Hi,

The 2.20 spec is the same. I was wondering what the hardware was coded for and figured that would be the nail in the coffin. Thanks for looking at that. No matter what the framework did, the hardware would stop the setting of the attribute.

thanks
Tony

Misaki Miyashita wrote:
> Hi Tony,
>
> Changing the CKA_PRIVATE attribute with C_SetAttributeValue fails for
> sca4000.
>
> In PKCS#11 v2.11 section 10.4, it talks about common storage object
> attributes (CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL). Right
> below the table 19, it says that "Only the CKA_LABEL attribute can be
> modified after the object is created." So I think PKCS#11 says that
> CKA_PRIVATE cannot be modified after the object is created. As you
> mentioned, it says that CKA_PRIVATE can be changed in the process of
> copying an object.
>
> I don't know about the latest spec, but it's probably safer to duplicate
> the object using C_CopyObject, and delete the original one.
>
> -- misaki
>
> Garrett D'Amore wrote on 2007-01-31 16:35:
>
>> Anthony Scarpino wrote:
>>
>>> Garrett D'Amore wrote:
>>>
>>>> Anthony Scarpino wrote:
>>>>
>>>>> I want to use C_SetAttributeValue to set CKA_PRIVATE from false to
>>>>> true. The spec doesn't call that out as an allowed operation, but it
>>>>> does say you can use C_CopyObject in that way. That seems a bit odd to
>>>>> me. The spec does spell out that one can set CKA_SENSITIVE to true via
>>>>> C_SetAttributeValue. I'm a bit surprised one can set an object
>>>>> sensitive but not private. This is in 10.1.2 and 10.1.3 of the PKCS
>>>>> #11 v2.20 spec.
>>>>>
>>>>> What is other people's take on this, and do other implementations
>>>>> prevent this attribute from being set?
>>>>
>>>> I thought CKA_PRIVATE was intended to indicate that the object in
>>>> question was a private key, i.e. the (normally confidential) piece of a
>>>> public/private key pair.
>>>
>>> That would be CKA_CLASS = CKO_PRIVATE_KEY. CKA_PRIVATE is used for
>>> C_Login requirements.
>>>
>>>> CKA_SENSITIVE, on the other hand, is used to manage key policy.
>>>
>>> Yeah. If it's sensitive, certain attributes can not be
>>> C_GetAttributeValue'ed; otherwise, they can all be retrieved.
>>
>> Ah, tickling the brain. Thanks for that, and sorry for the confusion.
>> (I feel stupid now.)
>>
>> IIRC, CKA_PRIVATE is allowed to be set by copy, but not by
>> C_SetAttribute, because the object may have to be copied to a different
>> storage area.
>>
>> Also, setting CKA_PRIVATE could create problems when another application
>> (or user!) already has the object in use as a public object.
>>
>> There are also considerations for what happens to an object on logout.
>> It's a bit complicated as I recall.
>>
>> I believe that it is also not possible to take a PRIVATE object and make
>> it public, either.
>>
>> -- Garrett
>
> _______________________________________________
> crypto-discuss mailing list
> crypto-discuss at opensolaris.org
> http://opensolaris.org/mailman/listinfo/crypto-discuss
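The rules the thread is circling, written out as an added example (not code from the thread, the Solaris crypto framework, or any real PKCS#11 library): the `ModelToken` class below is a constructed in-memory stand-in for a token that enforces the v2.20 attribute-modification rules discussed above (only CKA_LABEL of the common storage attributes is settable after creation, CKA_SENSITIVE may only go FALSE to TRUE, CKA_EXTRACTABLE only TRUE to FALSE, CKA_PRIVATE may be set on a copy), plus Misaki's copy-then-destroy migration and Garrett's point that a private object stops being reachable once the user logs out. The attribute and return-code constants carry the standard PKCS#11 numeric values; everything else, including the helper names and the sample key, is assumed for the example.

```python
"""Model of the PKCS#11 v2.20 attribute-modification rules (added example).

ModelToken is a constructed stand-in for a token, not a real Cryptoki
implementation. The constants use the standard PKCS#11 numeric values.
"""
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL = 0x000, 0x001, 0x002, 0x003
CKA_VALUE, CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_MODIFIABLE = 0x011, 0x103, 0x162, 0x170
CKO_SECRET_KEY = 0x4
CKR_OK, CKR_ATTRIBUTE_READ_ONLY, CKR_ATTRIBUTE_SENSITIVE = 0x00, 0x10, 0x11
CKR_OBJECT_HANDLE_INVALID, CKR_USER_NOT_LOGGED_IN = 0x82, 0x101

# Common storage attributes fixed once the object exists (v2.20 section 10.4).
_FIXED = {CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE}
# One-way attributes: the only transition allowed after creation (section 10.1.2).
_ONE_WAY = {CKA_SENSITIVE: (False, True), CKA_EXTRACTABLE: (True, False)}


class Pkcs11Error(Exception):
    def __init__(self, rv):
        super().__init__(f"CKR 0x{rv:03X}")
        self.rv = rv


def _check_one_way(obj, attr, value):
    """Reject SENSITIVE TRUE->FALSE and EXTRACTABLE FALSE->TRUE; no-ops are fine."""
    if attr in _ONE_WAY and obj[attr] != value and (obj[attr], value) != _ONE_WAY[attr]:
        raise Pkcs11Error(CKR_ATTRIBUTE_READ_ONLY)


class ModelToken:
    def __init__(self):
        self._objs = {}  # handle -> attribute dict
        self._next = 1
        self.logged_in = False

    def C_Login(self):
        self.logged_in = True

    def C_Logout(self):
        self.logged_in = False

    def _get(self, h):
        obj = self._objs.get(h)
        # A private object is not reachable through its handle while logged out.
        if obj is None or (obj[CKA_PRIVATE] and not self.logged_in):
            raise Pkcs11Error(CKR_OBJECT_HANDLE_INVALID)
        return obj

    def C_CreateObject(self, template):
        attrs = {CKA_TOKEN: False, CKA_PRIVATE: False, CKA_MODIFIABLE: True,
                 CKA_SENSITIVE: False, CKA_EXTRACTABLE: True, CKA_LABEL: ""}
        attrs.update(template)
        if attrs[CKA_PRIVATE] and not self.logged_in:
            raise Pkcs11Error(CKR_USER_NOT_LOGGED_IN)
        h, self._next = self._next, self._next + 1
        self._objs[h] = attrs
        return h

    def C_SetAttributeValue(self, h, template):
        obj = self._get(h)
        if not obj[CKA_MODIFIABLE]:
            raise Pkcs11Error(CKR_ATTRIBUTE_READ_ONLY)
        for attr, value in template.items():
            if attr in _FIXED:  # CKA_PRIVATE lands here: read-only after creation
                raise Pkcs11Error(CKR_ATTRIBUTE_READ_ONLY)
            _check_one_way(obj, attr, value)
        obj.update(template)  # all checks passed before any attribute is written

    def C_CopyObject(self, h, template):
        # Copying is the sanctioned way to obtain an object with a different
        # CKA_TOKEN / CKA_PRIVATE; the one-way rules still bind the copy.
        new = dict(self._get(h))
        for attr, value in template.items():
            _check_one_way(new, attr, value)
        new.update(template)
        return self.C_CreateObject(new)

    def C_DestroyObject(self, h):
        self._get(h)
        del self._objs[h]

    def C_GetAttributeValue(self, h, attr):
        obj = self._get(h)
        if attr == CKA_VALUE and obj[CKA_SENSITIVE]:
            raise Pkcs11Error(CKR_ATTRIBUTE_SENSITIVE)
        return obj[attr]

    def C_FindObjects(self):
        return [h for h, o in self._objs.items() if self.logged_in or not o[CKA_PRIVATE]]


def make_private(tok, h):
    """Copy with CKA_PRIVATE=TRUE, then destroy the public original so no public
    handle keeps pointing at the key material (the migration Misaki suggests)."""
    new = tok.C_CopyObject(h, {CKA_PRIVATE: True})
    tok.C_DestroyObject(h)
    return new


def demo():
    tok = ModelToken()
    # Constructed sample: a public, non-sensitive 128-bit secret key.
    h = tok.C_CreateObject({CKA_CLASS: CKO_SECRET_KEY, CKA_LABEL: "k1", CKA_VALUE: b"\x00" * 16})
    out = {}
    try:
        tok.C_SetAttributeValue(h, {CKA_PRIVATE: True})
        out["set_private"] = CKR_OK
    except Pkcs11Error as e:
        out["set_private"] = e.rv  # CKR_ATTRIBUTE_READ_ONLY
    tok.C_SetAttributeValue(h, {CKA_SENSITIVE: True})  # FALSE -> TRUE is allowed
    try:
        tok.C_SetAttributeValue(h, {CKA_SENSITIVE: False})
        out["unset_sensitive"] = CKR_OK
    except Pkcs11Error as e:
        out["unset_sensitive"] = e.rv  # CKR_ATTRIBUTE_READ_ONLY
    try:
        tok.C_GetAttributeValue(h, CKA_VALUE)
        out["read_value"] = CKR_OK
    except Pkcs11Error as e:
        out["read_value"] = e.rv  # CKR_ATTRIBUTE_SENSITIVE
    tok.C_Login()
    h2 = make_private(tok, h)
    out["private"] = tok.C_GetAttributeValue(h2, CKA_PRIVATE)
    out["visible_logged_in"] = tok.C_FindObjects()
    tok.C_Logout()
    out["visible_logged_out"] = tok.C_FindObjects()
    return out
```

The order inside `make_private` matters: copy first, verify, then destroy, so a failure in `C_CopyObject` (for example a logged-out session) leaves the original in place rather than losing the key. On a real token the copy may land in a different storage area and a new handle is returned, so any other session still holding the old public handle sees it go invalid, which is the concurrency problem Garrett raises.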