[opensc-devel] PKCS#11 and read-only session

2009-12-08 Thread Aktiv Co. Aleksey Samsonov

Hello,
I propose a patch for PKCS#11

Fix: return CKR_SESSION_READ_ONLY from C_InitPIN, C_SetPIN, 
C_CreateObject, C_CopyObject, C_DestroyObject, C_SetAttributeValue, 
C_GenerateKey, C_GenerateKeyPair, C_UnwrapKey, C_DeriveKey if session is 
read-only.


PKCS#11:
C_InitPIN can only be called in the 'R/W SO Functions' state.

C_SetPIN can only be called in the 'R/W Public Session' state, 'R/W SO 
Functions' state, or 'R/W User Functions' state. An attempt to call it 
from a session in any other state fails with error CKR_SESSION_READ_ONLY.


Only session objects can be created/destroyed/modified 
(C_CreateObject/C_DestroyObject/C_SetAttributeValue) during a read-only 
session.


But,
http://www.opensc-project.org/opensc/browser/trunk/src/pkcs11/pkcs11-session.c?rev=3862#L344
Why does it need (#if 0)?

Any idea?

Index: src/pkcs11/pkcs11-object.c
===
--- src/pkcs11/pkcs11-object.c  (revision 3885)
+++ src/pkcs11/pkcs11-object.c  (working copy)
@@ -46,6 +46,11 @@
if (rv != CKR_OK)
goto out;
 
+   if (!(session-flags  CKF_RW_SESSION)) {
+   rv = CKR_SESSION_READ_ONLY;
+   goto out;
+   }
+
card = session-slot-card;
if (card-framework-create_object == NULL)
rv = CKR_FUNCTION_NOT_SUPPORTED;
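Review bot: The new test ahead of the create_object lookup rejects every call made from a read-only session, yet the PKCS#11 text quoted in this same message says session objects can still be created in a read-only session. The check should return CKR_SESSION_READ_ONLY only when the template requests a token object (CKA_TOKEN true) and let session-object creation continue to the framework.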
@@ -86,6 +91,11 @@
if (rv != CKR_OK)
goto out;
 
+   if (!(session-flags  CKF_RW_SESSION)) {
+   rv = CKR_SESSION_READ_ONLY;
+   goto out;
+   }
+
rv = pool_find_and_delete(session-slot-object_pool, hObject, 
(void**) object);
if (rv != CKR_OK)
goto out;
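Review bot: Because the CKF_RW_SESSION test runs before pool_find_and_delete, the object behind hObject is never looked up, so a read-only session is also refused when it destroys one of its own session objects, which the quoted spec text allows. Consider resolving the object first without removing it, returning CKR_SESSION_READ_ONLY only if it is a token object, and deleting it from the pool after that.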
@@ -193,6 +203,11 @@
if (rv != CKR_OK)
goto out;
 
+   if (!(session-flags  CKF_RW_SESSION)) {
+   rv = CKR_SESSION_READ_ONLY;
+   goto out;
+   }
+
rv = pool_find(session-slot-object_pool, hObject, (void**) object);
if (rv != CKR_OK)
goto out;
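Review bot: The read-only test sits above the pool_find call on hObject, so the decision is made before the target object is known and attribute changes on session objects are rejected as well. Moving the test below pool_find, where the object is available, would let it depend on whether the target is a token object, as the rule quoted in the message requires.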
@@ -871,6 +886,11 @@
if (rv != CKR_OK)
goto out;
 
+   if (!(session-flags  CKF_RW_SESSION)) {
+   rv = CKR_SESSION_READ_ONLY;
+   goto out;
+   }
+
slot = session-slot;
if (slot-card-framework-gen_keypair == NULL) {
rv = CKR_FUNCTION_NOT_SUPPORTED;
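Review bot: The check added above the gen_keypair lookup is unconditional and does not look at the key templates, so it also blocks a request for session keys from a read-only session. If gen_keypair in this framework can only ever produce token objects, the unconditional form is fine, but a one-line comment saying so is needed; otherwise the test should depend on CKA_TOKEN in the public and private key templates.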
@@ -916,6 +936,11 @@
if (rv != CKR_OK)
goto out;
 
+   if (!(session-flags  CKF_RW_SESSION)) {
+   rv = CKR_SESSION_READ_ONLY;
+   goto out;
+   }
+
rv = pool_find(session-slot-object_pool, hUnwrappingKey,
(void**) object);
if (rv != CKR_OK) {
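Review bot: The description names ten functions, including C_CopyObject, C_GenerateKey and C_DeriveKey, but this hunk on the hUnwrappingKey path is the last of five in pkcs11-object.c and none of them appears to touch those three. Either add the same check to those entry points or trim the list in the commit message so it matches what the patch changes. The test here is also unconditional, placed before pool_find, so it has the same session-object question as the earlier hunks.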
Index: src/pkcs11/pkcs11-session.c
===
--- src/pkcs11/pkcs11-session.c (revision 3885)
+++ src/pkcs11/pkcs11-session.c (working copy)
@@ -307,6 +307,11 @@
if (rv != CKR_OK)
goto out;
 
+   if (!(session-flags  CKF_RW_SESSION)) {
+   rv = CKR_SESSION_READ_ONLY;
+   goto out;
+   }
+
slot = session-slot;
if (slot-login_user != CKU_SO) {
rv = CKR_USER_NOT_LOGGED_IN;
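Review bot: With the read-only test placed above the login_user comparison against CKU_SO, a caller in a read-only session that is not logged in as SO now receives CKR_SESSION_READ_ONLY where it used to receive CKR_USER_NOT_LOGGED_IN. That is consistent with the quoted rule that C_InitPIN is only valid in the 'R/W SO Functions' state, but the change in error precedence is visible to applications and should be stated in the commit message or in a short comment next to the check.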
@@ -341,12 +346,11 @@
goto out;
 
sc_debug(context, Changing PIN (session %d)\n, hSession);
-#if 0
-   if (!(ses-flags  CKF_RW_SESSION)) {
+
+   if (!(session-flags  CKF_RW_SESSION)) {
rv = CKR_SESSION_READ_ONLY;
goto out;
}
-#endif
 
slot = session-slot;
rv = slot-card-framework-change_pin(slot-card, slot-fw_data,
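Review bot: The re-enabled check comes after the sc_debug "Changing PIN" line, so a call that is rejected with CKR_SESSION_READ_ONLY is still logged as a PIN change; move the check above the debug call or log the rejection separately. The removed block used the name ses while the live code uses session, and the patch does not say why the check was disabled, so the commit message should record that reason and why enabling it is safe now.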
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
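
The session rules quoted in the message above, as an added C example (not OpenSC code and not part of the posted patch): PIN management needs an R/W session outright, while object creation in a read-only session is refused only when the template asks for a token object. The helper names are hypothetical, and the PKCS#11 types and constants are redefined locally (an assumption made so the file builds without pkcs11.h).

```c
#include <stddef.h>
#include <stdio.h>

/* Local stand-ins for pkcs11.h; constant values follow the PKCS#11 headers. */
typedef unsigned long CK_ULONG, CK_RV, CK_FLAGS, CK_ATTRIBUTE_TYPE;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKR_OK                0x00000000UL
#define CKR_SESSION_READ_ONLY 0x000000B5UL
#define CKF_RW_SESSION        0x00000002UL
#define CKA_TOKEN             0x00000001UL
#define CK_FALSE              0

/* Hypothetical helper: does the template request a token object?
 * An absent CKA_TOKEN means a session object (the PKCS#11 default).
 * A malformed CKA_TOKEN is treated as a token request (fail closed);
 * a real module would report CKR_ATTRIBUTE_VALUE_INVALID instead. */
static int template_wants_token_object(const CK_ATTRIBUTE *tmpl, CK_ULONG n)
{
    for (CK_ULONG i = 0; i < n; i++) {
        if (tmpl[i].type != CKA_TOKEN)
            continue;
        if (tmpl[i].pValue == NULL || tmpl[i].ulValueLen != sizeof(CK_BBOOL))
            return 1;
        return *(const CK_BBOOL *)tmpl[i].pValue != CK_FALSE;
    }
    return 0;
}

/* Hypothetical check for template-based creation (C_CreateObject style). */
CK_RV check_create_allowed(CK_FLAGS flags, const CK_ATTRIBUTE *tmpl, CK_ULONG n)
{
    if (flags & CKF_RW_SESSION)
        return CKR_OK;                      /* R/W session: no restriction here */
    return template_wants_token_object(tmpl, n) ? CKR_SESSION_READ_ONLY : CKR_OK;
}

/* Hypothetical check for C_InitPIN / C_SetPIN: R/W session required. */
CK_RV check_pin_change_allowed(CK_FLAGS flags)
{
    return (flags & CKF_RW_SESSION) ? CKR_OK : CKR_SESSION_READ_ONLY;
}

int main(void)
{
    CK_BBOOL on_token = 1;                  /* constructed sample template */
    CK_ATTRIBUTE tmpl[] = { { CKA_TOKEN, &on_token, sizeof on_token } };
    printf("R/O, token object:   0x%lx\n", check_create_allowed(0, tmpl, 1));
    printf("R/O, session object: 0x%lx\n", check_create_allowed(0, NULL, 0));
    printf("R/O, PIN change:     0x%lx\n", check_pin_change_allowed(0));
    return 0;
}
```

For C_DestroyObject and C_SetAttributeValue the same decision is made from the CKA_TOKEN value of the existing object rather than from a template.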

Re: [opensc-devel] PKCS#11 and read-only session

2009-12-08 Thread Martin Paljak
Hi Aleksey,

On 08.12.2009, at 13:23, Aktiv Co. Aleksey Samsonov wrote:
> I propose a patch for PKCS#11
>
> Fix: return CKR_SESSION_READ_ONLY from C_InitPIN, C_SetPIN, C_CreateObject,
> C_CopyObject, C_DestroyObject, C_SetAttributeValue, C_GenerateKey,
> C_GenerateKeyPair, C_UnwrapKey, C_DeriveKey if session is read-only.
I don't think that obvious fixes for spec conformance need any vetting period. 
+1 anyway.



> PKCS#11:
> C_InitPIN can only be called in the 'R/W SO Functions' state.
>
> C_SetPIN can only be called in the 'R/W Public Session' state, 'R/W SO
> Functions' state, or 'R/W User Functions' state. An attempt to call it from a
> session in any other state fails with error CKR_SESSION_READ_ONLY.
>
> Only session objects can be created/destroyed/modified
> (C_CreateObject/C_DestroyObject/C_SetAttributeValue) during a read-only
> session.
>
> But,
> http://www.opensc-project.org/opensc/browser/trunk/src/pkcs11/pkcs11-session.c?rev=3862#L344
> Why does it need (#if 0)?
See svn blame: r164. No further comments needed I guess.


-- 
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495






Re: [opensc-devel] PKCS#11 and read-only session

2009-12-08 Thread Aktiv Co. Aleksey Samsonov
Martin Paljak:
> I don't think that obvious fixes for spec conformance need any vetting
> period. +1 anyway.

Thanks. Committed at trunk revision 3886.