From: Nikos Mavrogiannopoulos Date: Fri, 7 Nov 2014 07:44:46 +0000 (+0100) Subject: pkcs11: added the flag GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH X-Git-Tag: gnutls_3_4_0~663 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=52dacdc599683c736c4bd72b3b94cc825f41982b;p=thirdparty%2Fgnutls.git pkcs11: added the flag GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH --- diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h index 7479779fb6..bc9795d19a 100644 --- a/lib/includes/gnutls/pkcs11.h +++ b/lib/includes/gnutls/pkcs11.h @@ -109,6 +109,7 @@ void gnutls_pkcs11_obj_set_pin_function(gnutls_pkcs11_obj_t obj, * @GNUTLS_PKCS11_OBJ_FLAG_MARK_CA: Mark the object as a CA. * @GNUTLS_PKCS11_OBJ_FLAG_MARK_KEY_WRAP: Mark the generated key pair as wrapping and unwrapping keys. * @GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT: When an issuer is requested, override its extensions with the ones present in the trust module. + * @GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH: Mark the key pair as requiring authentication (pin entry) before every operation. * * Enumeration of different PKCS #11 object flags. */ @@ -127,7 +128,8 @@ typedef enum gnutls_pkcs11_obj_flags { GNUTLS_PKCS11_OBJ_FLAG_MARK_CA = (1<<11), GNUTLS_PKCS11_OBJ_FLAG_MARK_KEY_WRAP = (1<<12), GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY = (1<<13), - GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT = (1<<14) + GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT = (1<<14), + GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH = (1<<15) } gnutls_pkcs11_obj_flags; /** diff --git a/lib/pkcs11.c b/lib/pkcs11.c index fb5178b0cf..b8c7503a3f 100644 --- a/lib/pkcs11.c +++ b/lib/pkcs11.c @@ -1585,6 +1585,14 @@ pkcs11_import_object(ck_object_handle_t obj, ck_object_class_t class, if (rv == CKR_OK && category == 2) fobj->flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_CA; + a[0].type = CKA_ALWAYS_AUTHENTICATE; + a[0].value = &b; + a[0].value_len = sizeof(b); + + rv = pkcs11_get_attribute_value(sinfo->module, sinfo->pks, obj, a, 1); + if (rv == CKR_OK && b != 0) + fobj->flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH; + /* now recover the object label/id */ a[0].type = CKA_LABEL; a[0].value = label_tmp; @@ -3650,6 +3658,9 @@ char *gnutls_pkcs11_obj_flags_get_str(unsigned int flags) if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE) _gnutls_buffer_append_str(&str, "CKA_PRIVATE; "); + if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH) + _gnutls_buffer_append_str(&str, "CKA_ALWAYS_AUTH; "); + if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED) _gnutls_buffer_append_str(&str, "CKA_TRUSTED; "); diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c index b0b6e95f72..d1a19cf35c 100644 --- a/lib/pkcs11_write.c +++ b/lib/pkcs11_write.c @@ -79,7 +79,7 @@ static void mark_flags(unsigned flags, struct ck_attribute *a, unsigned *a_val) * This function will copy a certificate into a PKCS #11 token specified by * a URL. Valid flags to mark the certificate: %GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED, * %GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE, %GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE, - * %GNUTLS_PKCS11_OBJ_FLAG_MARK_CA. + * %GNUTLS_PKCS11_OBJ_FLAG_MARK_CA, %GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. @@ -431,6 +431,13 @@ gnutls_pkcs11_copy_x509_privkey(const char *token_url, a_val++; } + if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH) { + a[a_val].type = CKA_ALWAYS_AUTHENTICATE; + a[a_val].value = (void *) &tval; + a[a_val].value_len = sizeof(tval); + a_val++; + } + if (label) { a[a_val].type = CKA_LABEL; a[a_val].value = (void *) label;