G'day,
Stef Hoeben wrote:
> don't know if the muscle pkcs11 shows info on private keys without
> logging in first.
Muscle PKCS#11 appears to reveal non-sensitive attribute values if the
PIN has not been presented. After the call to PKCS11_enumerate_keys in
pkcs11_load_key, I can get various private key attribute values (such as
CKA_SENSITIVE, etc.) without error, before a PIN is presented.
> On opensc we've considered it as well: there's nothing secret about
> the info on private keys, it can be a nuisance to enter your PIN too
> much and it's even better for security to enter your PIN (and hence
> open your card) only when it's really needed.
> But there's of course the problem with the part in the pkcs11
> standard, as you quoted, although IMHO it depends on how to
> interpret "access" (is providing non-sensitive info about the
> private key the same as accessing it?)
But the pkcs11_load_key function assumes that if you can get a private
key via the PKCS11_enumerate_keys function, then you do not need to
provide a PIN. So "access" has been interpreted in the code to mean that
the private key is visible to the application.
I'm now not sure what is the correct interpretation of CKA_PRIVATE. All
I know is that opensc PKCS#11 wrapper and libmusclepkcs11 do not agree
on whether a PIN is required.
> About the certs: it's a nice way to overcome the above problem: user
> certs on a pkcs11 token have most often the same ID as the
> corresponding private key (not enforced by the standard, but everyone
> does it) so it's a nice work-around to get info on private keys
> without having to log in. (Not sure if that's why it's used in the
> pkcs11_load_key() function)
The only benefit I can see is in verbose mode: get the certificates, and
print out the IDs. You can assume that there is a corresponding private
key on the token with the same ID.
However, two changes should be made here:
* The pkcs11_load_key function should not fail if certificates cannot
be enumerated. If enumerating certificates fails, then there's a
good chance that enumerating keys will also fail, but I still like
to keep the distinction, just in case.
* The certificate enumeration itself should only be performed if
'verbose' is true.
-- Geoff
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
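Added illustration (not code from the Muscle list, opensc or any real PKCS#11 module): a toy in-memory token that models the two readings of CKA_PRIVATE discussed above (objects hidden until C_Login versus non-sensitive attributes visible beforehand), matches certificates to keys by CKA_ID, and a hypothetical load_key() that applies Geoff's two proposed changes: certificates are enumerated only in verbose mode, and a failed certificate enumeration is never fatal. The Token, Obj and load_key names and the "any non-empty PIN logs in" rule are constructed for the example.

```python
from dataclasses import dataclass

CKO_CERTIFICATE, CKO_PRIVATE_KEY = 1, 3   # real PKCS#11 CKA_CLASS values

@dataclass
class Obj:            # constructed stand-in for a token object
    cls: int          # CKA_CLASS
    id: bytes         # CKA_ID, shared by a cert and its private key
    private: bool     # CKA_PRIVATE

@dataclass
class Token:          # constructed stand-in for a PKCS#11 slot/session
    objects: list
    strict: bool      # True: hide CKA_PRIVATE objects until login (standard reading)
    logged_in: bool = False
    cert_enum_fails: bool = False   # simulate a module that cannot list certs

    def login(self, pin):           # constructed: any non-empty PIN succeeds
        self.logged_in = bool(pin)

    def enumerate(self, cls):
        if cls == CKO_CERTIFICATE and self.cert_enum_fails:
            raise RuntimeError("C_FindObjects failed")
        return [o for o in self.objects if o.cls == cls
                and (self.logged_in or not self.strict or not o.private)]

def load_key(token, key_id, verbose=False, pin=None):
    """Return the private key whose CKA_ID == key_id, or None.
    Certificate enumeration is informational only and never fatal."""
    if verbose:
        try:
            for c in token.enumerate(CKO_CERTIFICATE):
                print("cert id", c.id.hex(), "-> expect a key with the same CKA_ID")
        except RuntimeError as e:
            print("cert enumeration failed, continuing:", e)
    keys = [k for k in token.enumerate(CKO_PRIVATE_KEY) if k.id == key_id]
    if not keys and pin is not None and not token.logged_in:
        token.login(pin)   # key not visible before login: present the PIN, retry
        keys = [k for k in token.enumerate(CKO_PRIVATE_KEY) if k.id == key_id]
    return keys[0] if keys else None
```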