Edited according to PR review: CKA_ALWAYS_AUTHENTICATE is only associated with private keys, so a custom attribute was defined to achieve the same functionality with secret keys. Updated man pages.
This commit is contained in:
parent
ee8c80af4f
commit
9e5a324903
|
@ -444,6 +444,15 @@
|
|||
viewable after a login).</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>
|
||||
<option>--always-auth</option>
|
||||
</term>
|
||||
<listitem><para>Set the CKA_ALWAYS_AUTHENTICATE attribute to a private key object.
|
||||
If set, the user has to supply the PIN for each use (sign or decrypt) with the key.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>
|
||||
<option>--test-ec</option>
|
||||
|
|
|
@ -873,6 +873,20 @@ puk 87654321
|
|||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>
|
||||
<option>--user-consent</option> <replaceable>arg</replaceable>
|
||||
</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specify user-consent. <replaceable>arg</replaceable> is an integer value.
|
||||
If > 0, the value specifies how many times the
|
||||
object can be accessed before a new authentication is required.
|
||||
If zero, the object does not require re-authentication.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>
|
||||
<option>--insecure</option>
|
||||
|
|
|
@ -2323,7 +2323,7 @@ pkcs15_create_secret_key(struct sc_pkcs11_slot *slot, struct sc_profile *profile
|
|||
if (pkcs15_check_bool_cka(attr, 1))
|
||||
args.access_flags |= SC_PKCS15_PRKEY_ACCESS_EXTRACTABLE;
|
||||
break;
|
||||
case CKA_ALWAYS_AUTHENTICATE:
|
||||
case CKA_OPENSC_ALWAYS_AUTH_ANY_OBJECT:
|
||||
args.user_consent = (int) (pkcs15_check_bool_cka(attr, 1));
|
||||
break;
|
||||
default:
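Review bot: The case label that replaces CKA_ALWAYS_AUTHENTICATE with the vendor attribute carries no comment saying why, and the assignment that follows silently narrows an integer field to 0/1: PKCS#15 userConsent is a count (pkcs15-init's --user-consent takes any integer), whereas this path can only ever store the boolean result of pkcs15_check_bool_cka(). I would put `/* PKCS#11 defines CKA_ALWAYS_AUTHENTICATE for private keys only; for secret keys the vendor attribute maps a CK_BBOOL onto PKCS#15 userConsent (1 = PIN required on every use). */` above the case so the next maintainer does not re-add the standard attribute here. Note that a CKA_ALWAYS_AUTHENTICATE supplied in a secret-key template now reaches the default branch, whose behaviour is outside the hunk; pkcs15_create_secret_key itself starts outside the hunk as well.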
|
||||
|
@ -4845,9 +4845,9 @@ pkcs15_skey_get_attribute(struct sc_pkcs11_session *session,
|
|||
&& (skey->base.p15_object->flags & SC_PKCS15_PRKEY_ACCESS_NEVEREXTRACTABLE) == 0
|
||||
&& (skey->base.p15_object->flags & SC_PKCS15_PRKEY_ACCESS_ALWAYSSENSITIVE) == 0) ? CK_TRUE : CK_FALSE;
|
||||
break;
|
||||
case CKA_ALWAYS_AUTHENTICATE:
|
||||
case CKA_OPENSC_ALWAYS_AUTH_ANY_OBJECT:
|
||||
check_attribute_buffer(attr, sizeof(CK_BBOOL));
|
||||
*(CK_BBOOL*)attr->pValue = skey->base.p15_object->user_consent;
|
||||
*(CK_BBOOL*)attr->pValue = skey->base.p15_object->user_consent == 1 ? CK_TRUE : CK_FALSE;
|
||||
break;
|
||||
case CKA_VALUE_LEN:
|
||||
check_attribute_buffer(attr, sizeof(CK_ULONG));
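Review bot: The rewritten read-back on the second changed line reports CK_TRUE only when userConsent is exactly 1, so a secret key created with pkcs15-init --user-consent N for N > 1 (documented in this commit's man page as "N accesses before a new authentication is required") reads back as CK_FALSE even though the card will demand the PIN again; an application using the attribute to decide whether to re-login would be misled. If the attribute is meant to answer "does this key ever require re-authentication", the comparison should be `*(CK_BBOOL*)attr->pValue = skey->base.p15_object->user_consent > 0 ? CK_TRUE : CK_FALSE;` (user_consent is an int, per the cast in the create path). If it is deliberately limited to the userConsent == 1 case, that restriction should be stated in a comment next to the case so callers do not treat it as a security indicator. pkcs15_skey_get_attribute starts outside the hunk.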
|
||||
|
|
|
@ -20,4 +20,10 @@
|
|||
|
||||
#define CKA_SPKI (CKA_VENDOR_DEFINED | SC_VENDOR_DEFINED | 2UL)
|
||||
|
||||
/* In PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute is only associated with private keys.
|
||||
* The corresponding userConsent field in PKCS#15 is allowed for any object type. This attribute can be used
|
||||
* to set userConsent=1 for other objects than private keys via PKCS#11. */
|
||||
#define CKA_OPENSC_ALWAYS_AUTH_ANY_OBJECT (CKA_VENDOR_DEFINED | SC_VENDOR_DEFINED | 3UL)
|
||||
|
||||
|
||||
#endif
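Review bot: The comment above the new define says userConsent "is allowed for any object type" and the macro name promises ANY_OBJECT, yet the only consumers this commit wires up are the secret-key create and get-attribute paths, so a reader of the header will overestimate where the attribute is honoured; the attribute's PKCS#11 type is also left implicit. I would extend the comment with `/* Type: CK_BBOOL. Currently honoured for secret keys only; other object classes need their own create/get handling. */`. It is also worth confirming that 3UL is not already used by another SC_VENDOR_DEFINED attribute above this hunk, since only CKA_SPKI (2UL) is visible here.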
|
||||
|
|
|
@ -217,12 +217,12 @@ static const struct option options[] = {
|
|||
{ "verbose", 0, NULL, 'v' },
|
||||
{ "private", 0, NULL, OPT_PRIVATE },
|
||||
{ "sensitive", 0, NULL, OPT_SENSITIVE },
|
||||
{ "always-auth", 0, NULL, OPT_ALWAYS_AUTH },
|
||||
{ "test-ec", 0, NULL, OPT_TEST_EC },
|
||||
#ifndef _WIN32
|
||||
{ "test-fork", 0, NULL, OPT_TEST_FORK },
|
||||
#endif
|
||||
{ "generate-random", 1, NULL, OPT_GENERATE_RANDOM },
|
||||
{ "always-auth", 0, NULL, OPT_ALWAYS_AUTH },
|
||||
|
||||
{ NULL, 0, NULL, 0 }
|
||||
};
|
||||
|
@ -289,12 +289,12 @@ static const char *option_help[] = {
|
|||
"Verbose operation. (Set OPENSC_DEBUG to enable OpenSC specific debugging)",
|
||||
"Set the CKA_PRIVATE attribute (object is only viewable after a login)",
|
||||
"Set the CKA_SENSITIVE attribute (object cannot be revealed in plaintext)",
|
||||
"Set the CKA_ALWAYS_AUTHENTICATE attribute to a key object (require PIN verification for each use)",
|
||||
"Test EC (best used with the --login or --pin option)",
|
||||
#ifndef _WIN32
|
||||
"Test forking and calling C_Initialize() in the child",
|
||||
#endif
|
||||
"Generate given amount of random data",
|
||||
"Set the CKA_ALWAYS_AUTHENTICATE attribute to a key object (require PIN verification for each use)",
|
||||
"Generate given amount of random data"
|
||||
};
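Review bot: The relocated help string still says the attribute is set "to a key object", while the man page in this commit and the commit message restrict CKA_ALWAYS_AUTHENTICATE to private keys, and the gen_key change elsewhere on this page drops the attribute from the secret-key template, so `--always-auth` during secret-key generation is now silently ignored. I would change the string to `"Set the CKA_ALWAYS_AUTHENTICATE attribute to a private key object (require PIN verification for each use)"` and have gen_key either pass CKA_OPENSC_ALWAYS_AUTH_ANY_OBJECT or print a warning that the flag has no effect for secret keys, rather than dropping a user-requested security property without notice. The entry's position must stay aligned with the parallel options[] table, which the matching hunk appears to do.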
|
||||
|
||||
static const char * app_name = "pkcs11-tool"; /* for utils.c */
|
||||
|
@ -2511,12 +2511,6 @@ gen_key(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hSecretKey
|
|||
FILL_ATTR(keyTemplate[n_attr], CKA_VALUE_LEN, &key_length, sizeof(key_length));
|
||||
n_attr++;
|
||||
|
||||
if (opt_always_auth != 0) {
|
||||
FILL_ATTR(keyTemplate[n_attr], CKA_ALWAYS_AUTHENTICATE,
|
||||
&_true, sizeof(_true));
|
||||
n_attr++;
|
||||
}
|
||||
|
||||
mechanism.mechanism = opt_mechanism;
|
||||
}
|
||||
|
||||
|
|
|
@ -206,6 +206,7 @@ const struct option options[] = {
|
|||
{ "update-existing", no_argument, NULL, OPT_UPDATE_EXISTING},
|
||||
|
||||
{ "extractable", no_argument, NULL, OPT_EXTRACTABLE },
|
||||
{ "user-consent", required_argument, NULL, OPT_USER_CONSENT},
|
||||
{ "insecure", no_argument, NULL, OPT_INSECURE },
|
||||
{ "use-default-transport-keys",
|
||||
no_argument, NULL, 'T' },
|
||||
|
@ -219,7 +220,6 @@ const struct option options[] = {
|
|||
{ "wait", no_argument, NULL, 'w' },
|
||||
{ "help", no_argument, NULL, 'h' },
|
||||
{ "verbose", no_argument, NULL, 'v' },
|
||||
{ "user-consent", required_argument, NULL, OPT_USER_CONSENT},
|
||||
|
||||
/* Hidden options for testing */
|
||||
{ "assert-pristine", no_argument, NULL, OPT_ASSERT_PRISTINE },
|
||||
|
@ -273,6 +273,7 @@ static const char * option_help[] = {
|
|||
"Store or update existing certificate",
|
||||
|
||||
"Private key stored as an extractable key",
|
||||
"Set userConsent. Default = 0",
|
||||
"Insecure mode: do not require a PIN for private key",
|
||||
"Do not ask for transport keys if the driver thinks it knows the key",
|
||||
"Do not prompt the user; if no PINs supplied, pinpad will be used",
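Review bot: The new help text `"Set userConsent. Default = 0"` does not tell the user what the integer means, whereas the man page hunk in this commit explains it as the number of accesses allowed before re-authentication; the two should agree so a user does not pass a boolean by mistake. I would make it `"Set userConsent: number of uses before the PIN is required again, 0 = never (default)"`. The enclosing option_help array starts outside the hunk.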
|
||||
|
@ -285,7 +286,6 @@ static const char * option_help[] = {
|
|||
"Wait for card insertion",
|
||||
"Display this message",
|
||||
"Verbose operation. Use several times to enable debug output.",
|
||||
"Set userConsent. Default = 0",
|
||||
|
||||
NULL,
|
||||
NULL,
|
||||
|
|