Hello,

On Jan 8, 2011, at 12:13 AM, Douglas E. Engert wrote:

> On 1/7/2011 3:21 PM, Jean-Michel Pouré - GOOZE wrote:
>> It seems that initializing a Feitian PKI on Windows 7 64bits (CSP), you
>> are able to use the card on GNU/Linux (OpenSC). But the converse is not
>> always true. Windows may not accept the PIN code or declare certificates
>> invalid.
>
> Is this a Windows issue or a Feitian Windows CSP/minidriver issue? It might
> be that the Feitian driver code is not as flexible as the OpenSC code, and
> does not look at the pin flags at all, assuming that it's their card
> issued by their code. It may have problems handling the flags as set by
> OpenSC that it is not expecting or never tested.

We can't vouch for what a proprietary driver or CSP can or should do with cards initialized with OpenSC. If the proprietary software does not claim PKCS#15 conformance, there's nothing to do.
>> My questions are:
>> 1) Should the PIN and RSA/certificate flags be consistent for all drivers?
>
> I would think so as some vendor drivers may not handle all the possible flags.

Consistent for all drivers in OpenSC? Not necessarily. But they should be correct nevertheless.

>> 2) If the flags are important, could we consider some kind of
>> initialization option like --windows, which would add the same flags as
>> if initialized by proprietary drivers.
>
> Yes, but I would not call it --windows, but something like
> --vendor-driver-compatible-flags.

Probably code modifications for better cross-platform compatibility could be needed, as well as a profile modification or a special profile. Changing such flags should be possible via profile. Feitian is a proprietary card with no documentation, so it will be difficult unless they provide a patch.

>> 3) Can the flags be modified after a card is initialized by OpenSC? I
>> would like to study the importance of flags.

No, changing them is not necessarily possible or straightforward. You can read the PKCS#15 spec for details on the semantics of the flags.

>> 4) The PIN flags are from OpenSC.
>> 5) Most flags are from RSA/X.509 certs. Do OpenSC or Firefox add flags
>> during transfer of certs?
>
> The OpenSC flags for the public key don't look correct. It says "sign".
> Public RSA keys can encrypt, wrap, verify or verifyRecover but not sign.
> So if the Feitian looks for a verify flag, it won't find one.
>
> The OpenSC driver may ignore the public key or its flags and just use
> the key in the certificate.

This looks incorrect, indeed. Requiring proper usage flags would be useful when generating or importing keys.

> What is the ID being used by the Feitian code? Is it being used to store
> some other information that their driver might be using? It looks like
> an ASCII string: 7E68517B-8A13-4F79-8138-A67EEA146EF21 Could this mean
> anything to their driver?

This is UUID format; it should be just an opaque unique identifier.
>> Basically, I would like to be able to initialize cards and users are
>> never aware this was OpenSC and not the proprietary drivers. Is that
>> possible?
>
> I would think it should be possible. The trick is to know what the vendor's
> driver is expecting in the flags, and other fields.

If the proprietary driver implements PKCS#15, it should be possible and is one of the goals of OpenSC.

-- 
@MartinPaljak.net
+3725156495

_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
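The thread's concrete complaint is a public key object whose PKCS#15 usage flags say "sign", which a vendor driver looking for "verify" will not find. The check below is an added example, not code from the thread, from OpenSC, or from Feitian. It uses the PKCS#15 v1.1 KeyUsageFlags bit positions (encrypt=0 ... nonRepudiation=9), which are also the values OpenSC's `SC_PKCS15_PRKEY_USAGE_*` constants carry; the function names, the public/private split and the sample key objects are constructed for this example. It flags usage bits that make no sense on a given key half and derives the public-key flags that should accompany a given private key, which is the kind of consistency a profile or key-import path could enforce before writing the objects to a card.

```python
# Added example: consistency checks for PKCS#15 KeyUsageFlags.
# Bit values follow PKCS#15 v1.1 CommonKeyAttributes.keyUsage and match the
# SC_PKCS15_PRKEY_USAGE_* values in OpenSC's pkcs15.h. Function names and the
# sample objects at the bottom are constructed for this example, not OpenSC API.

ENCRYPT        = 0x001
DECRYPT        = 0x002
SIGN           = 0x004
SIGNRECOVER    = 0x008
WRAP           = 0x010
UNWRAP         = 0x020
VERIFY         = 0x040
VERIFYRECOVER  = 0x080
DERIVE         = 0x100
NONREPUDIATION = 0x200

# Ascending bit order so reported names are deterministic.
FLAGS = [
    (ENCRYPT, "encrypt"), (DECRYPT, "decrypt"), (SIGN, "sign"),
    (SIGNRECOVER, "signRecover"), (WRAP, "wrap"), (UNWRAP, "unwrap"),
    (VERIFY, "verify"), (VERIFYRECOVER, "verifyRecover"),
    (DERIVE, "derive"), (NONREPUDIATION, "nonRepudiation"),
]
ALL_KNOWN = sum(bit for bit, _ in FLAGS)

# Operations only one half of an RSA key pair can perform. DERIVE is
# legitimate on either half, so it appears in neither set.
PUBLIC_ONLY  = ENCRYPT | WRAP | VERIFY | VERIFYRECOVER
PRIVATE_ONLY = DECRYPT | UNWRAP | SIGN | SIGNRECOVER | NONREPUDIATION

# Private-key operation -> the public-key operation that pairs with it.
# nonRepudiation has no public counterpart (it qualifies a signature, not a verify).
COUNTERPART = {SIGN: VERIFY, SIGNRECOVER: VERIFYRECOVER,
               DECRYPT: ENCRYPT, UNWRAP: WRAP}


def flag_names(usage):
    """Names of the set bits, in ascending bit order; unknown bits are reported by value."""
    names = [name for bit, name in FLAGS if usage & bit]
    unknown = usage & ~ALL_KNOWN
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names


def illegal_flags(kind, usage):
    """Usage bits that a key of this kind ('public' or 'private') cannot legitimately carry."""
    if kind == "public":
        return flag_names(usage & PRIVATE_ONLY)
    if kind == "private":
        return flag_names(usage & PUBLIC_ONLY)
    raise ValueError(f"unknown key kind: {kind!r}")


def expected_public_usage(private_usage):
    """Public-key flags that should accompany a private key with the given usage."""
    public = private_usage & DERIVE            # derive is shared by both halves
    for prv_bit, pub_bit in COUNTERPART.items():
        if private_usage & prv_bit:
            public |= pub_bit
    return public


def pair_problems(public_usage, private_usage):
    """All inconsistencies for a (public, private) pair; empty list means consistent."""
    problems = [f"public key must not be flagged {n}"
                for n in illegal_flags("public", public_usage)]
    problems += [f"private key must not be flagged {n}"
                 for n in illegal_flags("private", private_usage)]
    missing = expected_public_usage(private_usage) & ~public_usage
    problems += [f"public key lacks {n}, the counterpart of a private-key usage"
                 for n in flag_names(missing)]
    return problems


if __name__ == "__main__":
    # Constructed sample mirroring the thread: private key flagged sign+decrypt,
    # public key object mistakenly flagged "sign" instead of "verify".
    samples = {
        "as reported in the thread": (SIGN, SIGN | DECRYPT),
        "consistent pair":           (VERIFY | ENCRYPT, SIGN | DECRYPT),
    }
    for label, (pub, prv) in samples.items():
        print(f"{label}: public={flag_names(pub)} private={flag_names(prv)}")
        for p in pair_problems(pub, prv) or ["ok"]:
            print("   ", p)
```

Running the block prints the two constructed cases; the first is reported as a public key wrongly flagged "sign" and missing "verify" (and, from the decrypt bit, missing "encrypt"), the second is reported as consistent. `expected_public_usage` is the piece a generation or import path would use to populate the public object from the private object's flags rather than copying them verbatim.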
