From b3418c2f0d223955723df7d65a31026ad038d943 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Fri, 23 Sep 2016 11:10:21 +0200
Subject: trust: Don't add CKA_TRUSTED to extension object
While 'trust anchor' command tries to add CKA_TRUSTED attribute to any object, it is only valid for a certificate object.
https://bugzilla.redhat.com/show_bug.cgi?id=1158926
---
 trust/anchor.c | 35 +++++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/trust/anchor.c b/trust/anchor.c
index a1be472..03cf9e8 100644
--- a/trust/anchor.c
+++ b/trust/anchor.c
@@ -44,6 +44,7 @@
 #include "message.h"
 #include "parser.h"
 #include "tool.h"
+#include "pkcs11x.h"
 #include "p11-kit/iter.h"
 #include "p11-kit/p11-kit.h"
@@ -330,13 +331,36 @@ create_anchor (CK_FUNCTION_LIST *module,
 CK_OBJECT_HANDLE object;
 char *string;
 CK_RV rv;
+ CK_ULONG klass;
- CK_ATTRIBUTE basics[] = {
+ CK_ATTRIBUTE basics_certificate[] = {
 { CKA_TOKEN, &truev, sizeof (truev) },
 { CKA_TRUSTED, &truev, sizeof (truev) },
 { CKA_INVALID, },
 };
+ CK_ATTRIBUTE basics_extension[] = { { CKA_TOKEN, &truev, sizeof (truev) }, { CKA_INVALID, }, };
+ CK_ATTRIBUTE basics_empty[] = { { CKA_INVALID, }, };
+ CK_ATTRIBUTE *basics = basics_empty;
+ if (p11_attrs_find_ulong (attrs, CKA_CLASS, &klass)) {
+ switch (klass) {
+ case CKO_CERTIFICATE:
+ basics = basics_certificate;
+ break;
+ case CKO_X_CERTIFICATE_EXTENSION:
+ basics = basics_extension;
+ break;
+ }
+ }
+
 attrs = p11_attrs_merge (attrs, p11_attrs_dup (basics), true);
 p11_attrs_remove (attrs, CKA_MODIFIABLE);
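Review bot: The `switch (klass)` in create_anchor has no `default:`, so an object whose CKA_CLASS is absent (`p11_attrs_find_ulong` returns false) or is neither CKO_CERTIFICATE nor CKO_X_CERTIFICATE_EXTENSION now gets `basics_empty` and silently loses the CKA_TOKEN=TRUE that every object received before this change; presumably such an object would then be created as a session object instead of being stored, which the commit message does not mention. If only certificates and extensions can reach this point, say so with a `default:` that fails loudly; otherwise keep the old token behaviour as the fallback by starting from the token-only set, `CK_ATTRIBUTE *basics = basics_extension;` (renamed to something like `basics_token`), and dropping `basics_empty` so the switch only adds CKA_TRUSTED for certificates. A one-line comment above the switch, `/* CKA_TRUSTED is only meaningful on certificate objects; other classes get CKA_TOKEN alone */`, would record the reason for the split. The body of create_anchor continues past the hunk.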
@@ -368,13 +392,20 @@ modify_anchor (CK_FUNCTION_LIST *module,
 CK_BBOOL truev = CK_TRUE;
 CK_ATTRIBUTE *changes;
 CK_ATTRIBUTE *label;
+ CK_ULONG klass;
 char *string;
 CK_RV rv;
 CK_ATTRIBUTE trusted = { CKA_TRUSTED, &truev, sizeof (truev) };
 label = p11_attrs_find_valid (attrs, CKA_LABEL);
- changes = p11_attrs_build (NULL, &trusted, label, NULL);
+
+ if (p11_attrs_find_ulong (attrs, CKA_CLASS, &klass) &&
+ klass == CKO_CERTIFICATE)
+ changes = p11_attrs_build (NULL, &trusted, label, NULL);
+ else
+ changes = p11_attrs_build (NULL, label, NULL);
+
 return_val_if_fail (attrs != NULL, FALSE);
 /* Don't need the attributes anymore */
-- 
cgit v1.1
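Review bot: Both new branches assign `changes` from `p11_attrs_build`, yet the guard directly below them still tests `attrs` (`return_val_if_fail (attrs != NULL, FALSE);`), a pointer that was already dereferenced by `p11_attrs_find_valid` and `p11_attrs_find_ulong` a few lines earlier; if `p11_attrs_build` can return NULL on allocation failure, a NULL `changes` continues into the rest of the function unchecked. The guard should read `return_val_if_fail (changes != NULL, FALSE);`. Note also that for a non-certificate object with no CKA_LABEL the else branch builds an empty template, so whatever modification call follows presumably has nothing to apply; an early return or a comment stating that this is intentional would make the contract clear. The remainder of modify_anchor is outside the hunk.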