[strongSwan] migrating from swanctl to networkmanager

Tobias Brunner tobias at strongswan.org
Thu May 20 17:26:08 CEST 2021


Hi Marc,

> The line C_GetAttributeValue(NULL) error: ATTRIBUTE_TYPE_INVALID might
> be the root cause

Seems likely as it apparently happens when enumerating the certificates
on the token.

The attributes we request from the token when enumerating certificate
objects are CKA_VALUE, CKA_LABEL and CKA_TRUSTED; it might be the latter
that causes the error.

Currently, there is a check that disables requesting the attribute for
PKCS#11 libraries that announce a version < 2.20.  But there is probably
no guarantee that the attribute can be provided even for current
implementations (the spec lists it in a table of "common" certificate
object attributes without a default value).

However, according to the PKCS#11 spec, the observed return value is not
an actual error.  It just indicates that at least one attribute was
invalid and could not be retrieved from the object (those attributes are
marked with CK_UNAVAILABLE_INFORMATION via their length field).  The
token still must have processed all other requested attributes (i.e. we
should get the certificate and label back anyway).  So I guess we could
handle this a bit more leniently.

I pushed a potential fix to the pkcs11-attributes branch.

Regards,
Tobias
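
The lenient handling described in the message above, as an added example that is not part of the original post and is not the code on the pkcs11-attributes branch: CKR_ATTRIBUTE_TYPE_INVALID is tolerated as long as the attributes the caller actually needs were delivered. The names mock_token, get_attrs_lenient and enumerate_cert and the sample attribute values are assumptions made for illustration; the mock stands in for C_GetAttributeValue on a token that cannot provide CKA_TRUSTED.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not strongSwan code. Minimal PKCS#11 subset (values as in pkcs11t.h) */
typedef unsigned long CK_ULONG, CK_RV;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CKR_OK = 0x00, CKR_ATTRIBUTE_TYPE_INVALID = 0x12, CKR_BUFFER_TOO_SMALL = 0x150,
       CKA_LABEL = 0x03, CKA_VALUE = 0x11, CKA_TRUSTED = 0x86 };
#define CK_UNAVAILABLE_INFORMATION (~0UL)

/* Constructed stand-in for C_GetAttributeValue on a token that lacks CKA_TRUSTED */
static CK_RV mock_token(CK_ATTRIBUTE *t, CK_ULONG n)
{
    CK_RV rv = CKR_OK;
    for (CK_ULONG i = 0; i < n; i++) {
        const char *src = t[i].type == CKA_VALUE ? "DER-CERT" :
                          t[i].type == CKA_LABEL ? "vpn-cert" : NULL;
        CK_ULONG len = src ? strlen(src) : 0;
        if (!src || (t[i].pValue && t[i].ulValueLen < len)) {
            rv = src ? CKR_BUFFER_TOO_SMALL : CKR_ATTRIBUTE_TYPE_INVALID;
            t[i].ulValueLen = CK_UNAVAILABLE_INFORMATION; /* flag it, keep going */
            continue;
        }
        if (t[i].pValue) memcpy(t[i].pValue, src, len);
        t[i].ulValueLen = len;
    }
    return rv;
}

/* Tolerate CKR_ATTRIBUTE_TYPE_INVALID when all attributes in `required` (bit i =
 * t[i]) were delivered; unavailable ones are reported in *missing. 1 = usable. */
static int get_attrs_lenient(CK_ATTRIBUTE *t, CK_ULONG n, unsigned required, unsigned *missing)
{
    CK_RV rv = mock_token(t, n);
    *missing = 0;
    if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID) return 0; /* real error */
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].ulValueLen == CK_UNAVAILABLE_INFORMATION) *missing |= 1u << i;
    return (*missing & required) == 0;
}

/* Request CKA_VALUE, CKA_LABEL, CKA_TRUSTED; returns the missing mask or -1 */
static int enumerate_cert(unsigned required)
{
    char value[64], label[64]; unsigned char trusted; unsigned missing;
    CK_ATTRIBUTE t[] = { { CKA_VALUE, value, sizeof(value) }, { CKA_LABEL, label, sizeof(label) },
                         { CKA_TRUSTED, &trusted, sizeof(trusted) } };
    return get_attrs_lenient(t, 3, required, &missing) ? (int)missing : -1;
}

int main(void) { printf("missing mask: %d\n", enumerate_cert(0x3)); return 0; }
```

With CKA_VALUE and CKA_LABEL required (mask 0x3) the certificate is accepted and only CKA_TRUSTED is reported missing; treating all three as required (mask 0x7) rejects the object.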

