[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: PKCS#11 Object Uniqueness error codes
For example assuming we are dealing only with symmetric key objects it is perfectly possible and allowed by the specification to have multiple objects that differ only in the key value but otherwise have identical attributes. This makes it impossible for an application to know which one it should be using, eg I have two AES keys of the same length and other attributes and both have a CKA_LABEL of "MyAppKey", which one is the one to use ?
In fact in Solaris we have two providers pkcs11_softtoken, pkcs11_kms that behave quite differently. The former allows you to create any number of PKCS#11 token objects using C_GenerateKey() with the same attributes differing only in value. The later will return the rather unhelpful CKR_ARGUMENTS_BAD when attempting to create an object with a CKA_LABEL attribute if one with that label already exists. The problem with that is the application can't really determine if the arguments were bad or if the keyname they attempted to use already existed.
At the very least I think we need to introduce a new error code CKR_OBJECT_EXISTS or CKR_KEY_EXISTS for those tokens that do have requirements they need to enfore. However it would be better if we could agree on some uniqueness requirements for classes of keys.
I realise that for some objects the label might not be an ideal primary key for determining uniqueness, so maybe this is something that does remain up to each vendor for their libraries/tokens.
-- Darren J Moffat
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]