a certificate. We were already enforcing the signature algorithm, but there
was a bug in parameter checking code.
+** libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable
+ session, as non-writeable security officer sessions are undefined in PKCS#11
+ (#721).
+
** libgnutls: no longer send downgrade sentinel in TLS 1.3.
Previously the sentinel value was embedded to early in version
negotiation and was sent even on TLS 1.3. It is now sent only when
ret_flags |= SESSION_LOGIN | SESSION_FORCE_LOGIN;
if (flags & GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO)
- ret_flags |= SESSION_LOGIN | SESSION_SO | SESSION_FORCE_LOGIN;
+ ret_flags |= SESSION_LOGIN | SESSION_SO | SESSION_FORCE_LOGIN | SESSION_WRITE;
if (flags & GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE)
ret_flags |= SESSION_TRUSTED;
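Review bot: The `SESSION_WRITE` bit added on the `GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO` branch has no comment explaining it, and the reason is not evident from the flag names. I would put `/* PKCS#11 defines no read-only SO session, so an SO login must open the session read/write */` above the assignment. Callers that pass this flag for a read-only operation now get a writable session while logged in as security officer. The public description of the flag should say so; that documentation is not visible in this hunk, so please confirm it was updated. The enclosing function starts and ends outside the hunk.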
echo ok
}
+# $1: token
+# $2: SO PIN
+# $3: bits
+list_pubkey_as_so () {
+ export GNUTLS_SO_PIN="$2"
+ token="$1"
+ bits="$3"
+
+ echo -n "* Exporting public key as SO... "
+ ${P11TOOL} ${ADDITIONAL_PARAM} --so-login --list-all "${token}" >>"${LOGFILE}" 2>&1
+ if test $? != 0; then
+ echo failed
+ exit 1
+ fi
+
+ echo ok
+}
+
# $1: token
# $2: PIN
change_id_of_privkey () {
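Review bot: `list_pubkey_as_so` does not do what its name, header comment and progress message say: it runs `--so-login --list-all` and checks only the exit status, so no public key is exported or inspected. The message would be more accurate as `echo -n "* Listing objects as SO... "`. `bits="$3"` is never used, and the call added further down the page passes only the token and the SO PIN, so the `# $3: bits` line and the assignment can go. The failure path uses a bare `exit 1`, while other helper code visible on this page calls `exit_error`; if that helper does cleanup or log reporting (its body is not shown here), use it for consistency. Note also that `export GNUTLS_SO_PIN="$2"` leaves the SO PIN in the environment of every command run afterwards; that is acceptable for a test token but worth a one-line comment.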
exit_error
fi
+ echo ok
rm -f ${TMPFILE}
echo -n "* Trying to obtain back the cert... "
change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}"
+list_pubkey_as_so "${TOKEN}" "${GNUTLS_SO_PIN}"
write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub
write_serv_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.key"