Service Développement wrote:
...
> I agree with you that objects are created with PIN protection if auth_id is empty. But, it's not the goal of this modification.
^ a 'not' is missing here
>
> The pkcs#11 documentation says that "The common Objects attributes CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL must be specified when object is created."
>
> So, my application has to create some data objects with the attribute CKA_PRIVATE set to TRUE, and others with CKA_PRIVATE set to FALSE.
> Without this modification (flag receives SC_PKCS15_CO_FLAG_PRIVATE), when this application lists the different created data objects, all of them have the CKA_PRIVATE attribute set to FALSE!! Why? Because, by default, data objects in pkcs#15 are created with DEFAULT_DATA_FLAGS (0x02) in the function sc_pkcs15init_new_object.
> The CKA_PRIVATE attribute is not managed between the opensc pkcs#11 structure and the different pkcs#15 structures. There is no parameter to change it.
one might consider this a bug ... Perhaps one should set the 'private' flag in sc_pkcs15init_new_object() if and only if the auth_id object isn't empty (well, except for pin objects perhaps ...).
>
> That's why I added this modification. I think that if PKCS#11 allows the management of the CKA_PRIVATE attribute, PKCS#15 has to manage it too.
> Maybe there is another solution with the existing parameters, but I didn't find how to do it...
>
> So, to conclude, this modification is not made for protecting the data objects, but it allows an application to differentiate private data and public data.
hmmm, "private" data objects are by definition protected
Cheers,
Nils
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
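To make the three behaviours discussed in this exchange concrete, here is an added C example (not code from OpenSC or from either poster) that models how sc_pkcs15init_new_object() could derive the PKCS#15 common-object flags: the reported default, the poster's patch that copies CKA_PRIVATE, and Nils's rule that ties "private" to a non-empty auth_id, plus a check that a private flag is actually backed by an auth_id. The struct new_object_args and all function names are assumptions for illustration; the flag constants mirror OpenSC's pkcs15.h, where 0x02 is the DEFAULT_DATA_FLAGS value quoted above.

```c
#include <stdbool.h>
#include <stddef.h>

/* Values as defined in OpenSC's pkcs15.h; 0x02 matches the quoted default. */
#define SC_PKCS15_CO_FLAG_PRIVATE    0x01
#define SC_PKCS15_CO_FLAG_MODIFIABLE 0x02
#define DEFAULT_DATA_FLAGS           SC_PKCS15_CO_FLAG_MODIFIABLE

/* Hypothetical stand-in for what sc_pkcs15init_new_object() would need. */
struct new_object_args {
    bool   cka_private;   /* CKA_PRIVATE from the PKCS#11 template */
    size_t auth_id_len;   /* 0 means no auth_id, i.e. no PIN guards it */
    bool   is_pin_object; /* PIN objects are excluded from Nils's rule */
};

/* Behaviour reported in the thread: the template is ignored and every
 * data object receives DEFAULT_DATA_FLAGS. */
unsigned int flags_before_patch(const struct new_object_args *a)
{
    (void)a;
    return DEFAULT_DATA_FLAGS;
}

/* The poster's patch: copy CKA_PRIVATE into SC_PKCS15_CO_FLAG_PRIVATE. */
unsigned int flags_from_template(const struct new_object_args *a)
{
    unsigned int flags = DEFAULT_DATA_FLAGS;
    if (a->cka_private)
        flags |= SC_PKCS15_CO_FLAG_PRIVATE;
    return flags;
}

/* Nils's alternative: "private" iff an auth_id (a PIN) protects the object,
 * so the flag never claims more or less protection than the card enforces. */
unsigned int flags_from_auth_id(const struct new_object_args *a)
{
    unsigned int flags = DEFAULT_DATA_FLAGS;
    if (a->auth_id_len > 0 && !a->is_pin_object)
        flags |= SC_PKCS15_CO_FLAG_PRIVATE;
    return flags;
}

/* What the PKCS#11 layer reports as CKA_PRIVATE for a stored object. */
bool cka_private_seen_by_app(unsigned int pkcs15_flags)
{
    return (pkcs15_flags & SC_PKCS15_CO_FLAG_PRIVATE) != 0;
}

/* Consistency check: a private flag must be backed by an auth_id. */
bool flag_consistent(unsigned int pkcs15_flags, size_t auth_id_len)
{
    return !cka_private_seen_by_app(pkcs15_flags) || auth_id_len > 0;
}
```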