Fixes latchset/pkcs11-provider#502 Explicitly request EcDH derive return key as a session object #505

Open. Wants to merge 1 commit into base: main

Conversation

tmorlando

Bugfix for OpenSC PKCS#11 provider compatibility.

Description

OpenSC PKCS#11 module fails C_DeriveKey operations with CKR_TEMPLATE_INCOMPLETE error code when used with PKCS#15 smart cards unless CKA_TOKEN attribute is set on the request template. Fix by always requesting session keys (CKA_TOKEN=false). This is also supposed to be the default by PKCS#11 v3.1 - thus not changing the existing behavior.

Current test suite does not address the issue, as the subject failure depends on the underlying PKCS#11 module and the cryptographic token used, thus no changes to tests.

Checklist

Reviewer's checklist:

  • Any issues marked for closing are addressed
  • There is a test suite reasonably covering new functionality or modifications
  • This feature/change has adequate documentation added
  • Code conforms to coding style that today cannot yet be enforced via the check style test
  • Commits have short titles and sensible commit messages
  • Coverity Scan has run if needed (code PR) and no new defects were found

OpenSC PKCS#11 module fails C_DeriveKey operations with
CKR_TEMPLATE_INCOMPLETE error code when used with PKCS#15 smart cards
unless CKA_TOKEN attribute is set on the request template. Fix by
always requesting session keys (CKA_TOKEN=false). This is also
supposed to be the default by PKCS#11 v3.1 - thus not changing the
existing behavior.

Signed-off-by: Tero Mononen <[email protected]>
@tmorlando tmorlando changed the title Explicitly request EcDH derive return key as a session object Fixes latchset/pkcs11-provider#502 Explicitly request EcDH derive return key as a session object Jan 18, 2025
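
The template change described in this pull request, sketched as an added example (not the code from this PR or from pkcs11-provider): a derive template that always states CKA_TOKEN=false, plus a check that refuses a template asking for a token object. The helper names `force_session_object` and `build_derive_template` are hypothetical, and the Cryptoki types are minimal stand-ins so the block builds without pkcs11.h.

```c
/* Stand-ins for pkcs11.h types/constants (standard values) so this builds alone. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CK_FALSE 0
#define CKA_CLASS 0x00000000UL
#define CKA_TOKEN 0x00000001UL
#define CKA_KEY_TYPE 0x00000100UL
#define CKA_VALUE_LEN 0x00000161UL
#define CKO_SECRET_KEY 0x00000004UL
#define CKK_GENERIC_SECRET 0x00000010UL

static CK_ULONG key_class = CKO_SECRET_KEY, key_type = CKK_GENERIC_SECRET;
static CK_BBOOL session_only = CK_FALSE;

/* Hypothetical helper: guarantee the template states CKA_TOKEN=false. Returns 0 on
 * success, -1 for a token-object request or malformed attribute, -2 if full. */
int force_session_object(CK_ATTRIBUTE *t, CK_ULONG *n, CK_ULONG cap)
{
    for (CK_ULONG i = 0; i < *n; i++) {
        if (t[i].type != CKA_TOKEN)
            continue;
        if (!t[i].pValue || t[i].ulValueLen != sizeof(CK_BBOOL))
            return -1;
        return *(CK_BBOOL *)t[i].pValue == CK_FALSE ? 0 : -1;
    }
    if (*n >= cap)
        return -2;
    t[(*n)++] = (CK_ATTRIBUTE){ CKA_TOKEN, &session_only, sizeof(session_only) };
    return 0;
}

/* Hypothetical builder: ECDH-derived generic secret of *len bytes; 0 on failure. */
CK_ULONG build_derive_template(CK_ATTRIBUTE *t, CK_ULONG cap, CK_ULONG *len)
{
    CK_ULONG n = 0;
    if (cap < 3)
        return 0;
    t[n++] = (CK_ATTRIBUTE){ CKA_CLASS, &key_class, sizeof(key_class) };
    t[n++] = (CK_ATTRIBUTE){ CKA_KEY_TYPE, &key_type, sizeof(key_type) };
    t[n++] = (CK_ATTRIBUTE){ CKA_VALUE_LEN, len, sizeof(*len) };
    return force_session_object(t, &n, cap) == 0 ? n : 0;
}

int main(void)
{
    CK_ATTRIBUTE t[4];
    CK_ULONG len = 32; /* constructed sample: 32-byte shared secret */
    return build_derive_template(t, 4, &len) == 4 ? 0 : 1;
}
```

The resulting array is what would be passed as the template argument of C_DeriveKey; keeping the derived secret a session object means it is destroyed when the session closes rather than persisted on the card.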