From 25dae28ab55c8aa80e323a0bddde9d41bc97dec3 Mon Sep 17 00:00:00 2001 From: Uri Blumenthal Date: Mon, 21 Dec 2015 12:10:46 -0500 Subject: [PATCH 1/3] Access to public key should not be PIN-authenticated. Especially since access to certificate (from which one can get public key) is not currently PIN-authenticated. --- src/tools/pkcs15-tool.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/tools/pkcs15-tool.c b/src/tools/pkcs15-tool.c index 7aa981fe..46892aa5 100644 --- a/src/tools/pkcs15-tool.c +++ b/src/tools/pkcs15-tool.c @@ -688,9 +688,7 @@ static int read_public_key(void) if (r >= 0) { if (verbose) printf("Reading public key with ID '%s'\n", opt_pubkey); - r = authenticate(obj); - if (r >= 0) - r = sc_pkcs15_read_pubkey(p15card, obj, &pubkey); + r = sc_pkcs15_read_pubkey(p15card, obj, &pubkey); } else if (r == SC_ERROR_OBJECT_NOT_FOUND) { /* No pubkey - try if there's a certificate */ r = sc_pkcs15_find_cert_by_id(p15card, &id, &obj); From 2b6b0ee05a0a89af72a9b3cd5bcbc3f32fe495fb Mon Sep 17 00:00:00 2001 From: Uri Blumenthal Date: Mon, 21 Dec 2015 12:11:48 -0500 Subject: [PATCH 2/3] According to PKCS#11 standard, public key should not have the attribute CKA_SENSITIVE set to TRUE. This attribute is for private and secret keys only. --- src/pkcs11/framework-pkcs15.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c index e1035501..e468bd21 100644 --- a/src/pkcs11/framework-pkcs15.c +++ b/src/pkcs11/framework-pkcs15.c @@ -3879,8 +3879,9 @@ pkcs15_pubkey_get_attribute(struct sc_pkcs11_session *session, void *object, CK_ break; case CKA_TOKEN: case CKA_SENSITIVE: + /* By PKCS#11 v2.20 public key cannot have SENSITIVE attr TRUE */ check_attribute_buffer(attr, sizeof(CK_BBOOL)); - *(CK_BBOOL*)attr->pValue = TRUE; + *(CK_BBOOL*)attr->pValue = FALSE; break; case CKA_LOCAL: check_attribute_buffer(attr, sizeof(CK_BBOOL)); From 76ed06981bde35d979754122fc250ccbf854493d Mon Sep 17 00:00:00 2001 From: Uri Blumenthal Date: Tue, 22 Dec 2015 13:31:42 -0500 Subject: [PATCH 3/3] Made sure attribute CKA_TOKEN is set to TRUE. --- src/pkcs11/framework-pkcs15.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c index e468bd21..23249a7c 100644 --- a/src/pkcs11/framework-pkcs15.c +++ b/src/pkcs11/framework-pkcs15.c @@ -3878,6 +3878,9 @@ pkcs15_pubkey_get_attribute(struct sc_pkcs11_session *session, void *object, CK_ *(CK_OBJECT_CLASS*)attr->pValue = CKO_PUBLIC_KEY; break; case CKA_TOKEN: + check_attribute_buffer(attr, sizeof(CK_BBOOL)); + *(CK_BBOOL*)attr->pValue = TRUE; + break; case CKA_SENSITIVE: /* By PKCS#11 v2.20 public key cannot have SENSITIVE attr TRUE */ check_attribute_buffer(attr, sizeof(CK_BBOOL));