more guidance for CKA_COPYABLE and CKA_DESTROYABLE?

[Dina Kurktchi <dina.kurktchi@oracle.com>]

Hi all,


To follow up with one of my questions from earlier at
today's meeting,  I am asking for perhaps some more
clarification about how CKA_COPYABLE and CKA_DESTROYABLE
interact with existing attributes, like CKA_EXTRACTABLE
and CKA_SENSITIVE, and functions C_WrapKey and C_UnwrapKey.


This is what the text says at the end of section 4.4:

"The value of the CKA_COPYABLE attribute determines whether
or not an object can be copied using C_CopyObject.  This
attribute can be used in conjunction with CKA_MODIFIABLE
to prevent changes to the permitted usages of keys and
other objects.

The value of the CKA_DESTROYABLE attribute determines
whether the object can be destroyed using C_DestroyObject."


The specification as written currently doesn't describe
what should happen if I try to C_WrapKey my sensitive,
extractable token object, which has copyable set to false.
I can wrap it, unwrap it, and now I have more or less a
copy of what should be non-copyable.


How, exactly, do CKA_COPYABLE and CKA_MODIFIABLE both set
to false (presumably) "prevent changes to permitted usages"
of these objects?  Is that a true statement, as written?
They may prevent changes to the *object*, but I'm not
sure I see how they prevent changes to *permitted usages*.


Similarly for destroyable and wrapping/unwrapping:  I'm
guessing that non-destroyability probably doesn't carry
forward to a wrapped-and-later-unwrapped instance of the
object.  Does it?


There seems to be no guidance offered about whether to
create a non-destroyable session object.  Probably should
advise against doing so.


Thoughts?


D.