On 9/29/2010 9:51 AM, Andre Zepezauer wrote: > Hello Douglas, > > in my opinion the usage of OpenSSL in libopensc.so should be removed > altogether. If cryptography is needed by some cards (i.e. for > ), then this should be done by dedicated > tools. CardOS is a good example. It requires encrypted APDU:s for the > delete_MF and create_MF commands. This is done by cardos-tool, which has > to be executed only before personalisation. Looking at the code of > entersafe, gpk and oberthur I came to the conclusion, that a similar > approach could work for these drivers too.
I agree. The PIV card only needs 3DES for initialization/personalization today. The piv-tool was designed to allow for initializing test cards, with the intent that production cards would be issued by card management stations run by others as the NIST standards only cover a few of the commands needed for initialization, leaving the rest up to the card vendors. (i.e. one can generate a key ipair on the card, but you can not load a private key on the card.) Thus the ordinary user would not require OpenSSL. > > If parsing of certificates is the reason for using OpenSSL, then the > missing functionality of pkcs15-cert.c should be determined and > corresponding tickets should be created. What has happened as some card driver authors have found it easier to just use OpenSSL, and have added routines like: sc_pkcs15_pubkey_from_cert into pkcs11-pubkey.c Because the parse_x509_cert only works with RSA. But to get this code replaced, will take the will of the community to get this done. > > Kind Regards > Andre Zepezauer > > -- Douglas E. Engert <deeng...@anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel