PKCS#11 bugs

Rickard Bellgrim rickard at opendnssec.org
Fri Jun 17 09:13:09 CEST 2011


On Thu, Jun 16, 2011 at 8:51 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> On 06/16/2011 12:32 PM, Rickard Bellgrim wrote:
>> On Wed, Jun 15, 2011 at 9:33 PM, Nikos Mavrogiannopoulos
>> <nmav at gnutls.org> wrote:
>>>> 4.
>>>> The p11tool has an option to mark a certificate as trusted when
>>>> importing it. The problem is that only the Security Officer can set it
>>>> to true. I do not have a patch for it. But the program has to log in
>>>> as an SO and change the attribute of this object. Remember that the SO
>>>> can only see public objects. You do not set the CKA_PRIVATE and the
>>>> default value is "token-specific". SoftHSM sets the CKA_PRIVATE to
>>>> true, and thus it is not visible to the SO since it then is a private
>>>> object.
>>> I think I've addressed it in the repository.
>> The first three items now work. But the CKA_TRUSTED is still set by
>> the user and not the SO.
>
> Ooops. Should be fixed now.

Great, now it logs in as SO. Just one more thing: also set the
CKA_PRIVATE to false. As I noted above, the default value is
"token-specific". Otherwise the SO cannot create the object. If this
is fixed, then it works.

See table 6 (access rules) in the PKCS#11 API, page 22.

I also noted that the library enters an eternal loop when a wrong PIN
has been entered.

// Rickard
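The two access-rule problems discussed in this thread (CKA_TRUSTED may only be set by the SO, and the SO cannot create or see private objects) come straight out of Table 6 of the PKCS#11 specification. The following Python model is an added example written for this page; it is not code from p11tool, GnuTLS or SoftHSM. It encodes Table 6 and the CKA_TRUSTED rule, then runs the p11tool certificate template through C_CreateObject's checks in a user session and an SO session, with and without an explicit CKA_PRIVATE. The CKR_* return values chosen for each rejection are assumptions about what a typical token reports; the spec lists them as possible returns, but an actual module may pick a different one. The "token-specific" default for CKA_PRIVATE is modelled as a parameter, with SoftHSM's CK_TRUE default (as stated in the mail) used unless overridden, so the example also shows why the same template would have worked on a token whose default is CK_FALSE.

```python
"""Model of the PKCS#11 Table 6 access rules and the CKA_TRUSTED restriction.

Added example, not part of p11tool/GnuTLS/SoftHSM. Error codes returned on
rejection are an assumption about typical token behaviour.
"""

# Session states (PKCS#11 CKS_* values).
CKS_RO_PUBLIC_SESSION = 0
CKS_RO_USER_FUNCTIONS = 1
CKS_RW_PUBLIC_SESSION = 2
CKS_RW_USER_FUNCTIONS = 3
CKS_RW_SO_FUNCTIONS = 4

CK_TRUE, CK_FALSE = True, False

# Table 6 ("Access to different types of objects by different types of
# sessions"): (CKA_TOKEN, CKA_PRIVATE) -> session state -> access.
# None means the object is invisible in that session; "R/O" means it can be
# read but not created or modified.
ACCESS = {
    (CK_FALSE, CK_FALSE): {0: "R/W", 1: "R/W", 2: "R/W", 3: "R/W", 4: "R/W"},
    (CK_FALSE, CK_TRUE):  {0: None,  1: "R/W", 2: None,  3: "R/W", 4: None},
    (CK_TRUE,  CK_FALSE): {0: "R/O", 1: "R/O", 2: "R/W", 3: "R/W", 4: "R/W"},
    (CK_TRUE,  CK_TRUE):  {0: None,  1: "R/O", 2: None,  3: "R/W", 4: None},
}


def check_create_object(template, session_state, token_default_private=CK_TRUE):
    """Return "CKR_OK" or the CKR_* reason C_CreateObject rejects the template.

    token_default_private models the "token-specific" default for CKA_PRIVATE
    when the template omits it; CK_TRUE mirrors SoftHSM as described above.
    """
    token = template.get("CKA_TOKEN", CK_FALSE)  # spec default is CK_FALSE
    private = template.get("CKA_PRIVATE", token_default_private)
    access = ACCESS[(token, private)][session_state]
    if access is None:
        # Public and SO sessions have no access to private objects at all,
        # so the SO cannot even create one. (Assumed return code.)
        return "CKR_USER_NOT_LOGGED_IN"
    if access != "R/W":
        return "CKR_SESSION_READ_ONLY"
    # Certificate attribute table: CKA_TRUSTED can only be set to CK_TRUE
    # by the SO. (Assumed return code.)
    if template.get("CKA_TRUSTED") is CK_TRUE and session_state != CKS_RW_SO_FUNCTIONS:
        return "CKR_ATTRIBUTE_READ_ONLY"
    return "CKR_OK"


def visible_objects(objects, session_state):
    """Labels C_FindObjects would return in this session (Table 6 visibility)."""
    return [o["label"] for o in objects
            if ACCESS[(o["CKA_TOKEN"], o["CKA_PRIVATE"])][session_state] is not None]


def trusted_cert_template(cka_private=None):
    """Template for importing a certificate marked trusted, as p11tool does.

    cka_private=None leaves CKA_PRIVATE out, i.e. "token-specific".
    """
    template = {"CKA_CLASS": "CKO_CERTIFICATE", "CKA_TOKEN": CK_TRUE, "CKA_TRUSTED": CK_TRUE}
    if cka_private is not None:
        template["CKA_PRIVATE"] = cka_private
    return template


# Constructed sample token contents for the visibility check.
SAMPLE_OBJECTS = [
    {"label": "ca-private", "CKA_TOKEN": CK_TRUE, "CKA_PRIVATE": CK_TRUE},
    {"label": "ca-public",  "CKA_TOKEN": CK_TRUE, "CKA_PRIVATE": CK_FALSE},
]

if __name__ == "__main__":
    # Bug 1: setting CKA_TRUSTED from a user session.
    print("user session:", check_create_object(trusted_cert_template(), CKS_RW_USER_FUNCTIONS))
    # Bug 2: SO session, CKA_PRIVATE omitted, SoftHSM-style default CK_TRUE.
    print("SO, default private:", check_create_object(trusted_cert_template(), CKS_RW_SO_FUNCTIONS))
    # Fix: SO session with CKA_PRIVATE explicitly CK_FALSE.
    print("SO, CKA_PRIVATE=false:", check_create_object(trusted_cert_template(CK_FALSE), CKS_RW_SO_FUNCTIONS))
    print("SO sees:", visible_objects(SAMPLE_OBJECTS, CKS_RW_SO_FUNCTIONS))
    print("user sees:", visible_objects(SAMPLE_OBJECTS, CKS_RW_USER_FUNCTIONS))
```

The model makes the dependency explicit: logging in as SO fixes the CKA_TRUSTED check but, on a token whose default for CKA_PRIVATE is CK_TRUE, moves the failure to the access rule, which is why the template has to carry CKA_PRIVATE=CK_FALSE rather than rely on the default.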
