Hello William,

On 04/01/2012 11:44, Hunter William wrote:
> The commit made on the 25 Dec - "minidriver: allow double key usage", on the
> secure-messaging branch introduced some issues for my testing of an IAS/ECC
> card.
>
> The first issue is that as per the IAS/ECC specifications, my key is enabled
> for KeyDecipher or Unwrap usage, and not Decrypt. However, it should still be
> made available as an AT_KEYEXCHANGE key, so that the unwrap is possible.

Sorry, it's my omission. 'ANY_DECIPHER' should be used.

> Secondly, I can't see the purpose of allowing one key to be available both as
> an AT_SIGNATURE and as an AT_KEYEXCHANGE key. In fact, in my testing, if this
> is done, only signatures work, decryption fails. I think this is because the
> keys have the same GUIDs (they are the same key) and the Microsoft key
> storage provider cannot handle this - understandably! My understanding is
> that if a key can be used for both signature and decryption then it is made
> available as an AT_KEYEXCHANGE key. If it can only do signatures, then it is
> made available as an AT_SIGNATURE key. This mode of operation works well in
> the tests I have done, both for signing and decrypting.

As you see from the comments, I have some doubts about this commit.
Probably something was rotten in my tests when I was testing your original patch.
I'll re-test it.

From the other side, as far as I understand the specification, the key container
IS allowed to have both 'signature' and 'keyexchange' keys.
And further, there is no formal interdiction to have the same underlying key for both.

That's why it would be nice to see the logs from the "only signatures work, decryption fails" event.

> I've attached a patch to fix these issues. Let me know if you have any
> comments/queries.
>
> I forgot to mention - all of these patches are for the secure-messaging
> branch of OpenSC.
>
> Cheers,
> Will

Kind regards,
Viktor.