I wanted to know if there is a way a disable a particular operation on a PKCS#11 Object. For instance, I create an Object (AES Key) using C_CreateObject. I would want to set some property in this object that pauses/ disables the use of this object for any encryption/ decryption use. Is this possible ? Can we set the CKA_DECRYPT value to CK_FALSE to disable Decrypt operations? Also can this be changed multiple times using C_SetAttributeValue
Theoretically PKCS#11 standard don't restrict your from changing values of properties.
Practically your possibility to change the values after object created dependent on your PKCS#11 provider.
My suggestion that this property is immutable.
Try to set this values during creation of key or change values during copying of key object using C_CopyObject.
Another solution is to implement your own PKCS#11 proxy library with custom logic inside of PKCS#11 exported functions.
Related
Does the KeyValuePairs struct have a similar property to what 'default' does in an enum, i.e. a catch-all value in case a given key is not found? Or is there a way to recreate the same effect without built in functionality?
I need this to work with some data I'm fetching from an API (and I think I have to rely on KeyValuePairs as this is what Swift's new charts library uses for custom colouring of charts).
In our implementation of the Rules Engine we have a test form similar to Rule Test Form on the online demo on "Business Rules Engine Demo". What we would like to do is conditionally show only the Test Fields for the items in use in the rule. We are doing this by grabbing the rule.definition JSON from the ruleeditor then look for the items which we can conditionally create using AngularJS's ng-if directive. This works great with Fields. If the user selects a method, our method of parsing the string is failing. What it appears is the Field Names are stored in the JSON as plain text however the Method Names are not. Is there a way we can configure the control to either A not encrypt the method names or is there a way that we can tap into the encryption to identify if a method is in use in our rule? Thanks in advance.
Methods and actions can have overloads which the Code Effects rule editor supports. Therefore, we can't have multiple menu entries with the same name. Instead, we use a signature hash on all in-rule methods and rule actions regardless of whether it has an overload or not to make them unique on the client.
You need to have either the Full Source or the Editor Source license in order to change the code to either stop that hashing, or tap into the process, or implement it your own way. You don't have that option with any other Code Effects perpetual license.
I am working on a library which follows PKCS#11 standard.
https://www.cryptsoft.com/pkcs11doc/v220/
The library can generate RSA Keypair in token by the function C_GenerateKeyPair and returns appropriate object handles with return value CKR_OK.
The token(applet) not supports load of private/public key except generate key pair. What will be the appropriate return value of create RSA private/public key using C_CreateObject?
Now I am returning CKR_GENERAL_ERROR, is it okay?
Allowed return values are
CKR_ARGUMENTS_BAD, CKR_ATTRIBUTE_READ_ONLY,
CKR_ATTRIBUTE_TYPE_INVALID, CKR_ATTRIBUTE_VALUE_INVALID,
CKR_CRYPTOKI_NOT_INITIALIZED, CKR_DEVICE_ERROR, CKR_DEVICE_MEMORY,
CKR_DEVICE_REMOVED, CKR_DOMAIN_PARAMS_INVALID, CKR_FUNCTION_FAILED,
CKR_GENERAL_ERROR, CKR_HOST_MEMORY, CKR_OK, CKR_PIN_EXPIRED,
CKR_SESSION_CLOSED, CKR_SESSION_HANDLE_INVALID, CKR_SESSION_READ_ONLY,
CKR_TEMPLATE_INCOMPLETE, CKR_TEMPLATE_INCONSISTENT,
CKR_TOKEN_WRITE_PROTECTED, CKR_USER_NOT_LOGGED_IN.
Thanks for your help
Update
I have two types of applet, one supports load of RSA private/public key to token and another not supports. It can only possible to identify if the token supports load of key is the response of transmitted APDU. So I can't take decision only to check the class attribute of C_CreateObject.
If your library does not support C_CreateObject at all then the best choice IMO is CKR_FUNCTION_NOT_SUPPORTED.
Chapter 11 in PKCS#11 v2.20 states:
A Cryptoki library need not support every function in the Cryptoki API. However, even an unsupported function must have a "stub" in the library which simply returns the value CKR_FUNCTION_NOT_SUPPORTED.
If your library does support C_CreateObject for creation of other object types (e.g. certificates, data objects etc.) then the best choice IMO is CKR_ATTRIBUTE_VALUE_INVALID.
Chapter 10.1.1 in PKCS#11 v2.20 states:
If the supplied template specifies an invalid value for a valid attribute, then the attempt should fail with the error code CKR_ATTRIBUTE_VALUE_INVALID.
UPDATE
Now that you have shared more details about your library in the comments I can add more detailed explanation:
It seems I can call your implementation of C_CreateObject with template containing CKA_CLASS=CKO_CERTIFICATE and it will create certificate object on this particular token and return CKR_OK. If I call it with template containing CKA_CLASS=CKO_PRIVATE_KEY then your code will decide to return an error right after the evaluation of the supplied value of this attribute. IMO there is no doubt that chapter 10.1.1 of PKCS#11 v2.20 recommends you to return CKR_ATTRIBUTE_VALUE_INVALID in this case.
However if are not willing to follow behavior recommended by the specification and there is no predefined error code you like, you can introduce your own vendor defined code (see my older answer for more details):
#define CKR_TOKEN_OPERATION_NOT_SUPPORTED (CKR_VENDOR_DEFINED|0x0000001)
IMO confusion level for inexperienced developer will be the same regardless of error code you return. In the end he/she will need to consult your documentation or logs produced by your library to find out the real reason why he/she received the error.
I would like to read Key value from a KEY/Data object of PKCS11 into a local variable.
I observe that Key is stored in CKA_VALUE of Key object.
Which is the ideal function to be used to get this value to my local variable?
I have used C_GetAttributeValue it but doesn't help.
Please guide me.
Thanks
Harsha
Private keys of assymmetric algorithms and symmetric keys usually can not be extracted from the hardware device. This is a protection measure. That's why you can't get the value.
There exist exceptions (some implementations allow you to add the key and explicitly mark it as not protected, in which case the key can be read later) but this reduces security and other user benefits, so this not popular.
In some implementation, if you set the CKA.CKA_SENSITIVE to false, yes you can read the value.
If CKA_EXTRACTABLE is set to CK_FALSE on a key then the value cannot be extracted using PKCS#11.
IF CKA_SENSITIVE is set to CK_TRUE then a key cannot be extracted in plain text.
However,
If CKA_EXTRACTABLE is CK_TRUE, and CKA_SENSITIVE is CK_FALSE the key can be extracted using CKA_VALUE.
If CKA_EXTRACTABLE is CK_TRUE, and CKA_SENSITIVE is CK_TRUE the key can be extracted by wrapping the key using C_WrapKey, then unwrapping the wrapped key outside the unit.
In this question, someone asked how to write a validation method for Core Data. I did that, and it looks cool. But one thing doesn't happen: The validation. I can easily set any "bad" value and this method doesn't get called automatically. What's the concept behind this? Must I always first call the validation method before setting any value? So would I write setter methods which call the appropriate validation method first?
And if yes, what's the point of following a strict convention in how to write the validation method signature? I guess there's also some automatic way of validation, then. How to activate this?
Validation is not "automatic" especially on iOS. On the desktop you will have the UI elements handling the call to validation. On iOS you should be calling validateValue:forKey:error: with the appropriate key and dealing with the error should there be one. The reason for this is the lack of a standard error display on iOS and the overhead of validating all values.
Note this comment in the documentation:
If you do implement custom validation methods, you should typically not invoke them directly. Instead you should call validateValue:forKey:error: with the appropriate key. This ensures that any constraints defined in the managed object model are also applied.