PKCS#11 bugs

Rickard Bellgrim rickard at opendnssec.org
Thu Jun 16 12:32:21 CEST 2011


On Wed, Jun 15, 2011 at 9:33 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
>> 4.
>> The p11tool has an option to mark a certificate as trusted when
>> importing it. The problem is that only the Security Officer can set it
>> to true. I do not have a patch for it. But the program has to log in
>> as a SO and change the attribute of this object. Remember that the SO
>> can only see public objects. You do not set the CKA_PRIVATE and the
>> default value is "token-specific". SoftHSM sets the CKA_PRIVATE to
>> true and thus not visible for the SO since it then is a private
>> object.
>
> I think I've addressed it in the repository.

The first three items now work. But the CKA_TRUSTED is still set by
the user and not the SO.

// Rickard

Output from pkcs11-spy:

9: C_OpenSession
[in] slotID = 0x2
[in] flags = 0x6
pApplication=(nil)
Notify=(nil)
[out] *phSession = 0x1
Returned:  0 CKR_OK
PIN required for token 'token2' with URL
'pkcs11:model=SoftHSM;manufacturer=SoftHSM;serial=1;token=token2'
Enter PIN:


10: C_Login
[in] hSession = 0x1
[in] userType = CKU_USER
[in] pPin[ulPinLen] [size : 0x4 (4)]
    31323334
Returned:  0 CKR_OK


11: C_CreateObject
[in] hSession = 0x1
[in] pTemplate[8]:
    CKA_CLASS             CKO_CERTIFICATE
    CKA_ID                [size : 0x14 (20)]
    0D388EB8 8076B822 9EFCCBCB 207EF27B 870854CA
    CKA_VALUE             [size : 0x2A1 (673)]
    3082029D 30820206 020900ED B2014041 B7ACCB30 0D06092A 864886F7 0D010105
    05003081 92310B30 09060355 04061302 53453112 30100603 55040813 0953746F
    636B686F 6C6D3112 30100603 55040713 0953746F 636B686F 6C6D310C 300A0603
    55040A13 032E5345 310C300A 06035504 0B130346 6F553119 30170603 55040313
    10526963 6B617264 2042656C 6C677269 6D312430 2206092A 864886F7 0D010901
    16157269 636B6172 64624063 65727465 7A7A612E 6E657430 1E170D31 31303631
    36313032 3233315A 170D3132 30363135 31303232 33315A30 8192310B 30090603
    55040613 02534531 12301006 03550408 13095374 6F636B68 6F6C6D31 12301006
    03550407 13095374 6F636B68 6F6C6D31 0C300A06 0355040A 13032E53 45310C30
    0A060355 040B1303 466F5531 19301706 03550403 13105269 636B6172 64204265
    6C6C6772 696D3124 30220609 2A864886 F70D0109 01161572 69636B61 72646240
    63657274 657A7A61 2E6E6574 30819F30 0D06092A 864886F7 0D010101 05000381
    8D003081 89028181 00B3664B DE864766 54105F12 2791E5E6 5E9368B5 3FAFAA21
    9D0BFA7D E141CCA5 90BCE2A0 C8B3E836 6A070D8A E77FEA98 5964BC59 3FA75177
    E6879E14 D591BDA9 4ECD0B2E 7AE34A78 A115B838 60200E72 19FE0312 1D419250
    D4FECBCD 0EF7BEFB 1C0E6293 C4891955 6236E432 1C70D5FE 5DD00E83 748D2FE6
    7CF19B21 34313C5B 01020301 0001300D 06092A86 4886F70D 01010505 00038181
    0005C642 9D21D50B FD3C5957 EF8F0E16 C08CC216 FC9141DC 67AA452D A147EBE7
    BF95B508 5E43A9EA D61B8CDF 9BC839A3 AF991540 7F552A28 90C4D756 FC33416C
    B2B3C83C 973851BC 61FA0F0D 6C3B2CC1 0F0AC266 E15F07CD B79010D8 BA2984C3
    0708ECFF 49255890 BE84202C F3205AD5 85F19E87 9391F059 DEF749D0 F7FEF2B0
    39
    CKA_TOKEN             True
    CKA_CERTIFICATE_TYPE  CKC_X_509
    CKA_SUBJECT           [size : 0x95 (149)]
    30819231 0B300906 03550406 13025345 31123010 06035504 08130953 746F636B
    686F6C6D 31123010 06035504 07130953 746F636B 686F6C6D 310C300A 06035504
    0A13032E 5345310C 300A0603 55040B13 03466F55 31193017 06035504 03131052
    69636B61 72642042 656C6C67 72696D31 24302206 092A8648 86F70D01 09011615
    7269636B 61726462 40636572 74657A7A 612E6E65 74
    DN: C=SE, ST=Stockholm, L=Stockholm, O=.SE, OU=FoU, CN=Rickard Bellgrim/emailAddress=rickardb at certezza.net
    CKA_LABEL             [size : 0x6 (6)]
    4D794365 7274
     M y C e  r t
    CKA_TRUSTED           [size : 0x1 (1)]
    01
Returned:  16 CKR_ATTRIBUTE_READ_ONLY


12: C_CloseSession
[in] hSession = 0x1
Returned:  0 CKR_OK
Error in pkcs11_write:574: PKCS #11 error in attribute
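
Added example, not part of the original message and not GnuTLS or SoftHSM code: a small Python checker for pkcs11-spy traces like the one above. It flags calls that set CKA_TRUSTED outside a CKU_SO login and object templates that omit CKA_PRIVATE. The embedded trace is a constructed, abridged sample, and the names parse_calls and audit are assumptions of this example.

```python
import re

SAMPLE_TRACE = """\
10: C_Login
[in] hSession = 0x1
[in] userType = CKU_USER
Returned:  0 CKR_OK
11: C_CreateObject
[in] hSession = 0x1
[in] pTemplate[2]:
    CKA_CLASS             CKO_CERTIFICATE
    CKA_TRUSTED           [size : 0x1 (1)]
    01
Returned:  16 CKR_ATTRIBUTE_READ_ONLY
"""  # constructed, abridged sample in pkcs11-spy's output layout

CALL = re.compile(r"^(\d+): (C_\w+)$")

def parse_calls(text):
    """Split a trace into calls: function, session, user type, CKA_* names, return code."""
    calls, cur = [], {"attrs": []}  # cur starts as a throwaway for lines before any call
    for s in map(str.strip, text.splitlines()):
        m = CALL.match(s)
        if m:
            calls.append(cur := {"n": int(m[1]), "fn": m[2], "attrs": [], "rv": None})
        elif s.startswith(("[in] hSession", "[in] userType")):
            cur[s.split()[1]] = s.split("=")[1].strip()  # key is hSession or userType
        elif s.startswith("CKA_"):
            cur["attrs"].append(s.split()[0])
        elif s.startswith("Returned:"):
            cur["rv"] = s.split()[-1]
    return calls

def audit(text):
    """Flag CKA_TRUSTED set outside an SO login and templates that omit CKA_PRIVATE."""
    role, findings = {}, []  # simplification: login state is tracked per session handle
    for c in parse_calls(text):
        sess = c.get("hSession")
        if c["fn"] == "C_Login" and c["rv"] == "CKR_OK":
            role[sess] = c.get("userType")
        elif c["fn"] in ("C_Logout", "C_CloseSession"):
            role.pop(sess, None)
        elif c["fn"] in ("C_CreateObject", "C_SetAttributeValue"):
            who = role.get(sess, "public session")
            if "CKA_TRUSTED" in c["attrs"] and who != "CKU_SO":
                findings.append((c["n"], f"CKA_TRUSTED set as {who}: {c['rv']}"))
            if c["fn"] == "C_CreateObject" and "CKA_PRIVATE" not in c["attrs"]:
                findings.append((c["n"], "CKA_PRIVATE omitted: token default applies"))
    return findings
```

Calling audit() on a saved pkcs11-spy log returns (call number, finding) pairs; an empty list means no call matched either check.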



