This adds GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT and GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN,
which can be set when generating or writing keys.
* @GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT: When an issuer is requested, override its extensions with the ones present in the trust module (seek).
* @GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH: Mark the key pair as requiring authentication (pin entry) before every operation (seek+store).
* @GNUTLS_PKCS11_OBJ_FLAG_MARK_EXTRACTABLE: Mark the key pair as being extractable (store).
+ * @GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN: When writing/generating a private key do not mark the key for signing
+ * @GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT: When writing/generating a private key do not mark the key for decryption
* @GNUTLS_PKCS11_OBJ_FLAG_NEVER_EXTRACTABLE: If set, the object was never marked as extractable (store).
* @GNUTLS_PKCS11_OBJ_FLAG_CRT: When searching, restrict to certificates only (seek).
* @GNUTLS_PKCS11_OBJ_FLAG_PUBKEY: When searching, restrict to public key objects only (seek).
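Review bot: The two new doc entries for MARK_NO_SIGN and MARK_NO_DECRYPT omit the "(store)"/"(seek)" suffix that every neighbouring entry uses to say which operations honour the flag, so a reader cannot tell whether they also affect searches. Suggest `* @GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN: When writing/generating a private key do not mark the key for signing (store).` and the same form for MARK_NO_DECRYPT, assuming they are only consulted on the store path as the generation hunk suggests. They are also inserted between MARK_EXTRACTABLE and NEVER_EXTRACTABLE here, whereas the enum hunk appends them after PRIVKEY; keeping the doc list in enum order would make the two easier to cross-check.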
GNUTLS_PKCS11_OBJ_FLAG_CRT = (1<<18),
GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY = (1<<19),
GNUTLS_PKCS11_OBJ_FLAG_PUBKEY = (1<<20),
- GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY = (1<<21)
+ GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY = (1<<21),
+ GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT = (1<<22),
+ GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN = (1<<23)
/* flags 1<<29 and later are reserved - see pkcs11_int.h */
} gnutls_pkcs11_obj_flags;
switch (pk) {
case GNUTLS_PK_RSA:
p[p_val].type = CKA_DECRYPT;
- p[p_val].value = (void *) &tval;
- p[p_val].value_len = sizeof(tval);
+ if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT)) {
+ p[p_val].value = (void *) &tval;
+ p[p_val].value_len = sizeof(tval);
+ } else {
+ p[p_val].value = (void *) &fval;
+ p[p_val].value_len = sizeof(fval);
+ }
p_val++;
p[p_val].type = CKA_SIGN;
- p[p_val].value = (void *) &tval;
- p[p_val].value_len = sizeof(tval);
+ if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN)) {
+ p[p_val].value = (void *) &tval;
+ p[p_val].value_len = sizeof(tval);
+ } else {
+ p[p_val].value = (void *) &fval;
+ p[p_val].value_len = sizeof(fval);
+ }
p_val++;
a[a_val].type = CKA_ENCRYPT;
break;
case GNUTLS_PK_DSA:
p[p_val].type = CKA_SIGN;
- p[p_val].value = (void *) &tval;
- p[p_val].value_len = sizeof(tval);
+ if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN)) {
+ p[p_val].value = (void *) &tval;
+ p[p_val].value_len = sizeof(tval);
+ } else {
+ p[p_val].value = (void *) &fval;
+ p[p_val].value_len = sizeof(fval);
+ }
p_val++;
a[a_val].type = CKA_VERIFY;
break;
case GNUTLS_PK_EC:
p[p_val].type = CKA_SIGN;
- p[p_val].value = (void *) &tval;
- p[p_val].value_len = sizeof(tval);
+ if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN)) {
+ p[p_val].value = (void *) &tval;
+ p[p_val].value_len = sizeof(tval);
+ } else {
+ p[p_val].value = (void *) &fval;
+ p[p_val].value_len = sizeof(fval);
+ }
p_val++;
a[a_val].type = CKA_VERIFY;
a_val++;
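Review bot: The same six-line if/else that picks `&tval` or `&fval` for the CKA_SIGN and CKA_DECRYPT attributes is pasted four times in this hunk and twice more in the following hunk on the `a[]` template, so each copy is a place where `value` and `value_len` can drift apart. Selecting the pointer once per flag near the top of the function, `void *sign_val = (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN) ? (void *)&fval : (void *)&tval;` (and a `decrypt_val` likewise), lets every site collapse to `p[p_val].value = sign_val;` followed by `p[p_val].value_len = sizeof(tval);`, which is valid only if `fval` has the same type as `tval`. `fval` itself is not declared in this hunk; presumably a `ck_bool_t` initialised to false in a hunk outside this view, which is worth confirming since a non-zero value would silently re-enable the usage. It may also help to note in a comment that setting both flags for an RSA key yields a private key template with neither CKA_SIGN nor CKA_DECRYPT true, since nothing here rejects that combination. The enclosing function starts and ends outside this hunk.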
a[a_val].type = CKA_SIGN;
- a[a_val].value = (void*)&tval;
- a[a_val].value_len = sizeof(tval);
+ if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN)) {
+ a[a_val].value = (void*)&tval;
+ a[a_val].value_len = sizeof(tval);
+ } else {
+ a[a_val].value = (void*)&fval;
+ a[a_val].value_len = sizeof(fval);
+ }
a_val++;
if (pk == GNUTLS_PK_RSA) {
a[a_val].type = CKA_DECRYPT;
- a[a_val].value = (void*)&tval;
- a[a_val].value_len = sizeof(tval);
+ if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT)) {
+ a[a_val].value = (void*)&tval;
+ a[a_val].value_len = sizeof(tval);
+ } else {
+ a[a_val].value = (void*)&fval;
+ a[a_val].value_len = sizeof(fval);
+ }
a_val++;
}