On 2/22/2011 1:16 AM, Martin Paljak wrote:
> Hello,
> On Feb 21, 2011, at 10:23 PM, Douglas E. Engert wrote:
>
>> I would like to add C_DeriveKey support to OpenSC, to use the derivation
>> capabilities of a smartcard. Although RSA can do key derivation,
>> I am interested in CKM_ECDH1_COFACTOR_DERIVE which is supported
>> in the newer PIV cards. (There is also some ECDH support in NSS
>> to use with Thunderbird for encrypted mail.)
>>
>> EC can only do encryption using key derivation, so to use a card
>> with EC keys will require a minimal implementation of C_DeriveKey.
>>
>> The output of C_DeriveKey is a key object. This looks like a
>> PKCS#11 public session object with:
>> CK_EXTRACTABLE = TRUE
> Also CK_SENSITIVE = FALSE probably.
>
>> CK_LOCAL = FALSE
>> CK_VALUE = the derived key
>> CK_KEY_TYPE = CKK_GENERIC_SECRET
>>
>> So to add this will require the ability to return
>> a session key object and to delete or clean it up
>> after the session is closed.
>>
>> At one time did OpenSC have any KDF code?
>> If so did it have any PKCS#11 session key object code?
>
> I can't identify any at first sight, nor do I know about it ever existing
> before.
At one time there was some Secure Messaging code in OpenSC, which as I understand it, was removed because the intent of OpenSC is to support only the crypto that is available on the card. Since this uses secret keys, I was not sure if that code tried to define a sc_pkcs15_secretkey_obj (or something like that.)

It looks like OpenSC will need a sc_pkcs15_secretkey_obj, with native=FALSE to allow PKCS#11 to create a session object even with a R/O session. PKCS#15 defines the SecretKeys type.

Is there any intent with OpenSC to support secretkey crypto using the card? Some HSM could take advantage of this. In this case the object would not be a session object.

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
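The thread above sketches what a C_DeriveKey implementation for CKM_ECDH1_COFACTOR_DERIVE has to hand back: a session (non-token) CKO_SECRET_KEY object of type CKK_GENERIC_SECRET, extractable and not sensitive, not CKA_LOCAL, whose CKA_VALUE is the derived shared secret, creatable even from a read-only session and gone once the session closes. The following is an added, self-contained model of that behaviour, written for this page and not taken from OpenSC or any PKCS#11 module. The P-256 arithmetic is a plain affine implementation standing in for the card operation (P-256 has cofactor h = 1, so cofactor ECDH coincides with plain ECDH there); the Session class, its method names mirroring the PKCS#11 functions, the "params" dictionary standing in for CK_ECDH1_DERIVE_PARAMS, and the CKD_NULL-only KDF are assumptions for illustration. The PKCS#11 constant values are the ones from the v2.20 header.

```python
"""Model of a PKCS#11 C_DeriveKey(CKM_ECDH1_COFACTOR_DERIVE, CKD_NULL) session object.
Added illustration for this thread, not OpenSC code."""
import secrets

# NIST P-256 domain parameters. Cofactor H = 1, so cofactor ECDH == plain ECDH here.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
H = 1

# PKCS#11 v2.20 constant values used below (names as in pkcs11t.h).
CKA_CLASS, CKA_TOKEN, CKA_VALUE = 0x000, 0x001, 0x011
CKA_KEY_TYPE, CKA_SENSITIVE = 0x100, 0x103
CKA_EXTRACTABLE, CKA_LOCAL = 0x162, 0x163
CKO_SECRET_KEY, CKK_GENERIC_SECRET = 0x4, 0x10
CKM_ECDH1_COFACTOR_DERIVE, CKD_NULL = 0x1051, 0x1
CKR_SESSION_READ_ONLY = 0xB5


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def generate_keypair():
    d = 1 + secrets.randbelow(N - 1)        # private scalar in [1, N-1]
    return d, point_mul(d, G)


def ecdh1_cofactor_derive(d, peer_pub, kdf=CKD_NULL):
    """Card-side primitive: Z = x-coordinate of (H*d mod N)*Q; CKD_NULL returns raw Z."""
    if not on_curve(peer_pub):              # reject invalid-curve points before touching d
        raise ValueError("peer public point is not on P-256")
    shared = point_mul((H * d) % N, peer_pub)
    if shared is None:
        raise ValueError("derived point at infinity")
    if kdf != CKD_NULL:
        raise NotImplementedError("only CKD_NULL is modelled here")
    return shared[0].to_bytes(32, "big")


class Pkcs11Error(Exception):
    def __init__(self, rv):
        super().__init__(hex(rv))
        self.rv = rv


class Session:
    """Minimal session: an object store plus the R/O-session rule for new objects."""

    def __init__(self, read_only=True):
        self.read_only, self.objects, self._next = read_only, {}, 1

    def C_DeriveKey(self, mechanism, params, base_key_d, template):
        if mechanism != CKM_ECDH1_COFACTOR_DERIVE:
            raise NotImplementedError(hex(mechanism))
        attrs = dict(template)
        if attrs.get(CKA_TOKEN, False) and self.read_only:
            raise Pkcs11Error(CKR_SESSION_READ_ONLY)   # token objects need a R/W session
        value = ecdh1_cofactor_derive(base_key_d, params["public"], params["kdf"])
        # Defaults for the derived object, as discussed in the thread above.
        attrs.setdefault(CKA_CLASS, CKO_SECRET_KEY)
        attrs.setdefault(CKA_KEY_TYPE, CKK_GENERIC_SECRET)
        attrs.setdefault(CKA_TOKEN, False)            # session object, not a token object
        attrs.setdefault(CKA_EXTRACTABLE, True)
        attrs.setdefault(CKA_SENSITIVE, False)
        attrs[CKA_LOCAL] = False                      # derived, not generated on the token
        attrs[CKA_VALUE] = value
        handle, self._next = self._next, self._next + 1
        self.objects[handle] = attrs
        return handle

    def C_GetAttributeValue(self, handle, attr):
        return self.objects[handle][attr]

    def C_CloseSession(self):
        # Session objects do not survive the session: wipe derived secrets, drop handles.
        for obj in self.objects.values():
            obj[CKA_VALUE] = b"\x00" * len(obj[CKA_VALUE])
        self.objects.clear()


def demo():
    """Both parties derive inside read-only sessions; the two CKA_VALUEs must agree."""
    da, qa = generate_keypair()
    db, qb = generate_keypair()
    sa, sb = Session(read_only=True), Session(read_only=True)
    ha = sa.C_DeriveKey(CKM_ECDH1_COFACTOR_DERIVE, {"kdf": CKD_NULL, "public": qb}, da, {})
    hb = sb.C_DeriveKey(CKM_ECDH1_COFACTOR_DERIVE, {"kdf": CKD_NULL, "public": qa}, db, {})
    za = sa.C_GetAttributeValue(ha, CKA_VALUE)
    zb = sb.C_GetAttributeValue(hb, CKA_VALUE)
    sa.C_CloseSession()
    return za, zb, len(sa.objects)


if __name__ == "__main__":
    za, zb, remaining = demo()
    print("shared secrets agree:", za == zb, "objects after close:", remaining)
```

The point-on-curve check before the scalar multiplication is the one step a real implementation must not skip: with CKD_NULL the raw shared secret is returned to the caller, so feeding an off-curve point to the card's private key is exactly the invalid-curve attack surface. The R/O check is the other thing the thread calls out: a derived secret is a session object, so it must be creatable in a read-only session and must disappear (and be zeroised) when the session closes.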