authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-11-30 14:31:07 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-12-03 20:32:15 +0100
commitb344a90a42570df5c8c7c256cc17e23e3ac6d446 (patch)
treef61c0afe7092988288be7c36fc1749b0261ed6b4
parente461944297b25a38529c7f8ad6fbcd224025b493 (diff)
downloadgnutls-b344a90a42570df5c8c7c256cc17e23e3ac6d446.tar.gz
pkcs11 verification: always use the GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE
That is, make sure that all our calls to the PKCS#11 subsystem for verification only trigger the trust module initialization, and not the generic PKCS#11 initialization. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/x509/verify-high.c8
-rw-r--r--lib/x509/verify-high2.c8
2 files changed, 10 insertions, 6 deletions
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 69fc0f2e68..7b375d61fb 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -367,7 +367,7 @@ advance_iter(gnutls_x509_trust_list_t list,
if (list->pkcs11_token != NULL) {
if (iter->pkcs11_list == NULL) {
ret = gnutls_pkcs11_obj_list_import_url2(&iter->pkcs11_list, &iter->pkcs11_size,
- list->pkcs11_token, (GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED), 0);
+ list->pkcs11_token, (GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED), 0);
if (ret < 0)
return gnutls_assert_val(ret);
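Review bot: The four-flag set on the new line, `(GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)`, is spelled out verbatim here and again in the verify-high2.c hunk inside gnutls_x509_trust_list_add_trust_file, so the two trust-list enumeration sites can drift apart the next time a flag is added or removed. Defining the set once, in a macro visible to both files, keeps the restriction to the trust module enforced in a single place. A one-line comment next to the flags would also record the intent given in the commit message, e.g. `/* PRESENT_IN_TRUSTED_MODULE: only the trust module is initialized, not every PKCS#11 module */`. advance_iter begins before this hunk and continues past it.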
@@ -972,7 +972,7 @@ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list,
gnutls_datum_t der = {NULL, 0};
/* use the token for verification */
ret = gnutls_pkcs11_get_raw_issuer(list->pkcs11_token, cert, &der,
- GNUTLS_X509_FMT_DER, 0);
+ GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE);
if (ret < 0) {
gnutls_assert();
return ret;
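Review bot: The existing comment `/* use the token for verification */` above the call does not say why the flags argument changed from 0 to GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE, so a reader cannot tell that, per the commit message, passing 0 here would trigger the generic PKCS#11 initialization rather than only the trust module's. Extending it to `/* use the token for verification; restrict the lookup to the trust module so the generic PKCS#11 initialization is not triggered */` records that reason at the point it matters. The same applies to the hunks in gnutls_x509_trust_list_get_issuer_by_dn and gnutls_x509_trust_list_get_issuer_by_subject_key_id below, which carry the identical comment and flag change. gnutls_x509_trust_list_get_issuer starts before this hunk and continues past it.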
@@ -1044,7 +1044,7 @@ int gnutls_x509_trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list,
gnutls_datum_t der = {NULL, 0};
/* use the token for verification */
ret = gnutls_pkcs11_get_raw_issuer_by_dn(list->pkcs11_token, dn, &der,
- GNUTLS_X509_FMT_DER, 0);
+ GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE);
if (ret < 0) {
gnutls_assert();
return ret;
@@ -1105,7 +1105,7 @@ int gnutls_x509_trust_list_get_issuer_by_subject_key_id(gnutls_x509_trust_list_t
gnutls_datum_t der = {NULL, 0};
/* use the token for verification */
ret = gnutls_pkcs11_get_raw_issuer_by_subject_key_id(list->pkcs11_token, dn, spki, &der,
- GNUTLS_X509_FMT_DER, 0);
+ GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE);
if (ret < 0) {
gnutls_assert();
return ret;
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
index fb9f9ce101..8c75b26414 100644
--- a/lib/x509/verify-high2.c
+++ b/lib/x509/verify-high2.c
@@ -188,6 +188,10 @@ int add_trust_list_pkcs11_object_url(gnutls_x509_trust_list_t list, const char *
gnutls_pkcs11_obj_t *pcrt_list = NULL;
unsigned int pcrt_list_size = 0, i;
int ret;
+
+ /* here we don't use the flag GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE,
+ * as we want to explicitly load from any module available in the system.
+ */
ret =
gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size,
url,
@@ -323,7 +327,7 @@ gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
*/
if (is_pkcs11_url_object(ca_file) != 0) {
return add_trust_list_pkcs11_object_url(list, ca_file, tl_flags);
- } else { /* token */
+ } else { /* trusted token */
if (list->pkcs11_token != NULL)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
list->pkcs11_token = gnutls_strdup(ca_file);
@@ -331,7 +335,7 @@ gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
/* enumerate the certificates */
ret = gnutls_pkcs11_obj_list_import_url(NULL, &pcrt_list_size,
ca_file,
- (GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED),
+ (GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED),
0);
if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
return gnutls_assert_val(ret);