author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-11-30 14:31:07 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-12-03 20:32:15 +0100 |
commit | b344a90a42570df5c8c7c256cc17e23e3ac6d446 (patch) | |
tree | f61c0afe7092988288be7c36fc1749b0261ed6b4 | |
parent | e461944297b25a38529c7f8ad6fbcd224025b493 (diff) | |
download | gnutls-b344a90a42570df5c8c7c256cc17e23e3ac6d446.tar.gz |
pkcs11 verification: always use the GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE
That is, make sure that all our calls to the PKCS#11 subsystem for verification
will only trigger the trust module initialization, and not the generic
PKCS#11 initialization.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/x509/verify-high.c | 8 | ||||
-rw-r--r-- | lib/x509/verify-high2.c | 8 |
2 files changed, 10 insertions, 6 deletions
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 69fc0f2e68..7b375d61fb 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -367,7 +367,7 @@ advance_iter(gnutls_x509_trust_list_t list,
 if (list->pkcs11_token != NULL) {
 if (iter->pkcs11_list == NULL) {
 ret = gnutls_pkcs11_obj_list_import_url2(&iter->pkcs11_list, &iter->pkcs11_size,
- list->pkcs11_token, (GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED), 0);
+ list->pkcs11_token, (GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED), 0);
 if (ret < 0)
 return gnutls_assert_val(ret);
@@ -972,7 +972,7 @@ int gnutls_x509_trust_list_get_issuer(gnutls_x509_trust_list_t list,
 gnutls_datum_t der = {NULL, 0};
 /* use the token for verification */
 ret = gnutls_pkcs11_get_raw_issuer(list->pkcs11_token, cert, &der,
- GNUTLS_X509_FMT_DER, 0);
+ GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE);
 if (ret < 0) {
 gnutls_assert();
 return ret;
@@ -1044,7 +1044,7 @@ int gnutls_x509_trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list,
 gnutls_datum_t der = {NULL, 0};
 /* use the token for verification */
 ret = gnutls_pkcs11_get_raw_issuer_by_dn(list->pkcs11_token, dn, &der,
- GNUTLS_X509_FMT_DER, 0);
+ GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE);
 if (ret < 0) {
 gnutls_assert();
 return ret;
@@ -1105,7 +1105,7 @@ int gnutls_x509_trust_list_get_issuer_by_subject_key_id(gnutls_x509_trust_list_t
 gnutls_datum_t der = {NULL, 0};
 /* use the token for verification */
 ret = gnutls_pkcs11_get_raw_issuer_by_subject_key_id(list->pkcs11_token, dn, spki, &der,
- GNUTLS_X509_FMT_DER, 0);
+ GNUTLS_X509_FMT_DER, GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE);
 if (ret < 0) {
 gnutls_assert();
 return ret;
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
index fb9f9ce101..8c75b26414 100644
--- a/lib/x509/verify-high2.c
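Review bot: The trusted-token flag set `(GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)` on the added line in advance_iter is spelled out again verbatim in the verify-high2.c hunk at -331 (gnutls_x509_trust_list_add_trust_file), which enumerates the same token when it is added to the list. If the two expressions ever drift, the object count taken at add time and the objects iterated during verification would come from different sets, and nothing would report the mismatch. A single named constant shared by both files (a constructed example: `TRUSTED_TOKEN_CRT_FLAGS`, defined in a header both files already include) would keep the two sites in lock-step. advance_iter starts and ends outside the hunk.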
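Review bot: The three `/* use the token for verification */` comments in the gnutls_x509_trust_list_get_issuer, _get_issuer_by_dn and _get_issuer_by_subject_key_id hunks (-972, -1044, -1105) no longer explain the new last argument; the reason for passing GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE instead of 0 lives only in the commit message. A later reader could widen the lookup back to every module without noticing the trust boundary it crosses, so extend the comment at each site to `/* use the token for verification; restrict the lookup to the trust module so that verification never triggers the generic PKCS#11 initialization */`. Each enclosing function starts and ends outside its hunk.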
+++ b/lib/x509/verify-high2.c
@@ -188,6 +188,10 @@ int add_trust_list_pkcs11_object_url(gnutls_x509_trust_list_t list, const char *
 gnutls_pkcs11_obj_t *pcrt_list = NULL;
 unsigned int pcrt_list_size = 0, i;
 int ret;
+
+ /* here we don't use the flag GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE,
+ * as we want to explicitly load from any module available in the system.
+ */
 ret = gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size,
 url,
@@ -323,7 +327,7 @@ gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
 */
 if (is_pkcs11_url_object(ca_file) != 0) {
 return add_trust_list_pkcs11_object_url(list, ca_file, tl_flags);
- } else { /* token */
+ } else { /* trusted token */
 if (list->pkcs11_token != NULL)
 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 list->pkcs11_token = gnutls_strdup(ca_file);
@@ -331,7 +335,7 @@ gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
 /* enumerate the certificates */
 ret = gnutls_pkcs11_obj_list_import_url(NULL, &pcrt_list_size,
 ca_file,
- (GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED),
+ (GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED),
 0);
 if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
 return gnutls_assert_val(ret); |
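Review bot: The new comment on the changed line in gnutls_x509_trust_list_add_trust_file, `} else { /* trusted token */`, names the case but not the contract the rest of the patch relies on: the URL stored in `list->pkcs11_token` on the next context line is later consulted from verify-high.c (advance_iter and the get_issuer functions) with GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE, so only objects exposed by a trust module are ever reached through it. The comment the same commit adds in add_trust_list_pkcs11_object_url documents the opposite choice for object URLs; mirroring it here, e.g. `/* trusted token: its objects are enumerated below, and later looked up from verify-high.c, only through the trust module (GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE) */`, keeps the two paths self-explanatory. The enclosing function continues outside the hunk on both sides.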