From bb40e3ec1d31becc97afe92d53f30efc46d3324c Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 26 Sep 2016 14:24:31 +0200
Subject: p11tool: introduced the --mark-distrusted and --distrusted options

This allows to mark objects as distrusted, as well as list all distrusted certificates (blacklisted) for a p11-kit trust module as: p11tool --list-all-certs --distrusted
---
 src/p11tool-args.def | 13 +++++++++++++
 src/p11tool.c | 9 +++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/p11tool-args.def b/src/p11tool-args.def
index b017ae9345..4213238420 100644
--- a/src/p11tool-args.def
+++ b/src/p11tool-args.def
@@ -259,6 +259,14 @@ flag = {
 disabled;
 descrip = "Marks the object to be written as trusted";
 doc = "Marks the object to be generated/written with the CKA_TRUST flag.";
+ flags_cant = mark-distrusted;
+};
+
+flag = {
+ name = mark-distrusted;
+ descrip = "When retrieving objects, it requires the objects to be distrusted (blacklisted)";
+ doc = "Ensures that the objects retrieved have the CKA_X_TRUST flag.";
+ flags_cant = mark-trusted;
 };
 
 flag = {
@@ -297,6 +305,11 @@ flag = {
 aliases = mark-trusted;
 };
 
+flag = {
+ name = distrusted;
+ aliases = mark-distrusted;
+};
+
 flag = {
 name = ca;
 aliases = mark-ca;
diff --git a/src/p11tool.c b/src/p11tool.c
index 53a76016e3..80bcad039c 100644
--- a/src/p11tool.c
+++ b/src/p11tool.c
@@ -88,9 +88,14 @@ unsigned opt_to_flags(common_info_st *cinfo, unsigned *key_usage)
 /* else set the defaults of the token */
 }
 
- if (ENABLED_OPT(MARK_TRUSTED))
+ if (HAVE_OPT(MARK_DISTRUSTED)) {
 flags |=
- GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED;
+ GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED;
+ } else {
+ if (ENABLED_OPT(MARK_TRUSTED))
+ flags |=
+ GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED;
+ }
 
 if (ENABLED_OPT(MARK_SIGN))
 *key_usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
-- 
cgit v1.2.1
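Review bot: The descrip of the new mark-distrusted flag describes only retrieval ("When retrieving objects, it requires the objects to be distrusted"), yet the commit message and the p11tool.c hunk also use it to mark a written object as distrusted, the counterpart of mark-trusted's "Marks the object to be written as trusted". Naming both roles keeps the --write path discoverable from the help text, e.g. `descrip = "Marks the object to be written as distrusted, or requires retrieved objects to be distrusted (blacklisted)";`. The doc line refers to a CKA_X_TRUST flag; if the p11-kit attribute actually meant is CKA_X_DISTRUSTED, the doc line should name that one, since an attribute name in user-facing help that does not match the trust module is hard to notice later.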
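Review bot: The new else branch wraps a lone if in its own block; collapsing it to `} else if (ENABLED_OPT(MARK_TRUSTED)) {` with the flags assignment inside and a single closing `}` reads as the two-way choice it is and removes one indentation level. The precedence given to MARK_DISTRUSTED when both options are present is unreachable only because p11tool-args.def declares the two flags as flags_cant of each other, so a comment such as `/* --mark-distrusted and --mark-trusted are mutually exclusive (flags_cant); distrusted is preferred defensively */` would make that cross-file dependence visible where the flags are combined. opt_to_flags begins and ends outside this hunk.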