 	rv = gkm_session_C_FindObjectsInit (session, attrs, G_N_ELEMENTS (attrs));
 	gkm_assert_cmprv (rv, ==, CKR_OK);
 	rv = gkm_session_C_FindObjects (session, results, G_N_ELEMENTS (results), &n_objects);
@@ -549,8 +551,9 @@ TESTING_TEST (trust_create_assertion_complete_on_token)
 	rv = gkm_session_C_FindObjectsFinal (session);
 	gkm_assert_cmprv (rv, ==, CKR_OK);
 
+	/* Second should have overwritten the first */
 	gkm_assert_cmpulong (n_objects, ==, 1);
-	gkm_assert_cmpulong (results[0], ==, object);
+	gkm_assert_cmpulong (results[0], ==, check);
 }
 
 static void
@@ -621,14 +624,18 @@ _assert_positive_netscape (CK_ASSERTION_TYPE assertion_type, const gchar *purpos
 #define assert_positive_netscape(a, b, c, d) \
 	_assert_positive_netscape (a, b, c, d, #a ", " #b ", " #c ", " #d)
 
-TESTING_TEST (trust_netscape_map_email)
+TESTING_TEST (trust_netscape_map_server_aunth)
 {
-	assert_positive_netscape (CKT_G_CERTIFICATE_TRUST_EXCEPTION, "1.3.6.1.5.5.7.3.4",
-	                          CKA_TRUST_EMAIL_PROTECTION, CKT_NETSCAPE_TRUSTED);
+	assert_positive_netscape (CKT_G_CERTIFICATE_TRUST_EXCEPTION, "1.3.6.1.5.5.7.3.1",
+	                          CKA_TRUST_SERVER_AUTH, CKT_NETSCAPE_TRUSTED);
+	assert_positive_netscape (CKT_G_CERTIFICATE_TRUST_ANCHOR, "1.3.6.1.5.5.7.3.1",
+	                          CKA_TRUST_SERVER_AUTH, CKT_NETSCAPE_TRUSTED_DELEGATOR);
 }
 
-TESTING_TEST (trust_netscape_map_email_anchor)
+TESTING_TEST (trust_netscape_map_email)
 {
+	assert_positive_netscape (CKT_G_CERTIFICATE_TRUST_EXCEPTION, "1.3.6.1.5.5.7.3.4",
+	                          CKA_TRUST_EMAIL_PROTECTION, CKT_NETSCAPE_TRUSTED);
 	assert_positive_netscape (CKT_G_CERTIFICATE_TRUST_ANCHOR, "1.3.6.1.5.5.7.3.4",
 	                          CKA_TRUST_EMAIL_PROTECTION, CKT_NETSCAPE_TRUSTED_DELEGATOR);
 }
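Review bot: The new test name `trust_netscape_map_server_aunth` is misspelled; it should read `TESTING_TEST (trust_netscape_map_server_auth)` so it matches `CKA_TRUST_SERVER_AUTH` when searched by name. The hunk also folds the former `trust_netscape_map_email_anchor` case into `trust_netscape_map_email`, so each test now creates an exception and then an anchor for the same purpose. If `_assert_positive_netscape` (defined outside the hunk) uses the same peer for both, the second call exercises the new replace path. A short comment saying so would make that intent explicit.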


