Re: [opensc-devel] [opensc-commits] svn opensc changed [3757] add GOST R 34.10-2001 algorithm (only PKCS#11) by Aktiv Co.
The pkcs11.h hunk looks right.

On Tue, Oct 6, 2009 at 8:08 AM, Andreas Jellinghaus wrote:
>> When updating pkcs11.h, please sync with scute [1]
>> Maintainer is at [2].
>
> no worries, I will take care of that. is the patch ok
> otherwise? then I will apply it.
>
> Regards, Andreas

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] new opensc 0.11.* release?
On Saturday 03 October 2009 10:05:37, Andreas Jellinghaus wrote:
> Hi,
>
> shall we create a new opensc 0.11.* release? things to wait for
> before we create such a release?

Aleksey committed the latest rutoken changes for GOST algorithm, I added the pending patches for westcos driver and GemsafeV2 emulation.

Is there anything else? Shall we create a new 0.11.* release?

Regards, Andreas
Re: [opensc-devel] new opensc 0.11.* release?
On Monday 05 October 2009 08:48:07, François Leblanc wrote:
> >Hi,
> >
> >shall we create a new opensc 0.11.* release? things to wait for
> >before we create such a release?
>
> Hi Andreas,
>
> Maybe you should add my patch to permit building opensc without openssl and
> patch from Aktiv Co. Aleksey Samsonov before making a new release.
>
> These two patches concern the westcos card.

thanks, both committed.

Andreas
Re: [opensc-devel] [opensc-commits] svn opensc changed [3757] add GOST R 34.10-2001 algorithm (only PKCS#11) by Aktiv Co.
> When updating pkcs11.h, please sync with scute [1]
> Maintainer is at [2].

no worries, I will take care of that. is the patch ok otherwise? then I will apply it.

Regards, Andreas
[opensc-devel] [PATCH] pam_pkcs11: fix buildsystem
Hi,

I'm a Gentoo Linux developer and I recently got my hands on a token that works with opensc, so I started looking into improving our support for it in PAM (I'm the maintainer of the PAM packages).

Looking at pam_pkcs11 I found that the build system is slightly sub-optimal, in the sense that it builds, by default, static objects for plugins (like the PAM module itself), and uses a custom override rule for install to avoid installing the static version. It also installs the examples in the datadir instead of the docdir (which is what you would probably want, even the manual on the site refers to /usr/share/doc).

The attached patch fixes both problems, and at the same time defines a pamdir variable that can be used to select a different location for the PAM module (not all systems use the same path).

HTH!

--
Diego Elio Pettenò — “Flameeyes”
http://blog.flameeyes.eu/

If you found a .asc file in this mail and know not what it is, it's a GnuPG digital signature: http://www.gnupg.org/

Index: pam_pkcs11-0.6.1/etc/Makefile.am === --- pam_pkcs11-0.6.1.orig/etc/Makefile.am +++ pam_pkcs11-0.6.1/etc/Makefile.am @@ -10,4 +10,4 @@ EXTRA_DIST = pam_pkcs11.conf.example \ pkcs11_eventmgr.conf.example \ card_eventmgr.conf.example -pkgdata_DATA = $(EXTRA_DIST) +doc_DATA = $(EXTRA_DIST) Index: pam_pkcs11-0.6.1/src/pam_pkcs11/Makefile.am === --- pam_pkcs11-0.6.1.orig/src/pam_pkcs11/Makefile.am +++ pam_pkcs11-0.6.1/src/pam_pkcs11/Makefile.am 
@@ -5,17 +5,15 @@ MAINTAINERCLEANFILES = Makefile.in AM_CFLAGS = -Wall -fno-strict-aliasing $(CRYPTO_CFLAGS) AM_CPPFLAGS = -Wall -fno-strict-aliasing $(CRYPTO_CFLAGS) -lib_LTLIBRARIES = pam_pkcs11.la +pamdir=$(libdir)/security + +pam_LTLIBRARIES = pam_pkcs11.la pam_pkcs11_la_SOURCES = pam_pkcs11.c \ mapper_mgr.c mapper_mgr.h \ pam_config.c pam_config.h -pam_pkcs11_la_LDFLAGS = -module -avoid-version +pam_pkcs11_la_LDFLAGS = -module -avoid-version -shared pam_pkcs11_la_LIBADD = $(LIBMAPPERS) $(CRYPTO_LIBS) -install: - $(mkinstalldirs) $(DESTDIR)/$(libdir)/security - $(libLTLIBRARIES_INSTALL) $(top_builddir)/src/pam_pkcs11/.libs/pam_pkcs11.so $(DESTDIR)/$(libdir)/security - format: indent *.c *.h Index: pam_pkcs11-0.6.1/src/mappers/Makefile.am === --- pam_pkcs11-0.6.1.orig/src/mappers/Makefile.am +++ pam_pkcs11-0.6.1/src/mappers/Makefile.am 
@@ -52,56 +52,56 @@ lib_LTLIBRARIES = opensc_mapper.la opens endif openssh_mapper_la_SOURCES = openssh_mapper.c openssh_mapper.h -openssh_mapper_la_LDFLAGS = -module -avoid-version +openssh_mapper_la_LDFLAGS = -module -avoid-version -shared openssh_mapper_la_LIBADD = libmappers.la # generic_mapper_la_SOURCES = generic_mapper.c generic_mapper.h -# generic_mapper_la_LDFLAGS = -module -avoid-version +# generic_mapper_la_LDFLAGS = -module -avoid-version -shared # generic_mapper_la_LIBADD = libmappers.la # subject_mapper_la_SOURCES = subject_mapper.c subject_mapper.h -# subject_mapper_la_LDFLAGS = -module -avoid-version +# subject_mapper_la_LDFLAGS = -module -avoid-version -shared # subject_mapper_la_LIBADD = libmappers.la if HAVE_LDAP ldap_mapper_la_SOURCES = ldap_mapper.c ldap_mapper.h -ldap_mapper_la_LDFLAGS = -module -avoid-version +ldap_mapper_la_LDFLAGS = -module -avoid-version -shared ldap_mapper_la_LIBADD = libmappers.la endif opensc_mapper_la_SOURCES = opensc_mapper.c opensc_mapper.h -opensc_mapper_la_LDFLAGS = -module -avoid-version +opensc_mapper_la_LDFLAGS = -module -avoid-version -shared opensc_mapper_la_LIBADD = libmappers.la # mail_mapper_la_SOURCES = mail_mapper.c mail_mapper.h -# mail_mapper_la_LDFLAGS = -module -avoid-version +# mail_mapper_la_LDFLAGS = -module -avoid-version -shared # mail_mapper_la_LIBADD = libmappers.la # ms_mapper_la_SOURCES = ms_mapper.c ms_mapper.h -# ms_mapper_la_LDFLAGS = -module -avoid-version +# ms_mapper_la_LDFLAGS = -module -avoid-version -shared # ms_mapper_la_LIBADD = libmappers.la # krb_mapper_la_SOURCES = krb_mapper.c krb_mapper.h -# krb_mapper_la_LDFLAGS = -module -avoid-version +# krb_mapper_la_LDFLAGS = -module -avoid-version -shared # krb_mapper_la_LIBADD = libmappers.la # cn_mapper_la_SOURCES = cn_mapper.c cn_mapper.h -# cn_mapper_la_LDFLAGS = -module -avoid-version +# cn_mapper_la_LDFLAGS = -module -avoid-version -shared # cn_mapper_la_LIBADD = libmappers.la # uid_mapper_la_SOURCES = uid_mapper.c uid_mapper.h -# 
uid_mapper_la_LDFLAGS = -module -avoid-version +# uid_mapper_la_LDFLAGS = -module -avoid-version -shared # uid_mapper_la_LIBADD = libmappers.la # pwent_mapper_la_SOURCES = pwent_mapper.c pwent_mapper.h -# pwent_mapper_la_LDFLAGS = -module -avoid-version +# pwent_mapper_la_LDFLAGS = -module -avoid-version -shared # pwent_mapper_la_LIBADD = libmappers.la # digest_mapper_la_SOURCES = digest_mapper.c digest_mapper.h -#
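Review bot: With pam_LTLIBRARIES in src/pam_pkcs11/Makefile.am the libtool install step will also place pam_pkcs11.la in $(libdir)/security, which the removed install: rule did not do because it copied only .libs/pam_pkcs11.so. If the .la file is not wanted next to the PAM modules, remove it in an install hook. In the same hunk pamdir is assigned unconditionally, so choosing another location depends on overriding it on every make invocation; a configure option substituted into the Makefile would record the choice once.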
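Review bot: Most of the changed lines in the src/mappers/Makefile.am hunk only append -shared to commented-out *_la_LDFLAGS entries (generic, subject, mail, ms, krb, cn, uid, pwent), which is churn with no effect on the build; restrict the change to the live openssh, ldap and opensc mappers. The hunk's context line also shows the mappers still listed under lib_LTLIBRARIES, so they keep installing into libdir itself while the PAM module moves to pamdir; if that split is intended, say so in the patch description.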
Re: [opensc-devel] [opensc-commits] svn opensc changed [3757] add GOST R 34.10-2001 algorithm (only PKCS#11) by Aktiv Co.
On Mon, Oct 5, 2009 at 8:40 PM, wrote:
> Modified: trunk/src/pkcs11/pkcs11.h > === > --- trunk/src/pkcs11/pkcs11.h 2009-10-03 17:04:32 UTC (rev 3756) > +++ trunk/src/pkcs11/pkcs11.h 2009-10-05 18:40:51 UTC (rev 3757) > @@ -356,6 +356,7 @@ > #define CKK_AES (0x1fUL) > #define CKK_BLOWFISH (0x20UL) > #define CKK_TWOFISH (0x21UL) > +#define CKK_GOSTR3410 (0x30UL) > #define CKK_VENDOR_DEFINED (1UL << 31) > > > @@ -433,6 +434,9 @@ > #define CKA_AUTH_PIN_FLAGS (0x201UL) > #define CKA_ALWAYS_AUTHENTICATE (0x202UL) > #define CKA_WRAP_WITH_TRUSTED (0x210UL) > +#define CKA_GOSTR3410_PARAMS (0x250UL) > +#define CKA_GOSTR3411_PARAMS (0x251UL) > +#define CKA_GOST28147_PARAMS (0x252UL) > #define CKA_HW_FEATURE_TYPE (0x300UL) > #define CKA_RESET_ON_INIT (0x301UL) > #define CKA_HAS_RESET (0x302UL) > @@ -669,6 +673,10 @@ > #define CKM_AES_MAC (0x1083UL) > #define CKM_AES_MAC_GENERAL (0x1084UL) > #define CKM_AES_CBC_PAD (0x1085UL) > +#define CKM_GOSTR3410_KEY_PAIR_GEN (0x1200UL) > +#define CKM_GOSTR3410 (0x1201UL) > +#define CKM_GOSTR3410_WITH_GOSTR3411 (0x1202UL) > +#define CKM_GOSTR3411 (0x1210UL) > #define CKM_DSA_PARAMETER_GEN (0x2000UL) > #define CKM_DH_PKCS_PARAMETER_GEN (0x2001UL) > #define CKM_X9_42_DH_PARAMETER_GEN (0x2002UL)

When updating pkcs11.h, please sync with scute [1]
Maintainer is at [2]. Submit patches to them so eventually we maintain only one oss version.

Thanks!

[1] http://www.scute.org/
[2] http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/trunk/src/pkcs11.h?rev=96&root=Scute&view=auto
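Review bot: None of the three hunks records where the new GOST values (0x30, 0x250 to 0x252, 0x1200 to 0x1210) come from, and they sit between long-standing constants with nothing to mark them as a later addition. Add a short comment above each added group naming the PKCS#11 document that defines them, so that a later sync of this header with another copy can check the numbers against the same source.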
Re: [opensc-devel] add new public key algorithm (GOSTR3410)
Hello,

Patch applied in revision 3757.

Aleksey Samsonov wrote:
> Hello!
> I propose a patch to add GOST R 34.10-2001 algorithm (only PKCS#11 for
> the present). PKCS#11 and GOST:
> ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-30/pkcs-11v2-30m1-d7.pdf
> This patch is the first step. If it is OK, I'll do:
> - cleanup code
> - add support to tools (pkcs15-init pkcs15-tool pkcs11-tool)
> - add off-card GOSTR3410 keypair generation
> - add GOST R 34.11-94 (CKM_GOSTR3410)
> Patch for trunk revision 3743 attached. Could you please add it?
> Thanks
Re: [opensc-devel] PKCS#11 and PKCS#15 with cyberflex 32k or 64k
Peter Stuge wrote:
> gilles Bernabé wrote:
>> when i load it on the card, in the fields of the certificate : E:...,
>> CN:.., ., i've got "OID.2.5.4.0" on the card and just "O" (for
>> organisation) when i load it in the webbrowser in format pkcs12,
>
> So is this a bug in something ASN.1 in OpenSC, or in the applet?
> Sounds like a malformed or unusual certificate.

OID 2.5.4.0 is for objectClass which is not normally used in a DN. So different applications might print different strings (or the OID number) for this OID. (O= for objectClass could be used, but is misleading as O= is usually used for Organization.)

See: http://www.alvestrand.no/objectid/2.5.4.0.html

Can you send the certificate? (PEM encoding would be best.)

>
> //Peter

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Re: [opensc-devel] [PATCH] Fix OpenSC PKCS#11 object grouping
On Mon, 5 Oct 2009 11:28:12 +0300 Martin Paljak wrote:
>
> On 05.10.2009, at 11:01, Pierre Ossman wrote:
> > New attempt, this time against r3756 (r18006 was our internal repo, for
> > those curious :)), as an attachment and without a signature on the
> > mail. Hopefully everyone can read it this time.
> Applies and works for me.
>

Glad to hear it. Does that also mean it will get merged in trunk?

>
> > Oh yeah, I also forgot to mention that this patch also adds some more
> > debug output. I found it helpful to see how the library chooses to
> > associate objects, even though it currently only prints the index
> > number.
> Maybe you can improve it so that it would log object/auth IDs? This
> would facilitate better debugging by looking at pkcs15-tool -D and
> then pkcs#11 debug log?
>

Sure. Included patch gives this debug output:

[opensc-pkcs11] framework-pkcs15.c:559:pkcs15_bind_related_objects: Looking for objects related to object 0
[opensc-pkcs11] framework-pkcs15.c:467:__pkcs15_prkey_bind_related: Object is a private key and has id 45
[opensc-pkcs11] framework-pkcs15.c:559:pkcs15_bind_related_objects: Looking for objects related to object 1
[opensc-pkcs11] framework-pkcs15.c:467:__pkcs15_prkey_bind_related: Object is a private key and has id 46
[opensc-pkcs11] framework-pkcs15.c:559:pkcs15_bind_related_objects: Looking for objects related to object 2
[opensc-pkcs11] framework-pkcs15.c:509:__pkcs15_cert_bind_related: Object is a certificate and has id 45
[opensc-pkcs11] framework-pkcs15.c:538:__pkcs15_cert_bind_related: Associating object 0 as private key
[opensc-pkcs11] framework-pkcs15.c:559:pkcs15_bind_related_objects: Looking for objects related to object 3
[opensc-pkcs11] framework-pkcs15.c:559:pkcs15_bind_related_objects: Looking for objects related to object 4
[opensc-pkcs11] framework-pkcs15.c:509:__pkcs15_cert_bind_related: Object is a certificate and has id 46
[opensc-pkcs11] framework-pkcs15.c:538:__pkcs15_cert_bind_related: Associating object 1 as private key
[opensc-pkcs11] framework-pkcs15.c:559:pkcs15_bind_related_objects: Looking for objects related to object 5
[opensc-pkcs11] framework-pkcs15.c:559:pkcs15_bind_related_objects: Looking for objects related to object 6
[opensc-pkcs11] framework-pkcs15.c:509:__pkcs15_cert_bind_related: Object is a certificate and has id 45
[opensc-pkcs11] framework-pkcs15.c:538:__pkcs15_cert_bind_related: Associating object 0 as private key
[opensc-pkcs11] framework-pkcs15.c:528:__pkcs15_cert_bind_related: Associating object 10 (id 47) as issuer
[opensc-pkcs11] framework-pkcs15.c:559:pkcs15_bind_related_objects: Looking for objects related to object 7
[opensc-pkcs11] framework-pkcs15.c:559:pkcs15_bind_related_objects: Looking for objects related to object 8
[opensc-pkcs11] framework-pkcs15.c:509:__pkcs15_cert_bind_related: Object is a certificate and has id 46
[opensc-pkcs11] framework-pkcs15.c:538:__pkcs15_cert_bind_related: Associating object 1 as private key
[opensc-pkcs11] framework-pkcs15.c:528:__pkcs15_cert_bind_related: Associating object 10 (id 47) as issuer
[opensc-pkcs11] framework-pkcs15.c:559:pkcs15_bind_related_objects: Looking for objects related to object 9
[opensc-pkcs11] framework-pkcs15.c:559:pkcs15_bind_related_objects: Looking for objects related to object 10
[opensc-pkcs11] framework-pkcs15.c:509:__pkcs15_cert_bind_related: Object is a certificate and has id 47
[opensc-pkcs11] framework-pkcs15.c:559:pkcs15_bind_related_objects: Looking for objects related to object 11

Note that several certificates share id, which means that id isn't enough to distinguish them (which also means that the opensc tools are unable to properly use this card since they use ids heavily :/).

Rgds
--
Pierre Ossman            OpenSource-based Thin Client Technology
System Developer         Telephone: +46-13-21 46 00
Cendio AB                Web: http://www.cendio.com

Index: src/pkcs11/framework-pkcs15.c === --- src/pkcs11/framework-pkcs15.c (revision 18042) +++ src/pkcs11/framework-pkcs15.c (working copy) 
@@ -463,6 +463,9 @@ sc_pkcs15_id_t *id = &pk->prv_info->id; unsigned int i; + sc_debug(context, "Object is a private key and has id %s", + sc_pkcs15_print_id(id)); + for (i = 0; i < fw_data->num_objects; i++) { struct pkcs15_any_object *obj = fw_data->objects[i]; @@ -502,21 +505,27 @@ sc_pkcs15_id_t *id = &cert->cert_info->id; unsigned int i; + sc_debug(context, "Object is a certificate and has id %s", + sc_pkcs15_print_id(id)); + /* Loop over all objects to see if we find the certificate of * the issuer and the associated private key */ for (i = 0; i < fw_data->num_objects; i++) { struct pkcs15_any_object *obj = fw_data->objects[i]; if (is_cert(obj) && obj != (struct pkcs15_any_object *) cert) { + struct pkcs15_cert_object *cert2; struct sc_pkcs15_cert *c2; - c2 = ((struct pkcs15_cert_obje
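Review bot: The diff header names revision 18042 as its base, which is not a trunk revision in this thread (trunk was at r3756 and r3757), and the first hunk starts at line 463 where the earlier patch against r3756 touched the same function near line 484. State whether this applies on top of the earlier grouping patch or replaces it, and regenerate it against trunk so the offsets match what will be committed.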
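The id collision noted in the message above can be read out of this debug output mechanically. The Python below is an added example, not part of the original post or of OpenSC; the sample lines are constructed in the format of the quoted output, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the opensc-pkcs11 debug output quoted above.
SAMPLE_LOG = """\
[opensc-pkcs11] framework-pkcs15.c:559:pkcs15_bind_related_objects: Looking for objects related to object 0
[opensc-pkcs11] framework-pkcs15.c:467:__pkcs15_prkey_bind_related: Object is a private key and has id 45
[opensc-pkcs11] framework-pkcs15.c:559:pkcs15_bind_related_objects: Looking for objects related to object 2
[opensc-pkcs11] framework-pkcs15.c:509:__pkcs15_cert_bind_related: Object is a certificate and has id 45
[opensc-pkcs11] framework-pkcs15.c:538:__pkcs15_cert_bind_related: Associating object 0 as private key
[opensc-pkcs11] framework-pkcs15.c:559:pkcs15_bind_related_objects: Looking for objects related to object 6
[opensc-pkcs11] framework-pkcs15.c:509:__pkcs15_cert_bind_related: Object is a certificate and has id 45
[opensc-pkcs11] framework-pkcs15.c:538:__pkcs15_cert_bind_related: Associating object 0 as private key
[opensc-pkcs11] framework-pkcs15.c:528:__pkcs15_cert_bind_related: Associating object 10 (id 47) as issuer
[opensc-pkcs11] framework-pkcs15.c:559:pkcs15_bind_related_objects: Looking for objects related to object 10
[opensc-pkcs11] framework-pkcs15.c:509:__pkcs15_cert_bind_related: Object is a certificate and has id 47
"""

LOOKING = re.compile(r"Looking for objects related to object (\d+)")
KIND = re.compile(r"Object is a (private key|certificate) and has id (\S+)")
ASSOC = re.compile(
    r"Associating object (\d+)(?: \(id \S+\))? as (private key|public key|issuer)")


def parse_bind_log(text):
    """Return {object index: {"kind", "id", "links": {role: target index}}}."""
    objects, current = {}, None
    for line in text.splitlines():
        if (m := LOOKING.search(line)):
            current = int(m.group(1))
            objects[current] = {"kind": None, "id": None, "links": {}}
        elif current is None:
            continue  # ignore anything before the first object header
        elif (m := KIND.search(line)):
            objects[current]["kind"], objects[current]["id"] = m.groups()
        elif (m := ASSOC.search(line)):
            objects[current]["links"][m.group(2)] = int(m.group(1))
    return objects


def shared_cert_ids(objects):
    """PKCS#15 ids carried by more than one certificate object."""
    by_id = defaultdict(list)
    for index, obj in sorted(objects.items()):
        if obj["kind"] == "certificate":
            by_id[obj["id"]].append(index)
    return {pid: idxs for pid, idxs in by_id.items() if len(idxs) > 1}


def certs_per_private_key(objects):
    """Private key objects that more than one certificate was bound to."""
    by_key = defaultdict(list)
    for index, obj in sorted(objects.items()):
        if obj["kind"] == "certificate" and "private key" in obj["links"]:
            by_key[obj["links"]["private key"]].append(index)
    return {key: certs for key, certs in by_key.items() if len(certs) > 1}


if __name__ == "__main__":
    parsed = parse_bind_log(SAMPLE_LOG)
    print("certificates sharing an id:", shared_cert_ids(parsed))
    print("private keys bound to several certificates:", certs_per_private_key(parsed))
```

Objects that log no type line (hidden objects or types the binder does not handle) are kept with kind None, so they never count towards a collision.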
Re: [opensc-devel] [PATCH] Fix OpenSC PKCS#11 object grouping
On 05.10.2009, at 11:01, Pierre Ossman wrote:
> New attempt, this time against r3756 (r18006 was our internal repo, for
> those curious :)), as an attachment and without a signature on the
> mail. Hopefully everyone can read it this time.

Applies and works for me.

> Oh yeah, I also forgot to mention that this patch also adds some more
> debug output. I found it helpful to see how the library chooses to
> associate objects, even though it currently only prints the index
> number.

Maybe you can improve it so that it would log object/auth IDs? This would facilitate better debugging by looking at pkcs15-tool -D and then pkcs#11 debug log?

Thanks,
--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495
Re: [opensc-devel] [PATCH] Fix OpenSC PKCS#11 object grouping
On Sat, 3 Oct 2009 11:00:16 +0300 Martin Paljak wrote:
> Hi,
>
> I can't use it:
>
> $ patch -p0 < ../pkcs11.diff
> patching file src/pkcs11/framework-pkcs15.c
> patch: malformed patch at line 10: struct pkcs15_prkey_object {
>
> Please provide a new patch against trunk (which is not @ r18006) as an
> attachment.
>

New attempt, this time against r3756 (r18006 was our internal repo, for those curious :)), as an attachment and without a signature on the mail. Hopefully everyone can read it this time.

Oh yeah, I also forgot to mention that this patch also adds some more debug output. I found it helpful to see how the library chooses to associate objects, even though it currently only prints the index number.

Rgds
--
Pierre Ossman            OpenSource-based Thin Client Technology
System Developer         Telephone: +46-13-21 46 00
Cendio AB                Web: http://www.cendio.com

Index: src/pkcs11/framework-pkcs15.c === --- src/pkcs11/framework-pkcs15.c (revision 3756) +++ src/pkcs11/framework-pkcs15.c (working copy) @@ -82,6 +82,7 @@ #define cert_p15obj base.p15_object #define cert_pubkey base.related_pubkey #define cert_issuer base.related_cert +#define cert_prvkey base.related_privkey struct pkcs15_prkey_object { struct pkcs15_any_object base; @@ -91,7 +92,6 @@ #define prv_flags base.base.flags #define prv_p15obj base.p15_object #define prv_pubkey base.related_pubkey -#define prv_cert base.related_cert #define prv_next base.related_privkey struct pkcs15_pubkey_object { @@ -102,7 +102,7 @@ }; #define pub_flags base.base.flags #define pub_p15obj base.p15_object -#define pub_cert base.related_cert +#define pub_genfrom base.related_cert #define __p15_type(obj) (((obj) && (obj)->p15_object)? ((obj)->p15_object->type) : (unsigned int)-1) #define is_privkey(obj) (__p15_type(obj) == SC_PKCS15_TYPE_PRKEY_RSA) 
@@ -346,7 +346,7 @@ } else obj2->pub_data = NULL; /* will copy from cert when cert is read */ - obj2->pub_cert = object; + obj2->pub_genfrom = object; object->cert_pubkey = obj2; if (cert_object != NULL) @@ -484,18 +484,12 @@ *pp = (struct pkcs15_prkey_object *) obj; } } else - if (is_cert(obj) && !pk->prv_cert) { - struct pkcs15_cert_object *cert; - - cert = (struct pkcs15_cert_object *) obj; - if (sc_pkcs15_compare_id(&cert->cert_info->id, id)) -pk->prv_cert = cert; - } else if (is_pubkey(obj) && !pk->prv_pubkey) { struct pkcs15_pubkey_object *pubkey; pubkey = (struct pkcs15_pubkey_object *) obj; if (sc_pkcs15_compare_id(&pubkey->pub_info->id, id)) { +sc_debug(context, "Associating object %d as public key", i); pk->prv_pubkey = pubkey; if (pk->prv_info->modulus_length == 0) pk->prv_info->modulus_length = pubkey->pub_info->modulus_length; 
@@ -507,25 +501,37 @@ static void __pkcs15_cert_bind_related(struct pkcs15_fw_data *fw_data, struct pkcs15_cert_object *cert) { - struct sc_pkcs15_cert *c1 = cert->cert_data, *c2; + struct sc_pkcs15_cert *c1 = cert->cert_data; + sc_pkcs15_id_t *id = &cert->cert_info->id; unsigned int i; - /* Loop over all certificates see if we find the certificate of - * the issuer */ + /* Loop over all objects to see if we find the certificate of + * the issuer and the associated private key */ for (i = 0; i < fw_data->num_objects; i++) { struct pkcs15_any_object *obj = fw_data->objects[i]; - if (!is_cert(obj) || obj == (struct pkcs15_any_object *) cert) - continue; + if (is_cert(obj) && obj != (struct pkcs15_any_object *) cert) { + struct sc_pkcs15_cert *c2; - c2 = ((struct pkcs15_cert_object *) obj)->cert_data; + c2 = ((struct pkcs15_cert_object *) obj)->cert_data; - if (!c1 || !c2 || !c1->issuer_len || !c2->subject_len) - continue; - if (c1->issuer_len == c2->subject_len - && !memcmp(c1->issuer, c2->subject, c1->issuer_len)) { - cert->cert_issuer = (struct pkcs15_cert_object *) obj; - return; + if (!c1 || !c2 || !c1->issuer_len || !c2->subject_len) +continue; + if (c1->issuer_len == c2->subject_len + && !memcmp(c1->issuer, c2->subject, c1->issuer_len)) { +sc_debug(context, "Associating object %d as issuer", i); +cert->cert_issuer = (struct pkcs15_cert_object *) obj; +return; + } + } else + if (is_privkey(obj) && !cert->cert_prvkey) { + struct pkcs15_prkey_object *pk; + + pk = (struct pkcs15_prkey_object *) obj; + if (sc_pkcs15_compare_id(&pk->prv_info->id, id)) { +sc_debug(context, "Associating object %d as private key", i); +cert->cert_prvkey = pk; + } } } } @@ -543,6 +549,9 @@ if (obj->base.flags & SC_PKCS11_OBJECT_HIDDEN) continue; + + sc_debug(context, "Looking for objects related to object %d", i); + if (is_privkey(obj)) { __pkcs15_prkey_bind_related(fw_data, (struct pkcs15_prkey_object *) obj); } else if (is_cert(obj)) { @@ -609,6 +618,9 @@ struct pkcs15_any_object *obj,
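Review bot: In the rewritten loop of __pkcs15_cert_bind_related (hunk at -507) the issuer branch still ends in return, so as soon as the issuer certificate is found the loop stops and a private key with a matching id that sits later in fw_data->objects is never stored in cert->cert_prvkey. Drop the return and guard the issuer branch with a check that cert->cert_issuer is still unset, the way the private key branch already tests !cert->cert_prvkey, so that both associations are searched across the whole object list. The new sc_debug calls also print i with %d although it is declared unsigned int; %u matches the declaration.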