Le 14/06/2011 17:05, Douglas E. Engert a écrit : > On 6/14/2011 9:18 AM, Alon Bar-Lev wrote: >> On Tue, Jun 14, 2011 at 5:15 PM, Viktor Tarasov >> <viktor.tara...@gmail.com> wrote: >>> So, if no objections, >>> in the framework-pkcs15 I will set the 'nonRepudiation' PKCS#15 flag, if >>> the key 'create-object' template contains the CKA_ALWAYS_AUTHENTICATE and >>> CKA_SIGN >>> attributes. Thus there is no more need of the vendor specific attribute. >> But this is procedural. >> How can you enforce ALWAYS_AUTHENTICATE on something of your procedure? >> Maybe laws in other countries enables authenticate once in X minutes? > As I understand it, the intent is to pass in some information when creating > the key, not necessarily when it is used. > > The related question: > Viktor, does your card do anything with the nonRepudiation flag when a > sign operation is done?
Yes, it reset the 'verified' flag of the authentication object, that protects the key. Here is the 'always-authenticate' behavior. Normally, nonRepudiation flag is applicated only for the 'c.d.signature' operation (not for the other two ones -- 'authenticate' and 'decrypt'). That's why I proposed to associate (CKA_ALWAYS_AUTH && CKA_SIGN) and 'nonRepudiation'. Another, imho, the most neutral solution could be to introduce a ALWAYS_AUTHENTICATE flag(member) into the internal 'sc_pkcs15init_prkeyargs' and 'sc_pkcs15_prkey_info' data types, to set this flag if template contains the CKA_ALWAYS_AUTH , and to transfer to the card specific part the decision to associate (CKA_ALWAYS_AUTH && CKA_SIGN) with 'nonRepudiation' . In this case the 'nonRepudiation' is not need to be managed in the common pkcs11 and framework-pkcs15 parts. > (The PIV actually has an internal bit that is set to 1 after a verify pin > operation and set to 0 after every other operation. So if a sign operation > using 9C key will only be allowed if the bit is 1.) > > Does any PKCS#15 card support such a bit, and thus require a PKCS#11 > CKA_ALWAYS_AUTHENTICATE attribute? > > As far as I know, AFAIK CKA_ALWAYS_AUTHENTICATE was added after 2004 > and was not a concept in the original PKCS#15 Is it in ISO/IEC 7816-15 > keyUsageFLAGSs or keyAccessFlags? Afais, there is no equivalent in PKCS#15 . _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
