Timothy J Miller wrote:
> I should point out that this is bad practice for keys used for data
> encryption, as loss or damage of the card can result in loss of the
> protected data. US DoD, for example, generates the signature keys on
> card, but encryption keys off-card and securely injects them, also
> saving them in a key escrow system. US Federal PIV recommends the
> same to implementers.
>
> So if OpenSC doesn't have this capability, it sorely needs it.

You bring up PIV as an example. NIST 800-73 (and 800-73-1 and 800-73-2) define the Generate Asymmetric Key Pair command, to generate a key on the card and read the public key as the result. But NIST did not define in the PIV standards how to load a private key on to the card. They left this up to the card vendors, giving them some product differentiation, as the only software that should need to do this is a card activation station. PIV is really an application on a card, and there are currently 4 NIST approved cards. 800-73 defines the application that needs to be standardized for end user use.

The OpenSC PIV support is currently based on NIST 800-73-1, with some very limited support to use APDUs directly to allow for doing some simple card administration to get a key from the card and load a certificate. The goal was to support the normal use of the NIST standard for platforms that use Open Source, not to develop a card administration station for specific cards. This would allow Unix systems to use government issued cards with PKCS11 for login, browser and mail.

If you have the card vendor's documentation showing the commands, and you know the transport keys, you could add the capability to write a key. The piv-tool would be the place to start. It has options to authenticate to the card using a 3DES key (provided by the card vendor) using mutual or external authentication as required by the card vendor, then to issue an APDU command.
For example, since 800-73 does not define how to delete an object, one could use something like one of these commands to write out a null cert object:

    PIV_EXT_AUTH_KEY=cards/$1.9B03
    export PIV_EXT_AUTH_KEY
    piv-tool -A M:9B:03 -s 00:DB:3F:FF:07:5C:03:5F:C1:05:53:00
    piv-tool -A A:9B:03 -s 00:DB:3F:FF:09:5C:03:5F:C1:05:53:00:00:00
    piv-tool -A A:9B:01 -s 00:DB:3F:FF:09:5C:03:5F:C1:05:53:00:00:00

These represent two different card vendors with three beta cards.

Or to write out a new 3DES key to a card that has not been finalized:

    piv-tool -s 00:DB:3F:ff:1D:5C:02:9B:00:53:$NEWKEY

>
> -- Tim
>
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
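The byte strings handed to piv-tool -s above are raw ISO 7816 APDUs, and it helps to see their structure rather than count hex bytes. What follows is an added example, not OpenSC or piv-tool code, that builds and decodes the PIV PUT DATA (00 DB 3F FF) and GET DATA (00 CB 3F FF) APDUs. The data object tags are taken from NIST SP 800-73; all function names are this example's own. It reproduces the first command in the thread byte for byte, shows that the two vendor variants differ only in two trailing 00 bytes after the empty 53 element, and refuses bodies over 255 bytes, which would need command chaining that this example does not implement. The 9B key-loading command is vendor specific: the builder will encode any tag bytes you pass it, but what goes inside 53 for a key is not something 800-73 defines, so nothing here models it.

```python
"""Build and decode the PIV PUT DATA / GET DATA APDUs that piv-tool -s sends.

Added example for this thread, not OpenSC or piv-tool code. Object tags are
from NIST SP 800-73; the function names are this example's own.
"""

# Tag 5C (tag list) selects a PIV data object by one of these 800-73 tags.
PIV_OBJECTS = {
    "CERT_CARD_AUTH": bytes.fromhex("5FC101"),
    "CHUID": bytes.fromhex("5FC102"),
    "CERT_PIV_AUTH": bytes.fromhex("5FC105"),
    "CCC": bytes.fromhex("5FC107"),
    "CERT_DIGITAL_SIGNATURE": bytes.fromhex("5FC10A"),
    "CERT_KEY_MANAGEMENT": bytes.fromhex("5FC10B"),
}

PUT_DATA = bytes([0x00, 0xDB, 0x3F, 0xFF])  # CLA INS P1 P2 for PUT DATA
GET_DATA = bytes([0x00, 0xCB, 0x3F, 0xFF])  # CLA INS P1 P2 for GET DATA


def ber_len(n: int) -> bytes:
    """Encode a BER-TLV definite-form length (up to 65535)."""
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return bytes([0x81, n])
    if n < 0x10000:
        return bytes([0x82]) + n.to_bytes(2, "big")
    raise ValueError("value too long for this example")


def tlv(tag: int, value: bytes) -> bytes:
    """One BER-TLV element with a single-byte tag."""
    return bytes([tag]) + ber_len(len(value)) + value


def put_data_apdu(object_tag: bytes, data: bytes) -> bytes:
    """PUT DATA: 00 DB 3F FF Lc | 5C <tag> | 53 <data>.

    An empty data element (53 00) is what the thread uses to blank an object.
    A body over 255 bytes needs command chaining, which is not done here.
    """
    body = tlv(0x5C, object_tag) + tlv(0x53, data)
    if len(body) > 0xFF:
        raise ValueError("body exceeds a short APDU; command chaining required")
    return PUT_DATA + bytes([len(body)]) + body


def get_data_apdu(object_tag: bytes) -> bytes:
    """GET DATA: 00 CB 3F FF Lc | 5C <tag> | Le=00."""
    body = tlv(0x5C, object_tag)
    return GET_DATA + bytes([len(body)]) + body + b"\x00"


def parse_tlv(buf: bytes, pos: int = 0):
    """Decode one single-byte-tag BER-TLV element; returns (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("TLV value truncated")
    return tag, value, pos + length


def parse_put_data(apdu: bytes):
    """Split a PUT DATA APDU into (object_tag, data, trailing_bytes).

    trailing_bytes is whatever follows the 53 element inside Lc; the vendor
    variants in the thread carry two extra 00 bytes there.
    """
    if apdu[:4] != PUT_DATA:
        raise ValueError("not a PIV PUT DATA APDU")
    lc = apdu[4]
    body = apdu[5:]
    if len(body) != lc:
        raise ValueError(f"Lc={lc} but {len(body)} data bytes follow")
    tag, object_tag, pos = parse_tlv(body)
    if tag != 0x5C:
        raise ValueError("expected tag list (5C)")
    tag, data, pos = parse_tlv(body, pos)
    if tag != 0x53:
        raise ValueError("expected data element (53)")
    return object_tag, data, body[pos:]


def to_pivtool(apdu: bytes) -> str:
    """Colon-separated hex, the form piv-tool -s takes on the command line."""
    return ":".join(f"{b:02X}" for b in apdu)


def from_pivtool(text: str) -> bytes:
    """Inverse of to_pivtool."""
    return bytes.fromhex(text.replace(":", ""))
```

Running to_pivtool(put_data_apdu(PIV_OBJECTS["CERT_PIV_AUTH"], b"")) yields exactly the first command's argument, 00:DB:3F:FF:07:5C:03:5F:C1:05:53:00, and parse_put_data on the 09-length vendor variant returns the same object tag and empty data plus b"\x00\x00" as trailing bytes. The Lc check matters in practice: a mis-counted Lc is the most common way a hand-typed APDU fails, and the card's status word rarely tells you that is the cause.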