summaryrefslogtreecommitdiff
path: root/lib/pkcs11.c
diff options
context:
space:
mode:
Diffstat (limited to 'lib/pkcs11.c')
-rw-r--r--lib/pkcs11.c98
1 files changed, 70 insertions, 28 deletions
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index fad16aaf4f..d8d4a65114 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -4547,34 +4547,10 @@ int gnutls_pkcs11_get_raw_issuer_by_subject_key_id (const char *url,
return ret;
}
-/**
- * gnutls_pkcs11_crt_is_known:
- * @url: A PKCS 11 url identifying a token
- * @cert: is the certificate to find issuer for
- * @issuer: Will hold the issuer if any in an allocated buffer.
- * @fmt: The format of the exported issuer.
- * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
- *
- * This function will check whether the provided certificate is stored
- * in the specified token. This is useful in combination with
- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
- * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
- * to check whether a CA is present or a certificate is blacklisted in
- * a trust PKCS #11 module.
- *
- * This function can be used with a @url of "pkcs11:", and in that case all modules
- * will be searched. To restrict the modules to the marked as trusted in p11-kit
- * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
- *
- * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
- * specific to p11-kit trust modules.
- *
- * Returns: If the certificate exists non-zero is returned, otherwise zero.
- *
- * Since: 3.3.0
- **/
-unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
- unsigned int flags)
+unsigned
+_gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
+ unsigned int flags,
+ gnutls_x509_crt_t *trusted_cert)
{
int ret;
struct find_cert_st priv;
@@ -4586,6 +4562,15 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
memset(&priv, 0, sizeof(priv));
+ if (trusted_cert) {
+ ret = gnutls_pkcs11_obj_init(&priv.obj);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ priv.need_import = 1;
+ }
+
if (url == NULL || url[0] == 0) {
url = "pkcs11:";
}
@@ -4632,8 +4617,18 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
_gnutls_debug_log("crt_is_known: did not find cert, using issuer DN + serial, using DN only\n");
/* attempt searching with the subject DN only */
gnutls_assert();
+ if (priv.obj)
+ gnutls_pkcs11_obj_deinit(priv.obj);
gnutls_free(priv.serial.data);
memset(&priv, 0, sizeof(priv));
+ if (trusted_cert) {
+ ret = gnutls_pkcs11_obj_init(&priv.obj);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ priv.need_import = 1;
+ }
priv.crt = cert;
priv.flags = flags;
@@ -4650,9 +4645,26 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
goto cleanup;
}
+ if (trusted_cert) {
+ ret = gnutls_x509_crt_init(trusted_cert);
+ if (ret < 0) {
+ gnutls_assert();
+ ret = 0;
+ goto cleanup;
+ }
+ ret = gnutls_x509_crt_import_pkcs11(*trusted_cert, priv.obj);
+ if (ret < 0) {
+ gnutls_assert();
+ gnutls_x509_crt_deinit(*trusted_cert);
+ ret = 0;
+ goto cleanup;
+ }
+ }
ret = 1;
cleanup:
+ if (priv.obj)
+ gnutls_pkcs11_obj_deinit(priv.obj);
if (info)
p11_kit_uri_free(info);
gnutls_free(priv.serial.data);
@@ -4661,6 +4673,36 @@ unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
}
/**
+ * gnutls_pkcs11_crt_is_known:
+ * @url: A PKCS 11 url identifying a token
+ * @cert: is the certificate to find issuer for
+ * @flags: Use zero or flags from %GNUTLS_PKCS11_OBJ_FLAG.
+ *
+ * This function will check whether the provided certificate is stored
+ * in the specified token. This is useful in combination with
+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
+ * %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
+ * to check whether a CA is present or a certificate is blacklisted in
+ * a trust PKCS #11 module.
+ *
+ * This function can be used with a @url of "pkcs11:", and in that case all modules
+ * will be searched. To restrict the modules to the marked as trusted in p11-kit
+ * use the %GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE flag.
+ *
+ * Note that the flag %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED is
+ * specific to p11-kit trust modules.
+ *
+ * Returns: If the certificate exists non-zero is returned, otherwise zero.
+ *
+ * Since: 3.3.0
+ **/
+unsigned gnutls_pkcs11_crt_is_known(const char *url, gnutls_x509_crt_t cert,
+ unsigned int flags)
+{
+ return _gnutls_pkcs11_crt_is_known(url, cert, flags, NULL);
+}
+
+/**
* gnutls_pkcs11_obj_get_flags:
* @obj: The pkcs11 object
* @oflags: Will hold the output flags
View Lorry Controller Status