Will Fiveash wrote:
> In regards to pktool I think the problem is that:
>
> list_pk11_objects() calls token_auth_needed() which does:
>
>         ckrv = C_GetTokenInfo(slot, &info);
>         if (ckrv != KMF_OK)
>                 return (KMF_ERR_INTERNAL);
>
>         *auth = (info.flags & CKF_LOGIN_REQUIRED);
>
> and later in list_pk11_objects() there is:
>
>         if (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) {
>                 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
>                     &kstype, sizeof (kstype));
>
>                 numattr++;
>                 if (auth > 0 && (cred.cred == NULL)) {
>                         (void) get_token_password(kstype, token, &cred);
>                 }
>
> I don't think the logic that checks auth for PK_CERT_OBJ and
> PK_PUBLIC_OBJ class objects is correct.

I agree that looks suspect to me. While not strictly wrong according to the letter of the spec, I think it is against the intent of it, and it certainly isn't a great UI experience for pktool. I'd support changing that.

--
Darren J Moffat
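
The point both messages make, as an added example that is not part of the thread or of pktool's source: a toy token model in C where listing certificates and public objects gives the same result with or without a login, next to the quoted prompt condition and one possible narrower one. PK_PRIVATE_OBJ, the selector values, the sample objects and the function names are assumptions made for illustration; only CKF_LOGIN_REQUIRED carries its real PKCS#11 value.

```c
#include <stddef.h>

/* Real PKCS#11 token flag value (pkcs11t.h). */
#define CKF_LOGIN_REQUIRED 0x00000004UL

/* Selectors named after the ones quoted above; values and PK_PRIVATE_OBJ are assumed. */
#define PK_CERT_OBJ    0x1
#define PK_PRIVATE_OBJ 0x2
#define PK_PUBLIC_OBJ  0x4

/* Constructed token object: which selector matches it, and its CKA_PRIVATE attribute. */
struct tok_obj { int oclass; int cka_private; };

static const struct tok_obj sample_token[] = {
    { PK_CERT_OBJ,    0 },  /* certificate stored as a public object */
    { PK_PUBLIC_OBJ,  0 },  /* public key */
    { PK_PRIVATE_OBJ, 1 },  /* private key, hidden until login */
};
#define SAMPLE_COUNT (sizeof (sample_token) / sizeof (sample_token[0]))

/* PKCS#11 visibility rule: CKA_PRIVATE objects are not visible before C_Login. */
size_t count_visible(int oclass, int logged_in)
{
    size_t i, n = 0;
    for (i = 0; i < SAMPLE_COUNT; i++) {
        if (!(sample_token[i].oclass & oclass)) continue;
        if (sample_token[i].cka_private && !logged_in) continue;
        n++;
    }
    return n;
}

/* Condition as quoted: a cert/public listing prompts whenever the token flag is set. */
int prompt_quoted(unsigned long flags, int oclass, int have_cred)
{
    int auth = (flags & CKF_LOGIN_REQUIRED) != 0;
    return (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) && auth && !have_cred;
}

/* One possible alternative (an assumption): prompt only when private objects are requested. */
int prompt_private_only(unsigned long flags, int oclass, int have_cred)
{
    int auth = (flags & CKF_LOGIN_REQUIRED) != 0;
    return (oclass & PK_PRIVATE_OBJ) && auth && !have_cred;
}
```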