Attached is a patch for pkcs15-piv.c against the 0.11.0-rc2 code.
This patch will allow a flag in the opensc.conf file to be set to
only expose the PIV authentication certificate and matching keys.
I would like to see this in the 0.11.0-rc3 release if possible.
There are situations where a PKCS#11 application may try to read
certificates and keys that are not present on the card.
The current PIV code was optimized to not do any card IO if at
all possible, waiting till the last minute before reading a
certificate. The pkcs15-piv.c would define the 4 certificates and
matching public and private key objects by calling sc_pkcs15emu_add_*
even if they are not present on the card.
The above optimization was done because the PIV specifications
do not define a directory or any other way to determine if specific
objects are present on the card other than to read the object.
Reading all objects, or at least all the certificates, would
greatly increase the login time.
But there are too many problems with this approach, and this
patch is a simple way to avoid most of them yet allow the use
of the authentication certificate that is required.
This would allow for initial testing and use of the PIV card
for authentication in release 0.11.0.
In the next release, I would like to change this behavior
and actually read the objects to determine if they are present
before calling sc_pkcs15emu_add_x509_cert, so only
objects existing on the card are emulated. It might also be possible
to only read the first few bytes to get the length, but further
testing needs to be done to see if the cards will allow this.
Thanks.
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
--- ./src/libopensc/,pkcs15-piv.c Tue Mar 14 15:55:39 2006
+++ ./src/libopensc/pkcs15-piv.c Mon May 1 11:38:28 2006
@@ -215,6 +215,7 @@
int r, i;
sc_card_t *card = p15card->card;
+ int exposed_cert[4] = {1, 0, 0, 0};
SC_FUNC_CALLED(card->ctx, 1);
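Review bot: this hunk only adds the consumer side of the new opensc.conf flag; nothing in the patch shows where bit 0x20 of card->flags is set from the configuration, so a reviewer cannot confirm the flag is actually wired up, and the bit value itself is a bare magic number. Please include the config-parsing change (or point to the existing code that sets it) and give the bit a named constant, e.g. `#define SC_PIV_FLAG_AUTH_CERT_ONLY 0x20`, so the three later `card->flags & 0x20` checks read as intent rather than an unexplained constant. Also consider making `exposed_cert` `static const` since it is never written, and sizing it from the certs table instead of the literal 4.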
@@ -264,6 +265,9 @@
struct sc_pkcs15_cert_info cert_info;
struct sc_pkcs15_object cert_obj;
+ if ((card->flags & 0x20) && (exposed_cert[i] == 0))
+ continue;
+
memset(&cert_info, 0, sizeof(cert_info));
memset(&cert_obj, 0, sizeof(cert_obj));
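Review bot: the new check `if ((card->flags & 0x20) && (exposed_cert[i] == 0)) continue;` indexes `exposed_cert[4]` with the loop variable `i` but has no bound tied to the array, so it silently depends on the certs table never growing past four entries; if another PIV object is added to the table later this becomes an out-of-bounds read. Either size `exposed_cert` from the same table the loop walks, or guard with `i < sizeof(exposed_cert)/sizeof(exposed_cert[0])` before reading it. A one-line comment above the check saying which certificate index 0 is (the PIV authentication certificate, per the cover mail) would also help the next reader.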
@@ -326,6 +330,9 @@
struct sc_pkcs15_pubkey_info pubkey_info;
struct sc_pkcs15_object pubkey_obj;
+ if ((card->flags & 0x20) && (exposed_cert[i] == 0))
+ continue;
+
memset(&pubkey_info, 0, sizeof(pubkey_info));
memset(&pubkey_obj, 0, sizeof(pubkey_obj));
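Review bot: this is the second verbatim copy of the `(card->flags & 0x20) && (exposed_cert[i] == 0)` test, and the hunk at line 363 adds a third; the same bounds assumption on `exposed_cert[i]` applies here, and because the public-key loop and the certificate loop are gated by the same index the patch implicitly requires the two tables to stay in lockstep. Suggest factoring the test into one small static helper (for example `piv_object_exposed(card, i)`, name is a suggestion) that owns both the flag check and the bounds check, so a later fix only has to be made once.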
@@ -356,6 +363,9 @@
for (i = 0; prkeys[i].label; i++) {
struct sc_pkcs15_prkey_info prkey_info;
struct sc_pkcs15_object prkey_obj;
+
+ if ((card->flags & 0x20) && (exposed_cert[i] == 0))
+ continue;
memset(&prkey_info, 0, sizeof(prkey_info));
memset(&prkey_obj, 0, sizeof(prkey_obj));
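Review bot: the formatting of this hunk differs from the two before it: the added blank line sits above the `if`, while the blank line that separated `continue;` from the `memset(&prkey_info ...)` calls in the 265 and 330 hunks is missing here, so the private-key loop reads differently from the cert and pubkey loops for no functional reason. Please match the layout of the earlier hunks. The `exposed_cert[i]` bounds concern raised on the certificate hunk applies to this `for (i = 0; prkeys[i].label; i++)` loop as well, since the loop is bounded by the prkeys table and not by the size of `exposed_cert`.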
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel