authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-05-10 17:23:54 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-05-10 22:57:10 +0200
commitf6eeb995a8c3952ac6efd28ce0a929372e5e2949 (patch)
tree78b1bbdde3077aa3c18d859b9e701a63af75e2b3
parent02add147e8ad0216dff2dce0697f65aac663b100 (diff)
pkcs11_override_cert_exts: do not use CKA_X_DISTRUSTED flag when retrieving
This flag was introduced in order to reduce the number of duplicate stapled extensions returned by p11-kit. Unfortunately that fix was bogus and in fact it resulted in p11-kit not returning any stapled extensions. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/pkcs11x.c9
1 files changed, 2 insertions, 7 deletions
diff --git a/lib/pkcs11x.c b/lib/pkcs11x.c
index 186b3f642d..fc428e17a4 100644
--- a/lib/pkcs11x.c
+++ b/lib/pkcs11x.c
@@ -68,7 +68,7 @@ int pkcs11_override_cert_exts(struct pkcs11_session_info *sinfo, gnutls_datum_t
{
int ret;
gnutls_datum_t new_der = {NULL, 0};
- struct ck_attribute a[3];
+ struct ck_attribute a[2];
struct ck_attribute b[1];
unsigned long count;
unsigned ext_data_size = der->size;
@@ -78,7 +78,6 @@ int pkcs11_override_cert_exts(struct pkcs11_session_info *sinfo, gnutls_datum_t
unsigned finalize = 0;
ck_rv_t rv;
ck_object_handle_t obj;
- ck_bool_t tfalse = 0;
if (sinfo->trusted == 0) {
_gnutls_debug_log("p11: cannot override extensions on a non-p11-kit trust module\n");
@@ -95,11 +94,7 @@ int pkcs11_override_cert_exts(struct pkcs11_session_info *sinfo, gnutls_datum_t
a[1].value = spki->data;
a[1].value_len = spki->size;
- a[2].type = CKA_X_DISTRUSTED;
- a[2].value = &tfalse;
- a[2].value_len = sizeof(tfalse);
-
- rv = pkcs11_find_objects_init(sinfo->module, sinfo->pks, a, 3);
+ rv = pkcs11_find_objects_init(sinfo->module, sinfo->pks, a, 2);
if (rv != CKR_OK) {
gnutls_assert();
_gnutls_debug_log
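Review bot: The template passed to `pkcs11_find_objects_init(sinfo->module, sinfo->pks, a, 2)` now matches on the two remaining attributes only, so the duplicate stapled-extension objects that CKA_X_DISTRUSTED was added to suppress can presumably match again, and nothing in the visible lines says which of them is used. Because the earlier filter made the lookup return nothing, which for a function named pkcs11_override_cert_exts likely meant the trust-store overrides were skipped without any error, a regression test that a stapled extension is actually returned would guard this path. I would also record the reason at the call, e.g. `/* no CKA_X_DISTRUSTED here: p11-kit returns no stapled extensions when it is in the template */`, and derive the count from the array, `sizeof(a)/sizeof(a[0])`, so it cannot drift from the `struct ck_attribute a[2];` declaration changed in the first hunk. The function body starts before and continues after these hunks.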