On Mon, 2010-11-01 at 23:53 +0000, Mr Dash Four wrote:
> >> As an aside question: when I create a data token I could specify
> >> "--auth-id" (I normally chose "--auth-id=01" if I need that data token
> >> to be private), which, to me, implies that I could register more than
> >> one "auth-id".
> >>
> >
> > Do you use auth-id with pkcs15-init? If true, then you could specify
> > more than one. Each auth-id correlates to an authentication object,
> > which in turn defines a protection domain and has its own PIN. But the
> > PKCS#11 API maps each protection domain to a different token.
> >
> > Compare output of "pkcs15-tool -D" and "pkcs11-tool -L".
> >
> OK, my Aladdin token had to be initialised using pkcs15-init (with
> "-ECl" and then again with "-P --auth-id 01 --label 'zeek PIN'"), during
> which I registered one pin (SO pin was NOT registered). I have given
> this pin auth-id 01 (I was under the impression that I can have, at
> most, two PIN numbers: one SO and one user, but reading your post above
> that is obviously not the case). Reading back my previous system/audit
> logs, as well as the syntax of pkcs15-init, I now realise that I can
> have more than one pin stored on the card and associate a different
> --auth-id to a data object when it is stored. Interesting!
>
> pkcs15-tool also gives me a lot more information than I expected to see
> when I execute "pkcs15-tool -D". It lists my private data objects as
> well as the required auth-id to use to see their content (so much for
> privacy and that the 'object doesn't exist unless you log in' mantra).
>
> I wonder if I create a different pin (say auth-id=02), then store a
> different data object with this auth-id (02) and check to see whether
> pkcs11-tool would ask me for the right pin (auth-id=02) in order to read
> the data?
>
> I have avoided using pkcs15-tool in my module up until now simply because I
> didn't like its output - when I ask it to display a data object it
> displays data in a "user-friendly" format (with bytes encoded with 00-FF
> notation with space in between) and it also includes "helpful" messages
> like "Data Object (XXX bytes)" which does not allow me to capture the
> output and dump it directly into LUKS as a key without processing it
> further. From what I can see there is no way it can show me the raw data.
pkcs15-tool -r 1f645352 | grep -v '\-' | base64 -d

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
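As an added example that is not part of the thread (and not OpenSC's own code), here is a POSIX shell script that strips the banner and spaced-hex formatting the poster complains about and recovers the raw bytes, checking the parsed byte count against the banner before handing anything to LUKS. The dump layout it parses is an assumption based only on the description above; the sample dump and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns the human-readable dump the
# poster describes for a pkcs15-tool data object into raw bytes fit for
# piping into LUKS. The dump layout below is an ASSUMPTION based on the
# thread's description ("Data Object (N bytes)" banner, hex bytes separated
# by spaces); real pkcs15-tool output may differ in detail.
SAMPLE_DUMP='Data Object (16 bytes)
DE AD BE EF 00 11 22 33
44 55 66 77 88 99 AA BB'

# Byte count announced in the banner line, or empty if there is no banner.
pkcs15_declared_length() {
    sed -n 's/^Data Object (\([0-9][0-9]*\) bytes).*/\1/p' | head -n 1
}

# Raw bytes on stdout: keep only lines made of hex pairs, then emit each
# pair as one byte through an octal escape (works with POSIX printf).
pkcs15_raw_bytes() {
    grep -E '^[0-9A-Fa-f]{2}( [0-9A-Fa-f]{2})*[[:space:]]*$' \
    | tr -s ' \r\n' '\n\n\n' \
    | while IFS= read -r byte; do
        [ -n "$byte" ] || continue
        printf "\\$(printf '%03o' "0x$byte")"
    done
}

# Extract the key from a dump stored in a file. Refuse when the parsed byte
# count disagrees with the banner: a truncated or garbled read would
# otherwise silently produce a wrong key.
pkcs15_key_from_dump() {
    dump_file=$1
    want=$(pkcs15_declared_length < "$dump_file")
    got=$(pkcs15_raw_bytes < "$dump_file" | wc -c | tr -d ' ')
    if [ -n "$want" ] && [ "$want" -ne "$got" ]; then
        echo "length mismatch: banner says $want bytes, parsed $got" >&2
        return 1
    fi
    pkcs15_raw_bytes < "$dump_file"
}

# Stand-alone run on the constructed sample. With a real card you would
# redirect the pkcs15-tool dump to a file and feed the result to e.g.
#   cryptsetup luksOpen --key-file=- /dev/sdX1 secret
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_DUMP" > "$tmp"
pkcs15_key_from_dump "$tmp" | od -An -tx1
rm -f "$tmp"
```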