-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | lib/pkcs11.c | 2 | ||||
-rwxr-xr-x | tests/testpkcs11.sh | 20 |
3 files changed, 25 insertions, 1 deletions
@@ -25,6 +25,10 @@ See the end for copying conditions.
 a certificate. We were already enforcing the signature algorithm, but there was a bug in parameter checking code.
+** libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable
+ session, as non-writeable security officer sessions are undefined in PKCS#11
+ (#721).
+
 ** libgnutls: no longer send downgrade sentinel in TLS 1.3. Previously the sentinel value was embedded to early in version negotiation and was sent even on TLS 1.3. It is now sent only when
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 2ec642bf8a..de5309b296 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -2254,7 +2254,7 @@ unsigned int pkcs11_obj_flags_to_int(unsigned int flags)
 ret_flags |= SESSION_LOGIN | SESSION_FORCE_LOGIN;
 
 if (flags & GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO)
- ret_flags |= SESSION_LOGIN | SESSION_SO | SESSION_FORCE_LOGIN;
+ ret_flags |= SESSION_LOGIN | SESSION_SO | SESSION_FORCE_LOGIN | SESSION_WRITE;
 
 if (flags & GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE)
 ret_flags |= SESSION_TRUSTED;
diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
index 49acc0ff9f..e98fb8ed4a 100755
--- a/tests/testpkcs11.sh
+++ b/tests/testpkcs11.sh
@@ -341,6 +341,24 @@ export_pubkey_of_privkey () {
 }
 
 # $1: token
+# $2: SO PIN
+# $3: bits
+list_pubkey_as_so () {
+ export GNUTLS_SO_PIN="$2"
+ token="$1"
+ bits="$3"
+
+ echo -n "* Exporting public key as SO... "
+ ${P11TOOL} ${ADDITIONAL_PARAM} --so-login --list-all "${token}" >>"${LOGFILE}" 2>&1
+ if test $? != 0; then
+ echo failed
+ exit 1
+ fi
+
+ echo ok
+}
+
+# $1: token
 # $2: PIN
 change_id_of_privkey () {
 export GNUTLS_PIN="$2"
@@ -599,6 +617,7 @@ write_certificate_test () {
 exit_error
 fi
 
+ echo ok
 rm -f ${TMPFILE}
 
 echo -n "* Trying to obtain back the cert... "
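Review bot: The line that ORs SESSION_WRITE into ret_flags for GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO gives no hint why a security-officer login now forces a read/write session, and a reader of pkcs11_obj_flags_to_int has only the NEWS entry to go on. PKCS#11 permits the SO to log in only to a R/W session, so a one-line comment above the `if` would keep that invariant from being "simplified" away later: `/* PKCS#11 allows SO login only on R/W sessions, so LOGIN_SO implies SESSION_WRITE */`. The diffstat shows no public header touched, so the flag's own documentation (presumably next to the enum) still does not mention that passing it now opens a writable session, which callers sharing the token with other sessions may want to know. pkcs11_obj_flags_to_int starts before this hunk and continues after it.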
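Review bot: In list_pubkey_as_so, `bits="$3"` is assigned but never read, and the only caller added in the second hunk passes two arguments, so `# $3: bits` documents a parameter that does not exist; both lines should go. The progress message `echo -n "* Exporting public key as SO... "` also describes an export while the command run is `--list-all`, so `echo -n "* Listing objects as SO... "` would match what ends up in the log. The failure path uses `exit 1` whereas the write_certificate_test hunk further down calls `exit_error`; using the same helper keeps failure handling in this file consistent. Note the check only verifies that `--so-login --list-all` exits 0, not that the expected public key appears in the listing, which is fine if the intent is purely to exercise SO login on a writable session but should then be stated in the function's comment.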
@@ -1091,6 +1110,7 @@ generate_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024
 change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
 export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
 change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+list_pubkey_as_so "${TOKEN}" "${GNUTLS_SO_PIN}"
 write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
 write_serv_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.key" |