Hello Douglas,

On 09/11/2011 20:26, Douglas E. Engert wrote:
> On 11/9/2011 11:39 AM, Viktor Tarasov wrote:
>> Hello,
>>
>> I would like to 'touch' the PKCS#11 module of OpenSC and am looking for your 
>> opinions/suggestions about:
>> - removing of 'pkcs15init' framework;
> Would you keep the functionality of the pkcs15init, and support it with the 
> pkcs15 framework?
> Parts of the current pkcs15init code that I am interested in are required to 
> support PKCS#11 session objects. For example the C_DeriveKey output is returned 
> as a session key object.
> Session objects may reside on the card or only in the software, depending on 
> how a card does a key derivation.

Pkcs15init functionalities are supported by the pkcs15 framework of OpenSC built 
with OpenSSL.

The main (and it seems the only) functionality of the 'pkcs15init' framework is 
to create a pkcs#15 application on a non-initialized card. Do we really need to 
do it with the PKCS#11 API?


>> - configurable support of the multi on-card applications and multi-pins;
>> - removing the 'one-pin' version of pkcs#11 module (or rather replacing it 
>> with particular case of the configuration);
>> - no separate slot for public objects.
> The support for multi on-card applications would be good. The PIV-card, for 
> example, is really an on-card application, and any support to select 
> card/application drivers based on application rather than just ATR could be 
> useful.
>
>>
>> The proposed PKCS#11 configuration concerns the creation of slots, their 
>> authentication objects and their content.
>> Possibilities are:
>>
>>     - 'all' -- current behavior -- a slot for every non-sopin, non-unblock PIN 
>> and optionally for the PUK;
>>       All public objects within one on-card application are associated with 
>> the first 'User PIN' slot.
>>
>>     - combinations of the symbolic PIN names 'user', 'sign' and 'application', 
>> where the important combinations are:
>>
>>     -- if only 'user' (one-pin) is used, the unique slot will contain the 
>> private objects from all on-card applications which are protected by the 
>> corresponding card PIN. (In multi-application cards, the same global card PIN 
>> could be referenced by the pkcs#15 'authentication' object of more than one 
>> on-card application.)
>>        Other private objects are not visible (for example the ones protected 
>> by the SignPIN).
>>        All public objects from all on-card applications are also added to this 
>> slot.
>>        (This configuration is suitable for FF.)
>>
>> -- 'user' + 'sign' -- the same as the previous one, except that a second slot 
>> is created for the private objects protected by the 'sign' PIN and these 
>> objects' public 'friends'.
>>        (This configuration could be useful for FF and Thunderbird.)
>>
>> -- 'application' -- one slot per on-card application, so that on-card 
>> applications can be distinguished through the PKCS#11 API. (Equivalent of the 
>> '--aid' option in the pkcs15(init) tools.)
>>       (This configuration is mostly for initializing on-card applications 
>> with the PKCS#11 API.)
>>
>> -- 'application' + 'sign' -- the same as 'all' without the optional PUK slot.
> How would all of this affect existing card drivers?

The 'all' configuration is intended to reproduce the current behavior of the 
pkcs11 module, with the exception of the separate slot for all public objects -- 
do we really need it?

The current 'one-pin' version of the pkcs11 module will be represented by the 
new version of the pkcs11 module in the 'user' configuration -- no need to 
package two versions of the OpenSC pkcs#11 module.



> Are the above configurations based on the card or some configuration file?


These configuration options are supposed to be included in the 'pkcs11' section 
of the general OpenSC configuration (the opensc.conf file).


>>
>> Kind wishes,
>> Viktor.
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
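The slot-building rules proposed in this thread ('all', 'user', 'user' + 'sign', 'application', 'application' + 'sign'), as an added illustrative model that is not OpenSC code; the two-application card layout, the PIN roles, the object fields and the slot names are constructed for the example, and the 'application' slot is assumed to hold every object of its application since the proposal does not say otherwise.

```python
from collections import OrderedDict

# Constructed two-application card.  Both applications reference the same global
# user PIN (reference 1); the second also carries a sign PIN, a PUK and an unblock PIN.
CARD = [
    {"aid": "A0:01", "pins": {"user": 1, "sopin": 2},
     "objs": [{"id": "01", "kind": "private", "auth": "user"},
              {"id": "01", "kind": "public", "auth": None}]},
    {"aid": "A0:02", "pins": {"user": 1, "sign": 3, "puk": 4, "unblock": 5},
     "objs": [{"id": "02", "kind": "private", "auth": "user"},
              {"id": "02", "kind": "public", "auth": None},
              {"id": "03", "kind": "private", "auth": "sign"},
              {"id": "03", "kind": "public", "auth": None}]},
]

def _tag(o):
    return f"{o['id']}:{o['kind']}"

def _objs(app, kind, auth="any"):
    """Objects of one application filtered by kind and by the PIN role protecting them."""
    return [_tag(o) for o in app["objs"]
            if o["kind"] == kind and (auth == "any" or o["auth"] == auth)]

def _friends(app, privs):
    """Public 'friends': public objects sharing a pkcs#15 id with the given private ones."""
    ids = {p.split(":")[0] for p in privs}
    return [_tag(o) for o in app["objs"] if o["kind"] == "public" and o["id"] in ids]

def build_slots(card, config, with_puk=False):
    """Map a configuration (a set drawn from 'all', 'user', 'sign', 'application') to slots."""
    slots = OrderedDict()
    if "all" in config or config == {"application", "sign"}:
        # one slot per non-SO, non-unblock PIN; the PUK slot only when 'all' asks for it;
        # every public object of an application lands in that application's user slot
        for app in card:
            for role in app["pins"]:
                if role in ("sopin", "unblock") or (role == "puk" and not (with_puk and "all" in config)):
                    continue
                slots[f"{app['aid']}/{role}"] = _objs(app, "private", role) + (
                    _objs(app, "public") if role == "user" else [])
    elif "application" in config:
        for app in card:                    # one slot per on-card application ('--aid' style)
            slots[app["aid"]] = _objs(app, "private") + _objs(app, "public")
    else:                                   # 'user' alone, or 'user' + 'sign'
        slots["user"] = [t for app in card for t in _objs(app, "private", "user")] + \
                        [t for app in card for t in _objs(app, "public")]
        if "sign" in config:                # sign-PIN private objects plus their public friends
            slots["sign"] = [t for app in card for p in [_objs(app, "private", "sign")]
                             for t in p + _friends(app, p)]
    return slots
```

Objects protected by the sign PIN (id 03 here) stay invisible in the plain 'user' configuration, while in 'all' the public half of that pair is attached to the application's user slot rather than to the sign slot.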
