Diffstat (limited to 'lib/pkcs11.c')
-rw-r--r--lib/pkcs11.c132
1 files changed, 103 insertions, 29 deletions
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 2ef0e3e025..d8d4a65114 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -889,7 +889,7 @@ static void compat_load(const char *configfile)
if (configfile == NULL)
configfile = "/etc/gnutls/pkcs11.conf";
- fp = fopen(configfile, "r");
+ fp = fopen(configfile, "re");
if (fp == NULL) {
gnutls_assert();
return;
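Review bot: The new `"re"` mode relies on the `e` (O_CLOEXEC) mode character, which is a glibc/musl extension only recently standardised in POSIX.1-2024; on a C library that rejects unknown mode characters, `fopen()` returns NULL with EINVAL and, because the failure branch just calls `gnutls_assert()` and returns, the configuration file would be silently skipped. If the project already requires glibc-compatible `fopen()` semantics that is fine, but the intent deserves a comment so nobody "fixes" it back: `fp = fopen(configfile, "re"); /* "e" = O_CLOEXEC, keeps the fd out of forked children */`. compat_load's body continues outside the hunk.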
@@ -1897,6 +1897,35 @@ int pkcs11_read_pubkey(struct ck_function_list *module,
}
break;
+#ifdef HAVE_CKM_EDDSA
+ case CKK_EC_EDWARDS:
+ a[0].type = CKA_EC_PARAMS;
+ a[0].value = tmp1;
+ a[0].value_len = tmp1_size;
+
+ a[1].type = CKA_EC_POINT;
+ a[1].value = tmp2;
+ a[1].value_len = tmp2_size;
+
+ if ((rv = pkcs11_get_attribute_value(module, pks, ctx, a, 2)) ==
+ CKR_OK) {
+
+ pobj->pubkey[0].data = a[0].value;
+ pobj->pubkey[0].size = a[0].value_len;
+
+ pobj->pubkey[1].data = a[1].value;
+ pobj->pubkey[1].size = a[1].value_len;
+
+ pobj->pubkey_size = 2;
+ } else {
+ gnutls_assert();
+
+ ret = pkcs11_rv_to_err(rv);
+ goto cleanup;
+ }
+
+ break;
+#endif
default:
_gnutls_debug_log("requested reading public key of unsupported type %u\n", (unsigned)key_type);
ret = gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
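Review bot: The new CKK_EC_EDWARDS arm hands `tmp1`/`tmp2` to `pobj->pubkey[0]`/`[1]` without saying who owns them afterwards, so a reader of the cleanup label (outside the hunk) has to work out that they must not be freed once `pobj->pubkey_size` is 2; a comment above the assignments such as `/* tmp1/tmp2 are now owned by pobj->pubkey; cleanup must not free them */` would state that, assuming, as the `ret = pkcs11_rv_to_err(rv); goto cleanup;` error path suggests, that cleanup releases them only on failure. As far as the hunk shows (the preceding arm ends with the same `} break;` at its top), the body is a copy of the CKK_EC arm; if so, a second `case CKK_EC_EDWARDS:` label under `#ifdef HAVE_CKM_EDDSA` placed in front of the CKK_EC body would avoid maintaining two copies. pkcs11_read_pubkey starts and ends outside the hunk.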
@@ -4112,6 +4141,8 @@ find_cert_cb(struct ck_function_list *module, struct pkcs11_session_info *sinfo,
a_vals++;
}
+ /* This doesn't do a proper comparison, see
+ * _gnutls_x509_compare_raw_dn() */
if (priv->dn.size > 0) {
a[a_vals].type = CKA_SUBJECT;
a[a_vals].value = priv->dn.data;
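Review bot: The added comment says the CKA_SUBJECT search is not a proper comparison but not what that means for a caller: the PKCS#11 template is presumably matched byte-for-byte against the DER the token stores, so a DN that is semantically equal but encoded differently (another string type, different case) is not found. The same callback appears to back the %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED lookup, where a miss means a distrusted certificate is reported as absent, which is worth stating next to the caveat: `/* CKA_SUBJECT is a byte-exact template match, not an X.509 DN comparison (cf. _gnutls_x509_compare_raw_dn()); a differently encoded DN is not found, which for RETRIEVE_DISTRUSTED means a missed entry */`. The same applies to the CKA_ISSUER comment added in the next hunk. find_cert_cb starts and ends outside both hunks.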
@@ -4126,6 +4157,7 @@ find_cert_cb(struct ck_function_list *module, struct pkcs11_session_info *sinfo,
a_vals++;
}
+ /* Same problem as for priv->dn */
if (priv->issuer_dn.size > 0) {
a[a_vals].type = CKA_ISSUER;
a[a_vals].value = priv->issuer_dn.data;
@@ -4515,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url,
return ret;
}
-/**
- * gnutls_pkcs11_crt_is_known:
- * @url: A PKCS 11 url identifying a token
- * @cert: is the certificate to find issuer for
- * @issuer: Will hold the issuer if any in an allocated buffer.
- * @fmt: The format of the exported issuer.
- * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
- *
- * This function will check whether the provided certificate is stored
- * in the specified token. This is useful in combination with
- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
- * to check whether a CA is present or a certificate is blacklisted in
- * a trust PKCS #11 module.
- *
- * This function can be used with a @url of "pkcs11:", and in that case all modules
- * will be searched. To restrict the modules to the marked as trusted in p11-kit
- * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
- *
- * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
- * specific to p11-kit trust modules.
- *
- * Returns: If the certificate exists non-zero is returned, otherwise zero.
- *
- * Since: 3.3.0
- **/
-unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
- unsigned int flags)
+unsigned
+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
+ unsigned int flags,
+ gnutls_x509_crt_t *trusted_cert)
{
int ret;
struct find_cert_st priv;
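Review bot: The new internal entry point `_gnutls_pkcs11_crt_is_known` takes over the public function's body but none of its documentation, and the contract of the added `trusted_cert` parameter is stated nowhere. A short header comment above the signature should say that when `trusted_cert` is non-NULL and the function returns non-zero, `*trusted_cert` is a newly initialised certificate imported from the matching token object which the caller must release with `gnutls_x509_crt_deinit()`, and that on a zero return `*trusted_cert` must not be used. The function's body runs past the end of the hunk.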
@@ -4554,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
memset(&priv, 0, sizeof(priv));
+ if (trusted_cert) {
+ ret = gnutls_pkcs11_obj_init(&priv.obj);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ priv.need_import = 1;
+ }
+
if (url == NULL || url[0] == 0) {
url = "pkcs11:";
}
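Review bot: When `gnutls_pkcs11_obj_init()` fails, the new block jumps to cleanup with `ret` still negative; the function is declared `unsigned`, and the other new error path later in the same function explicitly writes `ret = 0;` before its `goto cleanup`, which strongly suggests cleanup returns `ret` (the return statement is outside the hunk). If so, an allocation failure here is returned as a large non-zero value, i.e. the certificate is reported as known, which for a trust lookup is the unsafe direction. Change the branch to `if (ret < 0) { gnutls_assert(); ret = 0; goto cleanup; }`. The same omission is in the re-initialisation block of the following hunk, after the subject-DN retry.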
@@ -4600,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
_gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n");
/* attempt searching with the subject DN only */
gnutls_assert();
+ if (priv.obj)
+ gnutls_pkcs11_obj_deinit(priv.obj);
gnutls_free(priv.serial.data);
memset(&priv, 0, sizeof(priv));
+ if (trusted_cert) {
+ ret = gnutls_pkcs11_obj_init(&priv.obj);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ priv.need_import = 1;
+ }
priv.crt = cert;
priv.flags = flags;
@@ -4618,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
goto cleanup;
}
+ if (trusted_cert) {
+ ret = gnutls_x509_crt_init(trusted_cert);
+ if (ret < 0) {
+ gnutls_assert();
+ ret = 0;
+ goto cleanup;
+ }
+ ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj);
+ if (ret < 0) {
+ gnutls_assert();
+ gnutls_x509_crt_deinit(*trusted_cert);
+ ret = 0;
+ goto cleanup;
+ }
+ }
ret = 1;
cleanup:
+ if (priv.obj)
+ gnutls_pkcs11_obj_deinit(priv.obj);
if (info)
p11_kit_uri_free(info);
gnutls_free(priv.serial.data);
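Review bot: When `gnutls_x509_crt_import_pkcs11()` fails, `*trusted_cert` is deinitialised but left pointing at the freed object, so a caller that inspects the out-parameter regardless of the zero return holds a dangling handle; add `*trusted_cert = NULL;` after the `gnutls_x509_crt_deinit(*trusted_cert);`. It would be consistent to do the same on the `gnutls_x509_crt_init()` failure path unless that call is known to null the output itself, which the hunk cannot show. _gnutls_pkcs11_crt_is_known starts and ends outside the hunk.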
@@ -4629,6 +4673,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
}
/**
+ * gnutls_pkcs11_crt_is_known:
+ * @url: A PKCS 11 url identifying a token
+ * @cert: is the certificate to find issuer for
+ * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
+ *
+ * This function will check whether the provided certificate is stored
+ * in the specified token. This is useful in combination with
+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
+ * to check whether a CA is present or a certificate is blacklisted in
+ * a trust PKCS #11 module.
+ *
+ * This function can be used with a @url of "pkcs11:", and in that case all modules
+ * will be searched. To restrict the modules to the marked as trusted in p11-kit
+ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
+ *
+ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
+ * specific to p11-kit trust modules.
+ *
+ * Returns: If the certificate exists non-zero is returned, otherwise zero.
+ *
+ * Since: 3.3.0
+ **/
+unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
+ unsigned int flags)
+{
+ return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL);
+}
+
+/**
* gnutls_pkcs11_obj_get_flags:
* @obj: The pkcs11 object
* @oflags: Will hold the output flags
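Review bot: The restored documentation block still describes `@cert` as "the certificate to find issuer for", a leftover from the issuer-lookup comment that does not match the function, which checks whether the certificate itself is present; the `@issuer`/`@fmt` lines were rightly dropped in the move and this one should follow: `* @cert: the certificate whose presence in the token is checked`. Since the wrapper now delegates to `_gnutls_pkcs11_crt_is_known()` with a NULL trusted certificate, the comment could also mention that no object is returned from this variant.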