]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
pkcs11: added the flag GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 7 Nov 2014 07:44:46 +0000 (08:44 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 7 Nov 2014 07:56:41 +0000 (08:56 +0100)
lib/includes/gnutls/pkcs11.h
lib/pkcs11.c
lib/pkcs11_write.c

index 7479779fb69e78cf30157f61bc2883116fa1ddeb..bc9795d19a821dfaf55e6001c7832df708daac36 100644 (file)
@@ -109,6 +109,7 @@ void gnutls_pkcs11_obj_set_pin_function(gnutls_pkcs11_obj_t obj,
  * @GNUTLS_PKCS11_OBJ_FLAG_MARK_CA: Mark the object as a CA.
  * @GNUTLS_PKCS11_OBJ_FLAG_MARK_KEY_WRAP: Mark the generated key pair as wrapping and unwrapping keys.
  * @GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT: When an issuer is requested, override its extensions with the ones present in the trust module.
+ * @GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH: Mark the key pair as requiring authentication (pin entry) before every operation.
  *
  * Enumeration of different PKCS #11 object flags.
  */
@@ -127,7 +128,8 @@ typedef enum gnutls_pkcs11_obj_flags {
        GNUTLS_PKCS11_OBJ_FLAG_MARK_CA = (1<<11),
        GNUTLS_PKCS11_OBJ_FLAG_MARK_KEY_WRAP = (1<<12),
        GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY = (1<<13),
-       GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT = (1<<14)
+       GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT = (1<<14),
+       GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH = (1<<15)
 } gnutls_pkcs11_obj_flags;
 
 /**
index fb5178b0cf1a9978fc164aac5dff5deef4fd80bf..b8c7503a3f6fce02fba296afa396a0cc07a5a3cb 100644 (file)
@@ -1585,6 +1585,14 @@ pkcs11_import_object(ck_object_handle_t obj, ck_object_class_t class,
        if (rv == CKR_OK && category == 2)
                fobj->flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_CA;
 
+       a[0].type = CKA_ALWAYS_AUTHENTICATE;
+       a[0].value = &b;
+       a[0].value_len = sizeof(b);
+
+       rv = pkcs11_get_attribute_value(sinfo->module, sinfo->pks, obj, a, 1);
+       if (rv == CKR_OK && b != 0)
+               fobj->flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH;
+
        /* now recover the object label/id */
        a[0].type = CKA_LABEL;
        a[0].value = label_tmp;
@@ -3650,6 +3658,9 @@ char *gnutls_pkcs11_obj_flags_get_str(unsigned int flags)
        if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE)
                _gnutls_buffer_append_str(&str, "CKA_PRIVATE; ");
 
+       if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH)
+               _gnutls_buffer_append_str(&str, "CKA_ALWAYS_AUTH; ");
+
        if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)
                _gnutls_buffer_append_str(&str, "CKA_TRUSTED; ");
 
index b0b6e95f72f967f6709a008633d2e02222c79a33..d1a19cf35c3fee752394502897251f2b4f2365f1 100644 (file)
@@ -79,7 +79,7 @@ static void mark_flags(unsigned flags, struct ck_attribute *a, unsigned *a_val)
  * This function will copy a certificate into a PKCS #11 token specified by
  * a URL. Valid flags to mark the certificate: %GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED,
  * %GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE, %GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE,
- * %GNUTLS_PKCS11_OBJ_FLAG_MARK_CA.
+ * %GNUTLS_PKCS11_OBJ_FLAG_MARK_CA, %GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
@@ -431,6 +431,13 @@ gnutls_pkcs11_copy_x509_privkey(const char *token_url,
                a_val++;
        }
 
+       if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH) {
+               a[a_val].type = CKA_ALWAYS_AUTHENTICATE;
+               a[a_val].value = (void *) &tval;
+               a[a_val].value_len = sizeof(tval);
+               a_val++;
+       }
+
        if (label) {
                a[a_val].type = CKA_LABEL;
                a[a_val].value = (void *) label;