Wyllys Ingersoll wrote:
> Darren J Moffat wrote:
>> Will Fiveash wrote:
>>> In regards to pktool I think the problem is that:
>>>
>>> list_pk11_objects() calls token_auth_needed() which does:
>>>
>>>     ckrv = C_GetTokenInfo(slot, &info);
>>>     if (ckrv != KMF_OK)
>>>         return (KMF_ERR_INTERNAL);
>>>
>>>     *auth = (info.flags & CKF_LOGIN_REQUIRED);
>>>
>>> and later in list_pk11_objects() there is:
>>>
>>>     if (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) {
>>>         kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
>>>             &kstype, sizeof (kstype));
>>>
>>>         numattr++;
>>>         if (auth > 0 && (cred.cred == NULL)) {
>>>             (void) get_token_password(kstype, token, &cred);
>>>         }
>>>
>>> I don't think the logic that checks auth for PK_CERT_OBJ and
>>> PK_PUBLIC_OBJ class objects is correct.
>>
>> I agree that looks suspect to me. While not strictly wrong according
>> to the letter of the spec I think it is against the intent of it, and
>> it certainly isn't a great UI experience for pktool. I'd support
>> changing that.
>>
>
> The problem I recall is that I think the SCA6000 requires login even for
> accessing public objects and "pktool list" without logging in
> resulted in no objects being found.
Hmm, okay, at least if I remove CKF_LOGIN_REQUIRED from softtoken that fixes the most common use case. So maybe leave pktool alone then.

-- 
Darren J Moffat
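The thread turns on one decision: pktool prompts for a PIN whenever the token advertises CKF_LOGIN_REQUIRED, even when only certificates or public keys are being listed, while some tokens (the SCA6000 is the one named above) really do hide public objects until a login happens. The following is an added example, not pktool or Solaris code, that puts the quoted prompt rule next to a narrower one so the two can be compared on a few token profiles. CKF_LOGIN_REQUIRED carries its PKCS#11 value; the OBJ_* masks, the struct token_info stand-in, and its public_needs_login field are constructed for this example (PKCS#11 has no such flag, so in practice it would have to come from per-provider configuration).

```c
#include <stdbool.h>
#include <stdio.h>

/* PKCS#11 v2.x CK_TOKEN_INFO flag, value taken from the standard header. */
#define CKF_LOGIN_REQUIRED 0x00000004UL

/* Object-class request bits. They play the role of pktool's PK_*_OBJ masks
 * in the thread but are constructed values for this example. */
#define OBJ_CERT    0x01u
#define OBJ_PUBLIC  0x02u
#define OBJ_PRIVATE 0x04u
#define OBJ_SYMKEY  0x08u

/* Minimal stand-in for CK_TOKEN_INFO: only the flags field is modelled. */
struct token_info {
    unsigned long flags;
    /* Assumption for this example: the token hides public objects until a
     * login has happened (the SCA6000 behaviour described in the thread).
     * Not a PKCS#11 field; it would come from provider configuration. */
    bool public_needs_login;
};

/* Rule as quoted from pktool: any token with CKF_LOGIN_REQUIRED triggers a
 * PIN prompt when no credential is present, regardless of object class. */
bool prompt_original(const struct token_info *ti, unsigned oclass, bool have_cred) {
    bool auth = (ti->flags & CKF_LOGIN_REQUIRED) != 0;
    (void)oclass;                 /* class is not consulted by this rule */
    return auth && !have_cred;
}

/* Narrower rule: prompt when the request touches private objects, or when
 * the request is public-only and the token is known to need a login even
 * for those. A token without CKF_LOGIN_REQUIRED never prompts. */
bool prompt_proposed(const struct token_info *ti, unsigned oclass, bool have_cred) {
    if (have_cred)
        return false;
    bool auth = (ti->flags & CKF_LOGIN_REQUIRED) != 0;
    bool wants_private = (oclass & (OBJ_PRIVATE | OBJ_SYMKEY)) != 0;
    bool wants_public = (oclass & (OBJ_CERT | OBJ_PUBLIC)) != 0;
    if (wants_private)
        return auth;
    if (wants_public)
        return auth && ti->public_needs_login;
    return false;
}

int main(void) {
    /* Two constructed token profiles: a softtoken-like one and one that
     * hides public objects until login. */
    const struct token_info soft = { CKF_LOGIN_REQUIRED, false };
    const struct token_info hide = { CKF_LOGIN_REQUIRED, true };
    const struct { const char *name; const struct token_info *ti; unsigned oclass; } cases[] = {
        { "soft, list certs",        &soft, OBJ_CERT },
        { "soft, list private keys", &soft, OBJ_PRIVATE },
        { "hidden-public, list certs", &hide, OBJ_CERT | OBJ_PUBLIC },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s original=%d proposed=%d\n", cases[i].name,
               prompt_original(cases[i].ti, cases[i].oclass, false),
               prompt_proposed(cases[i].ti, cases[i].oclass, false));
    return 0;
}
```

Run it and the first row shows the case Darren describes: the quoted rule prompts a softtoken user just to list certificates, while the narrower rule does not, and the third row shows that the narrower rule still prompts for a token that hides public objects, which is the case Wyllys raised.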