On 12/16/2010 10:46 AM, Andre Zepezauer wrote:
> Hello Douglas,
>
> good catch. You should come up with it on the mailing list. For me, the
> following patch works too.
That will work. But there might be cards or devices that can do hashing
on the card as part of a combined crypto operation, like CKM_SHA1_RSA_PKCS,
but cannot do CKM_SHA1 as a separate operation.
So without OpenSSL sc_pkcs11_register_sign_and_hash_mechanism should
still register CKM_SHA1_RSA_PKCS, as the card will do it all.
The code in framework-pkcs15.c needs a lot of work to register
the card mechanisms, as well as combining software hashing (using OpenSSL)
with card mechanisms.
For example:
CKM_SHA1_RSA_PKCS = software SHA1 + CKM_RSA_PKCS
CKM_SHA1_RSA_PKCS = software SHA1 + software PKCS + CKM_RSA_X_509
_sc_card_add_rsa_alg(...,flags,...) gives what the card can do in the flags,
then framework-pkcs15 lumps all the algs together and then tries to break them
apart. The patch I sent you earlier tried to address some of these issues.
You had said something about PKCS#15 CommonKeyAttributes.algReference and
PrivateAbcKeyAttributes.keyInfo.reference might be usable.
Would this provide a better way to handle the capabilities of individual
cards than _sc_card_rsa_alg?
If so, what would an emulated card have to provide?
>
> Regards
> Andre
>
> Index: pkcs11/framework-pkcs15.c
> ===================================================================
> --- pkcs11/framework-pkcs15.c (revision 4960)
> +++ pkcs11/framework-pkcs15.c (working copy)
> @@ -3375,11 +3375,13 @@
> if (rc != CKR_OK)
> return rc;
>
> +#ifdef ENABLE_OPENSSL
> /* If the card supports RAW, it should by all means
> * have registered everything else, too. If it didn't
> * we help it a little
> */
> flags |= SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_HASHES;
> +#endif
> }
>
> /* Check for PKCS1 */
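Review bot: the new #ifdef ENABLE_OPENSSL guard drops both SC_ALGORITHM_RSA_PAD_PKCS1 and SC_ALGORITHM_RSA_HASHES for a RAW-capable card in non-OpenSSL builds, but only the hash half is what the thread reports as failing without OpenSSL (sc_pkcs11_register_sign_and_hash_mechanism fails when the hash is not available). If PKCS#1 padding over RAW does not itself depend on OpenSSL, consider keeping `flags |= SC_ALGORITHM_RSA_PAD_PKCS1;` outside the guard and wrapping only `flags |= SC_ALGORITHM_RSA_HASHES;`; the "we help it a little" comment should also say that this help is now OpenSSL-only.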
> @@ -3389,10 +3391,12 @@
> if (rc != CKR_OK)
> return rc;
>
> +#ifdef ENABLE_OPENSSL
> /* if the driver doesn't say what hashes it supports,
> * claim we will do all of them */
> if (!(flags& SC_ALGORITHM_RSA_HASHES))
> flags |= SC_ALGORITHM_RSA_HASHES;
> +#endif
>
> if (flags& SC_ALGORITHM_RSA_HASH_SHA1) {
> rc =
> sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_SHA1_RSA_PKCS,
> CKM_SHA_1, mt);
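Review bot: the guard only stops framework-pkcs15 from claiming every hash on the driver's behalf; when the driver itself sets SC_ALGORITHM_RSA_HASH_SHA1, the unguarded call `sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_SHA1_RSA_PKCS, CKM_SHA_1, mt)` still runs and, per the thread, fails without OpenSSL because CKM_SHA_1 is not available, so bind still fails without an error message. Either treat a missing software hash as "skip this mechanism" instead of a bind failure, or register CKM_SHA1_RSA_PKCS without the software hash for cards that do the hash on-card, as Douglas describes above.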
>
>
> On Thu, 2010-12-16 at 09:17 -0600, Douglas E. Engert wrote:
>> I was looking at that too, and have a patch.
>> It's not EC specific, it is related to software hashes,
>> and framework-pkcs15 assuming they can be simulated.
>> I see you committed a partial fix earlier today.
>>
>> Without OpenSSL, framework-pkcs15.c fails,
>> as sc_pkcs11_register_sign_and_hash_mechanism fails if the hash
>> is not available. Then register_mechanism fails, and
>> pkcs15_bind fails without an error message.
>>
>> Attached is the first cut of a patch I was working on yesterday.
>>
>> I am busy all day. If you want to look this over, please make
>> additional changes and commit.
>>
>> On 12/15/2010 10:17 PM, Andre Zepezauer wrote:
>>> Hello Douglas,
>>>
>>> your EC stuff has broken something. Please do:
>>>
>>> ./configure --disable-openssl
>>>
>>> r4953 should help.
>>>
>>> Regards
>>> Andre
>>>
>>>
>>
>
>
--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
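As an added example (not code from this thread or from OpenSC), the mechanism choice Douglas describes above, written as a decision function: CKM_SHA1_RSA_PKCS is produced either entirely on the card, as software SHA1 + CKM_RSA_PKCS, or as software SHA1 + software PKCS#1 + CKM_RSA_X_509, and is simply not registered when no hash is available instead of failing the whole bind. The flag values are constructed stand-ins, SC_ALGORITHM_RSA_HASH_SHA1 is assumed to mean the card hashes on-card as part of a combined operation, and software PKCS#1 padding over raw RSA is assumed not to need OpenSSL.

```c
#include <stdbool.h>

/* Constructed stand-ins for OpenSC's SC_ALGORITHM_RSA_* bits; the real
 * values are defined in libopensc and are not these. */
#define SC_ALGORITHM_RSA_RAW        0x01u
#define SC_ALGORITHM_RSA_PAD_PKCS1  0x02u
#define SC_ALGORITHM_RSA_HASH_SHA1  0x04u  /* assumed: card hashes on-card too */

/* The ways CKM_SHA1_RSA_PKCS can be produced, as listed in the mail,
 * plus the "do not register it" outcome. */
typedef enum {
    SHA1_RSA_UNAVAILABLE = 0,   /* nobody can hash: skip it, do not fail bind */
    SHA1_RSA_CARD_DOES_ALL,     /* card hashes and signs in one operation */
    SHA1_RSA_SW_HASH_CARD_PKCS, /* software SHA1 + CKM_RSA_PKCS on the card */
    SHA1_RSA_SW_HASH_SW_PAD_RAW /* software SHA1 + software PKCS#1 + CKM_RSA_X_509 */
} sha1_rsa_plan_t;

/* Decide how (or whether) to register CKM_SHA1_RSA_PKCS for a card
 * reporting `flags`, given whether a software SHA-1 exists in this build
 * (true with OpenSSL, false without). The card is preferred for whatever
 * it can do itself, and a hash the build cannot provide is never assumed. */
sha1_rsa_plan_t plan_sha1_rsa_pkcs(unsigned int flags, bool have_sw_sha1)
{
    if (flags & SC_ALGORITHM_RSA_HASH_SHA1)
        return SHA1_RSA_CARD_DOES_ALL;
    if (!have_sw_sha1)
        return SHA1_RSA_UNAVAILABLE;
    if (flags & SC_ALGORITHM_RSA_PAD_PKCS1)
        return SHA1_RSA_SW_HASH_CARD_PKCS;
    if (flags & SC_ALGORITHM_RSA_RAW)
        return SHA1_RSA_SW_HASH_SW_PAD_RAW;
    return SHA1_RSA_UNAVAILABLE;
}

/* Count how many of CKM_RSA_X_509, CKM_RSA_PKCS and CKM_SHA1_RSA_PKCS would
 * be registered. CKM_RSA_PKCS is available either natively or by padding in
 * software over raw RSA (assumed here to need no OpenSSL). */
int count_rsa_mechanisms(unsigned int flags, bool have_sw_sha1)
{
    int n = 0;
    if (flags & SC_ALGORITHM_RSA_RAW) n++;                               /* CKM_RSA_X_509 */
    if (flags & (SC_ALGORITHM_RSA_RAW | SC_ALGORITHM_RSA_PAD_PKCS1)) n++; /* CKM_RSA_PKCS */
    if (plan_sha1_rsa_pkcs(flags, have_sw_sha1) != SHA1_RSA_UNAVAILABLE) n++;
    return n;
}
```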
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel