authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-05-03 09:28:36 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-05-03 11:11:42 +0200
commit01b07a23067c5c0b6d610fea5f29ab17d19cbdde (patch)
tree18bd85d2b6395f5375fc9f094780b966beb19d0a
parent7b898af19606c7a0c331f0768e3f2b2f8c53c9bb (diff)
downloadgnutls-01b07a23067c5c0b6d610fea5f29ab17d19cbdde.tar.gz
pkcs11: the flag GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT will be respected by imported certificates
That is, certificates imported with gnutls_pkcs11_obj_import_url() or gnutls_x509_crt_import_url() can now be extracted with their extensions overridden. Previously that was available only on gnutls_pkcs11_get_raw_issuer() and friends.
-rw-r--r--lib/pkcs11.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 750e1d19bc..c9a8c8b82a 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -64,6 +64,7 @@ struct find_flags_data_st {
struct find_url_data_st {
gnutls_pkcs11_obj_t obj;
+ bool overwrite_exts; /* only valid if looking for a certificate */
};
struct find_obj_data_st {
@@ -1970,6 +1971,19 @@ find_obj_url_cb(struct ck_function_list *module, struct pkcs11_session_info *sin
cleanup:
pkcs11_find_objects_final(sinfo);
+ if (ret == 0 && find_data->overwrite_exts && find_data->obj->raw.size > 0) {
+ gnutls_datum_t spki;
+ rv = pkcs11_get_attribute_avalue(sinfo->module, sinfo->pks, obj, CKA_PUBLIC_KEY_INFO, &spki);
+ if (rv == CKR_OK) {
+ ret = pkcs11_override_cert_exts(sinfo, &spki, &find_data->obj->raw);
+ gnutls_free(spki.data);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ }
+ }
+
return ret;
}
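Review bot: The `goto cleanup;` on the added error path jumps back to a label that sits above the new block, so pkcs11_find_objects_final(sinfo) is executed a second time on the same session (presumably a second C_FindObjectsFinal) before the `ret == 0` guard skips the block and the function returns; it only works because ret is negative by then. Since the block is already the last thing before `return ret;`, the error branch can be reduced to `if (ret < 0) { gnutls_assert(); }` and fall through, dropping the `goto cleanup;` line. Separately, a non-CKR_OK result from pkcs11_get_attribute_avalue leaves ret at 0, so a caller that asked for GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT silently receives the certificate with its original extensions when the object carries no CKA_PUBLIC_KEY_INFO; if that is the intended behaviour, a comment such as `/* no CKA_PUBLIC_KEY_INFO on the token: keep the certificate's own extensions */` on the `if (rv == CKR_OK)` line would make it explicit. find_obj_url_cb's body begins outside the hunk.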
@@ -2022,6 +2036,10 @@ gnutls_pkcs11_obj_import_url(gnutls_pkcs11_obj_t obj, const char *url,
return ret;
}
+ if (flags & GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT) {
+ find_data.overwrite_exts = 1;
+ }
+
ret =
_pkcs11_traverse_tokens(find_obj_url_cb, &find_data, obj->info,
&obj->pin,