Private key access flags inconsistent based on key source #26
These are PKCS#15/11 attributes that are stored in the file system for OpenSC, they are not interpreted by the applet and have no security implications. CKA_ALWAYS_SENSITIVE set to false for imported keys is correct IMO, as the key has been exposed outside the card prior to the import...
There appears to be a difference in how IsoApplet handles setting the access flags on private key objects depending on if the private key is imported from an externally generated source or generated on-card. Externally loaded keys become set with 0x01, and internal keys are set with 0x1D.
Reproduction case:
Shouldn't the access flags on the private key always be 0x1D regardless of how the private key is loaded?
I'm not sure if there are any additional security implications because of this, but it seems most other JC applets (PIV,etc) always set anything related to private keys to the more restrictive access flag set.
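Added example, not part of the original issue and not IsoApplet or OpenSC code: it decodes the two values from this thread using the PKCS#15 KeyAccessFlags bit positions and checks them against the PKCS#11 rule that a key created with C_CreateObject has CKA_LOCAL, CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE set to false. The identifier names and the policy that a private key must be sensitive and non-extractable are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* PKCS#15 KeyAccessFlags bit values; the names are local to this example. */
enum {
    ACC_SENSITIVE = 0x01, ACC_EXTRACTABLE = 0x02, ACC_ALWAYS_SENSITIVE = 0x04,
    ACC_NEVER_EXTRACTABLE = 0x08, ACC_LOCAL = 0x10,
    /* Bits that describe the key's history rather than its current protection. */
    ACC_ORIGIN_MASK = ACC_ALWAYS_SENSITIVE | ACC_NEVER_EXTRACTABLE | ACC_LOCAL
};

static const struct { unsigned bit; const char *p11; } FLAGS[] = {
    { ACC_SENSITIVE,         "CKA_SENSITIVE" },
    { ACC_EXTRACTABLE,       "CKA_EXTRACTABLE" },
    { ACC_ALWAYS_SENSITIVE,  "CKA_ALWAYS_SENSITIVE" },
    { ACC_NEVER_EXTRACTABLE, "CKA_NEVER_EXTRACTABLE" },
    { ACC_LOCAL,             "CKA_LOCAL" },
};

/* Writes the PKCS#11 attribute names of all set bits, comma separated,
 * into out and returns how many bits were set. */
int describe_flags(unsigned flags, char *out, size_t outlen)
{
    int n = 0;
    if (outlen == 0) return 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof FLAGS / sizeof FLAGS[0]; i++) {
        if (!(flags & FLAGS[i].bit)) continue;
        size_t used = strlen(out);
        snprintf(out + used, outlen - used, "%s%s", n ? "," : "", FLAGS[i].p11);
        n++;
    }
    return n;
}

/* Returns 1 when the flags agree with the key's origin. Assumed policy:
 * the key is sensitive and not extractable; the history bits are all set
 * for an on-card key and all clear for an imported one. */
int flags_match_origin(unsigned flags, int generated_on_card)
{
    if (!(flags & ACC_SENSITIVE) || (flags & ACC_EXTRACTABLE)) return 0;
    unsigned hist = flags & ACC_ORIGIN_MASK;
    return generated_on_card ? hist == ACC_ORIGIN_MASK : hist == 0;
}

int main(void)
{
    char buf[128];
    describe_flags(0x1D, buf, sizeof buf); printf("0x1D: %s\n", buf);
    describe_flags(0x01, buf, sizeof buf); printf("0x01: %s\n", buf);
    return 0;
}
```

The two values differ only in the three history bits (0x1D ^ 0x01 = 0x1C); both mark the key as sensitive and neither marks it extractable.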