Henryk Plötz wrote:
Hi,

On Mon, 24 Jul 2006 20:26:03 +0200, Nils Larsch wrote:

actually relative paths shouldn't be a problem if we do not
unnecessarily change the working DF

But exactly that is what happens. The private key path is stored as
50724B015501 and the certificate path is stored as 43044301. So when
you select either one as a relative path you can't select the other one
unless you first reselect the DF(PKCS#15).

yes


One could implement a workaround in the cardos driver that would try
to create a signature with the decipher command if the COMPUTE
SIGNATURE doesn't work.

Hmm, where would one do that? I see that cardos_compute_signature()
already does try some different approaches.

what cardos_compute_signature() currently tries is to determine
which mechanism for signature generation is supported and not
whether to use decrypt or not.

However, IMHO we can't
switch from trying SIGNATURE to DECIPHER in there because decipher
needs a different security environment. So the fallback to deciphering
would need to happen in sc_pkcs15_compute_signature() where the
security environments are set. But that is not cardos-specific code.

or we could defer the call to MSE but that would be rather inelegant.
Does your card always use decryption for signature generation or does
this depend on the specified key usage of the key?

Cheers,
Nils
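
The relative-path problem discussed in this thread, modelled as an added example (not OpenSC code and not written by either poster): selecting the key path moves the working DF, so the certificate path no longer resolves until DF(PKCS#15) is reselected. The tree layout, the 0x5015 file ID and the function `select_relative` are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy tree. Which IDs are DFs and the 0x5015 FID are assumptions. */
struct node { unsigned fid; int parent; int is_df; };
static const struct node tree[] = {
    {0x5015, -1, 1},  /* 0: DF(PKCS#15) */
    {0x5072,  0, 1},  /* 1 */
    {0x4B01,  1, 1},  /* 2 */
    {0x5501,  2, 0},  /* 3: private key */
    {0x4304,  0, 1},  /* 4 */
    {0x4301,  4, 0},  /* 5: certificate */
};
enum { PKCS15_DF = 0, NODES = sizeof tree / sizeof tree[0] };

/* Walk a hex path (4 digits per file ID) starting at *cur_df.
 * Returns 0 and updates the working DF on success, -1 if a component
 * is not a child of the DF reached so far. */
int select_relative(int *cur_df, const char *hex)
{
    size_t len = strlen(hex);
    int df = *cur_df;
    if (len == 0 || len % 4 != 0) return -1;
    for (size_t i = 0; i < len; i += 4) {
        char buf[5] = {0}, *end;
        int found = -1;
        memcpy(buf, hex + i, 4);
        unsigned long fid = strtoul(buf, &end, 16);
        if (end != buf + 4) return -1;            /* not four hex digits */
        for (int n = 0; n < NODES; n++)
            if (tree[n].parent == df && tree[n].fid == fid) found = n;
        if (found < 0) return -1;                 /* file not found */
        if (tree[found].is_df) df = found;        /* working DF moves */
        else if (i + 4 != len) return -1;         /* EF must be last */
    }
    *cur_df = df;
    return 0;
}

int main(void)
{
    int df = PKCS15_DF;
    printf("key from DF(PKCS#15):  %d\n", select_relative(&df, "50724B015501"));
    printf("cert from key's DF:    %d\n", select_relative(&df, "43044301"));
    df = PKCS15_DF;  /* reselect DF(PKCS#15) first */
    printf("cert after reselect:   %d\n", select_relative(&df, "43044301"));
    return 0;
}
```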