authorNikos Mavrogiannopoulos <nmav@redhat.com>2014-04-04 16:04:03 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2014-04-04 16:25:52 +0200
commitc03bec83ebb563788e4ea50140a0b2b82164a9aa (patch)
tree17e2da15eab4a0d1241ec56d5b334925c1fa9645
parentd8148dd0278af3290633fee7b1dbbd9350e85463 (diff)
downloadgnutls-c03bec83ebb563788e4ea50140a0b2b82164a9aa.tar.gz
The GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED flag is specific to p11-kit trust modules.
-rw-r--r--lib/pkcs11.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 8b43792142..1827b57622 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -2947,6 +2947,14 @@ find_cert(struct pkcs11_session_info *sinfo,
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
+ /* the DISTRUSTED flag is p11-kit module specific */
+ if (priv->flags & GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED) {
+ if (memcmp(lib_info->manufacturer_id, "PKCS#11 Kit", 11) != 0) {
+ gnutls_assert();
+ return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+ }
+ }
+
if (priv->dn.size == 0 && priv->key_id.size == 0 && priv->issuer_dn.size == 0 &&
priv->serial.size == 0)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
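Review bot: The `memcmp(lib_info->manufacturer_id, "PKCS#11 Kit", 11)` test in the added block is a prefix match with a hard-coded length, so a module whose manufacturer ID merely begins with that text is accepted. It also identifies the p11-kit vendor string rather than a trust module, which is what the documentation added in the second hunk promises. If `manufacturer_id` is the space-padded PKCS#11 info field (its declaration is outside the hunk), the comparison can include the first padding byte and drop the magic number: `static const char p11_kit_id[] = "PKCS#11 Kit ";` with `memcmp(lib_info->manufacturer_id, p11_kit_id, sizeof(p11_kit_id) - 1) != 0`. The flag name suggests callers use it for distrust lookups, so it is worth confirming whether a stricter signal than the manufacturer string is available to recognise a trust module. find_cert starts and ends outside the hunk.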
@@ -3229,6 +3237,9 @@ int gnutls_pkcs11_get_raw_issuer(const char *url, gnutls_x509_crt_t cert,
* will be searched. To restrict the modules to the marked as trusted in p11-kit
* use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
*
+ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
+ * specific to p11-kit trust modules.
+ *
* Returns: If the certificate exists non-zero is returned, otherwise zero.
*
* Since: 3.2.9
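Review bot: The added note says the flag is specific to p11-kit trust modules, but it does not say what a caller gets when the URL resolves to some other module. Going by the check added in find_cert, the lookup presumably ends as zero, which a caller cannot tell apart from "this certificate is not distrusted". I would state that outcome in the comment, for example `* With any other module the flag never matches and zero is returned.`, after confirming how the find_cert error is mapped to this function's return value. The function body and the start of this comment are outside the hunk.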