On 12/31/08, Jeffrey Hutzelman <jh...@cmu.edu> wrote: > > * private data objects were not implemented securely: the > > old code stored them with a flag "ask for the pin", but did nothing to > > protect the data, thus everyone can read it. The new code sets the > > access control right for such data objects, at least with the cryptoflex > > 32k card I tried. please give the code a try, and let me know, if your > > card still work. > > It's not clear to me what data objects are for.
I use this to hold encryption keys for my harddisk [1]. [1] http://wiki.tuxonice.net/EncryptedSwapAndRoot > Are they actually supposed > to be private, per PKCS#15? None of the profiles I looked at do this; are > you updating them all, or just cryptoflex? The PKCS#15 implementation already supported private data objects, if you set --auth-id when you used the --store-data at pkcs15-init. The problem is that nobody finished the task, and the profile always marked them as public. The above change fixes PKCS#15 too... So that if you use pkcs15-init you can store private and public objects. Andreas changed all the profiles to support the new directory. I checked it also using asepcos. > > note for testing: > > * you need to initialize the card with "pkcs15-init -p pkcs15+onepin" so > > that you can store things with pkcs11-tool. > > Hrm. Ew. But, I suppose this is really just a limitation of PKCS#11. This is not a limitation of PKCS#11 but the PKCS#11 implementation of OpenSC. You can use pkcs15-init to test this. Without reformatting the card, I read the data objects, and stored them using the new version. It is fixed now. > Why the change in fileid? It's not like I have the documentation in front > of me, but I'm pretty sure that's not one of the special ones. In any > case, the fileID's you mention are specific to the cryptoflex profile. Can you please check it out? > This is going to depend on the card. On cryptoflex, I'm pretty sure you > cannot change the ACL on an existing file, but the approach you describe > should work if there is enough room in the PIN directory. You could also > delete the existing data EF, if it was the last thing created in the PIN > directory. I guess you say you need to reinit your token? I had to just recrate the objects and it worked for me. Alon _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel