PK11_CopySymKeyForSigning is used to set the CKA_SIGN attribute on a key, for example so it can be used for HMAC. This should be implemented with a C_SetAttribute, and failing that, a C_CopyObject. Instead, the wrapper layer tries to extract the key value, and if that fails, does a key exchange. Extracting the key value will fail in FIPS mode, so a key exchange will be performed. The key exchange involves a public-key encryption and decryption, and possibly even a key generation. These are very heavy-duty operations, and a big waste of resources when all we want to do is change the value of a flag on a key.
This seems like a reasonable small enhancement for 3.8
Severity: normal → enhancement
Target Milestone: --- → 3.8
Created attachment 112452 [details] [diff] [review] Try just setting the attribute on the key rather than copying it. I've kept the copy code in case the token doesn't allow the attribute to be changed on an existing key.
Fixed in revision 1.64 of pk11skey.c
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.