pkcs11: configuration option to report as zero the CKA_ID of CA certificates

In fact, the middleware of the manufacturer of the gemalto (axalto, gemplus) cards reports the CKA_ID of CA certificates as '0'. But it's not true for the others middlewares (Oberthur), NSS (afais) and PKCS#11 standard. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@4095 c6295689-39f2-0310-b995-f0e70906c6a9
2010-03-09 15:43:16 +00:00 · 2010-03-09 15:43:16 +00:00 · e47baeaf9e
parent 54d2b20fe2
commit e47baeaf9e
3 changed files with 8 additions and 5 deletions
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@ -2009,9 +2009,8 @@ static CK_RV pkcs15_cert_get_attribute(struct sc_pkcs11_session *session,
 		*(CK_CERTIFICATE_TYPE*)attr->pValue = CKC_X_509;
 		break;
 	case CKA_ID:
-		/* Not sure why CA certs should be reported with an
-		 * ID of 00. --okir 20030413 */
-		if (cert->cert_info->authority) {
+		if (cert->cert_info->authority 
+				&& sc_pkcs11_conf.zero_ckaid_for_ca_certs) {
 			check_attribute_buffer(attr, 1);
 			*(unsigned char*)attr->pValue = 0;
 		} else {
--- a/src/pkcs11/misc.c
+++ b/src/pkcs11/misc.c
@ -261,6 +261,7 @@ void load_pkcs11_parameters(struct sc_pkcs11_config *conf, sc_context_t * ctx)
 	conf->soft_keygen_allowed = 0;
 	conf->pin_unblock_style = SC_PKCS11_PIN_UNBLOCK_NOT_ALLOWED;
 	conf->create_puk_slot = 0;
+	conf->zero_ckaid_for_ca_certs = 0;

 	conf_block = sc_get_conf_block(ctx, "pkcs11", NULL, 1);
 	if (!conf_block)
@ -285,9 +286,11 @@ void load_pkcs11_parameters(struct sc_pkcs11_config *conf, sc_context_t * ctx)
 		conf->pin_unblock_style = SC_PKCS11_PIN_UNBLOCK_SO_LOGGED_INITPIN;
 	
 	conf->create_puk_slot = scconf_get_bool(conf_block, "create_puk_slot", conf->create_puk_slot);
+	conf->zero_ckaid_for_ca_certs = scconf_get_bool(conf_block, "zero_ckaid_for_ca_certs", conf->zero_ckaid_for_ca_certs);

 	sc_debug(ctx, "PKCS#11 options: plug_and_play=%d max_virtual_slots=%d slots_per_card=%d "
-		 "hide_empty_tokens=%d lock_login=%d pin_unblock_style=%d",
+		 "hide_empty_tokens=%d lock_login=%d pin_unblock_style=%d zero_ckaid_for_ca_certs=%d",
 		 conf->plug_and_play, conf->max_virtual_slots, conf->slots_per_card,
-		 conf->hide_empty_tokens, conf->lock_login, conf->pin_unblock_style);
+		 conf->hide_empty_tokens, conf->lock_login, conf->pin_unblock_style,
+		 conf->zero_ckaid_for_ca_certs);
 }
--- a/src/pkcs11/sc-pkcs11.h
+++ b/src/pkcs11/sc-pkcs11.h
@ -80,6 +80,7 @@ struct sc_pkcs11_config {
 	unsigned char soft_keygen_allowed;
 	unsigned int pin_unblock_style;
 	unsigned int create_puk_slot;
+	unsigned int zero_ckaid_for_ca_certs;
 };

 /*