RE: [pkcs11-comment] Profile objects and C_FindObjects

[Dieter Bong <Dieter.Bong@utimaco.com>]

Dear Michael,

 

Thank you very much for your question about the expected behavior wrt. Profile objects in case of C_FindObjectInit with empty template.

 

In our last meeting on October 12, the PKCS11 TC has discussed this question and come to the conclusion that the note in sections 4.3.2 and 4.12.2 should be removed, resulting in a consistent treatment of all object types. This has been filed on our Wiki page https://wiki.oasis-open.org/pkcs11/3.2WorkItems , see item #4 in section Items from public comments â . Weâll work towards such update in PKCS #11 specification v3.2. You can follow the progress of our activities on that Wiki page and in our meeting minutes https://wiki.oasis-open.org/pkcs11/MeetingMinutes.

 

Best regards,

Dieter Bong

 

From: Dieter Bong
Sent: Monday, October 10, 2022 12:38 PM
To: pkcs11@lists.oasis-open.org
Cc: 'Michael Jung' <michael.jung@secore.ly>
Subject: FW: [pkcs11-comment] Profile objects and C_FindObjects

 

Forwarding Michael Jungâs request to our mailing list pkcs11@lists.oasis-open.org to make sure it comes to the attention of all TC members, and asking to be put on the agenda of our upcoming TC meeting on Wed Oct 12.

 

Best regards,

Dieter

 

From: pkcs11-comment@lists.oasis-open.org <pkcs11-comment@lists.oasis-open.org> On Behalf Of Michael Jung
Sent: Tuesday, October 4, 2022 3:04 PM
To: pkcs11-comment@lists.oasis-open.org
Subject: [pkcs11-comment] Profile objects and C_FindObjects

 

Hello everybody,

 

For Hardware Feature and Mechanism Object [PKCS11-Spec-v3.1] states in section 4.3.2 and section 4.12.2, respectively:

 

When searching for objects using C_FindObjectsInit and C_FindObjects, mechanism objects are not returned unless the CKA_CLASS attribute in the template has the value [CKO_HW_FEATURE | CKO_MECHANISM]. This protects applications written to previous versions of Cryptoki from finding objects that they do not understand.

 

I would have expected to find a similar paragraph for Profile Objects in section 4.13.2, but there is none.  Is this intentional?  I.e. are Profile Objects meant to be returned when C_FindObjectInit was called with an empty template (i.e. ulCount = 0)?

 

Thanks for your help,

Michael Jung

 

---

Utimaco IS GmbH
Germanusstr. 4, D.52080 Aachen, Germany, Tel: +49-241-1696-0, www.utimaco.com
Seat: Aachen â Registergericht Aachen HRB 18922
VAT ID No.: DE 815 496 496
Managementboard: Stefan Auerbach (Chairman) CEO, Malte Pollmann CSO, Martin Stamm CFO

This communication is confidential. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. Please inform us immediately and destroy the email.