Support for private keys that do not need login #22
Now that I think of it, shouldn't this be handled by pkcs11-module-login-behavior = auto (or never)? There is a token info flag on PKCS#11 tokens that tells whether login is required: CKF_LOGIN_REQUIRED

Uhmm, I mixed projects ... remind me again why we should care for odd behaviors in kryoptic itself?
If we will want the kryoptic to be a FIPS module handling the operations on files loaded from plaintext PEM files, it will basically be this mode of operation on a token without login. Or is there some other plan to handle this use case?
I hope not.

Ah yeah, but in FIPS mode I expect most applications to basically import a key in a session object ...

We should definitely have a mode where CKF_LOGIN_REQUIRED is not set and is_logged_in() always returns true.
In most of the reasonable cases (and as implemented now), the login is required to do private key operations on a token. But there is at least a PIV token (at least as implemented in yubikey), which has a certificate slot 9e not requiring the login for the operations:
https://developers.yubico.com/PIV/Introduction/Certificate_slots.html
I am not sure if there is a good way to represent this on the PKCS#11 level though.
Originally posted by @Jakuje in #17 (comment)
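As an added example (not kryoptic's or pkcs11-provider's code), this Rust model ties the two halves of the thread together: a token whose is_logged_in() is unconditionally true when CKF_LOGIN_REQUIRED is unset, and the client-side auto/always/never login decision. The Token struct and the LoginBehavior enum are assumptions made for this example; only the CKF_LOGIN_REQUIRED bit value comes from the PKCS#11 specification.

```rust
// Added example, not kryoptic's code. CKF_LOGIN_REQUIRED is the CK_TOKEN_INFO
// flag bit defined by the PKCS#11 specification; everything else is assumed.
const CKF_LOGIN_REQUIRED: u64 = 0x0000_0004;

/// Assumed mirror of pkcs11-provider's `pkcs11-module-login-behavior` values.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum LoginBehavior {
    Auto,
    Always,
    Never,
}

/// Toy token: `flags` is the token-info flags word, `user_logged_in` records
/// whether C_Login succeeded in this session.
struct Token {
    flags: u64,
    user_logged_in: bool,
}

impl Token {
    fn new(login_required: bool) -> Self {
        let flags = if login_required { CKF_LOGIN_REQUIRED } else { 0 };
        Token { flags, user_logged_in: false }
    }

    /// The mode proposed above: without CKF_LOGIN_REQUIRED the session
    /// counts as logged in unconditionally.
    fn is_logged_in(&self) -> bool {
        self.flags & CKF_LOGIN_REQUIRED == 0 || self.user_logged_in
    }

    /// Private-key operations are gated on is_logged_in(), so on a
    /// no-login token they succeed without any prior C_Login.
    fn private_key_op(&self) -> Result<(), &'static str> {
        if self.is_logged_in() { Ok(()) } else { Err("CKR_USER_NOT_LOGGED_IN") }
    }

    fn login(&mut self) {
        self.user_logged_in = true;
    }
}

/// Client side: should the application call C_Login before a private-key
/// operation, given its configured behavior and the token's flags?
fn should_login(behavior: LoginBehavior, token: &Token) -> bool {
    match behavior {
        LoginBehavior::Always => true,
        LoginBehavior::Never => false,
        LoginBehavior::Auto => token.flags & CKF_LOGIN_REQUIRED != 0,
    }
}
```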