Martin Paljak wrote:
> On 27.11.2009, at 17:31, Andreas Jellinghaus wrote:
>   
>> On Thursday 26 November 2009 19:55:02, Viktor TARASOV wrote:
>>> But before, I would like to know if there are any objections for
>>> the following changes to calls of do_change() and do_unblock() in
>>> opensc-explorer.
>>>       
>> I like the changes. opensc-explorer is only meant as debug tool,
>> but still each function could be improved so it can implement
>> the various card commands.
>>
>> one question: unblock always works with puk?
>> is there a way to use so-pin for unblocking too?
>>     
>
> You refer to the same issue I pointed out before: concepts like "so-pin" 
> don't exist in low level ISO specs. It is a  PKCS#15/#11 level concept.
>
> From PKCS#15 spec v1.1 page 44:
> """
> PinAttributes.pinFlags: This field signals whether the PIN: .. is a soPin, 
> meaning that the PIN is a Security Officer PIN (in the PKCS #11 sense)
> """
> opensc-explorer (I guess) is supposed to be an ISO (card driver) level utility 
> which does not know such things, it just handles PINs with numeric indexes.
> I don't see why pkcs15-tool --change-pin/--unblock-pin can not be used as 
> debug tools, especially because they also reveal issues other applications 
> using  pkcs#11, Tokend or CSP interfaces  would encounter once they use the 
> pkcs15 API (like pkcs#11 and tokend currently do)
>
>
> I don't mind extending opensc-explorer but the "right place" for PIN 
> operations, IMHO, is in pkcs15-tool. And it can be called with command line 
> parameters (which is not trivial for explorer)!
>   

IMHO, there should be the possibility to test the different PIN 
operation modes with the different OpenSC tools, because these tools do 
not cover the same use cases.
Here are some reflections:

- as for me, opensc-explorer is not only an ISO tool; it should also 
help to develop the card-specific aspects in a more direct manner than 
can be done with the high-level tools;

- I do not think that all 'pkcs15-emu' drivers export all the card 
functionalities. A card can be formatted with non-OpenSC tools. In 
these cases, the card may not be completely accessible with the 'high-level' 
OpenSC tools, but it can still be accessible with opensc-explorer;

- all the OpenSC high-level tools are non-interactive, 'stateless' or 
have some predefined operations order; they have no possibility to 
prepare some test 'in a fine manner', as it's the case with opensc-explorer;

- actually pkcs15-tool does not have the 'pinpad' notion; opensc-explorer 
already accepts pinpad for PIN verification --
it seems quite logical to have this support for the other operations;

- anyway, the actual opensc-explorer API is not complete; for ex. it 
covers only two modes of ISO's 'reset retry counter'. ISO defines four of 
them;

- 'unlock code' versus 'sopin' is rather a card-specific question. For 
some cards, after initialization, SOPIN is used only to unblock the user 
PIN. For other cards, SOPIN has UNBLOCK power and other functions 
-- in PKCS#15 the same PIN object cannot have both 'unblockingPin' and 
'soPin' flags activated;

- 'SOPIN' does not exist for ISO; 'UNBLOCK CODE' does not exist for 
PKCS#11; both exist at PKCS#15 level but cannot be mixed, ... The 
situation is not quite well defined and some of the solutions are up to 
the card-specific part -- IMHO, the OpenSC tools should have enough 
flexibility to help the card-specific part;

- pinpad has to be also accepted by pkcs11 tool.

>   
>> and the text in the examples has "Set PIN" where
>> I wonder if "unblock pin" wouldn't be better - the 
>> texts are a bit confusing right now.
>>
>> or do the "Set PIN" operations require a "verify" command
>> to be executed first?
>>     
> I believe this would be card specific. See the changeset 3744 and the way it 
> is used by Portuguese eID in card-ias.c 
> http://www.opensc-project.org/opensc/browser/branches/martin/0.12/src/libopensc/card-ias.c?rev=3755#L207
>
> Martin.  

Kind wishes,
Viktor.


-- 
Viktor Tarasov  <viktor.tara...@opentrust.com>
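
The four 'reset retry counter' modes mentioned in the message above, as an added example that is not part of the original message or of OpenSC's code: in ISO/IEC 7816-4 the P1 byte of RESET RETRY COUNTER (INS 0x2C) selects whether the data field carries the resetting code, the new reference data, both, or nothing. The helper name `rrc_build_apdu`, the PIN reference 0x01 and the ASCII, unpadded PIN encoding are assumptions made for illustration; real cards may require padding or a different encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* P1 of RESET RETRY COUNTER (INS 0x2C) selects what the data field carries. */
enum rrc_mode {
    RRC_CODE_AND_NEW = 0x00, /* resetting code followed by new reference data */
    RRC_CODE_ONLY    = 0x01, /* resetting code only */
    RRC_NEW_ONLY     = 0x02, /* new reference data only */
    RRC_NO_DATA      = 0x03  /* no data field */
};

/* Constructed sample values; ASCII encoding without padding is an assumption. */
static const uint8_t SAMPLE_CODE[] = { '1','2','3','4','5','6','7','8' };
static const uint8_t SAMPLE_NEW[]  = { '4','3','2','1' };

/* Hypothetical helper: encode a short APDU into out. Returns its length, or -1
 * when the supplied fields do not match the mode or the buffer is too small. */
int rrc_build_apdu(int mode, uint8_t pin_ref, const uint8_t *code, size_t code_len,
                   const uint8_t *new_pin, size_t new_len, uint8_t *out, size_t out_cap)
{
    int need_code = (mode == RRC_CODE_AND_NEW || mode == RRC_CODE_ONLY);
    int need_new  = (mode == RRC_CODE_AND_NEW || mode == RRC_NEW_ONLY);
    size_t lc, n = 0;

    if (mode < RRC_CODE_AND_NEW || mode > RRC_NO_DATA) return -1;
    if (need_code != (code != NULL && code_len > 0)) return -1; /* missing or stray code */
    if (need_new != (new_pin != NULL && new_len > 0)) return -1; /* missing or stray PIN */
    if (code_len > 255 || new_len > 255) return -1;
    lc = (need_code ? code_len : 0) + (need_new ? new_len : 0);
    if (lc > 255 || out_cap < 4 + (lc ? 1 + lc : 0)) return -1;

    out[n++] = 0x00; out[n++] = 0x2C; out[n++] = (uint8_t)mode; out[n++] = pin_ref;
    if (lc) {
        out[n++] = (uint8_t)lc;                      /* Lc: length of data field */
        if (need_code) { memcpy(out + n, code, code_len); n += code_len; }
        if (need_new)  { memcpy(out + n, new_pin, new_len); n += new_len; }
    }
    return (int)n;
}

int main(void)
{
    uint8_t apdu[32];
    int i, len = rrc_build_apdu(RRC_CODE_AND_NEW, 0x01, SAMPLE_CODE, sizeof SAMPLE_CODE,
                                SAMPLE_NEW, sizeof SAMPLE_NEW, apdu, sizeof apdu);
    for (i = 0; i < len; i++) printf("%02X ", apdu[i]);
    printf("\n");
    return len < 0;
}
```

The helper rejects a field that the chosen mode does not use, so a caller cannot send a resetting code in a mode where the card would interpret those bytes as new reference data.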
