Martin Paljak wrote:
Hi.
There seem to be two targets:
a) How to accomplish all functionality via PKCS#11 interface
b) How to remain compatible with as many as possible / select existing
application implementations.
IMHO,
Exploiting C_Login(CKU_CONTEXT_SPECIFIC) + SetPIN() to achieve target a seems
reasonably valid, as it does not seem to contradict the 2.20 spec.
Achieving b will probably be difficult anyway, as there are different cards and
different applications, which most probably have quirks themselves as well or
work in a specific combination only.
Is there a real life test-case or usage scenario (some "respectable" and common
application used in the wild)?
To me, C_SetPIN without a logged-in user seems a somewhat OK solution, even
though I agree with the possible PUK counter decrease problem.
Thus implementing the context-specific trick for target a is OK; achieving
target b requires a real-life application example and an investigation of what other
implementations do (also note that proprietary PKCS#11 interfaces are
usually tuned to the specific hardware they support and thus probably can't
be copied 1:1 into OpenSC).
I propose to implement both scenarios and to parametrize their
activation from the 'opensc-pkcs11' section of opensc.conf.
This way, probably, we'll get some return from the actual OpenSC users
about the preferable one.
Martin.
On 04.01.2010, at 11:03, Pierre Ossman wrote:

> On Thu, 03 Dec 2009 14:57:34 +0100
> Viktor TARASOV <viktor.tara...@opentrust.com> wrote:
>
>> Another possible, 'alternative to alternative' scheme is to use C_SetPin()
>> in the specific context (after C_Login(CKU_SPECIFIC_CONTEXT)).
>> So, in CKU_USER_PIN context C_SetPin() is used to change user PIN,
>> in CKU_CONTEXT_SPECIFIC it's used to unblock user PIN.
>> Afais, CKU_CONTEXT_SPECIFIC is not actually used.
>
> The problem here is that this is not something that's specified in the
> standard, and it's not the system existing implementations use.
> I think that as far as the interface goes, C_Login(CKU_SO) followed by
> C_InitPin() is set in stone, as we want to be compatible with what's
> already out there.
>
> On Fri, 04 Dec 2009 09:44:36 +0100
> Viktor TARASOV <viktor.tara...@opentrust.com> wrote:
>
>> -- if C_SetPIN() is not preceded by C_Login, then implicitly the
>> User PIN is going to be changed.
>> In this case the 'pOldPin' argument is the unblocking code.
>> For me it's quite logical, because, as you've told,
>> we do not have or cannot use the actual PIN value.
>>
>> --
>> Viktor Tarasov <viktor.tara...@opentrust.com>
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
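The three call sequences debated in the thread (C_Login(CKU_SO) followed by C_InitPIN; the C_Login(CKU_CONTEXT_SPECIFIC) plus C_SetPIN trick; and C_SetPIN without a login, with the unblocking code as pOldPin), as an added example in the form of a constructed Python model of a token's PIN and PUK retry counters. This is not OpenSC code and not anything the posters wrote: the PIN values, the retry limit, the `implicit_unblock` switch (standing in for the opensc.conf option Martin proposes) and the choice that a context-specific C_SetPIN does not re-check pOldPin are all assumptions. The last function reproduces the PUK counter concern Martin mentions: an application that follows the spec's default semantics and calls C_SetPIN without logging in, with a mistyped user PIN, burns a PUK retry under the implicit scheme but not under the standard one.

```python
"""Constructed model of a PKCS#11 token's PIN/PUK handling (not OpenSC code)."""
from dataclasses import dataclass
from typing import Optional

# User types and return codes carry their PKCS#11 v2.20 numeric values.
CKU_SO, CKU_USER, CKU_CONTEXT_SPECIFIC = 0, 1, 2
CKR_OK, CKR_PIN_INCORRECT, CKR_PIN_LOCKED = 0x00, 0xA0, 0xA4
CKR_USER_NOT_LOGGED_IN, CKR_USER_TYPE_INVALID = 0x101, 0x103
MAX_TRIES = 3  # assumed retry limit for every secret


@dataclass
class Token:
    """Secrets and retry counters of a simulated card (all values constructed)."""
    so_pin: str = "12345678"
    user_pin: str = "1234"
    puk: str = "87654321"
    so_tries: int = MAX_TRIES
    user_tries: int = MAX_TRIES
    puk_tries: int = MAX_TRIES

    def verify(self, counter: str, secret: str, candidate: str) -> int:
        """Compare candidate with secret; a mismatch burns one retry of `counter`."""
        tries = getattr(self, counter)
        if tries == 0:
            return CKR_PIN_LOCKED
        if candidate != secret:
            setattr(self, counter, tries - 1)
            return CKR_PIN_INCORRECT if tries > 1 else CKR_PIN_LOCKED
        setattr(self, counter, MAX_TRIES)  # a good presentation resets the counter
        return CKR_OK


class Session:
    """Minimal PKCS#11-style session over one Token.

    implicit_unblock models the scheme from Viktor's Dec 4 mail, switched on
    the way Martin proposes for opensc.conf; the option name is hypothetical.
    """

    def __init__(self, token: Token, implicit_unblock: bool = False):
        self.token = token
        self.implicit_unblock = implicit_unblock
        self.user_type: Optional[int] = None

    def C_Login(self, user_type: int, pin: str) -> int:
        t = self.token
        checks = {
            CKU_SO: ("so_tries", t.so_pin),
            CKU_USER: ("user_tries", t.user_pin),
            # The context-specific trick: the unblocking code is the login PIN.
            CKU_CONTEXT_SPECIFIC: ("puk_tries", t.puk),
        }
        if user_type not in checks:
            return CKR_USER_TYPE_INVALID
        counter, secret = checks[user_type]
        rv = t.verify(counter, secret, pin)
        if rv == CKR_OK:
            self.user_type = user_type
        return rv

    def C_InitPIN(self, new_pin: str) -> int:
        """Standard unblock path: only the SO may (re)initialise the user PIN."""
        if self.user_type != CKU_SO:
            return CKR_USER_NOT_LOGGED_IN
        self.token.user_pin, self.token.user_tries = new_pin, MAX_TRIES
        return CKR_OK

    def C_SetPIN(self, old_pin: str, new_pin: str) -> int:
        t = self.token
        if self.user_type == CKU_SO:
            rv = t.verify("so_tries", t.so_pin, old_pin)
            if rv == CKR_OK:
                t.so_pin = new_pin
            return rv
        if self.user_type == CKU_CONTEXT_SPECIFIC:
            rv = CKR_OK  # assumption: PUK was already checked by C_Login
        elif self.user_type is None and self.implicit_unblock:
            # Implicit scheme: not logged in, so old_pin is taken to be the PUK.
            rv = t.verify("puk_tries", t.puk, old_pin)
        else:
            # v2.20 default: not logged in (or CKU_USER) means a user PIN change.
            rv = t.verify("user_tries", t.user_pin, old_pin)
        if rv == CKR_OK:
            t.user_pin, t.user_tries = new_pin, MAX_TRIES
        return rv


def block_user_pin(token: Token) -> int:
    """Exhaust the user PIN retries; returns the code a correct PIN then gets."""
    s = Session(token)
    for _ in range(MAX_TRIES):
        s.C_Login(CKU_USER, "wrong")
    return s.C_Login(CKU_USER, token.user_pin)


def unblock_via_so(token: Token, so_pin: str, new_pin: str) -> int:
    s = Session(token)
    rv = s.C_Login(CKU_SO, so_pin)
    return rv if rv != CKR_OK else s.C_InitPIN(new_pin)


def unblock_via_context_specific(token: Token, puk: str, new_pin: str) -> int:
    s = Session(token)
    rv = s.C_Login(CKU_CONTEXT_SPECIFIC, puk)
    return rv if rv != CKR_OK else s.C_SetPIN(puk, new_pin)


def puk_tries_after_mistaken_pin_change(implicit_unblock: bool) -> int:
    """A spec-following app calls C_SetPIN(old user PIN, new) without logging
    in and mistypes the old PIN; returns the PUK retries left afterwards."""
    token = Token()
    Session(token, implicit_unblock).C_SetPIN("0000", "4321")
    return token.puk_tries
```

The model keeps one retry counter per secret so that the cost of each scheme is visible: the SO path and the context-specific path each spend PUK or SO retries only when the caller explicitly presents that secret, whereas the implicit path makes every not-logged-in C_SetPIN a PUK presentation.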