PKCS#11 bugs
Rickard Bellgrim
rickard at opendnssec.org
Tue Jun 14 12:35:17 CEST 2011
Hi
I am testing SoftHSM together with GnuTLS, just to see if the
certificate parts of SoftHSM work. I found some bugs in GnuTLS and I
have attached a patch for them.
1. You should change the variable tval to an unsigned char.
The attributes are of the type CK_BBOOL, which is equal to unsigned char.
2. I think you forgot to save the label for the private key, if it was
given by the user.
3. The CKA_SUBJECT must be specified for a certificate.
4. The p11tool has an option to mark a certificate as trusted when
importing it. The problem is that only the Security Officer can set it
to true. I do not have a patch for it. But the program has to log in
as an SO and change the attribute of this object. Remember that the SO
can only see public objects. You do not set the CKA_PRIVATE and the
default value is "token-specific". SoftHSM sets the CKA_PRIVATE to
true and thus it is not visible to the SO, since it is then a private
object.
// Rickard Bellgrim
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Missing-information-in-the-PKCS-11-templates.patch
Type: application/octet-stream
Size: 2127 bytes
Desc: not available
URL: </pipermail/attachments/20110614/8b68b765/attachment.obj>
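
The template issues from points 1, 3 and 4 of the message above, expressed as a pre-flight check on a PKCS#11 attribute template. This is an added example, not code from the attached patch or from GnuTLS. The types and constants are stand-ins for pkcs11.h with values from the PKCS#11 specification; lint_template, its flag names and both sample templates are hypothetical and constructed for illustration.

```c
#include <stddef.h>

/* Stand-ins for pkcs11.h so the example compiles alone; values follow the PKCS#11 spec. */
typedef unsigned char CK_BBOOL;
typedef unsigned long CK_ULONG;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CKA_CLASS = 0x0, CKA_TOKEN = 0x1, CKA_PRIVATE = 0x2, CKA_TRUSTED = 0x86,
       CKA_SUBJECT = 0x101, CKO_CERTIFICATE = 0x1 };
/* Hypothetical lint flags, not part of PKCS#11. */
enum { BAD_BOOL_LEN = 1, NO_SUBJECT = 2, PRIVATE_UNSET = 4, TRUSTED_NOT_SO = 8 };

/* Hypothetical helper: check a template before it goes to C_CreateObject. */
int lint_template(const CK_ATTRIBUTE *a, size_t n, int is_so) {
    int flags = 0, is_cert = 0, has_subject = 0, has_private = 0;
    for (size_t i = 0; i < n; i++) {
        int is_bool = a[i].type == CKA_TOKEN || a[i].type == CKA_PRIVATE ||
                      a[i].type == CKA_TRUSTED;
        if (is_bool && a[i].ulValueLen != sizeof(CK_BBOOL))
            flags |= BAD_BOOL_LEN;            /* e.g. value stored in an int */
        if (a[i].type == CKA_CLASS && a[i].ulValueLen == sizeof(CK_ULONG) &&
            *(const CK_ULONG *)a[i].pValue == CKO_CERTIFICATE) is_cert = 1;
        if (a[i].type == CKA_SUBJECT && a[i].ulValueLen > 0) has_subject = 1;
        if (a[i].type == CKA_PRIVATE) has_private = 1;
        if (a[i].type == CKA_TRUSTED && a[i].ulValueLen == sizeof(CK_BBOOL) &&
            *(const CK_BBOOL *)a[i].pValue && !is_so)
            flags |= TRUSTED_NOT_SO;          /* only the SO may set it to true */
    }
    if (is_cert && !has_subject) flags |= NO_SUBJECT;
    if (!has_private) flags |= PRIVATE_UNSET; /* default is token-specific */
    return flags;
}

/* Constructed sample: int-sized boolean, no subject, no CKA_PRIVATE, trusted as user. */
int lint_weak_sample(void) {
    CK_ULONG cls = CKO_CERTIFICATE; int tval = 1; CK_BBOOL yes = 1;
    CK_ATTRIBUTE t[] = { {CKA_CLASS, &cls, sizeof cls}, {CKA_TOKEN, &tval, sizeof tval},
                         {CKA_TRUSTED, &yes, sizeof yes} };
    return lint_template(t, sizeof t / sizeof t[0], 0);
}

/* Constructed sample: CK_BBOOL values, subject present, explicitly public. */
int lint_fixed_sample(void) {
    CK_ULONG cls = CKO_CERTIFICATE; CK_BBOOL yes = 1, no = 0;
    unsigned char subject[] = { 0x30, 0x00 };  /* placeholder DER: empty SEQUENCE */
    CK_ATTRIBUTE t[] = { {CKA_CLASS, &cls, sizeof cls}, {CKA_TOKEN, &yes, sizeof yes},
                         {CKA_PRIVATE, &no, sizeof no}, {CKA_SUBJECT, subject, sizeof subject} };
    return lint_template(t, sizeof t / sizeof t[0], 0);
}
```

The weak sample raises all four flags; the fixed sample raises none.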