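Hi list,

I have met with a problem when enrolling more than one certificate using Firefox (3.0.7). I traced the process and found what happened. Here are the steps:

1. sc_pkcs15init_generate_key was called to generate a keypair; let us name it KEYPAIR_A. Firefox didn't give it a CKA_ID attribute, so we (opensc) give it one (in function sc_pkcs15init_init_prkdf via select_id, in pkcs15-lib.c line 1237). The policy by which we allocate a new ID is picking a number in the range from DEFAULT_ID (0x45) to 0xFF, if there is no object using it. Thus the ID is 0x45 because the key is the first object. We determine the path of the public key using the object ID and the template defined in the card's specific dot profile file. For example, for entersafe cards, the path is 0x3048 (that is, 0x3003 defined in the profile plus 0x45, the object ID). Let's write down the value 0x3048; we will meet it again soon.

2. Firefox modifies KEYPAIR_A's ID according to its own policy, so KEYPAIR_A's ID changes from 0x45 to another value; let's assume it's "12345678abcdef". So it is not 0x45 any longer. This step is important.

3. We are happy, everything is OK till now.

4. The user wants a second keypair (KEYPAIR_B), so we will allocate a new ID for it. We, again, start from DEFAULT_ID (0x45) to 0xFF and pick a number; because KEYPAIR_A's ID is not DEFAULT_ID (0x45), we pick 0x45 again.

5. Now give the public key a path: 0x3003 plus 0x45, the result is........WOW.. the path for the public key of KEYPAIR_B is 0x3048, again. The two paths are now the same for the public keys of KEYPAIR_A and KEYPAIR_B. We are in hell.

I hope the situation has been clearly illustrated. I don't know how to solve this problem.

--
Weitao Sun <wei...@ftsafe.com>
TEL: +86 010 62304466 ext. 585
FAX: +86 010 62304477
Entersafe R&D Dep. <www.entersafe.com>
Feitian Technologies Co., Ltd. <www.ftsafe.com>
5th Floor, Building 7A, No.40 Xueyuan Road
Haidian District, Beijing, P.R. China, 100083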
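
The sequence described in the message above, as an added example that is not part of the original post and is not OpenSC code: a simplified C model of the ID allocation and path derivation, run once with the ID-only check and once with an extra check on the derived path. The names key_obj, add_key, paths_collide and the check_paths option are hypothetical, and the path check is one possible guard assumed here for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DEFAULT_ID  0x45    /* first candidate ID (from the post) */
#define PUBKEY_BASE 0x3003  /* entersafe profile base path (from the post) */

/* Simplified model of a key object: its CKA_ID and its public-key file path. */
struct key_obj { unsigned char id[16]; size_t id_len; unsigned path; };
static struct key_obj objs[8];
static size_t n_objs;

static int id_in_use(unsigned id) {
    for (size_t i = 0; i < n_objs; i++)
        if (objs[i].id_len == 1 && objs[i].id[0] == id) return 1;
    return 0;
}
static int path_in_use(unsigned path) {
    for (size_t i = 0; i < n_objs; i++)
        if (objs[i].path == path) return 1;
    return 0;
}
/* Allocate an ID in DEFAULT_ID..0xFF and derive the path as base + ID.
 * check_paths == 0: only IDs are compared, as described in the post.
 * check_paths == 1: an ID is also skipped if its derived path is taken.
 * Returns the index of the new object, or -1 if nothing is free. */
static int add_key(int check_paths) {
    for (unsigned id = DEFAULT_ID; id <= 0xFF && n_objs < 8; id++) {
        if (id_in_use(id)) continue;
        if (check_paths && path_in_use(PUBKEY_BASE + id)) continue;
        objs[n_objs].id[0] = (unsigned char)id;
        objs[n_objs].id_len = 1;
        objs[n_objs].path = PUBKEY_BASE + id;
        return (int)n_objs++;
    }
    return -1;
}
/* Enrol KEYPAIR_A, let the application replace its ID, enrol KEYPAIR_B.
 * Returns 1 if both public keys end up with the same path. */
static int paths_collide(int check_paths) {
    static const unsigned char new_id[] = {0x12,0x34,0x56,0x78,0xab,0xcd,0xef};
    n_objs = 0;
    int a = add_key(check_paths);
    memcpy(objs[a].id, new_id, sizeof new_id);  /* ID changes, path stays */
    objs[a].id_len = sizeof new_id;
    int b = add_key(check_paths);
    return objs[a].path == objs[b].path;
}
int main(void) {
    printf("ID-only check: collide=%d\n", paths_collide(0));
    printf("ID+path check: collide=%d\n", paths_collide(1));
    return 0;
}
```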
1.sc_pkcs15init_generate_key was called to generate a keypair, let us name it KEYPAIR_A. Firefox didn't give it CKA_ID attribute, so we(opensc) give it one (in function sc_pkcs15init_init_prkdf via select_id, in pkcs15-lib.c line 1237). The plicy we alloc new ID is, picking a number in range from DEFAULT_ID(0x45) to 0xFF, if there is no object using it. Thus the ID is 0x45 because the key is the first object. We determine the path of the public key using object ID and template defined in card's specific dot profile file. For example, for entersafe cards, the path is 0x3048 ( that is 0x3003 defined in profile plus 0x45 the object ID). Let's write down the value of 0x3048, we will meet it again soon. 2.Firefox modifies the KEYPAIR_A's ID according it's own policy,so KEYPAIR_A's ID changed from 0x45 to other value, let's assume it's "12345678abcdef". So it is not 0x45 any longer. This step is important. 3.We are happy, everything is OK till now. 4.The user want a second keypair(KEYPAIR_B), so we will alloc a new ID for it. We, again, start from DEFAULT_ID(0x45) to 0xFF, pick a number, because KEYPAIR_A's ID is not DEFAULT_ID(0x45), we pick 0x45 again. 5.Now give the public key a path, 0x3003 plus 0x45 the result is........WOW.. the path for public key of KEYPAIR_B is 0x3048, again. The two paths are the same now for public key of KEYPAIR_A and KEYPAIR_B. We are in hell. I hope the situation has been clearly illustrated. I don't know how to solve this problem. -- Weitao Sun <wei...@ftsafe.com> TEL:+86 010 62304466 ext. 585 FAX:+86 010 62304477 Entersafe R&D Dep.<www.entersafe.com> Feitian Technologies Co., Ltd.<www.ftsafe.com> 5th Floor, Building 7A, No.40 Xueyuan Road Haidian District, Beijing, P.R. China, 100083 _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel