Re: [opensc-devel] [opensc-commits] svn opensc changed[5006] 'AuthentIC': basic support of Oberthur's 'COSMO.v7 /AuthentIC.v3.2' ...

Thu, 30 Dec 2010 07:43:32 -0800 

Martin Paljak wrote:
> Hello,
>
> Somme thoughts.
>
> On Thu, Dec 30, 2010 at 16:40,  <webmas...@opensc-project.org> wrote:
>   
>> Log Message:
>> -----------
>> 'AuthentIC': basic support of Oberthur's 'COSMO.v7/AuthentIC.v3.2' ...
>> Added Paths:
>> -----------
>>    trunk/src/libopensc/card-authentic.c
>>     
>
> It contains a fair amount of commented out (#if 0) code, better not
> let that creep in.
>   

It's a temporary (really temporary) measure.
This part needs more intervention into the common part, and so,
need to be more discussed.

I'll do it in a 'gradual' manner.

>> +struct authentic_ac_access_usage authentic_v3_rsa_map_attributes[7]  = {
>> +       {SC_AC_OP_PSO_DECRYPT, SC_PKCS15_ACCESS_RULE_MODE_PSO_DECRYPT,
>> +                       SC_PKCS15_PRKEY_USAGE_DECRYPT | 
>> SC_PKCS15_PRKEY_USAGE_UNWRAP},
>>     
>
> I think that the blind mapping of UNWRAP to decrypt operations is not correct.
>
> PKCS#15 v1.1 tells:
> """
> The usage field (encrypt, decrypt, sign, signRecover, wrap, unwrap,
> verify, verifyRecover, derive
> and nonRepudiation) signals the intended usage of the key as defined
> in PKCS #11.
> """
> and
> """
> The semantics of the accessFlags field’s sensitive, extractable,
> alwaysSensitive,
> neverExtractable and local identifiers is the same as in PKCS #11.
> """
>
> Wrapping and unwrapping are IMHO orthogonal to "sensitive" and
> "extractable", meaning that sensitive extractable keys can leave the
> security boundary of the module only in encrypted (wrapped) form. But
> OpenSC, as it is now, can not perform to my knowledge on-board
> wrapping (what should be the natural boundary for operations) or
> unwrapping of keys. So IMHO standard "decrypt" (where the outcome of
> the operation is the decrypted plaintext, returned to the host) should
> not deal at all with attributes that talk about unwrapping.
>   

OK, thanks, I'll revisit it.

> Other than that,
> where can these cards be bought? :)
>   

Probably you can try the local Oberthur's contacts:
http://www.oberthur.com/content/233/europe
> Best wishes,
> Martin
>   
Kind wishes,
Viktor.

> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
-- 
Viktor Tarasov  <viktor.tara...@opentrust.com>

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Reply via email to