authorNikos Mavrogiannopoulos <nmav@gnutls.org>2013-02-03 10:36:57 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2013-02-03 10:36:57 +0100
commite92c14f02d017059b69aafd5ef3e80d4638956a8 (patch)
tree30d80efd831398f7ba2e2398e17750047a59e233
parent21b1bddb09897f318dbe0c6ec07e83b142c5d490 (diff)
Added GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA to specify trusted CA certificates.
-rw-r--r--lib/gnutls_x509.c6
-rw-r--r--lib/includes/gnutls/pkcs11.h4
-rw-r--r--lib/pkcs11.c26
-rw-r--r--lib/x509/verify-high2.c2
4 files changed, 30 insertions, 8 deletions
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index fa4bbe410f..bba68f5dd3 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -721,8 +721,6 @@ cleanup:
}
#ifdef ENABLE_PKCS11
-/* Reads a private key from a token.
- */
static int
read_cas_url (gnutls_certificate_credentials_t res, const char *url)
{
@@ -734,7 +732,7 @@ read_cas_url (gnutls_certificate_credentials_t res, const char *url)
/* FIXME: should we use login? */
ret =
gnutls_pkcs11_obj_list_import_url (NULL, &pcrt_list_size, url,
- GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, 0);
+ GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA, 0);
if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
{
gnutls_assert ();
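Review bot: Switching read_cas_url to GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA narrows the import to certificates that carry both CKA_TRUSTED and the authority certificate category (as the find_objs hunk in lib/pkcs11.c builds the template), so a token whose trusted CA certificates do not carry a category attribute will presumably no longer contribute them to the trust store; this fails closed, but it is a behaviour change that deserves a sentence in the commit message or a header comment. The comment removed in the previous hunk was wrong for this function and nothing replaces it; suggest `/* Reads the trusted CA certificates (CKA_TRUSTED set, CA category) matching url from a PKCS#11 token. */` above `static int`. The same constant change appears in the second hunk of this file and in lib/x509/verify-high2.c. read_cas_url's body continues outside the hunk.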
@@ -756,7 +754,7 @@ read_cas_url (gnutls_certificate_credentials_t res, const char *url)
ret =
gnutls_pkcs11_obj_list_import_url (pcrt_list, &pcrt_list_size, url,
- GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, 0);
+ GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA, 0);
if (ret < 0)
{
gnutls_assert ();
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index 9ae7e13332..3c6cf44dab 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -176,6 +176,7 @@ int gnutls_pkcs11_obj_get_info (gnutls_pkcs11_obj_t crt,
* gnutls_pkcs11_obj_attr_t:
* @GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL: Specify all certificates.
* @GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED: Specify all certificates marked as trusted.
+ * @GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA: Specify all certificates marked as trusted and are CAs.
* @GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY: Specify all certificates with a corresponding private key.
* @GNUTLS_PKCS11_OBJ_ATTR_PUBKEY: Specify all public keys.
* @GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY: Specify all private keys.
@@ -190,7 +191,8 @@ typedef enum
GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY, /* certificates with corresponding private key */
GNUTLS_PKCS11_OBJ_ATTR_PUBKEY, /* public keys */
GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY, /* private keys */
- GNUTLS_PKCS11_OBJ_ATTR_ALL /* everything! */
+ GNUTLS_PKCS11_OBJ_ATTR_ALL, /* everything! */
+ GNUTLS_PKCS11_OBJ_ATTR_TRUSTED_CA, /* CAs */
} gnutls_pkcs11_obj_attr_t;
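Review bot: The enumerator added here is spelled `GNUTLS_PKCS11_OBJ_ATTR_TRUSTED_CA`, while the doc comment in the previous hunk, the commit title and every use site in this commit (lib/gnutls_x509.c, lib/pkcs11.c, lib/x509/verify-high2.c) spell it `GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA`; unless that name is defined elsewhere, the library does not build. It should read `GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA, /* trusted certificates with the CA category */`. Appending after GNUTLS_PKCS11_OBJ_ATTR_ALL keeps the existing enumerator values stable for the public ABI, which is worth stating in the comment since the position otherwise looks out of order relative to the documented list. The typedef's opening lines are outside the hunk.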
/**
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 42d4b8413a..6ca0a8e7c2 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -2207,11 +2207,11 @@ find_objs (struct pkcs11_session_info* sinfo,
struct token_info *info, struct ck_info *lib_info, void *input)
{
struct crt_find_data_st *find_data = input;
- struct ck_attribute a[4];
+ struct ck_attribute a[6];
struct ck_attribute *attr;
ck_object_class_t class = (ck_object_class_t)-1;
ck_certificate_type_t type = (ck_certificate_type_t)-1;
- unsigned int trusted;
+ unsigned int trusted, category;
ck_rv_t rv;
ck_object_handle_t obj;
unsigned long count;
@@ -2317,6 +2317,28 @@ find_objs (struct pkcs11_session_info* sinfo,
tot_values++;
}
+ else if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA)
+ {
+ class = CKO_CERTIFICATE;
+ type = CKC_X_509;
+ trusted = 1;
+
+ a[tot_values].type = CKA_CLASS;
+ a[tot_values].value = &class;
+ a[tot_values].value_len = sizeof class;
+ tot_values++;
+
+ a[tot_values].type = CKA_TRUSTED;
+ a[tot_values].value = &trusted;
+ a[tot_values].value_len = sizeof trusted;
+ tot_values++;
+
+ category = 2;
+ a[tot_values].type = CKA_CATEGORY;
+ a[tot_values].value = &category;
+ a[tot_values].value_len = sizeof trusted;
+ tot_values++;
+ }
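Review bot: `a[tot_values].value_len = sizeof trusted;` on the CKA_CATEGORY entry is a copy-paste slip and should be `a[tot_values].value_len = sizeof category;`; it only works today because both variables are `unsigned int`. PKCS#11 specifies the certificate-category attribute as CK_ULONG, so the `unsigned int category` declared in the previous hunk is presumably too narrow on LP64 platforms, and a module that checks attribute lengths strictly would never match the template (the search would return no CAs, failing closed); declaring it as `unsigned long category;` would avoid that. The literal 2 is a magic number; suggest `category = 2; /* CKA_CATEGORY: authority (CA) certificate */`. find_objs continues outside the hunk.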
else if (find_data->flags == GNUTLS_PKCS11_OBJ_ATTR_PUBKEY)
{
class = CKO_PUBLIC_KEY;
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
index 7f03e1c0a4..039d312e40 100644
--- a/lib/x509/verify-high2.c
+++ b/lib/x509/verify-high2.c
@@ -109,7 +109,7 @@ unsigned int pcrt_list_size = 0, i;
int ret;
ret = gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size, ca_file,
- GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, 0);
+ GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA, 0);
if (ret < 0)
return gnutls_assert_val(ret);