On 05/30/2014 11:55 AM, Jonathan Schulze-Hewett wrote: > Another bit of oddness. I can put the PKCS#11 device into "read only" mode > where it only supports CKS_RO_PUBLIC_SESSION and CKS_RO_USER_FUNCTIONS > states and asserts the CKF_WRITE_PROTECTED flag. In this state Firefox > attempts to call C_CreateObject to create an ECC public key on the device > which fails. Firefox returns sec_error_bad_signature to the user in this > case stating "Peer's certificate has an invalid signature." RO only affects Token objects. > > Perhaps I misunderstand the meaning of those state and flag values and that > read only/write protected means that callers can still make objects as long > as CKA_TOKEN=false? yes, those are ephemeral objects. In general, read only tokens need to be to create those (sometimes explictily, like C_CreateObject, sometimes implicitly, like C_Derive or C_Unwrap). These objects disappear if the token is 'powered down', shutdown, removed, or all the sessions are closed. Token objects stay on, thus require tokens that can be writeable.
bob > > Jonathan > > > > > -- > View this message in context: > http://mozilla.6506.n7.nabble.com/ECC-FIPS-Mode-and-PKCS-11-devices-tp316591p316609.html > Sent from the Mozilla - Cryptography mailing list archive at Nabble.com.
smime.p7s
Description: S/MIME Cryptographic Signature
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
