Explicit pkcs11 certificate loading can enforce a module and a slot
parent
5d4c27d077
commit
36e47a409b
|
@ -269,7 +269,8 @@ certificate_t *pkcs11_creds_load(certificate_type_t type, va_list args)
|
|||
pkcs11_manager_t *manager;
|
||||
pkcs11_library_t *p11;
|
||||
certificate_t *cert = NULL;
|
||||
CK_SLOT_ID slot;
|
||||
CK_SLOT_ID current, slot = -1;
|
||||
char *module = NULL;
|
||||
|
||||
while (TRUE)
|
||||
{
|
||||
|
@ -278,6 +279,12 @@ certificate_t *pkcs11_creds_load(certificate_type_t type, va_list args)
|
|||
case BUILD_PKCS11_KEYID:
|
||||
keyid = va_arg(args, chunk_t);
|
||||
continue;
|
||||
case BUILD_PKCS11_SLOT:
|
||||
slot = va_arg(args, int);
|
||||
continue;
|
||||
case BUILD_PKCS11_MODULE:
|
||||
module = va_arg(args, char*);
|
||||
continue;
|
||||
case BUILD_END:
|
||||
break;
|
||||
default:
|
||||
|
@ -296,7 +303,7 @@ certificate_t *pkcs11_creds_load(certificate_type_t type, va_list args)
|
|||
return NULL;
|
||||
}
|
||||
enumerator = manager->create_token_enumerator(manager);
|
||||
while (enumerator->enumerate(enumerator, &p11, &slot))
|
||||
while (enumerator->enumerate(enumerator, &p11, ¤t))
|
||||
{
|
||||
CK_OBJECT_CLASS class = CKO_CERTIFICATE;
|
||||
CK_CERTIFICATE_TYPE type = CKC_X_509;
|
||||
|
@ -312,7 +319,16 @@ certificate_t *pkcs11_creds_load(certificate_type_t type, va_list args)
|
|||
CK_SESSION_HANDLE session;
|
||||
CK_RV rv;
|
||||
|
||||
rv = p11->f->C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL,
|
||||
if (slot != -1 && slot != current)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
if (module && !streq(module, p11->get_name(p11)))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
rv = p11->f->C_OpenSession(current, CKF_SERIAL_SESSION, NULL, NULL,
|
||||
&session);
|
||||
if (rv != CKR_OK)
|
||||
{
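Review bot: `slot` is declared as `CK_SLOT_ID`, which PKCS#11 defines as an unsigned long, yet it is initialised to `-1`, filled from `va_arg(args, int)` and tested with `slot != -1`. This works only through implicit conversion, with the sentinel becoming the largest slot ID and the comparison mixing signed and unsigned operands. Keeping the requested value in the type that is actually read makes the "not set" state explicit: declare `int slot = -1;` beside `CK_SLOT_ID current;` and filter with `if (slot != -1 && (CK_SLOT_ID)slot != current)`. Both filters also skip tokens silently, so unless the rest of pkcs11_creds_load (outside these hunks) already reports it, a debug message when no token matches the requested module or slot would let an operator tell a wrong selector from a missing certificate.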
|
||||
|
|
|
@ -68,7 +68,8 @@ pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot);
|
|||
/**
|
||||
* Load a specific certificate from a token.
|
||||
*
|
||||
* Accepts a BUILD_PKCS11_KEYID as the only argument.
|
||||
* Requires a BUILD_PKCS11_KEYID argument, and optionally BUILD_PKCS11_MODULE
|
||||
* and/or BUILD_PKCS11_SLOT.
|
||||
*
|
||||
* @param type certificate type, must be CERT_X509
|
||||
* @param args variable argument list, containing BUILD_PKCS11_KEYID.
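Review bot: The updated comment does not say how the two optional selectors interact, and the `@param args` line at the end of the hunk still names only BUILD_PKCS11_KEYID. In the loader the slot and module checks are independent, so a BUILD_PKCS11_SLOT given without BUILD_PKCS11_MODULE accepts that slot number on every loaded module; slot IDs are assigned per module, so a caller that wants to pin one token needs both. I would add ` * A slot ID is only unique within one module; pass BUILD_PKCS11_MODULE as well to pin a token.` and change the parameter line to `@param args variable argument list, containing BUILD_PKCS11_KEYID and optionally BUILD_PKCS11_MODULE/BUILD_PKCS11_SLOT`. The comment continues past the end of the hunk.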
|
||||
|
|