Andreas Jellinghaus wrote:
> hmm. my vague memory tells me with some cards you generate a private key,
> and only then - right after generating - you get the public key as response.
> so it needs to be saved right away as rsa public key object or a certificate
> signing request needs to be generated, else you can't download the public
> key again.

The PIV card works like this. The piv-tool can tell the card to generate a
key pair; that returns the pubkey, which is saved to a file. The pubkey can
then be used in a certificate request, and the piv-tool can write the
certificate to the card. The pkcs15-piv.c will then emulate a public key
object by reading the certificate.

> but maybe it was only a very strange card or library, and I guess usually
> it is not the case.
>
> I too expect that most software library + card combinations will have
> rsa public keys, and even if not, that you can get the public parts from
> the private key object (maybe a login is required first).
>
> I only wanted to note that some strange software/card might be quite
> limited and cause problems.
>
> my advice would be: if people had a certificate on the card, the
> public key can be read from that. if not, maybe there is a rsa public
> key that can be used as source.

This is what the PIV driver does when signing the certificate request. It
gets the pub key from the file saved by piv-tool.

> if not maybe the rsa secret key will give you the public key details.
>
> I'm not sure if the extra work for those two "if not" is worth the work,
> but our pam_p11 bug we had these days shows that users expect a card to
> work without certificates, even though that is very strange for us
> developers.

Too bad. If they are trying to use these cards for SSH the certificate could
be self signed, just used to hold the public key.

> Regards, Andreas
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
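As an added illustration of the two fallbacks discussed in this thread (this is not OpenSC or piv-tool code, and it works on files with openssl rather than on a card): the public key captured at key-generation time is compared with the key recovered from a self-signed certificate, and with the key derived from the private key object. The self-signed certificate is built the way the reply suggests, purely as a container for the public key. The working directory, file names and the subject name are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo (not OpenSC/piv-tool code): shows that an RSA public key
# which is only handed out once at generation time can still be recovered
# later, either from a certificate holding it or from the private key.
set -e

WORK="$(mktemp -d)"           # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT

# Stand-in for on-card key generation: create the private key and capture
# the public key immediately, as piv-tool saves it to a file.
gen_keypair() {
    openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
    openssl rsa -in "$WORK/key.pem" -pubout -out "$WORK/pub_at_gen.pem" 2>/dev/null
}

# Build a certificate request and self-sign it; the certificate's only job
# here is to carry the public key (the SSH use case from the thread).
make_selfsigned_cert() {
    openssl req -new -key "$WORK/key.pem" -subj "/CN=piv-demo" \
        -out "$WORK/req.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/req.pem" -signkey "$WORK/key.pem" \
        -days 1 -out "$WORK/cert.pem" 2>/dev/null
}

# Fallback 1: read the public key back out of the certificate
# (what pkcs15-piv.c does when it emulates the public key object).
pubkey_from_cert() {
    openssl x509 -in "$WORK/cert.pem" -pubkey -noout > "$WORK/pub_from_cert.pem"
}

# Fallback 2: derive the public key from the private key object.
pubkey_from_privkey() {
    openssl rsa -in "$WORK/key.pem" -pubout -out "$WORK/pub_from_key.pem" 2>/dev/null
}

# Returns 0 when both fallbacks reproduce the key captured at generation;
# both paths emit the same SubjectPublicKeyInfo PEM, so a byte compare suffices.
pubkeys_match() {
    cmp -s "$WORK/pub_at_gen.pem" "$WORK/pub_from_cert.pem" &&
    cmp -s "$WORK/pub_at_gen.pem" "$WORK/pub_from_key.pem"
}

gen_keypair
make_selfsigned_cert
pubkey_from_cert
pubkey_from_privkey
pubkeys_match && echo "public key recovered from certificate and from private key"
```

Run it with any POSIX shell that has openssl on the path; the check in pubkeys_match is the property a driver relies on when it prefers the certificate as the public key source and falls back to the private key object only when no certificate is present.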