From 73ea673d5d1851dfcd3d4c159822a96e1e7ad5c9 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Sat, 18 Jun 2011 11:53:14 +0200
Subject: [PATCH] Added new PKCS #11 flags to force an object being private or not.

Those are GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE and GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE. p11tool supports now the --no-private and --private options.
---
 NEWS | 6 +++
 lib/gnutls_errors.c | 2 +
 lib/includes/gnutls/pkcs11.h | 2 +
 lib/pkcs11.c | 2 +-
 lib/pkcs11_write.c | 72 ++++++++++++++++++++--------
 src/p11tool-gaa.c | 110 ++++++++++++++++++++++++++-----------------
 src/p11tool-gaa.h | 26 +++++-----
 src/p11tool.c | 2 +-
 src/p11tool.gaa | 8 +++-
 src/p11tool.h | 2 +-
 src/pkcs11.c | 8 +++-
 11 files changed, 160 insertions(+), 80 deletions(-)

diff --git a/NEWS b/NEWS
index be3e7ff7e..696335161 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,9 @@ See the end for copying conditions.
 
 * Version 2.99.3 (unreleased)
 
+** libgnutls: Added new PKCS #11 flags to force an object being private or
+not. (GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE and GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE)
+
 ** libgnutls: Added SUITEB128 and SUITEB192 priority strings to enable the
 NSA SuiteB cryptography ciphersuites.
 
@@ -44,6 +47,9 @@ gnutls_crypto_single_digest_register: REMOVED
 gnutls_crypto_single_mac_register: REMOVED
 GNUTLS_KX_ECDHE_PSK: New key exchange method
 GNUTLS_VERIFY_DISABLE_CRL_CHECKS: New certificate verification flag.
+GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE: New PKCS#11 object flag.
+GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE: New PKCS#11 object flag.
+
 
 * Version 2.99.2 (released 2011-05-26)
 
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index 39bf11b3a..21d829763 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -332,6 +332,8 @@ static const gnutls_error_entry error_algorithms[] = {
                GNUTLS_E_ECC_NO_SUPPORTED_CURVES, 1),
   ERROR_ENTRY (N_("The curve is unsupported"),
                GNUTLS_E_ECC_UNSUPPORTED_CURVE, 1),
+  ERROR_ENTRY (N_("The requested PKCS #11 object is not available"),
+               GNUTLS_E_PKCS11_REQUESTED_OBJECT_NOT_AVAILBLE, 1),
   {NULL, NULL, 0, 0}
 };
 
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index c1b798103..edcea28bb 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -69,6 +69,8 @@ int gnutls_pkcs11_obj_init (gnutls_pkcs11_obj_t * obj);
 #define GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED (1<<1) /* object marked as trusted */
 #define GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE (1<<2) /* object marked as sensitive (unexportable) */
 #define GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO (1<<3) /* force login as a security officer in the token for the operation */
+#define GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE (1<<4) /* marked as private (requires PIN to access) */
+#define GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE (1<<5) /* marked as not private */
 
 /**
  * gnutls_pkcs11_url_type_t:
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 41126dd97..d76ed6514 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -814,7 +814,7 @@ pkcs11_find_slot (struct ck_function_list ** module, ck_slot_id_t * slot,
     }
 
   gnutls_assert ();
-  return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+  return GNUTLS_E_PKCS11_REQUESTED_OBJECT_NOT_AVAILBLE;
 }
 
 int
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index 3083faf8e..f376945f6 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -28,6 +28,9 @@
 #include
 #include
 
+static const ck_bool_t tval = 1;
+static const ck_bool_t fval = 0;
+
 /**
  * gnutls_pkcs11_copy_x509_crt:
  * @token_url: A PKCS #11 URL specifying a token
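Review bot: The new error constant is misspelled — `GNUTLS_E_PKCS11_REQUESTED_OBJECT_NOT_AVAILBLE` drops the second A of AVAILABLE — and once it ships in a public header it cannot be renamed without breaking source compatibility, so the spelling should be fixed in this commit rather than later. The diffstat shows no change to the public gnutls header, so either the constant already exists there or its definition is missing from this patch; please confirm which. NEWS records the two new flags but not this new error code, even though callers will now see it in place of `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE`.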
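Review bot: The two new flag comments do not say how the flags interact, and the implementation in this same patch gives them a non-obvious precedence: for certificates `GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED` forces CKA_PRIVATE to false and both new flags are then ignored, when both new flags are set together MARK_PRIVATE wins silently, and for private keys the object is private unless MARK_NOT_PRIVATE is given. This header is the only documentation a caller sees, so that belongs here. Suggested comments: `/* marked as private (requires PIN to access); mutually exclusive with MARK_NOT_PRIVATE; ignored for certificates when MARK_TRUSTED is set */` and `/* marked as not private; for a private key this allows use without login — consider pairing with MARK_SENSITIVE */`.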
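Review bot: Changing the failure value of `pkcs11_find_slot` from `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE` to the new code is visible to every caller that compared against the old value, and nothing in this patch updates such callers or mentions the change in NEWS; please grep the PKCS #11 code paths for the old constant and add a NEWS line for the new error. The function starts above this hunk, so I cannot see whether its other return paths still use the old code and should be made consistent.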
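Review bot: Making `tval`/`fval` file-scope `const` is what forces the `(void*)` casts added throughout the rest of the patch, and the cast quietly removes the protection the `const` was meant to give: if either address is ever handed to a call that writes through the attribute value (as a module does for a get-attribute call), that is a write to a read-only object and undefined behaviour. In this patch they are only passed to `pkcs11_create_object`, which is fine, but a comment should pin that down: `/* read-only: only ever passed as input to object creation; never hand these to a call that writes the attribute value */`.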
@@ -58,8 +61,6 @@ gnutls_pkcs11_copy_x509_crt (const char *token_url,
   ck_object_class_t class = CKO_CERTIFICATE;
   ck_certificate_type_t type = CKC_X_509;
   ck_object_handle_t obj;
-  ck_bool_t tval = 1;
-  ck_bool_t fval = 0;
   int a_val;
   gnutls_datum_t subject = { NULL, 0 };
 
@@ -130,7 +131,7 @@ gnutls_pkcs11_copy_x509_crt (const char *token_url,
   a[2].value = der;
   a[2].value_len = der_size;
   a[3].type = CKA_TOKEN;
-  a[3].value = &tval;
+  a[3].value = (void*)&tval;
   a[3].value_len = sizeof (tval);
   a[4].type = CKA_CERTIFICATE_TYPE;
   a[4].value = &type;
@@ -143,7 +144,6 @@ gnutls_pkcs11_copy_x509_crt (const char *token_url,
   a[a_val].value_len = subject.size;
   a_val++;
 
-
   if (label)
     {
       a[a_val].type = CKA_LABEL;
@@ -155,15 +155,32 @@ gnutls_pkcs11_copy_x509_crt (const char *token_url,
   if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED)
     {
       a[a_val].type = CKA_TRUSTED;
-      a[a_val].value = &tval;
+      a[a_val].value = (void*)&tval;
       a[a_val].value_len = sizeof (tval);
       a_val++;
 
       a[a_val].type = CKA_PRIVATE;
-      a[a_val].value = &fval;
+      a[a_val].value = (void*)&fval;
       a[a_val].value_len = sizeof(fval);
       a_val++;
     }
+  else
+    {
+      if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE)
+        {
+          a[a_val].type = CKA_PRIVATE;
+          a[a_val].value = (void*)&tval;
+          a[a_val].value_len = sizeof(tval);
+          a_val++;
+        }
+      else if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE)
+        {
+          a[a_val].type = CKA_PRIVATE;
+          a[a_val].value = (void*)&fval;
+          a[a_val].value_len = sizeof(fval);
+          a_val++;
+        }
+    }
 
   rv = pkcs11_create_object (module, pks, a, a_val, &obj);
   if (rv != CKR_OK)
@@ -219,7 +236,6 @@ gnutls_pkcs11_copy_x509_privkey (const char *token_url,
   ck_object_class_t class = CKO_PRIVATE_KEY;
   ck_object_handle_t obj;
   ck_key_type_t type;
-  ck_bool_t tval = 1;
   int a_val;
   gnutls_pk_algorithm_t pk;
   gnutls_datum_t p, q, g, y, x;
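Review bot: In the new `else` branch of the MARK_TRUSTED test, a caller that sets both `GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE` and `GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE` silently gets MARK_PRIVATE, and a caller that combines MARK_TRUSTED with MARK_PRIVATE has its explicit private request silently replaced by CKA_PRIVATE=false. A contradictory flag set is a caller bug and should be rejected up front rather than resolved by branch order, e.g. near the top of the function: `if ((flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE) && (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE)) { gnutls_assert (); return <the library's invalid-request error>; }` (`GNUTLS_E_INVALID_REQUEST` if that is the convention here). `gnutls_pkcs11_copy_x509_crt` both starts and ends outside this hunk.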
@@ -271,14 +287,27 @@ gnutls_pkcs11_copy_x509_privkey (const char *token_url,
   a_val++;
 
   a[a_val].type = CKA_TOKEN;
-  a[a_val].value = &tval;
+  a[a_val].value = (void*)&tval;
   a[a_val].value_len = sizeof (tval);
   a_val++;
 
-  a[a_val].type = CKA_PRIVATE;
-  a[a_val].value = &tval;
-  a[a_val].value_len = sizeof (tval);
-  a_val++;
+  /* a private key is set always as private unless
+   * requested otherwise
+   */
+  if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE)
+    {
+      a[a_val].type = CKA_PRIVATE;
+      a[a_val].value = (void*)&fval;
+      a[a_val].value_len = sizeof(fval);
+      a_val++;
+    }
+  else
+    {
+      a[a_val].type = CKA_PRIVATE;
+      a[a_val].value = (void*)&tval;
+      a[a_val].value_len = sizeof (tval);
+      a_val++;
+    }
 
   if (label)
     {
@@ -289,14 +318,19 @@ gnutls_pkcs11_copy_x509_privkey (const char *token_url,
     }
 
   if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE)
-    tval = 1;
+    {
+      a[a_val].type = CKA_SENSITIVE;
+      a[a_val].value = (void*)&tval;
+      a[a_val].value_len = sizeof (tval);
+      a_val++;
+    }
   else
-    tval = 0;
-
-  a[a_val].type = CKA_SENSITIVE;
-  a[a_val].value = &tval;
-  a[a_val].value_len = sizeof (tval);
-  a_val++;
+    {
+      a[a_val].type = CKA_SENSITIVE;
+      a[a_val].value = (void*)&fval;
+      a[a_val].value_len = sizeof (fval);
+      a_val++;
+    }
 
   pk = gnutls_x509_privkey_get_pk_algorithm (key);
   switch (pk)
diff --git a/src/p11tool-gaa.c b/src/p11tool-gaa.c
index 83976f0b3..18162402e 100644
--- a/src/p11tool-gaa.c
+++ b/src/p11tool-gaa.c
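Review bot: With `GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE` this stores a private-key object with CKA_PRIVATE=false, i.e. usable without a PIN login, and the next hunk shows CKA_SENSITIVE is also written as false unless MARK_SENSITIVE is given — so a call passing only MARK_NOT_PRIVATE yields a key that is usable and, depending on the module, readable by anyone who can open the token. The comment should state what the flag costs, not just that it is honoured: `/* CKA_PRIVATE (login required) unless MARK_NOT_PRIVATE; a non-private, non-sensitive key is accessible to anyone who can open the token */`. Consider refusing MARK_NOT_PRIVATE without MARK_SENSITIVE, or at least documenting the combination in the public header. `gnutls_pkcs11_copy_x509_privkey` starts and ends outside this hunk.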
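Review bot: Both branches write CKA_SENSITIVE with four identical lines that differ only in `&tval` versus `&fval`; a single block selecting the value is shorter and cannot drift apart: `a[a_val].value = (void*)((flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE) ? &tval : &fval);`. Separately, the `else` branch explicitly writes CKA_SENSITIVE=false rather than leaving the attribute unset, so the API default for an imported key is "value readable" and the token's own default never applies; that was already the behaviour before this patch, but since the lines are being rewritten it deserves a comment such as `/* explicit false: the token default is not used; callers must pass MARK_SENSITIVE for an unexportable key */`.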
@@ -146,7 +146,9 @@ void gaa_help(void)
 	__gaa_helpsingle(0, "write", "URL ", "Writes loaded certificates, private or secret keys to a PKCS11 token.");
 	__gaa_helpsingle(0, "delete", "URL ", "Deletes objects matching the URL.");
 	__gaa_helpsingle(0, "label", "label ", "Sets a label for the write operation.");
-	__gaa_helpsingle(0, "trusted", "", "Marks the certificate to be imported as trusted.");
+	__gaa_helpsingle(0, "trusted", "", "Marks the certificate to be written as trusted.");
+	__gaa_helpsingle(0, "private", "", "Marks the object to be written as private (requires PIN).");
+	__gaa_helpsingle(0, "no-private", "", "Marks the object to be written as not private.");
 	__gaa_helpsingle(0, "login", "", "Force login to token");
 	__gaa_helpsingle(0, "detailed-url", "", "Export detailed URLs.");
 	__gaa_helpsingle(0, "no-detailed-url", "", "Export less detailed URLs.");
@@ -175,30 +177,32 @@ typedef struct _gaainfo gaainfo;
 
 struct _gaainfo
 {
-#line 80 "p11tool.gaa"
+#line 84 "p11tool.gaa"
 	int debug;
-#line 75 "p11tool.gaa"
+#line 79 "p11tool.gaa"
 	char *outfile;
-#line 72 "p11tool.gaa"
+#line 76 "p11tool.gaa"
 	int action;
-#line 71 "p11tool.gaa"
+#line 75 "p11tool.gaa"
 	char* pkcs11_provider;
-#line 67 "p11tool.gaa"
+#line 71 "p11tool.gaa"
 	int incert_format;
-#line 64 "p11tool.gaa"
+#line 68 "p11tool.gaa"
 	int pkcs8;
-#line 61 "p11tool.gaa"
+#line 65 "p11tool.gaa"
 	char *cert;
-#line 58 "p11tool.gaa"
+#line 62 "p11tool.gaa"
 	char *pubkey;
-#line 55 "p11tool.gaa"
+#line 59 "p11tool.gaa"
 	char *privkey;
-#line 52 "p11tool.gaa"
+#line 56 "p11tool.gaa"
 	char* secret_key;
-#line 48 "p11tool.gaa"
+#line 52 "p11tool.gaa"
 	int pkcs11_detailed_url;
-#line 45 "p11tool.gaa"
+#line 49 "p11tool.gaa"
 	int pkcs11_login;
+#line 45 "p11tool.gaa"
+	int pkcs11_private;
 #line 42 "p11tool.gaa"
 	int pkcs11_trusted;
 #line 35 "p11tool.gaa"
@@ -261,7 +265,7 @@ static int gaa_error = 0;
 #define GAA_MULTIPLE_OPTION 3
 
 #define GAA_REST 0
-#define GAA_NB_OPTION 27
+#define GAA_NB_OPTION 29
 #define GAAOPTID_help 1
 #define GAAOPTID_debug 2
 #define GAAOPTID_outfile 3
@@ -276,19 +280,21 @@ static int gaa_error = 0;
 #define GAAOPTID_no_detailed_url 12
 #define GAAOPTID_detailed_url 13
 #define GAAOPTID_login 14
-#define GAAOPTID_trusted 15
-#define GAAOPTID_label 16
-#define GAAOPTID_delete 17
-#define GAAOPTID_write 18
-#define GAAOPTID_initialize 19
-#define GAAOPTID_list_trusted 20
-#define GAAOPTID_list_privkeys 21
-#define GAAOPTID_list_certs 22
-#define GAAOPTID_list_all_certs 23
-#define GAAOPTID_list_all 24
-#define GAAOPTID_list_mechanisms 25
-#define GAAOPTID_list_tokens 26
-#define GAAOPTID_export 27
+#define GAAOPTID_no_private 15
+#define GAAOPTID_private 16
+#define GAAOPTID_trusted 17
+#define GAAOPTID_label 18
+#define GAAOPTID_delete 19
+#define GAAOPTID_write 20
+#define GAAOPTID_initialize 21
+#define GAAOPTID_list_trusted 22
+#define GAAOPTID_list_privkeys 23
+#define GAAOPTID_list_certs 24
+#define GAAOPTID_list_all_certs 25
+#define GAAOPTID_list_all 26
+#define GAAOPTID_list_mechanisms 27
+#define GAAOPTID_list_tokens 28
+#define GAAOPTID_export 29
 
 
 #line 168 "gaa.skel"
@@ -604,6 +610,8 @@ static int gaa_get_option_num(char *str, int status)
 	GAA_CHECK1STR("", GAAOPTID_no_detailed_url);
 	GAA_CHECK1STR("", GAAOPTID_detailed_url);
 	GAA_CHECK1STR("", GAAOPTID_login);
+	GAA_CHECK1STR("", GAAOPTID_no_private);
+	GAA_CHECK1STR("", GAAOPTID_private);
 	GAA_CHECK1STR("", GAAOPTID_trusted);
 	GAA_CHECK1STR("", GAAOPTID_list_trusted);
 	GAA_CHECK1STR("", GAAOPTID_list_privkeys);
@@ -629,6 +637,8 @@ static int gaa_get_option_num(char *str, int status)
 	GAA_CHECKSTR("no-detailed-url", GAAOPTID_no_detailed_url);
 	GAA_CHECKSTR("detailed-url", GAAOPTID_detailed_url);
 	GAA_CHECKSTR("login", GAAOPTID_login);
+	GAA_CHECKSTR("no-private", GAAOPTID_no_private);
+	GAA_CHECKSTR("private", GAAOPTID_private);
 	GAA_CHECKSTR("trusted", GAAOPTID_trusted);
 	GAA_CHECKSTR("label", GAAOPTID_label);
 	GAA_CHECKSTR("delete", GAAOPTID_delete);
@@ -689,7 +699,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
 	{
 	case GAAOPTID_help:
 		OK = 0;
-#line 83 "p11tool.gaa"
+#line 87 "p11tool.gaa"
 { gaa_help(); exit(0); ;};
 
 		return GAA_OK;
@@ -699,7 +709,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
 		GAA_TESTMOREARGS;
 		GAA_FILL(GAATMP_debug.arg1, gaa_getint, GAATMP_debug.size1);
 		gaa_index++;
-#line 81 "p11tool.gaa"
+#line 85 "p11tool.gaa"
 { gaaval->debug = GAATMP_debug.arg1 ;};
 
 		return GAA_OK;
@@ -709,7 +719,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
 		GAA_TESTMOREARGS;
 		GAA_FILL(GAATMP_outfile.arg1, gaa_getstr, GAATMP_outfile.size1);
 		gaa_index++;
-#line 76 "p11tool.gaa"
+#line 80 "p11tool.gaa"
 { gaaval->outfile = GAATMP_outfile.arg1 ;};
 
 		return GAA_OK;
@@ -719,28 +729,28 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
 		GAA_TESTMOREARGS;
 		GAA_FILL(GAATMP_provider.arg1, gaa_getstr, GAATMP_provider.size1);
 		gaa_index++;
-#line 73 "p11tool.gaa"
+#line 77 "p11tool.gaa"
 { gaaval->pkcs11_provider = GAATMP_provider.arg1 ;};
 
 		return GAA_OK;
 		break;
 	case GAAOPTID_inraw:
 		OK = 0;
-#line 69 "p11tool.gaa"
+#line 73 "p11tool.gaa"
 { gaaval->incert_format=GNUTLS_X509_FMT_DER ;};
 
 		return GAA_OK;
 		break;
 	case GAAOPTID_inder:
 		OK = 0;
-#line 68 "p11tool.gaa"
+#line 72 "p11tool.gaa"
 { gaaval->incert_format=GNUTLS_X509_FMT_DER ;};
 
 		return GAA_OK;
 		break;
 	case GAAOPTID_pkcs8:
 		OK = 0;
-#line 65 "p11tool.gaa"
+#line 69 "p11tool.gaa"
 { gaaval->pkcs8=1 ;};
 
 		return GAA_OK;
@@ -750,7 +760,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
 		GAA_TESTMOREARGS;
 		GAA_FILL(GAATMP_load_certificate.arg1, gaa_getstr, GAATMP_load_certificate.size1);
 		gaa_index++;
-#line 62 "p11tool.gaa"
+#line 66 "p11tool.gaa"
 { gaaval->cert = GAATMP_load_certificate.arg1 ;};
 
 		return GAA_OK;
@@ -760,7 +770,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
 		GAA_TESTMOREARGS;
 		GAA_FILL(GAATMP_load_pubkey.arg1, gaa_getstr, GAATMP_load_pubkey.size1);
 		gaa_index++;
-#line 59 "p11tool.gaa"
+#line 63 "p11tool.gaa"
 { gaaval->pubkey = GAATMP_load_pubkey.arg1 ;};
 
 		return GAA_OK;
@@ -770,7 +780,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
 		GAA_TESTMOREARGS;
 		GAA_FILL(GAATMP_load_privkey.arg1, gaa_getstr, GAATMP_load_privkey.size1);
 		gaa_index++;
-#line 56 "p11tool.gaa"
+#line 60 "p11tool.gaa"
 { gaaval->privkey = GAATMP_load_privkey.arg1 ;};
 
 		return GAA_OK;
@@ -780,32 +790,46 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
 		GAA_TESTMOREARGS;
 		GAA_FILL(GAATMP_secret_key.arg1, gaa_getstr, GAATMP_secret_key.size1);
 		gaa_index++;
-#line 53 "p11tool.gaa"
+#line 57 "p11tool.gaa"
 { gaaval->secret_key = GAATMP_secret_key.arg1; ;};
 
 		return GAA_OK;
 		break;
 	case GAAOPTID_no_detailed_url:
 		OK = 0;
-#line 50 "p11tool.gaa"
+#line 54 "p11tool.gaa"
 { gaaval->pkcs11_detailed_url = 0; ;};
 
 		return GAA_OK;
 		break;
 	case GAAOPTID_detailed_url:
 		OK = 0;
-#line 49 "p11tool.gaa"
+#line 53 "p11tool.gaa"
 { gaaval->pkcs11_detailed_url = GNUTLS_PKCS11_URL_LIB; ;};
 
 		return GAA_OK;
 		break;
 	case GAAOPTID_login:
 		OK = 0;
-#line 46 "p11tool.gaa"
+#line 50 "p11tool.gaa"
 { gaaval->pkcs11_login = 1; ;};
 
 		return GAA_OK;
 		break;
+	case GAAOPTID_no_private:
+		OK = 0;
+#line 47 "p11tool.gaa"
+{ gaaval->pkcs11_private = 0; ;};
+
+		return GAA_OK;
+		break;
+	case GAAOPTID_private:
+		OK = 0;
+#line 46 "p11tool.gaa"
+{ gaaval->pkcs11_private = 1; ;};
+
+		return GAA_OK;
+		break;
 	case GAAOPTID_trusted:
 		OK = 0;
 #line 43 "p11tool.gaa"
@@ -939,12 +963,12 @@ int gaa(int argc, char **argv, gaainfo *gaaval)
 
 	if(inited == 0)
 	{
-#line 85 "p11tool.gaa"
+#line 89 "p11tool.gaa"
 { gaaval->action = -1; gaaval->pkcs11_provider= NULL; gaaval->outfile = NULL; gaaval->pubkey = NULL; gaaval->privkey = NULL; gaaval->pkcs11_url = NULL; gaaval->pkcs11_type = PKCS11_TYPE_PK; gaaval->pubkey=NULL; gaaval->pkcs11_label = NULL; gaaval->pkcs11_trusted=0; gaaval->pkcs11_login = 0; gaaval->pkcs11_detailed_url = GNUTLS_PKCS11_URL_LIB;
-	gaaval->secret_key = NULL; gaaval->cert = NULL; gaaval->incert_format = GNUTLS_X509_FMT_PEM; ;};
+	gaaval->secret_key = NULL; gaaval->cert = NULL; gaaval->incert_format = GNUTLS_X509_FMT_PEM; gaaval->pkcs11_private = -1; ;};
 
 	}
 	inited = 1;
diff --git a/src/p11tool-gaa.h b/src/p11tool-gaa.h
index f581def09..bc5871f5e 100644
--- a/src/p11tool-gaa.h
+++ b/src/p11tool-gaa.h
@@ -8,30 +8,32 @@ typedef struct _gaainfo gaainfo;
 
 struct _gaainfo
 {
-#line 80 "p11tool.gaa"
+#line 84 "p11tool.gaa"
 	int debug;
-#line 75 "p11tool.gaa"
+#line 79 "p11tool.gaa"
 	char *outfile;
-#line 72 "p11tool.gaa"
+#line 76 "p11tool.gaa"
 	int action;
-#line 71 "p11tool.gaa"
+#line 75 "p11tool.gaa"
 	char* pkcs11_provider;
-#line 67 "p11tool.gaa"
+#line 71 "p11tool.gaa"
 	int incert_format;
-#line 64 "p11tool.gaa"
+#line 68 "p11tool.gaa"
 	int pkcs8;
-#line 61 "p11tool.gaa"
+#line 65 "p11tool.gaa"
 	char *cert;
-#line 58 "p11tool.gaa"
+#line 62 "p11tool.gaa"
 	char *pubkey;
-#line 55 "p11tool.gaa"
+#line 59 "p11tool.gaa"
 	char *privkey;
-#line 52 "p11tool.gaa"
+#line 56 "p11tool.gaa"
 	char* secret_key;
-#line 48 "p11tool.gaa"
+#line 52 "p11tool.gaa"
 	int pkcs11_detailed_url;
-#line 45 "p11tool.gaa"
+#line 49 "p11tool.gaa"
 	int pkcs11_login;
+#line 45 "p11tool.gaa"
+	int pkcs11_private;
 #line 42 "p11tool.gaa"
 	int pkcs11_trusted;
 #line 35 "p11tool.gaa"
diff --git a/src/p11tool.c b/src/p11tool.c
index ce3bebb0a..ebaa6fd4b 100644
--- a/src/p11tool.c
+++ b/src/p11tool.c
@@ -147,7 +147,7 @@ gaa_parser (int argc, char **argv)
       break;
     case ACTION_PKCS11_WRITE_URL:
       pkcs11_write (outfile, info.pkcs11_url, info.pkcs11_label,
-                    info.pkcs11_trusted, info.pkcs11_login, &cinfo);
+                    info.pkcs11_trusted, info.pkcs11_private, info.pkcs11_login, &cinfo);
       break;
     case ACTION_PKCS11_TOKEN_INIT:
       pkcs11_init (outfile, info.pkcs11_url, info.pkcs11_label, &cinfo);
diff --git a/src/p11tool.gaa b/src/p11tool.gaa
index 7c2ca91dc..9c2e4ae17 100644
--- a/src/p11tool.gaa
+++ b/src/p11tool.gaa
@@ -40,7 +40,11 @@ option (delete) STR "URL" { $action = ACTION_PKCS11_DELETE_URL; $pkcs11_url = $1
 option (label) STR "label" { $pkcs11_label = $1; } "Sets a label for the write operation."
 
 #int pkcs11_trusted;
-option (trusted) { $pkcs11_trusted = 1; } "Marks the certificate to be imported as trusted."
+option (trusted) { $pkcs11_trusted = 1; } "Marks the certificate to be written as trusted."
+
+#int pkcs11_private;
+option (private) { $pkcs11_private = 1; } "Marks the object to be written as private (requires PIN)."
+option (no-private) { $pkcs11_private = 0; } "Marks the object to be written as not private."
 
 #int pkcs11_login;
 option (login) { $pkcs11_login = 1; } "Force login to token"
@@ -86,4 +90,4 @@ init { $action = -1; $pkcs11_provider= NULL; $outfile = NULL; $pubkey = NULL; $privkey = NULL; $pkcs11_url = NULL; $pkcs11_type = PKCS11_TYPE_PK; $pubkey=NULL; $pkcs11_label = NULL; $pkcs11_trusted=0; $pkcs11_login = 0; $pkcs11_detailed_url = GNUTLS_PKCS11_URL_LIB;
-	$secret_key = NULL; $cert = NULL; $incert_format = GNUTLS_X509_FMT_PEM; }
+	$secret_key = NULL; $cert = NULL; $incert_format = GNUTLS_X509_FMT_PEM; $pkcs11_private = -1; }
diff --git a/src/p11tool.h b/src/p11tool.h
index ec48c79a4..3682fb15a 100644
--- a/src/p11tool.h
+++ b/src/p11tool.h
@@ -13,7 +13,7 @@ void pkcs11_export (FILE * outfile, const char *pkcs11_url,
 void pkcs11_token_list (FILE * outfile, unsigned int detailed, common_info_st *);
 void pkcs11_write (FILE * outfile, const char *pkcs11_url, const char *label,
-                   int trusted, unsigned int login, common_info_st *);
+                   int trusted, int private, unsigned int login, common_info_st *);
 void pkcs11_delete (FILE * outfile, const char *pkcs11_url, int batch,
                     unsigned int login, common_info_st *);
 void pkcs11_init (FILE * outfile, const char *pkcs11_url, const char *label,
diff --git a/src/pkcs11.c b/src/pkcs11.c
index 25341063d..8a7420440 100644
--- a/src/pkcs11.c
+++ b/src/pkcs11.c
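Review bot: The help strings for `--private` and `--no-private` do not say what happens when neither is given, and the library side of this patch makes the default depend on the object type: a private key is written as private unless `--no-private`, a certificate given neither option is left to the token's default, and `--trusted` forces a certificate non-private regardless of `--private`. Since `$pkcs11_private` is initialised to -1 precisely to express "not specified", the help text should spell that out, e.g. `"Marks the object to be written as private (requires PIN). Default for private keys."` and `"Marks the object to be written as not private (usable without PIN). Ignored together with --trusted."`.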
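Review bot: `private` is a reserved word in C++, so naming the new parameter `private` in a header means any C++ translation unit that includes `p11tool.h` fails to compile; `int trusted, int priv, unsigned int login, common_info_st *` avoids that at no cost. The tool is C today so this is a style point, but it is cheap to fix while the prototype is new. The tri-state meaning (1, 0, and -1 for unspecified, per the `.gaa` init in this patch) is also worth a comment on the declaration: `/* priv: 1 = CKA_PRIVATE, 0 = not private, -1 = leave to the library default */`.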
@@ -464,7 +464,8 @@ pkcs11_token_list (FILE * outfile, unsigned int detailed,
 }
 
 void
-pkcs11_write (FILE * outfile, const char *url, const char *label, int trusted,
+pkcs11_write (FILE * outfile, const char *url, const char *label,
+              int trusted, int private,
               unsigned int login, common_info_st * info)
 {
   gnutls_x509_crt_t xcrt;
@@ -497,6 +498,11 @@ pkcs11_write (FILE * outfile, const char *url, const char *label, int trusted,
         }
     }
 
+  if (private == 1)
+    flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE;
+  else if (private == 0)
+    flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE;
+
   xcrt = load_cert (0, info);
   if (xcrt != NULL)
     {
-- 
2.11.4.GIT
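Review bot: The `--trusted --private` combination is accepted here, but the library code in this same patch ignores MARK_PRIVATE whenever MARK_TRUSTED is set, so the user's explicit request is dropped without any message; this function has both values in hand and should at least say so, e.g. `if (private == 1 && trusted) fprintf (stderr, "warning: --private is ignored for a trusted certificate\n");` before the flag is set. Likewise `--no-private` on a private key removes the PIN requirement for using it, which a tool user may not expect from the one-line help; a similar warning when `private == 0` and a private key is loaded would be cheap. `pkcs11_write` continues past the end of this hunk, so the key-loading branch where that second check belongs is not visible here.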