[Opendnssec-user] Question about P11Attributes checks

Rickard Bellgrim rickard at opendnssec.org
Mon Oct 23 17:28:02 UTC 2017


Hi Dave, the third search result for "ck7" will show where it is enforced.

https://github.com/opendnssec/SoftHSMv2/search?q=ck7

// Rickard

On Mon, Oct 23, 2017 at 5:13 PM, Dave Fine <finerrecliner at gmail.com> wrote:

> Thank you for the information. I still don't see where in the code that
> any of these `ck` checks are enforced though. For example, who enforces
> `ck7` on a P11ECPrivateKeyObj, so that a sensitive key cannot be revealed?
>
> Thank you,
> -Dave
>
> On Thu, Oct 12, 2017 at 11:09 AM Rickard Bellgrim <rickard at opendnssec.org>
> wrote:
>
>> Hi Dave
>>
>> The checks comes from PKCS#11 [1] and is enforced according to it. You
>> can cross-reference all the attributes with PKCS#11.
>>
>> ck1 is set for CKA_CLASS [2], but CKA_TOKEN is an optional attribute that
>> will default to CK_FALSE and is not required when creating an object.
>>
>> CKA_CERTIFICATE_TYPE is only used by certificate object and will not be
>> required for key objects. You can check how the attributes are used in
>> P11Objects.cpp [3] and also in the PKCS#11 standard.
>>
>> [1] http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/
>> os/pkcs11-base-v2.40-os.html
>> [2] https://github.com/opendnssec/SoftHSMv2/blob/
>> develop/src/lib/P11Attributes.h#L140
>> [3] https://github.com/opendnssec/SoftHSMv2/blob/
>> develop/src/lib/P11Objects.cpp
>>
>> // Rickard
>>
>> On Wed, Oct 11, 2017 at 11:34 PM, Dave Fine <finerrecliner at gmail.com>
>> wrote:
>>
>>> Hello,
>>>
>>> I have a question regarding P11Attributes.h the SoftHSMv2 code base. In
>>> this file, there is an enum that defines a number of `ck` checks. As an
>>> example, ck1 seems to be reserved for when an attribute is required while
>>> creating an object. Therefore, I would expect ck1 to be set on P11Attribute
>>> child classes such as P11AttrClass, and P11AttrToken (to enforce
>>> requiring CKA_CLASS and CKA_TOKEN). However, I see that ck1 is not used for
>>> P11AttrToken. Instead I see P11AttrCertificateType uses a ck1 check,
>>> which is not something I would think be required when creating an object.
>>> For example, why would CKA_CERTIFICATE_TYPE be required, if you were
>>> creating a key object?
>>>
>>> Could someone clear up how the `ck` checks are supposed to be used?
>>> Perhaps I am not understanding it correctly.
>>>
>>> Thank you,
>>> -Dave
>>>
>>> _______________________________________________
>>> Opendnssec-user mailing list
>>> Opendnssec-user at lists.opendnssec.org
>>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>>>
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20171023/6a5f19fa/attachment.htm>


More information about the Opendnssec-user mailing list