Ludovic Rousseau wrote:
> On 26/09/06, Ludovic Rousseau <[EMAIL PROTECTED]> wrote:
> On 26/09/06, Nils Larsch <[EMAIL PROTECTED]> wrote:
> > Ludovic Rousseau wrote:
> > > Even if I C_Login() with the correct PIN the protected DF will not be
> > > read again. In fact the VERIFY APDU is sent to the card, 90 00 comes
> > > back and then no more exchanges with the card.
> >
> > I guess this is a missing feature of our pkcs11 lib, the list
> > of objects isn't really updated once the user has logged in.
>
> I see. Some code is missing.
>
> I hacked the code to present the PIN code early (in fact just after
> the applet selection) so I do not have any
> SC_ERROR_SECURITY_STATUS_NOT_SATISFIED error any more. And I now see
> (some of) my objects in slot 0.
>
> I have:
>
> $ ./tools/pkcs11-tool --module ./pkcs11/.libs/opensc-pkcs11.so --list-objects
> Certificate Object, type = X.509 cert
>   label:      Ludovic Rousseau's Test CA ID
>   ID:         e5b8c9d566450b0971df07a191db03b57af893b3
> Public Key Object; RSA 1024 bits
>   label:      Ludovic Rousseau's Test CA ID
>   ID:         e5b8c9d566450b0971df07a191db03b57af893b3
>   Usage:      encrypt, verify, wrap
> Certificate Object, type = X.509 cert
>   label:      Test CA's Test CA ID
>   ID:         00
> Public Key Object; RSA 1024 bits
>   label:      Test CA's Test CA ID
>   ID:         00
>   Usage:      encrypt, verify
>
> $ ./tools/pkcs11-tool --module ./pkcs11/.libs/opensc-pkcs11.so --list-objects --pin=123456
> Private Key Object; RSA
>   label:      Ludovic Rousseau's Test CA ID
>   ID:         e5b8c9d566450b0971df07a191db03b57af893b3
>   Usage:      decrypt, sign, unwrap
> Certificate Object, type = X.509 cert
>   label:      Ludovic Rousseau's Test CA ID
>   ID:         e5b8c9d566450b0971df07a191db03b57af893b3
> Public Key Object; RSA 1024 bits
>   label:      Ludovic Rousseau's Test CA ID
>   ID:         e5b8c9d566450b0971df07a191db03b57af893b3
>   Usage:      encrypt, verify, wrap
> Certificate Object, type = X.509 cert
>   label:      Test CA's Test CA ID
>   ID:         00
> Public Key Object; RSA 1024 bits
>   label:      Test CA's Test CA ID
>   ID:         00
>   Usage:      encrypt, verify
>
> Without the --pin=xxx argument I only see (some of) the public
> objects. With the --pin=xxx argument I also see the private key.
>
> In slot 1 I only see (with or without --pin=xxx) the data objects:
>
> $ ./tools/pkcs11-tool --module ./pkcs11/.libs/opensc-pkcs11.so --list-objects --slot=1
> Data object 1
>   label:          'Ludovic Rousseau's Test CA ID'
>   application:    'CSP'
>   app_id:         -1
>   flags:          modifiable
> Data object 2
>   label:          'Default Key Container'
>   application:    'CSP'
>   app_id:         -1
>   flags:          modifiable
>
> > the current policy afaik is to put everything protected by specific pin
> > in a separate slot (together with the pin) and all public objects in
> > a separate slot as well (unless hide_empty_tokens is set).
>
> That is not exactly what I see. Data objects (public data) are only in
> slot 1 and certificates and public keys (public data) are only in slot
> 0.
>
> Do you have an explanation for this behavior?

hmm, I didn't write this code ... you might want to look at
pkcs15_create_tokens() in src/pkcs11/framework-pkcs15.c

> Without my early PIN verification I see nothing in slot 0 with or
> without --pin=xxx. So my PIN protected files are really disturbing
> OpenSC even for public objects.

ideally the pkcs11 lib should re-create the list of objects (including
evaluating all unparsed DFs) after a login

> Any idea where I should look in the OpenSC code to solve this?

src/pkcs11/framework-pkcs15.c
Cheers,
Nils
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
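An added example, not code from the thread or from OpenSC: a small parser for the `pkcs11-tool --list-objects` output quoted above that diffs a listing taken without `--pin` against one taken with `--pin`, so that "object only appears after login" (expected for private keys) and "public object disappears" (the missing-refresh symptom discussed here) show up as explicit results. The embedded listings are constructed from the slot 0 output quoted in the thread, abbreviated to the first certificate/public key pair.

```python
import re

# Constructed sample input: slot 0 as pkcs11-tool prints it without --pin
# (WITHOUT_PIN) and with --pin (WITH_PIN), taken from the thread above.
WITHOUT_PIN = """\
Certificate Object, type = X.509 cert
  label:      Ludovic Rousseau's Test CA ID
  ID:         e5b8c9d566450b0971df07a191db03b57af893b3
Public Key Object; RSA 1024 bits
  label:      Ludovic Rousseau's Test CA ID
  ID:         e5b8c9d566450b0971df07a191db03b57af893b3
  Usage:      encrypt, verify, wrap
"""
WITH_PIN = """\
Private Key Object; RSA
  label:      Ludovic Rousseau's Test CA ID
  ID:         e5b8c9d566450b0971df07a191db03b57af893b3
  Usage:      decrypt, sign, unwrap
""" + WITHOUT_PIN

# Object header lines; "Data object 1" uses a lowercase "object".
HEADER = re.compile(r"^(Certificate|Public Key|Private Key|Data) [Oo]bject")


def parse_listing(text):
    """Return a list of (object_class, attrs) tuples, one per listed object.
    Attribute keys are lowercased ("label", "id", "usage", ...)."""
    objects = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            objects.append((m.group(1), {}))
        elif objects and ":" in line:
            key, _, value = line.strip().partition(":")
            objects[-1][1][key.strip().lower()] = value.strip()
    return objects


def compare_listings(before_login, after_login):
    """Diff two listings keyed by (class, ID). Private keys are expected to
    appear after login; nothing public should ever disappear after it."""
    key = lambda obj: (obj[0], obj[1].get("id"))
    before = {key(o) for o in parse_listing(before_login)}
    after = {key(o) for o in parse_listing(after_login)}
    return {
        "appeared": sorted(after - before),
        "disappeared": sorted(before - after),
        # A private object listed before login would indicate a CKA_PRIVATE
        # visibility problem in the module, so report it separately.
        "private_visible_without_pin": any(c == "Private Key" for c, _ in before),
    }
```

Feeding it the two real listings of a slot (captured from `pkcs11-tool` before and after supplying the PIN) gives a quick check that a module refresh after C_Login added the private objects without losing the public ones.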