Frederic Detienne wrote:
> Nils,
>
> I agree with you but I do not see a precise topic about multiply defined
> IDs covered in PKCS#15 and PKCS#11. I did have the documents, btw.
>
> Anyway, I think I found in PKCS#11 what I was looking for...
>
> For openswan to work as expected, they need to
>
> C_FindObjectsInit (ID=2)
> then loop on
>   C_FindObjects () until the cert subject name is the right one

I guess the subject name should be the same (at least almost always) for
certs for a specific key; however, some cert extensions or attributes
might be different (for example a specific subjectAltName extension ...).

> C_FindObjectsFinal ()
>
> (the question is whether pkcs15-tool is supposed to rely on pkcs#11 to
> display all those objects, and if not, how it is supposed to do so).

If pkcs15-tool is asked to return the certificate objects with a certain
attribute (in this case the ID) it should return all objects that have
the attribute.

> Btw, seemingly, one could search for a private key with a given ID and
> stop the search when the key has an interesting attribute (e.g. the
> right modulus, generation type, etc...). My assumption about the
> uniqueness of the private key ID was thus incorrect... there could be
> many

yep

> (albeit that seems odd).

Actually it's not that odd. For example, CardOS M4 smartcards normally
only allow either signing or decryption with a specific key, hence in
order to be able to use a key for both operations you need two copies
of this key (with different attributes).

> So again, there is what _can_ be done and what _should_ be done. I was
> hoping the ISO specs would be more precise about this or provide
> guidance.

Sorry, I don't have a copy of ISO 7816-15.

Cheers,
Nils
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
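The search pattern discussed in the thread (C_FindObjectsInit with a CKA_ID template, loop on C_FindObjects until the subject matches, then C_FindObjectsFinal) and the point that one CKA_ID can cover several certificates and several private-key copies, shown as an added example. This is not code from the thread, openswan or OpenSC: the `sim_*` functions, the object store and all subject names and IDs are constructed stand-ins so the loop runs without a token or pkcs11.h; a real implementation would pass a CK_ATTRIBUTE template to the C_Find* calls and read CKA_SUBJECT / CKA_SIGN / CKA_DECRYPT with C_GetAttributeValue.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Object classes of interest; a stand-in for CKO_CERTIFICATE / CKO_PRIVATE_KEY. */
enum obj_class { CLS_CERT, CLS_PRIVKEY };

/* Simulated token object with the handful of attributes the search needs. */
struct sim_object {
    enum obj_class cls;
    unsigned char id;      /* CKA_ID: shared by a key and its certificates */
    const char *subject;   /* CKA_SUBJECT as printable text (certificates only) */
    int can_sign;          /* CKA_SIGN (private keys only) */
    int can_decrypt;       /* CKA_DECRYPT (private keys only) */
};

/* Constructed sample store: ID 2 carries two certificates with different
 * subjects plus two private-key copies, one sign-only and one decrypt-only
 * (the CardOS M4 situation from the thread). ID 3 is an unrelated object. */
static const struct sim_object store[] = {
    { CLS_CERT,    2, "CN=vpn-gw.example.test,O=Example",        0, 0 },
    { CLS_PRIVKEY, 2, NULL,                                        1, 0 },
    { CLS_CERT,    2, "CN=vpn-gw.example.test,O=Example,OU=alt", 0, 0 },
    { CLS_PRIVKEY, 2, NULL,                                        0, 1 },
    { CLS_CERT,    3, "CN=other.example.test",                     0, 0 },
};
#define STORE_LEN (sizeof store / sizeof store[0])

/* Search state the token would keep between Init and Final. */
struct sim_search { enum obj_class cls; unsigned char id; size_t cursor; int active; };

/* Stand-in for C_FindObjectsInit: record the template (class + CKA_ID). */
static int sim_FindObjectsInit(struct sim_search *s, enum obj_class cls, unsigned char id) {
    s->cls = cls; s->id = id; s->cursor = 0; s->active = 1;
    return 0;
}

/* Stand-in for C_FindObjects: yield the next matching handle (store index),
 * or -1 when exhausted. Like the real call it returns every match in turn,
 * so the caller decides which one it actually wants. */
static int sim_FindObjects(struct sim_search *s) {
    if (!s->active) return -1;
    while (s->cursor < STORE_LEN) {
        size_t i = s->cursor++;
        if (store[i].cls == s->cls && store[i].id == s->id) return (int)i;
    }
    return -1;
}

/* Stand-in for C_FindObjectsFinal. */
static void sim_FindObjectsFinal(struct sim_search *s) { s->active = 0; }

/* The loop from the thread: search certificates by ID and keep iterating
 * until the subject is the right one; Final is always called. */
int find_cert_by_id_and_subject(unsigned char id, const char *subject) {
    struct sim_search s;
    int h, found = -1;
    sim_FindObjectsInit(&s, CLS_CERT, id);
    while ((h = sim_FindObjects(&s)) >= 0) {
        if (store[h].subject && strcmp(store[h].subject, subject) == 0) { found = h; break; }
    }
    sim_FindObjectsFinal(&s);
    return found;
}

/* Same pattern for private keys: the ID alone is ambiguous when the card
 * holds a sign-only and a decrypt-only copy, so filter on the usage flag. */
int find_privkey_by_id_and_usage(unsigned char id, int want_sign) {
    struct sim_search s;
    int h, found = -1;
    sim_FindObjectsInit(&s, CLS_PRIVKEY, id);
    while ((h = sim_FindObjects(&s)) >= 0) {
        if ((want_sign && store[h].can_sign) || (!want_sign && store[h].can_decrypt)) { found = h; break; }
    }
    sim_FindObjectsFinal(&s);
    return found;
}

/* What a listing tool should do with an ID: report every object under it,
 * not just the first hit. */
size_t count_objects(enum obj_class cls, unsigned char id) {
    struct sim_search s;
    size_t n = 0;
    sim_FindObjectsInit(&s, cls, id);
    while (sim_FindObjects(&s) >= 0) n++;
    sim_FindObjectsFinal(&s);
    return n;
}

int main(void) {
    printf("certs under ID 2: %zu, private keys under ID 2: %zu\n",
           count_objects(CLS_CERT, 2), count_objects(CLS_PRIVKEY, 2));
    printf("alt cert handle: %d, decrypt key handle: %d\n",
           find_cert_by_id_and_subject(2, "CN=vpn-gw.example.test,O=Example,OU=alt"),
           find_privkey_by_id_and_usage(2, 0));
    return 0;
}
```

The two finders stop at the first object that satisfies the caller's own criterion, which is the behaviour the thread attributes to openswan; `count_objects` is the opposite discipline, the one a tool that lists objects by ID needs, and both rely on the token returning every match rather than the ID being unique.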