Chaps is a PKCS #11 implementation for Chromium OS. This document clarifies how the PKCS #11 standard is supported for TPM-backed tokens and what a calling application can expect from Chaps.
Token initialization is performed on demand and does not need to be initiated by any application. If files associated with a token are corrupt that token will be reinitialized automatically.
Chaps does not manage roles or authentication. Rather, it integrates with other parts of the Chromium OS system which manages the authentication of users. A user does not log in or log out of an inserted token; instead an inserted token implies that a user has logged in and now their token is available. Since users are managed outside of Chaps, there is no need for a Security Officer (SO) role and so Chaps has no notion of a SO.
This approach has the following implications for PKCS #11 applications:
C_GetTokenInforeports the flag
C_Loginwill return success if the protected authentication path is used (i.e. the PIN argument is NULL). It will also return success if the legacy PIN ‘111111’ is used. Otherwise, it will return
CKR_PIN_INCORRECT. In any case the call has no effect and the token remains logged in. When the user actually logs out of the system, that user's token will be removed.
C_Logoutalways returns success but has no effect.
Operation state cannot be saved and restored. Operation state information is never provided to calling applications.
The following functions are not supported and will always return