
[SCM] GNU gnutls branch, master, updated. gnutls_3_0_0-71-ge829173


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_0_0-71-ge829173
Date: Sun, 14 Aug 2011 12:44:34 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=e829173095ee8b74c246a4d45aa0f7a0a7e7a98a

The branch, master has been updated
       via  e829173095ee8b74c246a4d45aa0f7a0a7e7a98a (commit)
       via  b7a73de6ada1d6423b65ce35acbf7718b387c0dc (commit)
       via  8dc3420e6719cfc4dadd35bd61342765c62f9eec (commit)
       via  c94124a582aa3f7219e6a071b9f5576f9be79bb7 (commit)
      from  29312015b1677b28df92ee1d6acbbb2863cdacc2 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 configure.ac          |    2 +-
 doc/cha-programs.texi |   36 +++++++++++++++++++++++++++---------
 lib/pkcs11.c          |   19 +++++++++----------
 src/crywrap/crywrap.c |    4 ++--
 4 files changed, 39 insertions(+), 22 deletions(-)

diff --git a/configure.ac b/configure.ac
index b76c648..141c39f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -189,7 +189,7 @@ PKG_CHECK_EXISTS(zlib, ZLIB_HAS_PKGCONFIG=y, 
ZLIB_HAS_PKGCONFIG=n)
 
 if test x$ac_zlib != xno; then
   if test "$ZLIB_HAS_PKGCONFIG" = "y" ; then
-    if test x$GNUTLS_REQUIRES_PRIVATE = x; then
+    if test "x$GNUTLS_REQUIRES_PRIVATE" = x; then
       GNUTLS_REQUIRES_PRIVATE="Requires.private: zlib"
     else
       GNUTLS_REQUIRES_PRIVATE="$GNUTLS_REQUIRES_PRIVATE , zlib"
diff --git a/doc/cha-programs.texi b/doc/cha-programs.texi
index b0d46cf..bf9a993 100644
--- a/doc/cha-programs.texi
+++ b/doc/cha-programs.texi
@@ -48,7 +48,7 @@ Usage: certtool [options]
      --get-dh-params          Get the included PKCS #3 encoded 
                               Diffie-Hellman parameters.
      --load-privkey FILE      Private key file to use.
-     --load-pubkey FILE       Private key file to use.
+     --load-pubkey FILE       Public key file to use.
      --load-request FILE      Certificate request file to use.
      --load-certificate FILE  
                               Certificate file to use.
@@ -146,11 +146,8 @@ To create a private key (RSA by default), run:
 $ certtool --generate-privkey --outfile key.pem
 @end smallexample
 
-To create a DSA private key, run:
-
address@hidden
-$ certtool --dsa --generate-privkey --outfile key-dsa.pem
address@hidden smallexample
+To create a DSA or elliptic curves (ECDSA) private key use the
+above command combined with @code{--dsa} or @code{--ecc} options.
 
 @subsection Certificate generation
 To generate a certificate using the private key, use the command:
@@ -169,6 +166,15 @@ $ certtool --generate-request --load-privkey key.pem \
   --outfile request.pem
 @end smallexample
 
+If the private key is stored in a smart card you can generate
+a request by specifying the private key object URL (see @ref{Invoking p11tool}
+on how to obtain the URL).
+
address@hidden
+$ certtool --generate-request --load-privkey pkcs11:(PRIVKEY URL) \
+  --load-pubkey pkcs11:(PUBKEY URL) --outfile request.pem
address@hidden smallexample
+
 To generate a certificate using the previous request, use the command:
 
 @smallexample
@@ -866,6 +872,9 @@ file for PKCS #11 as in @ref{Hardware tokens}.
 @example
 p11tool help
 Usage: p11tool [options]
+Usage: p11tool --list-tokens
+Usage: p11tool --list-all
+Usage: p11tool --export 'pkcs11:...'
 
      --export URL             Export an object specified by a pkcs11 
                               URL
@@ -886,8 +895,12 @@ Usage: p11tool [options]
                               secret keys to a PKCS11 token.
      --delete URL             Deletes objects matching the URL.
      --label label            Sets a label for the write operation.
-     --trusted                Marks the certificate to be imported as 
+     --trusted                Marks the certificate to be written as 
                               trusted.
+     --private                Marks the object to be written as 
+                              private (requires PIN).
+     --no-private             Marks the object to be written as not 
+                              private.
      --login                  Force login to token
      --detailed-url           Export detailed URLs.
      --no-detailed-url        Export less detailed URLs.
@@ -919,18 +932,23 @@ $ p11tool --list-tokens
 @end smallexample
 
 @subsection List all objects
+The following command will list all objects in a token. The @code{--login}
+is required to show objects marked as private.
 @smallexample
 $ p11tool --login --list-all
 @end smallexample
 
 @subsection Exporting an object
+To retrieve an object stored in the card use the following command.
+Note however that objects marked as sensitive (typically PKCS #11 private 
keys) 
+are not allowed to be extracted from the token.
 @smallexample 
 $ p11tool --login --export pkcs11:(OBJECT URL)
 @end smallexample
-Note however that typically PKCS #11 private key objects are not allowed
-to be extracted from the token.
 
 @subsection Copy an object to a token
+To copy an object, such as a certificate or private key to a token
+use the following command.
 @smallexample 
 $ p11tool --login --write pkcs11:(TOKEN URL) \
   --load-certificate cert.pem --label "my_cert"
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 9db09c5..23a1ed9 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -1853,16 +1853,12 @@ retrieve_pin_for_callback (struct ck_token_info 
*token_info, int attempts,
   free (label);
 
   if (ret < 0)
-    {
-      gnutls_assert ();
-      return GNUTLS_E_PKCS11_PIN_ERROR;
-    }
+    return gnutls_assert_val(GNUTLS_E_PKCS11_PIN_ERROR);
 
   *pin = p11_kit_pin_new_for_string (pin_value);
-
-  /* Try to scrub the pin off the stack.  Clever compilers will
-   * probably optimize this away, oh well. */
-  memset (pin, 0, sizeof pin);
+  
+  if (*pin == NULL)
+    return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
 
   return 0;
 }
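Review bot: Dropping the `memset (pin, 0, sizeof pin)` is correct — `pin` is a pointer parameter, so `sizeof pin` is only the pointer's size and the call would have zeroed the `*pin` just assigned on the line above rather than any PIN bytes — but the cleartext PIN still lives in `pin_value` after `p11_kit_pin_new_for_string (pin_value)` copies it, and the new code scrubs nothing. If `pin_value` is a stack buffer (its declaration is above the hunk, so this is inferred), wipe it right after the copy with a clear the optimizer cannot elide (a volatile-pointer loop or a platform secure-memset), and keep the intent visible with a comment such as `/* p11_kit_pin_new_for_string copies pin_value; wipe the cleartext copy here. */`. The original scrub comment noted the compiler may elide a plain memset, which is exactly why a non-elidable clear should replace it rather than nothing. retrieve_pin_for_callback begins before this hunk.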
@@ -1878,7 +1874,10 @@ retrieve_pin (struct p11_kit_uri *info, struct 
ck_token_info *token_info,
   /* Check if a pinfile is specified, and use that if possible */
   pinfile = p11_kit_uri_get_pinfile (info);
   if (pinfile != NULL)
-    return retrieve_pin_for_pinfile (pinfile, token_info, attempts, user_type, 
pin);
+    {
+      _gnutls_debug_log("pk11: Using pinfile to retrieve PIN\n");
+      return retrieve_pin_for_pinfile (pinfile, token_info, attempts, 
user_type, pin);
+    }
 
   /* The global gnutls pin callback */
   else if (pin_func)
@@ -1960,7 +1959,7 @@ pkcs11_login (struct ck_function_list * module, 
ck_session_handle_t pks,
             }
         }
 
-      ret = retrieve_pin (info, &tinfo, attempt, user_type, &pin);
+      ret = retrieve_pin (info, &tinfo, attempt++, user_type, &pin);
       if (ret < 0)
         {
           gnutls_assert ();
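Review bot: The post-increment in `ret = retrieve_pin (info, &tinfo, attempt++, user_type, &pin);` hides the only visible update of the retry counter inside an argument list, where a reader tracking how many PIN attempts remain will miss it; if `attempt` is also advanced elsewhere in the enclosing loop (its head is above the hunk, so this cannot be confirmed here), the counter now moves twice per iteration. Passing the current value and stepping on its own line makes the sequencing explicit: `ret = retrieve_pin (info, &tinfo, attempt, user_type, &pin);` followed by `attempt++;`. pkcs11_login begins and ends outside this hunk.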
diff --git a/src/crywrap/crywrap.c b/src/crywrap/crywrap.c
index be2aff3..1a46e5b 100644
--- a/src/crywrap/crywrap.c
+++ b/src/crywrap/crywrap.c
@@ -156,7 +156,7 @@ static const struct argp_option _crywrap_options[] = {
   {"verify", 'v', "LEVEL", OPTION_ARG_OPTIONAL,
    "Verify clients certificate (1: verify if exists, 2: require)", 2},
   {NULL, 0, NULL, 0, "Other options:", 3},
-  {"dhparams", 'h', "FILE", 0, "Diffie Hellman (PKCS #3) parameters file", 3},
+  {"dhparams", 'r', "FILE", 0, "Diffie Hellman (PKCS #3) parameters file", 3},
   {"user", 'u', "UID", 0, "User ID to run as", 3},
   {"pidfile", 'P', "PATH", 0, "File to log the PID into", 3},
   {"priority", 'p', "STRING", 0, "GnuTLS ciphersuite priority string", 3},
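Review bot: Changing the dhparams short option from `-h` to `-r` in `_crywrap_options` is a user-visible command-line break that nothing in this commit documents — the doc/cha-programs.texi hunks touch only certtool and p11tool, and the Log section of the push is empty. A one-line note in the changelog or the crywrap help text saying the option letter moved would keep existing invocations from failing silently. The matching `case 'r':` in _crywrap_config_parse_opt is updated in the following hunk, so the two sides stay consistent.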
@@ -392,7 +392,7 @@ _crywrap_config_parse_opt (int key, char *arg, struct 
argp_state *state)
       else
        cfg->pidfile = NULL;
       break;
-    case 'h':
+    case 'r':
       if (arg && *arg)
         {
          dh_file = load_file(arg);


hooks/post-receive
-- 
GNU gnutls


