Edited according to PR review: CKA_ALWAYS_AUTHENTICATE only associated with private keys. Defined a custom attribute to achieve same functionality with secret keys. Updated man pages.
This commit is contained in:
Hannu Honkanen
Frank Morgner
parent
ee8c80af4f
commit
9e5a324903
|
|
@ -444,6 +444,15 @@
|
||||||
viewable after a login).</para></listitem>
|
viewable after a login).</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>
|
||||||
|
<option>--always-auth</option>
|
||||||
|
</term>
|
||||||
|
<listitem><para>Set the CKA_ALWAYS_AUTHENTICATE attribute to a private key object.
|
||||||
|
If set, the user has to supply the PIN for each use (sign or decrypt) with the key.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>
|
<term>
|
||||||
<option>--test-ec</option>
|
<option>--test-ec</option>
|
||||||
|
|
|
||||||
|
|
@ -873,6 +873,20 @@ puk 87654321
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>
|
||||||
|
<option>--user-consent</option> <replaceable>arg</replaceable>
|
||||||
|
</term>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
Specify user-consent. <replaceable>arg</replaceable> is an integer value.
|
||||||
|
If > 0, the value specifies how many times the
|
||||||
|
object can be accessed before a new authentication is required.
|
||||||
|
If zero, the object does not require re-authentication.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>
|
<term>
|
||||||
<option>--insecure</option>
|
<option>--insecure</option>
|
||||||
|
|
|
||||||
|
|
@ -2323,7 +2323,7 @@ pkcs15_create_secret_key(struct sc_pkcs11_slot *slot, struct sc_profile *profile
|
||||||
if (pkcs15_check_bool_cka(attr, 1))
|
if (pkcs15_check_bool_cka(attr, 1))
|
||||||
args.access_flags |= SC_PKCS15_PRKEY_ACCESS_EXTRACTABLE;
|
args.access_flags |= SC_PKCS15_PRKEY_ACCESS_EXTRACTABLE;
|
||||||
break;
|
break;
|
||||||
case CKA_ALWAYS_AUTHENTICATE:
|
case CKA_OPENSC_ALWAYS_AUTH_ANY_OBJECT:
|
||||||
args.user_consent = (int) (pkcs15_check_bool_cka(attr, 1));
|
args.user_consent = (int) (pkcs15_check_bool_cka(attr, 1));
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
|
|
@ -4845,9 +4845,9 @@ pkcs15_skey_get_attribute(struct sc_pkcs11_session *session,
|
||||||
&& (skey->base.p15_object->flags & SC_PKCS15_PRKEY_ACCESS_NEVEREXTRACTABLE) == 0
|
&& (skey->base.p15_object->flags & SC_PKCS15_PRKEY_ACCESS_NEVEREXTRACTABLE) == 0
|
||||||
&& (skey->base.p15_object->flags & SC_PKCS15_PRKEY_ACCESS_ALWAYSSENSITIVE) == 0) ? CK_TRUE : CK_FALSE;
|
&& (skey->base.p15_object->flags & SC_PKCS15_PRKEY_ACCESS_ALWAYSSENSITIVE) == 0) ? CK_TRUE : CK_FALSE;
|
||||||
break;
|
break;
|
||||||
case CKA_ALWAYS_AUTHENTICATE:
|
case CKA_OPENSC_ALWAYS_AUTH_ANY_OBJECT:
|
||||||
check_attribute_buffer(attr, sizeof(CK_BBOOL));
|
check_attribute_buffer(attr, sizeof(CK_BBOOL));
|
||||||
*(CK_BBOOL*)attr->pValue = skey->base.p15_object->user_consent;
|
*(CK_BBOOL*)attr->pValue = skey->base.p15_object->user_consent == 1 ? CK_TRUE : CK_FALSE;
|
||||||
break;
|
break;
|
||||||
case CKA_VALUE_LEN:
|
case CKA_VALUE_LEN:
|
||||||
check_attribute_buffer(attr, sizeof(CK_ULONG));
|
check_attribute_buffer(attr, sizeof(CK_ULONG));
|
||||||
|
|
|
||||||
|
|
@ -20,4 +20,10 @@
|
||||||
|
|
||||||
#define CKA_SPKI (CKA_VENDOR_DEFINED | SC_VENDOR_DEFINED | 2UL)
|
#define CKA_SPKI (CKA_VENDOR_DEFINED | SC_VENDOR_DEFINED | 2UL)
|
||||||
|
|
||||||
|
/* In PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute is only associated with private keys.
|
||||||
|
* The corresponding userConsent field in PKCS#15 is allowed for any object type. This attribute can be used
|
||||||
|
* to set userConsent=1 for other objects than private keys via PKCS#11. */
|
||||||
|
#define CKA_OPENSC_ALWAYS_AUTH_ANY_OBJECT (CKA_VENDOR_DEFINED | SC_VENDOR_DEFINED | 3UL)
|
||||||
|
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
|
||||||
|
|
@ -217,12 +217,12 @@ static const struct option options[] = {
|
||||||
{ "verbose", 0, NULL, 'v' },
|
{ "verbose", 0, NULL, 'v' },
|
||||||
{ "private", 0, NULL, OPT_PRIVATE },
|
{ "private", 0, NULL, OPT_PRIVATE },
|
||||||
{ "sensitive", 0, NULL, OPT_SENSITIVE },
|
{ "sensitive", 0, NULL, OPT_SENSITIVE },
|
||||||
|
{ "always-auth", 0, NULL, OPT_ALWAYS_AUTH },
|
||||||
{ "test-ec", 0, NULL, OPT_TEST_EC },
|
{ "test-ec", 0, NULL, OPT_TEST_EC },
|
||||||
#ifndef _WIN32
|
#ifndef _WIN32
|
||||||
{ "test-fork", 0, NULL, OPT_TEST_FORK },
|
{ "test-fork", 0, NULL, OPT_TEST_FORK },
|
||||||
#endif
|
#endif
|
||||||
{ "generate-random", 1, NULL, OPT_GENERATE_RANDOM },
|
{ "generate-random", 1, NULL, OPT_GENERATE_RANDOM },
|
||||||
{ "always-auth", 0, NULL, OPT_ALWAYS_AUTH },
|
|
||||||
|
|
||||||
{ NULL, 0, NULL, 0 }
|
{ NULL, 0, NULL, 0 }
|
||||||
};
|
};
|
||||||
|
|
@ -289,12 +289,12 @@ static const char *option_help[] = {
|
||||||
"Verbose operation. (Set OPENSC_DEBUG to enable OpenSC specific debugging)",
|
"Verbose operation. (Set OPENSC_DEBUG to enable OpenSC specific debugging)",
|
||||||
"Set the CKA_PRIVATE attribute (object is only viewable after a login)",
|
"Set the CKA_PRIVATE attribute (object is only viewable after a login)",
|
||||||
"Set the CKA_SENSITIVE attribute (object cannot be revealed in plaintext)",
|
"Set the CKA_SENSITIVE attribute (object cannot be revealed in plaintext)",
|
||||||
|
"Set the CKA_ALWAYS_AUTHENTICATE attribute to a key object (require PIN verification for each use)",
|
||||||
"Test EC (best used with the --login or --pin option)",
|
"Test EC (best used with the --login or --pin option)",
|
||||||
#ifndef _WIN32
|
#ifndef _WIN32
|
||||||
"Test forking and calling C_Initialize() in the child",
|
"Test forking and calling C_Initialize() in the child",
|
||||||
#endif
|
#endif
|
||||||
"Generate given amount of random data",
|
"Generate given amount of random data"
|
||||||
"Set the CKA_ALWAYS_AUTHENTICATE attribute to a key object (require PIN verification for each use)",
|
|
||||||
};
|
};
|
||||||
|
|
||||||
static const char * app_name = "pkcs11-tool"; /* for utils.c */
|
static const char * app_name = "pkcs11-tool"; /* for utils.c */
|
||||||
|
|
@ -2511,12 +2511,6 @@ gen_key(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hSecretKey
|
||||||
FILL_ATTR(keyTemplate[n_attr], CKA_VALUE_LEN, &key_length, sizeof(key_length));
|
FILL_ATTR(keyTemplate[n_attr], CKA_VALUE_LEN, &key_length, sizeof(key_length));
|
||||||
n_attr++;
|
n_attr++;
|
||||||
|
|
||||||
if (opt_always_auth != 0) {
|
|
||||||
FILL_ATTR(keyTemplate[n_attr], CKA_ALWAYS_AUTHENTICATE,
|
|
||||||
&_true, sizeof(_true));
|
|
||||||
n_attr++;
|
|
||||||
}
|
|
||||||
|
|
||||||
mechanism.mechanism = opt_mechanism;
|
mechanism.mechanism = opt_mechanism;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -206,6 +206,7 @@ const struct option options[] = {
|
||||||
{ "update-existing", no_argument, NULL, OPT_UPDATE_EXISTING},
|
{ "update-existing", no_argument, NULL, OPT_UPDATE_EXISTING},
|
||||||
|
|
||||||
{ "extractable", no_argument, NULL, OPT_EXTRACTABLE },
|
{ "extractable", no_argument, NULL, OPT_EXTRACTABLE },
|
||||||
|
{ "user-consent", required_argument, NULL, OPT_USER_CONSENT},
|
||||||
{ "insecure", no_argument, NULL, OPT_INSECURE },
|
{ "insecure", no_argument, NULL, OPT_INSECURE },
|
||||||
{ "use-default-transport-keys",
|
{ "use-default-transport-keys",
|
||||||
no_argument, NULL, 'T' },
|
no_argument, NULL, 'T' },
|
||||||
|
|
@ -219,7 +220,6 @@ const struct option options[] = {
|
||||||
{ "wait", no_argument, NULL, 'w' },
|
{ "wait", no_argument, NULL, 'w' },
|
||||||
{ "help", no_argument, NULL, 'h' },
|
{ "help", no_argument, NULL, 'h' },
|
||||||
{ "verbose", no_argument, NULL, 'v' },
|
{ "verbose", no_argument, NULL, 'v' },
|
||||||
{ "user-consent", required_argument, NULL, OPT_USER_CONSENT},
|
|
||||||
|
|
||||||
/* Hidden options for testing */
|
/* Hidden options for testing */
|
||||||
{ "assert-pristine", no_argument, NULL, OPT_ASSERT_PRISTINE },
|
{ "assert-pristine", no_argument, NULL, OPT_ASSERT_PRISTINE },
|
||||||
|
|
@ -273,6 +273,7 @@ static const char * option_help[] = {
|
||||||
"Store or update existing certificate",
|
"Store or update existing certificate",
|
||||||
|
|
||||||
"Private key stored as an extractable key",
|
"Private key stored as an extractable key",
|
||||||
|
"Set userConsent. Default = 0",
|
||||||
"Insecure mode: do not require a PIN for private key",
|
"Insecure mode: do not require a PIN for private key",
|
||||||
"Do not ask for transport keys if the driver thinks it knows the key",
|
"Do not ask for transport keys if the driver thinks it knows the key",
|
||||||
"Do not prompt the user; if no PINs supplied, pinpad will be used",
|
"Do not prompt the user; if no PINs supplied, pinpad will be used",
|
||||||
|
|
@ -285,7 +286,6 @@ static const char * option_help[] = {
|
||||||
"Wait for card insertion",
|
"Wait for card insertion",
|
||||||
"Display this message",
|
"Display this message",
|
||||||
"Verbose operation. Use several times to enable debug output.",
|
"Verbose operation. Use several times to enable debug output.",
|
||||||
"Set userConsent. Default = 0",
|
|
||||||
|
|
||||||
NULL,
|
NULL,
|
||||||
NULL,
|
NULL,
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue