feat(pkcs11-tool): set CKA_PRIVATE=CK_TRUE if the --private option is… #3177
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hi,
I noticed that the "--private" option was not considered for private keys.
Maybe it was due to a confusion between the "CKA_PRIVATE" attribute which means that an object is only accessible when the normal user is logged in and the fact that in a key pair, we have a "private" and a "public" key.
The wording can be confusing.
So I am proposing to take into account if the --private option is set when the CKA_PRIVATE is added to the template, like it is done for secret keys or certificates.
This is changing the default behavior when a private key is created. The CKA_PRIVATE attribute used to be always set to CK_TRUE and now the value depends whether the "--private" option is set or not.
The "--private" option was ignored for private key generation.
IMO, with this PR, the behavior is now similar to other object creation or generation.
I checked the patch with the Trustonic TEE HSM.
Regards,
Alexandre.