Nils,
I agree with you but I do not see a precise topic about multiply defined
IDs covered in PKCS#15 and PKCS#11. I did have the documents, btw.
Anyway, I think I found in PKCS#11 what I was looking for...
For openswan to work as expected, they need to
C_FindObjectsInit (ID=2)
then loop on
C_FindObjects () until the cert subject name is the right one
C_FindObjectsFinal ()
(the question is whether pkcs15-tool is supposed to rely on pkcs#11 to
display all those objects, and if not, how it is supposed to do).
Btw, seemingly, one could search for a private key with a given ID and
stop the search when the key has an interesting attribute (e.g. the
right modulus, generation type, etc...). My assumption about the
uniqueness of the private key ID was thus incorrect... there could be
many (albeit that seems odd).
So again, there is what _can_ be done and what _should_ be done. I was
hoping the ISO specs would be more precise about this or provide
guidance.
thx,
fred
On Wed, 2006-02-08 at 09:16 +0100, Nils Larsch wrote:
> Frederic Detienne wrote:
> > Hi Nils,
> >
> > Now, I am getting really curious about what document precludes or allows
> > several similar object per ID.
>
> have a look at the pkcs15 or pkcs11 standard (both are free :)
>
> >
> > In fact, I even wonder what it would mean to have several private keys
> > sharing the same ID.
>
> The primary use of the pkcs15 (or pkcs11) id seems to be the assignment
> of a private key to the different cert and public key objects for this
> private key (and of course it can make sense to have more than one cert
> for a given private key).
>
> > You can't retrieve them and figure which one you
> > prefer... the key is used by the card and all you get is a result
> > (signature). This makes me doubting that various similar objects could
> > share an ID.
> >
> > Would (AuthID | ID) be a unique identifier ?
>
> for a private key ? almost certainly as every private key should
> have a unique id
>
> > I.e. the right object with
> > the desired ID would be unique for a given AuthID (but there could be
> > several objects with the same ID and a different AuthID)...
>
> most cards have just one user pin
>
> >
> > This way, selecting the right object becomes a matter of logging in
> > (with an AuthID) and then selecting an object (by ID).
>
> normally the application chooses a certificate which it would like
> to use for a certain. The next step would be find the private key
> for this certificate, but this should be easy as there should be only
> one private key with a specific id (pkcs11 recommends using the value
> of the subjectPublicKeyIdentifier for the id). Whether or not there are
> several certificates with the same id doesn't matter here ...
>
> >
> > I am just guessing here as I do not have access to ISO 7816-[4,5] to
> > verify and I can't find relevant information in PKCS#15.
>
> http://www.rsasecurity.com/rsalabs/node.asp?id=2124
>
> Cheers,
> Nils
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
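The C_FindObjectsInit / C_FindObjects / C_FindObjectsFinal loop that Fred describes for openswan, followed by the lookup of the private key with the same ID, written out as an added example; this is not code from openswan, OpenSC or anyone in the thread. So that it compiles and runs without a card, it works against a constructed in-memory token whose contents (two certificates and one private key sharing CKA_ID 0x02, plus one certificate with another ID) are an assumption, and the four C_* calls are local stand-ins for the function pointers a real program obtains through C_GetFunctionList() from the loaded module. The CK_* types and constants mirror pkcs11.h; reading "ID=2" as a one-byte CKA_ID value 0x02 and the subject strings are likewise assumptions.

```c
/* Added example, not openswan/OpenSC code: the C_FindObjectsInit /
 * C_FindObjects / C_FindObjectsFinal loop from the message above, run
 * against a constructed in-memory token.  CK_* definitions mirror pkcs11.h;
 * the C_* functions stand in for what C_GetFunctionList() would return. */
#include <string.h>

typedef unsigned long CK_ULONG, CK_RV, CK_OBJECT_HANDLE, CK_SESSION_HANDLE;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKR_OK                    0x000UL
#define CKR_OBJECT_HANDLE_INVALID 0x082UL
#define CKR_BUFFER_TOO_SMALL      0x150UL
#define CKA_CLASS                 0x000UL
#define CKA_SUBJECT               0x101UL
#define CKA_ID                    0x102UL
#define CKO_CERTIFICATE           1UL
#define CKO_PRIVATE_KEY           3UL
#define CK_INVALID_HANDLE         0UL

/* Constructed token (assumption): two certs and one key share CKA_ID 0x02. */
struct tok_obj { CK_OBJECT_HANDLE handle; CK_ULONG cls; unsigned char id; const char *subject; };
static const struct tok_obj token[] = {
    { 1, CKO_CERTIFICATE, 0x02, "CN=fred,O=old-ca" },
    { 2, CKO_PRIVATE_KEY, 0x02, "" },
    { 3, CKO_CERTIFICATE, 0x02, "CN=fred,O=new-ca" },
    { 4, CKO_CERTIFICATE, 0x07, "CN=someone-else" },
};
#define NTOK (sizeof token / sizeof token[0])

/* ---- mock module: one active search per session, like a real token ---- */
static CK_ATTRIBUTE search_tmpl[4];
static CK_ULONG search_n, search_pos;

static int attr_matches(const struct tok_obj *o, const CK_ATTRIBUTE *a)
{
    if (a->type == CKA_CLASS)   return a->ulValueLen == sizeof(CK_ULONG) && *(CK_ULONG *)a->pValue == o->cls;
    if (a->type == CKA_ID)      return a->ulValueLen == 1 && *(unsigned char *)a->pValue == o->id;
    if (a->type == CKA_SUBJECT) return a->ulValueLen == strlen(o->subject) && !memcmp(a->pValue, o->subject, a->ulValueLen);
    return 0;
}
static CK_RV C_FindObjectsInit(CK_SESSION_HANDLE s, CK_ATTRIBUTE *t, CK_ULONG n)
{
    (void)s; memcpy(search_tmpl, t, n * sizeof *t); search_n = n; search_pos = 0;
    return CKR_OK;
}
/* Up to max matching handles per call; count 0 once the token is exhausted. */
static CK_RV C_FindObjects(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE *out, CK_ULONG max, CK_ULONG *count)
{
    (void)s; *count = 0;
    while (search_pos < NTOK && *count < max) {
        const struct tok_obj *o = &token[search_pos++];
        CK_ULONG i, ok = 1;
        for (i = 0; i < search_n; i++) if (!attr_matches(o, &search_tmpl[i])) { ok = 0; break; }
        if (ok) out[(*count)++] = o->handle;
    }
    return CKR_OK;
}
static CK_RV C_FindObjectsFinal(CK_SESSION_HANDLE s) { (void)s; search_n = 0; return CKR_OK; }
/* Only CKA_SUBJECT is modelled; ulValueLen is set to the real length on return. */
static CK_RV C_GetAttributeValue(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE h, CK_ATTRIBUTE *t, CK_ULONG n)
{
    CK_ULONG i; (void)s;
    for (i = 0; i < NTOK && token[i].handle != h; i++) ;
    if (i == NTOK) return CKR_OBJECT_HANDLE_INVALID;
    for (; n; n--, t++) {
        size_t len = strlen(token[i].subject);
        if (t->type != CKA_SUBJECT || t->ulValueLen < len) return CKR_BUFFER_TOO_SMALL;
        memcpy(t->pValue, token[i].subject, len);
        t->ulValueLen = len;
    }
    return CKR_OK;
}

/* ---- application side, as the message describes openswan doing it ----
 * Every certificate with the given CKA_ID, looping until the subject matches:
 * several certs may legitimately share the ID, so the subject decides. */
CK_OBJECT_HANDLE find_cert(CK_SESSION_HANDLE s, unsigned char id, const char *want_subject)
{
    CK_ULONG cls = CKO_CERTIFICATE, n;
    CK_ATTRIBUTE tmpl[2] = { { CKA_CLASS, &cls, sizeof cls }, { CKA_ID, &id, 1 } };
    CK_OBJECT_HANDLE h, found = CK_INVALID_HANDLE;
    if (C_FindObjectsInit(s, tmpl, 2) != CKR_OK) return CK_INVALID_HANDLE;
    while (C_FindObjects(s, &h, 1, &n) == CKR_OK && n == 1) {
        char subj[256];
        CK_ATTRIBUTE a = { CKA_SUBJECT, subj, sizeof subj };
        if (C_GetAttributeValue(s, h, &a, 1) != CKR_OK) continue;
        if (a.ulValueLen == strlen(want_subject) && !memcmp(subj, want_subject, a.ulValueLen)) { found = h; break; }
    }
    C_FindObjectsFinal(s);   /* always close the search, also after the early break */
    return found;
}

/* The private key for that cert: same CKA_ID, class CKO_PRIVATE_KEY.  There
 * should be exactly one; *nmatch lets the caller notice a card that has more. */
CK_OBJECT_HANDLE find_private_key(CK_SESSION_HANDLE s, unsigned char id, CK_ULONG *nmatch)
{
    CK_ULONG cls = CKO_PRIVATE_KEY, n;
    CK_ATTRIBUTE tmpl[2] = { { CKA_CLASS, &cls, sizeof cls }, { CKA_ID, &id, 1 } };
    CK_OBJECT_HANDLE h[8], first = CK_INVALID_HANDLE;
    *nmatch = 0;
    if (C_FindObjectsInit(s, tmpl, 2) != CKR_OK) return CK_INVALID_HANDLE;
    while (C_FindObjects(s, h, 8, &n) == CKR_OK && n > 0) {
        if (first == CK_INVALID_HANDLE) first = h[0];
        *nmatch += n;
    }
    C_FindObjectsFinal(s);
    return first;
}
```

Against the constructed token, find_cert(0, 0x02, "CN=fred,O=new-ca") walks past the first cert with that ID and returns handle 3, while find_private_key(0, 0x02, &n) returns handle 2 with n == 1, which is the "one private key per ID, any number of certs per ID" layout Nils describes. Against a real module the only changes are obtaining the C_* pointers from C_GetFunctionList(), using a session opened with C_OpenSession (and C_Login before touching private objects), and passing the token's actual CKA_ID bytes, which need not be a single octet.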