p11tool: add --mark-always-authenticate option
authorAlon Bar-Lev <alon.barlev@gmail.com>
Sat, 1 Jan 2022 19:12:51 +0000 (21:12 +0200)
committerAlon Bar-Lev <alon.barlev@gmail.com>
Mon, 3 Jan 2022 16:16:09 +0000 (18:16 +0200)
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
src/p11tool-args.def
src/p11tool.c
tests/testpkcs11.sh

index 04cccc4b16579dcfedbb6189128044525383e570..65ed3411f58e901a9cd96be30e838e019b7146ef 100644 (file)
@@ -360,6 +360,13 @@ flag = {
     aliases   = mark-private;
 };
 
+flag = {
+    name      = mark-always-authenticate;
+    disable   = "no";
+    descrip   = "Marks the object to be written as always authenticate";
+    doc = "Marks the object to be generated/written with the CKA_ALWAYS_AUTHENTICATE flag. The written object will Mark the object as requiring authentication (pin entry) before every operation.";
+};
+
 flag = {
     name      = secret-key;
     arg-type  = string;
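Review bot: The `doc` string of the new flag reads awkwardly in its second sentence ("The written object will Mark the object as requiring authentication"), and this text ends up in the generated --help and man page. Suggest `doc = "Marks the object to be generated/written with the CKA_ALWAYS_AUTHENTICATE flag. The written object will require authentication (PIN entry) before every operation.";`. It would also help users to state in the same `doc` that the flag is only honoured for object types where the token supports CKA_ALWAYS_AUTHENTICATE, if that is the case; the page does not show how the C side treats unsupported objects.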
index 43ef4f5d46610f6644d808e4d195def4ce4dac93..693828fcc2955c2e66abb0ce5b3a2a7e3f90f044 100644 (file)
@@ -98,6 +98,10 @@ unsigned opt_to_flags(common_info_st *cinfo, unsigned *key_usage)
                /* else set the defaults of the token */
        }
 
+       if (ENABLED_OPT(MARK_ALWAYS_AUTHENTICATE)) {
+               flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH;
+       }
+
        if (HAVE_OPT(MARK_DISTRUSTED)) {
                flags |=
                    GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED;
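Review bot: The new check uses `ENABLED_OPT(MARK_ALWAYS_AUTHENTICATE)` while the neighbouring distrusted check uses `HAVE_OPT`, and nothing in the hunk says why; since the option is declared with a `disable = "no"` prefix, a short comment would save the next reader a trip to the .def file, e.g. `/* has a --no- form, so test the enabled state rather than mere presence */`. ENABLED_OPT reports state rather than presence, so it is worth confirming that the generated descriptor's default state is "disabled" for an option that was never given, otherwise every written object would silently get the always-authenticate flag. opt_to_flags begins and ends outside the hunk.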
index 09a6274776935f07f91a5be1eb79a573165ded93..c26891352d31c6830de6fdef69056130b4e1442f 100755 (executable)
@@ -116,6 +116,41 @@ write_privkey () {
                exit_error
        fi
        echo ok
+
+       echo -n "* Checking whether object was not marked always authenticate... "
+       ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client2" | grep "CKA_ALWAYS_AUTH" >/dev/null 2>&1
+       if test $? != 1; then
+               echo "private object was always authenticate"
+               exit_error
+       fi
+       echo ok
+}
+
+# $1: token
+# $2: PIN
+# $3: filename
+# ${srcdir}/testpkcs11-certs/client.key
+write_privkey_always_auth () {
+       export GNUTLS_PIN="$2"
+       filename="$3"
+       token="$1"
+
+       echo -n "* Writing a client private key... "
+       ${P11TOOL} ${ADDITIONAL_PARAM} --login --write --label gnutls-client2 --load-privkey "$(unknown)" --mark-always-authenticate "${token}" >>"${LOGFILE}" 2>&1
+       if test $? = 0; then
+               echo ok
+       else
+               echo failed
+               exit_error
+       fi
+
+       echo -n "* Checking whether object was marked always authenticate... "
+       ${P11TOOL} ${ADDITIONAL_PARAM} --login --list-privkeys "${token};object=gnutls-client2" | grep "CKA_ALWAYS_AUTH" >/dev/null 2>&1
+       if test $? != 0; then
+               echo "private object was not always authenticate"
+               exit_error
+       fi
+       echo ok
 }
 
 # $1: token
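Review bot: In write_privkey_always_auth the `filename` variable assigned from `$3` is never used: the `--load-privkey` argument on the write line reads `"$(unknown)"`, which is a command substitution of a command named `unknown` rather than the key path (possibly a rendering artifact, but as shown it cannot work). It should be `--load-privkey "${filename}"`, matching the `$3: filename` contract in the comment block above the function. Also, `$?` after the `p11tool | grep` pipelines is grep's exit status, so a p11tool failure in the final check is reported as "private object was not always authenticate" rather than as a tool error; redirecting p11tool's stderr to `${LOGFILE}` as the write step does would at least leave a trace. Both list checks use the label `gnutls-client2`, which write_privkey already wrote to the same token, so the negative grep in write_privkey relies on running before this function.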
@@ -1131,6 +1166,7 @@ reset_pins "${TOKEN}" "${TEST_PIN}" "${TEST_SO_PIN}"
 
 #write a given privkey
 write_privkey "${TOKEN}" "${TEST_PIN}" "${srcdir}/testpkcs11-certs/client.key"
+write_privkey_always_auth "${TOKEN}" "${TEST_PIN}" "${srcdir}/testpkcs11-certs/client.key"
 
 generate_temp_ecc_privkey "${TOKEN}" "${TEST_PIN}" 256
 delete_temp_privkey "${TOKEN}" "${TEST_PIN}" ecc-256