On Apr 1, 2010, at 23:59, Martin Paljak wrote:
> Hello,
> 
> PKCS#11 is an API for cryptographic devices that perform cryptographic 
> operations.
> The API itself does not mandate the use of hardware (in fact, there are 
> several competing software PKCS#11 modules) but in the context of OpenSC, a 
> smart card library, it is obvious that the interface provided by OpenSC deals 
> exclusively with smart cards.
> It would be reasonable to expect that all of the operations exposed via 
> PKCS#11 take place inside the security boundaries of the cryptographic smart 
> card module.
> 
> Most of the time, if smart cards are used, they are used because they can 
> generate keys on the card that never leave the card. Sometimes pre-generated 
> keys are loaded onto smart cards for transportation or use. But usually smart 
> cards are used for security reasons and the only security smart cards provide 
> is the physical and logical access control to the plaintext key material.
> 
> OpenSC currently has a very lax implementation of the actual functionality as 
> well as for the flags that should signal the difference. These flags are:
> (from PKCS#15) native, sensitive, extractable, alwaysSensitive, 
> neverExtractable and local
> 
> related PKCS#11 functions:
> C_WrapKey
> C_UnwrapKey
> 
> and usage flags: wrap, unwrap
> and also includes transparent key generation in software.

Here's a first bunch that removes software key generation. 
What is changed:
* pkcs15-init: remove the possibility to generate keys in software
* PKCS#11: get rid of software secret keys and remove everything related to 
C_UnwrapKey
* PKCS#11: Remove software key generation when generating keypairs 

Attachment: hardware-only.diff
Description: Binary data



Correcting different flags in different cases still needs testing with 
different tools and different profiles and scenarios.

-- 
Martin Paljak
http://martin.paljak.pri.ee
+3725156495


_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
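
Added example, not part of the original message, the attached patch, or OpenSC: a check a PKCS#11 client could run over the flags named above (local, sensitive, extractable, alwaysSensitive, neverExtractable) to tell keys that never left the card from keys that did or still can. The struct, enum, function names and sample data are hypothetical; it assumes the five booleans were already read with C_GetAttributeValue.

```c
#include <stdbool.h>
#include <stddef.h>

/* Boolean attributes as read back with C_GetAttributeValue: CKA_LOCAL,
 * CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_ALWAYS_SENSITIVE, CKA_NEVER_EXTRACTABLE.
 * The struct and enum are hypothetical helpers, not OpenSC types. */
struct key_flags {
    bool local, sensitive, extractable, always_sensitive, never_extractable;
};

enum key_verdict {
    KEY_ON_CARD_ONLY,  /* generated on the token and never exposable */
    KEY_PROTECTED_NOW, /* protected now, but loaded from outside or once exposable */
    KEY_EXPOSABLE,     /* readable or wrappable today */
    KEY_INCONSISTENT   /* history flags contradict the current flags */
};

enum key_verdict classify_key(const struct key_flags *k)
{
    /* "always"/"never" cannot hold if the current flag already says otherwise. */
    if ((k->always_sensitive && !k->sensitive) ||
        (k->never_extractable && k->extractable))
        return KEY_INCONSISTENT;
    if (!k->sensitive || k->extractable)
        return KEY_EXPOSABLE;
    if (k->local && k->always_sensitive && k->never_extractable)
        return KEY_ON_CARD_ONLY;
    return KEY_PROTECTED_NOW;
}

/* Count keys that fail a hardware-only policy. */
size_t count_not_card_only(const struct key_flags *keys, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_key(&keys[i]) != KEY_ON_CARD_ONLY)
            bad++;
    return bad;
}

/* Constructed sample data, not read from a real token. */
static const struct key_flags sample_keys[] = {
    { true,  true,  false, true,  true  }, /* on-card keypair generation */
    { false, true,  false, false, false }, /* key loaded from outside */
    { true,  true,  true,  true,  false }, /* generated on card, still wrappable */
    { true,  false, false, true,  true  }, /* module reports impossible flags */
};

int main(void) { return count_not_card_only(sample_keys, 4) == 3 ? 0 : 1; }
```

A KEY_INCONSISTENT result points at the module's flag handling rather than at the key.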