Chrysalis wants CKA_SENSITIVE=TRUE on keys



16 years ago
15 years ago


(Reporter: Jamie Nicolson, Assigned: Jamie Nicolson)






16 years ago
The Chrysalis driver returns CKR_TEMPLATE_INCOMPLETE when we try to generate a
triple-DES key on their token. According to them, we need to specify
CKA_SENSITIVE=TRUE on keys on their token.

I have not tested this yet to see if it fixes the problem.

Comment 1

16 years ago
If making this change fixes the problem on Chrysalis, and enables Chrysalis to
perform SecretDecoderRing correctly, and we decide that we want the fix, we may
want to squeeze it into the 3.7.1 release. Provisionally setting target
milestone to 3.7.1.
Target Milestone: --- → 3.7.1

Comment 2

16 years ago
Bob, C_GenerateKey is failing on Chrysalis with CKR_TEMPLATE_INCOMPLETE. They
say we must set CKA_SENSITIVE to TRUE on their token. This sounds like a
proprietary requirement that is not in the spec. Assuming this change fixes the
problem, do you think we should go ahead and make it, or push back on them to
take out their proprietary requirement?

Comment 3

16 years ago
Push back. Other things fail if we always force SENSITIVE to TRUE. We
specifically do not set the attribute so that the token can default the value to
whatever is natural for that token. If we needed it to be a specific value, we
would have specified it.


Comment 4

16 years ago
Should we mark this bug invalid then?

Comment 5

16 years ago
I sent mail to Chrysalis explaining our position on Friday, and I'm waiting to
hear back from them. Perhaps they'll point something out that we hadn't considered.

Comment 6

15 years ago
Jamie, have you received a reply?
Priority: -- → P1
Target Milestone: 3.7.1 → 3.8

Comment 7

15 years ago
Yes, they said they are going to fix it. They will let us know when they have a
patch available.

Comment 8

15 years ago
Given that, we should mark this bug invalid, correct?

Comment 9

15 years ago
OK, marked as invalid.
Last Resolved: 15 years ago
Resolution: --- → INVALID