On 10/6/2010 12:11 PM, Andre Zepezauer wrote:
> Hello Douglas,
>
>> One of the operations I need for the PIV card is to get the public
>> key from the certificate, as pubkey needs to be emulated for these cards.
>
> Please could you explain why it is required to extract the public key
> from the certificate within OpenSC. I know that other emulators do it,
> but I don't know why.
The PIV card does not contain separate pubkey or privkey objects. It has private keys, but you can only refer to them by using the APDU P1 and P2, where P2 is the key reference and P1 is the algorithm identifier:

  05 = RSA-3072
  06 = RSA-1024
  07 = RSA-2048
  11 = EC-prime256v1
  14 = EC-secp384r1

See NIST 800-78-2 tables 6.1 and 6.2.

So the only way to figure out what P1 should be is to read the certificate and get the pubkey and its size. The pkcs15-piv.c then emulates a public key and a private key, where a PKCS#11 application could for example request the CKA_MODULUS from the emulated public key.

(When generating a public-private key pair on the card, the operation returns the modulus and exponent, or the EC point, which can then be used during a certificate request signing operation. But this is the only time the card will send this information.)

(Not covered in the NIST specifications but left up to card vendors is the ability to write a private key to a card, so this operation was not added to OpenSC.)

> Kind Regards
> Andre Zepezauer
>

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
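The step Douglas describes, reading the certificate to learn the public key's type and size and turning that into the P1 algorithm identifier, as an added worked example. This is not code from the thread or from OpenSC's pkcs15-piv.c; it is a stand-alone Python sketch with its own minimal DER encoder and decoder. The identifier table is the one quoted in the mail (NIST SP 800-78-2 tables 6.1 and 6.2); the RSA and EC OIDs and the "explicit [0] version" layout of an X.509 TBSCertificate are standard, and the sample keys and the certificate shell are constructed placeholders, not real key material. The EC branch also shows the caveat a practitioner hits in this mapping: for EC keys the identifier comes from the curve OID in the AlgorithmIdentifier, not from the length of the key bytes, so the code cross-checks the two and rejects a mismatch rather than guessing.

```python
"""Derive the PIV algorithm identifier (APDU P1) from a certificate's public key.
Identifier table as quoted above (NIST SP 800-78-2 tables 6.1/6.2); the DER
helpers and the sample keys are constructed for this example (placeholder keys)."""

PIV_RSA_ALG = {1024: 0x06, 2048: 0x07, 3072: 0x05}                # by modulus bits
PIV_EC_ALG = {"1.2.840.10045.3.1.7": 0x11, "1.3.132.0.34": 0x14}  # prime256v1, secp384r1
EC_COORD_BYTES = {"1.2.840.10045.3.1.7": 32, "1.3.132.0.34": 48}
OID_RSA, OID_EC = "1.2.840.113549.1.1.1", "1.2.840.10045.2.1"   # rsaEncryption, id-ecPublicKey

def der_encode(tag, content):
    """Minimal DER TLV encoder with short- and long-form lengths."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return der_encode(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:                                # base-128, high bit = "more"
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return der_encode(0x06, body)

def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split a constructed value's content into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out

def oid_to_str(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def piv_algorithm_from_spki(spki_der):
    """Map a DER SubjectPublicKeyInfo to (P1 algorithm id, description)."""
    (_, alg), (_, bitstr) = der_children(der_read(spki_der)[1])
    alg_fields = der_children(alg)
    oid, key = oid_to_str(alg_fields[0][1]), bitstr[1:]      # skip unused-bits octet
    if oid == OID_RSA:                          # RSAPublicKey ::= SEQUENCE { n, e }
        modulus = int.from_bytes(der_children(der_read(key)[1])[0][1], "big")
        bits = modulus.bit_length()
        if bits not in PIV_RSA_ALG:
            raise ValueError("no PIV algorithm id for RSA-%d" % bits)
        return PIV_RSA_ALG[bits], "RSA-%d" % bits
    if oid == OID_EC:                           # curve is named by OID, not by point size
        curve = oid_to_str(alg_fields[1][1])
        if curve not in PIV_EC_ALG:
            raise ValueError("no PIV algorithm id for curve " + curve)
        if key[:1] != b"\x04" or len(key) != 1 + 2 * EC_COORD_BYTES[curve]:
            raise ValueError("EC point is not an uncompressed point on " + curve)
        return PIV_EC_ALG[curve], "EC-" + curve
    raise ValueError("unsupported public key algorithm " + oid)

def spki_from_certificate(cert_der):
    """Pull the SubjectPublicKeyInfo TLV out of a DER X.509 Certificate."""
    tbs_fields = der_children(der_children(der_read(cert_der)[1])[0][1])
    idx = 6 if tbs_fields[0][0] == 0xA0 else 5   # explicit [0] version present?
    return der_encode(*tbs_fields[idx])

def piv_algorithm_from_certificate(cert_der):
    return piv_algorithm_from_spki(spki_from_certificate(cert_der))

# Constructed sample inputs: placeholder keys and an unsigned shell, not real data.
def make_rsa_spki(bits):
    n = (1 << (bits - 1)) | 0x10001            # odd modulus of exactly `bits` bits
    rsa_pub = der_encode(0x30, der_int(n) + der_int(65537))
    alg = der_encode(0x30, der_oid(OID_RSA) + b"\x05\x00")
    return der_encode(0x30, alg + der_encode(0x03, b"\x00" + rsa_pub))

def make_ec_spki(curve_oid, coord_bytes):
    alg = der_encode(0x30, der_oid(OID_EC) + der_oid(curve_oid))
    point = b"\x04" + b"\x11" * (2 * coord_bytes)   # uncompressed-point shape only
    return der_encode(0x30, alg + der_encode(0x03, b"\x00" + point))

def make_certificate(spki_der):
    """Minimal unsigned X.509 shell: v3, serial 1, empty names, empty signature."""
    empty = der_encode(0x30, b"")
    tbs = der_encode(0x30, der_encode(0xA0, der_int(2)) + der_int(1)
                     + der_encode(0x30, der_oid(OID_RSA)) + empty * 3 + spki_der)
    return der_encode(0x30, tbs + der_encode(0x30, der_oid(OID_RSA)) + der_encode(0x03, b"\x00"))
```

Calling `piv_algorithm_from_certificate(make_certificate(make_rsa_spki(2048)))` returns `(0x07, "RSA-2048")`, which is the P1 value a GENERAL AUTHENTICATE against that key would carry; a 4096-bit modulus or a curve outside the table raises rather than silently picking an identifier, which is the behaviour you want before an APDU goes to the card. The cross-check between the curve OID and the point length exists because a certificate is untrusted input at this point: the emulator has not yet verified it, so a malformed or mismatched SPKI should fail the mapping, not produce a plausible-looking P1.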