Le 14/08/2011 13:57, Jean-Michel Pouré - GOOZE a écrit :
>> PKCS#15 card producers resolve this problem by
>> creating parallel CSP file system, invisible for PKCS#15,
>> or by creating 'DATA' objects with the common 'application' attribute,
>> for ex. "BaseCSP".
>>
>> I guess that this second approach is more appropriate for the OpenSC
>> minidriver.
>>
>> The capability of the card to support 'write' minidriver mode will be
>> declared in 'card_atr' section of opensc.conf.
>> It presumes that card supports the pkcd15-init.
>> For such card all pkcs15-init operations (executed by tools, pkcs#11
>> or minidriver) will try to update the BaseCSP 'DATA' objects.
>>
>> What do you think about it?
> Dear Viktor,
>
> IMHO this is a very interesting way to go.
>
> When using OpenSC under Mac OS X or GNU/Linux, it also assumes that
> OpenSC should write this invisible information to preserve
> compatibility under all systems.
>
> I presume this would make OpenSC a universal platform.


I committed the initial version of the minidriver in 'write' mode.
https://github.com/viktorTarasov/OpenSC/commits/minidriver-write-mode


There are some changes that concern both 'write' and 'read-only' modes:

-- the content of 'cardcf' is created with the first successful method in the
following order:
--- the on-card pkcs#15 DATA object (application:'CSP', label:'cardcf');
--- the 'lastUpdate' attribute of tokenInfo. As a 'freshness' value the CRC-32
calculated on 'lastUpdate' is used;
--- a random value.

-- 'cmapfile' (containers) is emulated from the existing privateKey pkcs#15 objects.
If the on-card pkcs#15 DATA object (application:'CSP', label:'cmapfile') is
accessible, then its content is used to update the non-pkcs#15 attributes of the
emulated containers.



In 'write' mode:

-- 'write' mode is activated by setting the 'md_read_only' option to 'false' in
the 'card_atr' section of the OpenSC configuration file;

-- every 'WriteFile' on 'cardcf' updates the on-card pkcs#15 DATA object
'CSP':'cardcf';

-- the 'WriteFile' on the 'cmapfile' is stored in memory and is encoded and
written into the on-card pkcs#15 DATA object (application:'CSP', label:'cmapfile')
when the 'Deauthenticate' procedure is called by BaseCSP.


Tested with an 'AMOS IAS/ECC' card in IE on the Windows XP platform.
The test consisted of the decentralized card enrollment, followed by
authentication to access a protected Web page.



For reasons unknown to me, when generating a key in IE, BaseCSP first tries
to import a 'soft' key instead of generating one on-card.
If the minidriver refuses this attempt, BaseCSP generates the key on-card.

This 'feature' gave the possibility to test both key generation and key import.
(So far I have not managed to import a P#12 with the 'CSP' attribute pointing
to BaseCSP using IE or certmgr.msc.)

No other applications were used for the tests.
It still needs to be tested on the other Windows versions.


Kind regards,
Viktor.
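The 'cardcf' fallback order described in the message above (on-card CSP/cardcf DATA object, then CRC-32 of tokenInfo 'lastUpdate', then a random value), as an added illustration that is not part of the mail thread or of OpenSC's own minidriver code. The 6-byte cardcf layout (version, PIN freshness, container freshness, file freshness) follows the BaseCSP CARD_CACHE_FILE_FORMAT structure; truncating the CRC-32 to a 16-bit freshness word, the dictionary shapes for the PKCS#15 objects, and the sample 'lastUpdate' value are assumptions made for this example:

```python
import binascii
import os
import struct

# Layout of the BaseCSP 'cardcf' cache file (CARD_CACHE_FILE_FORMAT):
# bVersion (1), bPinsFreshness (1), wContainersFreshness (2), wFilesFreshness (2),
# little-endian, 6 bytes in total.
CARDCF_FORMAT = "<BBHH"
CARDCF_LEN = struct.calcsize(CARDCF_FORMAT)


def parse_cardcf(blob):
    """Decode a 6-byte cardcf blob into its named fields."""
    if len(blob) != CARDCF_LEN:
        raise ValueError("cardcf must be %d bytes, got %d" % (CARDCF_LEN, len(blob)))
    version, pins, containers, files = struct.unpack(CARDCF_FORMAT, blob)
    return {"version": version, "pinsFreshness": pins,
            "containersFreshness": containers, "filesFreshness": files}


def freshness_from_last_update(last_update):
    """CRC-32 of tokenInfo.lastUpdate, reduced to a 16-bit freshness word.

    Assumption of this example: the mail only says CRC-32 of 'lastUpdate' is
    used as the freshness value; the low 16 bits are taken here because the
    cardcf freshness fields are 16-bit words.
    """
    crc = binascii.crc32(last_update.encode("ascii")) & 0xFFFFFFFF
    return crc & 0xFFFF


def cardcf_from_data_object(data_objects):
    """1st choice: on-card PKCS#15 DATA object (application:'CSP', label:'cardcf')."""
    for obj in data_objects:
        if obj.get("application") == "CSP" and obj.get("label") == "cardcf":
            value = obj.get("value", b"")
            if len(value) == CARDCF_LEN:
                return bytes(value)
    return None


def cardcf_from_token_info(token_info):
    """2nd choice: synthesise cardcf from tokenInfo.lastUpdate."""
    last_update = token_info.get("lastUpdate")
    if not last_update:
        return None
    fresh = freshness_from_last_update(last_update)
    return struct.pack(CARDCF_FORMAT, 0, 0, fresh, fresh)


def cardcf_random(rng=os.urandom):
    """3rd choice: random freshness values (BaseCSP sees a fresh cache every time)."""
    fresh = struct.unpack("<H", rng(2))[0]
    return struct.pack(CARDCF_FORMAT, 0, 0, fresh, fresh)


def build_cardcf(data_objects, token_info, rng=os.urandom):
    """Return (source, blob) using the first method in the order that succeeds."""
    blob = cardcf_from_data_object(data_objects)
    if blob is not None:
        return "data-object", blob
    blob = cardcf_from_token_info(token_info)
    if blob is not None:
        return "lastUpdate", blob
    return "random", cardcf_random(rng)


if __name__ == "__main__":
    # Constructed sample card: no CSP/cardcf DATA object, but tokenInfo carries lastUpdate,
    # so the second method is the one that succeeds.
    sample_objects = [{"application": "OTHER", "label": "x", "value": b"\x00" * CARDCF_LEN}]
    sample_token = {"lastUpdate": "20110814135700Z"}
    source, blob = build_cardcf(sample_objects, sample_token)
    print(source, blob.hex(), parse_cardcf(blob))
```

The point of the order is that a card written to in 'write' mode carries its own cardcf, so every host that reads it agrees on the freshness counters; the 'lastUpdate' fallback still yields a value that only changes when the token content changes, while the random fallback only guarantees that BaseCSP never trusts a stale cache. On the configuration side, the message's 'write' mode is selected by `md_read_only = false;` inside the matching `card_atr` block of opensc.conf.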


_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel