On Wed, 2006-02-08 at 12:45 +0100, Nils Larsch wrote:
> Frederic Detienne wrote:
> > Nils,
> > 
> > I agree with you but I do not see a precise topic about multiply defined
> > IDs covered in PKCS#15 and PKCS#11. I did have the documents, btw.
> > 
> > Anyway, I think I found in PKCS#11 what I was looking for...
> > 
> > For openswan to work as expected, they need to
> > 
> > C_FindObjectsInit (ID=2)
> > then loop on
> >   C_FindObjects () until the cert subject name is the right one
> 
> I guess the subject name should be the same (at least almost
> always) for certs for a specific key, however some cert
> extensions or attributes might be different (for example a
> specific subjectAltName extension ...)

Typically, the names are different (OU and O in general) but I agree,
other X.509 attributes may be useful to check.

> > C_FindObjectsFinal ()
> > 
> > (the question is whether pkcs15-tool is supposed to rely on pkcs#11 to
> > display all those objects, and if not, how it is supposed to do).
> 
> if pkcs15-tool is asked to return the certificate objects with
> a certain attribute (in this case the id) it should return all
> objects that have the attribute.

Back to the original question, then: how? What is the pure PKCS#15 API
that lets one do this? (In fact, it has to be an OpenCT or PC/SC-Lite
API.)

> > 
> > Btw, seemingly, one could search for a private key with a given ID and
> > stop the search when the key has an interesting attribute (e.g. the
> > right modulus, generation type, etc...). My assumption about the
> > uniqueness of the private key ID was thus incorrect... there could be
> > many 
> 
> yep
> 
> > (albeit that seems odd).
> 
> Actually it's not that odd. For example, CardOS M4 smartcards normally
> only allow either signing or decryption with a specific key, hence in
> order to be able to use a key for both operations you need two copies
> of this key (with different attributes).

Ah, but then the ID has to be different. I do not know for decryption,
but authentication should have ID=45 and signing should have ID=46.

> > 
> > So again, there is what _can_ be done and what _should_ be done. I was
> > hoping the ISO specs would be more precise about this or provide
> > guidance.
> 
> sorry don't have a copy of iso7816-15

I was not expecting you to send it to me (they are not free) but just in
case you had browsed through them :)

thx,

        fred

> Cheers,
> Nils

_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
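The search Fred describes above (C_FindObjectsInit with CKA_ID=2, loop on C_FindObjects until the subject matches, C_FindObjectsFinal), as an added example that is not OpenSC, openswan or pkcs15-tool code. Because no real Cryptoki library is linked, the block declares a minimal subset of the PKCS#11 types and constants (values as in pkcs11.h) and implements the three find calls plus C_GetAttributeValue over a constructed in-memory object table that stands in for the card: a private key and two certificates sharing CKA_ID 0x02 with different O/OU, plus a third certificate under ID 0x45. The subject is held as a printable DN string; on a real token CKA_SUBJECT is the DER-encoded Name and the comparison would be on those bytes. The batch size of 2 is chosen so the loop visibly has to run more than once, and count_objects_with_id shows the thread's point that one ID is shared by a key and its certificates.

```c
#include <stdio.h>
#include <string.h>

/* Minimal PKCS#11 subset (values as in pkcs11.h), declared here because this
 * example links no real Cryptoki module. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV, CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ATTRIBUTE_TYPE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKR_OK                        0x000UL
#define CKR_ARGUMENTS_BAD             0x007UL
#define CKR_ATTRIBUTE_TYPE_INVALID    0x012UL
#define CKR_OBJECT_HANDLE_INVALID     0x082UL
#define CKR_OPERATION_ACTIVE          0x090UL
#define CKR_OPERATION_NOT_INITIALIZED 0x091UL
#define CKR_BUFFER_TOO_SMALL          0x150UL
#define CKA_CLASS   0x000UL
#define CKA_SUBJECT 0x101UL
#define CKA_ID      0x102UL
#define CKO_CERTIFICATE 0x1UL
#define CKO_PRIVATE_KEY 0x3UL

/* Constructed token contents (not a real card): the key and two certificates
 * share CKA_ID 0x02 and differ only in O/OU; subjects are printable stand-ins
 * for the DER-encoded CKA_SUBJECT a real token returns. */
struct tok_obj { CK_OBJECT_HANDLE h; CK_ULONG cls; unsigned char id; const char *subject; };
static const struct tok_obj token[] = {
    { 1, CKO_PRIVATE_KEY, 0x02, "" },
    { 2, CKO_CERTIFICATE, 0x02, "C=BE,O=Example,OU=VPN,CN=gw1" },
    { 3, CKO_CERTIFICATE, 0x45, "C=BE,O=Example,OU=Auth,CN=gw1" },
    { 4, CKO_CERTIFICATE, 0x02, "C=BE,O=Example Corp,OU=IT,CN=gw1" },
};
#define NOBJ (sizeof token / sizeof token[0])

/* Find-operation state: one search per session, as the standard requires. */
static struct { int active; CK_ATTRIBUTE tmpl[4]; CK_ULONG n; size_t pos; } fs;

static int attr_matches(const struct tok_obj *o, const CK_ATTRIBUTE *a) {
    switch (a->type) {
    case CKA_CLASS:   return a->ulValueLen == sizeof(CK_ULONG) && *(CK_ULONG *)a->pValue == o->cls;
    case CKA_ID:      return a->ulValueLen == 1 && *(unsigned char *)a->pValue == o->id;
    case CKA_SUBJECT: return a->ulValueLen == strlen(o->subject) && memcmp(a->pValue, o->subject, a->ulValueLen) == 0;
    default:          return 0;   /* unknown template attribute: nothing matches */
    }
}

CK_RV C_FindObjectsInit(CK_SESSION_HANDLE s, CK_ATTRIBUTE *t, CK_ULONG n) {
    (void)s;
    if (fs.active) return CKR_OPERATION_ACTIVE;
    if (n > 4) return CKR_ARGUMENTS_BAD;
    memcpy(fs.tmpl, t, n * sizeof *t); fs.n = n; fs.pos = 0; fs.active = 1;
    return CKR_OK;
}

/* Returns up to `max` handles whose attributes all match the template. */
CK_RV C_FindObjects(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE *out, CK_ULONG max, CK_ULONG *count) {
    (void)s;
    if (!fs.active) return CKR_OPERATION_NOT_INITIALIZED;
    *count = 0;
    while (fs.pos < NOBJ && *count < max) {
        const struct tok_obj *o = &token[fs.pos++];
        CK_ULONG i;
        for (i = 0; i < fs.n && attr_matches(o, &fs.tmpl[i]); i++) ;
        if (i == fs.n) out[(*count)++] = o->h;
    }
    return CKR_OK;
}

CK_RV C_FindObjectsFinal(CK_SESSION_HANDLE s) {
    (void)s;
    if (!fs.active) return CKR_OPERATION_NOT_INITIALIZED;
    fs.active = 0;
    return CKR_OK;
}

/* Only CKA_SUBJECT is readable here; follows the size-query convention
 * (pValue == NULL returns the length in ulValueLen). */
CK_RV C_GetAttributeValue(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE h, CK_ATTRIBUTE *t, CK_ULONG n) {
    const struct tok_obj *o = NULL;
    (void)s;
    for (size_t i = 0; i < NOBJ; i++) if (token[i].h == h) o = &token[i];
    if (!o) return CKR_OBJECT_HANDLE_INVALID;
    for (CK_ULONG i = 0; i < n; i++) {
        size_t len = strlen(o->subject);
        if (t[i].type != CKA_SUBJECT) return CKR_ATTRIBUTE_TYPE_INVALID;
        if (t[i].pValue == NULL) { t[i].ulValueLen = len; continue; }
        if (t[i].ulValueLen < len) { t[i].ulValueLen = (CK_ULONG)-1; return CKR_BUFFER_TOO_SMALL; }
        memcpy(t[i].pValue, o->subject, len); t[i].ulValueLen = len;
    }
    return CKR_OK;
}

/* The openswan-style search from the thread: every certificate with CKA_ID
 * `id` is a candidate, so keep pulling batches until the subject matches or
 * the token runs dry. Returns the handle, or 0 if no candidate has `want`. */
CK_OBJECT_HANDLE find_cert(CK_SESSION_HANDLE s, unsigned char id, const char *want) {
    CK_ULONG cls = CKO_CERTIFICATE, got = 0, i;
    CK_ATTRIBUTE tmpl[2] = { { CKA_CLASS, &cls, sizeof cls }, { CKA_ID, &id, 1 } };
    CK_OBJECT_HANDLE found = 0, batch[2];
    if (C_FindObjectsInit(s, tmpl, 2) != CKR_OK) return 0;
    do {
        if (C_FindObjects(s, batch, 2, &got) != CKR_OK) break;
        for (i = 0; i < got && !found; i++) {
            char subj[128];
            CK_ATTRIBUTE a = { CKA_SUBJECT, subj, sizeof subj };
            if (C_GetAttributeValue(s, batch[i], &a, 1) == CKR_OK
                && a.ulValueLen == strlen(want) && memcmp(subj, want, a.ulValueLen) == 0)
                found = batch[i];
        }
    } while (!found && got == 2);   /* a short batch means no more matches */
    C_FindObjectsFinal(s);          /* always close the search, even on early exit */
    return found;
}

/* Count every object of any class carrying CKA_ID `id`. */
CK_ULONG count_objects_with_id(CK_SESSION_HANDLE s, unsigned char id) {
    CK_ATTRIBUTE tmpl[1] = { { CKA_ID, &id, 1 } };
    CK_OBJECT_HANDLE batch[2];
    CK_ULONG got = 0, total = 0;
    if (C_FindObjectsInit(s, tmpl, 1) != CKR_OK) return 0;
    do {
        if (C_FindObjects(s, batch, 2, &got) != CKR_OK) break;
        total += got;
    } while (got == 2);
    C_FindObjectsFinal(s);
    return total;
}

int main(void) {
    CK_OBJECT_HANDLE h = find_cert(1, 0x02, "C=BE,O=Example Corp,OU=IT,CN=gw1");
    printf("chosen certificate handle %lu; %lu objects carry CKA_ID 02\n", h, count_objects_with_id(1, 0x02));
    return h ? 0 : 1;
}
```

Two things the block makes concrete: a template of CKA_ID alone returns the key as well as both certificates, so a caller wanting a certificate should also set CKA_CLASS; and stopping at the first object with the right ID would silently pick whichever certificate the token happens to list first, which is why the subject (or, for a key, the modulus) has to be checked inside the loop.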
