Darren J Moffat wrote:
> Will Fiveash wrote:
>> In regards to pktool I think the problem is that:
>>
>> list_pk11_objects() calls token_auth_needed() which does:
>>
>>     ckrv = C_GetTokenInfo(slot, &info);
>>     if (ckrv != KMF_OK)
>>         return (KMF_ERR_INTERNAL);
>>
>>     *auth = (info.flags & CKF_LOGIN_REQUIRED);
>>
>> and later in list_pk11_objects() there is:
>>
>>     if (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) {
>>         kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
>>             &kstype, sizeof (kstype));
>>
>>         numattr++;
>>         if (auth > 0 && (cred.cred == NULL)) {
>>             (void) get_token_password(kstype, token, &cred);
>>         }
>>
>> I don't think the logic that checks auth for PK_CERT_OBJ and
>> PK_PUBLIC_OBJ class objects is correct.
>
> I agree that looks suspect to me. While not strictly wrong according to
> the letter of the spec I think it is against the intent of it, and it
> certainly isn't a great UI experience for pktool. I'd support changing
> that.
>
The problem I recall is that I think the SCA6000 requires login even for accessing public objects and "pktool list" without logging in resulted in no objects being found.

-Wyllys
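
The prompt decision discussed in this thread, as an added example that is not pktool code and not from any of the posters: it puts the quoted check beside one hypothetical alternative that prompts up front only for private objects and falls back to a prompt when an unauthenticated search on a login-required token finds nothing (the behaviour recalled above for the SCA6000). The PK_* bit values, the PK_PRIVATE_OBJ name, and both function names are assumptions made for the example; CKF_LOGIN_REQUIRED uses its PKCS#11 value.

```c
#include <stdio.h>

/* CKF_LOGIN_REQUIRED as defined by PKCS#11. The PK_* values below are
 * constructed for this example and are not pktool's real definitions. */
#define CKF_LOGIN_REQUIRED 0x00000004UL
#define PK_CERT_OBJ    0x01
#define PK_PUBLIC_OBJ  0x02
#define PK_PRIVATE_OBJ 0x04	/* assumed name for private-object classes */

/* The check quoted in the thread: cert/public listings prompt for the PIN
 * whenever the token advertises CKF_LOGIN_REQUIRED and no PIN is cached. */
int prompt_quoted(unsigned long flags, int oclass, int have_cred)
{
	int auth = (flags & CKF_LOGIN_REQUIRED) != 0;
	return ((oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) && auth && !have_cred);
}

/* Hypothetical alternative. found_unauth is the object count from a search
 * done without login, or -1 if that search has not been attempted yet. */
int prompt_alt(unsigned long flags, int oclass, int have_cred, int found_unauth)
{
	int auth = (flags & CKF_LOGIN_REQUIRED) != 0;

	if (!auth || have_cred)
		return (0);		/* nothing to ask for */
	if (oclass & PK_PRIVATE_OBJ)
		return (1);		/* private objects always need login */
	/* Public objects: prompt only after an empty unauthenticated search,
	 * which covers tokens that hide public objects until login. */
	return (found_unauth == 0);
}

int main(void)
{
	/* Constructed case: login-required token, listing certs, no PIN yet. */
	printf("quoted logic prompts: %d\n",
	    prompt_quoted(CKF_LOGIN_REQUIRED, PK_CERT_OBJ, 0));
	printf("alt, before search:   %d\n",
	    prompt_alt(CKF_LOGIN_REQUIRED, PK_CERT_OBJ, 0, -1));
	printf("alt, 0 objects found: %d\n",
	    prompt_alt(CKF_LOGIN_REQUIRED, PK_CERT_OBJ, 0, 0));
	printf("alt, 3 objects found: %d\n",
	    prompt_alt(CKF_LOGIN_REQUIRED, PK_CERT_OBJ, 0, 3));
	return (0);
}
```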