Henryk Plötz wrote:
...
one more issue I know of is: they use relative paths, we use absolute
paths. we had patches for that too, but my ugly hacked worked, while
the cleaner solutions did not, and I never understood why.
that might be the next issue you can stumble upon.

Indeed. What would be the right way to solve this? IMHO all sc_path_t
should be rewritten to be absolute if they are not, so that we don't
have to find all places where the paths are used and rewrite those. But
then I didn't find any single central place where one could handle path
rewriting so I guess that would have to be done in
sc_pkcs15_decode_prkdf_entry etc. Next fun thing: find out the basedir
of the PKCS#15 application to which the paths are relative. (Though
I would be content with my simple approach: use the path of EF(ODF) and
strip the final FID.)

actually relative paths shouldn't be a problem if we do not
unnecessarily change the working DF


Oh, and the fun doesn't stop here. I hacked it up so that at least the
private keys are found and tried pkcs15-crypt --sign. Didn't work.

Turns out that pkcs15-crypt uses CLA=00, INS=2A, P1=9E, P2=9A (COMPUTE
DIGITAL SIGNATURE) for signing, to which the card responds with SW=6A81
(Function not supported). I tried the proprietary Siemens code and that
seems to use CLA=00, INS=2A, P1=80, P2=86 (DECIPHER) to do a signature.
(Or at least I think so. I did send a signed mail using the proprietary
PKCS#11 plugin and this (and the accompanying MANAGE SECURITY
ENVIRONMENT commands) were the only security relevant commands.)

that's not surprising. old cardos cards couldn't sign and decrypt with
the same key and for these keys it was necessary to create signature
with the DECIPHER command.
One could implement a workaround in the cardos driver that would try
to create a signature with the decipher command if the COMPUTE SIGNATURE
doesn't work.

Cheers,
Nils
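A sketch of the driver workaround Nils describes, added here as an example and not code from OpenSC: a transport callback standing in for sc_transmit_apdu, a mock card constructed to refuse COMPUTE DIGITAL SIGNATURE with 6A81, and a signing routine that retries as DECIPHER only on that status word. The names apdu_t, transmit_fn, sign_with_fallback, mock_old_cardos and demo_old_cardos are assumed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Minimal APDU shape; OpenSC's real sc_apdu_t carries more (le, resp, flags). */
typedef struct { uint8_t cla, ins, p1, p2; const uint8_t *data; size_t datalen; } apdu_t;
/* Transport callback: copies the card's response into resp, returns SW1SW2. */
typedef uint16_t (*transmit_fn)(const apdu_t *apdu, uint8_t *resp, size_t *resplen);

#define SW_OK                 0x9000
#define SW_FUNC_NOT_SUPPORTED 0x6A81

/* Try COMPUTE DIGITAL SIGNATURE (00 2A 9E 9A); only on 6A81 retry as DECIPHER
 * (00 2A 80 86) with the same key. Any other SW is returned unchanged so real
 * errors (wrong SE, no key selected) are not masked by the fallback. */
uint16_t sign_with_fallback(transmit_fn tx, const uint8_t *in, size_t inlen,
                            uint8_t *out, size_t *outlen, int *used_decipher)
{
    apdu_t apdu = { 0x00, 0x2A, 0x9E, 0x9A, in, inlen };
    uint16_t sw = tx(&apdu, out, outlen);
    *used_decipher = 0;
    if (sw != SW_FUNC_NOT_SUPPORTED)
        return sw;
    apdu.p1 = 0x80;
    apdu.p2 = 0x86;
    *used_decipher = 1;
    return tx(&apdu, out, outlen);
}

/* Constructed mock of an old CardOS card whose key may only DECIPHER. */
static uint16_t mock_old_cardos(const apdu_t *a, uint8_t *resp, size_t *resplen)
{
    if (a->cla != 0x00 || a->ins != 0x2A) return 0x6D00;   /* INS not supported */
    if (a->p1 == 0x9E && a->p2 == 0x9A) return SW_FUNC_NOT_SUPPORTED;
    if (a->p1 == 0x80 && a->p2 == 0x86) {
        /* stands in for the RSA private-key operation: echo input reversed */
        for (size_t i = 0; i < a->datalen; i++) resp[i] = a->data[a->datalen - 1 - i];
        *resplen = a->datalen;
        return SW_OK;
    }
    return 0x6A86;                                           /* wrong P1/P2 */
}

/* Returns 1 when the fallback path produced the expected result on the mock. */
int demo_old_cardos(void)
{
    const uint8_t hash[4] = { 0x01, 0x02, 0x03, 0x04 };      /* constructed input */
    uint8_t out[8]; size_t outlen = 0; int used_decipher = 0;
    uint16_t sw = sign_with_fallback(mock_old_cardos, hash, sizeof hash, out, &outlen, &used_decipher);
    return sw == SW_OK && used_decipher == 1 && outlen == 4 && out[0] == 0x04 && out[3] == 0x01;
}
```

In a real driver the first attempt's failure would be logged so that the DECIPHER fallback is visible in debugging output rather than silent.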
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel