On Wed, Oct 28, 2009 at 05:08:42PM -0500, Douglas E. Engert wrote:
> 
> 
>  Will Fiveash wrote:
> > On Wed, Oct 28, 2009 at 05:24:42PM -0400, Wyllys Ingersoll wrote:
> >>  Will Fiveash wrote:
> >>> On Wed, Oct 28, 2009 at 05:14:27PM -0400, Wyllys Ingersoll wrote:
> >>>>>>  The problem is that when you query the token and check the flags,
> >>>>>>  the token has no way to know if you want to read the private or
> >>>>>>  public areas so it cannot have any logic to indicate whether or
> >>>>>>  not to set the login bitfield in the flags.  pktool defaults to
> >>>>>>  the safest method, which is to prompt always (we ran into trouble
> >>>>>>  when we did not do this on some devices other than softtoken).
> >>>>> Looking at the spec there is support for different session types
> >>>>> including the default of CKS_RO_PUBLIC_SESSION.  Why can't the token
> >>>>> use this to determine what the app wants to read and whether login is
> >>>>> necessary?
> >>>>  That sounds like it should be possible but I haven't looked at the code
> >>>>  to check.  You should be discussing this with the EF iteam or
> >>>>  crypto-discuss at opensolaris.org .
> >>> I've been cc'ing crypto-discuss at opensolaris.org on this thread.
> >>
> >>
> >>  C_GetTokenInfo does not take a session handle as an argument, so the
> >>  token has no idea if you will be opening a readonly public session
> >>  or not and thus cannot tailor the info that it gives you.
> > Fair enough but given this from the PKCS#11 v2.20 spec:
> >     After it opens a session, an application has access to the token's
> >     public objects. All threads of a given application have access to
> >     exactly the same sessions and the same session objects. To gain
> >     access to the token's private objects, the normal user must log in
> >     and be authenticated.
> > it seems like our implementation of softtoken, which has C_GetTokenInfo
> > setting CKF_LOGIN_REQUIRED regardless of the type of object that is
> > going to be accessed, is violating the spec.  Should I open a bug
> > against the pkcs11_softtoken.so?
> 
>  No, the CKF_LOGIN_REQUIRED says "True if there are some cryptographic
>  functions that a user must be logged in to perform."  It's more or less
>  telling you that if you want to see/use everything you will have to login.
> 
> 
>  If you just use C_OpenSession it will be in R/O to the token objects.
>  If you then use the C_Login the session will change and can then have
>  R/W access to token objects.
> 
>  PKCS#11 2.01 section 5.6 Sessions talks about this.

Yep, I was just talking to Nico Williams about this and he convinced me
that the problem is not that pkcs11_softtoken is setting
CKF_LOGIN_REQUIRED but rather that the applications like pktool and the
pkinit preauth plugin are prompting for login if that flag is set
regardless of whether the softtoken object to be accessed is public or
not.  This seems crude and unnecessary.  Note that in the case of the
pkinit plugin this can cause a prompt for the user's PIN even if there
are no certs in the user's softtoken.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
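
Added example, not part of the message above and not code from pktool, the pkinit plugin or pkcs11_softtoken: a sketch of the prompt decision the thread argues for, where CKF_LOGIN_REQUIRED alone does not trigger a PIN prompt. The token is a constructed in-memory mock; `mock_obj`, `enum need`, `find_public` and `should_prompt` are hypothetical names, and the code assumes certificates are stored as public objects.

```c
#include <stddef.h>
#include <stdio.h>

/* Constants as defined by PKCS#11, repeated so this builds without pkcs11.h. */
#define CKF_LOGIN_REQUIRED 0x00000004UL
#define CKO_CERTIFICATE    0x00000001UL
#define CKO_PRIVATE_KEY    0x00000003UL

/* Constructed stand-in for a token object: class plus its CKA_PRIVATE value. */
struct mock_obj { unsigned long cls; int is_private; };

enum need { NEED_PUBLIC_ONLY, NEED_CERT_AND_KEY };  /* hypothetical */

/* Models C_FindObjects before C_Login: only CKA_PRIVATE == false is visible. */
size_t find_public(const struct mock_obj *o, size_t n, unsigned long cls)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (o[i].cls == cls && !o[i].is_private)
            hits++;
    return hits;
}

/* Hypothetical policy helper: 1 = prompt for the PIN, 0 = do not prompt. */
int should_prompt(unsigned long token_flags, const struct mock_obj *o,
                  size_t n, enum need need)
{
    if (!(token_flags & CKF_LOGIN_REQUIRED))
        return 0;                 /* no function on this token needs a login */
    if (need == NEED_PUBLIC_ONLY)
        return 0;                 /* public objects are readable as-is */
    /* Assumption: certificates are stored as public objects, so an empty
     * public search means there is no credential worth unlocking. */
    return find_public(o, n, CKO_CERTIFICATE) > 0;
}

/* Constructed sample token: one public certificate, one private key. */
const struct mock_obj SAMPLE_TOKEN[] = {
    { CKO_CERTIFICATE, 0 }, { CKO_PRIVATE_KEY, 1 },
};

int main(void)
{
    printf("list public objects: %d\n",
           should_prompt(CKF_LOGIN_REQUIRED, SAMPLE_TOKEN, 2, NEED_PUBLIC_ONLY));
    printf("pkinit, empty token: %d\n",
           should_prompt(CKF_LOGIN_REQUIRED, NULL, 0, NEED_CERT_AND_KEY));
    printf("pkinit, cert present: %d\n",
           should_prompt(CKF_LOGIN_REQUIRED, SAMPLE_TOKEN, 2, NEED_CERT_AND_KEY));
    return 0;
}
```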
