Emanuele Pucciarelli wrote: >> Unless somebody has comments or corrections, they'll be merged. The only >> problematic ticket is #177 which is actually a set of patches (that need >> manual merging for now) and that adds a major feature, secure messaging. >> > > My bad. Been meaning to tackle that for more than a year (and I didn't > follow up privately with you on that – writing it here just to > acknowledge that I *did* promise to work on it, but didn't do it :) ) > > >> Basically there's a mini-fork on http://itacns.corp.it/browser (requires >> registration) that should be eliminated better now than never. >> > > Agreed. > > >> Viktor, you had plans with secure messaging as well, I know that this >> specific implementation (it reads keys from a config file or environment, >> IIRC) is not what you have in mind, as it should also support remote >> tunnels. Can you have a look and see if: >> a) parts of it can be integrated anyway >> b) some of the code could be re-used for a better SM implementation >> c) some parts of the design can be upgraded on the way >> > > I'm more than willing to collaborate on this. > Thanks :) >
Great! I propose you to integrate support of the CNS card in two stages. Firstly submit your support without secure messaging (SM). Afterwards submit support of SM. The reason is that, as for me, the SM could be implemented in more general way. SM implemented for CNS is not the only possible SM implementation. There are cards with SM as it defined in GlobalPlatform, the cards with SM that uses session keys (derived from keyset, card/ifd serials, card/ifd randoms), maybe others. Afais, your patch assumes that for all SM operations (SM_[ENC,MAC]_[IN,OUT]) the same SM-BSO is used. For your card these four operations can have different keysets. Also, your implementation assumes that the length of SM key is 24 bytes. Don't know if it could be useful, but your card supports also 16 bytes length . Other remarks after looking through your patches: - afaik, 'give_random' is not in the ISO7816 standard and should no be in ISO7816 driver. If there is no way to hide it completely into the card driver, I guess, you can extend the card operations; - don't found how new flag 'SC_PKCS15_PIN_FLAG_NEEDS_SM' is used. I have the Oberthur's IdOne cards, that seems to be built on the same platform as CNS card, but has a different file system. So, I can test your driver at the libopensc level . Kind wishes, Viktor. -- Viktor Tarasov <[email protected]> _______________________________________________ opensc-devel mailing list [email protected] http://www.opensc-project.org/mailman/listinfo/opensc-devel
