Hi.

There seem to be two targets:
a) How to accomplish all functionality via PKCS#11 interface
b) How to remain compatible with as many as possible / select existing 
application implementations.

IMHO,
Exploiting C_Login(CKU_CONTEXT_SPECIFIC) + SetPIN() to achieve target a seems 
reasonably valid, as it does not seem to contradict the 2.20 spec.
Achieving b will probably be difficult anyway, as there are different cards and 
different applications, which most probably have quirks themselves as well or 
work in a specific combination only.

Is there a real life test-case or usage scenario (some "respectable" and common 
application used in the wild)?

To me, C_SetPIN without a logged in user seems a somewhat OK solution, even 
though I agree with the possible PUK counter decrease problem.
Thus implementing the context specific trick for target a is OK; achieving 
target b requires a real life application example and investigation of what other 
implementations do (also note that proprietary PKCS#11 interfaces are 
usually tuned to the specific hardware they support and thus probably can't 
be copied 1:1 into OpenSC).


Martin.

On 04.01.2010, at 11:03, Pierre Ossman wrote:
> 
>> On Thu, 03 Dec 2009 14:57:34 +0100
>> Viktor TARASOV <viktor.tara...@opentrust.com> wrote:
>> 
>>> 
>>> Another possible, 'alternative to alternative' scheme is to use C_SetPin()
>>> in the specific context (after C_Login(CKU_SPECIFIC_CONTEXT)).
>>> 
>>> So, in CKU_USER_PIN context C_SetPin() is used to change user PIN,
>>> in CKU_CONTEXT_SPECIFIC it's used to unblock user PIN.
>>> 
>>> Afais, CKU_CONTEXT_SPECIFIC is not actually used.
>>> 
>> 
>> The problem here is that this is not something that's specified in the
>> standard, and it's not the system existing implementations use.
>> 
>> I think that as far as the interface goes, C_Login(CKU_SO) followed by
>> C_InitPin() is set in stone as we want to be compatible with what's
>> already out there.


On Fri, 04 Dec 2009 09:44:36 +0100
Viktor TARASOV <viktor.tara...@opentrust.com> wrote:

> -- if C_SetPIN() is not preceded by C_Login then it's implicitly the 
> User PIN is going to be changed.
>   In this case the 'pOldPin' argument is the unblocking code.
>   For me it's quite logical, because, as you've told,
>   we do not have or cannot use the actual PIN value.
> 



-- 
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495




_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
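The three unblock sequences discussed in this thread (C_Login(CKU_SO) + C_InitPIN, C_Login(CKU_CONTEXT_SPECIFIC) + C_SetPIN, and C_SetPIN with no prior login) modelled against a small in-memory mock token, including the PUK retry counter that the "PUK counter decrease problem" refers to. This is a constructed example, not OpenSC code: the mock_* functions, the sample PIN/PUK and the retry limit of 3 are assumptions; only the CKU_/CKR_ constant values are taken from PKCS#11.

```c
#include <stdio.h>
#include <string.h>
/* Constants mirror the pkcs11.h values; the token itself is a constructed mock. */
enum { CKU_SO = 0, CKU_USER = 1, CKU_CONTEXT_SPECIFIC = 2, NOT_LOGGED_IN = 99 };
enum { CKR_OK = 0, CKR_PIN_INCORRECT = 0xA0, CKR_PIN_LOCKED = 0xA4, CKR_USER_NOT_LOGGED_IN = 0x101 };

static struct {
    char pin[16], puk[16];
    int pin_tries, puk_tries;  /* remaining retry counters */
    int logged_in_as;          /* a CKU_* value or NOT_LOGGED_IN */
} tok;
/* Compare a secret, consuming one retry on mismatch, as a real card does. */
static int verify(const char *stored, const char *given, int *tries) {
    if (*tries <= 0) return CKR_PIN_LOCKED;
    if (strcmp(stored, given) == 0) return CKR_OK;
    return --(*tries) > 0 ? CKR_PIN_INCORRECT : CKR_PIN_LOCKED;
}
/* Store a new user PIN and restore its retry counter: the effect of an unblock. */
static void set_user_pin(const char *new_pin) {
    snprintf(tok.pin, sizeof tok.pin, "%s", new_pin);
    tok.pin_tries = 3;
}
void mock_token_reset(void) {  /* fresh card: sample PIN and PUK, 3 tries each */
    set_user_pin("1234");
    snprintf(tok.puk, sizeof tok.puk, "87654321");
    tok.puk_tries = 3; tok.logged_in_as = NOT_LOGGED_IN;
}
int mock_puk_tries_left(void) { return tok.puk_tries; }
/* The SO authenticates with the PUK, the user with the PIN. CKU_CONTEXT_SPECIFIC
   verifies nothing here: in the proposed scheme the PUK travels in C_SetPIN. */
int mock_C_Login(int user_type, const char *secret) {
    int rv = CKR_OK;
    if (user_type == CKU_SO) rv = verify(tok.puk, secret, &tok.puk_tries);
    else if (user_type == CKU_USER) rv = verify(tok.pin, secret, &tok.pin_tries);
    if (rv == CKR_OK) tok.logged_in_as = user_type;
    return rv;
}
/* Standard unblock: only a logged-in SO may set a fresh user PIN. */
int mock_C_InitPIN(const char *new_pin) {
    if (tok.logged_in_as != CKU_SO) return CKR_USER_NOT_LOGGED_IN;
    set_user_pin(new_pin); return CKR_OK;
}
/* In the CKU_USER context pOldPin is the current PIN; in the context-specific or
   no-login variants it carries the PUK, so a wrong value costs a PUK try. */
int mock_C_SetPIN(const char *old, const char *new_pin) {
    int rv = tok.logged_in_as == CKU_USER ? verify(tok.pin, old, &tok.pin_tries)
                                          : verify(tok.puk, old, &tok.puk_tries);
    if (rv != CKR_OK) return rv;
    set_user_pin(new_pin);
    return CKR_OK;
}
```

Call mock_token_reset() before each sequence; a wrong pOldPin in the no-login or context-specific variant is charged to the PUK counter, which is the compatibility cost being weighed above.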
