p11tool: don't outsmart user and override login type
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 3 Jul 2014 09:43:32 +0000 (11:43 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 3 Jul 2014 09:55:57 +0000 (11:55 +0200)
Unfortunately tokens vary in their requirements for writing trusted
and private objects, and there is no one-size-fits-all policy. Thus
allow a proper failure and warn the user that SO (security officer) login may be required.

src/pkcs11.c

index 5e6806b049078d9ba4043ab10a656d90e3a9c85a..7f4ba261e177015a67f5997fe56dca6ab1da6ca0 100644 (file)
@@ -483,18 +483,17 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
        if (xcrt != NULL) {
                if (trusted)
                        flags |=
-                           GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED |
-                           GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO;
+                           GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED;
 
                if (ca)
                        flags |=
-                           GNUTLS_PKCS11_OBJ_FLAG_MARK_CA |
-                           GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO;
+                           GNUTLS_PKCS11_OBJ_FLAG_MARK_CA;
 
                ret = gnutls_pkcs11_copy_x509_crt(url, xcrt, label, flags);
                if (ret < 0) {
-                       fprintf(stderr, "Error in %s:%d: %s\n", __func__,
-                               __LINE__, gnutls_strerror(ret));
+                       fprintf(stderr, "Error writing certificate: %s\n", gnutls_strerror(ret));
+                       if ((ca || trusted) && (flags & GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO) == 0)
+                               fprintf(stderr, "note: some tokens may require security officer login for this operation\n");
                        exit(1);
                }