Martin Paljak wrote:
> 
> On 08.06.2007, at 21:38, Douglas E. Engert wrote:
>> The SC_PKCS15_CO_FLAG_PRIVATE appears to be used to set the PKCS#11
>> CKA_PRIVATE attribute so an application  calling PKCS#11 can tell if an
>> object needs to use a PIN or not before trying to use the object.
> ...
>> Looks like someone has thought about this, with the 
>> onepin-opensc-pkcs11.so
>> which uses hack-enable.c (hack_enable=1) and only uses one slot, but adds
>> all the certs, pubkey, and prvkeys but not the data objects to the slot!
>>
>> (The use of the word "hack" implies this may have been a temporary 
>> solution.)
> 
> The hack is there to trick Mozilla/NSS into the right behavior - asking 
> only the PIN needed to do SSL authentication.
> 
> Estonian eID (and many others I assume) do not consider the certificate 
> as a private thing - you don't need to provide a PIN to read the certificate.
> Even without CKA_PRIVATE attribute, pkcs11 modules loaded into mozilla  
> without the "friendly" bit set in loading javascript/modutil command 
> (not available via normal GUI) assume that certificates are private 
> objects that require a PIN to be read.
> 
> There were issues where the wrong certificate (one without the SSL client 
> authentication purpose) was selected by Mozilla.
> 
> See tickets #132 and #70.
> 
> Things might have changed in the past few months (latest firefox beta can be 
> OK for example)

Thanks for the explanation.  I Googled for NSS certificates CKA_PRIVATE and
found the thread:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg01083.html
with your note from Wed, 08 Nov 2006 23:01:12 -0800 and the web page.
In the thread Bob Relyea thinks the problem was fixed in Firefox 2.0.

> and as your later mail notices - code might have bugs as well :)

OK, so do you have any comments about adding all public objects to
all slots?  Based on how I read PKCS#11, there should be one slot
for each auth PIN, and it should have the private objects that need
that PIN and all the public objects. The way the code is now, the public
objects are added to an extra slot, unless auth_count=1 and
hide_empty_slots = yes. This works for my card with its one auth PIN
but does not look correct for the more general case.

Maybe something like this, where auth_id.len==0 says there
is no auth PIN for the object. Needs to be tested.

--- framework-pkcs15.c  Mon Jun 11 11:07:50 2007
+++ framework-pkcs15.c.add.ro.to.all    Tue Jun 12 09:38:56 2007
@@ -785,12 +785,14 @@
                        return CKR_OK; /* no more slots available for this card 
*/

                /* Add all objects related to this pin */
+               /* and all public objects to */
                for (j=0; j < fw_data->num_objects; j++) {
                        struct pkcs15_any_object *obj = fw_data->objects[j];

                        if (__p15_type(obj) == (unsigned int)-1)
                                continue;
-                       else if (!sc_pkcs15_compare_id(&pin_info->auth_id, 
&obj->p15_object->auth_id))
+                       else if (obj->p15_object->auth_id.len > 0 &&
+                                         
!sc_pkcs15_compare_id(&pin_info->auth_id, &obj->p15_object->auth_id))
                                continue;

                if (is_privkey(obj)) {
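Review bot: the added comment `/* and all public objects to */` is cut off mid-sentence and should state the rule the new condition actually implements, e.g. `/* and all objects that need no PIN (auth_id.len == 0) */`. With the relaxed test, an object with an empty auth_id is now added to every PIN slot, so the later `/* Add all the remaining objects */` loop that the message says "could also be dropped" but the hunk leaves untouched would register those same objects a second time; the two changes belong in one patch. Note also that an object whose auth_id is non-empty but matches no PIN on the card is still skipped from every slot by the unchanged `sc_pkcs15_compare_id` branch, so a debug line counting such objects would help when this is tested.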

The /* Add all the remaining objects */ loop could also be dropped.



> 
> m.
> --Martin Paljak
> http://martin.paljak.pri.ee
> 
> 

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
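The slot rule discussed above (one PKCS#11 slot per auth PIN, each holding the private objects that need that PIN plus every object that needs no PIN), shown side by side with the pre-patch matching rule, as an added example that is not part of the original message or of OpenSC. The struct names, the two rule functions and the sample card are constructed for illustration; ex_id_equal stands in for sc_pkcs15_compare_id and an empty auth_id (len == 0) marks a PIN-less object, as proposed in the patch.

```c
/* Added example, not OpenSC code: models the slot-assignment rule from the
 * message above.  All names below are hypothetical stand-ins. */
#include <stdio.h>
#include <string.h>

#define EX_MAX_ID 16

struct ex_id {                  /* stand-in for sc_pkcs15_id */
    unsigned char value[EX_MAX_ID];
    size_t len;                 /* len == 0: object needs no PIN */
};

struct ex_pin {                 /* one auth PIN, i.e. one PKCS#11 slot */
    const char *label;
    struct ex_id auth_id;
};

struct ex_obj {                 /* cert, pubkey, prvkey or data object */
    const char *label;
    int is_private;
    struct ex_id auth_id;       /* PIN protecting the object, or empty */
};

/* Stand-in for sc_pkcs15_compare_id(): same length and same bytes. */
static int ex_id_equal(const struct ex_id *a, const struct ex_id *b)
{
    return a->len == b->len && memcmp(a->value, b->value, a->len) == 0;
}

/* Rule before the patch: an object lands in a PIN's slot only when its
 * auth_id matches that PIN's auth_id, so PIN-less objects never match. */
int belongs_in_slot_old(const struct ex_pin *pin, const struct ex_obj *obj)
{
    return ex_id_equal(&pin->auth_id, &obj->auth_id);
}

/* Rule after the patch: PIN-less objects go into every PIN slot; all
 * other objects still have to match the PIN's auth_id. */
int belongs_in_slot_new(const struct ex_pin *pin, const struct ex_obj *obj)
{
    if (obj->auth_id.len == 0)
        return 1;
    return ex_id_equal(&pin->auth_id, &obj->auth_id);
}

typedef int (*ex_rule_fn)(const struct ex_pin *, const struct ex_obj *);

static ex_rule_fn ex_rule(int new_rule)
{
    return new_rule ? belongs_in_slot_new : belongs_in_slot_old;
}

/* Constructed sample card: two auth PINs, a public cert and pubkey, one
 * private key per PIN, a private data object under PIN1, and a private key
 * whose auth_id matches no PIN on the card (an orphan under either rule). */
static const struct ex_pin SAMPLE_PINS[] = {
    { "PIN1", { { 0x01 }, 1 } },
    { "PIN2", { { 0x02 }, 1 } },
};
static const struct ex_obj SAMPLE_OBJS[] = {
    { "cert",          0, { { 0x00 }, 0 } },
    { "pubkey",        0, { { 0x00 }, 0 } },
    { "prvkey1",       1, { { 0x01 }, 1 } },
    { "prvkey2",       1, { { 0x02 }, 1 } },
    { "prvkey-orphan", 1, { { 0x03 }, 1 } },
    { "data-private",  1, { { 0x01 }, 1 } },
};
#define N_PINS (sizeof SAMPLE_PINS / sizeof SAMPLE_PINS[0])
#define N_OBJS (sizeof SAMPLE_OBJS / sizeof SAMPLE_OBJS[0])

/* How many sample objects the chosen rule places into the slot of PIN `slot`;
 * -1 for a slot index the card does not have. */
int sample_slot_size(size_t slot, int new_rule)
{
    ex_rule_fn rule = ex_rule(new_rule);
    int n = 0;
    size_t j;
    if (slot >= N_PINS)
        return -1;
    for (j = 0; j < N_OBJS; j++)
        n += rule(&SAMPLE_PINS[slot], &SAMPLE_OBJS[j]);
    return n;
}

/* How many sample objects end up in no PIN slot at all under the chosen rule;
 * these are what the extra "remaining objects" slot used to collect. */
int sample_unplaced(int new_rule)
{
    ex_rule_fn rule = ex_rule(new_rule);
    int n = 0;
    size_t i, j;
    for (j = 0; j < N_OBJS; j++) {
        int placed = 0;
        for (i = 0; i < N_PINS && !placed; i++)
            placed = rule(&SAMPLE_PINS[i], &SAMPLE_OBJS[j]);
        if (!placed)
            n++;
    }
    return n;
}
```

Under the old rule the PIN1 and PIN2 slots hold only their own private objects (2 and 1) and three objects are left for the extra slot; under the new rule the cert and pubkey appear in both slots (4 and 3) and only the orphan private key, whose auth_id matches no PIN, is left unplaced, which is the case a test of the real patch should watch for.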