On Tue, 2010-11-02 at 16:25 +0000, Mr Dash Four wrote:
> > @ALL:
> > The 'pkcs15-tool' should possibly be changed to output the raw data as its default. That would not be that strange, because the unix command 'cat' does exactly the same. Therefore users should be prepared for it.
>
> That would be very wise!
>
> > @MDF:
> > Before making even more effort on storing data objects, you should definitely check if these objects are really private. My assumption is, they are not.
>
> OK, prior to last night I'd had just one data object created with its private flag set (using "pkcs15-init -P --auth-id XX" - see one of my previous posts on this thread for details on how it was created). By the fact that I cannot see that object with pkcs11-tool and when I list it with "pkcs15-tool -D" (and see that its private flag is set) - though without logging in - I assume that the object is private, isn't that so?
>
> Last night I created 2 additional data objects (one private with a bigger size - 1k instead of 256 bytes, and one public) to see how pkcs11-tool uses the private flag and experiment a bit (worthy exercise as it turned out!). pkcs15-tool -D sees ALL data objects, though pkcs11-tool sees just the one which is 'public' (and which is stored in the 'mysterious' 3rd slot which appeared yesterday and I was wondering what the purpose of this slot is). When I use pkcs11-tool -lO (and log in properly) I also see ALL objects.
>
> > $pkcs15-tool -C
> > ...
> > Path: 3f0050153303 (read 3f00/5015/3303)
> > ...
> > $opensc-explorer
> > OpenSC [3F00]> cd 5015
> > OpenSC [3F00/5015]> cat 3303
> > ...
> > File dump comes here, without pin verification !!!!!
> > ...
> > OpenSC [3F00/5015]> exit
>
> I will try that out when I get home tonight and will let you know.
>
> Two general questions:
>
> 1) To retrieve a data object (previously stored with "pkcs15-init -P" etc) I use "pkcs11-tool -ry data --application-label XXX --slot YYY" (if this data object is public, if private I add the -l option as well) where YYY and XXX are specified/known in advance. Is this going to work on all cards supported by OpenCT; and

Should be the same for all cards. But it's better to use --slot-label instead of --slot, because slot numbering may vary depending on reader configuration (i.e. a different number of readers attached to the system).

> 2) Is the method of retrieval of data on this object the same regardless of the card used (i.e. executing pkcs11-tool with the above parameters and then either no PIN prompt if the object is public or a PIN prompt if the object has been stored with its --auth-id set)?

Not sure. Different card drivers may produce different results. The decision on asking for a PIN or not is based solely on flags. These flags may be set by different card drivers in different ways. (For the purpose of this thread, "card driver" also refers to pkcs15-emulators.)

> The reason I ask this is because I would like the module I am developing to work on (at least the majority of) cards which are (at least) supported on OpenCT.

At first you should check how private the objects are!

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
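The check the reply asks for, scripted: take every data-object path that `pkcs15-tool -C` prints and try to `cat` it in opensc-explorer without verifying a PIN, so a "private" flag that the card does not actually enforce shows up as a readable file. This is an added example, not code from the thread or from OpenSC; it assumes opensc-explorer accepts commands on stdin and prints a file dump as "offset: bytes" lines, and the pkcs15-tool output it parses is a constructed sample.

```shell
#!/bin/sh
# Added example (not code from the thread): list the data-object paths that
# "pkcs15-tool -C" reports and try to read each one with opensc-explorer
# WITHOUT verifying a PIN, to learn which "private" objects are really protected.

# Turn an absolute path such as 3f0050153303 into the opensc-explorer
# commands "cd 5015", "cat 3303", "exit" (the MF 3f00 is already the CWD).
explorer_cmds_for_path() {
    p=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$p" in 3f00*) p=${p#3f00} ;; esac
    while [ "${#p}" -gt 4 ]; do
        printf 'cd %s\n' "$(printf '%s' "$p" | cut -c1-4)"
        p=$(printf '%s' "$p" | cut -c5-)
    done
    printf 'cat %s\nexit\n' "$p"
}

# Pull the hex path out of every "Path:" line on stdin (the "(read ...)"
# annotation seen in the thread is dropped by the pattern).
data_object_paths() {
    sed -n 's/^[[:space:]]*Path:[[:space:]]*\([0-9A-Fa-f]*\).*/\1/p'
}

# Constructed sample of pkcs15-tool -C output, for offline testing of the parser.
SAMPLE=$(cat <<'EOF'
Reading data object <secret-note>
	Path:            3f0050153303 (read 3f00/5015/3303)
	Flags:           private
Reading data object <public-note>
	Path:            3f0050153304
EOF
)

# Assumption: opensc-explorer reads commands from stdin and prints a file
# dump as "offset: bytes" lines; any such line means the read needed no PIN.
check_unauth_read() {
    if explorer_cmds_for_path "$1" | opensc-explorer 2>/dev/null | grep -q '^[0-9A-Fa-f]*: '; then
        printf 'READABLE WITHOUT PIN: %s\n' "$1"
    else
        printf 'not readable without PIN: %s\n' "$1"
    fi
}

# Against a real card (live output instead of SAMPLE):
#   pkcs15-tool -C | data_object_paths | while read -r p; do check_unauth_read "$p"; done
```

Compare the READABLE lines with the objects that `pkcs15-tool -D` marks private; any overlap means the private flag is metadata only and the card's own file ACL does not enforce it.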