authorNikos Mavrogiannopoulos <nmav@gnutls.org>2019-03-19 16:46:01 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2019-03-19 16:46:01 +0000
commitf82ffe2b3031072ad1bfdf589e945263a1696e3f (patch)
treeb22f118434b52e101e07885028e84b1eab209808
parentb6c6e148b542a3ac3b0c407708fbc86e884d4f82 (diff)
parente4c83eea960a43a38814ffd19cc5aae8ff1d206d (diff)
downloadgnutls-f82ffe2b3031072ad1bfdf589e945263a1696e3f.tar.gz
Merge branch 'tmp-fix-pkcs11-so' into 'master'
pkcs11: security officer login implies writable session Closes #721 See merge request gnutls/gnutls!953
-rw-r--r--NEWS4
-rw-r--r--lib/pkcs11.c2
-rwxr-xr-xtests/testpkcs11.sh20
3 files changed, 25 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 10ee9bf0b0..5087eb94dd 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,10 @@ See the end for copying conditions.
a certificate. We were already enforcing the signature algorithm, but there
was a bug in parameter checking code.
+** libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable
+ session, as non-writeable security officer sessions are undefined in PKCS#11
+ (#721).
+
** libgnutls: no longer send downgrade sentinel in TLS 1.3.
Previously the sentinel value was embedded to early in version
negotiation and was sent even on TLS 1.3. It is now sent only when
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 2ec642bf8a..de5309b296 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -2254,7 +2254,7 @@ unsigned int pkcs11_obj_flags_to_int(unsigned int flags)
ret_flags |= SESSION_LOGIN | SESSION_FORCE_LOGIN;
if (flags & GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO)
- ret_flags |= SESSION_LOGIN | SESSION_SO | SESSION_FORCE_LOGIN;
+ ret_flags |= SESSION_LOGIN | SESSION_SO | SESSION_FORCE_LOGIN | SESSION_WRITE;
if (flags & GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE)
ret_flags |= SESSION_TRUSTED;
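Review bot: The `SESSION_WRITE` added on the `GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO` branch carries no comment explaining why a security-officer login forces a read-write session, so a later reader may take it for an accident and drop it. A one-line comment above the assignment would record the reason given in NEWS, e.g. `/* PKCS#11 defines no read-only SO session; SO login needs R/W */`. Every caller passing this flag now gets a writable SO session even for read-only operations such as listing, so the public description of the flag should presumably say so too. pkcs11_obj_flags_to_int starts and ends outside the hunk.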
diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
index 49acc0ff9f..e98fb8ed4a 100755
--- a/tests/testpkcs11.sh
+++ b/tests/testpkcs11.sh
@@ -341,6 +341,24 @@ export_pubkey_of_privkey () {
}
# $1: token
+# $2: SO PIN
+# $3: bits
+list_pubkey_as_so () {
+ export GNUTLS_SO_PIN="$2"
+ token="$1"
+ bits="$3"
+
+ echo -n "* Exporting public key as SO... "
+ ${P11TOOL} ${ADDITIONAL_PARAM} --so-login --list-all "${token}" >>"${LOGFILE}" 2>&1
+ if test $? != 0; then
+ echo failed
+ exit 1
+ fi
+
+ echo ok
+}
+
+# $1: token
# $2: PIN
change_id_of_privkey () {
export GNUTLS_PIN="$2"
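Review bot: `list_pubkey_as_so` documents and reads a third argument (`# $3: bits`, `bits="$3"`) that is never used, and the call added in the last hunk passes only the token and the SO PIN, so both lines can be dropped. The progress message says "Exporting public key as SO" while the command runs `--list-all`; `echo -n "* Listing objects as SO... "` would match what is tested. The failure path calls `exit 1`, whereas write_certificate_test in this file uses `exit_error`; presumably the same helper should be used here so a failure is reported the same way. The check only looks at the exit status of p11tool, which is enough to catch a rejected SO login but does not confirm that any object was listed.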
@@ -599,6 +617,7 @@ write_certificate_test () {
exit_error
fi
+ echo ok
rm -f ${TMPFILE}
echo -n "* Trying to obtain back the cert... "
@@ -1091,6 +1110,7 @@ generate_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024
change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+list_pubkey_as_so "${TOKEN}" "${GNUTLS_SO_PIN}"
write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
write_serv_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.key"