The Chrysalis driver returns CKR_TEMPLATE_INCOMPLETE when we try to generate a triple-DES key on their token. According to them, we need to specify CKA_SENSITIVE=TRUE on keys on their token. I have not tested this yet to see if it fixes the problem.
If making this change fixes the problem on Chrysalis, and enables Chrysalis to perform SecretDecoderRing correctly, and we decide that we want the fix, we may want to squeeze it into the 3.7.1 release. Provisionally setting target milestone to 3.7.1.
Target Milestone: --- → 3.7.1
Bob, C_GenerateKey is failing on Chrysalis with CKR_TEMPLATE_INCOMPLETE. They say we must set CKA_SENSITIVE to TRUE on their token. This sounds like a proprietary requirement that is not in the spec. Assuming this change fixes the problem, do you think we should go ahead and make it, or push back on them to take out their proprietary requirement?
Push back. Other things fail if we always force SENSITIVE to TRUE. We specifically do not set the attribute so that the token can default to value to what ever is natural for that token. If we needed it to be a specific value, we would have specified it. bob
Should we mark this bug invalid then?
I sent mail to Chrysalis explaining our position on Friday, and I'm waiting to hear back from them. Perhaps they'll point something out that we hadn't considered.
Jamie, have you received a reply?
Priority: -- → P1
Target Milestone: 3.7.1 → 3.8
Yes, they said they are going to fix it. They will let us know when they have a patch available.
Given that, we should mark this bug invalid, correct?
OK, marked as invalid.
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.