Explicitly set CKA_PRIVATE to false when writing certificates (#1272127)

Upstream: https://github.com/OpenSC/OpenSC/commit/4df35b92

opensc-0.15.0-cka_private.patch

@@ -0,0 +1,120 @@
+commit 4df35b922c8eb7e0776a23260b65e570b33e4d42
+Author: Nicholas Wilson <nicholas.wilson@realvnc.com>
+Date:   Tue Aug 11 14:02:52 2015 +0100
+
+    pkcs11: Fix to CKA_PRIVATE handling pcks11-tool
+    
+    There's a copy-and-paste bug in there, where the CKA_PRIVATE attribute
+    is being set on the wrong variables! As well as fixing that, we should
+    explicitly set CKA_PRIVATE to "false" for certificates and public keys,
+    since the PKCS#11 spec doesn't specify a default and some drivers use
+    "private" as the default, making it impossible to add a public key/cert
+    using pkcs11-tool.
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index 2781302..c3861d5 100644
+--- a/src/tools/pkcs11-tool.c
++++ b/src/tools/pkcs11-tool.c
+@@ -1923,6 +1923,7 @@ static int parse_gost_private_key(EVP_PKEY *evp_key, struct gostkey_info *gost)
+ static int write_object(CK_SESSION_HANDLE session)
+ {
+ 	CK_BBOOL _true = TRUE;
++	CK_BBOOL _false = FALSE;
+ 	unsigned char contents[MAX_OBJECT_SIZE + 1];
+ 	int contents_len = 0;
+ 	unsigned char certdata[MAX_OBJECT_SIZE];
+@@ -2026,28 +2027,24 @@ static int write_object(CK_SESSION_HANDLE session)
+ 		FILL_ATTR(cert_templ[1], CKA_VALUE, contents, contents_len);
+ 		FILL_ATTR(cert_templ[2], CKA_CLASS, &clazz, sizeof(clazz));
+ 		FILL_ATTR(cert_templ[3], CKA_CERTIFICATE_TYPE, &cert_type, sizeof(cert_type));
+-		n_cert_attr = 4;
++		FILL_ATTR(cert_templ[4], CKA_PRIVATE, &_false, sizeof(_false));
++		n_cert_attr = 5;
+ 
+ 		if (opt_object_label != NULL) {
+-			FILL_ATTR(cert_templ[n_cert_attr], CKA_LABEL,
+-				opt_object_label, strlen(opt_object_label));
++			FILL_ATTR(cert_templ[n_cert_attr], CKA_LABEL, opt_object_label, strlen(opt_object_label));
+ 			n_cert_attr++;
+ 		}
+ 		if (opt_object_id_len != 0) {
+-			FILL_ATTR(cert_templ[n_cert_attr], CKA_ID,
+-				opt_object_id, opt_object_id_len);
++			FILL_ATTR(cert_templ[n_cert_attr], CKA_ID, opt_object_id, opt_object_id_len);
+ 			n_cert_attr++;
+ 		}
+ #ifdef ENABLE_OPENSSL
+ 		/* according to PKCS #11 CKA_SUBJECT MUST be specified */
+-		FILL_ATTR(cert_templ[n_cert_attr], CKA_SUBJECT,
+-			cert.subject, cert.subject_len);
++		FILL_ATTR(cert_templ[n_cert_attr], CKA_SUBJECT, cert.subject, cert.subject_len);
+ 		n_cert_attr++;
+-		FILL_ATTR(cert_templ[n_cert_attr], CKA_ISSUER,
+-			cert.issuer, cert.issuer_len);
++		FILL_ATTR(cert_templ[n_cert_attr], CKA_ISSUER, cert.issuer, cert.issuer_len);
+ 		n_cert_attr++;
+-		FILL_ATTR(cert_templ[n_cert_attr], CKA_SERIAL_NUMBER,
+-			cert.serialnum, cert.serialnum_len);
++		FILL_ATTR(cert_templ[n_cert_attr], CKA_SERIAL_NUMBER, cert.serialnum, cert.serialnum_len);
+ 		n_cert_attr++;
+ #endif
+ 	}
+@@ -2150,9 +2147,12 @@ static int write_object(CK_SESSION_HANDLE session)
+ 		n_pubkey_attr = 3;
+ 
+ 		if (opt_is_private != 0) {
+-			FILL_ATTR(data_templ[n_data_attr], CKA_PRIVATE,
+-				&_true, sizeof(_true));
+-			n_data_attr++;
++			FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_PRIVATE, &_true, sizeof(_true));
++			n_pubkey_attr++;
++		}
++		else {
++			FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_PRIVATE, &_false, sizeof(_false));
++			n_pubkey_attr++;
+ 		}
+ 
+ 		if (opt_object_label != NULL) {
+@@ -2180,15 +2180,12 @@ static int write_object(CK_SESSION_HANDLE session)
+ 
+ #ifdef ENABLE_OPENSSL
+ 		if (cert.subject_len != 0) {
+-			FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_SUBJECT,
+-				cert.subject, cert.subject_len);
++			FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_SUBJECT, cert.subject, cert.subject_len);
+ 			n_pubkey_attr++;
+ 		}
+-		FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_MODULUS,
+-			rsa.modulus, rsa.modulus_len);
++		FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_MODULUS, rsa.modulus, rsa.modulus_len);
+ 		n_pubkey_attr++;
+-		FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_PUBLIC_EXPONENT,
+-			rsa.public_exponent, rsa.public_exponent_len);
++		FILL_ATTR(pubkey_templ[n_pubkey_attr], CKA_PUBLIC_EXPONENT, rsa.public_exponent, rsa.public_exponent_len);
+ 		n_pubkey_attr++;
+ #endif
+ 	}
+@@ -2202,8 +2199,11 @@ static int write_object(CK_SESSION_HANDLE session)
+ 		n_data_attr = 3;
+ 
+ 		if (opt_is_private != 0) {
+-			FILL_ATTR(data_templ[n_data_attr], CKA_PRIVATE,
+-				&_true, sizeof(_true));
++			FILL_ATTR(data_templ[n_data_attr], CKA_PRIVATE, &_true, sizeof(_true));
++			n_data_attr++;
++		}
++		else {
++			FILL_ATTR(data_templ[n_data_attr], CKA_PRIVATE, &_false, sizeof(_false));
+ 			n_data_attr++;
+ 		}
+ 
+@@ -2227,8 +2227,7 @@ static int write_object(CK_SESSION_HANDLE session)
+ 		}
+ 
+ 		if (opt_object_label != NULL) {
+-			FILL_ATTR(data_templ[n_data_attr], CKA_LABEL,
+-				opt_object_label, strlen(opt_object_label));
++			FILL_ATTR(data_templ[n_data_attr], CKA_LABEL, opt_object_label, strlen(opt_object_label));
+ 			n_data_attr++;
+ 		}
+