[Pki-devel] [pki-devel][PATCH]0061-Enhance-tkstool-for-capabilities-and-security.patch

Christina Fu cfu at redhat.com
Wed Jan 27 18:24:26 UTC 2016


I think I will be more conservative and give conditional ACK to this 
patch pending on tests on servers running on both LunaSA and nethsm.  
Although the code in the patch might very well work for both, those two 
HSMs are known to require different sets of pk11AtrFlags and often one 
set would work for one but not the other.

thanks,
Christina

On 01/15/2016 04:24 PM, John Magne wrote:
> Enhance tkstool for capabilities and security
>
> This simple ticket is to fix tkstool to allow it
> to create the master key with the proper flags to make
> the key data private such that it can't be easily viewed when
> using tools to print out sym keys on the token.
>
> Fix tested on the "internal" token by trying the various tkstool
> cmds to make sure having the key private does not cause issues.
> Also tried a simple key changeover operation with tpsclient to make
> sure that symkey can still do what it needs to do with the master key.
>
> Further testing with a full hsm will be required.
> The goal was to create the key with the same flags that are used when the
> previous "PK11_GenKeyOnToken" (name approx) is used. This version had no
> flags and created a default set. This fix uses the version With flags and
> does what the old one did, but made sure the key is private and sensitive.
>
> Master key can be tested by using the tool:
>
> /usr/lib64/nss/unsupported-tools/symkeyutil -d ./ -L
>
