Aventra development wrote:
Hi,

I don't have any objections to the change you proposed, Andre. I have also 
prepared and attached to this message a patch; please review and commit. It 
adds the following features to the MyEID driver (based on trunk) and also 
includes some whitespace fixes:

- Card initialization and finalization (activation)

- Key generation (thanks to Viktor, however now I have some problem with pcsc 
transmit failing after some time while the card is generating the key)

- PIN change and unblock (code added to MyEID driver, but it does not work with pkcs15-tool (does nothing),
There is a little 'copy&paste' issue in your patch.
It's corrected in r4682.

pkcs11-tool works, but pkcs#11 module does not when using Firefox).

Another problem with Firefox is that certificate enrollment does not work when 
using the pkcs#11 module, e.g. when using this site: pkitest.gdm.de/starsign

Actually in the MyEID profile some operations that should be executed during the card enrollment are protected
by SOPIN.
It's rather difficult to supply the SOPIN to the PKCS#11 module inside the User session.
Here is a patch with the working version of the MyEID profile.
Not all changes in this patch are justified, but it can be tuned later.

There is also the problem of 'Multiple ACLs'
http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014803.html
Here is also a patch that allows (in a temporary manner) bypassing the problem of 'Multiple ACLs'.

With these two patches I can import pkcs12 with Firefox on Windows.
PIN change/unblock with pkcs15-tool also 'working for me'.

Omnikey CardMan 3121 has been used in my tests.

Anyway it's a step forward. If somebody is able to help with the Firefox 
problem or knows why pkcs15-tool does not work, feel free to edit the code 
or send some information to me so we can get these working as well.

Kind regards,
Toni

Kind wishes,
Viktor.


-----Original Message-----
From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of Andre Zepezauer
Sent: 31 August 2010 21:02
To: Viktor TARASOV
Cc: 'OpenSC-devel'
Subject: Re: [opensc-devel] Problem with 2K keys and MyEID

On Tue, 2010-08-31 at 18:40 +0200, Viktor TARASOV wrote:
Andre Zepezauer wrote:
On Mon, 2010-08-30 at 15:19 +0200, Viktor TARASOV wrote:

Aventra development wrote:

The 1K key generation works nicely, but we are having a problem
generating a 2K key using OpenSC 0.11.13 and our own MyEID card.

OpenSC correctly finds a new file id and creates the file, and after
that it tries to store the key to that file.

The issue is that the created file’s size is only 1024 bytes, so the
card will answer with 67 00 (Wrong length).

Some code in OpenSC decides to create the wrong sized file, but I have
not been able to find it.

Now I'm curious: do other cards work when generating (or just
loading) 2048 byte keys?


For me, to generate the 2048-bit key on the Aventra card,
the following patch needed to be applied to the OpenSC trunk.

If no objection, I'll commit this patch to trunk.

Hello Viktor,

I would write the check for the supported modulus length a bit more generically.
But it's functionally the same as yours, because myeid supports only
1024 and 2048 bit (at least the driver does). Therefore it doesn't
matter a lot.

#include "internal.h"

pkcs15init/pkcs15-myeid.c:513
        /* check that the card supports the requested modulus length */
        if (_sc_card_find_rsa_alg(p15card->card, keybits) == NULL)
                SC_TEST_RET(ctx, LEVEL, ERROR, MSG);

Agree, it's much better.
I hope that Toni (maintainer of the myEID driver) has no objections.

On the other hand it would be fine to give a good example, because
someone may want to copy+paste your code. See copy+paste in the card
drivers [1].

The same check also occurs in lines 427, 514, 574 and 637. And interestingly,
_always_ some lines below there is the following conditional assignment:
if (file->size < 1024)
        file->size = 1024;

Will you prepare the patch?
I don't have the required hardware, therefore testing isn't possible for me.
But if someone would send me some pieces of these cards, I could do it
myself the next time.

Regards
Andre

Kind wishes,
Viktor.

[1] http://www.opensc-project.org/pipermail/opensc-devel/2010-August/014615.html


_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


--
Viktor Tarasov  <viktor.tara...@opentrust.com>
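An added example, not OpenSC's code and not from any of the thread's authors, written to show the two points discussed above: Andre's generic lookup in the card's own algorithm table in place of a hard-coded 1024-or-2048 test, and the key-file sizing behind the 67 00 "Wrong length" that Toni reports for 2K keys. Every struct and function here is a hypothetical stand-in (the names find_rsa_alg, key_file_size, store_key_sw, create_key_file and the constructed card tables are assumptions, not the driver's real API), and the model assumes that the card expresses the key EF size in bits, so that the 1024 floor quoted from the driver corresponds to a 1K key:

```c
/* Added example, not OpenSC's code: a minimal model of the two checks
 * discussed in the thread, the generic "does this card support the
 * requested modulus length?" lookup and the key-file sizing that failed
 * with SW 67 00 for a 2K key. All types and functions are hypothetical
 * stand-ins; they only mirror the shape of _sc_card_find_rsa_alg() and of
 * the size floor quoted above. */
#include <stddef.h>
#include <stdio.h>

/* One RSA key length a card advertises (modulus length in bits). */
struct rsa_alg_info {
    unsigned int key_length;
};

/* A card with its table of supported RSA key lengths. */
struct card_model {
    const char *name;
    const struct rsa_alg_info *algs;
    size_t nalgs;
};

/* Constructed tables: MyEID as the driver describes it (1024 and 2048),
 * and a hypothetical card with a wider range. */
static const struct rsa_alg_info myeid_algs[] = { {1024}, {2048} };
static const struct rsa_alg_info wide_algs[]  = { {512}, {1024}, {2048}, {4096} };
const struct card_model myeid = { "MyEID (constructed table)", myeid_algs, 2 };
const struct card_model wide  = { "wide-range card (hypothetical)", wide_algs, 4 };

/* Generic check: look keybits up in the card's own table, NULL if absent. */
const struct rsa_alg_info *find_rsa_alg(const struct card_model *card, unsigned int keybits)
{
    for (size_t i = 0; i < card->nalgs; i++)
        if (card->algs[i].key_length == keybits)
            return &card->algs[i];
    return NULL;
}

/* The hard-coded check it replaces: correct for MyEID, silently wrong once
 * copy+pasted into a driver for a card that supports other lengths. */
int hardcoded_ok(unsigned int keybits)
{
    return keybits == 1024 || keybits == 2048;
}

/* Size of the EF that will hold the key. Assumption for this model: the
 * card expresses the key file size as the modulus length in bits, so the
 * floor of 1024 seen in the driver is exactly a 1K key and a 2K key needs
 * a larger file. */
size_t key_file_size(unsigned int keybits)
{
    size_t size = keybits;
    if (size < 1024)
        size = 1024;
    return size;
}

/* Model of the card's answer when a keybits key is written into an EF of
 * file_size: 0x9000 on success, 0x6700 "Wrong length" when it cannot fit. */
unsigned int store_key_sw(size_t file_size, unsigned int keybits)
{
    return file_size >= key_file_size(keybits) ? 0x9000u : 0x6700u;
}

/* The key creation step as a whole: reject unsupported lengths before
 * touching the card, then size the EF from keybits rather than the floor.
 * Returns 0 and sets *ef_size on success, -1 when the card does not
 * support keybits. */
int create_key_file(const struct card_model *card, unsigned int keybits, size_t *ef_size)
{
    if (find_rsa_alg(card, keybits) == NULL)
        return -1;
    *ef_size = key_file_size(keybits);
    return 0;
}

int main(void)
{
    size_t ef;
    /* The reported failure: the EF was created with the floor size only. */
    printf("2K key into a 1024 file: SW %04X\n", store_key_sw(1024, 2048));
    /* Sizing from keybits makes the card accept the key. */
    if (create_key_file(&myeid, 2048, &ef) == 0)
        printf("2K key into a %zu file: SW %04X\n", ef, store_key_sw(ef, 2048));
    /* Where the generic and the hard-coded check part ways. */
    printf("4096 on %s: generic %s, hardcoded %s\n", wide.name,
           find_rsa_alg(&wide, 4096) ? "ok" : "unsupported",
           hardcoded_ok(4096) ? "ok" : "unsupported");
    return 0;
}
```

The point of the table lookup is that the driver asks the card object what it supports instead of repeating a literal list in five places; the sizing function shows why the 1024 floor alone is not enough once keybits exceeds it.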

Index: src/pkcs15init/profile.c
===================================================================
--- src/pkcs15init/profile.c    (révision 4692)
+++ src/pkcs15init/profile.c    (copie de travail)
@@ -1355,7 +1355,7 @@
                        if (map_str2int(cur, oper, &op, fileOpNames))
                                goto bad;
                        acl = sc_file_get_acl_entry(file, op);
-                       if (acl->method == SC_AC_NEVER
+                       if (1 || acl->method == SC_AC_NEVER
                         || acl->method == SC_AC_NONE
                         || acl->method == SC_AC_UNKNOWN)
                                sc_file_clear_acl_entries(file, op);
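Review bot: `if (1 || acl->method == SC_AC_NEVER` makes the whole condition unconditionally true, so `sc_file_clear_acl_entries(file, op)` now runs for every operation parsed from the profile and the three `acl->method` comparisons below it are dead code; existing entries are wiped for every op, not only those whose method is NEVER, NONE or UNKNOWN. Since the cover mail calls this a temporary way past the 'Multiple ACLs' problem, it should not land on trunk in this form: at minimum put the bypass behind a clearly named temporary define or a `/* FIXME: temporary, see the 'Multiple ACLs' thread */` comment so the original condition is not lost when the real fix arrives.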
Index: src/pkcs15init/myeid.profile
===================================================================
--- src/pkcs15init/myeid.profile        (révision 4692)
+++ src/pkcs15init/myeid.profile        (copie de travail)
@@ -92,13 +92,13 @@
         DF PKCS15-AppDF {
                type      = DF;
                file-id   = 5015;
-            acl       = DELETE=NONE, CREATE=$SOPIN;
+            acl       = DELETE=NONE, CREATE=$PIN;
            
             EF PKCS15-ODF {
                    file-id   = 5031;
                 structure = transparent;
                    size      = $odf-size;
-                   acl       = READ=NONE, UPDATE=$SOPIN, DELETE=$SOPIN;
+                   acl       = READ=NONE, UPDATE=$PIN, DELETE=$PIN;
                }
 
             EF PKCS15-TokenInfo {
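Review bot: `CREATE=$SOPIN` becoming `CREATE=$PIN` on PKCS15-AppDF, and `UPDATE`/`DELETE` on PKCS15-ODF moving from `$SOPIN` to `$PIN`, lower those operations from the security officer PIN to the user PIN, so anyone holding the user PIN can create files under the application DF and rewrite or delete the ODF. The cover mail says not every change here is justified, so record which of these relaxations the Firefox pkcs12 import actually needs (the prose only mentions file creation during enrollment) and keep the others at `$SOPIN`; a comment in the profile next to each relaxed `acl` line saying why it was loosened would help whoever tunes this later.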
@@ -125,28 +125,28 @@
                 file-id          = 4402;
                 structure = transparent;
                 size     = $prkdf-size;
-                acl          = READ=NONE, UPDATE=$PIN, DELETE=$SOPIN;
+                acl      = READ=NONE, UPDATE=$PIN, DELETE=$PIN;
             }
 
             EF PKCS15-PuKDF {
                 file-id          = 4403;
                 structure = transparent;
                 size     = $pukdf-size;
-                acl          = READ=NONE, UPDATE=$PIN, DELETE=$SOPIN;
+                acl      = READ=NONE, UPDATE=$PIN, DELETE=$PIN;
             }
 
             EF PKCS15-CDF {
                 file-id          = 4404;
                 structure = transparent;
                 size     = $cdf-size;
-                acl          = READ=NONE, UPDATE=$PIN, DELETE=$SOPIN;
+                acl          = READ=NONE, UPDATE=$PIN, DELETE=$PIN;
             }
 
             EF PKCS15-DODF {
                 file-id          = 4405;
                 structure = transparent;
                 size     = $dodf-size;
-                acl       = READ=NONE, UPDATE=$PIN, DELETE=$SOPIN;
+                acl       = READ=NONE, UPDATE=$PIN, DELETE=$PIN;
             }
             
             EF template-private-key {
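Review bot: besides moving `DELETE` on PrKDF, PuKDF, CDF and DODF from `$SOPIN` to `$PIN` (the same privilege relaxation as the previous hunk, now letting a user-PIN holder delete the directory files), the PrKDF and PuKDF `acl` lines also change their alignment (`acl          =` becomes `acl      =`) while the CDF and DODF lines keep theirs, which mixes cosmetic edits into a functional change and leaves the four entries indented inconsistently. Move the whitespace into the separate whitespace fix the cover mail already mentions and keep the four `acl` lines aligned the same way.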