OpenSC is getting some bad press. (See below)
The line in libp11 p11_key.c says:
111 * FIXME: We should check first whether the token supports
112 * on-board key generation, and if it does, use its own algorithm
Thats a pretty major "FIXME", if the caller is expecting the card to do
key generation, then it should be doing it!
-------- Original Message --------
Subject: [OpenCA-Devel] PKCS11 - The disturbing Truth about libp11 and OpenSC!
Date: Tue, 27 Jan 2009 13:13:54 -0600
From: Massimiliano Pala <[email protected]>
Reply-To: OpenCA Developers <[email protected]>
Organization: Dartmouth College - Computer Science Department
To: LibPKI Users <[email protected]>
CC: OpenCA Devel <[email protected]>, LibPKI Devel
<[email protected]>, Openca Users
<[email protected]>
Hi all,
I am developing the PKCS#11 driver for LibPKI and I am playing around with
some other code - especially the libp11 which is used by many software:
- OpenSSL's ENGINE for PKCS#11
- OpenSC
When creating the key, the behaviour a user would expect from these driver
is to generate the keypair in the device and then, eventually, export the
public part. However, the libp11 behaves differently. What it really does
is generating the key is software and then import it into the device - which
totally invalidates the assumptions made when using a PKCS#11 device!
Therefore, my advice is: do not use OpenSC + libp11 (for PKCS#11 access) if
you are concerned about the security of your private key!
I will develop an application that will print out the "properties" of
public/private keys in a PKCS#11 device so that you can check out what
the status of your generated keys is - the tool will probably be part
of the LibPKI package.
Later,
Max
--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
