Does OpenSC PKCS#11 support the creation of session objects?
Has anyone looked at doing this?

I bring this up as I am testing EC mods to OpenSC using
Thunderbird to sign e-mail as a test. In my case, the user certificate
is using ECDSA with a named curve, and the test CA is also using
ECDSA to sign the user's certificate.

Thunderbird 3.1.4 with NSS-3.12.x (x is at least 3) on Solaris 10
tries to create a session public key, where the key is the public
key of the CA. I think NSS is going to use this public key to verify
the signature of the user's certificate asking the OpenSC PKCS#11
ECDSA to do the verify. Depending on the card, this may have to be
done in software.

See the attached edited PKCS11-SPY output, showing mechanisms,
open session, session info, and failed create object. Not shown
are pin/login, and retrieval of the user certificate.

PKCS#11 2.20 says: Table 4 "R/O Public Session"
"The application has opened a read-only session. The application
 has read-only access to public token objects and read/write access
 to public session objects."

I don't think NSS does this if the CA is using RSA to sign
the certificates, and I will try that next. (But eventually
some CA will start using ECDSA to sign certificates.)

Even if the ECDSA verify were to be added to OpenSC PKCS11,
to be done in software, I would expect it might have to use
OpenSSL to do the verification.

--

 Douglas E. Engert  <deeng...@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
9: C_GetMechanismList
[in] slotID = 0x1
[out] pMechanismList[14]:
 CKM_SHA_1
 CKM_SHA256
 CKM_SHA384
 CKM_SHA512
 CKM_MD5
 CKM_RIPEMD160
 Unknown Mechanism (00001210)
 CKM_ECDSA
 CKM_RSA_X_509
 CKM_RSA_PKCS
 CKM_SHA1_RSA_PKCS
 CKM_MD5_RSA_PKCS
 CKM_RIPEMD160_RSA_PKCS
 CKM_RSA_PKCS_KEY_PAIR_GEN
Returned:  0 CKR_OK


10: C_OpenSession
[in] slotID = 0x1
[in] flags = 0x4
pApplication=f61afc00
Notify=fe0dbb30
[out] *phSession = 0xf6175700
Returned:  0 CKR_OK


242: C_GetSessionInfo
[in] hSession = 0xf6175700
[out] pInfo:
      slotID:                  1
      state:                  '           CKS_RO_USER_FUNCTIONS'
      flags:                   4
        CKF_SERIAL_SESSION
      ulDeviceError:           0
Returned:  0 CKR_OK


260: C_CreateObject
[in] hSession = 0xf6175700
[in] pTemplate[7]: 
    CKA_CLASS             CKO_PUBLIC_KEY     
    CKA_KEY_TYPE          CKK_EC     
    CKA_TOKEN             False
    CKA_VERIFY            True
    CKA_DERIVE            True
    CKA_ECDSA_PARAMS      [size : 0xA (10)]
    06082A86 48CE3D03 0107 
    CKA_EC_POINT          [size : 0x43 (67)]
    04410431 88665C1D CD6565F1 1B9C300E 7731B630 177FD19D 53E33F33 A20C1798
    B82BA3CA 251EBD29 5F28AB22 F7794FBF 3CB32A41 BF22FD7B 8E47233F 40ECE85C
    10FC2B
Returned:  181 CKR_SESSION_READ_ONLY
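As an added example (not OpenSC, NSS or the author's code): the session/object access rule of PKCS#11 v2.20 Table 4 applied to the C_CreateObject template in the trace, plus a structural check of the CKA_EC_POINT encoding shown there. The constants are the standard pkcs11.h values; the function names are hypothetical, and the EC point's coordinate bytes are constructed zero filler behind the real 04 41 04 header.

```c
#include <stdbool.h>
#include <stddef.h>

/* Standard pkcs11.h values; CKR_SESSION_READ_ONLY is the 181 returned in the trace. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef struct { CK_ULONG type; const void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKF_RW_SESSION        0x02UL
#define CKF_SERIAL_SESSION    0x04UL   /* the only flag NSS passed to C_OpenSession */
#define CKR_OK                0x00UL
#define CKR_SESSION_READ_ONLY 0xB5UL
#define CKA_CLASS             0x000UL
#define CKA_TOKEN             0x001UL
#define CKA_KEY_TYPE          0x100UL
#define CKA_EC_POINT          0x181UL
#define CKO_PUBLIC_KEY        0x2UL
#define CKK_EC                0x3UL

/* PKCS#11 v2.20 Table 4: a session object (CKA_TOKEN false, also the default)
 * may be created in a read-only session; only a token object needs CKF_RW_SESSION. */
CK_RV create_object_access_check(CK_ULONG session_flags, const CK_ATTRIBUTE *t, CK_ULONG n)
{
    bool token = false;
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].type == CKA_TOKEN && t[i].ulValueLen == 1)
            token = *(const unsigned char *)t[i].pValue != 0;
    return (token && !(session_flags & CKF_RW_SESSION)) ? CKR_SESSION_READ_ONLY : CKR_OK;
}

/* CKA_EC_POINT is a DER OCTET STRING (04 len) around an uncompressed point 04||X||Y.
 * Returns the coordinate length in bytes (32 for P-256), or 0 if malformed. */
size_t ec_point_coord_len(const unsigned char *p, size_t len)
{
    if (len < 4 || p[0] != 0x04 || p[1] > 0x7F || (size_t)p[1] + 2 != len) return 0;
    if (p[2] != 0x04 || (p[1] - 1) % 2 != 0) return 0;
    return (size_t)(p[1] - 1) / 2;
}

/* 67-byte value shaped like the trace's CKA_EC_POINT: real header 04 41 04,
 * coordinate bytes left as constructed zero filler. */
static const unsigned char ec_point[67] = { 0x04, 0x41, 0x04 };

/* Replays the trace's template (class, key type, CKA_TOKEN, point) against a session. */
CK_RV replay_create_object(unsigned char token_flag, CK_ULONG session_flags)
{
    const CK_ULONG cls = CKO_PUBLIC_KEY, kt = CKK_EC;
    const CK_ATTRIBUTE tmpl[] = {
        { CKA_CLASS, &cls, sizeof cls }, { CKA_KEY_TYPE, &kt, sizeof kt },
        { CKA_TOKEN, &token_flag, sizeof token_flag }, { CKA_EC_POINT, ec_point, sizeof ec_point },
    };
    return create_object_access_check(session_flags, tmpl, 4);
}
```

With CKA_TOKEN false and only CKF_SERIAL_SESSION set, the Table 4 rule yields CKR_OK, which is the behaviour the post contrasts with the CKR_SESSION_READ_ONLY in the trace.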

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel