On 10/28/2009 02:25 AM, Konstantin Andreev wrote:
> Hello.
>
> It looks somewhat strange how default (so-called legacydb) database
> allows upper layer (softoken) to manipulate key's attributes.
Yes, the mapping between what the database could store and change versus
what PKCS #11 expected to store and change wasn't always very clean.
>
> [
> http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/softoken/legacydb/lgattr.c&rev=1.9&mark=1630-1641#1601
> ]
>
> ---- lg_SetPrivateKeyAttribute() @ lib/softoken/legacydb/lgattr.c ----
> ........
>     case CKA_VALUE:
>     case CKA_PRIVATE_EXPONENT:
>     case CKA_PRIME_1:
>     case CKA_PRIME_2:
>     case CKA_EXPONENT_1:
>     case CKA_EXPONENT_2:
>     case CKA_COEFFICIENT:
>     /* We aren't really changing these values, we are just triggering
>      * the database to update it's entry */
>     *writePrivate = PR_TRUE;
>     crv = CKR_OK;
>     break;
> ........
> -------------------------------------
>
> One can see that softoken is allowed to change attributes of a RSA
> key, but *NOT* allowed to change attributes of DSA, ECC, DH, etc. keys.
RSA doesn't really allow these attributes to change either.
>
> Could you, please, advise how this code was designed, and how
> legacydb *should* grant access to a key's attributes?
Following the ECC and DSA examples should be correct.

The only attributes you really need to deal with on update are
CKA_LABEL and CKA_ID, both of which are handled in the key-type
independent portion of the code (so you shouldn't have to do anything
special).

bob
>
> Best regards,
> -- 
> Konstantin Andreev, software engineer.
> Swemel JSC
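An added C model of the two-tier update policy described in the reply (not NSS code and not lg_SetPrivateKeyAttribute's real signature; the attribute and return-code constants are PKCS #11 values, and the read-only result for non-RSA key material is an assumption the thread does not state):

```c
#include <stdbool.h>
/* Added model of the policy in the thread: constants are PKCS #11 values,
 * but this is not NSS's lg_SetPrivateKeyAttribute (different signature,
 * no database access). */
typedef unsigned long CK_ULONG;
#define CKA_LABEL            0x003UL
#define CKA_VALUE            0x011UL
#define CKA_ID               0x102UL
#define CKA_PRIVATE_EXPONENT 0x123UL /* ..CKA_COEFFICIENT are contiguous */
#define CKA_COEFFICIENT      0x128UL
#define CKA_PRIME            0x130UL
#define CKA_SUBPRIME         0x131UL
#define CKA_BASE             0x132UL
enum { CKK_RSA = 0, CKK_DSA = 1, CKK_DH = 2, CKK_EC = 3 };
#define CKR_OK                     0x00UL
#define CKR_ATTRIBUTE_READ_ONLY    0x10UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x12UL

/* Key-type-specific tier: is this attribute part of the key material? */
static bool is_key_material(CK_ULONG key_type, CK_ULONG attr) {
    switch (key_type) {
    case CKK_RSA:
        return attr == CKA_VALUE ||
               (attr >= CKA_PRIVATE_EXPONENT && attr <= CKA_COEFFICIENT);
    case CKK_DSA: case CKK_DH: case CKK_EC:
        return attr == CKA_VALUE || attr == CKA_PRIME ||
               attr == CKA_SUBPRIME || attr == CKA_BASE;
    default:
        return false;
    }
}

/* Key-type-independent tier: CKA_LABEL and CKA_ID are the only attributes
 * that really change. RSA material only flags the record for re-encoding,
 * as in the quoted case; other key types report it read-only (assumption). */
CK_ULONG model_set_private_key_attribute(CK_ULONG key_type, CK_ULONG attr,
                                         bool *writePrivate) {
    *writePrivate = false;
    if (attr == CKA_LABEL || attr == CKA_ID)
        return CKR_OK;                 /* handled generically */
    if (!is_key_material(key_type, attr))
        return CKR_ATTRIBUTE_TYPE_INVALID;
    if (key_type == CKK_RSA) {
        *writePrivate = true;          /* trigger a DB rewrite, value kept */
        return CKR_OK;
    }
    return CKR_ATTRIBUTE_READ_ONLY;
}
```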


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto