Hi,

On Friday, 25. May 2012, Martin Paljak wrote:

> In the long run, I don't think that it helps to emulate a filesystem
> on top of non-filesystem cards (like OpenPGP or Muscle). Or to try to
> make it fit into the filesystem-oriented stack of OpenSC.
Why?
If it works (even in a limited/restricted way), it is better than not having 
any support at all.

After all, the OpenPGP card / GPF Cryptostick is one of those smartcards / 
tokens that can be bought by individuals in small quantities.

> It is nice to be able to poke around with opensc-explorer, but the
> notion of a file and a path should mean that the file is actually
> selectable with ISO SELECT command. Which is not true (a plain APDU,
> outside of the libopensc emulation layer, would fail).
I do not understand that argument, especially if we're talking about
an emulation within the opensc software stack.
Why should it matter that the emulation does not exist outside opensc?
When it works (even only partially) with opensc, it works.
When it does not work with opensc it works nowhere.

> In case of OpenPGP, where no files or PKCS#15 data structures are
> written to the card (the card already has a fixed profile, with fixed
> data slots), it makes no sense. The main utility of pkcs15-init is
> creating (and storing) PKCS#15 ASN.1 structures to the card, when such
> slots for keys or certificates are created as a side-product. If ASN.
> shall not be created, pkcs15-init should IMHO not be used.
Well, pkcs15-init might not be the tool suitable for the job.
But please, let Quân continue trying - maybe he can make the emulation work.
All his changes were in files specific to the OpenPGP cards only (card-openpgp.c, pkcs15-openpgp.c).

If his approach ("try to make the emulation so good that it allows using the 
standard tools") does not work out, extending the new openpgp-tool to do what 
he wants should be even easier.

> The fact that pkcs15-init is the main interface for generating
> keys/storing certificates, is thus somewhat misleading. You can't
> create more keys than 3 on OpenPGP, nor can you write more
> certificates. You can't create additional arbitrary "slots" on the
> card.
Yes, but you can (re)create any of the three keys and import keys into any of 
the three existing slots.
If the emulation becomes good enough to support that, then why not use it?

> Maybe it would be better to have a single "sticky pkcs15-ish mapping
> for a fixed profile card" in a single location (like the pkcs15
> emulation drivers) and allow pkcs15-tool (which does not try to create
> any PKCS#15 structures) to re-generate exposed key slots and replace
> exposed certificate slots. And extend that API as needed.
As I explained above: all of Quân's changes for OpenPGP card support
are limited to the files responsible for OpenPGP cards:
  src/lib/opensc/{card,pkcs15}-openpgp.c

Any other changes he made fix omissions in existing tools, e.g. he made 
opensc-explorer's do_put command really functional instead of only printing 
the usage message.

Best
Peter
-- 
Peter Marschall
pe...@adpm.de
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel