hx509: private key exclusion options

Add two ways to exclude private keys when dealing with an hx509
certificate store.  One as a load option (load no private keys, never
add private keys), one as a store option (store no private keys).

This is useful for CA code so it can have a single store with the
issuer's credentials _and_ the chain for it, and copy those to a store
with the issued certificate and _not_ accidentally include the issuer's
private key.

It would be much safer still to flip the default for this flag, but that
could break out-of-tree libhx509 dependents.
Nicolas Williams
2019-12-06 17:11:01 -06:00
parent 3c0d1258ce
commit e515745996
9 changed files with 177 additions and 61 deletions

@@ -820,6 +820,13 @@ p11_init(hx509_context context,
*data = NULL;
if (flags & HX509_CERTS_NO_PRIVATE_KEYS) {
hx509_set_error_string(context, 0, ENOTSUP,
"PKCS#11 store does not support "
"HX509_CERTS_NO_PRIVATE_KEYS flag");
return ENOTSUP;
}
if (residue == NULL || residue[0] == '\0') {
hx509_set_error_string(context, 0, EINVAL,
"PKCS#11 store not specified");
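
Review bot: the new ENOTSUP branch at the top of p11_init is a hard refusal that callers have no way to anticipate from anything in this hunk, so the limitation should be documented where HX509_CERTS_NO_PRIVATE_KEYS is described. Failing closed is the right direction, since a store that cannot honor the flag must not silently load keys, but CA code that follows the pattern in the commit message will now get an error whenever the source store is PKCS#11. A short comment above the check saying why this backend cannot honor the flag would also help the next reader. The check runs before the residue validation, so a call with both the flag and an empty store name reports ENOTSUP rather than EINVAL; that ordering looks fine, but it is worth a test so it stays deliberate.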