|
 |
b88a44 |
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
|
|
|
b88a44 |
index 4fdd58f39..68ee2960a 100644
|
|
|
b88a44 |
--- a/lib/pkcs11.c
|
|
|
b88a44 |
+++ b/lib/pkcs11.c
|
|
|
b88a44 |
@@ -2368,6 +2368,11 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info,
|
|
|
b88a44 |
/* First check for pin-value field */
|
|
|
b88a44 |
pinfile = p11_kit_uri_get_pin_value(info);
|
|
|
b88a44 |
if (pinfile != NULL) {
|
|
|
b88a44 |
+ if (attempts > 0) {
|
|
|
b88a44 |
+ _gnutls_debug_log("p11: refusing more than a single attempts with pin-value\n");
|
|
|
b88a44 |
+ return gnutls_assert_val(GNUTLS_E_PKCS11_PIN_ERROR);
|
|
|
b88a44 |
+ }
|
|
|
b88a44 |
+
|
|
|
b88a44 |
_gnutls_debug_log("p11: Using pin-value to retrieve PIN\n");
|
|
|
b88a44 |
*pin = p11_kit_pin_new_for_string(pinfile);
|
|
|
b88a44 |
if (*pin != NULL)
|
|
|
b88a44 |
@@ -2376,6 +2381,11 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info,
|
|
|
b88a44 |
/* Check if a pinfile is specified, and use that if possible */
|
|
|
b88a44 |
pinfile = p11_kit_uri_get_pin_source(info);
|
|
|
b88a44 |
if (pinfile != NULL) {
|
|
|
b88a44 |
+ if (attempts > 0) {
|
|
|
b88a44 |
+ _gnutls_debug_log("p11: refusing more than a single attempts with pin-source\n");
|
|
|
b88a44 |
+ return gnutls_assert_val(GNUTLS_E_PKCS11_PIN_ERROR);
|
|
|
b88a44 |
+ }
|
|
|
b88a44 |
+
|
|
|
b88a44 |
_gnutls_debug_log("p11: Using pin-source to retrieve PIN\n");
|
|
|
b88a44 |
ret =
|
|
|
b88a44 |
retrieve_pin_from_source(pinfile, token_info, attempts,
|
|
|
b88a44 |
diff --git a/tests/pkcs11/pkcs11-import-with-pin.c b/tests/pkcs11/pkcs11-import-with-pin.c
|
|
|
b88a44 |
index e43591927..ecc98175d 100644
|
|
|
b88a44 |
--- a/tests/pkcs11/pkcs11-import-with-pin.c
|
|
|
b88a44 |
+++ b/tests/pkcs11/pkcs11-import-with-pin.c
|
|
|
b88a44 |
@@ -157,6 +157,16 @@ void doit()
|
|
|
b88a44 |
assert(gnutls_privkey_init(&pkey) == 0);
|
|
|
b88a44 |
|
|
|
b88a44 |
/* Test 1
|
|
|
b88a44 |
+ * Try importing with wrong pin-value */
|
|
|
b88a44 |
+ ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value=XXXX");
|
|
|
b88a44 |
+ if (ret != GNUTLS_E_PKCS11_PIN_ERROR) {
|
|
|
b88a44 |
+ fprintf(stderr, "unexpected error in %d: %s\n", __LINE__, gnutls_strerror(ret));
|
|
|
b88a44 |
+ exit(1);
|
|
|
b88a44 |
+ }
|
|
|
b88a44 |
+ gnutls_privkey_deinit(pkey);
|
|
|
b88a44 |
+ assert(gnutls_privkey_init(&pkey) == 0);
|
|
|
b88a44 |
+
|
|
|
b88a44 |
+ /* Test 2
|
|
|
b88a44 |
* Try importing with pin-value */
|
|
|
b88a44 |
ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value="PIN);
|
|
|
b88a44 |
if (ret < 0) {
|
|
|
b88a44 |
@@ -169,13 +179,26 @@ void doit()
|
|
|
b88a44 |
gnutls_free(sig.data);
|
|
|
b88a44 |
gnutls_privkey_deinit(pkey);
|
|
|
b88a44 |
|
|
|
b88a44 |
- /* Test 2
|
|
|
b88a44 |
- * Try importing with pin-source */
|
|
|
b88a44 |
+ /* Test 3
|
|
|
b88a44 |
+ * Try importing with wrong pin-source */
|
|
|
b88a44 |
track_temp_files();
|
|
|
b88a44 |
get_tmpname(file);
|
|
|
b88a44 |
|
|
|
b88a44 |
- write_pin(file, PIN);
|
|
|
b88a44 |
+ write_pin(file, "XXXX");
|
|
|
b88a44 |
+
|
|
|
b88a44 |
+ assert(gnutls_privkey_init(&pkey) == 0);
|
|
|
b88a44 |
+ snprintf(buf, sizeof(buf), "%s;object=cert;object-type=private;pin-source=%s", SOFTHSM_URL, file);
|
|
|
b88a44 |
+ ret = gnutls_privkey_import_pkcs11_url(pkey, buf);
|
|
|
b88a44 |
+ if (ret != GNUTLS_E_PKCS11_PIN_ERROR) {
|
|
|
b88a44 |
+ fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret));
|
|
|
b88a44 |
+ exit(1);
|
|
|
b88a44 |
+ }
|
|
|
b88a44 |
+
|
|
|
b88a44 |
+ gnutls_privkey_deinit(pkey);
|
|
|
b88a44 |
|
|
|
b88a44 |
+ /* Test 4
|
|
|
b88a44 |
+ * Try importing with pin-source */
|
|
|
b88a44 |
+ write_pin(file, PIN);
|
|
|
b88a44 |
|
|
|
b88a44 |
assert(gnutls_privkey_init(&pkey) == 0);
|
|
|
b88a44 |
snprintf(buf, sizeof(buf), "%s;object=cert;object-type=private;pin-source=%s", SOFTHSM_URL, file);
|
|
|
b88a44 |
--
|
|
|
b88a44 |
2.14.3
|
|
|
b88a44 |
|