PKCS#11 bugs

Rickard Bellgrim rickard at opendnssec.org
Tue Jun 14 13:56:20 CEST 2011


And it also applies to:

rickard at fou:~/gnutls/lib$ grep -n "unsigned int tval" *
pkcs11.c:1057:  unsigned int tval;
pkcs11_secret.c:61:  unsigned int tval = 1;


On Tue, Jun 14, 2011 at 12:35 PM, Rickard Bellgrim
<rickard at opendnssec.org> wrote:
> Hi
>
> I am testing SoftHSM together with GnuTLS, just to see if the
> certificate parts of SoftHSM works. I found some bugs in GnuTLS and I
> have attached a patch for them.
>
> 1.
> You should change the variable tval to an unsigned char.
> The attributes are of the type CK_BBOOL, which is equal to unsigned char.
>
> 2.
> I think you forgot to save the label for the private key, if it was
> given by the user.
>
> 3.
> The CKA_SUBJECT must be specified for a certificate.
>
> 4.
> The p11tool has an option to mark a certificate as trusted when
> importing it. The problem is that only the Security Officer can set it
> to true. I do not have a patch for it. But the program have to login
> as a SO and change the attribute of this object. Remember that the SO
> can only see public objects. You do not set the CKA_PRIVATE and the
> default value is "token-specific". SoftHSM sets the CKA_PRIVATE to
> true and thus not visible for the SO since it then is a private
> object.
>
> // Rickard Bellgrim
>




More information about the Gnutls-devel mailing list