Hi,

Just to stay on the topic - dealing with the same problem in Firefox 2.0. Now you tell me what is right and what is not right (I don't know signer, but where and how should the decision about the certificate to use be made?). Is it documented that the nonrep key should be used? Does the signature requester say which certificate it wants to use?

https://bugzilla.mozilla.org/show_bug.cgi?id=328346
http://martin.paljak.pri.ee/2006/10/10/sexual-explanation-of-key-usage-bits-handling-in-firefox/

But.. AFAIK one of the only users of the signer plugin is Finland (some others? please speak up!) and I know it is the right behavior for you...

cheers,
m.

On 11.10.2006, at 3:28, Antti S. Lankila wrote:

opensc-signer by default does not use the non-repudiation key when generating a digital signature. This is most evident from the fact that the PIN code asked for by the pinentry is the "Perustunnus" instead of the "Allekirjoitustunnus".

To fix this issue, two places need to be changed in opensc-support.c:

#if 0
                if (key->usage & SC_PKCS15_PRKEY_USAGE_NONREPUDIATION) {
#endif
                        /* Use the first available non-repudiation key */
                        cert_id = key->id;
                        break;
#if 0
                }
#endif

The #if 0 / #endif lines are to be removed, so that this test applies.

In opensc-crypto.c, the function sc_sign needs to be updated here:

       r = sc_pkcs15_find_prkey_by_id_usage(priv->p15card,
                                       &priv->cert_id,
                                       SC_PKCS15_PRKEY_USAGE_SIGN,

This should be changed to SC_PKCS15_PRKEY_USAGE_NONREPUDIATION.

After this, the correct key (allekirjoitustunnus) is requested by the browser.

Here is the output from pkcs15-tool -k:

Private RSA Key [todentamis- ja salausavain]
        Com. Flags  : 1
        Usage       : [0x26], decrypt, sign, unwrap
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 1024
        Key ref     : 0
        Native      : yes
        Path        : 4b01
        Auth ID     : 01
        ID          : 45

Private RSA Key [allekirjoitusavain]
        Com. Flags  : 1
        Usage       : [0x200], nonRepudiation
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 1024
        Key ref     : 0
        Native      : yes
        Path        : 4b02
        Auth ID     : 02
        ID          : 46

--
Antti
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

--
Martin Paljak / [EMAIL PROTECTED]
martin.paljak.pri.ee / ideelabor.ee
+372 515 64 95


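The following C program is an added illustration of the key-selection point Antti raises; it is not code from the thread or from OpenSC. The SC_PKCS15_PRKEY_USAGE_* values are the ones OpenSC defines in pkcs15.h (the 0x26 and 0x200 masks in the pkcs15-tool listing decode with exactly those bits); struct demo_prkey, select_signing_key and usage_to_string are hypothetical stand-ins, and the two card keys are constructed from the listing above. With prefer_nonrep set to 0 the selection reproduces the reported behaviour (first key carrying the plain "sign" bit, i.e. the authentication key behind the Perustunnus PIN); with it set to 1 the nonRepudiation key behind the Allekirjoitustunnus PIN is chosen, and a card without such a key yields NULL instead of a signature made with an authentication key.

```c
#include <stdio.h>
#include <string.h>

/* PKCS#15 private-key usage bits, with the values OpenSC defines in
 * pkcs15.h (0x26 = decrypt|sign|unwrap, 0x200 = nonRepudiation). */
#define SC_PKCS15_PRKEY_USAGE_ENCRYPT        0x01
#define SC_PKCS15_PRKEY_USAGE_DECRYPT        0x02
#define SC_PKCS15_PRKEY_USAGE_SIGN           0x04
#define SC_PKCS15_PRKEY_USAGE_SIGNRECOVER    0x08
#define SC_PKCS15_PRKEY_USAGE_WRAP           0x10
#define SC_PKCS15_PRKEY_USAGE_UNWRAP         0x20
#define SC_PKCS15_PRKEY_USAGE_VERIFY         0x40
#define SC_PKCS15_PRKEY_USAGE_VERIFYRECOVER  0x80
#define SC_PKCS15_PRKEY_USAGE_DERIVE         0x100
#define SC_PKCS15_PRKEY_USAGE_NONREPUDIATION 0x200

/* Hypothetical stand-in for the key objects the plugin walks; OpenSC's
 * real type (sc_pkcs15_prkey_info) carries many more fields. */
struct demo_prkey {
    const char *label;
    unsigned int usage;     /* bitmask of the flags above */
    unsigned char id;       /* key ID as pkcs15-tool prints it (hex) */
    unsigned char auth_id;  /* ID of the PIN that protects the key */
};

/* Constructed sample: the two keys from the pkcs15-tool -k listing. */
static const struct demo_prkey card_keys[] = {
    { "todentamis- ja salausavain", 0x26,  0x45, 0x01 }, /* Perustunnus PIN */
    { "allekirjoitusavain",         0x200, 0x46, 0x02 }, /* Allekirjoitustunnus PIN */
};
#define CARD_KEY_COUNT (sizeof card_keys / sizeof card_keys[0])

/* Usage names in the order pkcs15-tool prints them. */
static const struct { unsigned int bit; const char *name; } usage_names[] = {
    { SC_PKCS15_PRKEY_USAGE_ENCRYPT,        "encrypt" },
    { SC_PKCS15_PRKEY_USAGE_DECRYPT,        "decrypt" },
    { SC_PKCS15_PRKEY_USAGE_SIGN,           "sign" },
    { SC_PKCS15_PRKEY_USAGE_SIGNRECOVER,    "signRecover" },
    { SC_PKCS15_PRKEY_USAGE_WRAP,           "wrap" },
    { SC_PKCS15_PRKEY_USAGE_UNWRAP,         "unwrap" },
    { SC_PKCS15_PRKEY_USAGE_VERIFY,         "verify" },
    { SC_PKCS15_PRKEY_USAGE_VERIFYRECOVER,  "verifyRecover" },
    { SC_PKCS15_PRKEY_USAGE_DERIVE,         "derive" },
    { SC_PKCS15_PRKEY_USAGE_NONREPUDIATION, "nonRepudiation" },
};

/* Decode a usage mask into "decrypt, sign, unwrap" form. Returns the
 * number of characters written (terminator excluded); stops cleanly
 * when the buffer is too small. */
size_t usage_to_string(unsigned int usage, char *buf, size_t len)
{
    size_t n = 0, i;
    if (len == 0)
        return 0;
    buf[0] = '\0';
    for (i = 0; i < sizeof usage_names / sizeof usage_names[0]; i++) {
        int w;
        if (!(usage & usage_names[i].bit))
            continue;
        w = snprintf(buf + n, len - n, "%s%s", n ? ", " : "", usage_names[i].name);
        if (w < 0 || (size_t)w >= len - n)   /* output truncated */
            return len - 1;
        n += (size_t)w;
    }
    return n;
}

/* Choose the key for a digital signature.
 * prefer_nonrep == 0: first key with the plain "sign" bit (the reported
 * behaviour; on this card that is the authentication key).
 * prefer_nonrep != 0: first nonRepudiation key, or NULL if the card has
 * none, rather than silently signing with an authentication key. */
const struct demo_prkey *select_signing_key(const struct demo_prkey *keys,
                                            size_t count, int prefer_nonrep)
{
    unsigned int want = prefer_nonrep ? SC_PKCS15_PRKEY_USAGE_NONREPUDIATION
                                      : SC_PKCS15_PRKEY_USAGE_SIGN;
    size_t i;
    for (i = 0; i < count; i++)
        if (keys[i].usage & want)
            return &keys[i];
    return NULL;
}

int main(void)
{
    char buf[128];
    size_t i;
    const struct demo_prkey *before, *after;
    for (i = 0; i < CARD_KEY_COUNT; i++) {
        usage_to_string(card_keys[i].usage, buf, sizeof buf);
        printf("key %02X [%s]: usage [0x%X] %s, auth ID %02X\n",
               card_keys[i].id, card_keys[i].label, card_keys[i].usage,
               buf, card_keys[i].auth_id);
    }
    before = select_signing_key(card_keys, CARD_KEY_COUNT, 0);
    after  = select_signing_key(card_keys, CARD_KEY_COUNT, 1);
    printf("unpatched selection: key %02X, PIN %02X\n", before->id, before->auth_id);
    printf("patched selection:   key %02X, PIN %02X\n", after->id, after->auth_id);
    return 0;
}
```

The PIN reference (auth ID 01 versus 02) is what makes the wrong choice visible to the user, which is exactly the symptom Antti describes: if the prompt asks for the Perustunnus, the signature is about to be made with key 45 and will not carry the nonRepudiation usage.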