Alessandro Premoli wrote:
Nils Larsch wrote:
that's not surprising. old cardos cards couldn't sign and decrypt with
the same key
Do you mean that new cardos cards don't have this limit? From what
version?
yes and no. You still can't create a signature with the PSO command
if you use a decryption key. To create a signature with such a key
cardos since afaik 4.01 has a command "SIGN BY DECRYPTION KEY"
with which one could create a signature with a decryption key (the
command is optional (needs a package) in m4.01 but should be
included in cardos >= 4.2).
Of course another way to create signatures with a decryption key
is, if the key supports 'pure' RSA, simply to 'decrypt' the
padded digestInfo structure ...
Is anyone aware of the reason of this limit?
security as it's in general not a good idea to use the same key
for signature creation and decryption.
and for these keys it was necessary to create a signature
with the DECIPHER command.
One could implement a workaround in the cardos driver that would try
to create a signature with the decipher command if the COMPUTE SIGNATURE
doesn't work.
The same workaround could be implemented in the keypair generation
process, in such a way that all-purpose key generation operation will be
converted to decipher-only key generation if the first fails.
perhaps
This will fix mozilla PKCS#11 keypair generation with cardos cards.
Cheers,
Nils
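
The fallback discussed in this thread (try COMPUTE SIGNATURE, and if the key refuses, 'decrypt' the padded DigestInfo with pure RSA), as an added Python example that is not OpenSC driver code. `DecipherOnlyCard`, `sign_with_fallback` and the toy key built from two Mersenne primes are constructed for illustration and assumed here; the key is not secure.

```python
import hashlib

# Constructed toy key: two Mersenne primes, for illustration only (not secure).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER prefix of the DigestInfo structure for SHA-256 (RFC 8017).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def pad_digest_info(message: bytes) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo, K bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if K < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


class DecipherOnlyCard:
    """Hypothetical stand-in for a card whose key has decryption usage only."""

    def compute_signature(self, data: bytes) -> bytes:
        raise PermissionError("key not usable with COMPUTE SIGNATURE")

    def decipher_raw(self, block: bytes) -> bytes:
        # 'Pure' RSA: private-key operation, the card strips no padding.
        value = int.from_bytes(block, "big")
        if len(block) != K or value >= N:
            raise ValueError("bad input block")
        return pow(value, D, N).to_bytes(K, "big")


def sign_with_fallback(card, message: bytes) -> bytes:
    em = pad_digest_info(message)       # padding is done on the host side
    try:
        return card.compute_signature(em)
    except PermissionError:
        return card.decipher_raw(em)    # fallback discussed in the thread


def verify(message: bytes, signature: bytes) -> bool:
    """Public-key check: recover the block and compare with the expected padding."""
    if len(signature) != K or int.from_bytes(signature, "big") >= N:
        return False
    em = pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")
    return em == pad_digest_info(message)
```

The output of `decipher_raw` verifies as an ordinary PKCS#1 v1.5 signature, so a key reachable through a raw decipher operation will sign whatever block the host hands it.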