Andreas Jellinghaus wrote:
> btw, if anyone wants to touch the cardos/splitkey code:
> we could as well remove it and simply store "sign,decrypt" as "decrypt" key
> and do the signing internally.
> after a few years, I think the hack to copy the key didn't work out so well,
> and if you can use card+pin for decrypting, there is no security benefit
> in not using it.
Hi,

I would like to do it, if you are not particularly in a hurry. My motivation is to finalize the 'intrinsic_ID' and 'dissociate_ID_and_file_index'. The actual concept of 'split key' is not quite compatible with the key's 'intrinsic ID', nor is it compatible with the PKCS#15 standard -- it states the uniqueness of the key ID.

About the 're-use object' used by CardOS. (Is it the only one?)
See http://www.opensc-project.org/pipermail/opensc-devel/2009-November/012854.html . IMHO, the pkcs15 level should not bother to keep traces of the deleted objects. It's up to the card-specific level to find free index(es) -- re-use an old one or create a new one.

Whether we keep 'split key' or not,
it can be implemented at the card-specific level, with the help of some additional pkcs15_init operation like get_free_index(). (The method will also be useful for other cards.) This method will find free BS index(es); if possible, it can create new one(s),
and will store the key index(es) in key_info.
Afterwards, the card-specific store_key() will store the key once (or twice).

(In the background, I have the IAS-ECC card in mind.
In its latest specification there is no possibility to create new BSs -- all BS slots are pre-allocated.
It's up to the card-specific level, when importing a BS object,
to discover a suitable slot with the proper size, algo, ACLs, ...)

we should stay compatible with cards initialized with old opensc however.

I would try to prepare a patch, but actually I have no CardOS card recognized by OpenSC.
The CardOS card that I have is:
3b:fb:18:00:02:c1:0a:31:fe:58:56:44:53:43:34:c8:08:00:00:00:01:4a
Info : CardOS V4.3B (C) Siemens AG 1994-2004
Chip type: 124

Any help would be greatly appreciated.

Regards, Andreas

Kind wishes,
Viktor Tarasov.

--
Viktor Tarasov  <viktor.tara...@opentrust.com>
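
Andreas's point above, that a key the card will use for decryption can sign anyway, worked through as an added example (Python; not OpenSC code). It assumes the card's 'decrypt' is a raw, unpadded RSA private operation and uses a constructed, deterministic toy key; the middleware builds the PKCS#1 v1.5 type-1 block itself, and a verifier sees an ordinary RSASSA-PKCS1-v1_5 signature, which is why a separate copy of the key restricted to signing buys no security.

```python
import hashlib
import random

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def make_demo_key(bits=1024, seed=1):
    """Deterministic toy RSA key, constructed for this example only (Fermat
    test with 16 random bases: fine for a demo, not for real key generation)."""
    rng, e, half = random.Random(seed), 65537, bits // 2
    def prime():
        while True:
            c = rng.getrandbits(half) | (1 << (half - 1)) | 1
            if all(pow(rng.randrange(2, c - 1), c - 1, c) == 1 for _ in range(16)):
                return c
    while True:
        p, q = prime(), prime()
        if p != q and (p - 1) * (q - 1) % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _klen(key):
    return (key["n"].bit_length() + 7) // 8  # modulus length in bytes

def emsa_pkcs1_v1_5(msg, k):
    """Type-1 padding done in software: the middleware's job when the card
    only exposes the raw private operation."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for SHA-256 DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def card_raw_decrypt(key, block):
    """Stand-in for the card's 'decrypt': raw m^d mod n, no padding check
    (assumption: the card applies no PKCS#1 type-2 unpadding)."""
    m = int.from_bytes(block, "big")
    return pow(m, key["d"], key["n"]).to_bytes(_klen(key), "big")

def sign_via_decrypt(key, msg):
    """'Sign' using only the decrypt capability: pad in software, raw private op."""
    return card_raw_decrypt(key, emsa_pkcs1_v1_5(msg, _klen(key)))

def verify(key, msg, sig):
    """Ordinary RSASSA-PKCS1-v1_5 verification with the public key."""
    s = int.from_bytes(sig, "big")
    em = pow(s, key["e"], key["n"]).to_bytes(_klen(key), "big")
    return em == emsa_pkcs1_v1_5(msg, _klen(key))
```

If the card's decrypt instead strips type-2 (encryption) padding before returning, the type-1 block is rejected and this construction does not apply; that distinction is what decides whether a "decrypt" key is effectively a signing key.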

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
