author | Rob Austein <sra@hactrn.net> | 2016-05-25 21:40:18 -0400 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2016-05-25 21:40:18 -0400 |
commit | 083d01731ffebb348c749ad6ccdb0256571835c7 (patch) | |
tree | f883802139fa0938cfcb6784201dad80fd9e64fa /rpc_pkey.c | |
parent | ce4d1c7a8103be09bcee64b055408a901d068c34 (diff) |
Start cleaning up PIN code.
Diffstat (limited to 'rpc_pkey.c')
-rw-r--r-- | rpc_pkey.c | 14 |
1 files changed, 14 insertions, 0 deletions
@@ -123,6 +123,20 @@ static inline pkey_slot_t *find_handle(const hal_pkey_handle_t handle) return NULL; } +#warning Still need access control on pkey objects based on current login state +/* + * This would be simple, except for PKCS #11 non-token objects (CKA_TOKEN = CK_FALSE). + * Need to check detailed PKCS #11 rules, but, from memory, we may be supposed to allow + * access to non-token objects even when not logged in. Maybe. Rules are complex. + * + * I think the libhal translation of this resolves around what we've + * been calling the PROXIMATE flags (which probably ought to be + * renamed to *_NONTOKEN_*, slightly less confusing name). For token + * objects, we insist on being logged in properly; for non-token + * objects, we do whatever silly thing PKCS #11 wants us to do, + * probably defaulting to requiring login if PKCS #11 gives us a choice. + */ + /* * Construct a PKCS #1 DigestInfo object. This requires some (very * basic) ASN.1 encoding, which we perform inline. |
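Review bot: The `#warning` added after `find_handle()` records that pkey objects have no access control tied to the current login state, but nothing in this hunk enforces any, so every caller that resolves a handle still proceeds regardless of login. Until the PKCS #11 rules for non-token objects (CKA_TOKEN = CK_FALSE) have been checked, I would fail closed and require login for all objects, which is the default the comment's last sentence already leans toward, and relax it for non-token objects only once the rule is confirmed. Two smaller points: `#warning` turns into a build failure under `-Werror`, so a tracked issue referenced from the comment may be a safer marker, and "resolves around" in the second paragraph of the comment should read "revolves around".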