Closed motiwardi closed 3 years ago
These are PKCS#15/11 attributes that are stored in the file system for OpenSC; they are not interpreted by the applet and have no security implications.
CKA_ALWAYS_SENSITIVE set to false for imported keys is correct IMO, as the key has been exposed outside the card prior to the import... The same argumentation applies to CKA_NEVER_EXTRACTABLE. CKA_LOCAL should not be set because the domain parameters have been set off-card.
There appears to be a difference in how IsoApplet handles setting the access flags on private key objects depending on whether the private key is imported from an externally generated source or generated on-card. Externally loaded keys become set with 0x01, and internal keys are set with 0x1D.
Reproduction case:
Shouldn't the access flags on the private key always be 0x1D regardless of how the private key is loaded?
I'm not sure if there are any additional security implications because of this, but it seems most other JC applets (PIV, etc.) always set anything related to private keys to the more restrictive access flag set.
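
Decoding the two values from this thread, as an added example that is not part of the issue and is not IsoApplet or OpenSC code. The bit values follow the PKCS#15 KeyAccessFlags order (the numeric form OpenSC prints); the constant and function names are made up for this example, and the consistency check encodes the reasoning in the reply above: history attributes cannot be asserted for an imported key.

```c
#include <stdio.h>
#include <string.h>

/* PKCS#15 KeyAccessFlags bits; the names are local to this example. */
enum { ACC_SENSITIVE = 0x01, ACC_EXTRACTABLE = 0x02, ACC_ALWAYS_SENSITIVE = 0x04,
       ACC_NEVER_EXTRACTABLE = 0x08, ACC_LOCAL = 0x10 };
enum key_origin { KEY_IMPORTED, KEY_GENERATED_ON_CARD };

/* Write the names of the set flags, comma-separated, into buf and return buf. */
const char *describe_flags(unsigned flags, char *buf, size_t len)
{
    static const struct { unsigned bit; const char *name; } tbl[] = {
        { ACC_SENSITIVE, "sensitive" }, { ACC_EXTRACTABLE, "extractable" },
        { ACC_ALWAYS_SENSITIVE, "alwaysSensitive" },
        { ACC_NEVER_EXTRACTABLE, "neverExtractable" }, { ACC_LOCAL, "local" },
    };
    size_t off = 0;
    if (len == 0) return buf;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if ((flags & tbl[i].bit) && off < len)
            off += (size_t)snprintf(buf + off, len - off, "%s%s",
                                    off ? "," : "", tbl[i].name);
    return buf;
}

/* Return the bits that contradict the key's history (0 means consistent).
 * Imported key: alwaysSensitive, neverExtractable and local must be clear.
 * On-card key: local is expected, plus the history bit matching each of
 * sensitive / non-extractable that the key currently has. */
unsigned inconsistent_bits(enum key_origin origin, unsigned flags)
{
    const unsigned history = ACC_ALWAYS_SENSITIVE | ACC_NEVER_EXTRACTABLE | ACC_LOCAL;
    unsigned expected = ACC_LOCAL;
    if (origin == KEY_IMPORTED)
        return flags & history;          /* claims nobody can vouch for */
    if (flags & ACC_SENSITIVE) expected |= ACC_ALWAYS_SENSITIVE;
    if (!(flags & ACC_EXTRACTABLE)) expected |= ACC_NEVER_EXTRACTABLE;
    return expected & ~flags;            /* history bits that are missing */
}

int main(void)
{
    char buf[96];
    printf("0x01 = %s\n", describe_flags(0x01, buf, sizeof buf));
    printf("0x1D = %s\n", describe_flags(0x1D, buf, sizeof buf));
    printf("imported key with 0x1D: bad bits 0x%02X\n",
           inconsistent_bits(KEY_IMPORTED, 0x1D));
    return 0;
}
```

Both values carry the sensitive bit and neither carries extractable; they differ only in the three history bits.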