* @GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY: When retrieving an object, do not set any requirements (store).
* @GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED: When retrieving an object, only retrieve the marked as trusted (alias to %GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED).
* In gnutls_pkcs11_crt_is_known() it implies %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_COMPARE if %GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY is not given.
+ * @GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED: When writing an object, mark it as distrusted (store).
* @GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED: When retrieving an object, only retrieve the marked as distrusted (seek).
* @GNUTLS_PKCS11_OBJ_FLAG_COMPARE: When checking an object's presence, fully compare it before returning any result (seek).
* @GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY: When checking an object's presence, compare the key before returning any result (seek).
GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE = (1<<5),
GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY = (1<<6),
GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED = GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED,
- GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED = (1<<8),
+ GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED = (1<<8),
+ GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED = GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED,
GNUTLS_PKCS11_OBJ_FLAG_COMPARE = (1<<9),
GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE = (1<<10),
GNUTLS_PKCS11_OBJ_FLAG_MARK_CA = (1<<11),
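Review bot: The new alias `GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED = GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED` makes the two flags indistinguishable to any function that accepts a flags word, so a caller passing the seek-only flag into a store operation will write CKA_X_DISTRUSTED onto the object, exactly as the existing TRUSTED pair on the line above already does. That symmetry is presumably intended, but the header documentation for RETRIEVE_DISTRUSTED still says only "(seek)" and does not mention the alias the way the RETRIEVE_TRUSTED entry does; I would change it to `@GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED: When retrieving an object, only retrieve the marked as distrusted (alias to %GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED).` so that the store-side effect is discoverable. The bit value (1<<8) is unchanged by the rename, so binaries built against the old name keep the same meaning.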
if (rv == CKR_OK && b != 0)
pobj->flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED;
+ a[0].type = CKA_X_DISTRUSTED;
+ a[0].value = &b;
+ a[0].value_len = sizeof(b);
+
+ rv = pkcs11_get_attribute_value(sinfo->module, sinfo->pks, ctx, a, 1);
+ if (rv == CKR_OK && b != 0)
+ pobj->flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED;
+
a[0].type = CKA_SENSITIVE;
a[0].value = &b;
a[0].value_len = sizeof(b);
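Review bot: The added CKA_X_DISTRUSTED query sets GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED independently of the CKA_TRUSTED result directly above it, so an object whose token reports both attributes as true ends up with both MARK_TRUSTED and MARK_DISTRUSTED in pobj->flags, and nothing in this hunk says which one wins. For a trust-store flag that precedence should be stated where the flag is set, e.g. `/* a token may report CKA_TRUSTED and CKA_X_DISTRUSTED together; consumers must treat MARK_DISTRUSTED as overriding MARK_TRUSTED */` above the new `a[0].type = CKA_X_DISTRUSTED;` line; whether any consumer already does so is outside the hunk. Reusing `b` for both queries is safe only because each flag is gated on its own `rv == CKR_OK`, which also means a module that does not recognise the non-standard CKA_X_DISTRUSTED attribute returns an error and leaves the flag clear, which looks like the intended outcome. The enclosing function starts and ends outside the hunk.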
type = CKC_X_509;
}
-
if (find_data->flags & GNUTLS_PKCS11_OBJ_FLAG_CRT) {
class = CKO_CERTIFICATE;
_gnutls_assert_log("p11 attrs: CKA_TRUSTED\n");
}
+ if (find_data->flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED) {
+ trusted = 1;
+ a[tot_values].type = CKA_X_DISTRUSTED;
+ a[tot_values].value = &trusted;
+ a[tot_values].value_len = sizeof trusted;
+ tot_values++;
+ _gnutls_assert_log("p11 attrs: CKA_X_DISTRUSTED\n");
+ }
+
if (find_data->flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_CA) {
category = 2;
a[tot_values].type = CKA_CERTIFICATE_CATEGORY;
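Review bot: The new GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED block reuses the local `trusted` as the storage for the CKA_X_DISTRUSTED value (`trusted = 1;` followed by `a[tot_values].value = &trusted;`), which reads as though the search is asking for trusted objects; a dedicated `distrusted = 1;` local declared next to `trusted` (the declaration is outside the hunk) would keep the template self-describing, and because both attributes would otherwise point at the same byte, a later change to one value would silently change the other's template entry. The block also appends one more entry to `a[]` with no visible capacity check; if `a` is a fixed-size template, as the `tot_values` indexing suggests, its declared size must be raised to account for the extra attribute, which I cannot confirm from the hunk. The enclosing function starts and ends outside the hunk.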
if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)
_gnutls_buffer_append_str(&str, "CKA_TRUSTED; ");
+ if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED)
+ _gnutls_buffer_append_str(&str, "CKA_X_DISTRUSTED; ");
+
if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_EXTRACTABLE)
_gnutls_buffer_append_str(&str, "CKA_EXTRACTABLE; ");
(*a_val)++;
}
+ if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED) {
+ a[*a_val].type = CKA_X_DISTRUSTED;
+ a[*a_val].value = (void *) &tval;
+ a[*a_val].value_len = sizeof(tval);
+ (*a_val)++;
+ }
+
if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED) {
a[*a_val].type = CKA_TRUSTED;
a[*a_val].value = (void *) &tval;