Hello,
On Thu, Oct 7, 2010 at 17:10, Andre Zepezauer
<andre.zepeza...@student.uni-halle.de> wrote:
>> That's OK for a RC though. If you have the energy, removal of password
>> protected private keys (and pkcs15-wrap) should also go.
>
> Seems that pkcs15-wrap is related only to section "6.1.6 ObjectValue" of
> PKCS#15. If my understanding is right, then the protected alternatives
> are used only for software-tokens (Section 7). BTW the type ObjectValue
> of 7816-15 is defined as follows:
>
> ObjectValue { Type } := CHOICE {
> indirect ReferencedValue,
> direct [0] Type,
> ... --- For future extensions
> }
>
> Thus the protected alternatives are gone. So, what's the plan?
> Completely removing this (anti) feature?
Yes.
> Attached is a first draft. Don't know what gets broken, but the compiler
> is happy with it.
the --insecure (opt_unprotected) should not relate to or require
extractable keys. "insecure" (no PIN) non-extractable keys (generated
on board) make perfect sense for internet services key containers.
Index: src/tools/pkcs15-init.c
===================================================================
--- src/tools/pkcs15-init.c (revision 4798)
+++ src/tools/pkcs15-init.c (working copy)
@@ -1457,18 +1457,11 @@
return SC_ERROR_INVALID_ARGUMENTS;
}
if (opt_extractable) {
- args->access_flags |= SC_PKCS15_PRKEY_ACCESS_EXTRACTABLE;
- if (opt_passphrase) {
- args->passphrase = opt_passphrase;
+ if (opt_unprotected) {
+ args->access_flags |= SC_PKCS15_PRKEY_ACCESS_EXTRACTABLE;
} else {
- if (!opt_unprotected) {
- util_error("no pass phrase given for key - "
- "either use --insecure or\n"
- "specify a pass phrase using "
- "--passphrase");
- return SC_ERROR_PASSPHRASE_REQUIRED;
- }
- args->flags |= SC_PKCS15INIT_NO_PASSPHRASE;
+ util_error("use --insecure with extractable keys\n");
+ return SC_ERROR_INVALID_ARGUMENTS;
}
}
args->label = opt_label;
Index: src/pkcs15init/pkcs15-lib.c
===================================================================
--- src/pkcs15init/pkcs15-lib.c (revision 4798)
+++ src/pkcs15init/pkcs15-lib.c (working copy)
@@ -1245,8 +1245,7 @@
struct sc_pkcs15_object *object;
struct sc_pkcs15_prkey_info *key_info;
struct sc_pkcs15_prkey key;
- struct sc_pkcs15_pubkey pubkey;
- int keybits, idx, r = 0;
+ int keybits, r = 0;
SC_FUNC_CALLED(ctx, SC_LOG_DEBUG_NORMAL);
/* Create a copy of the key first */
@@ -1261,14 +1260,7 @@
/* Now check whether the card is able to handle this key */
if (!check_key_compatibility(p15card, &key,
keyargs->x509_usage, keybits, 0)) {
- /* Make sure the caller explicitly tells us to store
- * the key as extractable. */
- if (!(keyargs->access_flags & SC_PKCS15_PRKEY_ACCESS_EXTRACTABLE))
SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_INCOMPATIBLE_KEY, "Card does not support this key.");
-
- if (!keyargs->passphrase
- && !(keyargs->flags & SC_PKCS15INIT_NO_PASSPHRASE))
- SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_PASSPHRASE_REQUIRED, "No key encryption passphrase given.");
}
/* Select a intrinsic Key ID if user didn't specify one */
@@ -1280,52 +1272,15 @@
SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "Failed to initialize private key object");
key_info = (struct sc_pkcs15_prkey_info *) object->data;
- pubkey.algorithm = key.algorithm;
- pubkey.u.rsa.modulus = key.u.rsa.modulus;
- pubkey.u.rsa.exponent = key.u.rsa.exponent;
-
- r = sc_pkcs15_encode_pubkey(ctx, &pubkey, &object->content.value, &object->content.len);
- SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "Failed to encode public key");
-
- /* Get the number of private keys already on this card */
- idx = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_PRKEY, NULL, 0);
- if (!(keyargs->access_flags & SC_PKCS15_PRKEY_ACCESS_EXTRACTABLE)) {
+ if (key_info->native) {
r = profile->ops->create_key(profile, p15card, object);
SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "Card specific 'create key' failed");
r = profile->ops->store_key(profile, p15card, object, &key);
SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "Card specific 'store key' failed");
} else {
- struct sc_pkcs15_der encoded, wrapped, *der = &encoded;
- struct sc_context *ctx = p15card->card->ctx;
-
- /* DER encode the private key */
- encoded.value = wrapped.value = NULL;
- r = sc_pkcs15_encode_prkey(ctx, &key, &encoded.value, &encoded.len);
- SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "Failed to encode private key");
-
- if (keyargs->passphrase) {
- r = sc_pkcs15_wrap_data(ctx, keyargs->passphrase,
- der->value, der->len,
- &wrapped.value, &wrapped.len);
- if (r < 0) {
- free(der->value);
- SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "Failed to wrap private key data");
- }
- der = &wrapped;
- }
-
- r = sc_pkcs15init_store_data(p15card, profile, object, der, &key_info->path);
-
- /* If the key is encrypted, flag the PrKDF entry as
- * indirect-protected */
- if (keyargs->passphrase)
- key_info->path.type = SC_PATH_TYPE_PATH_PROT;
-
- free(encoded.value);
- free(wrapped.value);
-
- SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "Failed to store private key data");
+ SC_TEST_RET(ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_INCOMPATIBLE_KEY,
+ "Key is not native"); // and thus, the card can't operate on it
}
/* Now update the PrKDF */
Index: src/pkcs15init/pkcs15-init.h
===================================================================
--- src/pkcs15init/pkcs15-init.h (revision 4798)
+++ src/pkcs15init/pkcs15-init.h (working copy)
@@ -206,9 +206,6 @@
struct sc_pkcs15init_keyarg_gost_params gost_params;
struct sc_pkcs15_prkey key;
-
- /* support for non-native keys */
- char * passphrase;
};
struct sc_pkcs15init_keygen_args {
Index: src/libopensc/pkcs15-prkey.c
===================================================================
--- src/libopensc/pkcs15-prkey.c (revision 4798)
+++ src/libopensc/pkcs15-prkey.c (working copy)
@@ -428,28 +428,6 @@
return r;
}
- /* Is this a protected file? */
- if (info->path.type == SC_PATH_TYPE_PATH_PROT) {
- u8 *clear;
- size_t clear_len;
-
- if (passphrase == NULL) {
- r = SC_ERROR_PASSPHRASE_REQUIRED;
- goto fail;
- }
- r = sc_pkcs15_unwrap_data(ctx,
- passphrase,
- data, len,
- &clear, &clear_len);
- if (r < 0) {
- sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Failed to unwrap privat key.");
- goto fail;
- }
- free(data);
- data = clear;
- len = clear_len;
- }
-
r = sc_pkcs15_decode_prkey(ctx, &key, data, len);
if (r < 0) {
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Unable to decode private key");
Index: src/libopensc/pkcs15.h
===================================================================
--- src/libopensc/pkcs15.h (revision 4798)
+++ src/libopensc/pkcs15.h (working copy)
@@ -705,16 +705,6 @@
void sc_pkcs15_free_pin_info(sc_pkcs15_pin_info_t *pin);
void sc_pkcs15_free_object(sc_pkcs15_object_t *obj);
-/* File content wrapping */
-int sc_pkcs15_wrap_data(struct sc_context *ctx,
- const char *passphrase,
- const u8 *in, size_t in_len,
- u8 **out, size_t *out_len);
-int sc_pkcs15_unwrap_data(struct sc_context *ctx,
- const char *passphrase,
- const u8 *in, size_t in_len,
- u8 **out, size_t *out_len);
-
/* Generic file i/o */
int sc_pkcs15_read_file(struct sc_pkcs15_card *p15card,
const struct sc_path *path,
Index: src/libopensc/Makefile.am
===================================================================
--- src/libopensc/Makefile.am (revision 4798)
+++ src/libopensc/Makefile.am (working copy)
@@ -23,7 +23,7 @@
\
pkcs15.c pkcs15-cert.c pkcs15-data.c pkcs15-pin.c \
pkcs15-prkey.c pkcs15-pubkey.c pkcs15-sec.c \
- pkcs15-wrap.c pkcs15-algo.c pkcs15-cache.c pkcs15-syn.c \
+ pkcs15-algo.c pkcs15-cache.c pkcs15-syn.c \
pkcs15-gemsafeV1.c \
\
muscle.c muscle-filesystem.c \
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
