Do not query for CKA_ALWAYS_AUTHENTICATE if PKCS#11 Cryptoki version < 2.20
authorMartin Willi <martin@revosec.ch>
Thu, 18 Nov 2010 07:56:12 +0000 (08:56 +0100)
committerMartin Willi <martin@revosec.ch>
Thu, 18 Nov 2010 07:56:12 +0000 (08:56 +0100)
src/libstrongswan/plugins/pkcs11/pkcs11_library.c
src/libstrongswan/plugins/pkcs11/pkcs11_library.h
src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c

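--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
@@ -794,6 +794,7 @@ static void check_features(private_pkcs11_library_t *this, CK_INFO *info)
        if (has_version(info, 2, 20))
        {
                this->features |= PKCS11_TRUSTED_CERTS;
+               this->features |= PKCS11_ALWAYS_AUTH_KEYS;
        }
 }
 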
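Review bot: The new PKCS11_ALWAYS_AUTH_KEYS bit is gated on the same `has_version(info, 2, 20)` test as PKCS11_TRUSTED_CERTS, but nothing in check_features records why 2.20 is the threshold for either attribute, so a reader cannot tell whether the two were grouped deliberately or by accident. A short comment above the `if` would pin that down, e.g. `/* CKA_TRUSTED and CKA_ALWAYS_AUTHENTICATE are only defined from Cryptoki 2.20 on */` (the version claim follows the commit title; confirm against the spec before wording it as fact). check_features begins before this hunk, so any other version-dependent feature bits set earlier in the function are not visible here.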
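--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
@@ -35,6 +35,8 @@ typedef struct pkcs11_library_t pkcs11_library_t;
 enum pkcs11_feature_t {
        /** CKA_TRUSTED attribute supported for certificate objects */
        PKCS11_TRUSTED_CERTS = (1<<0),
+       /** CKA_ALWAYS_AUTHENTICATE attribute supported for private keys */
+       PKCS11_ALWAYS_AUTH_KEYS = (1<<1),
 };
 
 /**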
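--- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
@@ -401,18 +401,24 @@ static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid)
        };
        CK_OBJECT_HANDLE object;
        CK_KEY_TYPE type;
-       CK_BBOOL reauth;
+       CK_BBOOL reauth = FALSE;
        CK_ATTRIBUTE attr[] = {
                {CKA_KEY_TYPE, &type, sizeof(type)},
-               {CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)},
                {CKA_MODULUS, NULL, 0},
                {CKA_PUBLIC_EXPONENT, NULL, 0},
+               {CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)},
        };
        enumerator_t *enumerator;
        chunk_t modulus, pubexp;
+       int count = countof(attr);
 
+       /* do not use CKA_ALWAYS_AUTHENTICATE if not supported */
+       if (!(this->lib->get_features(this->lib) & PKCS11_ALWAYS_AUTH_KEYS))
+       {
+               count--;
+       }
        enumerator = this->lib->create_object_enumerator(this->lib,
-                                               this->session, tmpl, countof(tmpl), attr, countof(attr));
+                                                       this->session, tmpl, countof(tmpl), attr, count);
        if (enumerator->enumerate(enumerator, &object))
        {
                switch (type)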
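Review bot: The `count--` in the new feature check only does the right thing because `{CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)}` is now the last entry of attr, yet nothing at the array states that invariant, so a later reordering would silently drop CKA_PUBLIC_EXPONENT from the template instead and the enumerator would then return a key with no public exponent. Put the invariant on the entry itself, e.g. `/* must stay last: dropped via count when PKCS11_ALWAYS_AUTH_KEYS is not set */`, and extend the existing comment on `reauth = FALSE` to say it is the value used when the attribute is not queried, so the initialiser is not removed as redundant. With the attribute skipped, a key that does require per-operation login is treated as if it did not; that is presumably a failed C_Sign rather than a silent misuse, but worth a sentence in the comment. find_key starts before and continues after this hunk, so where `reauth` is consumed is not visible here.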