Hello,

On Fri, May 18, 2012 at 12:59 PM, Nguyễn Hồng Quân <quanngu...@mbm.vn> wrote:
> Hello all,
>
> I need a help to create pkcs15init profile structure so that I can
> change/rewrite the canonical path.
>
> In general, the path to a file AABB in PKCS15 is as: 3F005015AABB, in
> which 3F00 is the MF, 5015 is the PKCS15-AppDF's file-id.
>
> Now, because the virtual file system of my OpenPGP card (which is
> non-pkcs15) is constructed as:
> MF (3F00)
>   |
>   +-- File_1 (AABB)
>   |
>   +-- File_2 (AACC)
>   |
>   +-- Directory (DDCC)
>         |
>         +-- File_3 (CCEE)
>
> the real path to the file is 3F00AABB.
> How would I define the profile file to omit the PKCS15-AppDF, i.e. the
> "5015", in the path?

In the long run, I don't think that it helps to emulate a filesystem
on top of non-filesystem cards (like OpenPGP or Muscle). Or to try to
make it fit into the filesystem-oriented stack of OpenSC.

It is nice to be able to poke around with opensc-explorer, but the
notion of a file and a path should mean that the file is actually
selectable with ISO SELECT command. Which is not true (a plain APDU,
outside of the libopensc emulation layer, would fail).

In the case of OpenPGP, where no files or PKCS#15 data structures are
written to the card (the card already has a fixed profile, with fixed
data slots), it makes no sense. The main utility of pkcs15-init is
creating (and storing) PKCS#15 ASN.1 structures on the card, when such
slots for keys or certificates are created as a side-product. If ASN.1
shall not be created, pkcs15-init should IMHO not be used.

The fact that pkcs15-init is the main interface for generating
keys/storing certificates is thus somewhat misleading. You can't
create more keys than 3 on OpenPGP, nor can you write more
certificates. You can't create additional arbitrary "slots" on the
card.

Maybe it would be better to have a single "sticky pkcs15-ish mapping
for a fixed profile card" in a single location (like the pkcs15
emulation drivers) and allow pkcs15-tool (which does not try to create
any PKCS#15 structures) to re-generate exposed key slots and replace
exposed certificate slots. And extend that API as needed.


Martin
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel