Ensure token store objects can be extracted if the right booleans are set #194
Conversation
This is needed to be able to make proper access control decisions in upper layers when the object is stored in a token. Signed-off-by: Simo Sorce <[email protected]>
Signed-off-by: Simo Sorce <[email protected]>
Jakuje
left a comment
Jakuje
left a comment
There was a problem hiding this comment.
you were faster :)
lgtm. I just wanted to make sure we do not need some more in different code paths, but that can be done later if needed.
Reasonably confident this is all we need, but we can always add more patches later indeed. Thanks for the review and all these bugs, each fix make kryoptic more robust and compliant, which I like. |
|
Thinking if this is the right place to add these though. In |
No, this is the correct place, the one you see in get_objects_attr() is only for the case where a user is not logged in and mixing the use cases would be confusing. |
|
Ok. Went through the places where else we fetch the data from db and this is the only one where we missed something, I think. |
2 participants
Description
The database optimized code was not sourcing the CKA_SENSITIVE/CKA_EXTRACTABLE attributes for token objects, this would cause subsequent checks on these attributes to use the object defaults rather than what was actually stored.
Session objects did not suffer from this issue because all attributes are always available for those.
Fixes: #193
Checklist
[ ] Documentation was updated[ ] This is not a code changeReviewer's checklist: