Open Jakuje opened 5 months ago
Now that I think of it, shouldn't this be handled by `pkcs11-module-login-behavior = auto` (or `never`)?
There is a token info flag on PKCS#11 tokens that tells whether login is required: `CKF_LOGIN_REQUIRED`
Uhmm I mixed projects ... remind me again why should we care for odd behaviors in kryoptic itself ? Do you expect some applications to depend on login-less operations ? And should we actually support them ?
> Uhmm I mixed projects ... remind me again why should we care for odd behaviors in kryoptic itself ?

If we want kryoptic to be a FIPS module handling the operations on files loaded from plaintext PEM files, it will basically be this mode of operation on a token without login. Or is there some other plan to handle this use case?

> Do you expect some applications to depend on login-less operations ? And should we actually support them ?

I hope not.
Ah yeah, but in FIPS mode I expect most applications to basically import a key in a session object ... For keys created in the token we need to figure out what we want to do, NSS stores the PIN in a text file next to the DB file IIRC.
We should definitely have a mode where `CKF_LOGIN_REQUIRED` is not set and `is_logged_in()` always returns true
In most of the reasonable cases (and as implemented now), the login is required to do private key operations on a token. But there is at least a PIV token (at least as implemented in YubiKey), which has a certificate slot 9e not requiring the login for the operations:
https://developers.yubico.com/PIV/Introduction/Certificate_slots.html
I am not sure if there is a good way to represent this on the PKCS#11 level though.
_Originally posted by @Jakuje in https://github.com/latchset/kryoptic/pull/17#discussion_r1536904302_
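
The access decision discussed in this thread, as an added example that is not part of the thread and is not kryoptic's code. The `Token`, `Session` and `KeyObject` types and both function bodies are hypothetical; only the `CKF_LOGIN_REQUIRED` value comes from the PKCS#11 specification, and modelling a login-free key as an object with `CKA_PRIVATE` set to false is an assumption.

```rust
// Hypothetical model, not kryoptic's types. Only CKF_LOGIN_REQUIRED (0x4)
// is taken from the PKCS#11 specification.
pub const CKF_LOGIN_REQUIRED: u64 = 0x0000_0004;

#[derive(Clone, Copy)]
pub struct Token { pub flags: u64 }

#[derive(Clone, Copy)]
pub struct Session { pub user_authenticated: bool }

#[derive(Clone, Copy)]
pub struct KeyObject { pub cka_private: bool }

/// Login-less mode from the thread: when the token does not advertise
/// CKF_LOGIN_REQUIRED, every session counts as logged in.
pub fn is_logged_in(token: Token, session: Session) -> bool {
    token.flags & CKF_LOGIN_REQUIRED == 0 || session.user_authenticated
}

/// Assumption: a key that needs no login is modelled as CKA_PRIVATE = false.
/// Such objects are usable from a public session; private ones need login.
pub fn may_use_key(token: Token, session: Session, key: KeyObject) -> bool {
    !key.cka_private || is_logged_in(token, session)
}

/// Constructed cases: (token flags, authenticated, CKA_PRIVATE) -> allowed.
pub fn decision_table() -> Vec<((u64, bool, bool), bool)> {
    let mut rows = Vec::new();
    for flags in [0, CKF_LOGIN_REQUIRED] {
        for auth in [false, true] {
            for private in [false, true] {
                let token = Token { flags };
                let session = Session { user_authenticated: auth };
                let key = KeyObject { cka_private: private };
                rows.push(((flags, auth, private), may_use_key(token, session, key)));
            }
        }
    }
    rows
}

fn main() {
    for ((flags, auth, private), ok) in decision_table() {
        println!("flags={:#x} authenticated={} CKA_PRIVATE={} -> allowed={}",
                 flags, auth, private, ok);
    }
}
```

Of the eight combinations, only a private object on a login-required token in an unauthenticated session is refused.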