author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-06-16 20:39:52 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-06-16 20:40:00 +0200 |
commit | 923451d4270fc1a2b678d21fa3c1f432f807f48d (patch) | |
tree | 40d1be6265aaf2b1af3b73f4dbed7004a3107d1f | |
parent | 774369a90aed872ea37b493cb3724cddcfef3f22 (diff) | |
download | gnutls-923451d4270fc1a2b678d21fa3c1f432f807f48d.tar.gz |
Use common code for PKCS #11 callbacks across clients.
Require SO login to write a trusted object.
-rw-r--r-- | src/Makefile.am | 2 | ||||
-rw-r--r-- | src/p11common.c | 12 | ||||
-rw-r--r-- | src/pkcs11.c | 66 |
3 files changed, 13 insertions, 67 deletions
diff --git a/src/Makefile.am b/src/Makefile.am
index 316389fc9d..80b0a0ffee 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -123,7 +123,7 @@ libcmd_certtool_la_LIBADD += ../gl/libgnu.la $(INET_PTON_LIB)
 if ENABLE_PKCS11
 p11tool_gaa_CFLAGS =
-p11tool_SOURCES = p11tool.gaa p11tool.c pkcs11.c certtool-common.c p11tool.h
+p11tool_SOURCES = p11tool.gaa p11tool.c pkcs11.c certtool-common.c p11tool.h $(PKCS11_SRCS)
 p11tool_LDADD = ../lib/libgnutls.la
 p11tool_LDADD += libcmd-p11tool.la ../gl/libgnu.la
 p11tool_LDADD += $(LTLIBGCRYPT)
diff --git a/src/p11common.c b/src/p11common.c
index 799f866442..c866a521c1 100644
--- a/src/p11common.c
+++ b/src/p11common.c
@@ -36,11 +36,17 @@ pin_callback (void *user, int attempt, const char *token_url,
 size_t pin_max)
 {
 const char *password;
+ const char * desc;
 int len, cache = 1;
 /* allow caching of PIN */
 static char *cached_url = NULL;
 static char cached_pin[32] = "";
+ if (flags & GNUTLS_PKCS11_PIN_SO)
+ desc = "security officer";
+ else
+ desc = "user";
+
 if (flags & GNUTLS_PKCS11_PIN_FINAL_TRY)
 {
 cache = 0;
@@ -67,10 +73,10 @@ pin_callback (void *user, int attempt, const char *token_url,
 }
 }
- printf ("PIN required for token '%s' with URL '%s'\n", token_label,
- token_url);
+ printf ("Token '%s' with URL '%s' ", token_label, token_url);
+ printf ("requires %s PIN\n", desc);
- password = getpass ("Enter pin: ");
+ password = getpass ("Enter PIN: ");
 if (password == NULL || password[0] == 0)
 {
 fprintf (stderr, "No password given\n");
diff --git a/src/pkcs11.c b/src/pkcs11.c
index dafabe3bc2..b073f758b1 100644
--- a/src/pkcs11.c
+++ b/src/pkcs11.c
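Review bot: The new `desc` selection in the first p11common.c hunk distinguishes the SO PIN from the user PIN for the prompt only; `cache` is left at 1 for an SO request and nothing in the hunk keys the cache on the PIN type, so if the caching code further down (outside the hunk) still stores the entered PIN under the token URL and serves it for later `flags == 0` requests, a user-PIN request for the same token could be answered with the cached SO PIN and burn a user-PIN retry. Unless that code already tells the two apart, the simplest fix is to not cache SO PINs at all, `if (flags & GNUTLS_PKCS11_PIN_SO) cache = 0;` beside the existing `cache = 0` for the final-try case. Two smaller points: `const char * desc;` should follow the declarator spacing of the neighbouring `const char *password;`, and the two consecutive `printf` calls in the second hunk can be a single call, `printf ("Token '%s' with URL '%s' requires %s PIN\n", token_label, token_url, desc);`. pin_callback's body continues outside both hunks.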
@@ -32,68 +32,7 @@
 #include "certtool-common.h"
 #include <unistd.h>
 #include <string.h>
-
-#define MIN(x,y) ((x)<(y))?(x):(y)
-
-static int
-pin_callback (void *user, int attempt, const char *token_url,
- const char *token_label, unsigned int flags, char *pin,
- size_t pin_max)
-{
- const char *password;
- int len;
-/* allow caching of PIN */
- static char *cached_url = NULL;
- static char cached_pin[32] = "";
-
- printf ("PIN required for token '%s' with URL '%s'\n", token_label,
- token_url);
- if (flags & GNUTLS_PKCS11_PIN_FINAL_TRY)
- printf ("*** This is the final try before locking!\n");
- if (flags & GNUTLS_PKCS11_PIN_COUNT_LOW)
- printf ("*** Only few tries left before locking!\n");
-
- if (flags == 0 && cached_url != NULL)
- {
- if (strcmp (cached_url, token_url) == 0)
- {
- strcpy (pin, cached_pin);
- return 0;
- }
- }
-
- password = getpass ("Enter PIN: ");
- if (password == NULL || password[0] == 0)
- {
- fprintf (stderr, "No PIN given\n");
- exit (1);
- }
-
- len = MIN (pin_max, strlen (password));
- memcpy (pin, password, len);
- pin[len] = 0;
-
- /* cache */
- if (strlen(pin) >= sizeof(cached_pin))
- {
- fprintf (stderr, "Too long PIN given\n");
- exit (1);
- }
-
- strcpy (cached_pin, pin);
- free (cached_url);
- cached_url = strdup (token_url);
-
- return 0;
-}
-
-static void
-pkcs11_common (void)
-{
-
- gnutls_pkcs11_set_pin_function (pin_callback, NULL);
-
-}
+#include <p11common.h>
 void
 pkcs11_delete (FILE * outfile, const char *url, int batch, unsigned int login,
@@ -567,7 +506,8 @@ pkcs11_write (FILE * outfile, const char *url, const char *label, int trusted,
 if (xcrt != NULL)
 {
 if (trusted)
- flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED;
+ flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED|GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO;
+
 ret = gnutls_pkcs11_copy_x509_crt (url, xcrt, label, flags);
 if (ret < 0)
 { |
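Review bot: `#include <p11common.h>` uses angle brackets for a project header while the context line just above includes the sibling `certtool-common.h` in quotes; the quoted form searches the including file's directory first, so `#include "p11common.h"` is the consistent and more predictable choice. The hunk also deletes `pkcs11_common`, the only registration of the PIN callback visible here (`gnutls_pkcs11_set_pin_function`); presumably p11common.h now declares an equivalent, but that cannot be confirmed from this diff, and any remaining callers of `pkcs11_common` in pkcs11.c lie outside the hunk. One thing worth carrying over from the deleted callback: it computed `len = MIN (pin_max, strlen (password))` and then wrote `pin[len] = 0`, which lands one past the buffer when `pin_max` is its size and the password fills it, so the shared pin_callback in p11common.c should cap the copy at `pin_max - 1` rather than inherit this.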
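Review bot: The new `flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED|GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO;` in the pkcs11_write hunk gives no hint why marking an object trusted now forces an SO login; a one-line comment above it, `/* CKA_TRUSTED may only be set by the security officer, so a trusted copy needs an SO login */`, saves the next reader a trip to the PKCS #11 spec. The file spaces its binary operators (`flags |=`), so `GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED | GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO` would match the surrounding style. pkcs11_write starts and ends outside the hunk.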