On Wednesday 10 March 2010 18:00:15 Benoit Ferson wrote:
> ... OK ; I had missed that (which is why I did not understand the
> "adherence" of pkcs11-tool to PKCS15).

PKCS#11 is the software interface (e.g. Firefox loads PKCS#11 plugins
like "opensc-pkcs11.so"). It is not an alternative to PKCS#15.

> OK, so I guess I have two options :
>  - I could write the pkcs#15 emulation layer ; do you have working code as
>  a reference to do this?

Douglas suggested the PIV driver, so have a look at that one.

>  - or use another PKCS#11 implementation that does not make the assumption
> that the card is PKCS#15-compliant.

CoolKey or javacardsign are alternatives, but as far as I know each of them
only implements support for its own applet. So if you look for a flexible
software that can work with different cards/applets, OpenSC is your best
choice, I think.

> My first objective is to allow users to use the smartcard for
>  authentication on their (Linux) computer. I would like to use pam-pkcs11
>  module to do that, which is why I planned to integrate my smartcard with
>  opensc, as many applications rely on it. I am also planning to use the card
>  to store a secret that will ultimately be used to decrypt the users' home
>  directory content.
> 
> Right now, I am not concerned by the smartcard personalization and I do not
> need PKCS#15 support. This might change in the future, but at the moment, I
> would just like to use basic services provided by the card (i.e., user
> login, signature, random number generation, etc.).

To access a card via the PKCS#11 API and use it, you need a lot of
infrastructure. For example, applications expect X.509 certificates on
the card, not only an RSA key. Applications want to know how many
certificates/RSA keys/data objects there are and get information about
each. You need a PIN that protects private keys and private data,
and apps might want meta information about the PIN too (how long is
it, only numbers or also characters, etc.).

If you use the infrastructure OpenSC provides, you already have most
of that for free. You can start with a simple driver that emulates
everything and does not use anything from the card, and then add some
things that are backed by the card, such as a PIN, a certificate or an RSA key.

Regards, Andreas
_______________________________________________
opensc-devel mailing list
http://www.opensc-project.org/mailman/listinfo/opensc-devel