diff options
Diffstat (limited to 'lib')
-rw-r--r-- | lib/includes/gnutls/pkcs11.h | 4 | ||||
-rw-r--r-- | lib/pkcs11.c | 8 | ||||
-rw-r--r-- | lib/pkcs11_privkey.c | 6 | ||||
-rw-r--r-- | lib/pkcs11_secret.c | 2 | ||||
-rw-r--r-- | lib/pkcs11_write.c | 22 |
5 files changed, 26 insertions, 16 deletions
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h index 52f7898b44..630fb7d014 100644 --- a/lib/includes/gnutls/pkcs11.h +++ b/lib/includes/gnutls/pkcs11.h @@ -95,7 +95,7 @@ void gnutls_pkcs11_obj_set_pin_function(gnutls_pkcs11_obj_t obj, * gnutls_pkcs11_obj_flags: * @GNUTLS_PKCS11_OBJ_FLAG_LOGIN: Force login in the token for the operation (seek+store). * @GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED: object marked as trusted (seek+store). - * @GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE: object marked as sensitive -unexportable (store). + * @GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE: object is explicitly marked as sensitive -unexportable (store). * @GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO: force login as a security officer in the token for the operation (seek+store). * @GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE: marked as private -requires PIN to access (store). * @GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE: marked as not private (store). @@ -117,6 +117,7 @@ void gnutls_pkcs11_obj_set_pin_function(gnutls_pkcs11_obj_t obj, * @GNUTLS_PKCS11_OBJ_FLAG_PUBKEY: When searching, restrict to public key objects only (seek). * @GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY: When searching, restrict to private key objects only (seek). * @GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY: When generating a keypair don't store the public key (store). + * @GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE: object marked as not sensitive -exportable (store). * * Enumeration of different PKCS #11 object flags. Some flags are used * to mark objects when storing, while others are also used while seeking @@ -147,6 +148,7 @@ typedef enum gnutls_pkcs11_obj_flags { GNUTLS_PKCS11_OBJ_FLAG_PUBKEY = (1<<20), GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY = GNUTLS_PKCS11_OBJ_FLAG_PUBKEY, GNUTLS_PKCS11_OBJ_FLAG_PRIVKEY = (1<<21), + GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE = (1<<22), /* flags 1<<29 and later are reserved - see pkcs11_int.h */ } gnutls_pkcs11_obj_flags; diff --git a/lib/pkcs11.c b/lib/pkcs11.c index e4d14f9f4b..395a7e59aa 100644 --- a/lib/pkcs11.c +++ b/lib/pkcs11.c @@ -1922,8 +1922,12 @@ pkcs11_import_object(ck_object_handle_t ctx, ck_object_class_t class, a[0].value_len = sizeof(b); rv = pkcs11_get_attribute_value(sinfo->module, sinfo->pks, ctx, a, 1); - if (rv == CKR_OK && b != 0) - pobj->flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE; + if (rv == CKR_OK) { + if (b != 0) + pobj->flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE; + else + pobj->flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE; + } a[0].type = CKA_EXTRACTABLE; a[0].value = &b; diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c index 48e4836ab2..b721ed1252 100644 --- a/lib/pkcs11_privkey.c +++ b/lib/pkcs11_privkey.c @@ -880,8 +880,8 @@ _dsa_params_generate(struct ck_function_list *module, ck_session_handle_t sessio * can be substituted in the place of the bits parameter using the * GNUTLS_CURVE_TO_BITS() macro. * - * It is highly recommended flags to contain %GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE - * unless there is a strong reason not to. + * Since 3.6.3 the objects are marked as sensitive by default unless + * %GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. @@ -1127,7 +1127,7 @@ gnutls_pkcs11_privkey_generate3(const char *url, gnutls_pk_algorithm_t pk, a_val++; } - if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE) { + if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE)) { p[p_val].type = CKA_SENSITIVE; p[p_val].value = (void *) &tval; p[p_val].value_len = sizeof(tval); diff --git a/lib/pkcs11_secret.c b/lib/pkcs11_secret.c index b9a88549ee..83cdf58457 100644 --- a/lib/pkcs11_secret.c +++ b/lib/pkcs11_secret.c @@ -119,7 +119,7 @@ gnutls_pkcs11_copy_secret_key(const char *token_url, gnutls_datum_t * key, a_val++; } - if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE) + if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE)) tval = 1; else tval = 0; diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c index 4386f727e1..e55bcbeda4 100644 --- a/lib/pkcs11_write.c +++ b/lib/pkcs11_write.c @@ -91,8 +91,8 @@ static void mark_flags(unsigned flags, struct ck_attribute *a, unsigned *a_val, * * This function will copy a certificate into a PKCS #11 token specified by * a URL. Valid flags to mark the certificate: %GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED, - * %GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE, %GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE, - * %GNUTLS_PKCS11_OBJ_FLAG_MARK_CA, %GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH. + * %GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE, %GNUTLS_PKCS11_OBJ_FLAG_MARK_CA, + * %GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. @@ -374,8 +374,8 @@ static int add_pubkey(gnutls_pubkey_t pubkey, struct ck_attribute *a, unsigned * * * This function will copy a public key object into a PKCS #11 token specified by * a URL. Valid flags to mark the key: %GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED, - * %GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE, %GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE, - * %GNUTLS_PKCS11_OBJ_FLAG_MARK_CA, %GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH. + * %GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE, %GNUTLS_PKCS11_OBJ_FLAG_MARK_CA, + * %GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. @@ -625,8 +625,10 @@ gnutls_pkcs11_copy_attached_extension(const char *token_url, * @flags: One of GNUTLS_PKCS11_OBJ_* flags * * This function will copy a private key into a PKCS #11 token specified by - * a URL. It is highly recommended flags to contain %GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE - * unless there is a strong reason not to. + * a URL. + * + * Since 3.6.3 the objects are marked as sensitive by default unless + * %GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. @@ -782,7 +784,7 @@ gnutls_pkcs11_copy_x509_privkey2(const char *token_url, a_val++; } - if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE) { + if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE)) { a[a_val].type = CKA_SENSITIVE; a[a_val].value = (void *) &tval; a[a_val].value_len = sizeof(tval); @@ -1356,8 +1358,10 @@ int gnutls_pkcs11_copy_x509_crt(const char *token_url, * @flags: One of GNUTLS_PKCS11_OBJ_* flags * * This function will copy a private key into a PKCS #11 token specified by - * a URL. It is highly recommended flags to contain %GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE - * unless there is a strong reason not to. + * a URL. + * + * Since 3.6.3 the objects are marked as sensitive by default unless + * %GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. |