Robert Relyea wrote:
> Douglas E. Engert wrote:
>>
>> OK, so do you have any comments about adding all public objects to
>> all slots? Based on how I read PKCS#11, there should be one slot
>> for each auth PIN, and it should have the private objects that need
>> that PIN and all the public objects. The way the code is now, the public
>> objects are added to an extra slot, unless the auth_count=1 and
>> the hide_empty_slots = yes. This works for my card with its one auth PIN
>> but does not look correct for the more general case.
>>
> If you move the public objects off of the slot, NSS won't be able to
> find the corresponding private objects. CKA_ID's are only specified to
> be unique across a given slot, so you can't match CKA_ID's from one slot
> to the next (so in the general case you can't identify a given private
> key with a given cert unless they live in the same slot).

OK, that makes sense for certs.

> Adding all public objects to all slots is reasonably innocuous as long
> as it doesn't interfere with the ability to identify which slot has the
> private key. If you are depending on NSS's publicly readable cert
> semantic (for example), then you will not want to include public keys
> that don't have the corresponding private keys in the slot.
>
> In general, an application will either have to authenticate to all slots
> first, or have a way of identifying which slot actually holds the
> private key. Ideally you would only match up the related certificate,
> public key, and private key into the given slot associated with the
> private key. Certificates without keys associated with them could live
> in any slot (including an 'extra' slot).
>
> Hope that helps.

Yes it does. Thanks. As the cards I have only one auth PIN, and with the patch for ticket #146 all the objects end up in one slot, I don't have a problem. I was asking a more general question, as I could see some application looking in the first slot for a public object, and not finding it.

> bob

-- 
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
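The point Bob makes above, that CKA_ID is only unique within one slot and so a certificate and private key can only be paired when they sit in the same slot, is illustrated by the following added example. It is not OpenSC or NSS code and is not part of the thread. The two in-memory "slots" are constructed stand-ins for what C_FindObjects would return from a real PKCS#11 module; the attribute names and CKO_ values are the standard PKCS#11 ones, while the slot contents (labels, IDs, which slot is the "extra" public-object slot) are invented. It compares the correct per-slot match with the naive cross-slot match an application might attempt when public objects have been moved to an extra slot.

```python
"""Pairing PKCS#11 objects by CKA_ID within a slot, and why matching across
slots is unsound.  Added example for this thread; the slot contents are
constructed, not read from a card."""
from collections import defaultdict

# PKCS#11 object classes (values as defined in pkcs11t.h).
CKO_CERTIFICATE = 0x1
CKO_PUBLIC_KEY = 0x2
CKO_PRIVATE_KEY = 0x3

# Constructed slot contents (hypothetical card layout):
#   slot 0: the "extra" slot holding public objects only.  It contains an
#           unrelated CA cert whose CKA_ID happens to be 0x01 (allowed, since
#           CKA_ID only has to be unique within a slot) and the auth cert
#           whose private key lives in slot 1.
#   slot 1: the auth-PIN slot holding two private keys; the signing cert and
#           public key were kept with their private key, the auth cert was not.
SLOTS = {
    0: [
        {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": b"\x01", "CKA_LABEL": "Unrelated CA cert"},
        {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": b"\x02", "CKA_LABEL": "Auth cert"},
    ],
    1: [
        {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": b"\x01", "CKA_LABEL": "Signing key"},
        {"CKA_CLASS": CKO_PUBLIC_KEY,  "CKA_ID": b"\x01", "CKA_LABEL": "Signing key"},
        {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": b"\x01", "CKA_LABEL": "Signing cert"},
        {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": b"\x02", "CKA_LABEL": "Auth key"},
    ],
}


def match_in_slot(objects):
    """Group one slot's objects by CKA_ID.  For every private key, return the
    certificate and public key that share its CKA_ID *in that same slot*;
    a missing cert or public key is reported as None rather than borrowed
    from another slot."""
    by_id = defaultdict(dict)
    for obj in objects:
        by_id[obj["CKA_ID"]][obj["CKA_CLASS"]] = obj
    matches = {}
    for cka_id, group in by_id.items():
        if CKO_PRIVATE_KEY in group:
            matches[cka_id] = {
                "private_key": group[CKO_PRIVATE_KEY],
                "public_key": group.get(CKO_PUBLIC_KEY),
                "certificate": group.get(CKO_CERTIFICATE),
            }
    return matches


def find_slot_for_cert(slots, cka_id):
    """Correct lookup: the slot whose private key with this CKA_ID also has a
    certificate with the same CKA_ID.  Returns None when cert and key have
    been split across slots, because then the pairing cannot be proven."""
    for slot_id, objs in slots.items():
        m = match_in_slot(objs).get(cka_id)
        if m is not None and m["certificate"] is not None:
            return slot_id
    return None


def naive_cross_slot_match(slots, cka_id):
    """The unsound approach: take the first cert with this CKA_ID from any
    slot and pair it with the first private key with this CKA_ID from any
    slot.  Returns the two labels so the mispairing is visible."""
    def first(cls):
        for objs in slots.values():
            for o in objs:
                if o["CKA_CLASS"] == cls and o["CKA_ID"] == cka_id:
                    return o["CKA_LABEL"]
        return None
    return first(CKO_CERTIFICATE), first(CKO_PRIVATE_KEY)


if __name__ == "__main__":
    for cka_id in (b"\x01", b"\x02"):
        print(cka_id.hex(),
              "per-slot match ->", find_slot_for_cert(SLOTS, cka_id),
              "| cross-slot guess ->", naive_cross_slot_match(SLOTS, cka_id))
```

Running it shows CKA_ID 01 pairing the "Unrelated CA cert" with the "Signing key" under the cross-slot guess, while the per-slot match correctly finds slot 1; for CKA_ID 02 the per-slot match returns None, because the auth cert and auth key were split across slots and nothing on the token proves they belong together.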
