On 22/04/2011 22:24, NdK wrote:
> Hello all.
>
> Since Toni can't look at this issue soon, I'm trying to fix it myself.
> The problem is that, at least with Aventra MyEID, every key gets created
> in a way that requires CHV1 for crypto ops, even if --insecure is specified.
>
> It seems the root of the problem lies in the profile: changing
> CRYPTO=$PIN to CRYPTO=NONE works around it, but it's surely sub-optimal.
>
> Another, maybe related, problem is that, IIUC the profile syntax, only
> one PIN can be specified,
It's not completely true.
The ACL profile definition "ACL = *=NEVER,READ=$PIN,READ=$SOPIN;" will define
two linked ACL entries for the 'READ' operation.

After that it's up to the card-specific part to encode this case into the FCP of
the file/object to be created.
The encoding is quite different from one card to another.

Then there is the question of how to use the combined ACLs (properly parsed by
the card-specific part back into the linked ACL entries), how to describe them in
PKCS#15, ...
Actually the common part of pkcs15init or pkcs15 cannot process combined ACLs
where there is more than one authentication method of the same type (for example
two PINs).


> so I can't say that (for example):
> - central office handles card initialization (w/ SO-PIN)
The central office could be represented by another authentication method: SM or
external authentication.
(xPIN authentication is not quite secure for administration tasks.)
Support for these authentication methods is on the OpenSC roadmap.


> - a key must be "authorized" (generated in presence of) a delegated
> technician (CHV1) -- maybe to later issue a certificate that requires
> face-to-face recognition
> - doing crypto ops on that key may be protected by a PIN (any CHV, as
> specified by -a N) or left unsecured (--insecure)
> - more keys can be generated by the user w/o requiring the technician
>
> While to leave it unprotected I can play with the profile, I don't see
> any way to protect it with a different pin (unless I can specify
> directly CHVn instead of $PIN, and even then I could think some
> scenarios where it would require quite a lot of profiles juggling).
>
> I still find it quite difficult to follow code flow, even if I'm
> beginning to understand it a bit... So any pointer could be helpful.
>
> Tks,
>    Diego.

Kind wishes,
Viktor.
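To make the linked-entry reading of the ACL syntax concrete, here is an added toy parser (written for this page, not OpenSC's own profile parser; the sample ACL line and the classification of $PIN and $SOPIN as the same CHV type are constructed assumptions) that splits a profile ACL line into per-operation entries and flags the same-type combination that the common pkcs15init code cannot process:

```python
import re

# Constructed sample profile line (not taken from a real OpenSC profile).
ACL_LINE = "ACL = *=NEVER,READ=$PIN,READ=$SOPIN,UPDATE=$SOPIN;"

# Assumption for this toy: both of these are CHV-type (PIN) methods.
PIN_METHODS = {"$PIN", "$SOPIN"}


def parse_acl(line):
    """Parse 'ACL = op=method,op=method,...;' into {op: [method, ...]}.

    An operation that appears more than once keeps every method as a
    linked entry, in source order (READ -> [$PIN, $SOPIN] above).
    """
    m = re.fullmatch(r"\s*ACL\s*=\s*(.*?)\s*;\s*", line)
    if not m:
        raise ValueError("not an ACL line: %r" % line)
    acl = {}
    for item in m.group(1).split(","):
        op, _, method = item.strip().partition("=")
        if not op or not method:
            raise ValueError("bad ACL item: %r" % item)
        acl.setdefault(op, []).append(method)
    return acl


def combined_same_type(acl):
    """Return the operations whose linked entries use more than one
    authentication method of the same type (here: two PINs), i.e. the
    combination the common pkcs15init/pkcs15 code does not handle."""
    flagged = []
    for op, methods in acl.items():
        pins = [meth for meth in methods if meth in PIN_METHODS]
        if len(pins) > 1:
            flagged.append(op)
    return flagged


if __name__ == "__main__":
    acl = parse_acl(ACL_LINE)
    print(acl)
    print("unsupported combined ACLs on:", combined_same_type(acl))
```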

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
