I am trying to understand the logic in the framework-pkcs15.c
which uses two (or more) slots for objects that require a PIN,
and an additional slot for all remaining objects that don't.

That makes some sense especially with multiple PINs, but why then
is the certificate (which does not require a PIN) placed in the
first slot with the objects that do?  (I suspect to get it to work...)

On my card, one of the certs and its prvkey do not require a PIN,
as they can be used to authenticate the card, and as expected they
are placed in the last slot.

The 3 private data objects on the card are placed in the first slot,
and the 3 public data objects are placed in the last slot.

WHAT I WOULD LIKE TO DO IS ADD ALL PUBLIC OBJECTS TO ALL THE SLOTS.

Does anyone see a problem with this?

The SC_PKCS15_CO_FLAG_PRIVATE appears to be used to set the PKCS#11
CKA_PRIVATE attribute so an application calling PKCS#11 can tell if an
object needs to use a PIN or not before trying to use the object.

Looks like someone has thought about this, with the onepin-opensc-pkcs11.so
which uses hack-enable.c (hack_enable=1) and only uses one slot, but adds
all the certs, pubkeys, and prvkeys but not the data objects to the slot!

(The use of the word "hack" implies this may have been a temporary solution.)

If I added the code to add all public objects to all the slots, for cards
with only one PIN, I believe the calling application would see no difference
between the opensc-pkcs11.so and the onepin-opensc-pkcs11.so. Thus the code to
support the onepin-opensc-pkcs11.so could be dropped.
I have a card (PIV) with 4 certs, 4 prvkeys, 3 public data
objects, and 3 private data objects requiring the PIN.

(I am cleaning up the code that calls in pkcs15-piv.c to sc_PKCS15emu...
to create the objects and ran into the problems of how to handle the
objects, and get pkcs15-tool and pkcs11-tool to list and read them.)

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
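An added example, not OpenSC's own code and not part of the post: a small C model of the slot mapping the post describes (one PKCS#11 slot per PIN, plus a trailing slot for objects that need no PIN) beside the proposed variant that copies every PIN-less object into every slot. The object list is a constructed PIV-style card with one PIN, and the struct and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the PKCS#15 -> PKCS#11 slot mapping discussed in the
 * post. Not OpenSC code: names, fields and the object list are assumptions. */

#define MAX_SLOTS 8
#define MAX_OBJS  32

enum obj_kind { OBJ_CERT, OBJ_PRVKEY, OBJ_DATA };

struct p15_obj {
    const char *label;
    enum obj_kind kind;
    int needs_pin;   /* analogue of SC_PKCS15_CO_FLAG_PRIVATE / CKA_PRIVATE */
    int auth_id;     /* PIN the object (for a cert: its key) is tied to; 0 = none */
};

struct slot {
    int auth_id;     /* 0 marks the trailing "public" slot */
    int count;
    const char *labels[MAX_OBJS];
};

/* Build slots from a PKCS#15 object list.  One slot per distinct auth_id,
 * then a final public slot.  With replicate_public == 0 every object lands
 * only in the slot of its auth_id (current behaviour as the post describes
 * it); with replicate_public != 0 objects that need no PIN are added to
 * every slot (the change the post proposes).  Returns the slot count. */
static int build_slots(const struct p15_obj *objs, int n, int replicate_public,
                       struct slot *slots, int max_slots)
{
    int nslots = 0;
    memset(slots, 0, sizeof(*slots) * max_slots);

    for (int i = 0; i < n; i++) {            /* one slot per PIN, in order seen */
        if (objs[i].auth_id == 0) continue;
        int found = 0;
        for (int s = 0; s < nslots; s++)
            if (slots[s].auth_id == objs[i].auth_id) found = 1;
        if (!found && nslots < max_slots - 1)
            slots[nslots++].auth_id = objs[i].auth_id;
    }
    slots[nslots++].auth_id = 0;             /* trailing slot for PIN-less objects */

    for (int i = 0; i < n; i++) {
        for (int s = 0; s < nslots; s++) {
            int place = (slots[s].auth_id == objs[i].auth_id);
            if (!objs[i].needs_pin && replicate_public)
                place = 1;                   /* public object: visible in every slot */
            if (place && slots[s].count < MAX_OBJS)
                slots[s].labels[slots[s].count++] = objs[i].label;
        }
    }
    return nslots;
}

/* Constructed PIV-style card: 4 certs, 4 prvkeys, 3 public and 3 private
 * data objects, one PIN (auth_id 1).  The card-auth cert/key need no PIN. */
static const struct p15_obj sample_card[] = {
    { "Cert PIV Auth",    OBJ_CERT,   0, 1 }, { "PrvKey PIV Auth",  OBJ_PRVKEY, 1, 1 },
    { "Cert Sign",        OBJ_CERT,   0, 1 }, { "PrvKey Sign",      OBJ_PRVKEY, 1, 1 },
    { "Cert KeyMgmt",     OBJ_CERT,   0, 1 }, { "PrvKey KeyMgmt",   OBJ_PRVKEY, 1, 1 },
    { "Cert Card Auth",   OBJ_CERT,   0, 0 }, { "PrvKey Card Auth", OBJ_PRVKEY, 0, 0 },
    { "Public data 1",    OBJ_DATA,   0, 0 }, { "Public data 2",    OBJ_DATA,   0, 0 },
    { "Public data 3",    OBJ_DATA,   0, 0 },
    { "Private data 1",   OBJ_DATA,   1, 1 }, { "Private data 2",   OBJ_DATA,   1, 1 },
    { "Private data 3",   OBJ_DATA,   1, 1 },
};
#define SAMPLE_N ((int)(sizeof(sample_card) / sizeof(sample_card[0])))

/* Number of objects in slot `idx` of the sample card, -1 if no such slot. */
static int slot_count(int replicate_public, int idx)
{
    struct slot slots[MAX_SLOTS];
    int nslots = build_slots(sample_card, SAMPLE_N, replicate_public, slots, MAX_SLOTS);
    return (idx >= 0 && idx < nslots) ? slots[idx].count : -1;
}

int main(void)
{
    for (int mode = 0; mode < 2; mode++) {
        struct slot slots[MAX_SLOTS];
        int nslots = build_slots(sample_card, SAMPLE_N, mode, slots, MAX_SLOTS);
        printf("== %s ==\n", mode ? "public objects in every slot" : "one slot per object");
        for (int s = 0; s < nslots; s++) {
            printf("slot %d (auth_id %d): %d objects\n", s, slots[s].auth_id, slots[s].count);
            for (int i = 0; i < slots[s].count; i++)
                printf("    %s\n", slots[s].labels[i]);
        }
    }
    return 0;
}
```

With the current mapping the PIN slot holds the 3 PIN-protected keys, their 3 certs and the 3 private data objects (9), and the trailing slot holds the card-auth cert and key plus the 3 public data objects (5). With replication the PIN slot grows to 14 (every public object is visible there too) and the trailing slot holds all 8 public objects, so an application that only opens the first slot still sees every object it can use without a PIN.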