On 1/7/2011 3:21 PM, Jean-Michel Pouré - GOOZE wrote:
> Dear all,
>
> Because users have smartcards in the wallet and need to connect from any
> computer, including Mac OS X, Windows and GNU/Linux, and they don't know
> in advance which framework is installed, it seems important that card
> initialization is consistent between proprietary drivers and OpenSC.
>
> I tried different scenarios with the Feitian PKI.
>
> It seems that if you initialize a Feitian PKI on Windows 7 64-bit (CSP), you
> are able to use the card on GNU/Linux (OpenSC). But the converse is not
> always true: Windows may not accept the PIN code or may declare the
> certificates invalid.

Is this a Windows issue or a Feitian Windows CSP/minidriver issue? It might
be that the Feitian driver code is not as flexible as the OpenSC code, and
does not look at the PIN flags at all, assuming that it is their card
issued by their code. It may have problems handling the flags as set by
OpenSC that it is not expecting or never tested.

>
> So I did a simple test:
> * Under Windows 7 64 bit: use only Feitian tools.
> * Under GNU/Linux: use only OpenSC 0.10.0 + Firefox.
>
> I initialized a card with PIN code 0000 and transferred a certificate
> using Firefox. This is what users are going to do if they enroll on
> online servers, which I expect.
>
> Please find hereafter a compared dump of the cards.
>
> My questions are:
> 1) Should the PIN and RSA/certificate flags be consistent for all drivers?

I would think so as some vendor drivers may not handle all the possible flags.

> Is that important for Windows 7 or OpenSC? Please notice the difference
> in the PIN flags.
> 2) If the flags are important, could we consider some kind of
> initialization option like --windows, which would add the same flags as
> if the card had been initialized by the proprietary drivers?

Yes, but I would not call it --windows, but something like
--vendor-driver-compatible-flags.

> 3) Can the flags be modified after a card is initialized by OpenSC? I
> would like to study the importance of the flags.
> 4) The PIN flags are from OpenSC.
> 5) Most flags are from RSA/X.509 certs. Do OpenSC or Firefox add flags
> during the transfer of certs?

The OpenSC flags for the public key don't look correct. It says "sign".
Public RSA keys can encrypt, wrap, verify or verifyRecover but not sign.
So if the Feitian looks for a verify flag, it won't find one.

The OpenSC driver may ignore the public key or its flags and just use
the key in the certificate.

What is the ID being used by the Feitian code? Is it being used to store
some other information that their driver might be using? It looks like
an ASCII string: 7E68517B-8A13-4F79-8138-A67EEA146EF21  Could this mean
anything to their driver?

>
> Basically, I would like to be able to initialize cards and users are
> never aware this was OpenSC and not the proprietary drivers. Is that
> possible?

I would think it should be possible. The trick is to know what the vendor's
driver is expecting in the flags, and other fields.

>
> Sorry for all these questions, I hope this can be useful for basic
> users.
>
> Kind regards,

-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
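The key-usage point made above (a public key object should carry verify/encrypt/wrap/verifyRecover, never sign, and a strict vendor driver may look for the matching public usage for each private usage) can be checked mechanically against the usage bitmasks read from a PKCS#15 dump. The following is an added example, not code from the thread or from the OpenSC project. It assumes the bit assignments of ISO 7816-15 KeyUsageFlags as OpenSC encodes them in its SC_PKCS15_PRKEY_USAGE_* constants (encrypt=0x1, decrypt=0x2, sign=0x4, signRecover=0x8, wrap=0x10, unwrap=0x20, verify=0x40, verifyRecover=0x80, derive=0x100, nonRepudiation=0x200); the sample masks at the bottom are constructed to mirror the situation described in the mail (private key sign+decrypt, public key marked "sign").

```python
"""Consistency check for PKCS#15 private/public key usage flags.

Added example; not OpenSC code. Bit values are assumed to match
ISO 7816-15 KeyUsageFlags / OpenSC SC_PKCS15_PRKEY_USAGE_* (see lead-in).
"""

# Bit -> name, in ISO 7816-15 KeyUsageFlags order (assumed, see lead-in).
USAGE_FLAGS = {
    0x001: "encrypt",
    0x002: "decrypt",
    0x004: "sign",
    0x008: "signRecover",
    0x010: "wrap",
    0x020: "unwrap",
    0x040: "verify",
    0x080: "verifyRecover",
    0x100: "derive",
    0x200: "nonRepudiation",
}

# Usages that make sense on a public key object, and on a private key object.
PUBLIC_KEY_USAGES = {"encrypt", "wrap", "verify", "verifyRecover", "derive"}
PRIVATE_KEY_USAGES = {"decrypt", "sign", "signRecover", "unwrap",
                      "derive", "nonRepudiation"}

# Each private-key usage has a counterpart a driver may expect on the public key.
PRIVATE_TO_PUBLIC = {
    "decrypt": "encrypt",
    "sign": "verify",
    "signRecover": "verifyRecover",
    "unwrap": "wrap",
    "nonRepudiation": "verify",
    "derive": "derive",
}


def decode_usage(mask: int) -> set:
    """Turn a usage bitmask into a set of usage names; unknown bits are kept."""
    names = {name for bit, name in USAGE_FLAGS.items() if mask & bit}
    unknown = mask & ~sum(USAGE_FLAGS)
    if unknown:
        names.add("unknown:0x%x" % unknown)
    return names


def encode_usage(names) -> int:
    """Inverse of decode_usage for known usage names."""
    by_name = {name: bit for bit, name in USAGE_FLAGS.items()}
    return sum(by_name[n] for n in names)


def check_key_pair(prkey_usage: int, pubkey_usage: int) -> list:
    """Return human-readable findings; an empty list means the pair is consistent."""
    prk = decode_usage(prkey_usage)
    pub = decode_usage(pubkey_usage)
    findings = []
    # Usages that do not belong on the object type they were found on.
    for u in sorted(pub - PUBLIC_KEY_USAGES):
        findings.append("public key carries private-only usage '%s'" % u)
    for u in sorted(prk - PRIVATE_KEY_USAGES):
        findings.append("private key carries public-only usage '%s'" % u)
    # Private usages whose public counterpart is missing (what a strict
    # vendor driver looking for e.g. 'verify' would stumble over).
    for u in sorted(prk & set(PRIVATE_TO_PUBLIC)):
        want = PRIVATE_TO_PUBLIC[u]
        if want not in pub:
            findings.append("private key has '%s' but public key lacks '%s'"
                            % (u, want))
    return findings


def suggested_pubkey_usage(prkey_usage: int) -> int:
    """Public-key usage mask that mirrors the given private-key usage mask."""
    prk = decode_usage(prkey_usage)
    return encode_usage({PRIVATE_TO_PUBLIC[u] for u in prk if u in PRIVATE_TO_PUBLIC})


if __name__ == "__main__":
    # Constructed sample: private key sign|decrypt, public key wrongly marked sign.
    prk_mask, pub_mask = 0x006, 0x004
    for line in check_key_pair(prk_mask, pub_mask):
        print("FINDING:", line)
    fixed = suggested_pubkey_usage(prk_mask)
    print("suggested public key usage: 0x%x %s" % (fixed, sorted(decode_usage(fixed))))
```

The masks to feed in are the key-usage values shown for the PrKDF and PuKDF entries in a card dump; if a card initialised by one driver passes this check and one initialised by the other does not, that is the first flag difference worth reporting back to the vendor. Whether a given `pkcs15-init` invocation lets you set the public key usage independently is something to confirm against its manual page rather than assume.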
