>> As an aside question: when I create a data token I could specify
>> "--auth-id" (I normally chose "--auth-id=01" if I need that data token
>> to be private), which, to me, implies that I could register more than
>> one "auth-id".
>>
>
> Do you use auth-id with pkcs15-init? If true, then you could specify
> more than one. Each auth-id correlates to an authentication object,
> which in turn defines a protection domain and has its own PIN. But the
> PKCS#11 API maps each protection domain to a different token.
>
> Compare output of "pkcs15-tool -D" and "pkcs11-tool -L".
>

OK, my Aladdin token had to be initialised using pkcs15-init (with "-ECl" and then again with "-P --auth-id 01 --label 'zeek PIN'"), during which I registered one PIN (the SO PIN was NOT registered). I have given this PIN auth-id 01 (I was under the impression that I can have, at most, two PIN numbers: one SO and one user, but reading your post above that is obviously not the case). Reading back my previous system/audit logs, as well as the syntax of pkcs15-init, I now realise that I can have more than one PIN stored on the card and associate a different --auth-id with a data object when it is stored. Interesting!

pkcs15-tool also gives me a lot more information than I expected to see when I execute "pkcs15-tool -D". It lists my private data objects as well as the auth-id required to see their content (so much for privacy and the 'object doesn't exist unless you log in' mantra). I wonder: if I create a different PIN (say auth-id=02), then store a different data object with this auth-id (02), would pkcs11-tool ask me for the right PIN (auth-id=02) in order to read the data?

I have avoided using pkcs15-tool in my module up until now simply because I didn't like its output. When I ask it to display a data object it displays the data in a "user-friendly" format (bytes encoded in 00-FF notation with a space in between), and it also includes "helpful" messages like "Data Object (XXX bytes)", which does not allow me to capture the output and dump it directly into LUKS as a key without processing it further. From what I can see there is no way it can show me the raw data. pkcs11-tool, on the other hand, shows me what I want (raw data) and even allows me to store it as a file (which I won't, because that is a security issue I do not wish to have).

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
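As an added example (not code from the original post or from OpenSC), the "user-friendly" dump the post complains about can be normalised back to raw bytes before it is handed to LUKS, and checked against the declared length so a truncated dump never becomes a silently wrong key. The exact pkcs15-tool output layout is an assumption; the sample dump below is constructed to match the post's description.

```python
import re

# Constructed sample mimicking the spaced-hex dump described in the post.
# The real pkcs15-tool layout may differ; only the two features the post
# names are relied on: a "Data Object (N bytes)" label and 00-FF pairs.
SAMPLE_DUMP = """\
Reading data object <luks-key>
Data Object (16 bytes):
DE AD BE EF 00 11 22 33
44 55 66 77 88 99 AA BB
"""

HEADER_RE = re.compile(r"Data Object \((\d+) bytes\)")
HEX_LINE_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}(?:\s+|$))+$")


def extract_raw_data(dump: str) -> bytes:
    """Drop labels/messages and turn spaced hex pairs into raw bytes.

    Raises ValueError if no length header is present or the number of
    hex pairs does not match the declared byte count, so a mangled or
    partially captured dump is rejected instead of being used as a key.
    """
    declared = None
    hex_tokens = []
    for line in dump.splitlines():
        m = HEADER_RE.search(line)
        if m:
            declared = int(m.group(1))
            continue  # header line carries no key material
        stripped = line.strip()
        if stripped and HEX_LINE_RE.match(stripped):
            hex_tokens.extend(stripped.split())
    if declared is None:
        raise ValueError("no 'Data Object (N bytes)' header found")
    if len(hex_tokens) != declared:
        raise ValueError(
            f"header declares {declared} bytes, dump contains {len(hex_tokens)}")
    return bytes.fromhex("".join(hex_tokens))


def dump_is_consistent(dump: str) -> bool:
    """True if the dump parses and its length matches its header."""
    try:
        extract_raw_data(dump)
    except ValueError:
        return False
    return True
```

Write the returned bytes to a pipe rather than a file, e.g. `sys.stdout.buffer.write(key)` piped into `cryptsetup luksOpen --key-file=- <device> <name>`, which reads the key from stdin and avoids the on-disk copy the post objects to.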