On 09/12/2011 07:55, Hunter William wrote:
> On 08 December 2011 11:03 Viktor Tarasov wrote:
>
>> On 07/12/2011 15:24, Hunter William wrote:
>>>> Does it happen for you to have an accessControlRule that protects, by
>>>> different 'PIN' objects, the InternalAuth, Decipher and Sign
>>>> operations of the same key?
>>>> Could we assume that only one 'PIN' type auth.object is present in
>>>> 'accessControlRules' of one key?
>>> It seems to me that both PKCS#11 and the minidriver only support one
>>> (user) PIN per card, so this has to be so for these modules to work?
>>> However, the specifications support multiple PIN objects, so a card may
>>> in theory have different PINs for different operations. It just isn't
>>> clear to me how this would then work? The pkcs15-crypt tool may be able
>>> to get it right, but how would you support this for the PKCS#11 module or
>>> the minidriver?
>>>
>>> I'm happy to implement this, but do you (or anyone else) have any
>>> suggestions on how to do it properly?
>>
>> My first suggestion is to set authId when parsing the contents of PrKDF.
> Ok, for now that should work fine, although longer term a better solution
> may be needed. Note that the AuthID may also be specified in terms of a
> security environment, which makes things a lot more complicated... It's
> probably best not to worry about that for now. (Would have to go from the
> AuthReference -> SE info -> PIN reference -> EF.AOD -> AuthID - it's a
> bit circular!)

Agree -- not to worry for a while.

Take also into consideration that for the OpenSC pkcs#15 framework, as the
base library for pkcs#11 and minidriver, only the protection by a 'PIN'
authentication object is important.
Other types (SM, Auth.Extern) are not used by pkcs#15 and upper levels
(parsed, but not used).
As it is currently implemented, these types of protection are resolved at
the libopensc level.

> I'll try and make the change for the parsing of the PrKDF.

Fine.

> Cheers,
> Will

Kind wishes,
Viktor.
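The single-PIN assumption discussed in this thread, as an added example that is not part of the original messages and is not OpenSC code: it derives one authId for a key from its accessControlRules, ignores non-PIN auth objects and SE-based authReference conditions, and reports the case where different operations name different PINs. The struct layouts, constants, sample data and the function name resolve_key_auth_id are hypothetical.

```c
#include <stddef.h>

/* Simplified, hypothetical model of PKCS#15 data; these are not OpenSC's structs. */
enum auth_kind { AUTH_PIN, AUTH_SM, AUTH_EXTERNAL };
enum cond_kind { COND_AUTH_ID, COND_AUTH_REFERENCE };
enum { OP_SIGN = 1, OP_DECIPHER = 2, OP_INTERNAL_AUTH = 4 }; /* constructed bit values */

struct auth_object { int auth_id; enum auth_kind kind; };   /* one EF.AOD entry */
struct acl_rule { unsigned ops; enum cond_kind cond; int auth_id; };

#define NO_PIN        (-1)  /* no rule names a PIN object */
#define AMBIGUOUS_PIN (-2)  /* rules name different PIN objects */

static int is_pin(const struct auth_object *aods, size_t n, int auth_id)
{
    for (size_t i = 0; i < n; i++)
        if (aods[i].auth_id == auth_id)
            return aods[i].kind == AUTH_PIN;
    return 0; /* unknown authId: treat as not a PIN */
}

/* Return the single PIN authId protecting the key, or NO_PIN / AMBIGUOUS_PIN. */
int resolve_key_auth_id(const struct acl_rule *rules, size_t n_rules,
                        const struct auth_object *aods, size_t n_aods)
{
    int found = NO_PIN;
    for (size_t i = 0; i < n_rules; i++) {
        if (rules[i].cond != COND_AUTH_ID)
            continue; /* SE-based authReference: left unresolved, as in the thread */
        if (!is_pin(aods, n_aods, rules[i].auth_id))
            continue; /* SM / external auth: parsed but not used at this level */
        if (found != NO_PIN && found != rules[i].auth_id)
            return AMBIGUOUS_PIN; /* one authId cannot express several PINs */
        found = rules[i].auth_id;
    }
    return found;
}

/* Constructed sample data */
static const struct auth_object SAMPLE_AODS[] = {
    { 0x01, AUTH_PIN }, { 0x02, AUTH_PIN }, { 0x10, AUTH_SM },
};
static const struct acl_rule ONE_PIN[] = {
    { OP_SIGN, COND_AUTH_ID, 0x01 }, { OP_DECIPHER, COND_AUTH_ID, 0x01 },
    { OP_INTERNAL_AUTH, COND_AUTH_ID, 0x10 },
};
static const struct acl_rule TWO_PINS[] = {
    { OP_SIGN, COND_AUTH_ID, 0x01 }, { OP_DECIPHER, COND_AUTH_ID, 0x02 },
};
static const struct acl_rule SE_ONLY[] = { { OP_SIGN, COND_AUTH_REFERENCE, 0 } };
```

Returning AMBIGUOUS_PIN instead of silently taking the first PIN lets the caller decide how to handle a key whose operations are protected by different PINs.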