Skip to content

Modify CKR_ATTRIBUTE_READ_ONLY Error when generating ML-DSA key pair using pkcs11-tool #850

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
bgkim-ictk wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Modify CKR_ATTRIBUTE_READ_ONLY Error when generating ML-DSA key pair using pkcs11-tool #850

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions CMakeLists.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,8 @@ enable_testing()

# config.h include path
include_directories(${CMAKE_BINARY_DIR})
include_directories(${CMAKE_SOURCE_DIR}/src/lib/slot_mgr)
include_directories(${CMAKE_SOURCE_DIR}/src/lib/object_store)

add_subdirectory(src)

Expand Down
8 changes: 8 additions & 0 deletions cmake/modules/CompilerOptions.cmake
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -219,6 +219,10 @@ if(WITH_CRYPTO_BACKEND STREQUAL "botan")
message(STATUS "Botan: Support for EDDSA is disabled")
endif(ENABLE_EDDSA)

if(ENABLE_MLDSA)
set(WITH_ML_DSA 1)
endif(ENABLE_MLDSA)
Comment on lines +222 to +224
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== ML-DSA capability tests in cmake/modules/tests =="
fd -HI 'test_.*mldsa\.(c|cpp)$' cmake/modules/tests || true

echo
echo "== WITH_ML_DSA / ENABLE_MLDSA references =="
rg -n --type=cmake 'WITH_ML_DSA|ENABLE_MLDSA|mldsa' cmake/modules/CompilerOptions.cmake cmake/modules/tests config.h.in.cmake

Repository: softhsm/SoftHSMv2

Length of output: 603

🏁 Script executed:

# Show context around MLDSA blocks and identify backend probes for other algorithms
head -n 430 cmake/modules/CompilerOptions.cmake | tail -n 230

Repository: softhsm/SoftHSMv2

Length of output: 8909

🏁 Script executed:

# Search for ECC/EDDSA probes and check if there are example probe patterns
rg -n -A 5 'ECC|EDDSA|try_compile|try_run' cmake/modules/CompilerOptions.cmake | head -n 100

Repository: softhsm/SoftHSMv2

Length of output: 4197

🏁 Script executed:

# List all files in cmake/modules/tests to see what probes exist
ls -la cmake/modules/tests/

Repository: softhsm/SoftHSMv2

Length of output: 1088

🏁 Script executed:

# Verify the OpenSSL MLDSA section around line 377
sed -n '370,385p' cmake/modules/CompilerOptions.cmake

Repository: softhsm/SoftHSMv2

Length of output: 595

Add ML-DSA backend capability probes for both OpenSSL and Botan, following the pattern used for ECC, EDDSA, and GOST.

Lines 222–224 (Botan) and 377–379 (OpenSSL) set WITH_ML_DSA unconditionally when ENABLE_MLDSA is ON. If the selected backend lacks ML-DSA support, configuration succeeds but compilation or linking fails later. Create test files (test_openssl_mldsa.c and test_botan_mldsa.cpp) and use try_run probes with FATAL_ERROR on failure, matching the existing pattern for ECC, EDDSA, and GOST.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@cmake/modules/CompilerOptions.cmake` around lines 222 - 224, When
ENABLE_MLDSA is set, don't unconditionally set WITH_ML_DSA; instead add backend
capability probes like the ECC/EDDSA/GOST sections: create test_openssl_mldsa.c
and test_botan_mldsa.cpp that attempt to compile/link a minimal ML-DSA usage,
and replace the unconditional set(WITH_ML_DSA 1) with try_run checks that set
WITH_ML_DSA only on success and call FATAL_ERROR if the probe fails when the
backend is selected; use the same try_run/ALIAS pattern and variable names as
the existing ECC/EDDSA/GOST probes so ENABLE_MLDSA triggers a proper
compile/link test for both OpenSSL and Botan.

Comment on lines +222 to +224
Copy link
Copy Markdown
Member

@bukka bukka Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MLDSA currently does not work with Botan so this should be removed

Copy link
Copy Markdown
Contributor

@antoinelochet antoinelochet Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We would need Botan3 for that which is not currently supported. It will fail with Botan2.


# acx_botan_gost.m4
if(ENABLE_GOST)
set(testfile ${CMAKE_SOURCE_DIR}/cmake/modules/tests/test_botan_gost.cpp)
Expand Down Expand Up @@ -370,6 +374,10 @@ elseif(WITH_CRYPTO_BACKEND STREQUAL "openssl")
message(STATUS "OpenSSL: Support for EDDSA is disabled")
endif(ENABLE_EDDSA)

if(ENABLE_MLDSA)
set(WITH_ML_DSA 1)
endif(ENABLE_MLDSA)

# acx_openssl_gost.m4
if(ENABLE_GOST)
set(testfile ${CMAKE_SOURCE_DIR}/cmake/modules/tests/test_openssl_gost.c)
Expand Down
9 changes: 6 additions & 3 deletions src/lib/P11Attributes.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -440,8 +440,11 @@ CK_RV P11Attribute::update(Token* token, bool isPrivate, CK_VOID_PTR pValue, CK_
{
if (OBJECT_OP_GENERATE==op)
{
ERROR_MSG("Prohibited attribute was passed to key generation function");
return CKR_ATTRIBUTE_READ_ONLY;
if (type != CKA_PARAMETER_SET)
Copy link
Copy Markdown
Member

@bukka bukka Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems a bit hacky. I might need to debug it to see what the actual reason for this.

{
ERROR_MSG("Prohibited attribute was passed to key generation function");
return CKR_ATTRIBUTE_READ_ONLY;
}
}
}

Expand Down Expand Up @@ -2593,4 +2596,4 @@ CK_RV P11AttrSeed::updateAttr(Token *token, bool isPrivate, CK_VOID_PTR pValue,
osobject->setAttribute(type, value);

return CKR_OK;
}
}