From e4c83eea960a43a38814ffd19cc5aae8ff1d206d Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 13 Mar 2019 15:14:37 +0100
Subject: pkcs11: security officer login implies writable session
According to the PKCS#11 v2.30, 6.7.1 there are no read-only Security Officer sessions.
Resolves: #721
Signed-off-by: Nikos Mavrogiannopoulos
---
 NEWS | 4 ++++
 lib/pkcs11.c | 2 +-
 tests/testpkcs11.sh | 20 ++++++++++++++++++++
 3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 885a19c8d7..422ccea685 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,10 @@ See the end for copying conditions.
 a certificate. We were already enforcing the signature algorithm, but there was a bug in parameter checking code.
+** libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable
+ session, as non-writeable security officer sessions are undefined in PKCS#11
+ (#721).
+
 ** libgnutls: no longer send downgrade sentinel in TLS 1.3. Previously the sentinel value was embedded to early in version negotiation and was sent even on TLS 1.3. It is now sent only when
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index fbe2b48f22..ea08fd0906 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -2254,7 +2254,7 @@ unsigned int pkcs11_obj_flags_to_int(unsigned int flags)
 ret_flags |= SESSION_LOGIN | SESSION_FORCE_LOGIN;
 if (flags & GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO)
- ret_flags |= SESSION_LOGIN | SESSION_SO | SESSION_FORCE_LOGIN;
+ ret_flags |= SESSION_LOGIN | SESSION_SO | SESSION_FORCE_LOGIN | SESSION_WRITE;
 if (flags & GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE)
 ret_flags |= SESSION_TRUSTED;
diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh
index 49acc0ff9f..e98fb8ed4a 100755
--- a/tests/testpkcs11.sh
+++ b/tests/testpkcs11.sh
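Review bot: In lib/pkcs11.c, the new `SESSION_WRITE` bit in the `GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO` branch of pkcs11_obj_flags_to_int has no comment, so the reason for it exists only in the commit message and NEWS. A comment on that line such as `/* PKCS#11 v2.30, 6.7.1: there are no read-only SO sessions, so SO login needs a R/W session */` would keep a later cleanup from dropping the bit as redundant. It is also worth stating in the documentation of `GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO` (not visible in this patch) that every caller passing the flag, including read-only operations such as listing, now gets a writable security-officer session on the token. The function body starts and ends outside the hunk.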
@@ -340,6 +340,24 @@ export_pubkey_of_privkey () {
 echo ok
 }
+# $1: token
+# $2: SO PIN
+# $3: bits
+list_pubkey_as_so () {
+ export GNUTLS_SO_PIN="$2"
+ token="$1"
+ bits="$3"
+
+ echo -n "* Exporting public key as SO... "
+ ${P11TOOL} ${ADDITIONAL_PARAM} --so-login --list-all "${token}" >>"${LOGFILE}" 2>&1
+ if test $? != 0; then
+ echo failed
+ exit 1
+ fi
+
+ echo ok
+}
+
 # $1: token
 # $2: PIN
 change_id_of_privkey () {
@@ -599,6 +617,7 @@ write_certificate_test () {
 exit_error
 fi
+ echo ok
 rm -f ${TMPFILE}
 echo -n "* Trying to obtain back the cert... "
@@ -1091,6 +1110,7 @@ generate_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024
 change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
 export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
 change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+list_pubkey_as_so "${TOKEN}" "${GNUTLS_SO_PIN}"
 write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
 write_serv_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.key"
-- cgit v1.2.1
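Review bot: `list_pubkey_as_so` in tests/testpkcs11.sh documents and assigns a third argument (`# $3: bits`, `bits="$3"`) that the body never reads and that the call added in the last hunk does not pass; both lines can go. The progress message says "Exporting public key as SO" while the command run is `--so-login --list-all`, so anyone reading the test log is told the wrong operation; `echo -n "* Listing all objects as SO... "` matches the command, and the function name could follow. On failure the function calls `exit 1`, whereas the `write_certificate_test` context in the next hunk uses `exit_error`; if that helper performs cleanup (it is defined outside this patch), `exit_error` is the consistent choice here.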