-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_library.c1
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_library.h2
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c12
3 files changed, 12 insertions, 3 deletions
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
index e5af0c292..6f7926808 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
@@ -794,6 +794,7 @@ static void check_features(private_pkcs11_library_t *this, CK_INFO *info)
if (has_version(info, 2, 20))
{
this->features |= PKCS11_TRUSTED_CERTS;
+ this->features |= PKCS11_ALWAYS_AUTH_KEYS;
}
}
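Review bot: The new feature bit is set inside the existing `has_version(info, 2, 20)` branch without recording why 2.20 is the threshold, and the existing line above it (PKCS11_TRUSTED_CERTS) gives no hint either. CKA_ALWAYS_AUTHENTICATE, and the CKU_CONTEXT_SPECIFIC login it implies, were introduced with PKCS#11 v2.20, so a comment on the added line such as `/* CKA_ALWAYS_AUTHENTICATE / CKU_CONTEXT_SPECIFIC exist since PKCS#11 v2.20 */` would tie the feature flag to the version check it depends on. check_features begins before the hunk, so whether a separate comment already covers the 2.20 branch cannot be seen here.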
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
index 33e5f97dc..abe023448 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
@@ -35,6 +35,8 @@ typedef struct pkcs11_library_t pkcs11_library_t;
enum pkcs11_feature_t {
/** CKA_TRUSTED attribute supported for certificate objects */
PKCS11_TRUSTED_CERTS = (1<<0),
+ /** CKA_ALWAYS_AUTHENTICATE attribute supported for private keys */
+ PKCS11_ALWAYS_AUTH_KEYS = (1<<1),
};
/**
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
index cabca3f54..1977204ed 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
@@ -401,18 +401,24 @@ static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid)
};
CK_OBJECT_HANDLE object;
CK_KEY_TYPE type;
- CK_BBOOL reauth;
+ CK_BBOOL reauth = FALSE;
CK_ATTRIBUTE attr[] = {
{CKA_KEY_TYPE, &type, sizeof(type)},
- {CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)},
{CKA_MODULUS, NULL, 0},
{CKA_PUBLIC_EXPONENT, NULL, 0},
+ {CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)},
};
enumerator_t *enumerator;
chunk_t modulus, pubexp;
+ int count = countof(attr);
+ /* do not use CKA_ALWAYS_AUTHENTICATE if not supported */
+ if (!(this->lib->get_features(this->lib) & PKCS11_ALWAYS_AUTH_KEYS))
+ {
+ count--;
+ }
enumerator = this->lib->create_object_enumerator(this->lib,
- this->session, tmpl, countof(tmpl), attr, countof(attr));
+ this->session, tmpl, countof(tmpl), attr, count);
if (enumerator->enumerate(enumerator, &object))
{
switch (type)
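Review bot: The `count--` on the unsupported path only drops the right attribute because CKA_ALWAYS_AUTHENTICATE is now the last entry of attr[], which is why the commit moves it below CKA_PUBLIC_EXPONENT, yet nothing in the code states that constraint, so a later reordering of the template would silently stop querying a different attribute instead. A comment on the moved entry, `/* must stay last: dropped via count-- below when PKCS11_ALWAYS_AUTH_KEYS is absent */`, makes the dependency explicit. The `reauth = FALSE` initializer is what keeps the flag defined when the query is omitted, and deserves a short comment as well, since the value presumably feeds the key's re-authentication handling later in find_key, which continues past the hunk (the switch on type is cut off here). `count` is declared `int` while countof() is presumably unsigned, so depending on the parameter type of create_object_enumerator a sign-compare or conversion warning may appear; `size_t count` would match the original `countof(attr)` argument.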