authorNikos Mavrogiannopoulos <nmav@gnutls.org>2011-06-16 20:39:52 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2011-06-16 20:40:00 +0200
commit923451d4270fc1a2b678d21fa3c1f432f807f48d (patch)
tree40d1be6265aaf2b1af3b73f4dbed7004a3107d1f
parent774369a90aed872ea37b493cb3724cddcfef3f22 (diff)
downloadgnutls-923451d4270fc1a2b678d21fa3c1f432f807f48d.tar.gz
Use common code for PKCS #11 callbacks across clients.
Require SO login to write a trusted object.
-rw-r--r--src/Makefile.am2
-rw-r--r--src/p11common.c12
-rw-r--r--src/pkcs11.c66
3 files changed, 13 insertions, 67 deletions
diff --git a/src/Makefile.am b/src/Makefile.am
index 316389fc9d..80b0a0ffee 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -123,7 +123,7 @@ libcmd_certtool_la_LIBADD += ../gl/libgnu.la $(INET_PTON_LIB)
if ENABLE_PKCS11
p11tool_gaa_CFLAGS =
-p11tool_SOURCES = p11tool.gaa p11tool.c pkcs11.c certtool-common.c p11tool.h
+p11tool_SOURCES = p11tool.gaa p11tool.c pkcs11.c certtool-common.c p11tool.h $(PKCS11_SRCS)
p11tool_LDADD = ../lib/libgnutls.la
p11tool_LDADD += libcmd-p11tool.la ../gl/libgnu.la
p11tool_LDADD += $(LTLIBGCRYPT)
diff --git a/src/p11common.c b/src/p11common.c
index 799f866442..c866a521c1 100644
--- a/src/p11common.c
+++ b/src/p11common.c
@@ -36,11 +36,17 @@ pin_callback (void *user, int attempt, const char *token_url,
size_t pin_max)
{
const char *password;
+ const char * desc;
int len, cache = 1;
/* allow caching of PIN */
static char *cached_url = NULL;
static char cached_pin[32] = "";
+ if (flags & GNUTLS_PKCS11_PIN_SO)
+ desc = "security officer";
+ else
+ desc = "user";
+
if (flags & GNUTLS_PKCS11_PIN_FINAL_TRY)
{
cache = 0;
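Review bot: The added declaration `const char * desc;` breaks the pointer-declarator convention used right next to it (`const char *password;`, `static char *cached_url`); write `const char *desc;`. The new `desc` only changes the prompt wording, while the PIN cache (`cached_url`/`cached_pin`, lookup outside this hunk) appears to be keyed on the token URL alone, so a user PIN cached for a token could presumably be handed back on a later prompt for the same URL that carries GNUTLS_PKCS11_PIN_SO; the copy deleted from src/pkcs11.c in this commit only consulted the cache when `flags == 0`. Worth confirming, e.g. by also setting `cache = 0;` when the SO flag is set. pin_callback's signature begins outside the hunk.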
@@ -67,10 +73,10 @@ pin_callback (void *user, int attempt, const char *token_url,
}
}
- printf ("PIN required for token '%s' with URL '%s'\n", token_label,
- token_url);
+ printf ("Token '%s' with URL '%s' ", token_label, token_url);
+ printf ("requires %s PIN\n", desc);
- password = getpass ("Enter pin: ");
+ password = getpass ("Enter PIN: ");
if (password == NULL || password[0] == 0)
{
fprintf (stderr, "No password given\n");
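Review bot: The added prompt now reads `Enter PIN: ` but the unchanged failure message two lines below still says `No password given`, while the copy deleted from src/pkcs11.c used "No PIN given"; the two should agree, `fprintf (stderr, "No PIN given\n");`. The token/URL line is now emitted by two printf calls; a single call keeps the message intact if output is interleaved with another stream. pin_callback's body continues outside the hunk.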
diff --git a/src/pkcs11.c b/src/pkcs11.c
index dafabe3bc2..b073f758b1 100644
--- a/src/pkcs11.c
+++ b/src/pkcs11.c
@@ -32,68 +32,7 @@
#include "certtool-common.h"
#include <unistd.h>
#include <string.h>
-
-#define MIN(x,y) ((x)<(y))?(x):(y)
-
-static int
-pin_callback (void *user, int attempt, const char *token_url,
- const char *token_label, unsigned int flags, char *pin,
- size_t pin_max)
-{
- const char *password;
- int len;
-/* allow caching of PIN */
- static char *cached_url = NULL;
- static char cached_pin[32] = "";
-
- printf ("PIN required for token '%s' with URL '%s'\n", token_label,
- token_url);
- if (flags & GNUTLS_PKCS11_PIN_FINAL_TRY)
- printf ("*** This is the final try before locking!\n");
- if (flags & GNUTLS_PKCS11_PIN_COUNT_LOW)
- printf ("*** Only few tries left before locking!\n");
-
- if (flags == 0 && cached_url != NULL)
- {
- if (strcmp (cached_url, token_url) == 0)
- {
- strcpy (pin, cached_pin);
- return 0;
- }
- }
-
- password = getpass ("Enter PIN: ");
- if (password == NULL || password[0] == 0)
- {
- fprintf (stderr, "No PIN given\n");
- exit (1);
- }
-
- len = MIN (pin_max, strlen (password));
- memcpy (pin, password, len);
- pin[len] = 0;
-
- /* cache */
- if (strlen(pin) >= sizeof(cached_pin))
- {
- fprintf (stderr, "Too long PIN given\n");
- exit (1);
- }
-
- strcpy (cached_pin, pin);
- free (cached_url);
- cached_url = strdup (token_url);
-
- return 0;
-}
-
-static void
-pkcs11_common (void)
-{
-
- gnutls_pkcs11_set_pin_function (pin_callback, NULL);
-
-}
+#include <p11common.h>
void
pkcs11_delete (FILE * outfile, const char *url, int batch, unsigned int login,
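Review bot: `#include <p11common.h>` uses angle brackets although the neighbouring project header is `#include "certtool-common.h"` and both live in src/; use `#include "p11common.h"` so lookup starts in the including file's directory instead of depending on -I ordering. The removed block also takes the file-local `MIN` macro with it, so any remaining use of MIN elsewhere in pkcs11.c would no longer compile — not visible from this hunk, worth a grep.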
@@ -567,7 +506,8 @@ pkcs11_write (FILE * outfile, const char *url, const char *label, int trusted,
if (xcrt != NULL)
{
if (trusted)
- flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED;
+ flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED|GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO;
+
ret = gnutls_pkcs11_copy_x509_crt (url, xcrt, label, flags);
if (ret < 0)
{
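Review bot: The added `GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED|GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO` has no spaces around `|`, unlike the surrounding GNU-style code; write `flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED | GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO;` and drop the stray added blank line after it. Since this forces the login mode regardless of what the caller asked for, the line deserves a comment such as `/* writing a trusted object requires the security officer PIN */`. pkcs11_write's signature and the rest of its body lie outside the hunk, so whether a caller-supplied login flag is combined with or superseded by this one cannot be confirmed here.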