Hello, PKCS#11 is an API for cryptographic devices that perform cryptographic operations. The API itself does not mandate the use of hardware (in fact, there are several competing software PKCS#11 modules) but in the context of OpenSC, a smart card library, it is obvious that the interface provided by OpenSC deals exclusively with smart cards. It would be reasonable to expect that all of the operations exposed via PKCS#11 take place inside the security boundaries of the cryptographic smart card module.
Most of the time, if smart cards are used, they are used because they can generate keys on the card that never leave the card. Sometimes pre-generated keys are loaded to smart cards for transportation or use. But usually smart cards are used for security reasons and the only security smart cards provide is the physical and logical access control to the plaintext key material. OpenSC has currently a very lax implementation of the actual functionality as well as for the flags that should signal the difference. These flags are: (from PKCS#15) native, sensitive, extractable, alwaysSensitive, neverExtractable and local related PKCS#11 functions: C_WrapKey C_UnwrapKey and usage flags: wrap, unwrap and also includes transparent key generation in software. To make it clear and meet the expectations of the user, I would like to suggest to remove all code from OpenSC that would generate or reveal plaintext key material in software, outside the smart card. If keys are to be generated somewhere else and transfered in plaintext, then there are tools that can do it (like openssl genrsa) and OpenSC can limit itself to implementing only functionality that really deals with the smart card, inside the crypto module. In addition to my interest in using key wrapping functionality I found the code behind pkcs15-init --extractable and --insecure somewhat odd. What do you think? -- Martin Paljak http://martin.paljak.pri.ee +3725156495 _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
