Add flags for PKCS#11 libraries with reduced feature set
authorMartin Willi <martin@revosec.ch>
Wed, 10 Nov 2010 17:16:17 +0000 (18:16 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 10 Nov 2010 17:36:15 +0000 (18:36 +0100)
src/libstrongswan/plugins/pkcs11/pkcs11_library.c
src/libstrongswan/plugins/pkcs11/pkcs11_library.h

index 9fb1b77..e2b06cc 100644 (file)
@@ -466,6 +466,11 @@ struct private_pkcs11_library_t {
         * Name as passed to the constructor
         */
        char *name;
+
+       /**
+        * Supported feature set
+        */
+       pkcs11_feature_t features;
 };
 
 METHOD(pkcs11_library_t, get_name, char*,
@@ -474,6 +479,12 @@ METHOD(pkcs11_library_t, get_name, char*,
        return this->name;
 }
 
+METHOD(pkcs11_library_t, get_features, pkcs11_feature_t,
+       private_pkcs11_library_t *this)
+{
+       return this->features;
+}
+
 /**
  * Object enumerator
  */
@@ -766,6 +777,27 @@ static CK_RV UnlockMutex(CK_VOID_PTR data)
 }
 
 /**
+ * Check if the library has at least a given cryptoki version
+ */
+static bool has_version(CK_INFO *info, int major, int minor)
+{
+       return info->cryptokiVersion.major > major ||
+                       (info->cryptokiVersion.major == major &&
+                        info->cryptokiVersion.minor >= minor);
+}
+
+/**
+ * Check for optional PKCS#11 library functionality
+ */
+static void check_features(private_pkcs11_library_t *this, CK_INFO *info)
+{
+       if (has_version(info, 2, 20))
+       {
+               this->features |= PKCS11_TRUSTED_CERTS;
+       }
+}
+
+/**
  * Initialize a PKCS#11 library
  */
 static bool initialize(private_pkcs11_library_t *this, char *name, char *file)
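Review bot: check_features() derives PKCS11_TRUSTED_CERTS solely from the Cryptoki version the library reports in CK_INFO, so a module advertising 2.20 that does not actually honour CKA_TRUSTED on certificate objects would still be flagged, and nothing in the hunk says why 2.20 is the threshold; a why-comment above the has_version() call would help, e.g. `/* CKA_TRUSTED on certificate objects was introduced with Cryptoki 2.20; presence is inferred from the version only, not probed */`. has_version() only reads through info, so `static bool has_version(const CK_INFO *info, int major, int minor)` would document that and let callers pass const data. The flag is ORed into this->features and never reset, so correctness relies on the struct starting zeroed by INIT() in pkcs11_library_create, which is outside this hunk and presumably the case. initialize()'s body continues beyond the hunk.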
@@ -830,6 +862,8 @@ static bool initialize(private_pkcs11_library_t *this, char *name, char *file)
        {
                DBG1(DBG_CFG, "  uses OS locking functions");
        }
+
+       check_features(this, &info);
        return TRUE;
 }
 
@@ -843,6 +877,7 @@ pkcs11_library_t *pkcs11_library_create(char *name, char *file)
        INIT(this,
                .public = {
                        .get_name = _get_name,
+                       .get_features = _get_features,
                        .create_object_enumerator = _create_object_enumerator,
                        .create_mechanism_enumerator = _create_mechanism_enumerator,
                        .destroy = _destroy,
index 1457d24..36fe841 100644 (file)
@@ -21,6 +21,7 @@
 #ifndef PKCS11_LIBRARY_H_
 #define PKCS11_LIBRARY_H_
 
+typedef enum pkcs11_feature_t pkcs11_feature_t;
 typedef struct pkcs11_library_t pkcs11_library_t;
 
 #include "pkcs11.h"
@@ -29,6 +30,14 @@ typedef struct pkcs11_library_t pkcs11_library_t;
 #include <utils/enumerator.h>
 
 /**
+ * Optional PKCS#11 features some libraries support, some not
+ */
+enum pkcs11_feature_t {
+       /** CKA_TRUSTED attribute supported for certificate objects */
+       PKCS11_TRUSTED_CERTS = (1<<0),
+};
+
+/**
  * A loaded and initialized PKCS#11 library.
  */
 struct pkcs11_library_t {
@@ -46,6 +55,13 @@ struct pkcs11_library_t {
        char* (*get_name)(pkcs11_library_t *this);
 
        /**
+        * Get the feature set supported by this library.
+        *
+        * @return                      ORed set of features supported
+        */
+       pkcs11_feature_t (*get_features)(pkcs11_library_t *this);
+
+       /**
         * Create an enumerator over CK_OBJECT_HANDLE using a search template.
         *
         * An optional attribute array is automatically filled in with the