Will Fiveash wrote:
> On Wed, Oct 28, 2009 at 05:24:42PM -0400, Wyllys Ingersoll wrote:
>> Will Fiveash wrote:
>>> On Wed, Oct 28, 2009 at 05:14:27PM -0400, Wyllys Ingersoll wrote:
>>>>>> The problem is that when you query the token and check the flags,
>>>>>> the token has no way to know if you want to read the private or
>>>>>> public areas so it cannot have any logic to indicate whether or
>>>>>> not to set the login bitfield in the flags. pktool defaults to the
>>>>>> safest method, which is to prompt always (we ran into trouble
>>>>>> when we did not do this on some devices other than softtoken).
>>>>> Looking at the spec there is support for different session types
>>>>> including the default of CKS_RO_PUBLIC_SESSION. Why can't the token use
>>>>> this to determine what the app wants to read and whether login is
>>>>> necessary?
>>>> That sounds like it should be possible but I haven't looked at the code
>>>> to check. You should be discussing this with the EF iteam or
>>>> crypto-discuss at opensolaris.org .
>>> I've been cc'ing crypto-discuss at opensolaris.org on this thread.
>>
>>
>> C_GetTokenInfo does not take a session handle as an argument, so the
>> token has no idea if you will be opening a readonly public session
>> or not and thus cannot tailor the info that it gives you.
>
> Fair enough but given this from the PKCS#11 v2.20 spec:
>
>   After it opens a session, an application has access to the token's
>   public objects. All threads of a given application have access to
>   exactly the same sessions and the same session objects. To gain
>   access to the token's private objects, the normal user must log in
>   and be authenticated.
>
> it seems like our implementation of softtoken, which has C_GetTokenInfo
> setting CKF_LOGIN_REQUIRED regardless of the type of object that is
> going to be accessed, is violating the spec. Should I open a bug
> against the pkcs11_softtoken.so?

No, the CKF_LOGIN_REQUIRED says "True if there are some cryptographic
functions that a user must be logged in to perform." It's more or less
telling you that if you want to see/use everything you will have to login.

If you just use C_OpenSession it will be in R/O to the token objects.
If you then use the C_Login the session will change and can then have
R/W access to token objects. PKCS#11 2.01 section 5.6 Sessions
talks about this.

> --

Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
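
Added example, not part of the original message and not softtoken or pktool code: a small C model of the PKCS#11 v2.20 session states discussed in this thread, showing why the token-wide CKF_LOGIN_REQUIRED flag alone cannot tell an application whether a given read needs a PIN. The constants carry their values from the PKCS#11 v2.20 headers; `state_after_open`, `state_after_user_login` and `pin_prompt_needed` are hypothetical helpers, and no real token is contacted.

```c
/* Added example: models PKCS#11 v2.20 session states; no token is contacted. */
#include <stdio.h>

/* Values as defined in the PKCS#11 v2.20 headers. */
#define CKF_LOGIN_REQUIRED     0x00000004UL  /* CK_TOKEN_INFO.flags bit */
#define CKF_RW_SESSION         0x00000002UL  /* C_OpenSession flags bit */
#define CKS_RO_PUBLIC_SESSION  0UL
#define CKS_RO_USER_FUNCTIONS  1UL
#define CKS_RW_PUBLIC_SESSION  2UL
#define CKS_RW_USER_FUNCTIONS  3UL

/* Hypothetical helper: state a new session starts in when nobody is logged
 * in. Models C_OpenSession; only the R/W bit of its flags is considered. */
unsigned long state_after_open(unsigned long open_flags) {
    return (open_flags & CKF_RW_SESSION) ? CKS_RW_PUBLIC_SESSION
                                         : CKS_RO_PUBLIC_SESSION;
}

/* Hypothetical helper: state after a successful C_Login(CKU_USER). */
unsigned long state_after_user_login(unsigned long state) {
    if (state == CKS_RO_PUBLIC_SESSION) return CKS_RO_USER_FUNCTIONS;
    if (state == CKS_RW_PUBLIC_SESSION) return CKS_RW_USER_FUNCTIONS;
    return state;  /* already in a user state */
}

/* Hypothetical helper: 1 if the caller must prompt for a PIN before touching
 * an object whose CKA_PRIVATE attribute is is_private, else 0. */
int pin_prompt_needed(unsigned long token_flags, unsigned long state, int is_private) {
    int logged_in = (state == CKS_RO_USER_FUNCTIONS || state == CKS_RW_USER_FUNCTIONS);
    if (!(token_flags & CKF_LOGIN_REQUIRED)) return 0;  /* nothing is login-gated */
    if (!is_private) return 0;          /* public objects: any open session */
    return !logged_in;                  /* private objects: user must be logged in */
}

int main(void) {
    unsigned long flags = CKF_LOGIN_REQUIRED;  /* constructed: flag set as in the thread */
    unsigned long s = state_after_open(0);     /* default read-only public session */
    printf("public object, no login:   prompt=%d\n", pin_prompt_needed(flags, s, 0));
    printf("private object, no login:  prompt=%d\n", pin_prompt_needed(flags, s, 1));
    s = state_after_user_login(s);
    printf("private object, logged in: prompt=%d\n", pin_prompt_needed(flags, s, 1));
    return 0;
}
```

The decision depends on the object's CKA_PRIVATE attribute and the session state, neither of which C_GetTokenInfo sees, which is why a tool that looks only at the flag ends up prompting every time.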