Re: [opensc-devel] Patch to make pkcs11 pin cache working
>> As for me, the 'p15card->pin_cache[]' system is more attractive.
>> Somebody have the reasons for the other or for the both ?
>
> There's another option: take the part that deals with PIN codes in keycache.c
> and make it use libopensc PIN cache and leave the keycache.c in pkcs15init?
>
> The old "bridge" that currently is left commented out, as said in the commit
> message of changeset 3784, is at
> http://www.opensc-project.org/opensc/browser/trunk/src/pkcs11/framework-pkcs15.c#L3070
>
> The simplest and shortest way is to re-implement that piece. But it still
> leaves two issues: 1) no way of using a pinpad for initialization 2)
> separate copies of PIN values without much control (which was the original

I don't understand why the PIN caching mechanism is not compatible with pinpad readers.

The problem that I see is that with pkcs11 it's the application which asks for the PIN and calls C_Login, and afterwards, when the PIN is needed again for internal use, you can't ask for the PIN yourself in the pkcs11 module since you don't know if you have a window or a text screen or other...

With a pinpad reader you don't have this problem, since it's the reader interface that will be used: you can ask for the PIN at any time. The only sad effect is that you need to provide the PIN multiple times (but you don't initialise a card or create objects every day, so it may be acceptable).

Perhaps I miss something with pinpad reader use?

François.

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Patch to make pkcs11 pin cache working
Hi.

On 20.11.2009, at 11:18, Viktor TARASOV wrote:
>>> For now I propose this small patch to permit "generate_key" with
>>> pkcs11-tool.
>>>
>>
>> More universal (but not full and not good for future) patch is here:
>> http://www.opensc-project.org/pipermail/opensc-devel/2009-November/012863.html
>>
>
> What for there are two PIN cache systems?
> Why do not use the unique one?

There used to be 3 places for PIN caching: PKCS#11, Tokend, pkcs15init/keycache.c. Two have been reduced to one (PKCS#11 and Tokend). I'm in the process of fixing the third option as well. But it tries to handle more things than just PIN caching, like transport keys.

> As for me, the 'p15card->pin_cache[]' system is more attractive.
> Somebody have the reasons for the other or for the both ?

There's another option: take the part that deals with PIN codes in keycache.c and make it use libopensc PIN cache and leave the keycache.c in pkcs15init?

The old "bridge" that currently is left commented out, as said in the commit message of changeset 3784, is at
http://www.opensc-project.org/opensc/browser/trunk/src/pkcs11/framework-pkcs15.c#L3070

The simplest and shortest way is to re-implement that piece. But it still leaves two issues:
1) no way of using a pinpad for initialization
2) separate copies of PIN values without much control (which was the original reason of consolidation, based on a security audit)

Martin
--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495
Re: [opensc-devel] Patch to make pkcs11 pin cache working
> What for there are two PIN cache systems?
> Why do not use the unique one?

Probably historic reasons...

> As for me, the 'p15card->pin_cache[]' system is more attractive.
> Somebody have the reasons for the other or for the both ?

I agree, "p15card->pin_cache" seems more interesting.

François.
Re: [opensc-devel] Patch to make pkcs11 pin cache working
Aleksey Samsonov wrote:
> François Leblanc wrote:
>
>> For now I propose this small patch to permit "generate_key" with pkcs11-tool.
>>
>
> More universal (but not full and not good for future) patch is here:
> http://www.opensc-project.org/pipermail/opensc-devel/2009-November/012863.html
>

What for there are two PIN cache systems?
Why do not use the unique one?

As for me, the 'p15card->pin_cache[]' system is more attractive.
Somebody have the reasons for the other or for the both ?

--
Viktor Tarasov
Re: [opensc-devel] Patch to make pkcs11 pin cache working
François Leblanc wrote:
> For now I propose this small patch to permit "generate_key" with pkcs11-tool.

More universal (but not full and not good for future) patch is here:
http://www.opensc-project.org/pipermail/opensc-devel/2009-November/012863.html
[opensc-devel] Patch to make pkcs11 pin cache working
For now I propose this small patch to permit "generate_key" with pkcs11-tool.

There are two caches: one using pkcs15-pin.c with functions like sc_pkcs15_pincache_add, and another one in keycache.c with functions like sc_keycache_put_pin. OpenSC switches between the two styles; pkcs15-pin seems more robust but sc_keycache_put_pin is more convenient, since pkcs15-pin refers to an object and keycache uses an OP (SC_AC_OP_WRITE, SC_AC_OP_READ...). The challenge will be to group the two into one...

There are still pkcs11 functions not working properly (for me at least): pkcs11-tool -init-token returns an error for me.

François.

Attachment: opensc-pkcs11-framework-pkcs15.patch
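The post above describes two stores for the same secret, one addressed by PIN object and one by access-control operation, and the thread later notes that separate copies of PIN values without much control were the reason a security audit pushed for consolidation. The following is an added illustration, not OpenSC code and not the patch under discussion: a single PIN store that answers both lookup styles, keeps exactly one copy per PIN reference, rejects oversize input instead of truncating, and wipes memory on clear. All names (pin_cache_add, pin_cache_bind_op, the OP_* operations) are hypothetical stand-ins, and the sample PIN is a constructed value.

```c
/* Added illustration, not OpenSC code: a single PIN store that answers both
 * lookup styles named in the thread -- by PIN object reference (pkcs15-pin
 * style) and by access-control operation (keycache style). Every name and
 * the operation set here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PIN_MAX_LEN 16
#define CACHE_SLOTS 4
enum { OP_READ, OP_WRITE, OP_GENERATE, OP_DELETE, OP_COUNT };   /* hypothetical ops */
enum { CACHE_OK = 0, CACHE_ERR_FULL = -1, CACHE_ERR_NOT_FOUND = -2, CACHE_ERR_INVALID = -3 };

struct pin_entry { int in_use; int pin_ref; uint8_t pin[PIN_MAX_LEN]; size_t pin_len; };
struct pin_cache {
    struct pin_entry slots[CACHE_SLOTS];
    int op_to_ref[OP_COUNT];   /* PIN ref each operation requires, -1 if none */
};

/* Zeroise through a volatile pointer so the wipe is not dropped as a dead store. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

void pin_cache_init(struct pin_cache *c) {
    memset(c, 0, sizeof *c);
    for (int i = 0; i < OP_COUNT; i++) c->op_to_ref[i] = -1;
}

/* Store or replace the value for one PIN reference: one copy per PIN, never more. */
int pin_cache_add(struct pin_cache *c, int pin_ref, const uint8_t *pin, size_t len) {
    struct pin_entry *slot = NULL;
    if (pin == NULL || len == 0 || len > PIN_MAX_LEN) return CACHE_ERR_INVALID;
    for (int i = 0; i < CACHE_SLOTS; i++) {
        struct pin_entry *e = &c->slots[i];
        if (e->in_use && e->pin_ref == pin_ref) { slot = e; break; }  /* overwrite */
        if (!e->in_use && slot == NULL) slot = e;
    }
    if (slot == NULL) return CACHE_ERR_FULL;
    secure_zero(slot->pin, sizeof slot->pin);
    memcpy(slot->pin, pin, len);
    slot->pin_len = len; slot->pin_ref = pin_ref; slot->in_use = 1;
    return CACHE_OK;
}

/* keycache-style binding: operation op is protected by PIN pin_ref. */
int pin_cache_bind_op(struct pin_cache *c, int op, int pin_ref) {
    if (op < 0 || op >= OP_COUNT) return CACHE_ERR_INVALID;
    c->op_to_ref[op] = pin_ref;
    return CACHE_OK;
}

/* pkcs15-pin style lookup; *out_len is the buffer size in, value length out. */
int pin_cache_get_by_ref(const struct pin_cache *c, int pin_ref, uint8_t *out, size_t *out_len) {
    for (int i = 0; i < CACHE_SLOTS; i++) {
        const struct pin_entry *e = &c->slots[i];
        if (!e->in_use || e->pin_ref != pin_ref) continue;
        if (*out_len < e->pin_len) return CACHE_ERR_INVALID;
        memcpy(out, e->pin, e->pin_len);
        *out_len = e->pin_len;
        return CACHE_OK;
    }
    return CACHE_ERR_NOT_FOUND;
}

/* keycache-style lookup: resolve the operation, then read the same store. */
int pin_cache_get_by_op(const struct pin_cache *c, int op, uint8_t *out, size_t *out_len) {
    if (op < 0 || op >= OP_COUNT || c->op_to_ref[op] < 0) return CACHE_ERR_NOT_FOUND;
    return pin_cache_get_by_ref(c, c->op_to_ref[op], out, out_len);
}

/* Forget every value (logout, card removal) and wipe the memory it sat in. */
void pin_cache_clear(struct pin_cache *c) {
    for (int i = 0; i < CACHE_SLOTS; i++) {
        secure_zero(c->slots[i].pin, sizeof c->slots[i].pin);
        c->slots[i].pin_len = 0;
        c->slots[i].in_use = 0;
    }
}

/* Exercise the store with a constructed sample PIN; returns the number of
 * checks that held, 6 when everything behaves as intended. */
int demo_consolidated_cache(void) {
    struct pin_cache c;
    const uint8_t sample_pin[4] = { '1', '2', '3', '4' };   /* constructed value */
    uint8_t too_long[PIN_MAX_LEN + 1] = { 0 };
    uint8_t out[PIN_MAX_LEN];
    size_t out_len;
    int passed = 0;

    pin_cache_init(&c);
    if (pin_cache_add(&c, 1, sample_pin, sizeof sample_pin) == CACHE_OK) passed++;
    if (pin_cache_bind_op(&c, OP_WRITE, 1) == CACHE_OK) passed++;
    out_len = sizeof out;
    if (pin_cache_get_by_ref(&c, 1, out, &out_len) == CACHE_OK
        && out_len == 4 && memcmp(out, sample_pin, 4) == 0) passed++;
    out_len = sizeof out;
    if (pin_cache_get_by_op(&c, OP_WRITE, out, &out_len) == CACHE_OK
        && out_len == 4 && memcmp(out, sample_pin, 4) == 0) passed++;
    /* oversize input is rejected outright rather than silently truncated */
    if (pin_cache_add(&c, 2, too_long, sizeof too_long) == CACHE_ERR_INVALID) passed++;
    pin_cache_clear(&c);
    out_len = sizeof out;
    if (pin_cache_get_by_op(&c, OP_WRITE, out, &out_len) == CACHE_ERR_NOT_FOUND
        && pin_cache_get_by_ref(&c, 1, out, &out_len) == CACHE_ERR_NOT_FOUND) passed++;
    secure_zero(out, sizeof out);
    return passed;
}
```

The operation-to-reference table is the only thing the keycache style adds on top of the object-keyed store, so both callers read the same bytes and a single clear removes every copy; that is the property the audit mentioned in the thread was after.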