From: Nikos Mavrogiannopoulos
Date: Mon, 3 Aug 2015 12:17:16 +0000 (+0200)
Subject: pkcs11: set the CKA_TOKEN attribute on generated public keys
X-Git-Tag: gnutls_3_5_0~761
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4fc45d9f36769eb5a7b9cf66ba0bf596178ecd95;p=thirdparty%2Fgnutls.git

pkcs11: set the CKA_TOKEN attribute on generated public keys

That also introduces the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY flag, to simulate the previous behavior.
---
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index fd9aa452fe..0f67fdfe05 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -114,7 +114,7 @@ void gnutls_pkcs11_obj_set_pin_function(gnutls_pkcs11_obj_t obj,
  * @GNUTLS_PKCS11_OBJ_FLAG_CRT: When searching, restrict to certificates only (seek).
  * @GNUTLS_PKCS11_OBJ_FLAG_PUBKEY: When searching, restrict to public key objects only (seek).
  * @GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY: When searching, restrict to private key objects only (seek).
- * @GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY: When searching, restrict to objects which have a corresponding private key (seek).
+ * @GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY: When generating a keypair don't store the public key (store).
  *
  * Enumeration of different PKCS #11 object flags. Some flags are used
  * to mark objects when storing, while others are also used while seeking
@@ -142,6 +142,7 @@ typedef enum gnutls_pkcs11_obj_flags {
 GNUTLS_PKCS11_OBJ_FLAG_CRT = (1<<18),
 GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY = (1<<19),
 GNUTLS_PKCS11_OBJ_FLAG_PUBKEY = (1<<20),
+ GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY = GNUTLS_PKCS11_OBJ_FLAG_PUBKEY,
 GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY = (1<<21),
 /* flags 1<<29 and later are reserved - see pkcs11_int.h */
 } gnutls_pkcs11_obj_flags;
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index f0c75b1fb1..5e4e5d2017 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
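Review bot: The `-` line removes the doc entry for GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY even though the enumerator itself survives (it is still listed as `(1<<19)` in the second hunk of this header), so that flag becomes undocumented. Keep the old line and add the new entry after it: ` * @GNUTLS_PKCS11_OBJ_FLAG_WITH_PRIVKEY: When searching, restrict to objects which have a corresponding private key (seek).` followed by ` * @GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY: When generating a keypair don't store the public key (store).` The new entry should also spell out the default it is an opt-out from: without the flag the generated public key is now written to the token as a persistent (CKA_TOKEN) object, which is the behaviour change this commit makes and which the comment leaves implicit.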
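Review bot: `GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY = GNUTLS_PKCS11_OBJ_FLAG_PUBKEY` aliases a store-time flag to the bit that already means "restrict to public key objects" when seeking, so the two intents cannot be told apart at runtime and a caller that forwards a seek mask into the keypair-generation path will silently end up with a session-only public key. If the bit is deliberately reused, the alias needs a comment saying so and warning against mixing, e.g. `/* shares the bit of FLAG_PUBKEY: only meaningful to the keypair generation (store) path, never combine with seek flags */`. Otherwise a fresh value would remove the ambiguity; the visible part of the enum shows nothing between `(1<<21)` and the `1<<29` reservation, so `(1<<22)` appears to be free, though that should be checked against pkcs11_int.h which is not in this diff.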
@@ -697,7 +697,7 @@ gnutls_pkcs11_privkey_generate3(const char *url, gnutls_pk_algorithm_t pk,
 struct pkcs11_session_info sinfo;
 struct p11_kit_uri *info = NULL;
 ck_rv_t rv;
- struct ck_attribute a[20], p[20];
+ struct ck_attribute a[22], p[22];
 ck_object_handle_t pub, priv;
 unsigned long _bits = bits;
 int a_val, p_val;
@@ -738,6 +738,13 @@ gnutls_pkcs11_privkey_generate3(const char *url, gnutls_pk_algorithm_t pk,
 mech.parameter_len = 0;
 mech.mechanism = pk_to_genmech(pk, &key_type);
+ if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY)) {
+ a[a_val].type = CKA_TOKEN;
+ a[a_val].value = (void *) &tval;
+ a[a_val].value_len = sizeof(tval);
+ a_val++;
+ }
+
 a[a_val].type = CKA_ID;
 if (cid == NULL || cid->size == 0) {
 ret = gnutls_rnd(GNUTLS_RND_NONCE, id, sizeof(id));
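Review bot: `struct ck_attribute a[22], p[22];` grows both template arrays by two although only one new entry (CKA_TOKEN on `a`) is visible in this commit, and nothing checks that `a_val`/`p_val` stay below the array length before each `a[a_val]` store; the actual count depends on the algorithm-specific branches of gnutls_pkcs11_privkey_generate3, which lie outside this hunk. A named bound plus a guard would make the invariant explicit: `#define MAX_GEN_ATTRS 22` with `struct ck_attribute a[MAX_GEN_ATTRS], p[MAX_GEN_ATTRS];` and an `assert(a_val <= MAX_GEN_ATTRS && p_val <= MAX_GEN_ATTRS);` before the templates are handed to the token. If the spare slot on `p` is reserved for a follow-up change, a comment saying so would avoid the question. The function starts and ends outside this hunk.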
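Review bot: The new CKA_TOKEN block stores the address of `tval` in `a[a_val].value`, but `tval` is not declared in any hunk of this commit; presumably it is a `ck_bool_t` holding true that the function already uses for the private-key template, which should be confirmed, and it must stay in scope for as long as the attribute array is used since only a pointer to it is kept. A one-line comment on the `if` would record both the intent and the new default: `/* make the public key a persistent token object unless the caller opts out with NO_STORE_PUBKEY */`. Because NO_STORE_PUBKEY shares its bit with FLAG_PUBKEY, this condition is also false whenever a caller passes the seek flag, so the comment should mention that, or the function should reject seek-only flags up front. gnutls_pkcs11_privkey_generate3 starts and ends outside this hunk.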