On 04/09/2011 21:43, Viktor Tarasov wrote:
> On 01/09/2011 20:04, Martin Paljak wrote:
>> Hello,
>> On Aug 29, 2011, at 7:53 , Viktor Tarasov wrote:
>>> I committed the initial version of the minidriver in 'write' mode.
>>> https://github.com/viktorTarasov/OpenSC/commits/minidriver-write-mode
>>>
>>>
>>> There are some changes that concern both 'write' and 'read-only' modes:
>>>
>>> -- the content of 'cardcf' is created with the first successful method in
>>> the following order:
>>> --- the on-card pkcs#15 DATA object (application:'CSP',label:'cardcf');
>>> --- 'lastUpdate' attribute of tokenInfo. As a 'freshness' value the CRC-32
>>> calculated on 'lastUpdate' is used;
>>> --- random value.
>>>
>>> -- 'cmapfile' (containers) is emulated from existing privateKey pkcs#15
>>> objects.
>>> If the on-card pkcs#15 DATA object (application:'CSP',label:'cmapfile')
>>> is accessible, then its content is used to update the non-pkcs#15 attributes
>>> of the emulated containers.
>>>
>>>
>>>
>>> In 'write' mode:
>>> - 'write' mode is activated by setting the 'md_read_only' option to 'false'
>>> in the 'card_atr' section of the OpenSC configuration file;
>>>
>>> -- every 'WriteFile' on 'cardcf' updates the on-card pkcs#15 DATA object
>>> 'CSP':'cardcf'.
>>>
>>> -- the 'WriteFile' on the 'cmapfile' is stored in memory and is encoded and
>>> written into the on-card pkcs#15 DATA object
>>> (application:'CSP',label:'cmapfile') when the 'Deauthenticate' procedure is
>>> called by BaseCSP.
>>>
>>>
>>> Tested with an 'AMOS IAS/ECC' card in IE on the Windows XP platform.
>>> The test consisted of the decentralized card enrollment, followed by
>>> authentication to access the protected Web page.
>>>
>>>
>>>
>>> For reasons unknown (to me), when generating a key in IE, BaseCSP first
>>> tries to import a 'soft' key instead of generating one on-card.
>>> If the minidriver refuses this attempt, BaseCSP generates the key on-card.
>>>
>>> This 'feature' gave the possibility to test key generation and key import.
>>> (So far I have not managed to import a P#12 with the 'CSP' attribute
>>> pointing to BaseCSP using IE or certmgr.msc).
>>>
>>> No other applications were used for tests.
>>> Still needs to be tested on the other Windows versions.
>> Interesting. I'll give Windows 7/64 a try.
>
> Ok, thanks.
> It's roughly 'works-for-me', but I need to test it a bit more, as well as to
> test non-regression with the cards and read-only mode.

I've done a few non-regression tests for the 'read-only' mode on XP with RutokenECP and Athena-ASEPCOS cards -- smartcard logon, authentication in IE. There were no problems.

The only thing is: when importing with the OpenSC pkcs15-init tool a smartcard-logon pkcs#12 that does not have the 'encipherment' key usage in the certificate, the 'decrypt' usage has to be explicitly added with the help of the 'key-usage' argument of the pkcs15-init tool. That's because during smartcard logon, for some reason, Windows&BaseCSP executes 'CardRSADecrypt' on the minidriver. This operation needs the SC_PKCS15_PRKEY_USAGE_DECRYPT flag to be set for the smartcard-logon key on the PKCS#15 side.

So, Martin, it would be wonderful if you could test this MD on Windows 7/64.

Kind regards,
Viktor.

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
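The fallback chain for the emulated 'cardcf' described earlier in the thread (on-card DATA object, then CRC-32 over tokenInfo 'lastUpdate', then a random value), written out as an added example. This is not OpenSC's own minidriver code: the 6-byte cardcf layout (version, PIN freshness, containers freshness, files freshness) follows the public Windows smart card minidriver specification, but how the 32-bit freshness value is spread over those fields, the function names, and the sample 'lastUpdate' string are assumptions made for the example.

```c
/* Added example, not OpenSC code: emulate the minidriver 'cardcf' cache file
 * from PKCS#15 data, in the fallback order described in the mailing-list thread. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* cardcf layout from the Windows smart card minidriver specification:
 * bVersion (1), bPinsFreshness (1), wContainersFreshness (2, little endian),
 * wFilesFreshness (2, little endian). */
#define CARDCF_LEN 6

/* Plain CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320); gives the same
 * result as zlib's crc32() for the same input. */
static uint32_t crc32_buf(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc ^ 0xFFFFFFFFu;
}

/* Which source produced the cardcf content; useful for debug logging. */
enum cardcf_source {
    CARDCF_FROM_DATA_OBJECT = 1,   /* on-card DATA object 'CSP':'cardcf' */
    CARDCF_FROM_LAST_UPDATE = 2,   /* CRC-32 over tokenInfo lastUpdate */
    CARDCF_FROM_RANDOM      = 3    /* random value, last resort */
};

/* Build the cardcf content (hypothetical helper, not an OpenSC API).
 * data_obj/data_len: content of the 'CSP':'cardcf' DATA object, or NULL if
 *   the object is absent or not readable.
 * last_update: tokenInfo lastUpdate string, or NULL if the token has none.
 * rnd: caller-supplied random word, used only for the final fallback
 *   (a real driver would draw it from the RNG at this point). */
static enum cardcf_source build_cardcf(const uint8_t *data_obj, size_t data_len,
                                       const char *last_update, uint32_t rnd,
                                       uint8_t out[CARDCF_LEN])
{
    uint32_t fresh;
    enum cardcf_source src;

    /* 1st choice: the on-card DATA object is taken as-is. */
    if (data_obj && data_len == CARDCF_LEN) {
        memcpy(out, data_obj, CARDCF_LEN);
        return CARDCF_FROM_DATA_OBJECT;
    }
    /* 2nd choice: CRC-32 of lastUpdate as the freshness value. */
    if (last_update && *last_update) {
        fresh = crc32_buf((const uint8_t *)last_update, strlen(last_update));
        src = CARDCF_FROM_LAST_UPDATE;
    } else {
        /* 3rd choice: random value. */
        fresh = rnd;
        src = CARDCF_FROM_RANDOM;
    }
    /* Assumed split of the 32-bit freshness value over the cardcf fields. */
    out[0] = 0;                                 /* bVersion */
    out[1] = (uint8_t)(fresh & 0xFF);           /* bPinsFreshness */
    out[2] = (uint8_t)(fresh & 0xFF);           /* wContainersFreshness, LE */
    out[3] = (uint8_t)((fresh >> 8) & 0xFF);
    out[4] = (uint8_t)((fresh >> 16) & 0xFF);   /* wFilesFreshness, LE */
    out[5] = (uint8_t)((fresh >> 24) & 0xFF);
    return src;
}

int main(void)
{
    /* Constructed sample: a token with a lastUpdate but no cardcf DATA object. */
    const char *sample_last_update = "20110904214300Z";
    uint8_t cf[CARDCF_LEN];
    enum cardcf_source src = build_cardcf(NULL, 0, sample_last_update, 0, cf);

    printf("source=%d cardcf=", (int)src);
    for (int i = 0; i < CARDCF_LEN; i++)
        printf("%02X", cf[i]);
    printf("\n");
    return 0;
}
```

A reader comparing this with a real card can check the CRC-32 independently (for instance with `python -c 'import zlib; print(hex(zlib.crc32(b"20110904214300Z")))'`), and the returned source value shows which branch of the fallback chain produced the file.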