Discussion:
[Opendnssec-user] Question about P11Attributes checks
Dave Fine
2017-10-11 21:34:14 UTC
Permalink
Hello,

I have a question regarding P11Attributes.h the SoftHSMv2 code base. In
this file, there is an enum that defines a number of `ck` checks. As an
example, ck1 seems to be reserved for when an attribute is required while
creating an object. Therefore, I would expect ck1 to be set on P11Attribute
child classes such as P11AttrClass, and P11AttrToken (to enforce requiring
CKA_CLASS and CKA_TOKEN). However, I see that ck1 is not used for
P11AttrToken. Instead I see P11AttrCertificateType uses a ck1 check, which
is not something I would think be required when creating an object. For
example, why would CKA_CERTIFICATE_TYPE be required, if you were creating a
key object?

Could someone clear up how the `ck` checks are supposed to be used? Perhaps
I am not understanding it correctly.

Thank you,
-Dave
Rickard Bellgrim
2017-10-12 15:09:34 UTC
Permalink
Hi Dave

The checks comes from PKCS#11 [1] and is enforced according to it. You can
cross-reference all the attributes with PKCS#11.

ck1 is set for CKA_CLASS [2], but CKA_TOKEN is an optional attribute that
will default to CK_FALSE and is not required when creating an object.

CKA_CERTIFICATE_TYPE is only used by certificate object and will not be
required for key objects. You can check how the attributes are used in
P11Objects.cpp [3] and also in the PKCS#11 standard.

[1]
http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html
[2]
https://github.com/opendnssec/SoftHSMv2/blob/develop/src/lib/P11Attributes.h#L140
[3]
https://github.com/opendnssec/SoftHSMv2/blob/develop/src/lib/P11Objects.cpp

// Rickard
Post by Dave Fine
Hello,
I have a question regarding P11Attributes.h the SoftHSMv2 code base. In
this file, there is an enum that defines a number of `ck` checks. As an
example, ck1 seems to be reserved for when an attribute is required while
creating an object. Therefore, I would expect ck1 to be set on P11Attribute
child classes such as P11AttrClass, and P11AttrToken (to enforce
requiring CKA_CLASS and CKA_TOKEN). However, I see that ck1 is not used for
P11AttrToken. Instead I see P11AttrCertificateType uses a ck1 check,
which is not something I would think be required when creating an object.
For example, why would CKA_CERTIFICATE_TYPE be required, if you were
creating a key object?
Could someone clear up how the `ck` checks are supposed to be used?
Perhaps I am not understanding it correctly.
Thank you,
-Dave
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
Dave Fine
2017-10-23 15:13:12 UTC
Permalink
Thank you for the information. I still don't see where in the code that any
of these `ck` checks are enforced though. For example, who enforces `ck7`
on a P11ECPrivateKeyObj, so that a sensitive key cannot be revealed?

Thank you,
-Dave
Post by Rickard Bellgrim
Hi Dave
The checks comes from PKCS#11 [1] and is enforced according to it. You can
cross-reference all the attributes with PKCS#11.
ck1 is set for CKA_CLASS [2], but CKA_TOKEN is an optional attribute that
will default to CK_FALSE and is not required when creating an object.
CKA_CERTIFICATE_TYPE is only used by certificate object and will not be
required for key objects. You can check how the attributes are used in
P11Objects.cpp [3] and also in the PKCS#11 standard.
[1]
http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html
[2]
https://github.com/opendnssec/SoftHSMv2/blob/develop/src/lib/P11Attributes.h#L140
[3]
https://github.com/opendnssec/SoftHSMv2/blob/develop/src/lib/P11Objects.cpp
// Rickard
Post by Dave Fine
Hello,
I have a question regarding P11Attributes.h the SoftHSMv2 code base. In
this file, there is an enum that defines a number of `ck` checks. As an
example, ck1 seems to be reserved for when an attribute is required while
creating an object. Therefore, I would expect ck1 to be set on P11Attribute
child classes such as P11AttrClass, and P11AttrToken (to enforce
requiring CKA_CLASS and CKA_TOKEN). However, I see that ck1 is not used for
P11AttrToken. Instead I see P11AttrCertificateType uses a ck1 check,
which is not something I would think be required when creating an object.
For example, why would CKA_CERTIFICATE_TYPE be required, if you were
creating a key object?
Could someone clear up how the `ck` checks are supposed to be used?
Perhaps I am not understanding it correctly.
Thank you,
-Dave
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
Rickard Bellgrim
2017-10-23 17:28:02 UTC
Permalink
Hi Dave, the third search result for "ck7" will show where it is enforced.

https://github.com/opendnssec/SoftHSMv2/search?q=ck7

// Rickard
Post by Dave Fine
Thank you for the information. I still don't see where in the code that
any of these `ck` checks are enforced though. For example, who enforces
`ck7` on a P11ECPrivateKeyObj, so that a sensitive key cannot be revealed?
Thank you,
-Dave
Post by Rickard Bellgrim
Hi Dave
The checks comes from PKCS#11 [1] and is enforced according to it. You
can cross-reference all the attributes with PKCS#11.
ck1 is set for CKA_CLASS [2], but CKA_TOKEN is an optional attribute that
will default to CK_FALSE and is not required when creating an object.
CKA_CERTIFICATE_TYPE is only used by certificate object and will not be
required for key objects. You can check how the attributes are used in
P11Objects.cpp [3] and also in the PKCS#11 standard.
[1] http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/
os/pkcs11-base-v2.40-os.html
[2] https://github.com/opendnssec/SoftHSMv2/blob/
develop/src/lib/P11Attributes.h#L140
[3] https://github.com/opendnssec/SoftHSMv2/blob/
develop/src/lib/P11Objects.cpp
// Rickard
Post by Dave Fine
Hello,
I have a question regarding P11Attributes.h the SoftHSMv2 code base. In
this file, there is an enum that defines a number of `ck` checks. As an
example, ck1 seems to be reserved for when an attribute is required while
creating an object. Therefore, I would expect ck1 to be set on P11Attribute
child classes such as P11AttrClass, and P11AttrToken (to enforce
requiring CKA_CLASS and CKA_TOKEN). However, I see that ck1 is not used for
P11AttrToken. Instead I see P11AttrCertificateType uses a ck1 check,
which is not something I would think be required when creating an object.
For example, why would CKA_CERTIFICATE_TYPE be required, if you were
creating a key object?
Could someone clear up how the `ck` checks are supposed to be used?
Perhaps I am not understanding it correctly.
Thank you,
-Dave
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
Loading...