enhanced copy functions to allow specifying a CKA_ID

author: Nikos Mavrogiannopoulos <nmav@redhat.com> 2015-03-30 16:12:27 +0200
committer: Nikos Mavrogiannopoulos <nmav@redhat.com> 2016-11-29 16:27:40 +0100
commit: e0a706573fd81cf6a20914ee754d0faaab56a869 (patch)
tree: cb3200328bcc143bdb02efe642065aa55ba97732
parent: 474a1d01855d93131010e87e144035fb8394f6de (diff)
download: gnutls-e0a706573fd81cf6a20914ee754d0faaab56a869.tar.gz
2 files changed, 110 insertions, 29 deletions
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index de703e11b5..7df653ef1b 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -173,8 +173,15 @@ int gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
 
 int gnutls_pkcs11_copy_x509_crt(const char *token_url,
 				gnutls_x509_crt_t crt,
-				const char *label, unsigned int flags
-				/* GNUTLS_PKCS11_OBJ_FLAG_* */ );
+				const char *label,
+				unsigned int flags /* GNUTLS_PKCS11_OBJ_FLAG_* */);
+
+int gnutls_pkcs11_copy_x509_crt2(const char *token_url,
+				gnutls_x509_crt_t crt,
+				const char *label,
+				const gnutls_datum_t *id,
+				unsigned int flags /* GNUTLS_PKCS11_OBJ_FLAG_* */);
+
 int gnutls_pkcs11_copy_x509_privkey(const char *token_url,
 				    gnutls_x509_privkey_t key,
 				    const char *label,
@@ -183,6 +190,16 @@ int gnutls_pkcs11_copy_x509_privkey(const char *token_url,
 				    unsigned int flags
 				    /* GNUTLS_PKCS11_OBJ_FLAG_* */
     );
+
+int gnutls_pkcs11_copy_x509_privkey2(const char *token_url,
+				    gnutls_x509_privkey_t key,
+				    const char *label,
+				    const gnutls_datum_t *cid,
+				    unsigned int key_usage
+				    /*GNUTLS_KEY_* */ ,
+				    unsigned int flags
+				    /* GNUTLS_PKCS11_OBJ_FLAG_* */
+    );
 int gnutls_pkcs11_delete_url(const char *object_url, unsigned int flags
 			     /* GNUTLS_PKCS11_OBJ_FLAG_* */ );
 
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index 015f5630c5..28a8d86528 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -32,8 +32,8 @@ static const ck_bool_t fval = 0;
 /**
  * gnutls_pkcs11_copy_x509_crt:
  * @token_url: A PKCS #11 URL specifying a token
- * @crt: A certificate
- * @label: A name to be used for the stored data
+ * @crt: The certificate to copy
+ * @label: The name to be used for the stored data
  * @flags: One of GNUTLS_PKCS11_OBJ_FLAG_*
  *
  * This function will copy a certificate into a PKCS #11 token specified by
@@ -49,6 +49,31 @@ gnutls_pkcs11_copy_x509_crt(const char *token_url,
 			    gnutls_x509_crt_t crt, const char *label,
 			    unsigned int flags)
 {
+	return gnutls_pkcs11_copy_x509_crt2(token_url, crt, label, NULL, flags);
+}
+
+/**
+ * gnutls_pkcs11_copy_x509_crt2:
+ * @token_url: A PKCS #11 URL specifying a token
+ * @crt: The certificate to copy
+ * @label: The name to be used for the stored data
+ * @cid: The CKA_ID to set for the object -if NULL, the ID will be derived from the public key
+ * @flags: One of GNUTLS_PKCS11_OBJ_FLAG_*
+ *
+ * This function will copy a certificate into a PKCS #11 token specified by
+ * a URL. The certificate can be marked as trusted or not.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value.
+ *
+ * Since: 3.3.26
+ **/
+int
+gnutls_pkcs11_copy_x509_crt2(const char *token_url,
+			    gnutls_x509_crt_t crt, const char *label,
+			    const gnutls_datum_t *cid,
+			    unsigned int flags)
+{
 	int ret;
 	struct p11_kit_uri *info = NULL;
 	ck_rv_t rv;
@@ -110,25 +135,30 @@ gnutls_pkcs11_copy_x509_crt(const char *token_url,
 		goto cleanup;
 	}
 
-	id_size = sizeof(id);
-	ret = gnutls_x509_crt_get_subject_key_id(crt, id, &id_size, NULL);
-	if (ret < 0) {
-	        id_size = sizeof(id);
-		ret = gnutls_x509_crt_get_key_id(crt, 0, id, &id_size);
-		if (ret < 0) {
-		  gnutls_assert();
-		  goto cleanup;
-                }
-	}
-
-	/* FIXME: copy key usage flags */
-
 	a[0].type = CKA_CLASS;
 	a[0].value = &class;
 	a[0].value_len = sizeof(class);
+
 	a[1].type = CKA_ID;
-	a[1].value = id;
-	a[1].value_len = id_size;
+	if (cid == NULL || cid->size == 0) {
+		id_size = sizeof(id);
+		ret = gnutls_x509_crt_get_subject_key_id(crt, id, &id_size, NULL);
+		if (ret < 0) {
+		        id_size = sizeof(id);
+			ret = gnutls_x509_crt_get_key_id(crt, 0, id, &id_size);
+			if (ret < 0) {
+			  gnutls_assert();
+			  goto cleanup;
+	                }
+		}
+
+		a[1].value = id;
+		a[1].value_len = id_size;
+	} else {
+		a[1].value = cid->data;
+		a[1].value_len = cid->size;
+	}
+
 	a[2].type = CKA_VALUE;
 	a[2].value = der;
 	a[2].value_len = der_size;
@@ -138,6 +168,7 @@ gnutls_pkcs11_copy_x509_crt(const char *token_url,
 	a[4].type = CKA_CERTIFICATE_TYPE;
 	a[4].value = &type;
 	a[4].value_len = sizeof(type);
+	/* FIXME: copy key usage flags */
 
 	a_val = 5;
 
@@ -245,6 +276,34 @@ gnutls_pkcs11_copy_x509_privkey(const char *token_url,
 				const char *label,
 				unsigned int key_usage, unsigned int flags)
 {
+	return gnutls_pkcs11_copy_x509_privkey2(token_url, key, label, NULL, key_usage, flags);
+}
+
+/**
+ * gnutls_pkcs11_copy_x509_privkey2:
+ * @token_url: A PKCS #11 URL specifying a token
+ * @key: A private key
+ * @label: A name to be used for the stored data
+ * @cid: The CKA_ID to set for the object -if NULL, the ID will be derived from the public key
+ * @key_usage: One of GNUTLS_KEY_*
+ * @flags: One of GNUTLS_PKCS11_OBJ_* flags
+ *
+ * This function will copy a private key into a PKCS #11 token specified by
+ * a URL. It is highly recommended flags to contain %GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE
+ * unless there is a strong reason not to.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value.
+ *
+ * Since: 3.3.26
+ **/
+int
+gnutls_pkcs11_copy_x509_privkey2(const char *token_url,
+				gnutls_x509_privkey_t key,
+				const char *label,
+				const gnutls_datum_t *cid,
+				unsigned int key_usage, unsigned int flags)
+{
 	int ret;
 	struct p11_kit_uri *info = NULL;
 	ck_rv_t rv;
@@ -282,14 +341,6 @@ gnutls_pkcs11_copy_x509_privkey(const char *token_url,
 		return ret;
 	}
 
-	id_size = sizeof(id);
-	ret = gnutls_x509_privkey_get_key_id(key, 0, id, &id_size);
-	if (ret < 0) {
-		p11_kit_uri_free(info);
-		gnutls_assert();
-		return ret;
-	}
-
 	ret =
 	    pkcs11_open_session(&sinfo, NULL, info,
 				SESSION_WRITE |
@@ -311,8 +362,21 @@ gnutls_pkcs11_copy_x509_privkey(const char *token_url,
 	a_val++;
 
 	a[a_val].type = CKA_ID;
-	a[a_val].value = id;
-	a[a_val].value_len = id_size;
+	if (cid == NULL || cid->size == 0) {
+		id_size = sizeof(id);
+		ret = gnutls_x509_privkey_get_key_id(key, 0, id, &id_size);
+		if (ret < 0) {
+			p11_kit_uri_free(info);
+			gnutls_assert();
+			return ret;
+		}
+
+		a[a_val].value = id;
+		a[a_val].value_len = id_size;
+	} else {
+		a[a_val].value = cid->data;
+		a[a_val].value_len = cid->size;
+	}
 	a_val++;
 
 	a[a_val].type = CKA_SIGN;
author	Nikos Mavrogiannopoulos <nmav@redhat.com>	2015-03-30 16:12:27 +0200
committer	Nikos Mavrogiannopoulos <nmav@redhat.com>	2016-11-29 16:27:40 +0100
commit	e0a706573fd81cf6a20914ee754d0faaab56a869 (patch)
tree	cb3200328bcc143bdb02efe642065aa55ba97732
parent	474a1d01855d93131010e87e144035fb8394f6de (diff)
download	gnutls-e0a706573fd81cf6a20914ee754d0faaab56a869.tar.gz