#define GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO (1<<3) /* force login as a security officer in the token for the operation */
#define GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE (1<<4) /* marked as private (requires PIN to access) */
#define GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE (1<<5) /* marked as not private */
-#define GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY (1<<6) /* No need for the certificate to be a trusted one */
-#define GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED (1<<7) /* The certificate must be marked as trusted
+#define GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY (1<<6) /* No need for the object to be a trusted one */
+#define GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED (1<<7) /* The object must be marked as trusted
* in gnutls_pkcs11_crt_is_known() it implies GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_COMPARE */
-#define GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED (1<<8) /* The certificate must be marked as distrusted */
-#define GNUTLS_PKCS11_OBJ_FLAG_COMPARE (1<<9) /* The certificate must be fully compared */
+#define GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED (1<<8) /* The object must be marked as distrusted */
+#define GNUTLS_PKCS11_OBJ_FLAG_COMPARE (1<<9) /* The object must be fully compared */
+#define GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE (1<<10) /* The object must be present in a marked as trusted module */
/**
* gnutls_pkcs11_url_type_t:
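Review bot: The comment on the new GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag reads awkwardly ("present in a marked as trusted module") and does not say what makes a module trusted, which matters because this is the public header callers read to decide whether the flag gives them the guarantee they want. I would write `/* The object must be present in a module marked as trusted (p11-kit trust module) */`, which matches the wording used for the internal SESSION_TRUSTED definition elsewhere in this commit. The value (1<<10) does not overlap the bits visible here (1<<3 through 1<<9); the lower bits are outside the hunk and cannot be checked from this view.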
if (providers[x].active == 0)
continue;
+ if (flags & SESSION_TRUSTED && providers[x].trusted == 0)
+ continue;
+
nslots = sizeof(slots) / sizeof(slots[0]);
ret = scan_slots(&providers[x], slots, &nslots);
if (ret < 0) {
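Review bot: The new filter `if (flags & SESSION_TRUSTED && providers[x].trusted == 0)` mixes a bitwise and a logical operator without parentheses; it parses as intended, but `if ((flags & SESSION_TRUSTED) && providers[x].trusted == 0)` makes the precedence explicit and keeps the two tests visually separate. Whether the restriction is effective depends entirely on how `providers[x].trusted` is populated, which is not in this hunk; if it defaults to 0 for modules that are loaded outside p11-kit's configuration, a SESSION_TRUSTED search silently skips them, which is worth a comment either here or at the field. The enclosing loop and function begin and end outside the hunk.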
struct token_info tinfo;
if (pkcs11_get_token_info(module, slots[z],
- &tinfo.tinfo) != CKR_OK)
- {
+ &tinfo.tinfo) != CKR_OK) {
continue;
}
tinfo.sid = slots[z];
ret_flags |= SESSION_LOGIN;
if (flags & GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO)
ret_flags |= SESSION_LOGIN | SESSION_SO;
+ if (flags & GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE)
+ ret_flags |= SESSION_TRUSTED;
return ret_flags;
}
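Review bot: The translation of the public GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE bit (1<<10) into the internal SESSION_TRUSTED bit (1<<3) is done without a word, and because the two namespaces use different bit positions a reader could assume the values are interchangeable; a one-line comment such as `/* public object flag -> session-level restriction to modules marked as trusted */` would prevent that. Unlike the security-officer case just above, the new flag does not add SESSION_LOGIN, which looks intentional (presence in a trust module does not need a PIN) but is worth stating. The function's signature and the earlier flag handling are outside the hunk.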
*
* This function will check whether the provided certificate is stored
* in the specified token. This is useful in combination with
- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED,
+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
* to check whether a CA is present or a certificate is blacklisted in
- * trust PKCS #11 modules.
+ * a trust PKCS #11 module.
+ *
+ * This function can be used with a @url of "pkcs11:", and in that case all modules
+ * will be searched. To restrict the modules to the marked as trusted in p11-kit
+ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
*
* Returns: If the certificate exists non-zero is returned, otherwise zero.
*
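Review bot: The new paragraph says that with a @url of "pkcs11:" all modules are searched, but it does not spell out the consequence that a %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED match can then come from any loaded module, which is exactly what the new flag exists to rule out; I would add after the "all modules will be searched" sentence: `Without %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE a trusted match may come from any loaded module, not only from a p11-kit trust module.` The phrase "To restrict the modules to the marked as trusted in p11-kit" reads awkwardly; "To restrict the search to the modules marked as trusted in p11-kit" is clearer. The enclosing doc comment and the function it documents begin and end outside the hunk.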
#define SESSION_WRITE (1<<0)
#define SESSION_LOGIN (1<<1)
#define SESSION_SO (1<<2) /* security officer session */
+#define SESSION_TRUSTED (1<<3) /* session on a marked as trusted (p11-kit) module */
int pkcs11_open_session(struct pkcs11_session_info *sinfo,
struct pin_info_st *pin_info,
struct p11_kit_uri *info, unsigned int flags);