From f6eeb995a8c3952ac6efd28ce0a929372e5e2949 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 10 May 2017 17:23:54 +0200
Subject: pkcs11_override_cert_exts: do not use CKA_X_DISTRUSTED flag when retrieving

This flag was introduced in order for reducing the number of duplicate stapled extensions returned by p11-kit. Unfortunately that fix was bogus and in fact it resulted to p11-kit not returning any stapled extensions.

Signed-off-by: Nikos Mavrogiannopoulos
---
 lib/pkcs11x.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/lib/pkcs11x.c b/lib/pkcs11x.c
index 186b3f642d..fc428e17a4 100644
--- a/lib/pkcs11x.c
+++ b/lib/pkcs11x.c
@@ -68,7 +68,7 @@ int pkcs11_override_cert_exts(struct pkcs11_session_info *sinfo, gnutls_datum_t
 {
 int ret;
 gnutls_datum_t new_der = {NULL, 0};
- struct ck_attribute a[3];
+ struct ck_attribute a[2];
 struct ck_attribute b[1];
 unsigned long count;
 unsigned ext_data_size = der->size;
@@ -78,7 +78,6 @@ int pkcs11_override_cert_exts(struct pkcs11_session_info *sinfo, gnutls_datum_t
 unsigned finalize = 0;
 ck_rv_t rv;
 ck_object_handle_t obj;
- ck_bool_t tfalse = 0;
 
 if (sinfo->trusted == 0) {
 _gnutls_debug_log("p11: cannot override extensions on a non-p11-kit trust module\n");
@@ -95,11 +94,7 @@ int pkcs11_override_cert_exts(struct pkcs11_session_info *sinfo, gnutls_datum_t
 a[1].value = spki->data;
 a[1].value_len = spki->size;
 
- a[2].type = CKA_X_DISTRUSTED;
- a[2].value = &tfalse;
- a[2].value_len = sizeof(tfalse);
-
- rv = pkcs11_find_objects_init(sinfo->module, sinfo->pks, a, 3);
+ rv = pkcs11_find_objects_init(sinfo->module, sinfo->pks, a, 2);
 if (rv != CKR_OK) {
 gnutls_assert();
 _gnutls_debug_log
-- 
cgit v1.2.1
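Review bot: Nothing at the `pkcs11_find_objects_init(sinfo->module, sinfo->pks, a, 2)` call in the third hunk records why the search template must not carry `CKA_X_DISTRUSTED`. Per the commit message the earlier filter made p11-kit return no stapled extensions at all, so certificates were presumably processed without the overrides the trust module attaches to them, and nothing reported the miss. A comment above the call such as `/* no CKA_X_DISTRUSTED here: with it p11-kit matched no stapled extensions */` would keep the filter from being reintroduced. Because that filter was originally added to cut duplicate results, the code after this call (outside the hunk) should be checked to tolerate more than one matching object. The literal `2` must also be kept in step with `a[2]` by hand; `sizeof(a)/sizeof(a[0])` would avoid that, assuming every element of `a` is filled, which the hunk shows only for `a[1]`.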