On 08 December 2011 11:03 Viktor Tarasov wrote:
> On 07/12/2011 15:24, Hunter William wrote:
> >> Does it happen for you to have the accessControlRule that protects by
> >> the different 'PIN' objects the InternalAuth, Decipher and Sign
> >> operations of the same key?
> >> Could we assume that only one 'PIN' type auth.object is present in
> >> 'accessControlRules' of one key?
> > It seems to me that both PKCS#11 and the minidriver only support one
> > (user) PIN per card, so this has to be so for these modules to work?
> > However, the specifications support multiple PIN objects, so a card may
> > in theory have different PINs for different operations. It just isn't
> > clear to me how this would then work? The pkcs15-crypt tool may be able
> > to get it right, but how would you support this for the PKCS#11 module or
> > the minidriver?
> >
> > I'm happy to implement this, but do you (or anyone else) have any
> > suggestions on how to do it properly?
> >
> My first suggestion is to set authId when parsing the contents of PrKDF.

Ok, for now that should work fine, although longer term a better solution may be needed.

Note that the AuthID may also be specified in terms of a security environment, which makes things a lot more complicated... It's probably best not to worry about that for now. (Would have to go from the AuthReference -> SE info -> PIN reference -> EF.AOD -> AuthID - it's a bit circular!)

I'll try and make the change for the parsing of the PrKDF.

Cheers,
Will
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
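
An added sketch (not part of the thread and not OpenSC code) of deriving a single authId from a key's accessControlRules while parsing a PrKDF entry, reporting the case raised above where Sign, Decipher and InternalAuth are protected by different PIN objects. The struct layouts, mode bit values, function name and sample rules are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical, simplified types for this example; not OpenSC's structures. */
enum { MODE_SIGN = 1, MODE_DECIPHER = 2, MODE_INT_AUTH = 4 }; /* constructed bits */
#define CRYPTO_MODES (MODE_SIGN | MODE_DECIPHER | MODE_INT_AUTH)
#define MAX_ID 8
struct auth_id { unsigned char value[MAX_ID]; size_t len; }; /* len 0: no PIN */
struct access_rule { unsigned modes; struct auth_id auth; };
enum derive_result { DERIVE_OK, DERIVE_NONE, DERIVE_AMBIGUOUS };

/* Choose the one authId for a private key from its accessControlRules.
 * DERIVE_NONE: no key operation is PIN protected; *out stays empty.
 * DERIVE_AMBIGUOUS: operations name different PIN objects, so a single
 * authId cannot describe the key; *out keeps the first one found. */
enum derive_result derive_key_auth_id(const struct access_rule *rules,
                                      size_t n, struct auth_id *out)
{
    enum derive_result res = DERIVE_NONE;
    out->len = 0;
    for (size_t i = 0; i < n; i++) {
        const struct auth_id *a = &rules[i].auth;
        if (!(rules[i].modes & CRYPTO_MODES) || a->len == 0 || a->len > MAX_ID)
            continue; /* not a key operation, or no usable PIN reference */
        if (res == DERIVE_NONE) {
            *out = *a;
            res = DERIVE_OK;
        } else if (out->len != a->len || memcmp(out->value, a->value, a->len)) {
            res = DERIVE_AMBIGUOUS;
        }
    }
    return res;
}

/* Constructed sample rules: one PIN throughout, then a separate decipher PIN. */
static const struct access_rule one_pin[] = {
    { MODE_SIGN | MODE_INT_AUTH, { {0x01}, 1 } },
    { MODE_DECIPHER,             { {0x01}, 1 } },
};
static const struct access_rule two_pins[] = {
    { MODE_SIGN,     { {0x01}, 1 } },
    { MODE_DECIPHER, { {0x02}, 1 } },
};

int main(void)
{
    struct auth_id id;
    return !(derive_key_auth_id(one_pin, 2, &id) == DERIVE_OK &&
             derive_key_auth_id(two_pins, 2, &id) == DERIVE_AMBIGUOUS);
}
```

A caller that exposes only one user PIN, such as a PKCS#11 module or minidriver, can treat DERIVE_AMBIGUOUS as a signal to refuse or log the key instead of silently binding it to the first PIN.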