Re[2]: Details of saving pkcs#11 attribs to the default {cert8, key3} database.

Wed, 28 Oct 2009 15:00:08 -0700 

Hello, Robert.

On Wed, 28 Oct 2009, Robert Relyea wrote:

On 10/28/2009 02:25 AM, Konstantin Andreev wrote:


It looks somewhat strange how default (so-called legacydb) database allows 
upper layer (softoken) to manipulate key's attributes.

Yes, the mapping between what the database could store and change versus what 
the PKCS #11 expected to store and change wasn't always very clean.


http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/softoken/legacydb/lgattr.c&rev=1.9&mark=1630-1641#1601

---- lg_SetPrivateKeyAttribute() @ lib/softoken/legacydb/lgattr.c ----
    case CKA_VALUE: case CKA_PRIVATE_EXPONENT: case CKA_PRIME_1:
    case CKA_PRIME_2: case CKA_EXPONENT_1: case CKA_EXPONENT_2: case 
CKA_COEFFICIENT:
    /* We aren't really changing these values, we are just triggering the 
database to update it's entry */
    *writePrivate = PR_TRUE;
    crv = CKR_OK;
    break;
-------------------------------------
One can see that softoken is allowed to change attributes of a RSA key, but 
*NOT* allowed to change attributes of DSA, ECC, DH, etc. keys.


RSA doesn't really allow these attributes to change either.


Could you, please, advice, how this code was designed, and how legacydb 
*should* grant access to key's attributes ?

Following the ECC and DSA examples should be correct.

The only attributes you really only need to deal with on update is CKA_LABEL 
and CKA_ID, both of which is handled in the key type independent portion of the 
code (so you shouldn't have to do anything special.


Oh, no, no. I am not talking about attributes which 'softoken' allows to change 
to PKCS#11 users.

I am talking about attributes, which 'softoken' itself can change on it's own. 
Certainly, inside itself 'softoken' could do what it wants: add, delete 
attributes, change their values. This is how it works.

However, the legacydb, softoken's myrmidon, serves well only part of attributes 
that it stores (cite above and link above). Why legacydb's boss can change 
CKA_PRIVATE_EXPONENT, but can't CKA_PRIME ?

Indeed, if there is no need for softoken to change attributes cited above, 
should we delete them from code for consistency ?

Best regards,
--
Konstantin Andreev, software engineer.
Swemel JSC
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto






















					Reply via email to