p11tool: fix initialization of security officer's PINtmp-initialize-so-pin-fix

Previously we would call gnutls_pkcs11_token_set_pin() without an
old PIN provided, which will result to the use of C_InitPIN() on the
underlying module. The C_InitPIN() in contrast with C_SetPIN() will
only work for the user and not for the administrator. As such, we
always provide the oldpin for when we change the admin's PIN.

Resolves #561

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

1 files changed, 6 insertions, 8 deletions

diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 9909127903..1a335ea959 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -35,9 +35,7 @@
 
 #include <pin.h>
 #include <pkcs11_int.h>
-#include <p11-kit/p11-kit.h>
 #include "pkcs11x.h"
-#include <p11-kit/pin.h>
 #include <system-keys.h>
 #include "x509/x509_int.h"
 
@@ -2781,10 +2779,10 @@ retrieve_pin_from_callback(const struct pin_info_st *pin_info,
 	return 0;
 }
 
-static int
-retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info,
-	     struct ck_token_info *token_info, int attempts,
-	     ck_user_type_t user_type, struct p11_kit_pin **pin)
+int
+pkcs11_retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info,
+		    struct ck_token_info *token_info, int attempts,
+		    ck_user_type_t user_type, struct p11_kit_pin **pin)
 {
 	const char *pinfile;
 	int ret = GNUTLS_E_PKCS11_PIN_ERROR;
@@ -2930,8 +2928,8 @@ pkcs11_login(struct pkcs11_session_info *sinfo,
 		}
 
 		ret =
-		    retrieve_pin(pin_info, info, &tinfo, attempt++,
-				 user_type, &pin);
+		    pkcs11_retrieve_pin(pin_info, info, &tinfo, attempt++,
+					user_type, &pin);
 		if (ret < 0) {
 			gnutls_assert();
 			goto cleanup;