On 30/05/14 19:55, Jonathan Schulze-Hewett wrote:
Another bit of oddness. I can put the PKCS#11 device into "read only" mode
where it only supports CKS_RO_PUBLIC_SESSION and CKS_RO_USER_FUNCTIONS
states and asserts the CKF_WRITE_PROTECTED flag. In this state Firefox
attempts to call C_CreateObject to create an ECC public key on the device
which fails. Firefox returns sec_error_bad_signature to the user in this
case stating "Peer's certificate has an invalid signature."
Perhaps I misunderstand the meaning of those state and flag values and that
read only/write protected means that callers can still make objects as long
as CKA_TOKEN=false?
The _RO_ session state doesn't disable creation of session objects, but
PKCS#11 says "Exactly what the CKF_WRITE_PROTECTED flag means is not
specified in Cryptoki. An application may be unable to perform certain
actions on a write-protected token; these actions can include any of
the following, among others:
∙ Creating/modifying/deleting any object on the token.
∙ Creating/modifying/deleting a token object on the token."
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
