Service Développement wrote:
...
I agree with you that objects are created with PIN protection if auth_id is empty. But that is not the goal of this modification.

The PKCS#11 documentation says that "the common object attributes CKA_CLASS, CKA_TOKEN, CKA_PRIVATE and CKA_LABEL must be specified when an object is created."

So my application has to create some data objects with the attribute CKA_PRIVATE set to TRUE, and others with CKA_PRIVATE set to FALSE. Without this modification (the flag receiving SC_PKCS15_CO_FLAG_PRIVATE), when this application lists the different created data objects, all of them have the CKA_PRIVATE attribute set to FALSE!! Why? Because, by default, data objects in PKCS#15 are created with DEFAULT_DATA_FLAGS (0x02) in the function sc_pkcs15init_new_object. The CKA_PRIVATE attribute is not carried between the OpenSC PKCS#11 structure and the different PKCS#15 structures; there is no parameter to change it.

What about this quick hack in sc_pkcs15init_new_object()?

Index: src/pkcs15init/pkcs15-lib.c
===================================================================
--- src/pkcs15init/pkcs15-lib.c (Revision 3115)
+++ src/pkcs15init/pkcs15-lib.c (Arbeitskopie)
@@ -2711,6 +2712,8 @@
                break;
        case SC_PKCS15_TYPE_DATA_OBJECT:
                object->flags = DEFAULT_DATA_FLAGS;
+               if (auth_id->len != 0)
+                       object->flags |= SC_PKCS15_CO_FLAG_PRIVATE;
                data_size = sizeof(sc_pkcs15_data_info_t);
                break;
        }
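Review bot: the added `if (auth_id->len != 0)` dereferences `auth_id` with no NULL check visible in the hunk; if a caller can pass a NULL auth_id for a data object this is a crash, so write it as `if (auth_id != NULL && auth_id->len != 0)`. Note also that the hunk derives the PRIVATE flag solely from whether an auth_id was given, whereas the request above is for the CKA_PRIVATE value from the PKCS#11 template to be carried through to the PKCS#15 object; the two agree only when every PIN-protected data object is meant to be private. The hunk header `@@ -2711,6 +2712,8 @@` starts one line later on the new side than the two added lines account for, so the working copy appears to carry other uncommitted changes that should be separated out before this is applied.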

Btw: in your patch the label of the data object is always set,
but the label attribute is afaik optional (if the OID is set),
so it might be better not to set it at all if it hasn't been
specified (I know that the current code has the same behaviour,
but that doesn't mean that it is correct).

Cheers,
Nils
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
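The mapping the thread is about, written out as an added example in C (not OpenSC code and not from either poster): a PKCS#11 C_CreateObject template is checked for the four required common attributes, the requested CKA_PRIVATE value is turned into PKCS#15 CommonObjectFlags on top of DEFAULT_DATA_FLAGS, and the stored flags are mapped back to the CKA_PRIVATE value a listing would report. The constant values are those of PKCS#11 v2.x and OpenSC's pkcs15.h, but they are redefined here so the file builds on its own; `pkcs15_id`, `pkcs15_flags_from_template`, `cka_private_from_flags` and `example_roundtrip` are names invented for this example, and rejecting a private object that has no auth_id (including a NULL auth_id pointer) is this example's own choice, not OpenSC's behaviour.

```c
/* Added example (not OpenSC code): PKCS#11 template -> PKCS#15 flags -> CKA_PRIVATE.
 * Constants follow PKCS#11 v2.x and OpenSC's pkcs15.h; the function and struct
 * names are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
#define CK_TRUE  1
#define CK_FALSE 0

/* PKCS#11 attribute types and the data object class */
#define CKA_CLASS   0x00UL
#define CKA_TOKEN   0x01UL
#define CKA_PRIVATE 0x02UL
#define CKA_LABEL   0x03UL
#define CKO_DATA    0x00UL

typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

/* PKCS#15 CommonObjectFlags bits (values as in OpenSC's pkcs15.h) */
#define SC_PKCS15_CO_FLAG_PRIVATE    0x01u
#define SC_PKCS15_CO_FLAG_MODIFIABLE 0x02u
#define DEFAULT_DATA_FLAGS           SC_PKCS15_CO_FLAG_MODIFIABLE   /* 0x02: modifiable, not private */

/* Stand-in for sc_pkcs15_id (hypothetical): a PIN reference; len == 0 means "no auth_id". */
typedef struct { uint8_t value[8]; size_t len; } pkcs15_id;

/* Look up one attribute in a template; NULL if absent. */
static const CK_ATTRIBUTE *find_attr(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ULONG type) {
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].type == type) return &t[i];
    return NULL;
}

/* Read a CK_BBOOL attribute; -1 if absent or not exactly one byte. */
static int attr_bool(const CK_ATTRIBUTE *a, CK_BBOOL *out) {
    if (a == NULL || a->pValue == NULL || a->ulValueLen != sizeof(CK_BBOOL)) return -1;
    *out = *(const CK_BBOOL *)a->pValue;
    return 0;
}

/* Derive the PKCS#15 flags for a new data object from its PKCS#11 template.
 * Returns -1 if CKA_CLASS (must be CKO_DATA), CKA_TOKEN, CKA_PRIVATE or
 * CKA_LABEL is missing or malformed, else 0 with *flags set.
 * auth_id may be NULL; it is only consulted when CKA_PRIVATE is TRUE, and a
 * private object with nothing to protect it is rejected (example's own choice). */
int pkcs15_flags_from_template(const CK_ATTRIBUTE *t, CK_ULONG n,
                               const pkcs15_id *auth_id, unsigned int *flags) {
    CK_BBOOL is_token, is_private;
    const CK_ATTRIBUTE *cls = find_attr(t, n, CKA_CLASS);
    if (cls == NULL || cls->pValue == NULL || cls->ulValueLen != sizeof(CK_ULONG) ||
        *(const CK_ULONG *)cls->pValue != CKO_DATA) return -1;
    if (attr_bool(find_attr(t, n, CKA_TOKEN), &is_token) != 0) return -1;
    if (attr_bool(find_attr(t, n, CKA_PRIVATE), &is_private) != 0) return -1;
    if (find_attr(t, n, CKA_LABEL) == NULL) return -1;
    (void)is_token;                      /* required to be present; value not needed here */

    *flags = DEFAULT_DATA_FLAGS;         /* what pkcs15init starts from for data objects */
    if (is_private == CK_TRUE) {
        if (auth_id == NULL || auth_id->len == 0) return -1;
        *flags |= SC_PKCS15_CO_FLAG_PRIVATE;
    }
    return 0;
}

/* Inverse mapping used when listing: the CKA_PRIVATE value implied by stored flags. */
CK_BBOOL cka_private_from_flags(unsigned int flags) {
    return (flags & SC_PKCS15_CO_FLAG_PRIVATE) ? CK_TRUE : CK_FALSE;
}

/* Constructed sample: the template the poster describes (a data object with
 * CKA_PRIVATE as requested), run through the mapping. with_auth_id == 0 passes
 * a NULL auth_id, which the mapping must survive. */
int example_roundtrip(CK_BBOOL want_private, int with_auth_id, unsigned int *flags) {
    CK_ULONG cls = CKO_DATA;
    CK_BBOOL tok = CK_TRUE;
    char label[] = "my data object";     /* constructed label */
    pkcs15_id pin = { {0x01}, 1 };       /* constructed PIN auth_id */
    CK_ATTRIBUTE tpl[] = {
        { CKA_CLASS,   &cls,          sizeof cls },
        { CKA_TOKEN,   &tok,          sizeof tok },
        { CKA_PRIVATE, &want_private, sizeof want_private },
        { CKA_LABEL,   label,         sizeof label - 1 },
    };
    return pkcs15_flags_from_template(tpl, 4, with_auth_id ? &pin : NULL, flags);
}

int main(void) {
    unsigned int flags;
    if (example_roundtrip(CK_TRUE, 1, &flags) == 0)
        printf("private requested: flags=0x%02x, listed CKA_PRIVATE=%d\n",
               flags, cka_private_from_flags(flags));
    if (example_roundtrip(CK_FALSE, 1, &flags) == 0)
        printf("public requested:  flags=0x%02x, listed CKA_PRIVATE=%d\n",
               flags, cka_private_from_flags(flags));
    return 0;
}
```

The point of the round trip is the one the poster hit: if the PRIVATE bit is never ORed into DEFAULT_DATA_FLAGS (0x02), `cka_private_from_flags` reports FALSE for every data object regardless of what the template asked for; with the bit set from the template, a private object lists as 0x03 and reports TRUE.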