Hi Dave, the third search result for "ck7" will show where it is enforced.

https://github.com/opendnssec/SoftHSMv2/search?q=ck7

// Rickard

On Mon, Oct 23, 2017 at 5:13 PM, Dave Fine <[email protected]> wrote:

> Thank you for the information. I still don't see where in the code
> any of these `ck` checks are enforced though. For example, who enforces
> `ck7` on a P11ECPrivateKeyObj, so that a sensitive key cannot be revealed?
>
> Thank you,
> -Dave
>
> On Thu, Oct 12, 2017 at 11:09 AM Rickard Bellgrim <[email protected]> wrote:
>
>> Hi Dave
>>
>> The checks come from PKCS#11 [1] and are enforced according to it. You
>> can cross-reference all the attributes with PKCS#11.
>>
>> ck1 is set for CKA_CLASS [2], but CKA_TOKEN is an optional attribute that
>> will default to CK_FALSE and is not required when creating an object.
>>
>> CKA_CERTIFICATE_TYPE is only used by certificate objects and will not be
>> required for key objects. You can check how the attributes are used in
>> P11Objects.cpp [3] and also in the PKCS#11 standard.
>>
>> [1] http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html
>> [2] https://github.com/opendnssec/SoftHSMv2/blob/develop/src/lib/P11Attributes.h#L140
>> [3] https://github.com/opendnssec/SoftHSMv2/blob/develop/src/lib/P11Objects.cpp
>>
>> // Rickard
>>
>> On Wed, Oct 11, 2017 at 11:34 PM, Dave Fine <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> I have a question regarding P11Attributes.h in the SoftHSMv2 code base. In
>>> this file, there is an enum that defines a number of `ck` checks. As an
>>> example, ck1 seems to be reserved for when an attribute is required while
>>> creating an object. Therefore, I would expect ck1 to be set on P11Attribute
>>> child classes such as P11AttrClass and P11AttrToken (to enforce
>>> requiring CKA_CLASS and CKA_TOKEN). However, I see that ck1 is not used for
>>> P11AttrToken. Instead I see that P11AttrCertificateType uses a ck1 check,
>>> which is not something I would think would be required when creating an object.
>>> For example, why would CKA_CERTIFICATE_TYPE be required if you were
>>> creating a key object?
>>>
>>> Could someone clear up how the `ck` checks are supposed to be used?
>>> Perhaps I am not understanding it correctly.
>>>
>>> Thank you,
>>> -Dave
>>>
>>> _______________________________________________
>>> Opendnssec-user mailing list
>>> [email protected]
>>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
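To make the enforcement question in the thread concrete, here is an added, hypothetical model (not SoftHSMv2's code) of how a ck1 check applies when an object is created and a ck7 check applies when an attribute is read back, following the semantics the thread describes. Attribute and return-code names follow PKCS#11; the check-to-attribute table, the bit values and the defaults are assumptions for the model.

```cpp
// Hypothetical model (not SoftHSMv2 code) of the ck1 / ck7 footnote checks.
#include <map>

// Attribute types; names follow PKCS#11, enum values are constructed.
enum AttrType { CKA_CLASS, CKA_KEY_TYPE, CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_VALUE, CKA_LABEL };

// Return codes modelled on PKCS#11 return values.
enum Rv { CKR_OK, CKR_TEMPLATE_INCOMPLETE, CKR_ATTRIBUTE_SENSITIVE, CKR_ATTRIBUTE_TYPE_INVALID };

// Footnote checks as the thread describes them: ck1 = must be supplied when the
// object is created, ck7 = cannot be revealed when the object is sensitive or
// non-extractable. The bit positions are arbitrary (assumed for this model).
enum Check : unsigned { ck1 = 1u << 0, ck7 = 1u << 6 };

// Which checks apply to which attribute of an EC private key object (assumed
// table): CKA_VALUE holds the private value, so it carries ck7.
static const std::map<AttrType, unsigned> kEcPrivKeyChecks = {
    {CKA_CLASS, ck1}, {CKA_KEY_TYPE, ck1}, {CKA_SENSITIVE, 0},
    {CKA_EXTRACTABLE, 0}, {CKA_VALUE, ck7}, {CKA_LABEL, 0}};

using Template = std::map<AttrType, long>;  // attribute -> value (flag, type id or secret)

// Helper: read a boolean attribute, falling back to an assumed model default.
static bool flag(const Template& obj, AttrType t, bool dflt) {
    auto it = obj.find(t);
    return it == obj.end() ? dflt : it->second != 0;
}

// C_CreateObject-style enforcement of ck1: every ck1 attribute must be present
// in the template, otherwise the object is not created at all.
Rv createObject(const Template& tmpl, Template& out) {
    for (const auto& entry : kEcPrivKeyChecks)
        if ((entry.second & ck1) && !tmpl.count(entry.first)) return CKR_TEMPLATE_INCOMPLETE;
    out = tmpl;
    return CKR_OK;
}

// C_GetAttributeValue-style enforcement of ck7: a ck7 attribute of a sensitive
// or non-extractable object is refused rather than copied out, so the private
// value never leaves the object store.
Rv getAttributeValue(const Template& obj, AttrType type, long& value) {
    auto it = kEcPrivKeyChecks.find(type);
    if (it == kEcPrivKeyChecks.end() || !obj.count(type)) return CKR_ATTRIBUTE_TYPE_INVALID;
    bool sensitive = flag(obj, CKA_SENSITIVE, false);     // assumed default
    bool extractable = flag(obj, CKA_EXTRACTABLE, true);  // assumed default
    if ((it->second & ck7) && (sensitive || !extractable)) return CKR_ATTRIBUTE_SENSITIVE;
    value = obj.at(type);
    return CKR_OK;
}
```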
