Do not use CKA_TRUSTED attribute for Cryptoki version < 2.20, handling all certs...
authorMartin Willi <martin@revosec.ch>
Wed, 10 Nov 2010 17:34:59 +0000 (18:34 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 10 Nov 2010 17:36:15 +0000 (18:36 +0100)
src/libstrongswan/plugins/pkcs11/pkcs11_creds.c

index 1b1448c..a81ec11 100644 (file)
@@ -55,19 +55,20 @@ struct private_pkcs11_creds_t {
  * Find certificates, optionally trusted
  */
 static void find_certificates(private_pkcs11_creds_t *this,
-                                                         CK_SESSION_HANDLE session, CK_BBOOL trusted)
+                                                         CK_SESSION_HANDLE session)
 {
        CK_OBJECT_CLASS class = CKO_CERTIFICATE;
        CK_CERTIFICATE_TYPE type = CKC_X_509;
+       CK_BBOOL trusted = TRUE;
        CK_ATTRIBUTE tmpl[] = {
                {CKA_CLASS, &class, sizeof(class)},
                {CKA_CERTIFICATE_TYPE, &type, sizeof(type)},
-               {CKA_TRUSTED, &trusted, sizeof(trusted)},
        };
        CK_OBJECT_HANDLE object;
        CK_ATTRIBUTE attr[] = {
                {CKA_VALUE, NULL, 0},
                {CKA_LABEL, NULL, 0},
+               {CKA_TRUSTED, &trusted, sizeof(trusted)}
        };
        enumerator_t *enumerator;
        linked_list_t *raw;
@@ -75,11 +76,19 @@ static void find_certificates(private_pkcs11_creds_t *this,
        struct {
                chunk_t value;
                chunk_t label;
+               bool trusted;
        } *entry;
+       int count = countof(attr);
 
+       /* store result in a temporary list, avoid recursive operation */
        raw = linked_list_create();
+       /* do not use trusted argument if not supported */
+       if (!(this->lib->get_features(this->lib) & PKCS11_TRUSTED_CERTS))
+       {
+               count--;
+       }
        enumerator = this->lib->create_object_enumerator(this->lib,
-                                                       session, tmpl, countof(tmpl), attr, countof(attr));
+                                                                       session, tmpl, countof(tmpl), attr, count);
        while (enumerator->enumerate(enumerator, &object))
        {
                entry = malloc(sizeof(*entry));
@@ -87,6 +96,7 @@ static void find_certificates(private_pkcs11_creds_t *this,
                                                        chunk_create(attr[0].pValue, attr[0].ulValueLen));
                entry->label = chunk_clone(
                                                        chunk_create(attr[1].pValue, attr[1].ulValueLen));
+               entry->trusted = trusted;
                raw->insert_last(raw, entry);
        }
        enumerator->destroy(enumerator);
@@ -99,10 +109,10 @@ static void find_certificates(private_pkcs11_creds_t *this,
                if (cert)
                {
                        DBG1(DBG_CFG, "    loaded %strusted cert '%.*s'",
-                                trusted ? "" : "un", entry->label.len, entry->label.ptr);
+                                entry->trusted ? "" : "un", entry->label.len, entry->label.ptr);
                        /* trusted certificates are also returned as untrusted */
                        this->untrusted->insert_last(this->untrusted, cert);
-                       if (trusted)
+                       if (entry->trusted)
                        {
                                this->trusted->insert_last(this->trusted, cert->get_ref(cert));
                        }
@@ -135,8 +145,7 @@ static bool load_certificates(private_pkcs11_creds_t *this)
                return FALSE;
        }
 
-       find_certificates(this, session, CK_TRUE);
-       find_certificates(this, session, CK_FALSE);
+       find_certificates(this, session);
 
        this->lib->f->C_CloseSession(session);
        return TRUE;