On Tue, 2010-11-02 at 18:01 +0000, Mr Dash Four wrote:
> > Should be the same for all cards. But it's better to use --slot-label
> > instead of --slot. Because slot numbering may vary depending on reader
> > configuration (i.e. different amount of readers attached to systems).
> >
> Noted! I assume --slot-label is [a-zA-Z0-9] with no spaces, is that right?
>
> >> 2) Is the method of retrieval of data on this object the same regardless
> >> of the card used (i.e. executing pkcs11-tool with the above parameters
> >> and then either no PIN prompt if the object is public or a PIN prompt if
> >> the object has been stored with its --auth-id set)?
> >>
> >
> > Not sure. Different card drivers may produce different results. The
> > decision on asking for a PIN or not, is based solely on flags. These
> > flags may be set by different card drivers in different ways.
> >
> > (for the purpose of this thread, card driver refers also to
> > pkcs15-emulators)
> >
> I presume if the token was created with auth-id (which exist) that
> token's private flag is set?

Data objects have a private flag too. But that doesn't matter a lot, because everything is meta-data. That means, the whole pkcs15 magic is only a description of the card in question (i.e. storage location of data objects and access rules of the same).

***The actual behaviour of cards is completely independent. It isn't based on meta-data.***

On the other hand, the behaviour of tools is completely based on meta-data. Therefore pkcs15-tool will ask you for a PIN, even if the object could be read without pin-verification. This will always be the case when meta-data doesn't reflect the actual behaviour of cards. That's not a bug, really. That's the way PKCS#15 works.

Therefore you have to check the actual access rules enforced by the card. And you should never rely on the behaviour of the tools !!!!!!!!!!!!

> >> The reason I ask this is because I would like the module I am developing
> >> to work on (at least the majority of) cards which are (at least)
> >> supported on OpenCT.
> >>
> >
> > At first you should check how private the objects are!
> >
> About 1.5 hours away from checking this...Even if they are not 'private'
> in the true sense of that word, storing them and only displaying the
> data when the proper PIN is entered is good enough I think, but I am
> speculating - will check this in a while...
>

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
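The advice in the reply above is to check what the card itself enforces rather than trust the PIN prompt that pkcs15-tool or pkcs11-tool derives from the PKCS#15 flags. The script below is an added example, not part of the thread or of OpenSC: it selects the token by `--slot-label` (as recommended earlier in the thread; newer OpenSC releases renamed this option to `--slot-description`) instead of a reader-dependent slot number, then tries to read a data object first without and then with a login, and reports which access rule the card actually enforces. The module path, token label, object label and PIN are placeholders; `PKCS11_TOOL` can be overridden so the logic can be exercised without a card.

```shell
#!/bin/sh
# Probe the access rule a card really enforces on a PKCS#15 data object,
# independently of the "private" flag recorded in the PKCS#15 meta-data.
# Added example; assumes OpenSC's pkcs11-tool is installed. The module
# path below is a hypothetical default, override it for your platform.

PKCS11_TOOL="${PKCS11_TOOL:-pkcs11-tool}"
MODULE="${MODULE:-/usr/lib/opensc-pkcs11.so}"

# read_data_object TOKEN_LABEL OBJECT_LABEL [PIN]
# Returns 0 if the object could be read, non-zero otherwise.
# --slot-label is used instead of --slot because slot numbers change with
# the number of readers attached to the host.
read_data_object() {
    token="$1"; obj="$2"; pin="$3"
    out=$(mktemp) || return 2
    if [ -n "$pin" ]; then
        "$PKCS11_TOOL" --module "$MODULE" --slot-label "$token" \
            --read-object --type data --label "$obj" \
            --login --pin "$pin" --output-file "$out" >/dev/null 2>&1
    else
        "$PKCS11_TOOL" --module "$MODULE" --slot-label "$token" \
            --read-object --type data --label "$obj" \
            --output-file "$out" >/dev/null 2>&1
    fi && rc=0 || rc=$?
    rm -f "$out"
    return "$rc"
}

# enforced_access TOKEN_LABEL OBJECT_LABEL PIN
# Prints "public" if the card hands the object out without any login,
# "pin-protected" if it only does so after a successful login, and
# "unreadable" if neither attempt succeeds (wrong label, wrong PIN, or an
# access rule the card does not let this PKCS#11 module satisfy).
enforced_access() {
    if read_data_object "$1" "$2"; then
        echo public
    elif read_data_object "$1" "$2" "$3"; then
        echo pin-protected
    else
        echo unreadable
    fi
}

# Example invocation with placeholder values (constructed, not from the thread):
# enforced_access "MyToken" "MyDataObject" "1234"
```

Compare the printed result with the flags shown by `pkcs15-tool --list-data-objects` for the same object: a "public" result for an object the meta-data marks private is exactly the mismatch the reply warns about. Passing the PIN with `--pin` exposes it in the process list to other local users; if the script is run on a shared machine, drop `--pin` and let pkcs11-tool prompt for it instead.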