Hello,

On Apr 27, 2011, at 02:57 , Juan Antonio Martinez wrote:

> On Tue, 26-04-2011 at 22:53 +0200, Juan Antonio Martinez wrote:
> [...]
>>> One option would be to remove public key files from emulation
>>> (like the Estonian eID),
>> Perhaps I'll need some help: pkcs15-dnie.c just parses pkcs15 data
>> from the card, and patches some file paths and IDs... no clear idea
>> about how to remove found entries from OpenSC's pkcs15 structures
>
> Ok, I finally did it. pkcs15-tool -D no longer shows "public keys"
> on my DNIe card.
>
> The pkcs15-tool trace says that no public key is found, so it looks for
> keys in the cert, finds it, tries to read the certificate...
> ... and dies with "security status not satisfied":
>
> Remember that the DNIe requires a PIN to read certificates,
> but sc_pkcs15_read_certificate() does not seem to take
> care of that and dies with error -1211...
pkcs15-tool recently got a --verify-pin option to verify a PIN before anything else. That might work for pkcs15-tool, if documented.

You could re-use the PIN cache inside sc_pkcs15_read_certificate(), much like everything else in libopensc/pkcs15-sec.c does as well (the actual usefulness of it might be questionable for *certificates* though, they are usually read only once).

I'm not sure if there is a silver bullet solution; eventually the calling application must consider the requirement of a PIN code before being able to read certificates, and ideally provide a tunable for this (like what NSS does, but applications don't support it very well).

But as I understand, *listing* certificates (not reading them, but becoming aware of their existence) works without PIN codes? This should probably help a little (compared to a situation where even becoming aware of the existence of certificates requires a PIN code).

>>> and to move the handling of certificate->pubkey to generic
>>> libopensc code. This would require filtering for duplicate objects.
>
> There is already a sc_pkcs15_pubkey_from_cert() function. Are you
> talking about that? If yes, I could try to write a patch...
> ... but no idea on how to handle the previous "pin required" error.

When binding to the card, looping over all certificates and creating public key objects, then filtering for duplicates in the pubkey file, and having the fake pubkey objects present right after binding to the card (so that other pieces like pkcs15-tool or the PKCS#11 module would not have to do that separately).

But yes, that would probably not solve the PIN issue.

Best,
Martin

-- 
@MartinPaljak.net
+3725156495

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
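An added stand-alone model of the bind-time scheme sketched in Martin's reply (not OpenSC code): loop over the certificates, synthesise a public-key object for each one that has no matching entry in the pubkey file, and return the DNIe's "security status not satisfied" (-1211, the value quoted in the thread) to the caller instead of dying part-way through. The structs, `read_certificate`, `has_pubkey_with_id`, `add_pubkeys_from_certs`, `make_dnie_card` and the card contents are constructed stand-ins for the libopensc structures and functions.

```c
/* Added example, not libopensc code: simplified stand-ins for PKCS#15 objects. */
#include <string.h>
#define SC_SUCCESS 0
#define SC_ERROR_SECURITY_STATUS_NOT_SATISFIED (-1211) /* value quoted in the thread */
#define MAX_OBJS 8

struct p15_obj {
    char type[8];       /* "cert" or "pubkey" */
    char id[8];         /* PKCS#15 object ID as a hex string (constructed) */
    int  pin_protected; /* DNIe: certificate EF is readable only after PIN */
};
struct p15_card {
    struct p15_obj objs[MAX_OBJS];
    int nobjs;
    int pin_verified;   /* set by the caller, e.g. via pkcs15-tool --verify-pin */
};

/* Model of sc_pkcs15_read_certificate(): PIN-protected cert without PIN -> -1211 */
static int read_certificate(const struct p15_card *c, const struct p15_obj *o) {
    return (o->pin_protected && !c->pin_verified)
        ? SC_ERROR_SECURITY_STATUS_NOT_SATISFIED : SC_SUCCESS;
}
static int has_pubkey_with_id(const struct p15_card *c, const char *id) {
    for (int i = 0; i < c->nobjs; i++)
        if (!strcmp(c->objs[i].type, "pubkey") && !strcmp(c->objs[i].id, id))
            return 1;
    return 0;
}

/* Bind-time loop: for each certificate whose ID has no pubkey object yet, read it and
 * add a synthetic pubkey object (what sc_pkcs15_pubkey_from_cert() would yield). Returns
 * the number added, or the read error (-1211 on an unverified DNIe) so the caller can
 * verify the PIN and retry instead of dying part-way through. */
int add_pubkeys_from_certs(struct p15_card *c) {
    int added = 0, n = c->nobjs;
    for (int i = 0; i < n && c->nobjs < MAX_OBJS; i++) {
        struct p15_obj *o = &c->objs[i];
        if (strcmp(o->type, "cert") != 0 || has_pubkey_with_id(c, o->id))
            continue;                 /* not a cert, or already in the pubkey file */
        int r = read_certificate(c, o);
        if (r != SC_SUCCESS) return r;
        struct p15_obj *pk = &c->objs[c->nobjs++];
        strcpy(pk->type, "pubkey"); strcpy(pk->id, o->id); pk->pin_protected = 0;
        added++;
    }
    return added;
}

/* Constructed DNIe-like content: two PIN-protected certs and a pubkey file entry
 * for the first one only, so ID 45 is a duplicate and ID 46 needs synthesising. */
struct p15_card make_dnie_card(void) {
    struct p15_card c = { { { "cert", "45", 1 }, { "pubkey", "45", 0 }, { "cert", "46", 1 } }, 3, 0 };
    return c;
}
```

Before the PIN is verified the loop stops at the first unreadable certificate with -1211 and adds nothing; after the caller verifies the PIN it adds exactly one pubkey object (ID 46) and a further call adds none.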