author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-12-22 11:43:49 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-12-22 11:44:28 +0200 |
commit | cd4876433f3579093659fe4956bfa15b97b7f0a0 (patch) | |
tree | 088ce87950bfeb66afe9a8b3ea4977ddedf58801 /lib | |
parent | 853722becfd214dad05d7d7ca38fb3d8a31a77e3 (diff) | |
download | gnutls-cd4876433f3579093659fe4956bfa15b97b7f0a0.tar.gz |
combined gnutls_pkcs11_obj_attr_t with gnutls_pkcs11_obj_flags
This was done in an API-backward-compatible way. It introduces
gnutls_pkcs11_obj_list_import_url3() and
gnutls_pkcs11_obj_list_import_url4().
Diffstat (limited to 'lib')
-rw-r--r-- | lib/includes/gnutls/pkcs11.h | 95 | ||||
-rw-r--r-- | lib/libgnutls.map | 4 | ||||
-rw-r--r-- | lib/pkcs11.c | 48 | ||||
-rw-r--r-- | lib/x509/verify-high.c | 2 | ||||
-rw-r--r-- | lib/x509/verify-high2.c | 8 |
5 files changed, 81 insertions, 76 deletions
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index 1fdfc02801..10494c497e 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -93,27 +93,33 @@ void gnutls_pkcs11_obj_set_pin_function(gnutls_pkcs11_obj_t obj,
 /**
  * gnutls_pkcs11_obj_flags:
- * @GNUTLS_PKCS11_OBJ_FLAG_LOGIN: Force login in the token for the operation.
- * @GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED: object marked as trusted.
- * @GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE: object marked as sensitive (unexportable).
- * @GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO: force login as a security officer in the token for the operation.
- * @GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE: marked as private (requires PIN to access).
- * @GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE: marked as not private.
- * @GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY: When retrieving an object, do not set any requirements.
- * @GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED: When retrieving an object, only retrieve the marked as trusted.
+ * @GNUTLS_PKCS11_OBJ_FLAG_LOGIN: Force login in the token for the operation (seek+store).
+ * @GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED: object marked as trusted (seek+store).
+ * @GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE: object marked as sensitive -unexportable (store).
+ * @GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO: force login as a security officer in the token for the operation (seek+store).
+ * @GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE: marked as private -requires PIN to access (store).
+ * @GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE: marked as not private (store).
+ * @GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY: When retrieving an object, do not set any requirements (store).
+ * @GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED: When retrieving an object, only retrieve the marked as trusted (alias to %GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED).
  * In gnutls_pkcs11_crt_is_known() it implies %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_COMPARE if %GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY is not given.
- * @GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED: When retrieving an object, only retrieve the marked as distrusted.
- * @GNUTLS_PKCS11_OBJ_FLAG_COMPARE: When checking an object's presence, fully compare it before returning any result.
- * @GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY: When checking an object's presence, compare the key before returning any result.
- * @GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE: The object must be present in a marked as trusted module.
- * @GNUTLS_PKCS11_OBJ_FLAG_MARK_CA: Mark the object as a CA.
- * @GNUTLS_PKCS11_OBJ_FLAG_MARK_KEY_WRAP: Mark the generated key pair as wrapping and unwrapping keys.
- * @GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT: When an issuer is requested, override its extensions with the ones present in the trust module.
- * @GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH: Mark the key pair as requiring authentication (pin entry) before every operation.
- * @GNUTLS_PKCS11_OBJ_FLAG_MARK_EXTRACTABLE: Mark the key pair as being extractable (insecure).
- * @GNUTLS_PKCS11_OBJ_FLAG_NEVER_EXTRACTABLE: If set, the object was never marked as extractable.
+ * @GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED: When retrieving an object, only retrieve the marked as distrusted (seek).
+ * @GNUTLS_PKCS11_OBJ_FLAG_COMPARE: When checking an object's presence, fully compare it before returning any result (seek).
+ * @GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY: When checking an object's presence, compare the key before returning any result (seek).
+ * @GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE: The object must be present in a marked as trusted module (seek).
+ * @GNUTLS_PKCS11_OBJ_FLAG_MARK_CA: Mark the object as a CA (seek+store).
+ * @GNUTLS_PKCS11_OBJ_FLAG_MARK_KEY_WRAP: Mark the generated key pair as wrapping and unwrapping keys (store).
+ * @GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT: When an issuer is requested, override its extensions with the ones present in the trust module (seek).
+ * @GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH: Mark the key pair as requiring authentication (pin entry) before every operation (seek+store).
+ * @GNUTLS_PKCS11_OBJ_FLAG_MARK_EXTRACTABLE: Mark the key pair as being extractable (store).
+ * @GNUTLS_PKCS11_OBJ_FLAG_NEVER_EXTRACTABLE: If set, the object was never marked as extractable (store).
+ * @GNUTLS_PKCS11_OBJ_FLAG_CRT: When searching, restrict to certificates only (seek).
+ * @GNUTLS_PKCS11_OBJ_FLAG_PUBKEY: When searching, restrict to public key objects only (seek).
+ * @GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY: When searching, restrict to private key objects only (seek).
+ * @GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY: When searching, restrict to objects which have a corresponding private key (seek).
  *
- * Enumeration of different PKCS #11 object flags.
+ * Enumeration of different PKCS #11 object flags. Some flags are used
+ * to mark objects when storing, while others are also used while seeking
+ * or retrieving objects.
  */
 typedef enum gnutls_pkcs11_obj_flags {
 	GNUTLS_PKCS11_OBJ_FLAG_LOGIN = (1<<0),
@@ -123,7 +129,7 @@ typedef enum gnutls_pkcs11_obj_flags {
 	GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE = (1<<4),
 	GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE = (1<<5),
 	GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY = (1<<6),
-	GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED = (1<<7),
+	GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED = GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED,
 	GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED = (1<<8),
 	GNUTLS_PKCS11_OBJ_FLAG_COMPARE = (1<<9),
 	GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE = (1<<10),
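Review bot: The new seek/store tags are wrong for three flags in this doc block: RETRIEVE_ANY and NEVER_EXTRACTABLE are tagged `(store)` although their own text describes a retrieval requirement and a reported state, and MARK_EXTRACTABLE lost the `(insecure)` warning the old text carried, which is exactly the word a practitioner scanning this list needs to see. I would restore it as `* @GNUTLS_PKCS11_OBJ_FLAG_MARK_EXTRACTABLE: Mark the key pair as being extractable -insecure (store).` and tag RETRIEVE_ANY `(seek)`. The `sensitive -unexportable` / `private -requires PIN` spelling reads like a minus sign; the parenthesised form of the replaced lines was clearer.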
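Review bot: Aliasing RETRIEVE_TRUSTED to MARK_TRUSTED silently changes its numeric value from (1<<7) to (1<<1) and leaves bit 7 unassigned without saying why, so a later enumerator placed at (1<<7) would mean something different to code that still carries the old value. Add a marker next to the alias, `/* (1<<7) was RETRIEVE_TRUSTED before 3.4.0; do not reuse */`. The value change is only safe if 3.4.0 is an ABI-breaking release; the libgnutls.map hunks suggest that but this hunk cannot confirm it. The enum continues outside the hunk.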
@@ -133,9 +139,15 @@ typedef enum gnutls_pkcs11_obj_flags {
 	GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT = (1<<14),
 	GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH = (1<<15),
 	GNUTLS_PKCS11_OBJ_FLAG_MARK_EXTRACTABLE = (1<<16),
-	GNUTLS_PKCS11_OBJ_FLAG_NEVER_EXTRACTABLE = (1<<17)
+	GNUTLS_PKCS11_OBJ_FLAG_NEVER_EXTRACTABLE = (1<<17),
+	GNUTLS_PKCS11_OBJ_FLAG_CRT = (1<<18),
+	GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY = (1<<19),
+	GNUTLS_PKCS11_OBJ_FLAG_PUBKEY = (1<<20),
+	GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY = (1<<21),
 } gnutls_pkcs11_obj_flags;
 
+#define gnutls_pkcs11_obj_attr_t gnutls_pkcs11_obj_flags
+
 /**
  * gnutls_pkcs11_url_type_t:
  * @GNUTLS_PKCS11_URL_GENERIC: A generic-purpose URL.
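Review bot: The compatibility alias for the old type is spelled as an object-like macro, `#define gnutls_pkcs11_obj_attr_t gnutls_pkcs11_obj_flags`, which leaks into every translation unit including the header, is invisible to debuggers, and cannot be scoped by C++ consumers; a typedef gives identical source compatibility without those costs: `typedef gnutls_pkcs11_obj_flags gnutls_pkcs11_obj_attr_t;`. The list also now ends with a trailing comma after `GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY = (1<<21),`, where the replaced last enumerator had none; a public header that strict C89 compilers may include should keep the old form.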
@@ -235,32 +247,14 @@ int gnutls_pkcs11_obj_get_info(gnutls_pkcs11_obj_t crt,
 gnutls_pkcs11_obj_info_t itype, void *output, size_t * output_size);
 
-/**
- * gnutls_pkcs11_obj_attr_t:
- * @GNUTLS_PKCS11_OBJ_ATTR_CRT: Specify all certificates in the specified token.
- * @GNUTLS_PKCS11_OBJ_ATTR_PUBKEY: Specify all public keys in the specified token.
- * @GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED: Restrict to objects which are marked as trusted
- * @GNUTLS_PKCS11_OBJ_ATTR_MARKED_CA: Restrict to certificates which are marked as CA
- * @GNUTLS_PKCS11_OBJ_ATTR_WITH_PRIVKEY: Restrict to objects which have a corresponding private key
- *
- * This a list of flags to be used in combination with each other (since GnuTLS 3.4.0). They
- * are used for matching and obtaining a list of objects.
- */
-typedef enum {
-	GNUTLS_PKCS11_OBJ_ATTR_CRT = 1, /* all certificates */
-	GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED = 1<<1, /* certificates marked as trusted */
-	GNUTLS_PKCS11_OBJ_ATTR_WITH_PRIVKEY = 1<<2, /* certificates with corresponding private key */
-	GNUTLS_PKCS11_OBJ_ATTR_PUBKEY = 1<<3, /* public keys */
-	GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY = 1<<4, /* private keys */
-	GNUTLS_PKCS11_OBJ_ATTR_MARKED_CA = 1<<5, /* CAs */
-} gnutls_pkcs11_obj_attr_t;
-
-#define GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL GNUTLS_PKCS11_OBJ_ATTR_CRT
+#define GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL GNUTLS_PKCS11_OBJ_FLAG_CRT
 #define GNUTLS_PKCS11_OBJ_ATTR_MATCH 0 /* always match the given URL */
 #define GNUTLS_PKCS11_OBJ_ATTR_ALL 0 /* match everything!
 */
-#define GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED (GNUTLS_PKCS11_OBJ_ATTR_CRT|GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED)
-#define GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY (GNUTLS_PKCS11_OBJ_ATTR_CRT|GNUTLS_PKCS11_OBJ_ATTR_WITH_PRIVKEY)
-#define GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA (GNUTLS_PKCS11_OBJ_ATTR_CRT|GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED|GNUTLS_PKCS11_OBJ_ATTR_MARKED_CA)
+#define GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED (GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)
+#define GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY (GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY)
+#define GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA (GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)
+#define GNUTLS_PKCS11_OBJ_ATTR_PUBKEY GNUTLS_PKCS11_OBJ_FLAG_PUBKEY
+#define GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY
 
 /**
  * gnutls_pkcs11_token_info_t:
@@ -323,19 +317,20 @@ int gnutls_pkcs11_token_get_info(const char *url,
 #define GNUTLS_PKCS11_TOKEN_TRUSTED (1<<1) /* p11-kit trusted */
 int gnutls_pkcs11_token_get_flags(const char *url, unsigned int *flags);
 
-int gnutls_pkcs11_obj_list_import_url(gnutls_pkcs11_obj_t * p_list,
+#define gnutls_pkcs11_obj_list_import_url(p_list, n_list, url, attrs, flags) gnutls_pkcs11_obj_list_import_url3(p_list, n_list, url, attrs|flags)
+#define gnutls_pkcs11_obj_list_import_url2(p_list, n_list, url, attrs, flags) gnutls_pkcs11_obj_list_import_url4(p_list, n_list, url, attrs|flags)
+
+int gnutls_pkcs11_obj_list_import_url3(gnutls_pkcs11_obj_t * p_list,
 				      unsigned int *const n_list,
 				      const char *url,
-				      gnutls_pkcs11_obj_attr_t
-				      attrs, unsigned int flags
+				      unsigned int flags /* GNUTLS_PKCS11_OBJ_FLAG_* */
 				      );
 
 int
-gnutls_pkcs11_obj_list_import_url2(gnutls_pkcs11_obj_t ** p_list,
+gnutls_pkcs11_obj_list_import_url4(gnutls_pkcs11_obj_t ** p_list,
 				   unsigned int *n_list,
 				   const char *url,
-				   gnutls_pkcs11_obj_attr_t attrs,
 				   unsigned int flags /* GNUTLS_PKCS11_OBJ_FLAG_* */
 				   );
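Review bot: Of the six enumerators the removed `gnutls_pkcs11_obj_attr_t` defined, only PUBKEY and PRIVKEY get a compatibility `#define`; `GNUTLS_PKCS11_OBJ_ATTR_CRT`, `_MARKED_TRUSTED`, `_WITH_PRIVKEY` and `_MARKED_CA` vanish, so any caller outside lib/ (the diffstat is limited to lib) that spelled the combination itself, as verify-high2.c did before this commit, stops compiling. If the "API-backwards compatible" claim is meant to cover them, add `#define GNUTLS_PKCS11_OBJ_ATTR_CRT GNUTLS_PKCS11_OBJ_FLAG_CRT` and the three siblings next to the PUBKEY/PRIVKEY lines; if they are considered unreleased (the removed comment says "since GnuTLS 3.4.0"), say so in the commit message instead.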
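Review bot: The two compatibility macros expand their arguments unparenthesised, `attrs|flags`, so a caller passing a conditional such as `login ? GNUTLS_PKCS11_OBJ_FLAG_LOGIN : 0` as @flags expands to `(attrs|login) ? … : 0` and silently loses the attrs; write `(attrs)|(flags)` in both definitions. Turning two former functions into function-like macros also means that any code taking their address or declaring them `extern` now fails to compile or link, which is worth a sentence in the header comment, e.g. `/* compatibility macros; the exported functions are _url3/_url4 */`.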
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 3b72ed1013..33f2c78201 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -537,7 +537,7 @@ GNUTLS_3_4
 	gnutls_pkcs11_obj_import_url;
 	gnutls_pkcs11_obj_export_url;
 	gnutls_pkcs11_obj_deinit;
-	gnutls_pkcs11_obj_list_import_url;
+	gnutls_pkcs11_obj_list_import_url3;
 	gnutls_x509_crt_import_pkcs11;
 	gnutls_pkcs11_obj_get_type;
 	gnutls_x509_crt_list_import_pkcs11;
@@ -734,7 +734,7 @@ GNUTLS_3_4
 	gnutls_session_set_premaster;
 	gnutls_ocsp_resp_check_crt;
 	gnutls_pkcs11_get_pin_function;
-	gnutls_pkcs11_obj_list_import_url2;
+	gnutls_pkcs11_obj_list_import_url4;
 	gnutls_x509_trust_list_add_system_trust;
 	gnutls_x509_trust_list_add_trust_file;
 	gnutls_x509_trust_list_add_trust_mem;
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 7c0389adaa..d58c5bdd28 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -69,7 +69,7 @@ struct find_url_data_st {
 struct find_obj_data_st {
 	gnutls_pkcs11_obj_t *p_list;
 	unsigned int current;
-	gnutls_pkcs11_obj_attr_t flags;
+	unsigned int flags;
 	struct p11_kit_uri *info;
 };
 
@@ -2462,7 +2462,7 @@ find_objs_cb(struct pkcs11_session_info *sinfo,
 
 	memset(&plist, 0, sizeof(plist));
 
-	if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_WITH_PRIVKEY) {
+	if (find_data->flags & GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY) {
 		ret = find_privkeys(sinfo, tinfo, &plist);
 		if (ret < 0) {
 			gnutls_assert();
@@ -2486,7 +2486,7 @@ find_objs_cb(struct pkcs11_session_info *sinfo,
 		}
 	}
 
-	if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_CRT) {
+	if (find_data->flags & GNUTLS_PKCS11_OBJ_FLAG_CRT) {
 		class = CKO_CERTIFICATE;
 
 		a[tot_values].type = CKA_CLASS;
@@ -2503,7 +2503,7 @@ find_objs_cb(struct pkcs11_session_info *sinfo,
 		_gnutls_assert_log("p11 attrs: CKA_CLASS (CERT), CKA_CERTIFICATE_TYPE\n");
 	}
 
-	if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_PUBKEY) {
+	if (find_data->flags & GNUTLS_PKCS11_OBJ_FLAG_PUBKEY) {
 		class = CKO_PUBLIC_KEY;
 
 		a[tot_values].type = CKA_CLASS;
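Review bot: Dropping `gnutls_pkcs11_obj_list_import_url` and `gnutls_pkcs11_obj_list_import_url2` from the `GNUTLS_3_4` version node removes two symbols that the pkcs11.c hunks show have been exported since 2.12.0 and 3.1.0, so applications linked against a released library would fail at load time unless 3.4 ships with a new soname, which nothing in this diff establishes. If it does not, keep the old names exported as thin wrappers over url3/url4 (the header macros only help code that is recompiled) and say so in the commit message.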
@@ -2514,7 +2514,7 @@ find_objs_cb(struct pkcs11_session_info *sinfo,
 		_gnutls_assert_log("p11 attrs: CKA_CLASS (PUBLIC KEY)\n");
 	}
 
-	if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY) {
+	if (find_data->flags & GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY) {
 		class = CKO_PRIVATE_KEY;
 
 		a[tot_values].type = CKA_CLASS;
@@ -2525,7 +2525,7 @@ find_objs_cb(struct pkcs11_session_info *sinfo,
 		_gnutls_assert_log("p11 attrs: CKA_CLASS (PRIVATE KEY)\n");
 	}
 
-	if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED) {
+	if (find_data->flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED) {
 		trusted = 1;
 		a[tot_values].type = CKA_TRUSTED;
 		a[tot_values].value = &trusted;
@@ -2534,7 +2534,7 @@ find_objs_cb(struct pkcs11_session_info *sinfo,
 		_gnutls_assert_log("p11 attrs: CKA_TRUSTED\n");
 	}
 
-	if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_MARKED_CA) {
+	if (find_data->flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_CA) {
 		category = 2;
 		a[tot_values].type = CKA_CERTIFICATE_CATEGORY;
 		a[tot_values].value = &category;
@@ -2622,7 +2622,7 @@ find_objs_cb(struct pkcs11_session_info *sinfo,
 		}
 	}
 
-	if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY) {
+	if (find_data->flags & GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY) {
 		for (i = 0; i < plist.key_ids_size; i++) {
 			if (plist.key_ids[i].length != id.size
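Review bot: The mask replaced in the last hunk, `GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY`, was a two-bit OR, so the old test fired whenever either CRT or WITH_PRIVKEY was set, while the new `find_data->flags & GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY` fires only for WITH_PRIVKEY; that is a behaviour change inside what the commit message presents as a type merge. As far as these hunks show, `plist` is only filled under the WITH_PRIVKEY branch at line 2462, so the loop was a no-op in the CRT-only case and the narrowing looks safe, but it deserves either a sentence in the commit message or a comment, `/* plist is only populated when WITH_PRIVKEY was requested */`. The for loop and the enclosing find_objs_cb continue outside the hunk.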
@@ -2683,26 +2683,30 @@ find_objs_cb(struct pkcs11_session_info *sinfo,
 }
 
 /**
- * gnutls_pkcs11_obj_list_import_url:
+ * gnutls_pkcs11_obj_list_import_url3:
  * @p_list: An uninitialized object list (may be NULL)
  * @n_list: initially should hold the maximum size of the list. Will contain the actual size.
  * @url: A PKCS 11 url identifying a set of objects
- * @attrs: Attributes of type #gnutls_pkcs11_obj_attr_t that can be used to limit output
  * @flags: Or sequence of GNUTLS_PKCS11_OBJ_* flags
  *
  * This function will initialize and set values to an object list
  * by using all objects identified by a PKCS 11 URL.
  *
+ * The supported in this function @flags are %GNUTLS_PKCS11_OBJ_FLAG_LOGIN,
+ * %GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO, %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE,
+ * %GNUTLS_PKCS11_OBJ_FLAG_CRT, %GNUTLS_PKCS11_OBJ_FLAG_PUBKEY, %GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY,
+ * %GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY, %GNUTLS_PKCS11_OBJ_FLAG_MARK_CA,
+ * %GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED.
+ *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  * negative error value.
  *
- * Since: 2.12.0
+ * Since: 3.4.0
  **/
 int
-gnutls_pkcs11_obj_list_import_url(gnutls_pkcs11_obj_t * p_list,
+gnutls_pkcs11_obj_list_import_url3(gnutls_pkcs11_obj_t * p_list,
 				  unsigned int *n_list,
 				  const char *url,
-				  gnutls_pkcs11_obj_attr_t attrs,
 				  unsigned int flags)
 {
 	int ret;
@@ -2714,7 +2718,7 @@ gnutls_pkcs11_obj_list_import_url(gnutls_pkcs11_obj_t * p_list,
 	memset(&priv, 0, sizeof(priv));
 
 	/* fill in the find data structure */
-	priv.flags = attrs;
+	priv.flags = flags;
 
 	if (url == NULL || url[0] == 0) {
 		url = "pkcs11:";
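Review bot: The added paragraph `The supported in this function @flags are …` is ungrammatical and, more importantly, says nothing about what happens to flags outside that list; nothing visible rejects them, so a caller passing e.g. `GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED` and expecting a filtered list gets every matching object instead. Reword it to `The @flags supported by this function are …; any other flag is ignored.` (or reject them, see the next hunk), and note that RETRIEVE_TRUSTED is accepted as an alias of MARK_TRUSTED since the header now defines it so. The function body continues outside the hunk.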
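Review bot: `priv.flags = flags;` now forwards the whole flag word to find_objs_cb, which the earlier hunks show only consults CRT, PUBKEY, PRIVKEY, WITH_PRIVKEY, MARK_TRUSTED and MARK_CA; a filter-style flag outside the documented set is silently dropped, and for a trust-anchor enumeration that means a less restrictive result than the caller asked for. Consider rejecting unknown bits before the copy: `if (flags & ~(GNUTLS_PKCS11_OBJ_FLAG_LOGIN|GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO|GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_PUBKEY|GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY|GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);`. Whether LOGIN, LOGIN_SO and PRESENT_IN_TRUSTED_MODULE are actually honoured is decided outside this hunk, so the mask should be checked against the code that consumes priv.flags; gnutls_pkcs11_obj_list_import_url4 needs the same guard.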
@@ -2757,11 +2761,10 @@ gnutls_pkcs11_obj_list_import_url(gnutls_pkcs11_obj_t * p_list,
 }
 
 /**
- * gnutls_pkcs11_obj_list_import_url2:
+ * gnutls_pkcs11_obj_list_import_url4:
  * @p_list: An uninitialized object list (may be NULL)
  * @n_list: It will contain the size of the list.
  * @url: A PKCS 11 url identifying a set of objects
- * @attrs: Attributes of type #gnutls_pkcs11_obj_attr_t that can be used to limit output
  * @flags: Or sequence of GNUTLS_PKCS11_OBJ_* flags
  *
  * This function will initialize and set values to an object list
@@ -2771,16 +2774,21 @@ gnutls_pkcs11_obj_list_import_url(gnutls_pkcs11_obj_t * p_list,
  * All returned objects must be deinitialized using gnutls_pkcs11_obj_deinit(),
  * and @p_list must be free'd using gnutls_free().
  *
+ * The supported in this function @flags are %GNUTLS_PKCS11_OBJ_FLAG_LOGIN,
+ * %GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO, %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE,
+ * %GNUTLS_PKCS11_OBJ_FLAG_CRT, %GNUTLS_PKCS11_OBJ_FLAG_PUBKEY, %GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY,
+ * %GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY, %GNUTLS_PKCS11_OBJ_FLAG_MARK_CA,
+ * %GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED.
+ *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  * negative error value.
  *
- * Since: 3.1.0
+ * Since: 3.4.0
  **/
 int
-gnutls_pkcs11_obj_list_import_url2(gnutls_pkcs11_obj_t ** p_list,
+gnutls_pkcs11_obj_list_import_url4(gnutls_pkcs11_obj_t ** p_list,
 				   unsigned int *n_list,
 				   const char *url,
-				   gnutls_pkcs11_obj_attr_t attrs,
 				   unsigned int flags)
 {
 	int ret;
@@ -2791,7 +2799,7 @@ gnutls_pkcs11_obj_list_import_url2(gnutls_pkcs11_obj_t ** p_list,
 	memset(&priv, 0, sizeof(priv));
 
 	/* fill in the find data structure */
-	priv.flags = attrs;
+	priv.flags = flags;
 
 	if (url == NULL || url[0] == 0) {
 		url = "pkcs11:";
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 7d754d1c47..96d61a81ac 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -367,7 +367,7 @@ advance_iter(gnutls_x509_trust_list_t list,
 	if (list->pkcs11_token != NULL) {
 		if (iter->pkcs11_list == NULL) {
 			ret = gnutls_pkcs11_obj_list_import_url2(&iter->pkcs11_list, &iter->pkcs11_size,
-				list->pkcs11_token, GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA, 0);
+				list->pkcs11_token, (GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED), 0);
 			if (ret < 0)
 				return gnutls_assert_val(ret);
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
index dda1b131a5..09eefd4000 100644
--- a/lib/x509/verify-high2.c
+++ b/lib/x509/verify-high2.c
@@ -191,7 +191,7 @@ int add_trust_list_pkcs11_object_url(gnutls_x509_trust_list_t list, const char *
 
 	ret = gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size, url,
-						 GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL|GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED,
+						 GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED,
 						 0);
 	if (ret < 0)
 		return gnutls_assert_val(ret);
@@ -239,7 +239,7 @@ int remove_pkcs11_object_url(gnutls_x509_trust_list_t list, const char *url)
 
 	ret = gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size, url,
-						 GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL|GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED,
+						 GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED,
 						 0);
 	if (ret < 0)
 		return gnutls_assert_val(ret);
@@ -330,7 +330,9 @@ gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
 
 		/* enumerate the certificates */
 		ret = gnutls_pkcs11_obj_list_import_url(NULL, &pcrt_list_size,
-					ca_file, GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA, 0);
+					ca_file,
+					(GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED),
+					0);
 		if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
 			return gnutls_assert_val(ret);
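Review bot: The in-tree callers in verify-high.c and verify-high2.c keep going through the five-argument compatibility macros with a trailing `0`, and spell out `GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED` where the header already names that exact combination `GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA`. Library code should not depend on the shim it ships for third parties; in gnutls_x509_trust_list_add_trust_file call the real entry point, `ret = gnutls_pkcs11_obj_list_import_url3(NULL, &pcrt_list_size, ca_file, GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA);`, and likewise url4 with `GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED` in the two verify-high2.c hunks, so the trust-anchor filter (CKA_TRUSTED plus CKA_CERTIFICATE_CATEGORY, per the pkcs11.c hunks) stays defined in one named place. The enclosing functions start and end outside these hunks.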