[Softhsm-develop] CKA_SENSITIVE and CKA_EXTRACTABLE handling

Petr Spacek pspacek at redhat.com
Fri Jul 18 19:00:59 CEST 2014


On 18.7.2014 10:18, Roland van Rijswijk - Deij wrote:
> Petr Spacek wrote:
>> I think that SoftHSM should allow key wrapping in case where
>> CKA_EXTRACTABLE=TRUE and CKA_SENSITIVE=TRUE. In that case
>> C_GetAttributeValue with CKA_VALUE should fail but C_WrapKey should work.
>>
>> IMHO this is allowed behavior, see [1] page 83:
>> Do you agree? Would you accept patch which will modify attribute
>> handling to follow logic explained above?
>
> Yes, I agree, that is a correct interpretation of the PKCS #11
> specification, I'm a bit surprised that we didn't implement it that way.
> We will certainly accept a patch that fixes this, thanks!

Here it is:
https://github.com/opendnssec/SoftHSMv2/pull/84

I have extended test suite a little bit to make sure that CKA_SENSITIVE works 
as described above.

Enjoy.

-- 
Petr Spacek  @  Red Hat



More information about the Softhsm-develop mailing list