authorNikos Mavrogiannopoulos <nmav@redhat.com>2015-03-26 16:34:46 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2015-03-26 16:43:58 +0100
commit1e50c5a61fa3eeaba4f95d80155e7c55c3dde145 (patch)
treeb8e6074131d5146f6d1b936216f7b4dca7a5b458 /lib/pkcs11_write.c
parentee205a8f1db490bad7b568c7fe5a963201bcda5e (diff)
pkcs11: added flags to mark keys as not-being signable or decryptable
This adds GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT and GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN, which can be set when generating or writing keys.
Diffstat (limited to 'lib/pkcs11_write.c')
-rw-r--r--lib/pkcs11_write.c18
1 files changed, 14 insertions, 4 deletions
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index f28f0cefe8..5aa893c640 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -409,14 +409,24 @@ gnutls_pkcs11_copy_x509_privkey(const char *token_url,
a_val++;
a[a_val].type = CKA_SIGN;
- a[a_val].value = (void*)&tval;
- a[a_val].value_len = sizeof(tval);
+ if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN)) {
+ a[a_val].value = (void*)&tval;
+ a[a_val].value_len = sizeof(tval);
+ } else {
+ a[a_val].value = (void*)&fval;
+ a[a_val].value_len = sizeof(fval);
+ }
a_val++;
if (pk == GNUTLS_PK_RSA) {
a[a_val].type = CKA_DECRYPT;
- a[a_val].value = (void*)&tval;
- a[a_val].value_len = sizeof(tval);
+ if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT)) {
+ a[a_val].value = (void*)&tval;
+ a[a_val].value_len = sizeof(tval);
+ } else {
+ a[a_val].value = (void*)&fval;
+ a[a_val].value_len = sizeof(fval);
+ }
a_val++;
}
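Review bot: With GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN set on a non-RSA key, or with both new flags set on an RSA key, the template built here stores a private key whose CKA_SIGN is false and whose CKA_DECRYPT is false or absent, so the call succeeds but the object may be unusable for any private-key operation. If that combination is not intended, reject it before the template is filled, e.g. `if ((flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN) && (pk != GNUTLS_PK_RSA || (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT))) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);`, placed ahead of any resource acquisition, since the rest of gnutls_pkcs11_copy_x509_privkey lies outside the hunk. The description also says the flags apply during key generation, but this view shows only the copy path changing. It is worth confirming that a generate call given MARK_NO_SIGN does not silently yield a signing-capable key.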