authorNikos Mavrogiannopoulos <nmav@gnutls.org>2015-04-04 09:36:34 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2015-04-04 09:36:34 +0200
commit8d03f2296aa6b4827ce886754d2b0cb42f7741f9 (patch)
treeb487a51566fdfd1e5a9bc40dfd39c545c01fb35b /src
parent786220782ab16bbf32f09b3a69e1be4b40caf267 (diff)
p11tool: use the key usage flags to set PKCS #11 properties
Diffstat (limited to 'src')
-rw-r--r--src/certtool-common.h1
-rw-r--r--src/p11tool-args.def12
-rw-r--r--src/p11tool.c18
-rw-r--r--src/pkcs11.c7
4 files changed, 21 insertions, 17 deletions
diff --git a/src/certtool-common.h b/src/certtool-common.h
index e0b82813c2..538b1e2354 100644
--- a/src/certtool-common.h
+++ b/src/certtool-common.h
@@ -57,6 +57,7 @@ typedef struct common_info {
const char *so_pin;
int cprint;
+ unsigned key_usage;
unsigned int batch;
unsigned int verbose;
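Review bot: The new `key_usage` member says nothing about which bit namespace it holds, although p11tool.c fills it with GNUTLS_KEY_* values and pkcs11.c hands it straight to the library copy/generate calls; a short comment would spare the next reader a cross-file search, e.g. `unsigned int key_usage; /* GNUTLS_KEY_* bits requested via --mark-sign/--mark-decrypt; 0 if none */`. Spelling it `unsigned int` also matches the neighbouring `batch` and `verbose` members. The struct common_info starts and ends outside the hunk.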
diff --git a/src/p11tool-args.def b/src/p11tool-args.def
index ade9c3e98c..94ccbced29 100644
--- a/src/p11tool-args.def
+++ b/src/p11tool-args.def
@@ -191,19 +191,19 @@ flag = {
};
flag = {
- name = mark-no-decrypt;
+ name = mark-decrypt;
disable = "no";
disabled;
- descrip = "Marks the object to be written for no decryption";
- doc = "Marks the object to be generated/copied with the CKA_DECRYPT flag set to false.";
+ descrip = "Marks the object to be written for decryption";
+ doc = "Marks the object to be generated/copied with the CKA_DECRYPT flag set to true.";
};
flag = {
- name = mark-no-sign;
+ name = mark-sign;
disable = "no";
disabled;
- descrip = "Marks the object to be written for no sign";
- doc = "Marks the object to be generated/copied with the CKA_SIGN flag set to false.";
+ descrip = "Marks the object to be written for signature generation";
+ doc = "Marks the object to be generated/copied with the CKA_SIGN flag set to true.";
};
flag = {
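Review bot: Renaming `mark-no-decrypt`/`mark-no-sign` to `mark-decrypt`/`mark-sign` drops the old option names outright, so an existing script passing `--mark-no-sign` will now fail with an unknown-option error instead of keeping its old behaviour; if that is intended, the rename is worth recording in the `doc` text so users can find the replacement. Because `disable = "no"` is kept, `--no-mark-sign` now exists with the opposite meaning of the removed `--mark-no-sign`, which is easy to confuse and deserves a sentence in `doc`. What happens when neither flag is given (previously the object was not forced to CKA_SIGN/CKA_DECRYPT false; now the tool passes a zero key_usage) presumably depends on the library's treatment of zero, so the `doc` text should state the default explicitly.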
diff --git a/src/p11tool.c b/src/p11tool.c
index 105c5b9b5c..a3442d8a35 100644
--- a/src/p11tool.c
+++ b/src/p11tool.c
@@ -68,9 +68,11 @@ int main(int argc, char **argv)
}
static
-unsigned opt_to_flags(void)
+unsigned opt_to_flags(unsigned *key_usage)
{
unsigned flags = 0;
+
+ *key_usage = 0;
if (HAVE_OPT(MARK_PRIVATE)) {
if (ENABLED_OPT(MARK_PRIVATE)) {
@@ -84,13 +86,11 @@ unsigned opt_to_flags(void)
flags |=
GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED;
- if (ENABLED_OPT(MARK_NO_SIGN))
- flags |=
- GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_SIGN;
+ if (ENABLED_OPT(MARK_SIGN))
+ *key_usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
- if (ENABLED_OPT(MARK_NO_DECRYPT))
- flags |=
- GNUTLS_PKCS11_OBJ_FLAG_MARK_NO_DECRYPT;
+ if (ENABLED_OPT(MARK_DECRYPT))
+ *key_usage |= GNUTLS_KEY_DECIPHER_ONLY;
if (ENABLED_OPT(MARK_CA))
flags |=
@@ -118,6 +118,7 @@ static void cmd_parser(int argc, char **argv)
unsigned int bits = 0;
const char *label = NULL, *sec_param = NULL, *id = NULL;
unsigned flags;
+ unsigned key_usage;
optct = optionProcess(&p11toolOptions, argc, argv);
argc += optct;
@@ -174,7 +175,8 @@ static void cmd_parser(int argc, char **argv)
memset(&cinfo, 0, sizeof(cinfo));
- flags = opt_to_flags();
+ flags = opt_to_flags(&key_usage);
+ cinfo.key_usage = key_usage;
if (HAVE_OPT(SECRET_KEY))
cinfo.secret_key = OPT_ARG(SECRET_KEY);
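Review bot: `if (ENABLED_OPT(MARK_DECRYPT)) *key_usage |= GNUTLS_KEY_DECIPHER_ONLY;` maps a decryption request to the X.509 decipherOnly bit, which in the certificate extension is only defined together with keyAgreement; if the library's CKA_DECRYPT mapping keys off this bit the code is fine, but a reader comparing it with keyEncipherment/dataEncipherment will stop here, so a one-line comment saying that this is the bit the PKCS #11 writer interprets as CKA_DECRYPT would help. The same comment applies to the earlier `if (ENABLED_OPT(MARK_SIGN))` line, which only covers digitalSignature. In cmd_parser the new local `key_usage` exists only to be copied into `cinfo.key_usage` on the next line; passing `&cinfo.key_usage` to opt_to_flags after the memset would remove the copy. opt_to_flags and cmd_parser both start and end outside the hunks shown.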
diff --git a/src/pkcs11.c b/src/pkcs11.c
index 3eb38a8a3a..a77ac68cf1 100644
--- a/src/pkcs11.c
+++ b/src/pkcs11.c
@@ -626,8 +626,8 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
gnutls_x509_crt_t xcrt;
gnutls_x509_privkey_t xkey;
int ret;
- unsigned int key_usage = 0;
gnutls_datum_t *secret_key;
+ unsigned key_usage = 0;
unsigned char raw_id[128];
size_t raw_id_size;
gnutls_datum_t cid = {NULL, 0};
@@ -656,7 +656,7 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
if (secret_key != NULL) {
ret =
gnutls_pkcs11_copy_secret_key(url, secret_key, label,
- key_usage,
+ info->key_usage,
flags |
GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE);
if (ret < 0) {
@@ -685,7 +685,7 @@ pkcs11_write(FILE * outfile, const char *url, const char *label,
if (xkey != NULL) {
ret =
gnutls_pkcs11_copy_x509_privkey2(url, xkey, label,
- &cid, key_usage,
+ &cid, key_usage|info->key_usage,
flags |
GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE);
if (ret < 0) {
@@ -743,6 +743,7 @@ pkcs11_generate(FILE * outfile, const char *url, gnutls_pk_algorithm_t pk,
ret =
gnutls_pkcs11_privkey_generate3(url, pk, bits, label, &cid,
GNUTLS_X509_FMT_PEM, &pubkey,
+ info->key_usage,
flags);
if (ret < 0) {
fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,
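Review bot: The three call sites now disagree on where the usage comes from: the secret-key copy passes `info->key_usage` alone, the private-key copy passes `key_usage|info->key_usage` (keeping whatever the local was set to between the hunks, presumably from the certificate), and generate passes `info->key_usage` alone, so with neither --mark-sign nor --mark-decrypt given a zero reaches two of them; whether zero means "no usage attributes" or "library default" is decided inside the library, and a comment at the `unsigned key_usage = 0;` declaration (or in pkcs11_write's header comment) recording the intended meaning of zero would make the asymmetry deliberate rather than accidental. Moving that declaration below `secret_key` and changing `unsigned int` to `unsigned` is churn unrelated to the change and could be dropped to shrink the hunk. `&cid, key_usage|info->key_usage,` should read `&cid, key_usage | info->key_usage,` to match the file's spacing around binary operators. pkcs11_write and pkcs11_generate both extend beyond the hunks shown.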