void doit(void)
{
int ret, status;
const char *lib;
gnutls_privkey_t pkey;
pid_t pid;
signal(SIGPIPE, SIG_IGN);
gnutls_pkcs11_set_pin_function(pin_func, NULL);
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
lib = getenv("P11MOCKLIB1");
if (lib == NULL)
lib = P11LIB;
ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pkcs11_add_provider(lib, NULL);
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
assert(gnutls_privkey_init(&pkey) == 0);
ret = gnutls_privkey_import_url(pkey, "pkcs11:object=test", GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
if (ret < 0) {
fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret));
exit(1);
}
/* fork to force PKCS#11 reinitialization */
pid = fork();
if (pid == -1) {
exit(1);
} else if (pid) {
waitpid(pid, &status, 0);
check_wait_status(status);
goto cleanup;
}
do_thread_stuff(pkey);
cleanup:
gnutls_privkey_deinit(pkey);
}
void doit(void)
{
int ret;
const char *lib;
gnutls_privkey_t key;
gnutls_pkcs11_obj_t obj;
gnutls_datum_t sig = {NULL, 0}, data;
unsigned flags = 0;
lib = getenv("P11MOCKLIB1");
if (lib == NULL)
lib = P11LIB;
{
void *dl;
unsigned int *pflags;
dl = dlopen(lib, RTLD_NOW);
if (dl == NULL) {
fail("could not dlopen %s\n", lib);
exit(1);
}
pflags = dlsym(dl, "pkcs11_mock_flags");
if (pflags == NULL) {
fail("could find pkcs11_mock_flags\n");
exit(1);
}
*pflags = MOCK_FLAG_ALWAYS_AUTH;
}
data.data = (void*)"\x38\x17\x0c\x08\xcb\x45\x8f\xd4\x87\x9c\x34\xb6\xf6\x08\x29\x4c\x50\x31\x2b\xbb";
data.size = 20;
ret = global_init();
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pkcs11_add_provider(lib, NULL);
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pkcs11_obj_init(&obj);
assert(ret>=0);
gnutls_pkcs11_obj_set_pin_function(obj, pin_func, NULL);
ret = gnutls_pkcs11_obj_import_url(obj, "pkcs11:object=test;type=private", GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
assert(ret>=0);
ret = gnutls_pkcs11_obj_get_flags(obj, &flags);
assert(ret>=0);
if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH)) {
fail("key object doesn't have the always authenticate flag\n");
}
gnutls_pkcs11_obj_deinit(obj);
ret = gnutls_privkey_init(&key);
assert(ret>=0);
gnutls_privkey_set_pin_function(key, pin_func, NULL);
ret = gnutls_privkey_import_url(key, "pkcs11:object=test", GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
pin_called = 0;
ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
if (pin_called == 0) {
fail("PIN function wasn't called!\n");
}
pin_called = 0;
gnutls_free(sig.data);
/* call again - should re-authenticate */
ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
if (pin_called == 0) {
fail("PIN function wasn't called twice!\n");
}
pin_called = 0;
gnutls_free(sig.data);
if (debug)
printf("done\n\n\n");
gnutls_privkey_deinit(key);
gnutls_pkcs11_deinit();
gnutls_global_deinit();
}
static void
cmd_parser (int argc, char **argv)
{
int ret, debug = 0;
common_info_st cinfo;
unsigned int pkcs11_type = -1, key_type = GNUTLS_PK_UNKNOWN;
const char* url = NULL;
unsigned int detailed_url = 0, optct;
unsigned int login = 0, bits = 0;
const char* label = NULL, *sec_param = NULL;
optct = optionProcess( &p11toolOptions, argc, argv);
argc += optct;
argv += optct;
if (url == NULL && argc > 0)
url = argv[0];
else
url = "pkcs11:";
if (HAVE_OPT(DEBUG))
debug = OPT_VALUE_DEBUG;
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (debug);
if (debug > 1)
printf ("Setting log level to %d\n", debug);
if ((ret = gnutls_global_init ()) < 0)
error (EXIT_FAILURE, 0, "global_init: %s", gnutls_strerror (ret));
if (HAVE_OPT(PROVIDER))
{
ret = gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_MANUAL, NULL);
if (ret < 0)
fprintf (stderr, "pkcs11_init: %s", gnutls_strerror (ret));
else
{
ret = gnutls_pkcs11_add_provider (OPT_ARG(PROVIDER), NULL);
if (ret < 0)
error (EXIT_FAILURE, 0, "pkcs11_add_provider: %s",
gnutls_strerror (ret));
}
}
else
{
ret = gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_AUTO, NULL);
if (ret < 0)
fprintf (stderr, "pkcs11_init: %s", gnutls_strerror (ret));
}
if (HAVE_OPT(OUTFILE))
{
outfile = safe_open_rw (OPT_ARG(OUTFILE), 0);
if (outfile == NULL)
error (EXIT_FAILURE, errno, "%s", OPT_ARG(OUTFILE));
}
else
outfile = stdout;
memset (&cinfo, 0, sizeof (cinfo));
if (HAVE_OPT(SECRET_KEY))
cinfo.secret_key = OPT_ARG(SECRET_KEY);
if (HAVE_OPT(LOAD_PRIVKEY))
cinfo.privkey = OPT_ARG(LOAD_PRIVKEY);
if (HAVE_OPT(PKCS8))
cinfo.pkcs8 = 1;
if (ENABLED_OPT(INDER) || ENABLED_OPT(INRAW))
cinfo.incert_format = GNUTLS_X509_FMT_DER;
else
cinfo.incert_format = GNUTLS_X509_FMT_PEM;
if (HAVE_OPT(LOAD_CERTIFICATE))
cinfo.cert = OPT_ARG(LOAD_CERTIFICATE);
if (HAVE_OPT(LOAD_PUBKEY))
cinfo.pubkey = OPT_ARG(LOAD_PUBKEY);
if (ENABLED_OPT(DETAILED_URL))
detailed_url = 1;
if (ENABLED_OPT(LOGIN))
login = 1;
if (HAVE_OPT(LABEL))
{
label = OPT_ARG(LABEL);
}
if (HAVE_OPT(BITS))
{
bits = OPT_VALUE_BITS;
}
if (HAVE_OPT(SEC_PARAM))
{
sec_param = OPT_ARG(SEC_PARAM);
}
if (debug > 0)
{
if (HAVE_OPT(PRIVATE)) fprintf(stderr, "Private: %s\n", ENABLED_OPT(PRIVATE)?"yes":"no");
fprintf(stderr, "Trusted: %s\n", ENABLED_OPT(TRUSTED)?"yes":"no");
fprintf(stderr, "Login: %s\n", ENABLED_OPT(LOGIN)?"yes":"no");
fprintf(stderr, "Detailed URLs: %s\n", ENABLED_OPT(DETAILED_URL)?"yes":"no");
fprintf(stderr, "\n");
}
/* handle actions
*/
if (HAVE_OPT(LIST_TOKENS))
pkcs11_token_list (outfile, detailed_url, &cinfo);
else if (HAVE_OPT(LIST_MECHANISMS))
pkcs11_mechanism_list (outfile, url, login,
&cinfo);
else if (HAVE_OPT(LIST_ALL))
{
pkcs11_type = PKCS11_TYPE_ALL;
pkcs11_list (outfile, url, pkcs11_type,
login, detailed_url, &cinfo);
}
else if (HAVE_OPT(LIST_ALL_CERTS))
{
pkcs11_type = PKCS11_TYPE_CRT_ALL;
pkcs11_list (outfile, url, pkcs11_type,
login, detailed_url, &cinfo);
}
else if (HAVE_OPT(LIST_CERTS))
{
pkcs11_type = PKCS11_TYPE_PK;
pkcs11_list (outfile, url, pkcs11_type,
login, detailed_url, &cinfo);
}
else if (HAVE_OPT(LIST_ALL_PRIVKEYS))
{
pkcs11_type = PKCS11_TYPE_PRIVKEY;
pkcs11_list (outfile, url, pkcs11_type,
login, detailed_url, &cinfo);
}
else if (HAVE_OPT(LIST_ALL_TRUSTED))
{
pkcs11_type = PKCS11_TYPE_TRUSTED;
pkcs11_list (outfile, url, pkcs11_type,
login, detailed_url, &cinfo);
}
else if (HAVE_OPT(EXPORT))
{
pkcs11_export (outfile, url, login, &cinfo);
}
else if (HAVE_OPT(WRITE))
{
int priv;
if (HAVE_OPT(PRIVATE))
priv = ENABLED_OPT(PRIVATE);
else priv = -1;
pkcs11_write (outfile, url, label,
ENABLED_OPT(TRUSTED), priv, login, &cinfo);
}
else if (HAVE_OPT(INITIALIZE))
pkcs11_init (outfile, url, label, &cinfo);
else if (HAVE_OPT(DELETE))
pkcs11_delete (outfile, url, 0, login, &cinfo);
else if (HAVE_OPT(GENERATE_ECC))
{
key_type = GNUTLS_PK_EC;
pkcs11_generate (outfile, url, key_type, get_bits(key_type, bits, sec_param),
label, ENABLED_OPT(PRIVATE), detailed_url, login,
&cinfo);
}
else if (HAVE_OPT(GENERATE_RSA))
{
key_type = GNUTLS_PK_RSA;
pkcs11_generate (outfile, url, key_type, get_bits(key_type, bits, sec_param),
label, ENABLED_OPT(PRIVATE), detailed_url, login,
&cinfo);
}
else if (HAVE_OPT(GENERATE_DSA))
{
key_type = GNUTLS_PK_DSA;
pkcs11_generate (outfile, url, key_type, get_bits(key_type, bits, sec_param),
label, ENABLED_OPT(PRIVATE), detailed_url, login,
&cinfo);
}
else
{
USAGE(1);
}
fclose (outfile);
#ifdef ENABLE_PKCS11
gnutls_pkcs11_deinit ();
#endif
gnutls_global_deinit ();
}
void doit(void)
{
int ret;
const char *lib;
gnutls_privkey_t key;
gnutls_pubkey_t pub;
gnutls_datum_t m1, e1;
gnutls_datum_t m2, e2;
ret = global_init();
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
lib = getenv("P11MOCKLIB1");
if (lib == NULL)
lib = P11LIB;
ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pkcs11_add_provider(lib, NULL);
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_privkey_init(&key);
assert(ret>=0);
ret = gnutls_pubkey_init(&pub);
assert(ret>=0);
gnutls_privkey_set_pin_function(key, pin_func, NULL);
ret = gnutls_privkey_import_url(key, "pkcs11:object=test", GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pubkey_import_privkey(pub, key, 0, 0);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pubkey_export_rsa_raw(pub, &m1, &e1);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_pubkey_deinit(pub);
gnutls_privkey_deinit(key);
/* try again using gnutls_pubkey_import_url */
ret = gnutls_pubkey_init(&pub);
assert(ret>=0);
ret = gnutls_pubkey_import_url(pub, "pkcs11:object=test;type=public", 0);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pubkey_export_rsa_raw(pub, &m2, &e2);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
assert(m1.size == m2.size);
assert(e1.size == e2.size);
assert(memcmp(e1.data, e2.data, e2.size)==0);
assert(memcmp(m1.data, m2.data, m2.size)==0);
gnutls_pubkey_deinit(pub);
gnutls_free(m1.data);
gnutls_free(e1.data);
gnutls_free(m2.data);
gnutls_free(e2.data);
gnutls_pkcs11_deinit();
gnutls_global_deinit();
}
static void
gaa_parser (int argc, char **argv)
{
int ret;
common_info_st cinfo;
if (gaa (argc, argv, &info) != -1)
{
fprintf (stderr, "Try `%s --help' for more information.\n",
program_name);
exit (1);
}
gnutls_global_set_log_function (tls_log_func);
gnutls_global_set_log_level (info.debug);
if (info.debug > 1)
printf ("Setting log level to %d\n", info.debug);
if ((ret = gnutls_global_init ()) < 0)
error (EXIT_FAILURE, 0, "global_init: %s", gnutls_strerror (ret));
if (info.pkcs11_provider != NULL)
{
ret = gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_MANUAL, NULL);
if (ret < 0)
fprintf (stderr, "pkcs11_init: %s", gnutls_strerror (ret));
else
{
ret = gnutls_pkcs11_add_provider (info.pkcs11_provider, NULL);
if (ret < 0)
error (EXIT_FAILURE, 0, "pkcs11_add_provider: %s",
gnutls_strerror (ret));
}
}
else
{
ret = gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_AUTO, NULL);
if (ret < 0)
fprintf (stderr, "pkcs11_init: %s", gnutls_strerror (ret));
}
if (info.outfile)
{
outfile = safe_open_rw (info.outfile, 0);
if (outfile == NULL)
error (EXIT_FAILURE, errno, "%s", info.outfile);
}
else
outfile = stdout;
memset (&cinfo, 0, sizeof (cinfo));
cinfo.secret_key = info.secret_key;
cinfo.privkey = info.privkey;
cinfo.pkcs8 = info.pkcs8;
cinfo.incert_format = info.incert_format;
cinfo.cert = info.cert;
switch (info.action)
{
case ACTION_PKCS11_LIST:
pkcs11_list (outfile, info.pkcs11_url, info.pkcs11_type,
info.pkcs11_login, info.pkcs11_detailed_url, &cinfo);
break;
case ACTION_PKCS11_TOKENS:
pkcs11_token_list (outfile, info.pkcs11_detailed_url, &cinfo);
break;
case ACTION_PKCS11_MECHANISMS:
pkcs11_mechanism_list (outfile, info.pkcs11_url, info.pkcs11_login,
&cinfo);
break;
case ACTION_PKCS11_EXPORT_URL:
pkcs11_export (outfile, info.pkcs11_url, info.pkcs11_login, &cinfo);
break;
case ACTION_PKCS11_WRITE_URL:
pkcs11_write (outfile, info.pkcs11_url, info.pkcs11_label,
info.pkcs11_trusted, info.pkcs11_login, &cinfo);
break;
case ACTION_PKCS11_TOKEN_INIT:
pkcs11_init (outfile, info.pkcs11_url, info.pkcs11_label, &cinfo);
break;
case ACTION_PKCS11_DELETE_URL:
pkcs11_delete (outfile, info.pkcs11_url, 0, info.pkcs11_login, &cinfo);
break;
default:
gaa_help ();
exit (0);
}
fclose (outfile);
gnutls_pkcs11_deinit ();
gnutls_global_deinit ();
}
/**
* gnutls_global_init:
*
* This function performs any required precalculations, detects
* the supported CPU capabilities and initializes the underlying
* cryptographic backend. In order to free any resources
* taken by this call you should gnutls_global_deinit()
* when gnutls usage is no longer needed.
*
* This function increments a global counter, so that
* gnutls_global_deinit() only releases resources when it has been
* called as many times as gnutls_global_init(). This is useful when
* GnuTLS is used by more than one library in an application. This
* function can be called many times, but will only do something the
* first time.
*
* Note! This function is not thread safe. If two threads call this
* function simultaneously, they can cause a race between checking
* the global counter and incrementing it, causing both threads to
* execute the library initialization code. That would lead to a
* memory leak. To handle this, your application could invoke this
* function after aquiring a thread mutex. To ignore the potential
* memory leak is also an option.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned,
* otherwise a negative error code is returned.
**/
int
gnutls_global_init (void)
{
int result = 0;
int res;
if (_gnutls_init++)
goto out;
if (gl_sockets_startup (SOCKETS_1_1))
return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
bindtextdomain (PACKAGE, LOCALEDIR);
res = gnutls_crypto_init ();
if (res != 0)
{
gnutls_assert ();
return GNUTLS_E_CRYPTO_INIT_FAILED;
}
_gnutls_register_accel_crypto();
/* initialize ASN.1 parser
* This should not deal with files in the final
* version.
*/
if (asn1_check_version (GNUTLS_MIN_LIBTASN1_VERSION) == NULL)
{
gnutls_assert ();
_gnutls_debug_log ("Checking for libtasn1 failed: %s < %s\n",
asn1_check_version (NULL),
GNUTLS_MIN_LIBTASN1_VERSION);
return GNUTLS_E_INCOMPATIBLE_LIBTASN1_LIBRARY;
}
res = asn1_array2tree (pkix_asn1_tab, &_gnutls_pkix1_asn, NULL);
if (res != ASN1_SUCCESS)
{
result = _gnutls_asn2err (res);
goto out;
}
res = asn1_array2tree (gnutls_asn1_tab, &_gnutls_gnutls_asn, NULL);
if (res != ASN1_SUCCESS)
{
result = _gnutls_asn2err (res);
goto out;
}
/* Initialize the random generator */
result = _gnutls_rnd_init ();
if (result < 0)
{
gnutls_assert ();
goto out;
}
/* Initialize the default TLS extensions */
result = _gnutls_ext_init ();
if (result < 0)
{
gnutls_assert ();
goto out;
}
result = gnutls_mutex_init(&_gnutls_file_mutex);
if (result < 0)
{
gnutls_assert();
goto out;
}
result = gnutls_system_global_init ();
if (result < 0)
{
gnutls_assert ();
goto out;
}
#ifdef ENABLE_PKCS11
gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_AUTO, NULL);
#endif
_gnutls_cryptodev_init ();
out:
return result;
}
void doit(void)
{
int ret;
const char *lib;
gnutls_privkey_t key;
gnutls_datum_t sig = {NULL, 0}, data;
pid_t pid;
data.data = (void*)"\x38\x17\x0c\x08\xcb\x45\x8f\xd4\x87\x9c\x34\xb6\xf6\x08\x29\x4c\x50\x31\x2b\xbb";
data.size = 20;
ret = global_init();
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
lib = getenv("P11MOCKLIB1");
if (lib == NULL)
lib = P11LIB;
ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pkcs11_add_provider(lib, NULL);
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_privkey_init(&key);
assert(ret>=0);
gnutls_privkey_set_pin_function(key, pin_func, NULL);
ret = gnutls_privkey_import_url(key, "pkcs11:object=test", GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_free(sig.data);
pid = fork();
if (pid != 0) {
int status;
assert(waitpid(pid, &status, 0) >= 0);
if (WEXITSTATUS(status) != 0) {
fail("child return status was unexpected: %d\n", WEXITSTATUS(status));
exit(1);
}
} else { /* child */
ret = gnutls_pkcs11_reinit();
assert(ret == 0);
ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_free(sig.data);
gnutls_privkey_deinit(key);
gnutls_pkcs11_deinit();
gnutls_global_deinit();
exit(0);
}
if (debug)
printf("done\n\n\n");
gnutls_privkey_deinit(key);
gnutls_pkcs11_deinit();
gnutls_global_deinit();
}
void doit(void)
{
int ret;
gnutls_x509_crt_t crt, ocrt;
unsigned keyusage;
const char *lib;
ret = global_init();
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
lib = getenv("P11MOCKLIB1");
if (lib == NULL)
lib = P11LIB;
gnutls_global_set_time_function(mytime);
if (debug) {
gnutls_global_set_log_level(4711);
success("loading lib %s\n", lib);
}
ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pkcs11_add_provider(lib, "trusted");
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
assert(gnutls_x509_crt_init(&crt)>=0);
assert(gnutls_x509_crt_init(&ocrt)>=0);
/* check high level certificate functions */
ret = gnutls_x509_crt_import_url(crt, "pkcs11:type=cert;object=cert1", 0);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_x509_crt_import_url(ocrt, "pkcs11:type=cert;object=cert1", GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_x509_crt_equals(crt, ocrt);
if (ret != 0) {
fail("exported certificates are equal!\n");
}
ret = gnutls_x509_crt_get_ca_status(ocrt, NULL);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
if (ret == 0) {
fail("overriden cert is not a CA!\n");
exit(1);
}
ret = gnutls_x509_crt_get_key_usage(ocrt, &keyusage, NULL);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
if (keyusage != (GNUTLS_KEY_KEY_ENCIPHERMENT|GNUTLS_KEY_ENCIPHER_ONLY|GNUTLS_KEY_KEY_CERT_SIGN)) {
fail("Extension does not have the expected key usage!\n");
}
gnutls_x509_crt_deinit(crt);
gnutls_x509_crt_deinit(ocrt);
if (debug)
printf("done\n\n\n");
gnutls_global_deinit();
}