authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-02-13 09:22:25 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-02-13 09:44:00 +0100
commit41c446121dde80ea2190f156b6e344d37b6ffcc4 (patch)
tree4d170111c33331ff0e5212a2597f2627d8310562
parent80bdbbe0dc9738a734af20bab2fb6a95b97c376e (diff)
downloadgnutls-41c446121dde80ea2190f156b6e344d37b6ffcc4.tar.gz
Added flag GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE.
This flag can be used to ensure that the requested object lies on a PKCS #11 module marked as trusted. The marking is done in the p11-kit configuration.
-rw-r--r--lib/includes/gnutls/pkcs11.h9
-rw-r--r--lib/pkcs11.c17
-rw-r--r--lib/pkcs11_int.h1
3 files changed, 19 insertions, 8 deletions
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index fc297580d6..86f391144b 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -97,11 +97,12 @@ void gnutls_pkcs11_obj_set_pin_function(gnutls_pkcs11_obj_t obj,
#define GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO (1<<3) /* force login as a security officer in the token for the operation */
#define GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE (1<<4) /* marked as private (requires PIN to access) */
#define GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE (1<<5) /* marked as not private */
-#define GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY (1<<6) /* No need for the certificate to be a trusted one */
-#define GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED (1<<7) /* The certificate must be marked as trusted
+#define GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY (1<<6) /* No need for the object to be a trusted one */
+#define GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED (1<<7) /* The object must be marked as trusted
* in gnutls_pkcs11_crt_is_known() it implies GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_COMPARE */
-#define GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED (1<<8) /* The certificate must be marked as distrusted */
-#define GNUTLS_PKCS11_OBJ_FLAG_COMPARE (1<<9) /* The certificate must be fully compared */
+#define GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED (1<<8) /* The object must be marked as distrusted */
+#define GNUTLS_PKCS11_OBJ_FLAG_COMPARE (1<<9) /* The object must be fully compared */
+#define GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE (1<<10) /* The object must be present in a marked as trusted module */
/**
* gnutls_pkcs11_url_type_t:
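Review bot: The comment on the new GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE define does not say who does the marking, which is exactly what separates it from GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED a few lines above (as far as this header shows, that one is a property of the object, not of the module holding it). Since this is the public header, suggest `/* The object must reside in a module that the p11-kit configuration marks as trusted */`. Spelling out that the module mark comes from local configuration rather than from whatever module presents the object is the point an API user needs in order to choose between the two flags.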
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 857f16a927..fa8fb5e9c0 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -1009,6 +1009,9 @@ _pkcs11_traverse_tokens(find_func_t find_func, void *input,
for (x = 0; x < active_providers; x++) {
+ if (flags & SESSION_TRUSTED && providers[x].trusted == 0)
+ continue;
+
nslots = sizeof(slots) / sizeof(slots[0]);
ret = scan_slots(&providers[x], slots, &nslots);
if (ret < 0) {
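Review bot: The new skip at the top of the provider loop relies on C precedence (`&` binds tighter than `&&`) and reads more clearly parenthesized: `if ((flags & SESSION_TRUSTED) && providers[x].trusted == 0)`. A why-comment would also help, e.g. `/* SESSION_TRUSTED: only consult modules the p11-kit configuration marks as trusted */`. `providers[x].trusted` is not touched by this commit, so presumably it is already populated when the module is loaded; it is worth confirming that a provider registered without p11-kit metadata ends up with trusted == 0 rather than an uninitialized field, since that value now drives a trust decision. The function's signature and the rest of its body lie outside the hunk.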
@@ -1021,8 +1024,7 @@ _pkcs11_traverse_tokens(find_func_t find_func, void *input,
struct token_info tinfo;
if (pkcs11_get_token_info(module, slots[z],
- &tinfo.tinfo) != CKR_OK)
- {
+ &tinfo.tinfo) != CKR_OK) {
continue;
}
tinfo.sid = slots[z];
@@ -1580,6 +1582,8 @@ unsigned int pkcs11_obj_flags_to_int(unsigned int flags)
ret_flags |= SESSION_LOGIN;
if (flags & GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO)
ret_flags |= SESSION_LOGIN | SESSION_SO;
+ if (flags & GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE)
+ ret_flags |= SESSION_TRUSTED;
return ret_flags;
}
@@ -3232,9 +3236,14 @@ int gnutls_pkcs11_get_raw_issuer(const char *url, gnutls_x509_crt_t cert,
*
* This function will check whether the provided certificate is stored
* in the specified token. This is useful in combination with
- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED,
+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
* to check whether a CA is present or a certificate is blacklisted in
- * trust PKCS #11 modules.
+ * a trust PKCS #11 module.
+ *
+ * This function can be used with a @url of "pkcs11:", and in that case all modules
+ * will be searched. To restrict the modules to the marked as trusted in p11-kit
+ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
*
* Returns: If the certificate exists non-zero is returned, otherwise zero.
*
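Review bot: The sentence added at the end of the comment is hard to parse (`To restrict the modules to the marked as trusted in p11-kit`); suggest `* To restrict the search to the modules marked as trusted in the p11-kit configuration,` followed by the existing `* use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.` line. It would also help callers to state the consequence of leaving the flag out: with a bare "pkcs11:" URL the answer reflects every loaded module, so a presence or blacklist result is only as reliable as the least trusted module present. The function this comment documents begins after the hunk.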
diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
index b1341fa33d..2b209bfc84 100644
--- a/lib/pkcs11_int.h
+++ b/lib/pkcs11_int.h
@@ -100,6 +100,7 @@ int pkcs11_info_to_url(struct p11_kit_uri *info,
#define SESSION_WRITE (1<<0)
#define SESSION_LOGIN (1<<1)
#define SESSION_SO (1<<2) /* security officer session */
+#define SESSION_TRUSTED (1<<3) /* session on a marked as trusted (p11-kit) module */
int pkcs11_open_session(struct pkcs11_session_info *sinfo,
struct pin_info_st *pin_info,
struct p11_kit_uri *info, unsigned int flags);
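Review bot: SESSION_TRUSTED is named and commented as a session property, but the only use this commit adds (the provider loop in _pkcs11_traverse_tokens in lib/pkcs11.c) treats it as a filter on which modules are traversed at all; the comment should say so, e.g. `/* only traverse modules marked as trusted in the p11-kit configuration */`. The bit value (1<<3) does not collide with the three existing SESSION_ flags.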