aboutsummaryrefslogtreecommitdiff
path: root/rpc_pkey.c
diff options
context:
space:
mode:
Diffstat (limited to 'rpc_pkey.c')
-rw-r--r--rpc_pkey.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/rpc_pkey.c b/rpc_pkey.c
index 0cf1a88..6b548d5 100644
--- a/rpc_pkey.c
+++ b/rpc_pkey.c
@@ -123,6 +123,20 @@ static inline pkey_slot_t *find_handle(const hal_pkey_handle_t handle)
return NULL;
}
+#warning Still need access control on pkey objects based on current login state
+/*
+ * This would be simple, except for PKCS #11 non-token objects (CKA_TOKEN = CK_FALSE).
+ * Need to check detailed PKCS #11 rules, but, from memory, we may be supposed to allow
+ * access to non-token objects even when not logged in. Maybe. Rules are complex.
+ *
+ * I think the libhal translation of this resolves around what we've
+ * been calling the PROXIMATE flags (which probably ought to be
+ * renamed to *_NONTOKEN_*, slightly less confusing name). For token
+ * objects, we insist on being logged in properly; for non-token
+ * objects, we do whatever silly thing PKCS #11 wants us to do,
+ * probably defaulting to requiring login if PKCS #11 gives us a choice.
+ */
+
/*
* Construct a PKCS #1 DigestInfo object. This requires some (very
* basic) ASN.1 encoding, which we perform inline.