-rw-r--r--lib/includes/gnutls/pkcs11.h16
-rw-r--r--lib/pkcs11_write.c81
2 files changed, 60 insertions, 37 deletions
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index b68b92459f..9280181dbf 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -196,13 +196,21 @@ int gnutls_pkcs11_get_raw_issuer_by_dn (const char *url, const gnutls_datum_t *d
int gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
unsigned int flags);
-int gnutls_pkcs11_copy_x509_crt(const char *token_url,
+#define gnutls_pkcs11_copy_x509_crt(url, crt, label, flags) \
+ gnutls_pkcs11_copy_x509_crt2(url, crt, label, NULL, flags)
+
+int gnutls_pkcs11_copy_x509_crt2(const char *token_url,
gnutls_x509_crt_t crt,
- const char *label, unsigned int flags
- /* GNUTLS_PKCS11_OBJ_FLAG_* */ );
-int gnutls_pkcs11_copy_x509_privkey(const char *token_url,
+ const char *label,
+ const gnutls_datum_t *id,
+ unsigned int flags /* GNUTLS_PKCS11_OBJ_FLAG_* */);
+
+#define gnutls_pkcs11_copy_x509_privkey(url, key, label, usage, flags) \
+ gnutls_pkcs11_copy_x509_privkey2(url, key, label, NULL, usage, flags)
+int gnutls_pkcs11_copy_x509_privkey2(const char *token_url,
gnutls_x509_privkey_t key,
const char *label,
+ const gnutls_datum_t *cid,
unsigned int key_usage
/*GNUTLS_KEY_* */ ,
unsigned int flags
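Review bot: Turning the exported functions `gnutls_pkcs11_copy_x509_crt` and `gnutls_pkcs11_copy_x509_privkey` into macros at L17-L18 and L29-L30 removes their declarations from the public header, and nothing in this diff keeps the old symbols defined in the library. Binaries already linked against those symbols, and any code that takes the function's address (`&gnutls_pkcs11_copy_x509_crt`) or references it without calling it, will break unless a compatibility definition and symbol-map entry exist elsewhere, which this view does not show. If source compatibility alone is intended, say so in a comment next to the macros, e.g. `/* Source-compatible wrappers; the *2 variants take an explicit CKA_ID. */`, and confirm the old symbols stay in the version script. The macro arguments are only forwarded as call arguments, so the missing parentheses are harmless here.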
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index 2fa4ce6021..b070f9590c 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -70,10 +70,11 @@ static void mark_flags(unsigned flags, struct ck_attribute *a, unsigned *a_val)
}
/**
- * gnutls_pkcs11_copy_x509_crt:
+ * gnutls_pkcs11_copy_x509_crt2:
* @token_url: A PKCS #11 URL specifying a token
- * @crt: A certificate
- * @label: A name to be used for the stored data
+ * @crt: The certificate to copy
+ * @label: The name to be used for the stored data
+ * @cid: The CKA_ID to set for the object -if NULL, the ID will be derived from the public key
* @flags: One of GNUTLS_PKCS11_OBJ_FLAG_*
*
* This function will copy a certificate into a PKCS #11 token specified by
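Review bot: The `@cid` text at L52 says the ID is derived from the public key when NULL, but the implementation in a later hunk of this file first uses the certificate's Subject Key Identifier extension and only falls back to the public-key hash when that extension is absent, and it also treats a non-NULL datum with `size == 0` as "derive". Suggested wording: `@cid: The CKA_ID to set for the object; if NULL or empty, the certificate's Subject Key Identifier is used, falling back to a hash of the public key`. Since a Subject Key Identifier need not equal the hash of the public key, a caller that wants the certificate and its private key to end up with the same CKA_ID should pass the same explicit @cid to both copy functions; that is worth stating here, as it appears to be the reason for the new parameter.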
@@ -84,11 +85,12 @@ static void mark_flags(unsigned flags, struct ck_attribute *a, unsigned *a_val)
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
- * Since: 2.12.0
+ * Since: 3.4.0
**/
int
-gnutls_pkcs11_copy_x509_crt(const char *token_url,
+gnutls_pkcs11_copy_x509_crt2(const char *token_url,
gnutls_x509_crt_t crt, const char *label,
+ const gnutls_datum_t *cid,
unsigned int flags)
{
int ret;
@@ -149,25 +151,30 @@ gnutls_pkcs11_copy_x509_crt(const char *token_url,
goto cleanup;
}
- id_size = sizeof(id);
- ret = gnutls_x509_crt_get_subject_key_id(crt, id, &id_size, NULL);
- if (ret < 0) {
- id_size = sizeof(id);
- ret = gnutls_x509_crt_get_key_id(crt, 0, id, &id_size);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
- }
-
- /* FIXME: copy key usage flags */
-
a[0].type = CKA_CLASS;
a[0].value = &class;
a[0].value_len = sizeof(class);
+
a[1].type = CKA_ID;
- a[1].value = id;
- a[1].value_len = id_size;
+ if (cid == NULL || cid->size == 0) {
+ id_size = sizeof(id);
+ ret = gnutls_x509_crt_get_subject_key_id(crt, id, &id_size, NULL);
+ if (ret < 0) {
+ id_size = sizeof(id);
+ ret = gnutls_x509_crt_get_key_id(crt, 0, id, &id_size);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ }
+
+ a[1].value = id;
+ a[1].value_len = id_size;
+ } else {
+ a[1].value = cid->data;
+ a[1].value_len = cid->size;
+ }
+
a[2].type = CKA_VALUE;
a[2].value = der;
a[2].value_len = der_size;
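Review bot: The explicit-ID branch at L108-L111 hands `cid->data` and `cid->size` to the token unchecked, so a caller passing a datum with `size > 0` and `data == NULL` reaches C_CreateObject with a NULL CKA_ID value of non-zero length. Rejecting that before building the template keeps the failure inside gnutls with a clear error, e.g. `if (cid != NULL && cid->size != 0 && cid->data == NULL) { gnutls_assert(); ret = GNUTLS_E_INVALID_REQUEST; goto cleanup; }`. As a matter of style, the ID derivation is now interleaved with the `a[]` attribute setup; resolving the ID into a pointer/length pair above the table would let the attribute list read as a straight sequence, as it did before. The enclosing function continues past this hunk, and the `cleanup` label it jumps to is outside this view.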
@@ -177,6 +184,7 @@ gnutls_pkcs11_copy_x509_crt(const char *token_url,
a[4].type = CKA_CERTIFICATE_TYPE;
a[4].value = &type;
a[4].value_len = sizeof(type);
+ /* FIXME: copy key usage flags */
a_val = 5;
@@ -316,10 +324,11 @@ gnutls_pkcs11_copy_attached_extension(const char *token_url,
}
/**
- * gnutls_pkcs11_copy_x509_privkey:
+ * gnutls_pkcs11_copy_x509_privkey2:
* @token_url: A PKCS #11 URL specifying a token
* @key: A private key
* @label: A name to be used for the stored data
+ * @cid: The CKA_ID to set for the object -if NULL, the ID will be derived from the public key
* @key_usage: One of GNUTLS_KEY_*
* @flags: One of GNUTLS_PKCS11_OBJ_* flags
*
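Review bot: The `@cid` description at L130 documents only the NULL case, but the implementation in a later hunk also derives the ID when a non-NULL datum has `size == 0` (`cid == NULL || cid->size == 0`), so an empty datum is silently treated as "no ID given" rather than as an error. Either document it, e.g. `@cid: The CKA_ID to set for the object; if NULL or empty, the ID is derived from the public key`, or make the empty case an explicit `GNUTLS_E_INVALID_REQUEST` so callers cannot accidentally fall back to a derived ID. The function's doc block continues past this hunk.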
@@ -330,12 +339,13 @@ gnutls_pkcs11_copy_attached_extension(const char *token_url,
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
- * Since: 2.12.0
+ * Since: 3.4.0
**/
int
-gnutls_pkcs11_copy_x509_privkey(const char *token_url,
+gnutls_pkcs11_copy_x509_privkey2(const char *token_url,
gnutls_x509_privkey_t key,
const char *label,
+ const gnutls_datum_t *cid,
unsigned int key_usage, unsigned int flags)
{
int ret;
@@ -375,14 +385,6 @@ gnutls_pkcs11_copy_x509_privkey(const char *token_url,
return ret;
}
- id_size = sizeof(id);
- ret = gnutls_x509_privkey_get_key_id(key, 0, id, &id_size);
- if (ret < 0) {
- p11_kit_uri_free(info);
- gnutls_assert();
- return ret;
- }
-
ret =
pkcs11_open_session(&sinfo, NULL, info,
SESSION_WRITE |
@@ -404,8 +406,21 @@ gnutls_pkcs11_copy_x509_privkey(const char *token_url,
a_val++;
a[a_val].type = CKA_ID;
- a[a_val].value = id;
- a[a_val].value_len = id_size;
+ if (cid == NULL || cid->size == 0) {
+ id_size = sizeof(id);
+ ret = gnutls_x509_privkey_get_key_id(key, 0, id, &id_size);
+ if (ret < 0) {
+ p11_kit_uri_free(info);
+ gnutls_assert();
+ return ret;
+ }
+
+ a[a_val].value = id;
+ a[a_val].value_len = id_size;
+ } else {
+ a[a_val].value = cid->data;
+ a[a_val].value_len = cid->size;
+ }
a_val++;
a[a_val].type = CKA_SIGN;
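Review bot: The failure path at L172-L176 was moved from before `pkcs11_open_session()` (the removed lines in the hunk above) to after it, yet it still only frees `info` and returns, so when `gnutls_x509_privkey_get_key_id()` fails the session opened into `sinfo` is never closed. Whether `info` is even still live at this point depends on code outside the hunk: if the function releases it right after opening the session, the `p11_kit_uri_free(info)` at L173 is now a double free on top of the leaked session. The error should unwind through whatever the function does for later failures, e.g. `gnutls_assert(); goto cleanup;` if a cleanup label that closes the session exists, or at minimum `pkcs11_close_session(&sinfo);` before the return. The enclosing function begins and ends outside this hunk.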