-rw-r--r-- | lib/includes/gnutls/pkcs11.h | 4 | ||||
-rw-r--r-- | lib/pkcs11.c | 21 | ||||
-rw-r--r-- | lib/pkcs11_write.c | 7 |
3 files changed, 30 insertions, 2 deletions
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index d61d34f41b..e7a57d96a7 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -101,6 +101,7 @@ void gnutls_pkcs11_obj_set_pin_function(gnutls_pkcs11_obj_t obj,
  * @GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY: When retrieving an object, do not set any requirements (store).
  * @GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED: When retrieving an object, only retrieve the marked as trusted (alias to %GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED).
  * In gnutls_pkcs11_crt_is_known() it implies %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_COMPARE if %GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY is not given.
+ * @GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED: When writing an object, mark it as distrusted (store).
  * @GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED: When retrieving an object, only retrieve the marked as distrusted (seek).
  * @GNUTLS_PKCS11_OBJ_FLAG_COMPARE: When checking an object's presence, fully compare it before returning any result (seek).
  * @GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY: When checking an object's presence, compare the key before returning any result (seek).
@@ -129,7 +130,8 @@ typedef enum gnutls_pkcs11_obj_flags {
 	GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE = (1<<5),
 	GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY = (1<<6),
 	GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED = GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED,
-	GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED = (1<<8),
+	GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED = (1<<8),
+	GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED = GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED,
 	GNUTLS_PKCS11_OBJ_FLAG_COMPARE = (1<<9),
 	GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE = (1<<10),
 	GNUTLS_PKCS11_OBJ_FLAG_MARK_CA = (1<<11),
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index ff618a7116..2c2480f115 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
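Review bot: The new doc line for GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED describes only the store use, yet the enum hunk below turns GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED into an alias of it, so the same bit now also drives the seek path (find_objs_cb in lib/pkcs11.c adds CKA_X_DISTRUSTED to the search template when it is set). Mirror the RETRIEVE_TRUSTED entry and say so: ` * @GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED: When writing an object, mark it as distrusted (store). Aliased by %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED.` The numeric value stays (1<<8), so callers already passing RETRIEVE_DISTRUSTED are unaffected, which is worth stating in the commit message. CKA_X_DISTRUSTED is not a base PKCS#11 attribute (the CKA_X_ prefix suggests a vendor extension), so the doc could also warn that a module without it will presumably reject the template rather than store the mark — please confirm against the write path before wording it as fact.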
@@ -1796,6 +1796,14 @@ pkcs11_import_object(ck_object_handle_t ctx, ck_object_class_t class,
 	if (rv == CKR_OK && b != 0)
 		pobj->flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED;
+	a[0].type = CKA_X_DISTRUSTED;
+	a[0].value = &b;
+	a[0].value_len = sizeof(b);
+
+	rv = pkcs11_get_attribute_value(sinfo->module, sinfo->pks, ctx, a, 1);
+	if (rv == CKR_OK && b != 0)
+		pobj->flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED;
+
 	a[0].type = CKA_SENSITIVE;
 	a[0].value = &b;
 	a[0].value_len = sizeof(b);
@@ -2754,7 +2762,6 @@ find_objs_cb(struct ck_function_list *module, struct pkcs11_session_info *sinfo,
 		type = CKC_X_509;
 	}
-
 	if (find_data->flags & GNUTLS_PKCS11_OBJ_FLAG_CRT) {
 		class = CKO_CERTIFICATE;
@@ -2803,6 +2810,15 @@ find_objs_cb(struct ck_function_list *module, struct pkcs11_session_info *sinfo,
 		_gnutls_assert_log("p11 attrs: CKA_TRUSTED\n");
 	}
+	if (find_data->flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED) {
+		trusted = 1;
+		a[tot_values].type = CKA_X_DISTRUSTED;
+		a[tot_values].value = &trusted;
+		a[tot_values].value_len = sizeof trusted;
+		tot_values++;
+		_gnutls_assert_log("p11 attrs: CKA_X_DISTRUSTED\n");
+	}
+
 	if (find_data->flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_CA) {
 		category = 2;
 		a[tot_values].type = CKA_CERTIFICATE_CATEGORY;
@@ -4117,6 +4133,9 @@ char *gnutls_pkcs11_obj_flags_get_str(unsigned int flags)
 	if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)
 		_gnutls_buffer_append_str(&str, "CKA_TRUSTED; ");
+	if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED)
+		_gnutls_buffer_append_str(&str, "CKA_X_DISTRUSTED; ");
+
 	if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_EXTRACTABLE)
 		_gnutls_buffer_append_str(&str, "CKA_EXTRACTABLE; ");
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index 79c1f93c9e..eb867d8755 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
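Review bot: Nothing in the pkcs11_import_object hunk clears GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED when the module also reports CKA_X_DISTRUSTED, so an object carrying both attributes comes back with both flag bits set and any consumer that tests MARK_TRUSTED first still treats a blacklisted object as trusted. A distrust mark is an explicit override, so the new branch should make it win: `if (rv == CKR_OK && b != 0) { pobj->flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED; pobj->flags &= ~GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED; }` — or, if both bits are meant to stay visible, the precedence needs to be documented where the flags are consumed. The new query also reuses `b` still holding the CKA_TRUSTED answer; the `rv == CKR_OK` guard covers a failed call, but a module that returns CKR_OK without writing the value would leave the previous answer in place, so `b = 0;` before the call is cheap insurance. pkcs11_import_object begins and ends outside this hunk.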
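Review bot: The new find_objs_cb branch appends a CKA_X_DISTRUSTED entry to the search template right after the CKA_TRUSTED one, so a caller passing both GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED and GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED gets a template that asks for CKA_TRUSTED=1 and CKA_X_DISTRUSTED=1 at once, which silently matches nothing instead of being reported as a contradictory request; rejecting that combination before the template is built (outside the hunk) would be clearer. The declaration of `a` is also outside the hunk; if it is sized to the maximum number of template attributes it now needs one more slot, otherwise `a[tot_values]` here writes past the end — please check. Since this is the seek path, testing the flag under its seek name, `if (find_data->flags & GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED) {`, would read better; the header hunk makes the two names the same bit.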
@@ -44,6 +44,13 @@ static void mark_flags(unsigned flags, struct ck_attribute *a, unsigned *a_val)
 		(*a_val)++;
 	}
+	if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED) {
+		a[*a_val].type = CKA_X_DISTRUSTED;
+		a[*a_val].value = (void *) &tval;
+		a[*a_val].value_len = sizeof(tval);
+		(*a_val)++;
+	}
+
 	if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED) {
 		a[*a_val].type = CKA_TRUSTED;
 		a[*a_val].value = (void *) &tval;
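Review bot: mark_flags is void and cannot report a bad combination, so with this hunk a caller passing both GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED and GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED gets a template with CKA_X_DISTRUSTED=true followed by CKA_TRUSTED=true and the object is created carrying both marks — exactly the contradictory state a trust store should never hold. The pair should be rejected up front by the caller of mark_flags (outside this hunk), e.g. `if ((flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED) && (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED)) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);`. The template `a` is caller-provided and the new entry is stored at `a[*a_val]` with no bound check, like the existing ones, so every caller's array size needs one more slot — worth verifying. CKA_X_DISTRUSTED looks like a vendor-extension attribute; a module that does not know it will presumably fail the create rather than ignore it, which is the safe outcome, but a one-line comment above the new block would save the next reader the question: `/* CKA_X_DISTRUSTED is a non-standard attribute; modules that lack it are expected to reject the template */`.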