On Tue, 26-04-2011 at 22:37 +0300, Martin Paljak wrote:
> Hello,
> On Apr 26, 2011, at 18:21 , Juan Antonio Martinez wrote:
> > As you can see in wiki [1] DNIe pkcs15 stores same DF in EF(PubK) and
> > EF(PrivK). So pkcs15-tool --read-public-keys fails with an "access
> > denied" when trying to read public keys. The only way to retrieve
> > public keys is from certificate files
> >
> >
> > So what's the correct way to work:
> > - Take care on pkcs15-tool on read failures, and assume that private
> > and public key are stored together, so then go to parse certificates
> > - Use the pkcs15 emulation layer to hide pubk data from pkcs15, and
> > leave pkcs15-tool untouched
>
> Is the file not readable even after a PIN verification
> (I guess so, given that it shares the path with private key)?

You're right: even after entering PIN, read_binary() to any pukdf,
response is "access denied". My first idea was to catch read_binary, detect
access to puk and return proper data from certificate, but seemed too
dirty...

> This should be handled not in pkcs15-tool but in the card driver
> (emulation layer) *if possible*. pkcs15-tool should deal only with (correctly)
> defined objects in a very simple "list them all" manner.

That was my feeling, but as you were talking about way of handling pubk
I was unsure on how it could affect DNIe

> One option would be to remove public key files from emulation
> (like the Estonian eID),

Perhaps I'll need some help: pkcs15-dnie.c just parses pkcs15 data from
card, and patches some file paths and ID's... no clear idea about how to
remove found entries from pkcs15 opensc's structures

> and to move the handling of certificate->pubkey to generic libopensc code.
> This would require filtering for duplicate objects.

That's so far away from my knowledge... :-)

> I would resort to patching pkcs15-tool as the last option.

Agree

Thanks for your suggestions
Cheers
Juan Antonio
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
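
The certificate->pubkey step discussed in this thread, as an added Python sketch that is not part of the original message and is not OpenSC code: it walks a DER certificate down to subjectPublicKeyInfo and returns the RSA modulus and exponent, rejecting truncated input. All function names are hypothetical, and the certificate is a constructed, unsigned skeleton built in-process rather than data read from a DNIe.

```python
SEQ, INT, BITSTR, CTX0 = 0x30, 0x02, 0x03, 0xA0  # DER tags used here
RSA_ALG = bytes.fromhex("300d06092a864886f70d0101010500")  # AlgorithmIdentifier: rsaEncryption, NULL

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos, rejecting truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        if k == 0 or k > 4 or pos + k > len(buf):
            raise ValueError("unsupported or truncated length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + n], pos + n

def children(body):  # split a constructed element's contents into (tag, value) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def rsa_pubkey_from_cert(der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo -> (modulus, exponent)."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != SEQ:
        raise ValueError("not a DER SEQUENCE")
    tbs = children(children(cert)[0][1])
    tbs = tbs[1:] if tbs and tbs[0][0] == CTX0 else tbs  # skip optional [0] version
    if len(tbs) < 6:  # serial, sigAlg, issuer, validity, subject, SPKI
        raise ValueError("tbsCertificate too short")
    alg, key = children(tbs[5][1])[:2]
    if alg[1] != RSA_ALG[2:] or key[0] != BITSTR or key[1][:1] != b"\x00":
        raise ValueError("not an RSA subjectPublicKeyInfo")
    (_, n), (_, e) = children(children(key[1][1:])[0][1])  # RSAPublicKey ::= SEQ { n, e }
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def tlv(tag, body):  # minimal DER encoder, used only to build the constructed sample
    n = len(body)
    head = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + head + body

def sample_cert(n, e):  # constructed, unsigned skeleton: empty names, dummy signature
    num = lambda v: tlv(INT, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    spki = tlv(SEQ, RSA_ALG + tlv(BITSTR, b"\x00" + tlv(SEQ, num(n) + num(e))))
    tbs = tlv(SEQ, tlv(CTX0, num(2)) + num(1) + RSA_ALG + tlv(SEQ, b"") * 3 + spki)
    return tlv(SEQ, tbs + RSA_ALG + tlv(BITSTR, b"\x00"))
```

The parser reads only the public key; it does not verify the certificate's signature or chain, so a caller still has to decide whether the certificate itself is trusted.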