On Wed, 2010-12-01 at 13:31 -0600, Douglas E. Engert wrote:
>
> On 12/1/2010 12:31 PM, Andre Zepezauer wrote:
> > On Wed, 2010-12-01 at 11:34 -0600, Douglas E. Engert wrote:
> >>
> >> On 12/1/2010 9:10 AM, Andre Zepezauer wrote:
> >>> On Wed, 2010-12-01 at 08:31 -0600, Douglas E. Engert wrote:
> >>>>
> >>>> On 11/30/2010 8:16 PM, Andre Zepezauer wrote:
> >>>>> On Tue, 2010-11-30 at 16:16 -0600, Douglas E. Engert wrote:
> >>>>>>
> >>>>>> On 11/30/2010 3:22 PM, Andre Zepezauer wrote:
> >>>>>>> Hello Douglas,
> >>>>>>>
> >>>>>>> for the problem you tried to solve with r4901 there is a more general
> >>>>>>> solution. That solution would involve the mapping of the ASN1 type
> >>>>>>> ObjectValue to the corresponding C-structures.
> >>>>>>>
> >>>>>>> In the case related to r4901, the hook would be
> >>>>>>> sc_pkcs15_pubkey_info_t->path. The underlying ASN1 type of that variable
> >>>>>>> is ObjectValue, which is defined by PKCS#15 as a CHOICE between PATH,
> >>>>>>> RAW and SubjectPublicKeyInfo. So far, only the PATH choice is supported.
> >>>>>>>
> >>>>>>> In the long term that should be completed and 'path' should be replaced
> >>>>>>> by 'value' with a type capable of holding one of PATH, RAW or
> >>>>>>> SubjectPublicKeyInfo.
> >>>>>>>
> >>>>>>> I could implement that, but not before 0.12 is out, because it requires
> >>>>>>> some changes to the asn1-decoders. In the meantime it's better to place the
> >>>>>>> variable 'emulated' on sc_pkcs15_pubkey_info_t. Then the function
> >>>>>>> sc_pkcs15_read_pubkey could be modified to handle the two cases (path or
> >>>>>>> emulated) transparently.
> >>>>>>
> >>>>>> Sounds interesting, but today, the "emulated" works with the EC code I
> >>>>>> am working on using the PIV card that is emulating the pubkey
> >>>>>
> >>>>> You are going to emulate something that doesn't have to be emulated at all.
> >>>>> The use-case where the whole public key is included within the meta-data
> >>>>> is already defined by PKCS#15. Public-key-meta-data is mapped to
> >>>>> sc_pkcs15_pubkey_info_t and so the pubkey as DER-encoded SPKI should
> >>>>> reside there.
> >>>>>
> >>>>>> I would like to leave it the way it is, at least until I get all the EC
> >>>>>> code committed.
> >>>>>
> >>>>> You could commit to a specialised branch and merge to trunk when 0.12 is
> >>>>> released. In the meantime, things could be integrated better if
> >>>>> necessary.
> >>>>
> >>>> Let me point out that no code is using the mod today, and it will only
> >>>> be used by the PIV to start with. As you point out, the pubkey
> >>>> for EC at least could be an SPKI, and this looks promising.
> >>>
> >>> SPKI-encoding is common to all keys. In the specific case of EC,
> >>> DER-encoded ECPoint is possible too. See the ASN1 definitions of
> >>> {KEY-TYPE}PublicKeyChoice in PKCS#15.
> >>>
> >>> KEY-TYPE := RSA | EC | DH | DSA | KEA
> >>>
> >>> According to the specs, exactly one out of {path, url, raw, spki} is
> >>> always included in meta-data.
> >>>
> >>
> >> But as I have said, I don't have a true PKCS#15 card that can do EC,
> >> only cards with the PIV applet that is not PKCS#15. I would suggest that
> >> a good test environment using a card with PKCS#15 and EC should be available
> >> before making that type of change. If you have such a card, then please
> >> propose the change.
> >
> > Look at the beginning of this thread: "for the problem you tried to
> > solve with r4901 there is a more general solution."
> >
> > The problem is that the card doesn't have a file system. So, why are
> > you always talking about EC?
> >
> >> The PIV card actually has no directory but only a predefined set of objects
> >> including some that contain a certificate. It also has a matching private
> >> key on the card which can not be read. The only way to get any information
> >> about the algorithm, parameters and public key is to read and parse the
> >> certificate which includes the SPKI. During card initialization the
> >> certificates have to be read and cert, pubkey and privkey PKCS#15 objects
> >> are emulated at that time.
> >
> > The dependency on the flag EMULATED clearly indicates that your approach
> > is wrong. No other emulator does something similar!
>
> They all use RSA, where it is not an issue. I did not need this with the PIV
> card for the last 5 years as it too was RSA only. Extra code in the pkcs15
> needs to be added to process the PKCS15 pubkey file as an SPKI, and that
> code is not there. (Much of the parsing is there from r4805 on 10/12.)
>
> With a lot of extra code, I think we could do what you want, but not right
> now.
That extra code is attached.
Index: src/pkcs11/framework-pkcs15.c
===================================================================
--- src/pkcs11/framework-pkcs15.c (revision 4904)
+++ src/pkcs11/framework-pkcs15.c (working copy)
@@ -457,24 +457,13 @@
struct sc_pkcs15_pubkey *p15_key;
int rv;
- /* Read public key from card */
- /* Attempt to read pubkey from card or file.
- * During initialization process, the key may have been created
- * and saved as a file before the certificate has been created.
- */
- if (pubkey->flags & SC_PKCS15_CO_FLAG_PRIVATE) /* is the key private? */
- p15_key = NULL; /* will read key when needed */
- else {
- /* if emulation already created pubkey use it */
- if (pubkey->emulated && (fw_data->p15_card->flags & SC_PKCS15_CARD_FLAG_EMULATED)) {
- p15_key = (struct sc_pkcs15_pubkey *) pubkey->emulated;
- sc_debug(context, SC_LOG_DEBUG_NORMAL, "Using emulated pubkey %p", p15_key);
- }
- else {
- if ((rv = sc_pkcs15_read_pubkey(fw_data->p15_card, pubkey, &p15_key)) < 0)
- p15_key = NULL;
- }
- }
+ /* Try to obtain public key. This attempt may fail i.e. the case
+ * where the key isn't available before successful authentication.
+ * If this first attempt fails, it will be retried when needed.
+ */
+ rv = sc_pkcs15_read_pubkey(fw_data->p15_card, pubkey, &p15_key);
+ if (rv != SC_SUCCESS)
+ p15_key = NULL;
/* Public key object */
rv = __pkcs15_create_object(fw_data, (struct pkcs15_any_object **) &object,
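Review bot: dropping the `SC_PKCS15_CO_FLAG_PRIVATE` branch means `sc_pkcs15_read_pubkey()` is now attempted unconditionally, including for objects whose value is not readable before authentication, so every such key will produce a "Failed to read public key file." debug line during enumeration even though the result is discarded; consider keeping `if (pubkey->flags & SC_PKCS15_CO_FLAG_PRIVATE) p15_key = NULL; else rv = sc_pkcs15_read_pubkey(...)` around the call. Minor: "i.e." in the new comment should be "e.g.", since the unauthenticated case is one example of a failing read, not the definition of it.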
Index: src/libopensc/pkcs15-piv.c
===================================================================
--- src/libopensc/pkcs15-piv.c (revision 4904)
+++ src/libopensc/pkcs15-piv.c (working copy)
@@ -770,6 +770,7 @@
* We will cache it using the PKCS15 emulation objects
*/
+ pubkey_info.value = &p15_key->data;
pubkey_info.path.len = 0;
ckis[i].key_alg = p15_key->algorithm;
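Review bot: `pubkey_info.value = &p15_key->data;` stores a pointer into the heap object `p15_key` instead of giving `pubkey_info` its own `sc_pkcs15_der_t`, so the info block's lifetime becomes tied to a struct it does not own and that nothing in this hunk frees; suggest allocating a separate `sc_pkcs15_der_t` and copying `p15_key->data.value`/`len` into it (malloc + memcpy), so `p15_key` can be released once the emulated object has been registered.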
@@ -788,7 +789,6 @@
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,"Unsupported key_alg %d",p15_key->algorithm);
continue;
}
- pubkey_obj.emulated = p15_key;
p15_key = NULL;
}
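Review bot: with `pubkey_obj.emulated = p15_key;` removed and the local still set to `NULL` right after, the `sc_pkcs15_pubkey` allocated for this key is now reachable only through the `value` pointer to its `data` member, so the surrounding struct (its `algorithm` and key-specific fields) can never be freed. Either keep a pointer to the whole object somewhere it is released, or move `data` out into an owned `sc_pkcs15_der_t` and free `p15_key` here (e.g. via `sc_pkcs15_free_pubkey()`) rather than just clearing the local.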
Index: src/libopensc/pkcs15-pubkey.c
===================================================================
--- src/libopensc/pkcs15-pubkey.c (revision 4904)
+++ src/libopensc/pkcs15-pubkey.c (working copy)
@@ -614,10 +614,15 @@
}
info = (const struct sc_pkcs15_pubkey_info *) obj->data;
- r = sc_pkcs15_read_file(p15card, &info->path, &data, &len, NULL);
- if (r < 0) {
- sc_debug(p15card->card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read public key file.");
- return r;
+ if (info->value && info->value->len) {
+ data = info->value->value;
+ len = info->value->len;
+ } else {
+ r = sc_pkcs15_read_file(p15card, &info->path, &data, &len, NULL);
+ if (r < 0) {
+ sc_debug(p15card->card->ctx, SC_LOG_DEBUG_NORMAL, "Failed to read public key file.");
+ return r;
+ }
}
pubkey = calloc(1, sizeof(struct sc_pkcs15_pubkey));
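Review bot: the two branches leave `data` with different ownership: `sc_pkcs15_read_file()` hands back a freshly allocated buffer, while the `value` branch aliases `info->value->value`. Whatever the code after this hunk does with `data` (free it on a decode error, or hand it to the returned `pubkey` so the caller frees it later) must now distinguish the two cases, otherwise the info block's buffer is freed out from under it and the "retry when needed" path in the PKCS#11 framework reads freed memory. Simplest fix: in the `value` branch, malloc `len` bytes and memcpy, so `data` is always owned. Also `info->value->value` should be checked for NULL alongside `len`.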
@@ -634,7 +639,7 @@
return SC_ERROR_INVALID_ASN1_OBJECT;
}
*out = pubkey;
- return 0;
+ return SC_SUCCESS;
}
static int
Index: src/libopensc/pkcs15.h
===================================================================
--- src/libopensc/pkcs15.h (revision 4904)
+++ src/libopensc/pkcs15.h (working copy)
@@ -341,6 +341,9 @@
void *params;
size_t params_len;
+ /* See PKCS#15 {KEY-TYPE}PublicKeyChoice for allowed encodings. */
+ /* Only raw is supported yet.*/
+ sc_pkcs15_der_t *value;
struct sc_path path;
};
typedef struct sc_pkcs15_pubkey_info sc_pkcs15_pubkey_info_t;
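Review bot: `sc_pkcs15_der_t *value` carries no indication of which `{KEY-TYPE}PublicKeyChoice` alternative the bytes encode, so a decoder reading it later cannot tell a raw RSAPublicKey or ECPoint from a SubjectPublicKeyInfo; add an encoding enum beside it, or make the comment an explicit contract that only the raw encoding is ever stored and have readers reject anything else. The comment should also say who owns the pointed-to buffer and whether `sc_pkcs15_free_pubkey_info()` frees it. Note that inserting a pointer before `path` changes the layout of a public struct, so this is an ABI change for anything built against the old header. Wording: "Only raw is supported yet" reads better as "So far only the raw encoding is supported".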
@@ -388,8 +391,6 @@
/* Object type specific data */
void *data;
- /* emulated object pointer */
- void *emulated;
struct sc_pkcs15_df *df; /* can be NULL, if object is 'floating' */
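Review bot: removing `void *emulated;` from `struct sc_pkcs15_object` shifts the offset of `df` and every member after it in a public header, so this is an ABI change as well as an API one; the earlier statement in the thread that no code uses the field covers in-tree callers only, so this should land on whichever side of the 0.12 release the ABI policy allows, not straddle it.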
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
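The CHOICE discussed above (PATH, RAW or SubjectPublicKeyInfo as the value of a public-key object) and the two-way dispatch the patch adds to sc_pkcs15_read_pubkey() are shown below as an added example written for this page; it is not OpenSC code and uses none of its APIs. The tag numbers are assumptions taken from the PKCS#15 v1.1 ASN.1 module (IMPLICIT TAGS; `direct [0]` is explicit because it tags a CHOICE; `spki [1]` is implicit), so check them against the spec before relying on them. The decoder always returns an owned copy of the selected alternative, which avoids the aliasing question raised by the `value` pointer in the patch. The three input vectors are constructed for structure only; the "keys" inside them are placeholders, not real keys.

```c
/* Added example, not OpenSC code: decode a PKCS#15 ObjectValue{PublicKeyChoice}
 * and copy out whichever alternative is present.
 * Tags assumed from PKCS#15 v1.1 (IMPLICIT TAGS):
 *   indirect  Path ::= SEQUENCE { path OCTET STRING, ... }          -> 0x30
 *   direct    [0] PublicKeyChoice (explicit, because it tags a CHOICE) -> 0xA0
 *     raw     the key type's own encoding (SEQUENCE for RSA, OCTET STRING for ECPoint)
 *     spki    [1] IMPLICIT SubjectPublicKeyInfo                      -> 0xA1
 * The url and *Protected alternatives are rejected. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum objval_kind { OBJVAL_PATH, OBJVAL_RAW, OBJVAL_SPKI };

struct objval {
    enum objval_kind kind;
    uint8_t *value;   /* owned copy: the path bytes, or the DER of the key */
    size_t len;
};

/* Parse one TLV header. Returns the header length, or 0 if malformed or overrunning. */
static size_t der_tlv(const uint8_t *buf, size_t len, uint8_t *tag, size_t *vlen)
{
    size_t hdr, n, i;
    if (len < 2)
        return 0;
    *tag = buf[0];
    if (buf[1] < 0x80) {
        *vlen = buf[1];
        hdr = 2;
    } else {
        n = buf[1] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || len - 2 < n)
            return 0;
        for (*vlen = 0, i = 0; i < n; i++)
            *vlen = (*vlen << 8) | buf[2 + i];
        hdr = 2 + n;
    }
    return (*vlen <= len - hdr) ? hdr : 0;   /* reject lengths past the buffer end */
}

static int objval_copy(struct objval *out, enum objval_kind kind, const uint8_t *p, size_t n)
{
    out->value = malloc(n ? n : 1);
    if (out->value == NULL)
        return -1;
    memcpy(out->value, p, n);
    out->kind = kind;
    out->len = n;
    return 0;
}

/* 0 and *out filled (release with objval_free), or -1 on malformed/unsupported input. */
int objval_decode(const uint8_t *der, size_t len, struct objval *out)
{
    uint8_t tag, inner;
    size_t hdr, vlen, ihdr, ivlen;

    hdr = der_tlv(der, len, &tag, &vlen);
    if (hdr == 0)
        return -1;
    ihdr = der_tlv(der + hdr, vlen, &inner, &ivlen);   /* first element inside */
    if (ihdr == 0)
        return -1;
    if (tag == 0x30 && inner == 0x04)   /* indirect: Path.path (optional index/length ignored) */
        return objval_copy(out, OBJVAL_PATH, der + hdr + ihdr, ivlen);
    if (tag == 0xA0) {                  /* direct [0]: raw or spki */
        if (objval_copy(out, inner == 0xA1 ? OBJVAL_SPKI : OBJVAL_RAW, der + hdr, ihdr + ivlen))
            return -1;
        if (inner == 0xA1)
            out->value[0] = 0x30;       /* undo IMPLICIT [1]: the copy is now a plain SPKI SEQUENCE */
        return 0;
    }
    return -1;
}

void objval_free(struct objval *v)
{
    free(v->value);
    v->value = NULL;
    v->len = 0;
}

/* Constructed vectors (structure only; the key bodies are placeholders). */
const uint8_t sample_path[] = { 0x30, 0x06, 0x04, 0x04, 0x3F, 0x00, 0x50, 0x31 };
const uint8_t sample_raw[]  = { 0xA0, 0x08, 0x30, 0x06, 0x02, 0x01, 0x03, 0x02, 0x01, 0x05 };
const uint8_t sample_spki[] = { 0xA0, 0x0A, 0xA1, 0x08, 0x30, 0x02, 0x06, 0x00, 0x03, 0x02, 0x00, 0x00 };

int main(void)
{
    const uint8_t *v[] = { sample_path, sample_raw, sample_spki };
    size_t n[] = { sizeof sample_path, sizeof sample_raw, sizeof sample_spki }, i;
    for (i = 0; i < 3; i++) {
        struct objval o;
        if (objval_decode(v[i], n[i], &o) == 0) {
            printf("kind=%d len=%zu first=0x%02X\n", (int)o.kind, o.len, o.value[0]);
            objval_free(&o);
        }
    }
    return 0;
}
```

The spki branch is the interesting one: because `[1]` is IMPLICIT it overwrites the SPKI's outer SEQUENCE tag, so restoring 0x30 on the owned copy yields DER that any SubjectPublicKeyInfo parser accepts, while the original buffer is left untouched. Truncated or oversized length fields are rejected in der_tlv() before anything is copied.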