diff options
| author | Daiki Ueno <dueno@redhat.com> | 2016-09-23 11:10:21 +0200 |
|---|---|---|
| committer | Daiki Ueno <ueno@gnu.org> | 2016-12-06 13:12:41 +0100 |
| commit | b3418c2f0d223955723df7d65a31026ad038d943 (patch) | |
| tree | 613dc6a7d2d3a8116695b45d71b27fa917cd4852 | |
| parent | 65e8ad30e7832f3a979f88f4308cfa4f9a969829 (diff) | |
trust: Don't add CKA_TRUSTED to extension object
While 'trust anchor' command tries to add CKA_TRUSTED attribute to any
object, it is only valid for a certificate object.
https://bugzilla.redhat.com/show_bug.cgi?id=1158926
| -rw-r--r-- | trust/anchor.c | 35 |
1 files changed, 33 insertions, 2 deletions
diff --git a/trust/anchor.c b/trust/anchor.c index a1be472..03cf9e8 100644 --- a/trust/anchor.c +++ b/trust/anchor.c @@ -44,6 +44,7 @@ #include "message.h" #include "parser.h" #include "tool.h" +#include "pkcs11x.h" #include "p11-kit/iter.h" #include "p11-kit/p11-kit.h" @@ -330,13 +331,36 @@ create_anchor (CK_FUNCTION_LIST *module, CK_OBJECT_HANDLE object; char *string; CK_RV rv; + CK_ULONG klass; - CK_ATTRIBUTE basics[] = { + CK_ATTRIBUTE basics_certificate[] = { { CKA_TOKEN, &truev, sizeof (truev) }, { CKA_TRUSTED, &truev, sizeof (truev) }, { CKA_INVALID, }, }; + CK_ATTRIBUTE basics_extension[] = { + { CKA_TOKEN, &truev, sizeof (truev) }, + { CKA_INVALID, }, + }; + + CK_ATTRIBUTE basics_empty[] = { + { CKA_INVALID, }, + }; + + CK_ATTRIBUTE *basics = basics_empty; + + if (p11_attrs_find_ulong (attrs, CKA_CLASS, &klass)) { + switch (klass) { + case CKO_CERTIFICATE: + basics = basics_certificate; + break; + case CKO_X_CERTIFICATE_EXTENSION: + basics = basics_extension; + break; + } + } + attrs = p11_attrs_merge (attrs, p11_attrs_dup (basics), true); p11_attrs_remove (attrs, CKA_MODIFIABLE); @@ -368,13 +392,20 @@ modify_anchor (CK_FUNCTION_LIST *module, CK_BBOOL truev = CK_TRUE; CK_ATTRIBUTE *changes; CK_ATTRIBUTE *label; + CK_ULONG klass; char *string; CK_RV rv; CK_ATTRIBUTE trusted = { CKA_TRUSTED, &truev, sizeof (truev) }; label = p11_attrs_find_valid (attrs, CKA_LABEL); - changes = p11_attrs_build (NULL, &trusted, label, NULL); + + if (p11_attrs_find_ulong (attrs, CKA_CLASS, &klass) && + klass == CKO_CERTIFICATE) + changes = p11_attrs_build (NULL, &trusted, label, NULL); + else + changes = p11_attrs_build (NULL, label, NULL); + return_val_if_fail (attrs != NULL, FALSE); /* Don't need the attributes anymore */ |