Re: [opensc-devel] PKCS15init profile to omit a part of path
Martin Paljak wrote: Maybe it would be better to have a single sticky pkcs15-ish mapping for a fixed profile card in a single location (like the pkcs15 emulation drivers) and allow pkcs15-tool (which does not try to create any PKCS#15 structures) to re-generate exposed key slots and replace exposed certificate slots. And extend that API as needed. Yes, absolutely. //Peter ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] PKCS15init profile to omit a part of path
Nguyễn Hồng Quân wrote: I'm starting from the current codebase, which uses a emulation layer, so I don't know other choice than continue with this approach. First create the improved infrastructure in OpenSC that your work needs. Maybe it would be better to have a single sticky pkcs15-ish mapping for a fixed profile card in a single location (like the pkcs15 emulation drivers) and allow pkcs15-tool (which does not try to create any PKCS#15 structures) to re-generate exposed key slots and replace exposed certificate slots. And extend that API as needed. I don't really understand this idea. - Now, to solve the problem of the path I mentioned at the beginning of this mail thread, I change a bit in gpg_select_file, to automatically ignore the part of DF PKCS15-AppDF (5015). Does it resemble the idea sticky pkcs15-ish mapping for a fixed profile card? Yes and no. The point is that mapping between card layout and p15 will happen only in a single place. - What re-generate exposed key slots and replace exposed certificate slots is for? Code working with keys and certificates should never work with p15 operations for modifying structure, but be restricted to the structure exposed by the p15 mapping. Modifying that (virtual) p15 structure would use another API. //Peter ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] PKCS15init profile to omit a part of path
Hi,
On Friday, 25. May 2012, Martin Paljak wrote:
In the long run, I don't think that it helps to emulate a filesystem
on top of non-filesystem cards (like OpenPGP or Muscle). Or to try to
make it fit into the filesystem-oriented stack of OpenSC.
Why?
If it works (even in a limited/restricted way), it is better than not having
any support at all.
After all the openPGP card / GPF Cryptostick os one of those smartcards /
tokens that can be bought by individuals in small quantities.
It is nice to be able to poke around with opensc-explorer, but the
notion of a file and a path should mean that the file is actually
selectable with ISO SELECT command. Which is not true (a plain APDU,
outside of the libopensc emulation layer, would fail).
I do not understand that argument, especially if we're talking about
an emulation within the opensc software stack.
Why should it matter that the emulation does not exist outside opensc?
When it works (even only partiallly) with opensc, it works.
When it does not work with opensc it works nowhere.
In case of OpenPGP, where no files or PKCS#15 data structures are
written to the card (the card already has a fixed profile, with fixed
data slots), it makes no sense. The main utility of pkcs15-init is
creating (and storing) PKCS#15 ASN.1 structures to the card, when such
slots for keys or certificates are created as a side-product. If ASN.
shall not be created, pcks15-init should IMHO not be used.
Well, pkcs15-init might not be the tool suitable for the job.
But please, let Quân continue trying - maybe he can make the emulation work.
All his changes were in files specific to the OpenPGP cards only (card-
openpgp.c, pkcs15-openpgp.c).
If his approach (try to make the emulation so good that it allows using the
standard tools) does not work out, extending the new openpgp-tool to do what
he wants, should be even easier.
The fact that pkcs15-init is the main interface for generating
keys/storing certificates, is thus somewhat misleading. You can't
create more keys than 3 on OpenPGP, nor can you write more
certificates. You can't create additional arbitrary slots on the
card.
Yes, but you can (re)create any of the three keys and import keys into any of
the three existing slots.
If the emulation becomes good enough to support that, then why not use it?
Maybe it would be better to have a single sticky pkcs15-ish mapping
for a fixed profile card in a single location (like the pkcs15
emulation drivers) and allow pkcs15-tool (which does not try to create
any PKCS#15 structures) to re-generate exposed key slots and replace
exposed certificate slots. And extend that API as needed.
As I explained above: all of Quân's changes for OpenPGP card support
are limited to the files responsible for OpenPGP cards:
src/lib/opensc/{card,pkcs15}-openpgp.c
Any other changes he made, fix omissions in existing tools, e.g. he made
opensc-explorer's do_put command really functional instead of only printing
the usage message.
Best
Peter
--
Peter Marschall
pe...@adpm.de
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] PKCS15init profile to omit a part of path
Hi all, On Friday, 18. May 2012, Nguyễn Hồng Quân wrote: I need a help to create pkcs15init profile structure so that I can change/rewrite the canonical path. All, please note, Quân is looking for something that shall be specific to OpenPGP. He I do not want to change the pkcs15 part of opensc, unless it is broken ;-) In general, the path to a file AABB in PKCS15 is as: 3F005015AABB, in which 3F00 is the MF, 5015 is the PKCS15-AppDF's file-id. Is it possible to have a PKCS#15-compliant card without the DF 5015? (I did not find the string 5015 in the PKCS#15 spec) If not, the question below is moot, and we will need to resort to changes in OpenPGP's file system emulation layer. If yes, is it possible in opensc? Now, because the virtual file system of my OpenPGP card (which is non-pkcs15) is constructed as: MF (3F00) +-- File_1 (AABB) +-- File_2 (AACC) +--- Directory (DDCC) +-- File_3 (CCEE) the real path to the file is 3F00AABB. How would I define the profile file to omit the PKCS15-AppDF, i.e. the 5015, in the path? Thanks in advance for your answers. Best Peter -- Peter Marschall pe...@adpm.de ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] PKCS15init profile to omit a part of path
Hi Peter On 05/27/2012 03:50 PM, Peter Stuge wrote: Nguyễn Hồng Quân wrote: I'm starting from the current codebase, which uses a emulation layer, so I don't know other choice than continue with this approach. First create the improved infrastructure in OpenSC that your work needs. Now I haven't understood the OpenSC core very well, so I choose the solution of following the current infrastructure of OpenSC, to avoid making it a mess. Later, when I would understand OpenSC well, I will switch to other approach. Maybe it would be better to have a single sticky pkcs15-ish mapping for a fixed profile card in a single location (like the pkcs15 emulation drivers) and allow pkcs15-tool (which does not try to create any PKCS#15 structures) to re-generate exposed key slots and replace exposed certificate slots. And extend that API as needed. I don't really understand this idea. - Now, to solve the problem of the path I mentioned at the beginning of this mail thread, I change a bit in gpg_select_file, to automatically ignore the part of DF PKCS15-AppDF (5015). Does it resemble the idea sticky pkcs15-ish mapping for a fixed profile card? Yes and no. The point is that mapping between card layout and p15 will happen only in a single place. The mapping I done happens in card driver code (card-openpgp.c) (earlier I wanted it to happen in *.profile file, but found no way). Is it considered single place? - What re-generate exposed key slots and replace exposed certificate slots is for? Code working with keys and certificates should never work with p15 operations for modifying structure, but be restricted to the structure exposed by the p15 mapping. Modifying that (virtual) p15 structure would use another API. Thanks, It seems that my initial question is not clear, leading to misunderstanding. I need a help to create pkcs15init profile structure so that I can change/rewrite the canonical path. I meant to create a *.profile (sructure here is not pkcs15 structure, but the *.profile structure) so that the path understood by PKCS15, after go through this profile to down to driver, will be modifiedto be understandable by the driver. PKCS15 (3F00:5015:AABB) | +--+ | profile file | +--+ | Card driver (3F00:AABB) However, at this time of my writing, this is no longer needed. I brought the role of translating path from profile file to the card driver itself. -- Regards, Quân ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] PKCS15init profile to omit a part of path
Hello, On Fri, May 18, 2012 at 12:59 PM, Nguyễn Hồng Quân quanngu...@mbm.vn wrote: Hello all, I need a help to create pkcs15init profile structure so that I can change/rewrite the canonical path. In general, the path to a file AABB in PKCS15 is as: 3F005015AABB, in which 3F00 is the MF, 5015 is the PKCS15-AppDF's file-id. Now, because the virtual file system of my OpenPGP card (which is non-pkcs15) is constructed as: MF (3F00) | +-- File_1 (AABB) | +-- File_2 (AACC) | +--- Directory (DDCC) | +-- File_3 (CCEE) the real path to the file is 3F00AABB. How would I define the profile file to omit the PKCS15-AppDF, i.e. the 5015, in the path? In the long run, I don't think that it helps to emulate a filesystem on top of non-filesystem cards (like OpenPGP or Muscle). Or to try to make it fit into the filesystem-oriented stack of OpenSC. It is nice to be able to poke around with opensc-explorer, but the notion of a file and a path should mean that the file is actually selectable with ISO SELECT command. Which is not true (a plain APDU, outside of the libopensc emulation layer, would fail). In case of OpenPGP, where no files or PKCS#15 data structures are written to the card (the card already has a fixed profile, with fixed data slots), it makes no sense. The main utility of pkcs15-init is creating (and storing) PKCS#15 ASN.1 structures to the card, when such slots for keys or certificates are created as a side-product. If ASN. shall not be created, pcks15-init should IMHO not be used. The fact that pkcs15-init is the main interface for generating keys/storing certificates, is thus somewhat misleading. You can't create more keys than 3 on OpenPGP, nor can you write more certificates. You can't create additional arbitrary slots on the card. Maybe it would be better to have a single sticky pkcs15-ish mapping for a fixed profile card in a single location (like the pkcs15 emulation drivers) and allow pkcs15-tool (which does not try to create any PKCS#15 structures) to re-generate exposed key slots and replace exposed certificate slots. And extend that API as needed. Martin ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] PKCS15init profile to omit a part of path
Hello Martin, On Fri 25 May 2012 03:40:31 PM ICT, Martin Paljak wrote: Hello, In the long run, I don't think that it helps to emulate a filesystem on top of non-filesystem cards (like OpenPGP or Muscle). Or to try to make it fit into the filesystem-oriented stack of OpenSC. Has OpenSC project defines another approach to deal with these cards (non-filesystem)? I'm starting from the current codebase, which uses a emulation layer, so I don't know other choice than continue with this approach. In case of OpenPGP, where no files or PKCS#15 data structures are written to the card (the card already has a fixed profile, with fixed data slots), it makes no sense. The main utility of pkcs15-init is creating (and storing) PKCS#15 ASN.1 structures to the card, when such slots for keys or certificates are created as a side-product. If ASN. shall not be created, pcks15-init should IMHO not be used. I want to store certificate via PKCS#11 interface, and this interface invokes pkcs15-init to do that. If you know there is other way to redirect PKCS#11 to use directly the card driver, instead of going through pkcs15-init, please tell me. Maybe it would be better to have a single sticky pkcs15-ish mapping for a fixed profile card in a single location (like the pkcs15 emulation drivers) and allow pkcs15-tool (which does not try to create any PKCS#15 structures) to re-generate exposed key slots and replace exposed certificate slots. And extend that API as needed. I don't really understand this idea. - Now, to solve the problem of the path I mentioned at the beginning of this mail thread, I change a bit in gpg_select_file, to automatically ignore the part of DF PKCS15-AppDF (5015). Does it resemble the idea sticky pkcs15-ish mapping for a fixed profile card? - What re-generate exposed key slots and replace exposed certificate slots is for? Thank you. -- Regards, Quân ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] PKCS15init profile to omit a part of path
Hello Nguyễn, Le 18/05/2012 11:59, Nguyễn Hồng Quân a écrit : I need a help to create pkcs15init profile structure so that I can change/rewrite the canonical path. In general, the path to a file AABB in PKCS15 is as: 3F005015AABB, in which 3F00 is the MF, 5015 is the PKCS15-AppDF's file-id. Now, because the virtual file system of my OpenPGP card (which is non-pkcs15) is constructed as: MF (3F00) | +-- File_1 (AABB) | +-- File_2 (AACC) | +--- Directory (DDCC) | +-- File_3 (CCEE) the real path to the file is 3F00AABB. How would I define the profile file to omit the PKCS15-AppDF, i.e. the 5015, in the path? In OpenSC the pkcs15-init part is used mostly by cards that can natively support the on-card PKCS#15 file system. The only exception is the Oberthur's card, that has producer specific on-card file system and data encoding. In the OpenSC this card uses the emulator in its 'pkcs15-libopensc' part (like the openpgp card), and uses extended pkcs15init API to implement the emulator of 'pkcs15-init' part . The 'emulator' extension of the pkcs15init API consists in the 'emu_*' sc_pkcs15init_operations handlers (src/libopensc/pkcs15-init.h). You can look into oberthur.profile and src/pkcs15init/pkcs15-oberthur.c with the card's pkcs15init handlers. No look too close into the src/pkcs15init/pkcs15-oberthur-awp.c. This file contains the implementing of the producer specific data encoding/decoding. Unfortunately there is no more or less full documentation on the profiles, other then the comments in profile files itself or in the sources. Kind regards, Viktor. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] PKCS15init profile to omit a part of path
Hi, This is not directly related to your question, but more general: You wrote about implementing write support for OpenPGP cards. Is there a chance to see the code you already have? maybe e.g. on github ;-) Best Peter -- Peter Marschall pe...@adpm.de ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] PKCS15init profile to omit a part of path
Hi Peter, Le 20/05/2012 19:19, Peter Marschall a écrit : This is not directly related to your question, but more general: You wrote about implementing write support for OpenPGP cards. Is there a chance to see the code you already have? maybe e.g. on github ;-) You can look onto 'secure-messaging' branch of my OpenSC github project, forked from OpenSC/OpenSC. https://github.com/viktorTarasov/OpenSC-SM/tree/secure-messaging In my Jenkins (https://opensc.fr/jenkins/) this branch is continuously built on multiple platforms; packages are created for win32, win64, debian, suse, mac (package for SuSE is published onto the OpenSuSE build platform); some (at the moment rudimentary) automatic tests are executed with the real card; coverity scan performed. CI service is still under development. There is some CI support for OpenSC/OpenSC/staging also. Now I gradually start the merging of this branch into 'staging' of OpenSC/OpenSC. I hope to merge all. After that the CI service will be concentrated on OpenSC staging and master. In that way I hope to revive release process of OpenSC. Best Peter Kind regards, Viktor. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] PKCS15init profile to omit a part of path
Hi Peter, My implementation of write support for OpenPGP card is placed here https://github.com/hongquan/OpenSC-OpenPGP/commits/openpgp (the openpgp branch) On 05/21/2012 12:19 AM, Peter Marschall wrote: Hi, This is not directly related to your question, but more general: You wrote about implementing write support for OpenPGP cards. Is there a chance to see the code you already have? maybe e.g. on github ;-) Best Peter -- Regards, Quân ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
