author | Martin Willi <martin@revosec.ch> | 2010-11-10 18:16:17 +0100 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2010-11-10 18:36:15 +0100 |
commit | 59df2d2a6fb775f312ed386bd0886e07e14c4443 (patch) | |
tree | 55de6e34342e8d3e75c1c8238977d8b955755514 /src | |
parent | 41ec04c34d2e0e4a7ce6ee489e745b018c590f0a (diff) | |
download | strongswan-59df2d2a6fb775f312ed386bd0886e07e14c4443.tar.bz2 strongswan-59df2d2a6fb775f312ed386bd0886e07e14c4443.tar.xz |
Add flags for PKCS#11 libraries with reduced feature set
Diffstat (limited to 'src')
-rw-r--r-- | src/libstrongswan/plugins/pkcs11/pkcs11_library.c | 35 | ||||
-rw-r--r-- | src/libstrongswan/plugins/pkcs11/pkcs11_library.h | 16 |
2 files changed, 51 insertions, 0 deletions
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c index 9fb1b7769..e2b06ccc1 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c @@ -466,6 +466,11 @@ struct private_pkcs11_library_t { * Name as passed to the constructor */ char *name; + + /** + * Supported feature set + */ + pkcs11_feature_t features; }; METHOD(pkcs11_library_t, get_name, char*, @@ -474,6 +479,12 @@ METHOD(pkcs11_library_t, get_name, char*, return this->name; } +METHOD(pkcs11_library_t, get_features, pkcs11_feature_t, + private_pkcs11_library_t *this) +{ + return this->features; +} + /** * Object enumerator */ @@ -766,6 +777,27 @@ static CK_RV UnlockMutex(CK_VOID_PTR data) } /** + * Check if the library has at least a given cryptoki version + */ +static bool has_version(CK_INFO *info, int major, int minor) +{ + return info->cryptokiVersion.major > major || + (info->cryptokiVersion.major == major && + info->cryptokiVersion.minor >= minor); +} + +/** + * Check for optional PKCS#11 library functionality + */ +static void check_features(private_pkcs11_library_t *this, CK_INFO *info) +{ + if (has_version(info, 2, 20)) + { + this->features |= PKCS11_TRUSTED_CERTS; + } +} + +/** * Initialize a PKCS#11 library */ static bool initialize(private_pkcs11_library_t *this, char *name, char *file) @@ -830,6 +862,8 @@ static bool initialize(private_pkcs11_library_t *this, char *name, char *file) { DBG1(DBG_CFG, " uses OS locking functions"); } + + check_features(this, &info); return TRUE; } @@ -843,6 +877,7 @@ pkcs11_library_t *pkcs11_library_create(char *name, char *file) INIT(this, .public = { .get_name = _get_name, + .get_features = _get_features, .create_object_enumerator = _create_object_enumerator, .create_mechanism_enumerator = _create_mechanism_enumerator, .destroy = _destroy, 
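Review bot: The new `features` member is only ever ORed into by `check_features`, so its value is correct only if the struct was zero-filled before `initialize()` runs; the INIT in `pkcs11_library_create` presumably does that, but this hunk does not show it. A reader of the struct also cannot tell that the member holds a bitmask rather than a single enumerator, so the field comment should say so, e.g. `/** Supported feature set: ORed pkcs11_feature_t flags, zero until initialize() has run */`. The `private_pkcs11_library_t` definition starts outside the hunk.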
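Review bot: Both new helpers only read through `info`, so `has_version` and `check_features` should take `const CK_INFO *info`, which also documents to the caller in `initialize()` that its local `CK_INFO` is not modified. The comment on `check_features` should state that a feature is inferred from the Cryptoki version the library advertises rather than probed, so a library reporting 2.20 or newer that does not actually honour CKA_TRUSTED is still flagged PKCS11_TRUSTED_CERTS and consumers must treat the bit as a hint, not a guarantee; something like `/* Optional functionality is inferred from the advertised Cryptoki version, not probed; treat the result as a hint */`. The comparison of the `CK_BYTE` version fields against `int` parameters is fine after integer promotion, but a short comment saying that 2.20 is the release that introduced CKA_TRUSTED would explain the two magic numbers in `has_version(info, 2, 20)`.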
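Review bot: The `check_features(this, &info);` call is placed right after the locking diagnostics, but neither it nor `check_features` logs what was detected, so an operator cannot tell from the log whether a library was classified as supporting trusted certificates. Mirroring the `DBG1(DBG_CFG, "  uses OS locking functions")` line above it, a line such as `DBG1(DBG_CFG, "  supports CKA_TRUSTED on certificates: %s", (this->features & PKCS11_TRUSTED_CERTS) ? "yes" : "no");` after the call would make the decision visible next to the other capability lines. `initialize()` starts outside the hunk.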
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h index 1457d24d4..36fe841b4 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h @@ -21,6 +21,7 @@ #ifndef PKCS11_LIBRARY_H_ #define PKCS11_LIBRARY_H_ +typedef enum pkcs11_feature_t pkcs11_feature_t; typedef struct pkcs11_library_t pkcs11_library_t; #include "pkcs11.h" @@ -29,6 +30,14 @@ typedef struct pkcs11_library_t pkcs11_library_t; #include <utils/enumerator.h> /** + * Optional PKCS#11 features some libraries support, some not + */ +enum pkcs11_feature_t { + /** CKA_TRUSTED attribute supported for certificate objects */ + PKCS11_TRUSTED_CERTS = (1<<0), +}; + +/** * A loaded and initialized PKCS#11 library. */ struct pkcs11_library_t { @@ -46,6 +55,13 @@ struct pkcs11_library_t { char* (*get_name)(pkcs11_library_t *this); /** + * Get the feature set supported by this library. + * + * @return ORed set of features supported + */ + pkcs11_feature_t (*get_features)(pkcs11_library_t *this); + + /** * Create an enumerator over CK_OBJECT_HANDLE using a search template. * * An optional attribute array is automatically filled in with the |
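Review bot: The `get_features` documentation says the result is an ORed set but not that an empty set (0) is the normal return for a library with none of the optional features, which a caller comparing with `==` instead of testing with `&` would get wrong; suggest `@return ORed set of pkcs11_feature_t flags, 0 if none were detected`. The same applies to the enum hunk above it: since the .c side sets PKCS11_TRUSTED_CERTS purely from the advertised Cryptoki version, its comment should say the flag means the library claims a version that defines CKA_TRUSTED, not that attribute handling was verified, e.g. `/** CKA_TRUSTED attribute supported for certificate objects (inferred from the advertised Cryptoki version, not probed) */`. The `pkcs11_library_t` struct continues outside the hunk.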