PKCS#11 bugs

Nikos Mavrogiannopoulos nmav at
Fri Jun 17 20:41:31 CEST 2011

On 06/17/2011 09:13 AM, Rickard Bellgrim wrote:

> Great, now it logs in as SO. Just one more thing. Also set the 
> CKA_PRIVATE to false. As I noted above, the default value is 
> "token-specific". Otherwise the SO cannot create the object. If this 
> is fixed then it works. See table 6 (access rules) in the PKCS#11
> API, page 22.

I've set it to false when the CKA_TRUSTED is set as well.

> I also noted that the library enters an eternal loop when wrong PIN 
> has been entered. This was because I do not set PIN_COUNT_LOW or
> PIN_FINAL_TRY in SoftHSM. GnuTLS will thus keep using the cached PIN.
> I will see what I can do about that.

I've also limited the number of attempts a PIN is used with p11tool.
This would prevent such an infinite loop.


More information about the Gnutls-devel mailing list