authorMartin Willi <martin@revosec.ch>2012-10-17 14:21:06 +0200
committerMartin Willi <martin@revosec.ch>2012-10-24 13:07:53 +0200
commit36e47a409b992fb3dc0bb45553eceb60621f2714 (patch)
tree0bc0e6568f078c143744e30683ae577bdc82c939 /src
parent5d4c27d077ef0f21a9ab42a9735172c28e3683ea (diff)
downloadstrongswan-36e47a409b992fb3dc0bb45553eceb60621f2714.tar.bz2
strongswan-36e47a409b992fb3dc0bb45553eceb60621f2714.tar.xz
Explicit pkcs11 certificate loading can enforce a module and a slot
Diffstat (limited to 'src')
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_creds.c22
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_creds.h3
2 files changed, 21 insertions, 4 deletions
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
index 410af3856..5b7883d83 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
@@ -269,7 +269,8 @@ certificate_t *pkcs11_creds_load(certificate_type_t type, va_list args)
pkcs11_manager_t *manager;
pkcs11_library_t *p11;
certificate_t *cert = NULL;
- CK_SLOT_ID slot;
+ CK_SLOT_ID current, slot = -1;
+ char *module = NULL;
while (TRUE)
{
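Review bot: The sentinel `slot = -1` on line L28 is assigned to a CK_SLOT_ID, which in the PKCS#11 headers is an unsigned CK_ULONG, so the value actually stored is the type's maximum and the later `slot != -1` test only works through the same implicit conversion. That is correct but not obvious to the next reader, and it silently makes the highest possible slot ID unselectable; a short comment on the declaration would make both facts explicit, e.g. `CK_SLOT_ID current, slot = -1; /* -1 (CK_ULONG max) means "any slot" */`. The function body continues outside this hunk.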
@@ -278,6 +279,12 @@ certificate_t *pkcs11_creds_load(certificate_type_t type, va_list args)
case BUILD_PKCS11_KEYID:
keyid = va_arg(args, chunk_t);
continue;
+ case BUILD_PKCS11_SLOT:
+ slot = va_arg(args, int);
+ continue;
+ case BUILD_PKCS11_MODULE:
+ module = va_arg(args, char*);
+ continue;
case BUILD_END:
break;
default:
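Review bot: `slot = va_arg(args, int);` pulls the slot through an int before widening it to CK_SLOT_ID, so a slot ID above INT_MAX cannot be passed by a caller and a negative value other than -1 becomes a huge unsigned ID that never matches. If the builder contract is that BUILD_PKCS11_SLOT carries an int, that is presumably a constraint inherited from the caller side and worth stating next to the case, e.g. `/* builder passes an int; slot IDs > INT_MAX cannot be selected */`. The enclosing switch and function continue outside this hunk.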
@@ -296,7 +303,7 @@ certificate_t *pkcs11_creds_load(certificate_type_t type, va_list args)
return NULL;
}
enumerator = manager->create_token_enumerator(manager);
- while (enumerator->enumerate(enumerator, &p11, &slot))
+ while (enumerator->enumerate(enumerator, &p11, &current))
{
CK_OBJECT_CLASS class = CKO_CERTIFICATE;
CK_CERTIFICATE_TYPE type = CKC_X_509;
@@ -312,7 +319,16 @@ certificate_t *pkcs11_creds_load(certificate_type_t type, va_list args)
CK_SESSION_HANDLE session;
CK_RV rv;
- rv = p11->f->C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL,
+ if (slot != -1 && slot != current)
+ {
+ continue;
+ }
+ if (module && !streq(module, p11->get_name(p11)))
+ {
+ continue;
+ }
+
+ rv = p11->f->C_OpenSession(current, CKF_SERIAL_SESSION, NULL, NULL,
&session);
if (rv != CKR_OK)
{
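Review bot: The slot filter on lines L58–L61 is applied per token across every loaded module, but PKCS#11 slot IDs are only meaningful within one module, so a caller that gives BUILD_PKCS11_SLOT without BUILD_PKCS11_MODULE can still have the certificate resolved from a different module that happens to report the same slot number. The enforcement the commit title promises therefore only holds when both constraints are supplied together; a comment such as `/* a slot ID is only unique per module; combine with a module filter to pin one token */` above the check would make that caveat visible at the point of use. The loop and the function body continue outside this hunk.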
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
index 5deb258be..a5a042397 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
@@ -68,7 +68,8 @@ pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot);
/**
* Load a specific certificate from a token.
*
- * Accepts a BUILD_PKCS11_KEYID as the only argument.
+ * Requires a BUILD_PKCS11_KEYID argument, and optionally BUILD_PKCS11_MODULE
+ * and/or BUILD_PKCS11_SLOT.
*
* @param type certificate type, must be CERT_X509
* @param args variable argument list, containing BUILD_PKCS11_KEYID.
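Review bot: The `@param args` description on line L84 still says the list contains only BUILD_PKCS11_KEYID, which contradicts the sentence the hunk just rewrote two lines above. It should be updated to match, e.g. `@param args variable argument list, containing BUILD_PKCS11_KEYID and optionally BUILD_PKCS11_MODULE/BUILD_PKCS11_SLOT`. It would also help callers to say that a slot is only unique within a module, so pinning a specific token requires both options; the rest of the doc comment runs past the end of this hunk.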