I am trying to understand the logic in the framework-pkcs15.c which uses two (or more) slots for objects that require a PIN, and an additional slot for all remaining objects that don't.
That makes some sense espeicall with multiple PINS, but why then is the certificate (which does not require a PIN,) placed in the first slot with the objects that do? (I suspect to get it to work...) On my card, one of the certs and its prvkey do not require a PIN, as they can be used to authenticate the card, and as expected they are placed in the last slot. The 3 private data objects on the card are placed in the first slot, and the 3 public data objects are placed in the last slot. WHAT I WOULD LIKE TO DO IS ADD ALL PUBLIC OBJECTS TO ALL THE SLOTS. Does any one see a problem with this? The SC_PKCS15_CO_FLAG_PRIVATE appears to be used to set the PKCS#11 CKA_PRIVATE attribute so an application calling PKCS#11 can tell if an object needs to use a PIN or not before trying to use the object. Looks like someone has though about this, with the onepin-opensc-pkcs11.so which uses hack-enable.c (hack_enable=1) and only uses one slot, but adds all the certs, pubkey, and prvkeys but not the data objects to the slot!. (The use of the word "hack" implies this may have been a temporary solution.) If I added the code to add all public objects to all the slots, for cards with only one PIN, I believe the calling application would see no difference between the opensc-pkcs11.so and the onepin-opensc-pkcs11.so. Thus the code to support the onepin-opensc-pkcs11.so could be dropped. I have a card (PIV) with 4 certs, 4 prvkeys, 3 public data objects, and 3 private data object requiring the PIN. (I am cleaning up the code that calls in pkcs15-piv.c to sc_PKCS15emu... to create the objects and run into the problems of how to handle the objects, and get pkcs15-tool and pkcs11-tool to list and read them.) -- Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
