From: Nikos Mavrogiannopoulos Date: Sun, 21 Dec 2014 18:33:22 +0000 (+0200) Subject: first attempt to unify obj_attrs with obj_flags X-Git-Tag: gnutls_3_4_0~449 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=853722becfd214dad05d7d7ca38fb3d8a31a77e3;p=thirdparty%2Fgnutls.git first attempt to unify obj_attrs with obj_flags
---
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index 3bb27e1521..1fdfc02801 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -237,28 +237,31 @@ int gnutls_pkcs11_obj_get_info(gnutls_pkcs11_obj_t crt, /** * gnutls_pkcs11_obj_attr_t: - * @GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL: Specify all certificates in the specified token. - * @GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED: Specify all certificates marked as trusted in the specified token. - * @GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA: Specify all certificates marked as trusted and are CAs in the specified token. - * @GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY: Specify all certificates with a corresponding private key in the specified token. + * @GNUTLS_PKCS11_OBJ_ATTR_CRT: Specify all certificates in the specified token. * @GNUTLS_PKCS11_OBJ_ATTR_PUBKEY: Specify all public keys in the specified token. - * @GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY: Specify all private keys in the specified token. - * @GNUTLS_PKCS11_OBJ_ATTR_ALL: Specify all objects in the specified token. - * @GNUTLS_PKCS11_OBJ_ATTR_MATCH: Only the objects that match the URL. + * @GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED: Restrict to objects which are marked as trusted + * @GNUTLS_PKCS11_OBJ_ATTR_MARKED_CA: Restrict to certificates which are marked as CA + * @GNUTLS_PKCS11_OBJ_ATTR_WITH_PRIVKEY: Restrict to objects which have a corresponding private key * - * Enumeration of several attributes for object enumeration. + * This a list of flags to be used in combination with each other (since GnuTLS 3.4.0). They + * are used for matching and obtaining a list of objects. */ typedef enum { - GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL = 1, /* all certificates */ - GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, /* certificates marked as trusted */ - GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY, /* certificates with corresponding private key */ - GNUTLS_PKCS11_OBJ_ATTR_PUBKEY, /* public keys */ - GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY, /* private keys */ - GNUTLS_PKCS11_OBJ_ATTR_ALL, /* everything! 
*/ - GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA, /* CAs */ - GNUTLS_PKCS11_OBJ_ATTR_MATCH + GNUTLS_PKCS11_OBJ_ATTR_CRT = 1, /* all certificates */ + GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED = 1<<1, /* certificates marked as trusted */ + GNUTLS_PKCS11_OBJ_ATTR_WITH_PRIVKEY = 1<<2, /* certificates with corresponding private key */ + GNUTLS_PKCS11_OBJ_ATTR_PUBKEY = 1<<3, /* public keys */ + GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY = 1<<4, /* private keys */ + GNUTLS_PKCS11_OBJ_ATTR_MARKED_CA = 1<<5, /* CAs */ } gnutls_pkcs11_obj_attr_t; +#define GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL GNUTLS_PKCS11_OBJ_ATTR_CRT +#define GNUTLS_PKCS11_OBJ_ATTR_MATCH 0 /* always match the given URL */ +#define GNUTLS_PKCS11_OBJ_ATTR_ALL 0 /* match everything! */ +#define GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED (GNUTLS_PKCS11_OBJ_ATTR_CRT|GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED) +#define GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY (GNUTLS_PKCS11_OBJ_ATTR_CRT|GNUTLS_PKCS11_OBJ_ATTR_WITH_PRIVKEY) +#define GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA (GNUTLS_PKCS11_OBJ_ATTR_CRT|GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED|GNUTLS_PKCS11_OBJ_ATTR_MARKED_CA) + /** * gnutls_pkcs11_token_info_t: * @GNUTLS_PKCS11_TOKEN_LABEL: The token's label (string) diff --git a/lib/pkcs11.c b/lib/pkcs11.c index f0d2f63bb2..7c0389adaa 100644 --- a/lib/pkcs11.c +++ b/lib/pkcs11.c @@ -2445,7 +2445,7 @@ find_objs_cb(struct pkcs11_session_info *sinfo, char certid_tmp[PKCS11_ID_SIZE]; int ret; struct find_pkey_list_st plist; /* private key holder */ - unsigned int i, tot_values = 0; + unsigned int i, tot_values = 0, class_set = 0; if (tinfo == NULL) { gnutls_assert(); @@ -2462,7 +2462,7 @@ find_objs_cb(struct pkcs11_session_info *sinfo, memset(&plist, 0, sizeof(plist)); - if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY) { + if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_WITH_PRIVKEY) { ret = find_privkeys(sinfo, tinfo, &plist); if (ret < 0) { gnutls_assert(); 
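Review bot: The new comment block says the flags are "to be used in combination with each other", but GNUTLS_PKCS11_OBJ_ATTR_CRT, _PUBKEY and _PRIVKEY each select a single CKA_CLASS, so only one of them can be meaningful in one query; the @-list should state that, e.g. ` * Only one of the CRT, PUBKEY and PRIVKEY class flags may be given per call; the MARKED_* and WITH_PRIVKEY flags narrow that selection.` GNUTLS_PKCS11_OBJ_ATTR_MATCH and GNUTLS_PKCS11_OBJ_ATTR_ALL both expand to 0 yet carry different comments ("always match the given URL" versus "match everything!"), which invites a reader to expect different behaviour from two identical values; one shared comment such as `/* 0: no class restriction, match whatever the URL selects */` on both lines would be clearer. The @-list also drops the PRIVKEY entry although the enum keeps GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY, the MARKED_TRUSTED and WITH_PRIVKEY enum comments still say "certificates" while the @-doc says "objects", and "This a list" is missing "is".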
@@ -2485,123 +2485,89 @@ find_objs_cb(struct pkcs11_session_info *sinfo, type = CKC_X_509; } - /* Find objects with cert class and X.509 cert type. */ - tot_values = 0; - - if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL - || find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY) - { + if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_CRT) { class = CKO_CERTIFICATE; - type = CKC_X_509; - trusted = 1; a[tot_values].type = CKA_CLASS; a[tot_values].value = &class; a[tot_values].value_len = sizeof class; tot_values++; + class_set = 1; + type = CKC_X_509; a[tot_values].type = CKA_CERTIFICATE_TYPE; a[tot_values].value = &type; a[tot_values].value_len = sizeof type; tot_values++; + _gnutls_assert_log("p11 attrs: CKA_CLASS (CERT), CKA_CERTIFICATE_TYPE\n"); + } - } else if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_MATCH) { - if (class != (ck_object_class_t)-1) { - a[tot_values].type = CKA_CLASS; - a[tot_values].value = &class; - a[tot_values].value_len = sizeof class; - tot_values++; - } - - attr = p11_kit_uri_get_attribute(find_data->info, CKA_ID); - if (attr) { - a[tot_values].type = CKA_ID; - a[tot_values].value = attr->value; - a[tot_values].value_len = attr->value_len; - tot_values++; - } - - attr = p11_kit_uri_get_attribute(find_data->info, CKA_LABEL); - if (attr) { - a[tot_values].type = CKA_LABEL; - a[tot_values].value = attr->value; - a[tot_values].value_len = attr->value_len; - tot_values++; - } - } else if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED) { - class = CKO_CERTIFICATE; - type = CKC_X_509; - trusted = 1; + if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_PUBKEY) { + class = CKO_PUBLIC_KEY; a[tot_values].type = CKA_CLASS; a[tot_values].value = &class; a[tot_values].value_len = sizeof class; tot_values++; + class_set = 1; + _gnutls_assert_log("p11 attrs: CKA_CLASS (PUBLIC KEY)\n"); + } - a[tot_values].type = CKA_TRUSTED; - a[tot_values].value = &trusted; - a[tot_values].value_len = sizeof trusted; - tot_values++; - - } else if 
(find_data->flags == - GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA) { - class = CKO_CERTIFICATE; - type = CKC_X_509; - trusted = 1; + if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY) { + class = CKO_PRIVATE_KEY; a[tot_values].type = CKA_CLASS; a[tot_values].value = &class; a[tot_values].value_len = sizeof class; tot_values++; + class_set = 1; + _gnutls_assert_log("p11 attrs: CKA_CLASS (PRIVATE KEY)\n"); + } + if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED) { + trusted = 1; a[tot_values].type = CKA_TRUSTED; a[tot_values].value = &trusted; a[tot_values].value_len = sizeof trusted; tot_values++; + _gnutls_assert_log("p11 attrs: CKA_TRUSTED\n"); + } + if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_MARKED_CA) { category = 2; a[tot_values].type = CKA_CERTIFICATE_CATEGORY; a[tot_values].value = &category; a[tot_values].value_len = sizeof category; tot_values++; - } else if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_PUBKEY) { - class = CKO_PUBLIC_KEY; + _gnutls_assert_log("p11 attrs: CKA_CERTIFICATE_CATEGORY=CA\n"); + } + if (class_set == 0 && class != (ck_object_class_t)-1) { a[tot_values].type = CKA_CLASS; a[tot_values].value = &class; a[tot_values].value_len = sizeof class; tot_values++; - } else if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY) { - class = CKO_PRIVATE_KEY; + class_set = 1; + _gnutls_assert_log("p11 attrs: CKA_CLASS\n"); + } - a[tot_values].type = CKA_CLASS; - a[tot_values].value = &class; - a[tot_values].value_len = sizeof class; + attr = p11_kit_uri_get_attribute(find_data->info, CKA_ID); + if (attr) { + a[tot_values].type = CKA_ID; + a[tot_values].value = attr->value; + a[tot_values].value_len = attr->value_len; tot_values++; - } else if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_ALL) { - if (class != (ck_object_class_t) - 1) { - a[tot_values].type = CKA_CLASS; - a[tot_values].value = &class; - a[tot_values].value_len = sizeof class; - tot_values++; - } - if (type != (ck_certificate_type_t) - 1) { - a[tot_values].type = 
CKA_CERTIFICATE_TYPE; - a[tot_values].value = &type; - a[tot_values].value_len = sizeof type; - tot_values++; - } - } else { - gnutls_assert(); - ret = GNUTLS_E_INVALID_REQUEST; - goto fail; + _gnutls_assert_log("p11 attrs: CKA_ID\n"); } - attr = p11_kit_uri_get_attribute(find_data->info, CKA_ID); - if (attr != NULL) { - memcpy(a + tot_values, attr, sizeof(struct ck_attribute)); + attr = p11_kit_uri_get_attribute(find_data->info, CKA_LABEL); + if (attr) { + a[tot_values].type = CKA_LABEL; + a[tot_values].value = attr->value; + a[tot_values].value_len = attr->value_len; tot_values++; + _gnutls_assert_log("p11 attrs: CKA_LABEL\n"); } rv = pkcs11_find_objects_init(sinfo->module, sinfo->pks, a, @@ -2644,8 +2610,7 @@ find_objs_cb(struct pkcs11_session_info *sinfo, id.size = 0; } - if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_ALL || - find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_MATCH) { + if (class_set == 0) { a[0].type = CKA_CLASS; a[0].value = &class; a[0].value_len = sizeof class; @@ -2657,8 +2622,7 @@ find_objs_cb(struct pkcs11_session_info *sinfo, } } - if (find_data->flags == - GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY) { + if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY) { for (i = 0; i < plist.key_ids_size; i++) { if (plist.key_ids[i].length != id.size diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c index 471a6ca90b..dda1b131a5 100644 --- a/lib/x509/verify-high2.c +++ b/lib/x509/verify-high2.c @@ -191,7 +191,7 @@ int add_trust_list_pkcs11_object_url(gnutls_x509_trust_list_t list, const char * ret = gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size, url, - GNUTLS_PKCS11_OBJ_ATTR_MATCH, + GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL|GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED, 0); if (ret < 0) return gnutls_assert_val(ret); 
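Review bot: The three class branches (CRT, PUBKEY, PRIVKEY) each append a CKA_CLASS template entry whose value points at the single `class` variable, so a caller passing two class bits gets a template with duplicate CKA_CLASS attributes that all read the last value written, plus a CKA_CERTIFICATE_TYPE entry that no key object carries, and the search silently matches nothing. The removed trailing `else` used to reject unknown flag values with GNUTLS_E_INVALID_REQUEST; the new code has no guard at all, so I would refuse more than one class bit before the template is built (a new `unsigned class_flags` local; the `fail` label is outside the hunk but the removed lines show it exists). The declaration of `a` is also outside the hunk: with every flag set the new path pushes eight attributes (CLASS, CERTIFICATE_TYPE, CLASS, CLASS, TRUSTED, CERTIFICATE_CATEGORY, ID, LABEL) where the old branches pushed at most four, so its size needs checking or an explicit bound on `tot_values`. find_objs_cb starts and ends outside this hunk.
```c
	/* CRT, PUBKEY and PRIVKEY each fix CKA_CLASS; more than one of them
	 * would only put duplicate CKA_CLASS entries in the template, so refuse it. */
	class_flags = find_data->flags & (GNUTLS_PKCS11_OBJ_ATTR_CRT |
					  GNUTLS_PKCS11_OBJ_ATTR_PUBKEY |
					  GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY);
	if (class_flags & (class_flags - 1)) {
		gnutls_assert();
		ret = GNUTLS_E_INVALID_REQUEST;
		goto fail;
	}

	if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_CRT) {
		/* … unchanged: per-flag template construction … */
```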
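Review bot: `find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY` expands to `flags & (CRT|WITH_PRIVKEY)` and is therefore true whenever either bit is set, so a plain certificate enumeration (GNUTLS_PKCS11_OBJ_ATTR_CRT, or the CRT_ALL alias) now enters the private-key matching loop over `plist`, which the @@ -2462 hunk fills only when WITH_PRIVKEY is set. The condition should test the single bit, as that hunk does: `if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_WITH_PRIVKEY) {`. What happens to a certificate when `plist.key_ids_size` is 0 is decided after the hunk, so I cannot tell from here whether plain CRT queries end up returning nothing; the loop and the rest of find_objs_cb continue outside the hunk.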
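Review bot: The flag pair `GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL|GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED` is exactly what the pkcs11.h hunk now defines `GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED` as, and mixing a compatibility alias with a new flag name reads as if something subtler were meant; `GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED,` says the same thing. The semantic change deserves a comment at the call site: where the old GNUTLS_PKCS11_OBJ_ATTR_MATCH imported whatever object the URL named, the list now holds only certificates the token itself marks CKA_TRUSTED, which is the right bar for a trust anchor but means a CA certificate stored without that attribute, or on a token that does not implement it, is no longer importable by URL, e.g. `/* only certificates the token marks CKA_TRUSTED become anchors; an unmarked object at this URL yields an empty list */`. How an empty `pcrt_list` is handled follows the hunk, so whether that case is reported or silent I cannot see from here; add_trust_list_pkcs11_object_url continues outside the hunk.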
@@ -239,7 +239,7 @@ int remove_pkcs11_object_url(gnutls_x509_trust_list_t list, const char *url) ret = gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size, url, - GNUTLS_PKCS11_OBJ_ATTR_MATCH, + GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL|GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED, 0); if (ret < 0) return gnutls_assert_val(ret);
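Review bot: remove_pkcs11_object_url now resolves the URL only to certificates still marked CKA_TRUSTED on the token, so an entry that was added earlier and whose trust mark has since been cleared on the token can presumably no longer be located and removed by URL; unless that asymmetry is intended, removal should match on class alone, `GNUTLS_PKCS11_OBJ_ATTR_CRT,` with the rest of the argument list unchanged. If the trusted restriction is intended, spell it with the alias the header hunk provides, `GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED,`, and say why in a one-line comment above the call. The function continues outside the hunk.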