-rw-r--r--src/p11tool-args.def13
-rw-r--r--src/p11tool.c9
2 files changed, 20 insertions, 2 deletions
diff --git a/src/p11tool-args.def b/src/p11tool-args.def
index b017ae9345..4213238420 100644
--- a/src/p11tool-args.def
+++ b/src/p11tool-args.def
@@ -259,6 +259,14 @@ flag = {
disabled;
descrip = "Marks the object to be written as trusted";
doc = "Marks the object to be generated/written with the CKA_TRUST flag.";
+ flags_cant = mark-distrusted;
+};
+
+flag = {
+ name = mark-distrusted;
+ descrip = "When retrieving objects, it requires the objects to be distrusted (blacklisted)";
+ doc = "Ensures that the objects retrieved have the CKA_X_TRUST flag.";
+ flags_cant = mark-trusted;
};
flag = {
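Review bot: The `doc` string of the new `mark-distrusted` flag names `CKA_X_TRUST`, which looks like a slip for the p11-kit attribute `CKA_X_DISTRUSTED`; as written, a reader of the manual cannot tell which attribute the filter tests. The text also covers only retrieval, while `mark-trusted` just above is documented for writing, so it should say whether `--mark-distrusted` has any effect on write operations. Suggested wording, to be confirmed against the attribute the library actually checks: `doc = "Ensures that the objects retrieved have the CKA_X_DISTRUSTED flag set.";`.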
@@ -298,6 +306,11 @@ flag = {
};
flag = {
+ name = distrusted;
+ aliases = mark-distrusted;
+};
+
+flag = {
name = ca;
aliases = mark-ca;
};
diff --git a/src/p11tool.c b/src/p11tool.c
index 53a76016e3..80bcad039c 100644
--- a/src/p11tool.c
+++ b/src/p11tool.c
@@ -88,9 +88,14 @@ unsigned opt_to_flags(common_info_st *cinfo, unsigned *key_usage)
/* else set the defaults of the token */
}
- if (ENABLED_OPT(MARK_TRUSTED))
+ if (HAVE_OPT(MARK_DISTRUSTED)) {
flags |=
- GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED;
+ GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED;
+ } else {
+ if (ENABLED_OPT(MARK_TRUSTED))
+ flags |=
+ GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED;
+ }
if (ENABLED_OPT(MARK_SIGN))
*key_usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
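Review bot: The new branch in `opt_to_flags` gives `MARK_DISTRUSTED` silent precedence over `MARK_TRUSTED`, and nothing at this site records why. A short comment would make the intent explicit, for example `/* distrust takes precedence; the two options are declared mutually exclusive (flags_cant) */`. The nested `else { if (...) }` can be flattened to `} else if (ENABLED_OPT(MARK_TRUSTED)) {`. The flag is OR-ed in here regardless of the operation, while the option text speaks only of retrieving objects, so it is worth checking that write paths receiving these flags handle it as intended. The function body starts and ends outside the hunk.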