author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2015-04-04 09:36:34 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2015-04-04 09:36:34 +0200 |
commit | 8d03f2296aa6b4827ce886754d2b0cb42f7741f9 (patch) | |
tree | b487a51566fdfd1e5a9bc40dfd39c545c01fb35b /src | |
parent | 786220782ab16bbf32f09b3a69e1be4b40caf267 (diff) | |
download | gnutls-8d03f2296aa6b4827ce886754d2b0cb42f7741f9.tar.gz |
p11tool: use the key usage flags to set PKCS #11 properties
Diffstat (limited to 'src')
-rw-r--r-- | src/certtool-common.h | 1 | ||||
-rw-r--r-- | src/p11tool-args.def | 12 | ||||
-rw-r--r-- | src/p11tool.c | 18 | ||||
-rw-r--r-- | src/pkcs11.c | 7 |
4 files changed, 21 insertions, 17 deletions
diff --git a/src/certtool-common.h b/src/certtool-common.h
index e0b82813c2..538b1e2354 100644
--- a/src/certtool-common.h
+++ b/src/certtool-common.h
@@ -57,6 +57,7 @@ typedef struct common_info {
 	const char *so_pin;
 	int cprint;
+	unsigned key_usage;
 	unsigned int batch;
 	unsigned int verbose;
diff --git a/src/p11tool-args.def b/src/p11tool-args.def
index ade9c3e98c..94ccbced29 100644
--- a/src/p11tool-args.def
+++ b/src/p11tool-args.def
@@ -191,19 +191,19 @@ flag = {
 };
 flag = {
-    name = mark-no-decrypt;
+    name = mark-decrypt;
     disable = "no";
     disabled;
-    descrip = "Marks the object to be written for no decryption";
-    doc = "Marks the object to be generated/copied with the CKA_DECRYPT flag set to false.";
+    descrip = "Marks the object to be written for decryption";
+    doc = "Marks the object to be generated/copied with the CKA_DECRYPT flag set to true.";
 };
 flag = {
-    name = mark-no-sign;
+    name = mark-sign;
     disable = "no";
     disabled;
-    descrip = "Marks the object to be written for no sign";
-    doc = "Marks the object to be generated/copied with the CKA_SIGN flag set to false.";
+    descrip = "Marks the object to be written for signature generation";
+    doc = "Marks the object to be generated/copied with the CKA_SIGN flag set to true.";
 };
 flag = {
diff --git a/src/p11tool.c b/src/p11tool.c
index 105c5b9b5c..a3442d8a35 100644
--- a/src/p11tool.c
+++ b/src/p11tool.c
@@ -68,9 +68,11 @@ int main(int argc, char **argv)
 }
 static
-unsigned opt_to_flags(void)
+unsigned opt_to_flags(unsigned *key_usage)
 {
 	unsigned flags = 0;
+
+	*key_usage = 0;
 	if (HAVE_OPT(MARK_PRIVATE)) {
 		if (ENABLED_OPT(MARK_PRIVATE)) {
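Review bot: The new `key_usage` member of `struct common_info` carries no comment saying what it holds, and nothing in certtool-common.h tells a reader that it is a bit set of `GNUTLS_KEY_*` constants rather than another `GNUTLS_PKCS11_OBJ_FLAG_*` word like the `flags` p11tool passes alongside it. Suggest `unsigned key_usage; /* GNUTLS_KEY_* bits requested via --mark-sign/--mark-decrypt; 0 when neither is given */`, which matches what opt_to_flags in p11tool.c writes into it. The struct definition continues outside the hunk.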
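Review bot: Renaming `mark-no-decrypt`/`mark-no-sign` to `mark-decrypt`/`mark-sign` removes the old option names outright instead of keeping them as hidden deprecated aliases, so an existing invocation that passes `--mark-no-sign` will presumably be rejected by the option parser rather than degrade gracefully. The new `doc` strings also leave open what happens when neither flag is given: opt_to_flags in p11tool.c then leaves key_usage at 0, and whether the written object ends up with both CKA_SIGN and CKA_DECRYPT set or neither is decided in the library, not here. Consider spelling out that default in the option docs and carrying the old names as deprecated options for one release.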
@@ -84,13 +86,11 @@ unsigned opt_to_flags(void)
 		flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED;
-	if (ENABLED_OPT(MARK_NO_SIGN))
-		flags |=
-		    GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN;
+	if (ENABLED_OPT(MARK_SIGN))
+		*key_usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
-	if (ENABLED_OPT(MARK_NO_DECRYPT))
-		flags |=
-		    GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT;
+	if (ENABLED_OPT(MARK_DECRYPT))
+		*key_usage |= GNUTLS_KEY_DECIPHER_ONLY;
 	if (ENABLED_OPT(MARK_CA))
 		flags |=
@@ -118,6 +118,7 @@ static void cmd_parser(int argc, char **argv)
 	unsigned int bits = 0;
 	const char *label = NULL, *sec_param = NULL, *id = NULL;
 	unsigned flags;
+	unsigned key_usage;
 	optct = optionProcess(&p11toolOptions, argc, argv);
 	argc += optct;
@@ -174,7 +175,8 @@ static void cmd_parser(int argc, char **argv)
 	memset(&cinfo, 0, sizeof(cinfo));
-	flags = opt_to_flags();
+	flags = opt_to_flags(&key_usage);
+	cinfo.key_usage = key_usage;
 	if (HAVE_OPT(SECRET_KEY))
 		cinfo.secret_key = OPT_ARG(SECRET_KEY);
diff --git a/src/pkcs11.c b/src/pkcs11.c
index 3eb38a8a3a..a77ac68cf1 100644
--- a/src/pkcs11.c
+++ b/src/pkcs11.c
@@ -626,8 +626,8 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
 	gnutls_x509_crt_t xcrt;
 	gnutls_x509_privkey_t xkey;
 	int ret;
-	unsigned int key_usage = 0;
 	gnutls_datum_t *secret_key;
+	unsigned key_usage = 0;
 	unsigned char raw_id[128];
 	size_t raw_id_size;
 	gnutls_datum_t cid = {NULL, 0};
@@ -656,7 +656,7 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
 	if (secret_key != NULL) {
 		ret = gnutls_pkcs11_copy_secret_key(url, secret_key, label,
-						    key_usage,
+						    info->key_usage,
 						    flags | GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE);
 		if (ret < 0) {
@@ -685,7 +685,7 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
 	if (xkey != NULL) {
 		ret = gnutls_pkcs11_copy_x509_privkey2(url, xkey, label,
-						       &cid, key_usage,
+						       &cid, key_usage|info->key_usage,
 						       flags | GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE);
 		if (ret < 0) {
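Review bot: `--mark-decrypt` is translated to `GNUTLS_KEY_DECIPHER_ONLY`, which in X.509 key usage is a qualifier of keyAgreement rather than the data/key encipherment bits a decryption key normally carries; whether the library's PKCS #11 writer turns that particular bit into CKA_DECRYPT is not visible from this diff, and if it derives CKA_DECRYPT from the encipherment bits instead the new option is a silent no-op. Either map the option to `GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_DATA_ENCIPHERMENT` (after checking what lib/ actually keys on) or add `/* the PKCS #11 writer derives CKA_DECRYPT from this bit */` above the assignment so the coupling is explicit. As a smaller point, in the -174 hunk the `key_usage` local in cmd_parser exists only to be copied into `cinfo`; `flags = opt_to_flags(&cinfo.key_usage);` after the memset would remove it and the extra declaration in the -118 hunk. opt_to_flags and cmd_parser both extend beyond the hunks shown.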
@@ -743,6 +743,7 @@ pkcs11_generate(FILE * outfile, const char *url, gnutls_pk_algorithm_t pk,
 	ret = gnutls_pkcs11_privkey_generate3(url, pk, bits, label, &cid, GNUTLS_X509_FMT_PEM, &pubkey,
+					      info->key_usage,
 					      flags);
 	if (ret < 0) {
 		fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__, |
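Review bot: The -743 hunk inserts `info->key_usage` as a new argument of `gnutls_pkcs11_privkey_generate3()` between `&pubkey` and `flags`, but nothing in this commit (the diffstat is limited to src/) changes the library prototype, so the call presumably only compiles once a matching lib/ change is in place, and the argument position should be checked against the header rather than assumed from this ordering. The two copy paths are also inconsistent: -685 ORs the command-line bits into the local `key_usage` (set somewhere outside the hunks, presumably from the loaded certificate), so the options can only widen what that value already allows, while -656 passes `info->key_usage` alone for secret keys. If that is deliberate because a secret key has no certificate to derive usage from, a comment at the secret-key call such as `/* no certificate to take key usage from; use the --mark-* bits only */` would spare the next reader the question. pkcs11_write and pkcs11_generate both extend beyond the hunks shown.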