-------- Original Message --------
Subject: opensc ID issue
Date: Mon, 9 Nov 2009 11:14:44 +0100
From: Vital Schonkeren <vital.schonke...@be.zetes.com>
To: <viktor.tara...@opentrust.com>
Hi,

I've also been looking at the same problem. In my case, the problem occurs when I also have private keys on the card without a corresponding public key. The problem is simple, and the solution too, I guess. There is a function in opensc that selects an ID based on existing private keys when importing a private key. The same function is called when importing the public key, while it should actually copy the ID of the private key.

In the same piece of code, I also added another function. In my project I need to store the key on a CardOS card, and for general-purpose keys or keys with signing and encryption purpose, you need to store the key twice on the card, once for signing and once for encryption.

(The Mozilla option for ID generation would solve another problem I have with split keys. Once I create a key in Firefox, the Firefox engine changes the ID of the private key to find it back when importing the certificate. But as you can imagine, the second part of the split key (the encryption key) is not updated, so the link (ID) between the signing key and the encryption key is lost. After that, only signing is possible with the card, since the link between the certificate and the private encryption key is gone. So the Mozilla option would be nice, since then the link is correct from the beginning, unless Mozilla changes this sometime again.)

In framework-pkcs15.c, I changed the following to support split keys.
After this #if #else #endif section, the ID should be copied from &keygen_args.prkey_args to &pub_args …

    else {
        /* 3.b Try key pair generation in software, if allowed */
        if (!sc_pkcs11_conf.soft_keygen_allowed) {
            sc_debug(context, "On card keypair gen not supported, software keypair gen not allowed\n");
            rv = CKR_FUNCTION_FAILED;
            goto kpgen_done;
        }
        sc_debug(context, "Doing key pair generation in software\n");
        rv = sc_pkcs11_gen_keypair_soft(keytype, keybits,
                                        &keygen_args.prkey_args.key, &pub_args.key);
        if (rv != CKR_OK) {
            sc_debug(context, "sc_pkcs11_gen_keypair_soft failed: 0x%0x\n", rv);
            goto kpgen_done;
        }

        /* Write the new public and private keys to the pkcs15 files */
        //VSC 09/2009: to support cardos
    #if 1
        if (sc_pkcs15init_requires_restrictive_usage(p15card, &keygen_args.prkey_args, 0)) {
            sc_debug(context, "store split key required for this card\n");
            rc = sc_pkcs15init_store_split_key(p15card, profile, &keygen_args.prkey_args,
                                               NULL, &priv_key_obj);
            //second key is the signature keyobject
        } else {
            rc = sc_pkcs15init_store_private_key(p15card, profile, &keygen_args.prkey_args,
                                                 &priv_key_obj);
        }
    #else
        rc = sc_pkcs15init_store_private_key(p15card, profile, &keygen_args.prkey_args,
                                             &priv_key_obj);
    #endif
        if (rc >= 0)
            //VSC todo: USE same ID as private key(s) here to avoid bad link between private and public key !!!
            //VSC test with firefox and Iexplore (CSP)
            rc = sc_pkcs15init_store_public_key(p15card, profile, &pub_args, &pub_key_obj);
        if (rc < 0) {
            sc_debug(context, "private/public keys not stored: %d\n", rc);
            rv = sc_to_cryptoki_error(rc, p11card->reader);
            goto kpgen_done;
        }
    }

Kind regards,
Vital Schonkeren

ZETES BE - Rue de Strasbourg 3, 1130 Brussels
Tel.: +32 2 728 37 11
mailto: vital.schonke...@be.zetes.com
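The two failure modes the message describes (a public key given an ID chosen independently of its private key, and a split key whose second half is left behind when one half is renamed) are easy to reproduce in a small model. The following C program is an added example and is not OpenSC code: the `card_model`, `select_id`, `gen_keypair` and scenario functions are constructed here to illustrate the ID-linkage invariant, and `select_id` is only an assumed stand-in for "pick an ID based on the objects of one type already on the card". It shows why the bug stays hidden on an empty card but surfaces once an unpaired private key is present, and how a linkage check detects the orphaned half of a split key.

```c
/* Added example (not OpenSC code): a constructed model of PKCS#15 object
 * IDs and of the private/public key linkage discussed in the e-mail. */
#include <stdio.h>
#include <string.h>

#define MAX_OBJS 8
#define ID_LEN 4

enum obj_type { OBJ_PRKEY, OBJ_PUBKEY, OBJ_CERT };

struct p15obj {
    enum obj_type type;
    unsigned char id[ID_LEN];
};

struct card_model {
    struct p15obj objs[MAX_OBJS];
    int count;
};

/* Append an object; returns its index, or -1 when the model is full. */
static int add_obj(struct card_model *c, enum obj_type t, const unsigned char *id)
{
    if (c->count >= MAX_OBJS)
        return -1;
    c->objs[c->count].type = t;
    memcpy(c->objs[c->count].id, id, ID_LEN);
    return c->count++;
}

/* Assumed model of "select an ID based on existing objects": the lowest ID not yet
 * used by any object of type t (only the last byte of the ID varies here). */
static void select_id(const struct card_model *c, enum obj_type t, unsigned char *out)
{
    unsigned char cand = 1;
    for (;;) {
        int taken = 0;
        for (int i = 0; i < c->count; i++)
            if (c->objs[i].type == t && c->objs[i].id[ID_LEN - 1] == cand)
                taken = 1;
        if (!taken)
            break;
        cand++;
    }
    memset(out, 0, ID_LEN);
    out[ID_LEN - 1] = cand;
}

/* Number of private keys sharing the given ID. A certificate or public key with
 * this ID is usable only if this is >= 1; a split key needs both halves, i.e. 2. */
static int prkeys_with_id(const struct card_model *c, const unsigned char *id)
{
    int n = 0;
    for (int i = 0; i < c->count; i++)
        if (c->objs[i].type == OBJ_PRKEY && memcmp(c->objs[i].id, id, ID_LEN) == 0)
            n++;
    return n;
}

/* Key-pair generation as the e-mail describes it. copy_id == 0: the public key's ID
 * is selected independently (the reported bug); copy_id != 0: it is copied from the
 * private key (the fix). Returns 1 if the two IDs match, 0 if the link is broken. */
static int gen_keypair(struct card_model *c, int copy_id)
{
    unsigned char prk_id[ID_LEN], pub_id[ID_LEN];
    select_id(c, OBJ_PRKEY, prk_id);
    add_obj(c, OBJ_PRKEY, prk_id);
    if (copy_id)
        memcpy(pub_id, prk_id, ID_LEN);
    else
        select_id(c, OBJ_PUBKEY, pub_id);
    add_obj(c, OBJ_PUBKEY, pub_id);
    return memcmp(prk_id, pub_id, ID_LEN) == 0;
}

/* Scenario 1: empty card. Both selections yield ID 1, so the bug is invisible. */
static int scenario_empty_card(int copy_id)
{
    struct card_model c;
    memset(&c, 0, sizeof c);
    return gen_keypair(&c, copy_id);
}

/* Scenario 2: the card already holds a private key (ID 1) with no public key. */
static int scenario_orphan_prkey(int copy_id)
{
    struct card_model c;
    unsigned char one[ID_LEN] = { 0, 0, 0, 1 };
    memset(&c, 0, sizeof c);
    add_obj(&c, OBJ_PRKEY, one);            /* pre-existing unpaired private key */
    return gen_keypair(&c, copy_id);        /* bug: 0 (prkey 2, pubkey 1); fix: 1 */
}

/* Scenario 3: split key (signature + encryption private keys, both ID 1). If the
 * middleware renames the signature key to ID 2 before storing the certificate, the
 * certificate links to one private key instead of two. */
static int scenario_split_key(int rename_before_cert)
{
    struct card_model c;
    unsigned char one[ID_LEN] = { 0, 0, 0, 1 }, two[ID_LEN] = { 0, 0, 0, 2 };
    memset(&c, 0, sizeof c);
    int sig = add_obj(&c, OBJ_PRKEY, one);
    add_obj(&c, OBJ_PRKEY, one);
    if (rename_before_cert)
        memcpy(c.objs[sig].id, two, ID_LEN);
    add_obj(&c, OBJ_CERT, rename_before_cert ? two : one);
    return prkeys_with_id(&c, c.objs[c.count - 1].id);   /* intact: 2; renamed: 1 */
}

int main(void)
{
    printf("empty card, independent pubkey ID: linked=%d\n", scenario_empty_card(0));
    printf("unpaired prkey, independent pubkey ID: linked=%d\n", scenario_orphan_prkey(0));
    printf("unpaired prkey, copied pubkey ID: linked=%d\n", scenario_orphan_prkey(1));
    printf("split key intact: cert links %d private key(s)\n", scenario_split_key(0));
    printf("split key renamed: cert links %d private key(s)\n", scenario_split_key(1));
    return 0;
}
```

The `prkeys_with_id` check is the kind of consistency test worth running over a card's object directory after personalisation: every certificate and public key should resolve to at least one private key, and for cards that require split keys, to exactly two.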