On Wed, 2010-09-29 at 13:35 -0500, Douglas E. Engert wrote:
> 
> On 9/29/2010 9:51 AM, Andre Zepezauer wrote:
> > Hello Douglas,
> >
> > in my opinion the usage of OpenSSL in libopensc.so should be removed
> > altogether. If cryptography is needed by some cards (i.e. for
> > ), then this should be done by dedicated
> > tools. CardOS is a good example. It requires encrypted APDUs for the
> > delete_MF and create_MF commands. This is done by cardos-tool, which has
> > to be executed only before personalisation. Looking at the code of
> > entersafe, gpk and oberthur I came to the conclusion, that a similar
> > approach could work for these drivers too.
> 
> I agree. The PIV card only needs 3DES for initialization/personalization
> today. The piv-tool was designed to allow for initializing test cards, with
> the intent that production cards would be issued by card management stations
> run by others as the NIST standards only cover a few of the commands needed
> for initialization, leaving the rest up to the card vendors. (i.e. one can
> generate a key pair on the card, but you can not load a private key on the
> card.) Thus the ordinary user would not require OpenSSL.
> 
> >
> > If parsing of certificates is the reason for using OpenSSL, then the
> > missing functionality of pkcs15-cert.c should be determined and
> > corresponding tickets should be created.
> 
> What has happened is that some card driver authors have found it easier to
> just use OpenSSL, and have added routines like sc_pkcs15_pubkey_from_cert
> to pkcs11-pubkey.c, because parse_x509_cert only works with RSA.
> 
> But to get this code replaced, will take the will of the community
> to get this done.

I don't think so, because the function sc_pkcs15_pubkey_from_cert is
called only at pkcs15init/pkcs15-lib.c#L2030

The same holds for sc_pkcs15_pubkey_from_prvkey, which is called at
pkcs15init/pkcs15-lib.c#L2036 and nowhere else.

That shows (at least to me) that these two functions belong to the
tools section of OpenSC and should be placed there.

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
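The thread's point that parse_x509_cert only handles RSA, and that the gap in pkcs15-cert.c should be pinned down before OpenSSL is dropped from libopensc, comes down to how far a plain DER walker has to get into a certificate before it can decide what kind of key it holds. The example below is added here and is not OpenSC code: it is a minimal DER TLV reader that walks Certificate -> tbsCertificate -> subjectPublicKeyInfo -> AlgorithmIdentifier and dispatches on the algorithm OID (rsaEncryption 1.2.840.113549.1.1.1 and id-ecPublicKey 1.2.840.10045.2.1, both standard OIDs). The "certificates" it parses are constructed skeletons built by build_sample_cert, with empty placeholder issuer/subject/validity fields and a one-byte dummy key, not real certificates; the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum key_type { KEY_ERR = -1, KEY_UNKNOWN = 0, KEY_RSA = 1, KEY_EC = 2 };

/* Standard OID encodings: rsaEncryption and id-ecPublicKey. */
static const uint8_t OID_RSA[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01};
static const uint8_t OID_EC[]  = {0x2A,0x86,0x48,0xCE,0x3D,0x02,0x01};

typedef struct { uint8_t tag; const uint8_t *val; size_t len; } tlv_t;

/* Read one DER TLV at *p and advance *p past it. Rejects truncated input
 * and non-minimal long-form lengths. Returns 0 on success, -1 on error. */
static int der_next(const uint8_t **p, const uint8_t *end, tlv_t *out) {
    const uint8_t *q = *p;
    if (end - q < 2) return -1;
    out->tag = *q++;
    size_t len = *q++;
    if (len & 0x80) {                       /* long form: 0x8N followed by N length bytes */
        size_t nb = len & 0x7F;
        if (nb == 0 || nb > sizeof(size_t) || (size_t)(end - q) < nb) return -1;
        len = 0;
        while (nb--) len = (len << 8) | *q++;
        if (len < 0x80) return -1;          /* DER: long form only when short form cannot do */
    }
    if ((size_t)(end - q) < len) return -1; /* value runs past the buffer */
    out->val = q; out->len = len;
    *p = q + len;
    return 0;
}

/* Walk to subjectPublicKeyInfo.algorithm and classify the key. */
enum key_type cert_key_type(const uint8_t *cert, size_t len) {
    const uint8_t *p = cert, *end = cert + len;
    tlv_t t;
    if (der_next(&p, end, &t) || t.tag != 0x30) return KEY_ERR;   /* Certificate */
    p = t.val; end = t.val + t.len;
    if (der_next(&p, end, &t) || t.tag != 0x30) return KEY_ERR;   /* tbsCertificate */
    p = t.val; end = t.val + t.len;
    if (der_next(&p, end, &t)) return KEY_ERR;                    /* [0] version or serial */
    if (t.tag == 0xA0 && der_next(&p, end, &t)) return KEY_ERR;   /* skip version, read serial */
    if (t.tag != 0x02) return KEY_ERR;                            /* serialNumber INTEGER */
    for (int i = 0; i < 4; i++)                                   /* signature, issuer, validity, subject */
        if (der_next(&p, end, &t) || t.tag != 0x30) return KEY_ERR;
    if (der_next(&p, end, &t) || t.tag != 0x30) return KEY_ERR;   /* subjectPublicKeyInfo */
    p = t.val; end = t.val + t.len;
    if (der_next(&p, end, &t) || t.tag != 0x30) return KEY_ERR;   /* AlgorithmIdentifier */
    p = t.val; end = t.val + t.len;
    if (der_next(&p, end, &t) || t.tag != 0x06) return KEY_ERR;   /* algorithm OID */
    if (t.len == sizeof OID_RSA && !memcmp(t.val, OID_RSA, t.len)) return KEY_RSA;
    if (t.len == sizeof OID_EC  && !memcmp(t.val, OID_EC,  t.len)) return KEY_EC;
    return KEY_UNKNOWN;
}

/* Short-form DER encoder (len < 128), enough for the constructed samples. */
static size_t put_tlv(uint8_t *out, uint8_t tag, const uint8_t *val, size_t len) {
    out[0] = tag; out[1] = (uint8_t)len;
    if (len) memcpy(out + 2, val, len);
    return 2 + len;
}

/* Constructed sample: a v3 certificate skeleton whose only real content is the
 * SPKI algorithm OID. Issuer/subject/validity are empty placeholders. */
size_t build_sample_cert(uint8_t *out, const uint8_t *oid, size_t oid_len) {
    static const uint8_t two[] = {0x02}, one[] = {0x01}, bits[] = {0x00, 0x00}, sig[] = {0x00};
    uint8_t ver[8], alg[32], spki[64], tbs[128], body[256];
    size_t n, t = 0, b;
    n = put_tlv(spki, 0x30, alg, put_tlv(alg, 0x06, oid, oid_len)); /* AlgorithmIdentifier */
    n += put_tlv(spki + n, 0x03, bits, sizeof bits);                 /* BIT STRING: dummy key */
    t += put_tlv(tbs + t, 0xA0, ver, put_tlv(ver, 0x02, two, 1));    /* [0] version = v3 */
    t += put_tlv(tbs + t, 0x02, one, 1);                             /* serialNumber */
    for (int i = 0; i < 4; i++) t += put_tlv(tbs + t, 0x30, NULL, 0); /* signature, issuer, validity, subject */
    t += put_tlv(tbs + t, 0x30, spki, n);                            /* subjectPublicKeyInfo */
    b = put_tlv(body, 0x30, tbs, t);                                 /* tbsCertificate */
    b += put_tlv(body + b, 0x30, NULL, 0);                           /* signatureAlgorithm */
    b += put_tlv(body + b, 0x03, sig, 1);                            /* signatureValue */
    return put_tlv(out, 0x30, body, b);                              /* Certificate */
}

/* Build a sample around `oid` and classify it. */
enum key_type sample_key_type(const uint8_t *oid, size_t oid_len) {
    uint8_t buf[256];
    size_t n = build_sample_cert(buf, oid, oid_len);
    return cert_key_type(buf, n);
}

/* A certificate cut one byte short must be rejected, not misread. */
int sample_truncated_is_error(void) {
    uint8_t buf[256];
    size_t n = build_sample_cert(buf, OID_RSA, sizeof OID_RSA);
    return cert_key_type(buf, n - 1) == KEY_ERR;
}

int main(void) {
    printf("rsa sample -> %d, ec sample -> %d, truncated rejected -> %d\n",
           sample_key_type(OID_RSA, sizeof OID_RSA), sample_key_type(OID_EC, sizeof OID_EC),
           sample_truncated_is_error());
    return 0;
}
```

The walker stops at the algorithm OID because that is the decision point: an RSA-only parser like the one the thread describes goes on to decode the BIT STRING as an RSAPublicKey SEQUENCE, while an EC key needs the namedCurve parameter from the same AlgorithmIdentifier plus the raw point from the BIT STRING, which is exactly the branch that has to be added before OpenSSL can go.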