On 4/26/2011 2:25 AM, Jean-Michel Pouré - GOOZE wrote:
> On Monday, 25 April 2011 at 22:53 +0200, NdK wrote:
>> pkcs15-tool -D
>> should list 'em all, or not?
>
> A dump, oh sure, in hexadecimal or better binary.
> :)
>
> On the same vein:
>
> --list-public-keys
> does not read public keys derived from RSA private keys.
>
> --read-public-key <arg>
> reads public keys derived from RSA private keys.
>
> --read-ssh-key
> reads public keys derived from RSA private keys.
Looking at the code, the --read-* options will try and find a pubkey object, and if not found will then read a certificate and extract the public key from the certificate. In some of your earlier notes, I interpreted the term "derive" to be key derivation, as in PKCS#11 C_DeriveKey, and not the process used in pkcs15-tool of obtaining the public key from a certificate.

> All this is confusing for users. At present, --list-public-keys fails to
> locate all usable keys.

I would say the issue would be the --read-* commands should indicate that either a pubkey file was found, or that it is obtaining the pubkey from the matching certificate.

> Unless you are an expert, you cannot know that.
> And pkcs15-tool should not be only for experts.
>
> I still believe that pkcs15-tool --list-public-keys
> is a commitment to list all RSA keys usable as public keys.

No, I would say it is listing all pub key *files* found on the card.

> Maybe a
> switch should indicate "independent object" or "virtual object" when
> derived from a private key. This is only an idea.

The term should be "public key obtained from certificate". As other e-mails have said, it's in the documentation, and having pkcs15-tool listing "virtual object" could also be confusing, as an application may not be smart enough to do the same thing and look for a certificate.

> Tell me what I should do. If users really need to read dumps, I will ask
> them to read dumps. No kidding this time.
>
> Kind regards,

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
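As an added example (not code from this thread or from OpenSC), a small POSIX shell wrapper that does what the reply above asks of the --read-* commands: it reports whether a public key is a real pubkey file (one that --list-public-keys shows) or was obtained from the certificate with the same ID. It assumes pkcs15-tool and openssl on PATH (overridable via PKCS15_TOOL and OPENSSL for testing), that --read-certificate prints a PEM certificate, and that the listing carries the ID in its usual "ID : 45" line.

```shell
#!/bin/sh
# Added example, not OpenSC code: say where a PKCS#15 public key comes from.
# Assumption: pkcs15-tool and openssl are on PATH; both paths can be overridden.
PKCS15_TOOL="${PKCS15_TOOL:-pkcs15-tool}"
OPENSSL="${OPENSSL:-openssl}"

# has_pubkey_object ID: true if --list-public-keys shows a pubkey *file* with
# this ID. Assumption: the listing prints the ID as "  ID             : 45".
has_pubkey_object() {
    "$PKCS15_TOOL" --list-public-keys 2>/dev/null |
        grep -Eq "^[[:space:]]*ID[[:space:]]*:[[:space:]]*$1[[:space:]]*$"
}

# pubkey_source ID: prints "pubkey-object", "certificate" or "none".
# Mirrors the --read-* fallback: pubkey file first, then the matching
# certificate, whose SubjectPublicKeyInfo openssl extracts for us.
pubkey_source() {
    if has_pubkey_object "$1"; then
        echo "pubkey-object"
    elif "$PKCS15_TOOL" --read-certificate "$1" 2>/dev/null |
         "$OPENSSL" x509 -pubkey -noout >/dev/null 2>&1; then
        echo "certificate"
    else
        echo "none"
    fi
}

# read_pubkey ID: print the PEM public key on stdout and, on stderr, the
# provenance that the thread asks pkcs15-tool itself to report.
read_pubkey() {
    src=$(pubkey_source "$1")
    case "$src" in
        pubkey-object) "$PKCS15_TOOL" --read-public-key "$1" ;;
        certificate)   "$PKCS15_TOOL" --read-certificate "$1" |
                           "$OPENSSL" x509 -pubkey -noout ;;
        *) echo "no public key or certificate with ID $1 on the card" >&2
           return 1 ;;
    esac
    echo "public key with ID $1 obtained from: $src" >&2
}

# Usage: sh read-pubkey.sh 45
if [ $# -gt 0 ]; then
    read_pubkey "$1"
fi
```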