author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-09-27 09:39:09 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-09-27 13:36:41 +0200 |
commit | c45a89307069cd544d74f95cdd5a3160bf006307 (patch) | |
tree | a1b740a3f66331d32c06b588397ae2d9bcfdc9ba /lib/pkcs11_write.c | |
parent | d6fd2339be4fc7cfcdb61dac13896de67f22cbac (diff) | |
pkcs11: forbid PKCS#11 extensions to be used in other than trust modules
That is, only use CKA_X_DISTRUSTED and the extension override in
p11-kit trust modules, to avoid potential conflicts with other
PKCS#11 extensions.
Diffstat (limited to 'lib/pkcs11_write.c')
-rw-r--r-- | lib/pkcs11_write.c | 32 |
1 files changed, 12 insertions, 20 deletions
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index eb867d8755..23a8521ed5 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -33,7 +33,7 @@ static const ck_bool_t fval = 0;
 #define MAX_ASIZE 24
-static void mark_flags(unsigned flags, struct ck_attribute *a, unsigned *a_val)
+static void mark_flags(unsigned flags, struct ck_attribute *a, unsigned *a_val, unsigned trusted)
 {
 static const unsigned long category = 2;
@@ -45,10 +45,14 @@ static void mark_flags(unsigned flags, struct ck_attribute *a, unsigned *a_val)
 }
 if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED) {
- a[*a_val].type = CKA_X_DISTRUSTED;
- a[*a_val].value = (void *) &tval;
- a[*a_val].value_len = sizeof(tval);
- (*a_val)++;
+ if (trusted) {
+ a[*a_val].type = CKA_X_DISTRUSTED;
+ a[*a_val].value = (void *) &tval;
+ a[*a_val].value_len = sizeof(tval);
+ (*a_val)++;
+ } else {
+ _gnutls_debug_log("p11: ignoring the distrusted flag as it is not valid on non-p11-kit-trust modules\n");
+ }
 }
 if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED) {
@@ -117,8 +121,6 @@ gnutls_pkcs11_copy_x509_crt2(const char *token_url,
 PKCS11_CHECK_INIT;
- memset(&sinfo, 0, sizeof(sinfo));
-
 ret = pkcs11_url_to_info(token_url, &info, 0);
 if (ret < 0) {
 gnutls_assert();
@@ -225,7 +227,7 @@ gnutls_pkcs11_copy_x509_crt2(const char *token_url,
 a_val++;
 }
- mark_flags(flags, a, &a_val);
+ mark_flags(flags, a, &a_val, sinfo.trusted);
 rv = pkcs11_create_object(sinfo.module, sinfo.pks, a, a_val, &ctx);
 if (rv != CKR_OK) {
@@ -395,8 +397,6 @@ gnutls_pkcs11_copy_pubkey(const char *token_url,
 PKCS11_CHECK_INIT;
- memset(&sinfo, 0, sizeof(sinfo));
-
 ret = pkcs11_url_to_info(token_url, &info, 0);
 if (ret < 0) {
 gnutls_assert();
@@ -463,7 +463,7 @@ gnutls_pkcs11_copy_pubkey(const char *token_url,
 }
 a_val++;
- mark_flags(flags, a, &a_val);
+ mark_flags(flags, a, &a_val, sinfo.trusted);
 a[a_val].type = CKA_VERIFY;
 if (key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE) {
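Review bot: The new `trusted` parameter of mark_flags (hunk at -33) is undocumented and easy to misread, because the same function also handles GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED a few lines further down. Judging by the call sites it carries `sinfo.trusted`, which appears to mean "the token belongs to a p11-kit trust module" rather than "the object is trusted". I would add a comment above the definition, for example `/* trusted: non-zero if the target is a p11-kit trust module; the CKA_X_DISTRUSTED extension is written only then */`. The body of mark_flags continues outside this hunk.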
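Review bot: In the new `else` branch (hunk at -45) the request to mark the object as distrusted is dropped with only a debug-level log line, and mark_flags returns void, so both callers go on to create the object and can still report success. An application that passes GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED to blacklist a certificate would then find the certificate stored on the token with no distrust marker at all, so this should fail closed. I would reject the combination in the callers before the object is created, setting `ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);` when `(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED) && !sinfo.trusted` and leaving through the function's existing cleanup path, or at the very least document the silent fallback on the public flag. mark_flags starts and ends outside this hunk.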
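Review bot: Dropping `memset(&sinfo, 0, sizeof(sinfo));` (hunk at -117) leaves `sinfo` dependent on a later call to initialise every field, and that call is not part of this file's diff. The new code reads `sinfo.trusted` (hunks at -225 and -463), and any error path that inspects `sinfo` before the session has been opened would now see indeterminate stack contents. The same removal is made in the hunks at -395, -545, -653, -1216 and -1293. If the session-opening helper does zero the structure, a one-line comment at each declaration such as `/* sinfo is fully initialised when the session is opened */` would make that contract visible; otherwise the memset should stay. The enclosing function starts and ends outside the hunk.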
@@ -545,8 +545,6 @@ gnutls_pkcs11_copy_attached_extension(const char *token_url,
 PKCS11_CHECK_INIT;
- memset(&sinfo, 0, sizeof(sinfo));
-
 ret = pkcs11_url_to_info(token_url, &info, 0);
 if (ret < 0) {
 gnutls_assert();
@@ -653,8 +651,6 @@ gnutls_pkcs11_copy_x509_privkey2(const char *token_url,
 PKCS11_CHECK_INIT;
- memset(&sinfo, 0, sizeof(sinfo));
-
 memset(&p, 0, sizeof(p));
 memset(&q, 0, sizeof(q));
 memset(&g, 0, sizeof(g));
@@ -1164,7 +1160,7 @@ gnutls_pkcs11_token_init(const char *token_url,
 return ret;
 }
- ret = pkcs11_find_slot(&module, &slot, info, NULL, NULL);
+ ret = pkcs11_find_slot(&module, &slot, info, NULL, NULL, NULL);
 p11_kit_uri_free(info);
 if (ret < 0) {
@@ -1216,8 +1212,6 @@ gnutls_pkcs11_token_set_pin(const char *token_url,
 PKCS11_CHECK_INIT;
- memset(&sinfo, 0, sizeof(sinfo));
-
 ret = pkcs11_url_to_info(token_url, &info, 0);
 if (ret < 0) {
 gnutls_assert();
@@ -1293,8 +1287,6 @@ gnutls_pkcs11_token_get_random(const char *token_url,
 PKCS11_CHECK_INIT;
- memset(&sinfo, 0, sizeof(sinfo));
-
 ret = pkcs11_url_to_info(token_url, &info, 0);
 if (ret < 0) {
 gnutls_assert(); |
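Review bot: gnutls_pkcs11_copy_attached_extension (hunk at -545) gets no `sinfo.trusted` check in this diff, although the commit message limits PKCS#11 extensions to p11-kit trust modules. Only the memset removal is visible here, so this is a question rather than a finding. If the function still writes a p11-kit-specific extension object to whatever token the URL names, it should presumably refuse when `!sinfo.trusted`, in the same way mark_flags now skips CKA_X_DISTRUSTED. The function body lies outside the hunk.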