On 2/14/2011 5:22 AM, jons...@terra.es wrote:
> In the testing process of OpenDNIe I've found a problem related to
> concurrent access to the opensc-pkcs11 library.
>
> In short: as DNIe can only handle one SM at a time (no virtual channel
> support), there is no (known) way to get concurrent pkcs11 access

The next question would be, how long do the PKCS#11 libraries have to keep the SM connected to the card? If the PKCS#11 opened an SM connection to the card, did some processing, like caching certificates, then dropped the SM connection, some other application could then do the same. (I am not familiar with the DNIe cards.) So is this a problem with the OpenSC implementation of an SM to these cards?

> This "feature" makes unusable most signing applets commonly used in many
> official sites

Does the card impose some CKA_ALWAYS_AUTHENTICATE restriction, such as the PIN must be presented before each crypto operation for some private key, with no intervening operations?

> Afaik opensc-pkcs11 is thread/process aware, and non-SM based cards can
> successfully handle "n" processes without any problem noticed. But for DNIe,
> I need some way to "centralize" all SM tasks in a single process/thread.
>
> I'm thinking of a sort of "SM daemon" to take care of APDU encoding/decoding.
>
> How do you feel about this approach?

What are the security implications of the daemon approach? Did the card developers define the SM to prevent separate processes from accessing a card? How would you protect access to the card on a multi-user system?

> btw, most of the cryptoapplet jarfiles I know can handle access to the card
> by means of CSP, PKCS#11 and NSS interfaces. Can you confirm that selecting
> NSS as the interface instead of PKCS#11 would solve this problem?

I don't think NSS would help. AFAIK it is a set of libraries used by an application. Applications can share the databases, but the security devices are PKCS#11 modules, so the problem still goes back to PKCS#11.

You can use pkcs11-spy as a security device, to see what is going on.

> Juan Antonio
>
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444