You say you are using FF, so have you looked at JSS?
http://www.mozilla.org/projects/security/pki/jss/

As I read this, it is a Java interface to NSS, and thus avoids
SunPKCS11 and its limitations, but still allows the use of OpenSC.

On Windows, you could also use the Windows CAPI via the SunMSCAPI,
and OpenSC on Windows can still be used via the OpenSC minidriver.

See below.


On 8/3/2011 5:52 AM, NdK wrote:
> Il 03/08/2011 11:08, helpcrypto helpcrypto ha scritto:
>
>> As I understand, you want to develop something like a wallet, where passwords
>> stored on the server (encrypted) are copied to the clipboard (although a simple
>> CTRL+V will display it), to let the user authenticate in other
>> services. Right?
> Yup. Right. Ctrl-V is the smallest problem (a bigger one is KDE's
> "cache" in system tray) and should be solved "politically" (even KDE's
> cache can be "cleared" by inserting enough random strings). But that's
> really OT here.
>
>> You need applets cause the access to this wallet is using smartcard?
>> certificate?
> The wallet must allow for use of a smart card or a simple password
> (obviously highly sensitive passwords will have to be restricted to
> stronger method). Not really different at the programmatic level, since
> I can store "anything" in the "encryptedPrivateKey" field: an actual key
> or a reference to a token.
>
>>> Known bug in FF, IIUC. When you insert the card (or load opensc-pkcs11)
>>> it C_Login to every slot even if you're not accessing certs. So:
>>> 1) it asks for EVERY pin (even signature ones)
>> What does IIUC mean?
> If I Understand Correctly.
>> With our company card+spanish ID (dnie) on different readers, while
>> doing client auth, it asks for 2 PINs (one for each slot), to retrieve
>> ALL the certs from all the slots/tokens.
> That's exactly what I noticed. Seems the key is the "friendly flag"
> that's (IMVHO) badly thought (since I can access both friendly and
> unfriendly tokens w/ the same lib).
> And (more general question) why does a slot identify a PIN? What about
> "insecure" keys and their certs? See below.
>
>> That lets FF show a window to select all possible certs.
>> Is this the scenario you are pointing at? Can you give me the bugzilla number?
>> (From my experience, NSS or the part responsible for retrieving the
>> certs is not very efficient... for example, it requests vendor objects
>> on my token like 150 times, although the first time I say "I have
>> none")
> Well, just searching "smart card" in bugzilla pops up quite a lot of
> issues. 460985 and 378476 (always selects the first cert from a card),
> 453025 (security devices only loaded on application start) and many more...

Here are 3 others: 357025, 613496, 613507. These deal with selecting
the "best slot", supporting CK_ALWAYS_AUTHENTICATE if needed, and
cutting down on searching for any object when it should be searching for
a cert only, which may be your 150 times.

>
>> I think we should exchange experiences :P
> Mine is just: too buggy to be actually used w/ smartcards, useful only
> in the simplest scenarios.
>
>>> 2) while opensc-pkcs11 is loaded in FF, thunderbird (nor any other
>>> PKCS11 'client') doesn't "see" the card
>> That's an OpenSC desired/undesired behaviour.
>> If OpenSC did that for any reason, you could ask here (or martin). But
>> I can tell you, it's not FF that locks, because my smartcard can
>> be used and viewed by many at the same time.
>> (Thank god for PCSC's BeginTransaction and EndTransaction methods)
> I can't retrieve now the bug #, but IIRC it keeps the session to the
> token open. Maybe your card allows for more than one channel.
>
>>> Anyway, auth using 'internal' method is possible only on https sites
>>> (unavailable on shared-hosting plans, and it's now giving me headaches
>>> since I need to use SNI, that's not supported by IE on XP).
>> No idea what "internal" means, or SNI, or what you are talking about.
> "Internal" is when the https server asks for a client cert. SNI is an
> extension to TLS that allows more than one https virtual host on an
> IP/port by giving the requested server name at the start of the handshake.
>
>> We have those 3 systems, and support for 3 major browsers on each:
>> Firefox/Chrome/IE/Safari. I think that's enough for end users... come
>> on, don't make me support "lynx" please.
> No, but writing 9 different apps is not the solution, IMVHO.
>> BTW, don't expect a friendly environment using Java on OSX, these guys hate
>> them.
> I'll have to fight with it, then :)
>
>>> This assumes that the user:
>>> - can install sw
>> Copying files isn't always needed, but access to the system is.
>> Signed applets will let you access the system, and you could do whatever
>> you want.
> Nope. You can install sw only if the policy allows you to do it. And
> often (think about a kiosk) it's forbidden. A signed applet can AT MOST
> have the same rights as the user, IIRC (I don't remember a policy to give
> an applet more rights than the ones assigned to the user running it...).
>
>>> - usually uses only one machine
>> Not true... it just "extracts and runs", even better than installing a
>> client software.
> Uh, right... jnlp headaches... :) Still needs JVM, pcsc, etc... And it's
> anyway better if the downloaded app is signed... So I don't see real
> advantages here.
>
>>> If only SunPKCS11 would be more versatile... Maybe the simplest thing is
>>> to get its source and hack it, so that it:
>>> - supports plain on-card keypairs
>>> - only asks PIN when needed
>> AFAIK, both can be done.
> Not w/ standard SunPKCS11. See below.
>
>>> - handles multiple slots
>> What do you mean by this?
> That's something I still couldn't understand well...
> Reading PKCS11-v2.30b specs, it seems a slot is just a physical object
> where a card can be placed. So a reader should present more than one
> slot only if it accepts more than one token:
> "Cryptoki provides an interface to one or more cryptographic devices
> that are active in the system through a number of “slots”. Each slot,
> which corresponds to a physical reader or other device interface, may
> contain a token. A token is typically “present in the slot” when a
> cryptographic device is present in the reader. Of course, since Cryptoki
> provides a logical view of slots and tokens, there may be other physical
> interpretations. It is possible that multiple slots may share the same
> physical reader. The point is that a system has some number of slots,
> and applications can connect to tokens in any or all of
> those slots." (page 17).
>
> Then, on a token, there can be many objects (see page 18). Objects can
> be public or private: "Further classification defines access
> requirements. Applications are not required to log into the token to
> view “public objects”; however, to view “private objects”, a user must
> be authenticated to the token by a PIN or some other token-dependent
> method (for example, a biometric device)." (page 19)
>
> So I can understand that when I plug in another reader I get another set
> of slots. What I don't understand is why I get a slot for every PIN on
> my card, plus a PnP (always empty) slot.
>
> SunPKCS11 pulls this to the limit that I have:
> 1) to know the slot I'll need to use before opening the KeyStore
> 2) to supply the PIN to open the KeyStore, even if I only need access to
> public objects
>
>>> - handles certs "outside a slot" (that is: that are not PIN protected)
>> Add them to NSS (can have PIN protection), use a PKCS#12(can also have
>> PIN protection)...
>>
>> Again, move this conversation to private if you consider so
> At least the PKCS11 part I think is really in topic. But even the rest
> could help others.
>
> BYtE,
>   Diego.
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel

-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
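The two SunPKCS11 limits Diego lists (the slot must be chosen before the KeyStore is opened, and a PIN is demanded at load time even when only public objects such as certificates are wanted) are easiest to see in a short program. The following is an added example written for this thread, not code from OpenSC, Mozilla, or any of the posters. It assumes the OpenSC module path `/usr/lib/opensc-pkcs11.so`, the Java 9+ `Provider.configure` API (the inline `--` configuration form), and a PIN passed on the command line; the class and method names (`OpenScSlotProbe`, `providerForSlot`, `openSlot`, `certificateAliases`) are the example's own. It walks `slotListIndex` upward, creating one provider per slot, and reports which slots can be opened with and without a login.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

public class OpenScSlotProbe {
    // Assumption: where OpenSC's PKCS#11 module lives on this machine.
    static final String MODULE = "/usr/lib/opensc-pkcs11.so";

    // One SunPKCS11 provider instance is bound to exactly one slot, so the
    // slot has to be picked before any KeyStore can be opened. The index
    // into C_GetSlotList (slotListIndex) is used rather than the raw slot
    // id, because OpenSC's ids change as readers come and go.
    static Provider providerForSlot(int slotListIndex) {
        String config = "--name = OpenSC-slot" + slotListIndex + "\n"
                      + "library = " + MODULE + "\n"
                      + "slotListIndex = " + slotListIndex + "\n";
        // Java 9+: a leading "--" marks the argument as inline configuration.
        // On Java 8 and older the equivalent is
        // new sun.security.pkcs11.SunPKCS11(InputStream) with the same text.
        return Security.getProvider("SunPKCS11").configure(config);
    }

    // Open the KeyStore behind one slot. With pin == null no login is
    // attempted; on a token that reports CKF_LOGIN_REQUIRED (every PIN-
    // protected OpenSC slot) SunPKCS11 refuses to load the KeyStore at all,
    // even though the certificates it holds are public objects.
    static KeyStore openSlot(Provider p, char[] pin)
            throws IOException, GeneralSecurityException {
        if (pin == null) {
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, null);
            return ks;
        }
        // CallbackHandlerProtection hands the PIN over through the standard
        // JAAS PasswordCallback instead of the load(stream, password) call.
        KeyStore.CallbackHandlerProtection prot =
            new KeyStore.CallbackHandlerProtection(callbacks -> {
                for (Callback cb : callbacks) {
                    if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(pin);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            });
        return KeyStore.Builder.newInstance("PKCS11", p, prot).getKeyStore();
    }

    // Aliases that resolve to X.509 certificates: the public objects a
    // browser-style certificate chooser actually needs from each slot.
    static List<String> certificateAliases(KeyStore ks)
            throws GeneralSecurityException {
        List<String> out = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.getCertificate(alias) instanceof X509Certificate) {
                out.add(alias);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        char[] pin = args.length > 0 ? args[0].toCharArray() : null;
        // Probe slotListIndex 0, 1, 2, ... until the provider rejects the
        // index (SunPKCS11 throws once the index exceeds the slot count).
        for (int i = 0; ; i++) {
            Provider p;
            try {
                p = providerForSlot(i);
            } catch (RuntimeException e) {
                System.out.println("no slot at index " + i + ": " + e.getMessage());
                break;
            }
            try {
                KeyStore ks = openSlot(p, pin);
                System.out.println("slot " + i + " certificates: " + certificateAliases(ks));
            } catch (IOException | GeneralSecurityException e) {
                // The usual result with pin == null on a PIN-protected slot.
                System.out.println("slot " + i + " not opened: " + e.getMessage());
            }
        }
    }
}
```

Run it once with no argument and once with a PIN: the first run shows which slots SunPKCS11 will not open without a login, the second shows that each PIN-protected slot of the same card appears as its own slot and needs its own PIN, which is the behaviour both NdK and helpcrypto observe in Firefox. Passing the PIN as a command-line argument is only for the demonstration; in a real application it would come from a prompt or a pinpad (CKF_PROTECTED_AUTHENTICATION_PATH), never from argv.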