From: Nikos Mavrogiannopoulos
Date: Thu, 26 Mar 2015 15:34:46 +0000 (+0100)
Subject: pkcs11: added flags to mark keys as not-being signable or decryptable
X-Git-Tag: gnutls_3_4_0~113
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1e50c5a61fa3eeaba4f95d80155e7c55c3dde145;p=thirdparty%2Fgnutls.git
pkcs11: added flags to mark keys as not-being signable or decryptable
That adds GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT and GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN which can be set during generation or write of keys.
---
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index 0ba72a53d8..b68b92459f 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -111,6 +111,8 @@ void gnutls_pkcs11_obj_set_pin_function(gnutls_pkcs11_obj_t obj,
 * @GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT: When an issuer is requested, override its extensions with the ones present in the trust module (seek).
 * @GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH: Mark the key pair as requiring authentication (pin entry) before every operation (seek+store).
 * @GNUTLS_PKCS11_OBJ_FLAG_MARK_EXTRACTABLE: Mark the key pair as being extractable (store).
+ * @GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN: When writing/generating a private key do not mark the key for signing
+ * @GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT: When writing/generating a private key do not mark the key for decryption
 * @GNUTLS_PKCS11_OBJ_FLAG_NEVER_EXTRACTABLE: If set, the object was never marked as extractable (store).
 * @GNUTLS_PKCS11_OBJ_FLAG_CRT: When searching, restrict to certificates only (seek).
 * @GNUTLS_PKCS11_OBJ_FLAG_PUBKEY: When searching, restrict to public key objects only (seek).
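Review bot: The two new enumerator descriptions in the pkcs11.h comment do not say what they do at the PKCS#11 level or when they apply, unlike the neighbouring entries that end with a "(store)"/"(seek)" tag and a full stop. The implementation hunks of this commit write CKA_SIGN/CKA_DECRYPT as false, and CKA_DECRYPT is only emitted for RSA keys, so the text should state that: `* @GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN: When writing/generating a private key, set its CKA_SIGN attribute to false so the token refuses signing with it (store).` and `* @GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT: When writing/generating an RSA private key, set its CKA_DECRYPT attribute to false; ignored for other key types (store).` Whether a token actually enforces these attributes is up to the module, which is worth one more sentence so callers do not mistake the flag for a guarantee.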
@@ -143,7 +145,9 @@ typedef enum gnutls_pkcs11_obj_flags {
 GNUTLS_PKCS11_OBJ_FLAG_CRT = (1<<18),
 GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY = (1<<19),
 GNUTLS_PKCS11_OBJ_FLAG_PUBKEY = (1<<20),
- GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY = (1<<21)
+ GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY = (1<<21),
+ GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT = (1<<22),
+ GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN = (1<<23)
 /* flags 1<<29 and later are reserved - see pkcs11_int.h */
 } gnutls_pkcs11_obj_flags;
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index 8b98d8dbea..3b5a991ccf 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -700,13 +700,23 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
 switch (pk) {
 case GNUTLS_PK_RSA:
 p[p_val].type = CKA_DECRYPT;
- p[p_val].value = (void *) &tval;
- p[p_val].value_len = sizeof(tval);
+ if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT)) {
+ p[p_val].value = (void *) &tval;
+ p[p_val].value_len = sizeof(tval);
+ } else {
+ p[p_val].value = (void *) &fval;
+ p[p_val].value_len = sizeof(fval);
+ }
 p_val++;
 p[p_val].type = CKA_SIGN;
- p[p_val].value = (void *) &tval;
- p[p_val].value_len = sizeof(tval);
+ if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN)) {
+ p[p_val].value = (void *) &tval;
+ p[p_val].value_len = sizeof(tval);
+ } else {
+ p[p_val].value = (void *) &fval;
+ p[p_val].value_len = sizeof(fval);
+ }
 p_val++;
 a[a_val].type = CKA_ENCRYPT;
@@ -732,8 +742,13 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
 break;
 case GNUTLS_PK_DSA:
 p[p_val].type = CKA_SIGN;
- p[p_val].value = (void *) &tval;
- p[p_val].value_len = sizeof(tval);
+ if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN)) {
+ p[p_val].value = (void *) &tval;
+ p[p_val].value_len = sizeof(tval);
+ } else {
+ p[p_val].value = (void *) &fval;
+ p[p_val].value_len = sizeof(fval);
+ }
 p_val++;
 a[a_val].type = CKA_VERIFY;
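Review bot: Nothing in the RSA case rejects GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN and GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT together, which generates a private key object with both CKA_SIGN and CKA_DECRYPT false, i.e. one that none of the operations set up in this hunk may use. Unless another private usage attribute is written elsewhere in gnutls_pkcs11_privkey_generate2 (the function starts before this hunk), the combination should fail early: `if ((flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN) && (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT)) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);`. The new branches also depend on `fval` being declared next to `tval` and initialised to 0 (CK_FALSE), which is not visible in this hunk and is worth confirming.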
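Review bot: For the DSA case, CKA_SIGN is the only private-key usage attribute this hunk emits, so GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN yields a key object with no permitted private operation, and GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT is silently accepted since no CKA_DECRYPT attribute is written for DSA at all. Either reject NO_SIGN for DSA with `if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);` at the top of the case, or state in the flag's documentation that the resulting key is unusable. As a point of style, the same seven-line if/else now appears in every case of the switch; selecting the value once before it, `ck_bool_t *sign_val = (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN) ? &fval : &tval;` (typed like `tval`), and then writing `p[p_val].value = sign_val; p[p_val].value_len = sizeof(*sign_val);` keeps each case to two lines. The enclosing function continues outside the hunk.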
@@ -748,8 +763,13 @@ gnutls_pkcs11_privkey_generate2(const char *url, gnutls_pk_algorithm_t pk,
 break;
 case GNUTLS_PK_EC:
 p[p_val].type = CKA_SIGN;
- p[p_val].value = (void *) &tval;
- p[p_val].value_len = sizeof(tval);
+ if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN)) {
+ p[p_val].value = (void *) &tval;
+ p[p_val].value_len = sizeof(tval);
+ } else {
+ p[p_val].value = (void *) &fval;
+ p[p_val].value_len = sizeof(fval);
+ }
 p_val++;
 a[a_val].type = CKA_VERIFY;
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index f28f0cefe8..5aa893c640 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -409,14 +409,24 @@ gnutls_pkcs11_copy_x509_privkey(const char *token_url,
 a_val++;
 a[a_val].type = CKA_SIGN;
- a[a_val].value = (void*)&tval;
- a[a_val].value_len = sizeof(tval);
+ if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN)) {
+ a[a_val].value = (void*)&tval;
+ a[a_val].value_len = sizeof(tval);
+ } else {
+ a[a_val].value = (void*)&fval;
+ a[a_val].value_len = sizeof(fval);
+ }
 a_val++;
 if (pk == GNUTLS_PK_RSA) {
 a[a_val].type = CKA_DECRYPT;
- a[a_val].value = (void*)&tval;
- a[a_val].value_len = sizeof(tval);
+ if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT)) {
+ a[a_val].value = (void*)&tval;
+ a[a_val].value_len = sizeof(tval);
+ } else {
+ a[a_val].value = (void*)&fval;
+ a[a_val].value_len = sizeof(fval);
+ }
 a_val++;
 }
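Review bot: In the EC case GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN clears CKA_SIGN while this hunk writes no other private usage attribute, so unless CKA_DERIVE is set elsewhere in gnutls_pkcs11_privkey_generate2 (its body continues outside the hunk) the generated key can be used neither for signing nor for key agreement. A NO_SIGN EC key only makes sense as a derive-only key, so either emit a true `CKA_DERIVE` attribute in this branch when the flag is given, or reject the flag for EC the same way it should be rejected for DSA. GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT is likewise accepted and ignored here, which the flag's documentation should state.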
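Review bot: In gnutls_pkcs11_copy_x509_privkey the GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT check sits inside `if (pk == GNUTLS_PK_RSA)`, so for non-RSA keys the flag is accepted and silently does nothing; since the caller asked for a usage restriction, failing the unsupported combination is safer than ignoring it, e.g. `if (pk != GNUTLS_PK_RSA && (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT)) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);` before the attribute array is filled. Because this function copies key material the caller already holds in software, the attributes only limit what the token's copy may do, not the key itself; a comment such as `/* usage attributes restrict the token object only; the caller still holds the key */` above the CKA_SIGN entry would make that explicit. The hunk also relies on a false-valued `fval` declared earlier in the function (outside the hunk), which should be confirmed to be initialised to 0, and the same pointer-selection idiom as in the generate path would remove the duplicated if/else blocks.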