diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-03-13 15:14:37 +0100 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-03-15 10:10:27 +0100 |
| commit | e4c83eea960a43a38814ffd19cc5aae8ff1d206d (patch) | |
| tree | 3e1bc97d9de3505a6138d368b928a8284c5de06a | |
| parent | 9dca575622586e4c94ced9e453ae0a91f346d711 (diff) | |
| download | gnutls-tmp-fix-pkcs11-so.tar.gz | |
pkcs11: security officer login implies writable sessiontmp-fix-pkcs11-so
According to the PKCS#11 v2.30, 6.7.1 there are no read-only Security Officer
sessions.
Resolves: #721
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| -rw-r--r-- | NEWS | 4 | ||||
| -rw-r--r-- | lib/pkcs11.c | 2 | ||||
| -rwxr-xr-x | tests/testpkcs11.sh | 20 |
3 files changed, 25 insertions, 1 deletions
@@ -25,6 +25,10 @@ See the end for copying conditions. a certificate. We were already enforcing the signature algorithm, but there was a bug in parameter checking code. +** libgnutls: the flag GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO now implies a writable + session, as non-writeable security officer sessions are undefined in PKCS#11 + (#721). + ** libgnutls: no longer send downgrade sentinel in TLS 1.3. Previously the sentinel value was embedded to early in version negotiation and was sent even on TLS 1.3. It is now sent only when diff --git a/lib/pkcs11.c b/lib/pkcs11.c index fbe2b48f22..ea08fd0906 100644 --- a/lib/pkcs11.c +++ b/lib/pkcs11.c @@ -2254,7 +2254,7 @@ unsigned int pkcs11_obj_flags_to_int(unsigned int flags) ret_flags |= SESSION_LOGIN | SESSION_FORCE_LOGIN; if (flags & GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO) - ret_flags |= SESSION_LOGIN | SESSION_SO | SESSION_FORCE_LOGIN; + ret_flags |= SESSION_LOGIN | SESSION_SO | SESSION_FORCE_LOGIN | SESSION_WRITE; if (flags & GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE) ret_flags |= SESSION_TRUSTED; diff --git a/tests/testpkcs11.sh b/tests/testpkcs11.sh index 49acc0ff9f..e98fb8ed4a 100755 --- a/tests/testpkcs11.sh +++ b/tests/testpkcs11.sh @@ -341,6 +341,24 @@ export_pubkey_of_privkey () { } # $1: token +# $2: SO PIN +# $3: bits +list_pubkey_as_so () { + export GNUTLS_SO_PIN="$2" + token="$1" + bits="$3" + + echo -n "* Exporting public key as SO... " + ${P11TOOL} ${ADDITIONAL_PARAM} --so-login --list-all "${token}" >>"${LOGFILE}" 2>&1 + if test $? != 0; then + echo failed + exit 1 + fi + + echo ok +} + +# $1: token # $2: PIN change_id_of_privkey () { export GNUTLS_PIN="$2" @@ -599,6 +617,7 @@ write_certificate_test () { exit_error fi + echo ok rm -f ${TMPFILE} echo -n "* Trying to obtain back the cert... " @@ -1091,6 +1110,7 @@ generate_rsa_privkey "${TOKEN}" "${GNUTLS_PIN}" 1024 change_id_of_privkey "${TOKEN}" "${GNUTLS_PIN}" export_pubkey_of_privkey "${TOKEN}" "${GNUTLS_PIN}" change_label_of_privkey "${TOKEN}" "${GNUTLS_PIN}" +list_pubkey_as_so "${TOKEN}" "${GNUTLS_SO_PIN}" write_certificate_test "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/ca.key" "${srcdir}/testpkcs11-certs/ca.crt" tmp-client.pub write_serv_privkey "${TOKEN}" "${GNUTLS_PIN}" "${srcdir}/testpkcs11-certs/server.key" |