On Mon, Dec 5, 2016 at 10:35 AM, Nikos Mavrogiannopoulos
<n...@redhat.com> wrote:
> On Mon, 2016-12-05 at 10:23 -0500, Nathaniel McCallum wrote:
>
>> > Indeed, in the case where one has both ykcs11 and opensc, he would
>> > have
>> > to supply --detailed-urls to p11tool to be able to distinguish
>> > between
>> > objects. That is, because they will have identical URLs except for
>> > the
>> > library-description and library-manufacturer fields, which are not
>> > normally printed.
>> >
>> > That would be a bit more than just inconvenience because of the
>> > duplicate listings, it would be that if you don't specify the
>> > library
>> > fields on the URL, you wouldn't know which module was used for the
>> > operation.
>>
>> They don't, in fact, have different URIs. If I add a .module file for
>> ykcs11.so, I get the attached output for p11tool --list-tokens.
>
> You forgot to attach it :)

Let's try again. :)

>> > We should ping yubico on that. Is there some reason they didn't
>> > implement the key generation on opensc? Ideally we won't ship that
>> > additional module.
>>
>> I don't know. But I suspect it would require hardware change. There
>> are a lot of existing YubiKeys out there.
>
> opensc-pkcs11 is an alternative driver for the same hardware, the same
> as ykcs11. As it is now, it seems that opensc misses only the
> generation part, and I think it would be preferable to pointing yubico
> in adding that functionality in opensc, rather than shipping a separate
> driver in fedora.

I agree. However, I suspect that the two drivers are using two
different hardware interfaces. And I suspect that YubiKeys may not
implement key creation through the SC hardware interface. I may
misunderstand this. Corrections are welcome.

If key creation is only supported by a proprietary YubiKey interface,
then I'm not sure we have much choice but to support two drivers (one
for the SC interface, one for the YK interface).

We should note that we are already shipping two drivers and what we
need to do now is define the relationship between them.

Token 0:
        URL: 
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
        Label: System Trust
        Type: Trust module
        Manufacturer: PKCS#11 Kit
        Model: p11-kit-trust
        Serial: 1
        Module: p11-kit-trust.so


Token 1:
        URL: 
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
        Label: Default Trust
        Type: Trust module
        Manufacturer: PKCS#11 Kit
        Model: p11-kit-trust
        Serial: 1
        Module: p11-kit-trust.so


Token 2:
        URL: 
pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aSSH%3aHOME;token=SSH%20Keys
        Label: SSH Keys
        Type: Generic token
        Manufacturer: Gnome Keyring
        Model: 1.0
        Serial: 1:SSH:HOME
        Module: gnome-keyring-pkcs11.so


Token 3:
        URL: 
pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aSECRET%3aMAIN;token=Secret%20Store
        Label: Secret Store
        Type: Generic token
        Manufacturer: Gnome Keyring
        Model: 1.0
        Serial: 1:SECRET:MAIN
        Module: gnome-keyring-pkcs11.so


Token 4:
        URL: 
pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aUSER%3aDEFAULT;token=Gnome2%20Key%20Storage
        Label: Gnome2 Key Storage
        Type: Generic token
        Manufacturer: Gnome Keyring
        Model: 1.0
        Serial: 1:USER:DEFAULT
        Module: gnome-keyring-pkcs11.so


Token 5:
        URL: 
pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aXDG%3aDEFAULT;token=User%20Key%20Storage
        Label: User Key Storage
        Type: Generic token
        Manufacturer: Gnome Keyring
        Model: 1.0
        Serial: 1:XDG:DEFAULT
        Module: gnome-keyring-pkcs11.so


Token 6:
        URL: 
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29
        Label: PIV_II (PIV Card Holder pin)
        Type: Hardware token
        Manufacturer: piv_II
        Model: PKCS#15 emulated
        Serial: 00000000
        Module: opensc-pkcs11.so


Token 7:
        URL: 
pkcs11:model=YubiKey%20NEO;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
        Label: YubiKey PIV
        Type: Hardware token
        Manufacturer: Yubico
        Model: YubiKey NEO
        Serial: 1234
        Module: /usr/lib64/libykcs11.so.1


Token 8:
        URL: 
pkcs11:model=YubiKey%20NEO;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
        Label: YubiKey PIV
        Type: Hardware token
        Manufacturer: Yubico
        Model: YubiKey NEO
        Serial: 1234
        Module: /usr/lib64/libykcs11.so.1


Token 9:
        URL: 
pkcs11:model=YubiKey%20NEO;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
        Label: YubiKey PIV
        Type: Hardware token
        Manufacturer: Yubico
        Model: YubiKey NEO
        Serial: 1234
        Module: /usr/lib64/libykcs11.so.1


Token 10:
        URL: 
pkcs11:model=YubiKey%20NEO;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
        Label: YubiKey PIV
        Type: Hardware token
        Manufacturer: Yubico
        Model: YubiKey NEO
        Serial: 1234
        Module: /usr/lib64/libykcs11.so.1


Token 11:
        URL: 
pkcs11:model=YubiKey%20NEO;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
        Label: YubiKey PIV
        Type: Hardware token
        Manufacturer: Yubico
        Model: YubiKey NEO
        Serial: 1234
        Module: /usr/lib64/libykcs11.so.1


Token 12:
        URL: 
pkcs11:model=YubiKey%20NEO;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
        Label: YubiKey PIV
        Type: Hardware token
        Manufacturer: Yubico
        Model: YubiKey NEO
        Serial: 1234
        Module: /usr/lib64/libykcs11.so.1


Token 13:
        URL: 
pkcs11:model=YubiKey%20NEO;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
        Label: YubiKey PIV
        Type: Hardware token
        Manufacturer: Yubico
        Model: YubiKey NEO
        Serial: 1234
        Module: /usr/lib64/libykcs11.so.1
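
As an added example (not part of the mail, of p11tool or of either driver), a small Python parser for `p11tool --list-tokens` output that flags token URLs listed more than once and, where the copies come from different modules, appends the RFC 7512 `module-path`/`module-name` query attribute so the URI names the driver as well as the token. The sample listing is constructed from the entries above; `other-driver.so` is a hypothetical second module standing in for the ykcs11/opensc overlap the thread describes.

```python
# Detect PKCS#11 token URLs that p11tool lists more than once; qualify copies from different modules.
import re
from collections import defaultdict
from urllib.parse import quote

# Constructed sample in `p11tool --list-tokens` layout; the last entry is a hypothetical second
# driver exposing the same token, the case discussed in the thread.
SAMPLE = """\
Token 0:
        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29
        Module: opensc-pkcs11.so
Token 1:
        URL: pkcs11:model=YubiKey%20NEO;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
        Module: /usr/lib64/libykcs11.so.1
Token 2:
        URL: pkcs11:model=YubiKey%20NEO;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
        Module: /usr/lib64/libykcs11.so.1
Token 3:
        URL: pkcs11:model=YubiKey%20NEO;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
        Module: other-driver.so
"""

def parse_tokens(text):
    """One {field: value} dict per 'Token N:' block; a bare pkcs11: line is a wrapped URL."""
    tokens = []
    for line in text.splitlines():
        if re.match(r"Token \d+:", line):
            tokens.append({})
        elif line.startswith("pkcs11:"):          # URL wrapped onto its own line (mail quotes)
            tokens[-1]["URL"] = line.strip()
        elif ":" in line and line.strip().split(":", 1)[1].strip():
            key, val = line.strip().split(":", 1)
            tokens[-1][key] = val.strip()
    return tokens

def qualify(url, module):
    """Append the module as an RFC 7512 query attribute (path -> module-path, else module-name)."""
    attr = "module-path" if "/" in module else "module-name"
    return f"{url}?{attr}={quote(module, safe='')}"

def report(text):
    """{url: [(module, qualified_or_None)]} for URLs listed more than once. A module attribute
    separates copies from different modules only; one module listing a token repeatedly would
    need a slot attribute (e.g. slot-id), which this listing does not carry."""
    by_url = defaultdict(list)
    for tok in parse_tokens(text):
        by_url[tok["URL"]].append(tok["Module"])
    return {url: [(m, qualify(url, m) if mods.count(m) == 1 else None) for m in mods]
            for url, mods in by_url.items() if len(mods) > 1}
```

Paste real `p11tool --list-tokens` output in place of `SAMPLE` to check your own configuration; a `None` entry means the duplicate comes from the same module and cannot be resolved by naming the driver.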


_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
