> >> As the wrapper is used for built-in APDU ciphering and mac-ing, you should > >> instead propose a solution for the secure messaging infrastructure in > >> OpenSC > >> (ItaCNS, DNIe, IAS/ECC, Feitian have code that deals with it). As you use > >> builtin keys for only specific APDU-s this should be the simplest case. > > > > Yes, you're right. > > Juan's proposal is very neat: > > http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015199.html > > Thanks to him, I'm implementing similar infrastructure in new model driver.
Notice that the patch you refers is not the current solution for DNIe. Current solution is like shown: http://forja.cenatic.es/plugins/scmsvn/viewcvs.php/opensc-opendnie/trunk/?root=opendnie --------------- src/libopensc/apdu.c ------------------- /* take care on apdu wrapping card routine */ int sc_transmit_apdu(sc_card_t *card, sc_apdu_t *apdu) { int r = SC_SUCCESS; if (card == NULL || apdu == NULL) return SC_ERROR_INVALID_ARGUMENTS; SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); /* check for need of apdu wrapping */ if (card->ops->wrap_apdu) { r= card->ops->wrap_apdu(card,apdu); /* if result==0 means process done, return * on result<0 some error happened, abort and return * on result>0 continue normal sc_transmit_apdu * processing */ if (r<=0) LOG_FUNC_RETURN(card->ctx,r); } LOG_FUNC_RETURN(card->ctx,_sc_transmit_apdu(card,apdu)); } /* original sc_transmit_apdu follows. Also needs to be exported */ int _sc_transmit_apdu(sc_card_t *card, sc_apdu_t *apdu) { ..... --------------------------------------------- DNIe needs two different operations with SM: encode/decode APDUs, and handle envelope_transmit() with securized messages. But apud.c::sc_transmit_apdu() does not handle envelope_tx (as standard requires for SM), just apdu chaining And when no SM is active, DNIe reverts to original OpenSC's transmit_apdu routine, so _sc_transmit_apdu() needs to be exported I'm not sure on this solution. It avoids the use of 13 calls to "dnie_transmit_apdu()", as shown in entersafe driver, but requires an extra card_operation entry and two different entry points for sc_transmit_apdu to take care or ignore apdu pre/post processing. Anyway, it works :-) Juan Antonio. PS: Martin: as you requested, I've removed all libassuan references on DNIe code. Now I use a bidirectional pipe to call an external program (definable in /etc/opensc.conf) to handle graphical user consent for signature confirmation. Think that is cleaner, and lets OpenSC free of other external dll dependencies than OpenSSL
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel