[Softhsm-develop] CKA_SENSITIVE and CKA_EXTRACTABLE handling

Roland van Rijswijk - Deij Roland.vanRijswijk at surfnet.nl
Fri Jul 18 08:18:37 UTC 2014


Hi Petr,

Petr Spacek wrote:
> I'm working on CKM_RSA_PKCS support for C_WrapKey (as I promised earlier).
> 
> I have found out that SoftHSM allows me to *wrap* key if and only if
> this key has CKA_SENSITIVE=FALSE and CKA_EXTRACTABLE=TRUE.
> 
> Unfortunately, this combination of flags also means that I'm able to get
> plaintext values from the token (using C_GetAttributeValue for CKA_VALUE
> or so).
> 
> I think that SoftHSM should allow key wrapping in case where
> CKA_EXTRACTABLE=TRUE and CKA_SENSITIVE=TRUE. In that case
> C_GetAttributeValue with CKA_VALUE should fail but C_WrapKey should work.
> 
> IMHO this is allowed behavior, see [1] page 83:
> Do you agree? Would you accept patch which will modify attribute
> handling to follow logic explained above?

Yes, I agree, that is a correct interpretation of the PKCS #11
specification, I'm a bit surprised that we didn't implement it that way.
We will certainly accept a patch that fixes this, thanks!

Cheers,

Roland

-- 
-- Roland M. van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surfnet.nl/en/
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4412 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.opendnssec.org/pipermail/softhsm-develop/attachments/20140718/39ad526e/attachment.bin>


More information about the Softhsm-develop mailing list