@LDVG LDVG commented Jan 26, 2022

When support for unwrapping secret keys was added in 9136878 (as part
of #2268), the --usage-decrypt and --usage-wrap options were used to
toggle the CKA_{ENCRYPT,DECRYPT} and CKA_{WRAP,UNWRAP} attributes in
the object template passed to the PKCS#11 module.

In contrast, when a secret key object is generated (--keygen) or
created (--write-object), the same attributes are unconditionally set
to true or omitted respectively, regardless of any specified --usage-*
option.

To make this handling consistent, use the approach introduced by the unwrap
command and let the user specify the attributes, defaulting to only setting
CKA_{ENCRYPT,DECRYPT} if no usage was specified.

The documentation was amended to reflect the behavior of --usage-decrypt.

Checklist
  • Documentation is added or updated
  • New files have a LGPL 2.1 license statement
  • PKCS#11 module is tested
  • Windows minidriver is tested
  • macOS tokend is tested

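The usage-to-attribute policy described above (default to CKA_ENCRYPT/CKA_DECRYPT when no --usage-* option is given, grant CKA_WRAP/CKA_UNWRAP only when --usage-wrap is requested), as an added example that is not OpenSC's pkcs11-tool code. The CK_* constants and the CK_ATTRIBUTE struct are defined locally with their PKCS#11 values so the file builds without pkcs11.h; `add_secret_key_usage`, `count_usage` and `grants` are hypothetical helper names.

```c
#include <stddef.h>

/* Local stand-ins for pkcs11.h (values match the PKCS#11 specification). */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
#define CK_TRUE     1
#define CKA_ENCRYPT 0x104UL
#define CKA_DECRYPT 0x105UL
#define CKA_WRAP    0x106UL
#define CKA_UNWRAP  0x107UL
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

static CK_BBOOL true_val = CK_TRUE;

/* Append usage attributes for a secret-key template (keygen, write-object
 * or unwrap). If neither usage was requested, fall back to encrypt/decrypt
 * only, so wrap/unwrap is never granted implicitly. Returns the number of
 * attributes written, or 0 if the caller's array is too small. */
size_t add_secret_key_usage(int usage_decrypt, int usage_wrap,
                            CK_ATTRIBUTE *attrs, size_t max_attrs)
{
    size_t n = 0;
    if (!usage_decrypt && !usage_wrap)
        usage_decrypt = 1;                      /* default described in the PR */
    if (max_attrs < (usage_decrypt ? 2u : 0u) + (usage_wrap ? 2u : 0u))
        return 0;
    if (usage_decrypt) {
        attrs[n++] = (CK_ATTRIBUTE){ CKA_ENCRYPT, &true_val, sizeof true_val };
        attrs[n++] = (CK_ATTRIBUTE){ CKA_DECRYPT, &true_val, sizeof true_val };
    }
    if (usage_wrap) {
        attrs[n++] = (CK_ATTRIBUTE){ CKA_WRAP,   &true_val, sizeof true_val };
        attrs[n++] = (CK_ATTRIBUTE){ CKA_UNWRAP, &true_val, sizeof true_val };
    }
    return n;
}

/* Number of usage attributes the policy emits for a given option pair. */
size_t count_usage(int usage_decrypt, int usage_wrap)
{
    CK_ATTRIBUTE t[4];
    return add_secret_key_usage(usage_decrypt, usage_wrap, t, 4);
}

/* Does the resulting template set the given attribute to CK_TRUE? */
int grants(int usage_decrypt, int usage_wrap, CK_ULONG type)
{
    CK_ATTRIBUTE t[4];
    size_t n = add_secret_key_usage(usage_decrypt, usage_wrap, t, 4);
    for (size_t i = 0; i < n; i++)
        if (t[i].type == type && *(CK_BBOOL *)t[i].pValue == CK_TRUE)
            return 1;
    return 0;
}
```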
@Jakuje Jakuje merged commit ec75651 into OpenSC:master Feb 8, 2022
@LDVG LDVG deleted the attrs branch February 8, 2022 12:30