On 15/12/2011 18:29, Douglas E. Engert wrote:
>
>
> On 12/15/2011 4:47 AM, Viktor Tarasov wrote:
>> On 15/12/2011 09:21, Viktor Tarasov wrote:
>>> Hello Douglas,
>>>
>>>
>>> On 14/12/2011 23:11, Douglas E. Engert wrote:
>>>>
>>>> On 12/14/2011 2:14 PM, Douglas E. Engert wrote:
>>>>>
>>>>> I am able to use the:
>>>>> https://www.opensc-project.org/codereview/
>>>>> and login with the Google account from work.
>>>>> Then find the changes from 12/8, which include Viktor's SM code
>>>>> that has my ECDH code included:
>>>>>
>>>>> git clone -b staging https://myuse...@www.opensc-project.org/codereview/p/OpenSC some_dir
>>>>> and
>>>>> git fetch https://myuse...@www.opensc-project.org/codereview/p/OpenSC refs/changes/10/210/1
>>>>>
>>>>> Am testing it right now. There are some issues with the sc_app_info
>>>>> being null.
>>>>> Hope to have a patch later today.
>>>>
>>>> Attached is a patch to Viktor's code as found on Gerrit I258bde6a.
>>>> I added a review to this but being new to Gerrit, I was not sure how
>>>> to add the patch, or if Viktor should add it, or if this is the right
>>>> change to start with.
>>>>
>>>> I needed this patch to allow the PIV card with RSA to work with this
>>>> code base. It would not work with PKCS#11 as the framework->bind was
>>>> not being called. After fixing that, there were a number of places
>>>> where a NULL appl_info would cause a segfault. There may be other
>>>> places too.
>>>>
>>>> I expect other cards that do not have an application to also fail.
>>>>
>>>> I started with this base because it has my ECDH code included, that I
>>>> still need to test.
>>>
>>>
>>> Ok, thanks.
>>> I will look, test and apply it into SM branch.
>>
>> https://github.com/viktorTarasov/OpenSC/commit/4352d9aed483010762c575b8bf09ae3023cb1b72
>> https://github.com/viktorTarasov/OpenSC/commit/4a6e0d779578d009ebac7d3246a9a3a8e37eab14
>>
>> By the way, IMHO, the PIN flags of the PIV PKCS#15 emulated card should be
>> reconsidered.
>> I would suggest to:
>> - add 'INITIALIZED' flag;
>> - remove 'LOCAL' (look "ISO 7816-15 8.9.2 Password attributes"). As for me,
>>   every PIN without path has to be the 'global' one.
>
> The newer cards may have a "Discovery Object" that can specify
> if the Global PIN and/or the PIV card application PIN can be used,
> and which one the card holder prefers. NIST 800-73-3 Part 1 Section 3.2.6.
>
> The default if no Discovery object is found is LOCAL.
> What I should do is turn off the LOCAL bit, if the Discovery object says
> the Global PIN can be used. I already change the label, in pkcs15-piv.c
> if the Discovery object says use the Global PIN.
>
> I will add the INITIALIZED flag.
>
> NIST has looked at PIV vs PKCS15/ISO 7816-15 cards in 2006, but
> has not done anything about it:
>
> http://csrc.nist.gov/publications/nistir/ir7284/nistir-7284.pdf

Ok, the essential part is the 'INITIALIZED' flag. As for the 'LOCAL' flag, as you like.

Just one note: currently, in the restricted opensc-pkcs11 configuration (one slot
for 'UserPIN'), the 'UserPIN' is selected by pkcs11's 'pkcs15' framework following
the rules:
- first 'global' PIN;
- if no 'global' PINs found -- first 'local' PIN.

These rules could not satisfy all card configurations, and so are open for
suggestions.

>
>>
>> Kind regards,
>> Viktor.
>>
>