/**
* gnutls_pkcs11_obj_attr_t:
- * @GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL: Specify all certificates in the specified token.
- * @GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED: Specify all certificates marked as trusted in the specified token.
- * @GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA: Specify all certificates marked as trusted and are CAs in the specified token.
- * @GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY: Specify all certificates with a corresponding private key in the specified token.
+ * @GNUTLS_PKCS11_OBJ_ATTR_CRT: Specify all certificates in the specified token.
* @GNUTLS_PKCS11_OBJ_ATTR_PUBKEY: Specify all public keys in the specified token.
- * @GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY: Specify all private keys in the specified token.
- * @GNUTLS_PKCS11_OBJ_ATTR_ALL: Specify all objects in the specified token.
- * @GNUTLS_PKCS11_OBJ_ATTR_MATCH: Only the objects that match the URL.
+ * @GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED: Restrict to objects which are marked as trusted
+ * @GNUTLS_PKCS11_OBJ_ATTR_MARKED_CA: Restrict to certificates which are marked as CA
+ * @GNUTLS_PKCS11_OBJ_ATTR_WITH_PRIVKEY: Restrict to objects which have a corresponding private key
*
- * Enumeration of several attributes for object enumeration.
+ * This a list of flags to be used in combination with each other (since GnuTLS 3.4.0). They
+ * are used for matching and obtaining a list of objects.
*/
typedef enum {
- GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL = 1, /* all certificates */
- GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, /* certificates marked as trusted */
- GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY, /* certificates with corresponding private key */
- GNUTLS_PKCS11_OBJ_ATTR_PUBKEY, /* public keys */
- GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY, /* private keys */
- GNUTLS_PKCS11_OBJ_ATTR_ALL, /* everything! */
- GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA, /* CAs */
- GNUTLS_PKCS11_OBJ_ATTR_MATCH
+ GNUTLS_PKCS11_OBJ_ATTR_CRT = 1, /* all certificates */
+ GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED = 1<<1, /* certificates marked as trusted */
+ GNUTLS_PKCS11_OBJ_ATTR_WITH_PRIVKEY = 1<<2, /* certificates with corresponding private key */
+ GNUTLS_PKCS11_OBJ_ATTR_PUBKEY = 1<<3, /* public keys */
+ GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY = 1<<4, /* private keys */
+ GNUTLS_PKCS11_OBJ_ATTR_MARKED_CA = 1<<5, /* CAs */
} gnutls_pkcs11_obj_attr_t;
+#define GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL GNUTLS_PKCS11_OBJ_ATTR_CRT
+#define GNUTLS_PKCS11_OBJ_ATTR_MATCH 0 /* always match the given URL */
+#define GNUTLS_PKCS11_OBJ_ATTR_ALL 0 /* match everything! */
+#define GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED (GNUTLS_PKCS11_OBJ_ATTR_CRT|GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED)
+#define GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY (GNUTLS_PKCS11_OBJ_ATTR_CRT|GNUTLS_PKCS11_OBJ_ATTR_WITH_PRIVKEY)
+#define GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA (GNUTLS_PKCS11_OBJ_ATTR_CRT|GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED|GNUTLS_PKCS11_OBJ_ATTR_MARKED_CA)
+
/**
* gnutls_pkcs11_token_info_t:
* @GNUTLS_PKCS11_TOKEN_LABEL: The token's label (string)
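Review bot: The rewritten gtk-doc block no longer lists `GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY`, although that enumerator is kept in the typedef a few lines below, so the member goes undocumented and gtk-doc will warn; add `* @GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY: Specify all private keys in the specified token.` after the PUBKEY line. The description should also say that CRT, PUBKEY and PRIVKEY each select a single object class and, as far as the matching code in this commit shows, are not meant to be combined with each other, whereas MARKED_TRUSTED, MARKED_CA and WITH_PRIVKEY are the restricting flags. Finally, the compatibility macros `GNUTLS_PKCS11_OBJ_ATTR_ALL` and `GNUTLS_PKCS11_OBJ_ATTR_MATCH` now both expand to 0 and are therefore indistinguishable; a one-line comment on those defines noting that both mean "match only what the URL specifies" would save callers from reading the implementation.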
char certid_tmp[PKCS11_ID_SIZE];
int ret;
struct find_pkey_list_st plist; /* private key holder */
- unsigned int i, tot_values = 0;
+ unsigned int i, tot_values = 0, class_set = 0;
if (tinfo == NULL) {
gnutls_assert();
memset(&plist, 0, sizeof(plist));
- if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY) {
+ if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_WITH_PRIVKEY) {
ret = find_privkeys(sinfo, tinfo, &plist);
if (ret < 0) {
gnutls_assert();
type = CKC_X_509;
}
- /* Find objects with cert class and X.509 cert type. */
- tot_values = 0;
-
- if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL
- || find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY)
- {
+ if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_CRT) {
class = CKO_CERTIFICATE;
- type = CKC_X_509;
- trusted = 1;
a[tot_values].type = CKA_CLASS;
a[tot_values].value = &class;
a[tot_values].value_len = sizeof class;
tot_values++;
+ class_set = 1;
+ type = CKC_X_509;
a[tot_values].type = CKA_CERTIFICATE_TYPE;
a[tot_values].value = &type;
a[tot_values].value_len = sizeof type;
tot_values++;
+ _gnutls_assert_log("p11 attrs: CKA_CLASS (CERT), CKA_CERTIFICATE_TYPE\n");
+ }
- } else if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_MATCH) {
- if (class != (ck_object_class_t)-1) {
- a[tot_values].type = CKA_CLASS;
- a[tot_values].value = &class;
- a[tot_values].value_len = sizeof class;
- tot_values++;
- }
-
- attr = p11_kit_uri_get_attribute(find_data->info, CKA_ID);
- if (attr) {
- a[tot_values].type = CKA_ID;
- a[tot_values].value = attr->value;
- a[tot_values].value_len = attr->value_len;
- tot_values++;
- }
-
- attr = p11_kit_uri_get_attribute(find_data->info, CKA_LABEL);
- if (attr) {
- a[tot_values].type = CKA_LABEL;
- a[tot_values].value = attr->value;
- a[tot_values].value_len = attr->value_len;
- tot_values++;
- }
- } else if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED) {
- class = CKO_CERTIFICATE;
- type = CKC_X_509;
- trusted = 1;
+ if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_PUBKEY) {
+ class = CKO_PUBLIC_KEY;
a[tot_values].type = CKA_CLASS;
a[tot_values].value = &class;
a[tot_values].value_len = sizeof class;
tot_values++;
+ class_set = 1;
+ _gnutls_assert_log("p11 attrs: CKA_CLASS (PUBLIC KEY)\n");
+ }
- a[tot_values].type = CKA_TRUSTED;
- a[tot_values].value = &trusted;
- a[tot_values].value_len = sizeof trusted;
- tot_values++;
-
- } else if (find_data->flags ==
- GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA) {
- class = CKO_CERTIFICATE;
- type = CKC_X_509;
- trusted = 1;
+ if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY) {
+ class = CKO_PRIVATE_KEY;
a[tot_values].type = CKA_CLASS;
a[tot_values].value = &class;
a[tot_values].value_len = sizeof class;
tot_values++;
+ class_set = 1;
+ _gnutls_assert_log("p11 attrs: CKA_CLASS (PRIVATE KEY)\n");
+ }
+ if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_MARKED_TRUSTED) {
+ trusted = 1;
a[tot_values].type = CKA_TRUSTED;
a[tot_values].value = &trusted;
a[tot_values].value_len = sizeof trusted;
tot_values++;
+ _gnutls_assert_log("p11 attrs: CKA_TRUSTED\n");
+ }
+ if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_MARKED_CA) {
category = 2;
a[tot_values].type = CKA_CERTIFICATE_CATEGORY;
a[tot_values].value = &category;
a[tot_values].value_len = sizeof category;
tot_values++;
- } else if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_PUBKEY) {
- class = CKO_PUBLIC_KEY;
+ _gnutls_assert_log("p11 attrs: CKA_CERTIFICATE_CATEGORY=CA\n");
+ }
+ if (class_set == 0 && class != (ck_object_class_t)-1) {
a[tot_values].type = CKA_CLASS;
a[tot_values].value = &class;
a[tot_values].value_len = sizeof class;
tot_values++;
- } else if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY) {
- class = CKO_PRIVATE_KEY;
+ class_set = 1;
+ _gnutls_assert_log("p11 attrs: CKA_CLASS\n");
+ }
- a[tot_values].type = CKA_CLASS;
- a[tot_values].value = &class;
- a[tot_values].value_len = sizeof class;
+ attr = p11_kit_uri_get_attribute(find_data->info, CKA_ID);
+ if (attr) {
+ a[tot_values].type = CKA_ID;
+ a[tot_values].value = attr->value;
+ a[tot_values].value_len = attr->value_len;
tot_values++;
- } else if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_ALL) {
- if (class != (ck_object_class_t) - 1) {
- a[tot_values].type = CKA_CLASS;
- a[tot_values].value = &class;
- a[tot_values].value_len = sizeof class;
- tot_values++;
- }
- if (type != (ck_certificate_type_t) - 1) {
- a[tot_values].type = CKA_CERTIFICATE_TYPE;
- a[tot_values].value = &type;
- a[tot_values].value_len = sizeof type;
- tot_values++;
- }
- } else {
- gnutls_assert();
- ret = GNUTLS_E_INVALID_REQUEST;
- goto fail;
+ _gnutls_assert_log("p11 attrs: CKA_ID\n");
}
- attr = p11_kit_uri_get_attribute(find_data->info, CKA_ID);
- if (attr != NULL) {
- memcpy(a + tot_values, attr, sizeof(struct ck_attribute));
+ attr = p11_kit_uri_get_attribute(find_data->info, CKA_LABEL);
+ if (attr) {
+ a[tot_values].type = CKA_LABEL;
+ a[tot_values].value = attr->value;
+ a[tot_values].value_len = attr->value_len;
tot_values++;
+ _gnutls_assert_log("p11 attrs: CKA_LABEL\n");
}
rv = pkcs11_find_objects_init(sinfo->module, sinfo->pks, a,
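Review bot: The new flag-driven template builder accepts any combination of CRT, PUBKEY and PRIVKEY, yet all three branches append a CKA_CLASS entry whose value pointer is the same `class` variable, so a request such as CRT|PUBKEY yields two CKA_CLASS attributes both reading the last value written and silently returns only that class; the removed `else` branch used to reject unexpected flag values with GNUTLS_E_INVALID_REQUEST and nothing replaces it. A related concern is capacity: with every flag set plus CKA_ID and CKA_LABEL present in the URL, `tot_values` reaches eight, and the array `a` is declared outside this hunk, so its size should be checked against that maximum (or each append guarded) before this lands. I would reject multi-class requests up front, reusing the `fail` label the removed branch jumped to, with `class_flags` declared next to `class_set`; the enclosing callback starts before and continues past this hunk.
```c
	/* … unchanged: plist setup / find_privkeys call … */
	/* CRT, PUBKEY and PRIVKEY all write the single 'class' variable,
	 * so only one object class can be requested per search */
	class_flags = find_data->flags & (GNUTLS_PKCS11_OBJ_ATTR_CRT |
					  GNUTLS_PKCS11_OBJ_ATTR_PUBKEY |
					  GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY);
	if (class_flags & (class_flags - 1)) {	/* more than one bit set */
		gnutls_assert();
		ret = GNUTLS_E_INVALID_REQUEST;
		goto fail;
	}
	if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_CRT) {
	/* … unchanged: per-flag attribute appends, CKA_ID / CKA_LABEL … */
```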
id.size = 0;
}
- if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_ALL ||
- find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_MATCH) {
+ if (class_set == 0) {
a[0].type = CKA_CLASS;
a[0].value = &class;
a[0].value_len = sizeof class;
}
}
- if (find_data->flags ==
- GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY) {
+ if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY) {
for (i = 0; i < plist.key_ids_size; i++) {
if (plist.key_ids[i].length !=
id.size
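Review bot: The changed condition `find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY` tests the compatibility mask `CRT|WITH_PRIVKEY`, so it is true for any certificate search, not only for those that asked for a matching private key, while the earlier hunk fills `plist` only under `& GNUTLS_PKCS11_OBJ_ATTR_WITH_PRIVKEY`. Because `plist` is zeroed beforehand the loop happens to run zero iterations for a plain CRT search, but any logic after the loop that belongs to this branch would now apply to every certificate search, and the two tests should agree. Use the single-bit test here as well: `if (find_data->flags & GNUTLS_PKCS11_OBJ_ATTR_WITH_PRIVKEY) {`. The loop body continues outside the hunk, so I could not confirm what follows it.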