Re: [opensc-devel] Possible issue with pkcs15 emulation

2010-02-23 Thread Viktor TARASOV
François Leblanc wrote:
 Hello Victor,

 I’m playing with opensc and find that when we use pkcs15 emulation
 sc_pkcs15_verify_pin fails; this is due to 'auth_method' not being set by
 the emulation layer (it used to be set by 'sc_pkcs15_verify_pin' before
 changeset 4048). For a real pkcs15 card it seems that
 'sc_pkcs15_decode_aodf_entry' sets this to SC_AC_CHV.

 What should we do for emulation? I guess we have to set 'auth_method' to
 SC_AC_CHV for all cards?

 Perhaps set it in 'sc_pkcs15emu_add_pin_obj'?

 What do you think?
   

Well,
the shortest way is to add it to 'sc_pkcs15emu_add_pin_obj',
but, imho, it should be added into every card 'emu' driver where 
pin_info is initialized.

 Regards,
 François.
   

Kind wishes,
Viktor.



   
 

 ___
 opensc-devel mailing list
 opensc-devel@lists.opensc-project.org
 http://www.opensc-project.org/mailman/listinfo/opensc-devel


-- 
Viktor Tarasov  viktor.tara...@opentrust.com



Re: [opensc-devel] Possible issue with pkcs15 emulation

2010-02-23 Thread Martin Paljak
On Feb 23, 2010, at 12:39 , Viktor TARASOV wrote:
 François Leblanc wrote:
 Hello Victor,

 I’m playing with opensc and find that when we use pkcs15 emulation
 sc_pkcs15_verify_pin fails; this is due to 'auth_method' not being set by
 the emulation layer (it used to be set by 'sc_pkcs15_verify_pin' before
 changeset 4048). For a real pkcs15 card it seems that
 'sc_pkcs15_decode_aodf_entry' sets this to SC_AC_CHV.

 What should we do for emulation? I guess we have to set 'auth_method' to
 SC_AC_CHV for all cards?

 Perhaps set it in 'sc_pkcs15emu_add_pin_obj'?

 What do you think?
 
 
 Well,
 the shortest way is to add it to 'sc_pkcs15emu_add_pin_obj',
 but, imho, it should be added into every card 'emu' driver where 
 pin_info is initialized.

I'm a bit lost with the abundance of SC_AC_* variables, especially when 
compared to PKCS#15 v1.1 page 69. But for a PIN object, SC_AC_NONE does not 
seem like a sensible value?

So only setting it in sc_pkcs15emu_add_pin_obj() if auth_method is 0 would make 
sense. No?


-- 
Martin Paljak
http://martin.paljak.pri.ee
+3725156495




Re: [opensc-devel] Possible issue with pkcs15 emulation

2010-02-23 Thread Viktor TARASOV
Martin Paljak wrote:
 On Feb 23, 2010, at 12:39 , Viktor TARASOV wrote:
   
 François Leblanc wrote:
 
 Hello Victor,

 I’m playing with opensc and find that when we use pkcs15 emulation
 sc_pkcs15_verify_pin fails; this is due to 'auth_method' not being set by
 the emulation layer (it used to be set by 'sc_pkcs15_verify_pin' before
 changeset 4048). For a real pkcs15 card it seems that
 'sc_pkcs15_decode_aodf_entry' sets this to SC_AC_CHV.

 What should we do for emulation? I guess we have to set 'auth_method' to
 SC_AC_CHV for all cards?

 Perhaps set it in 'sc_pkcs15emu_add_pin_obj'?

 What do you think?

   
 Well,
 the shortest way is to add it to 'sc_pkcs15emu_add_pin_obj',
 but, imho, it should be added into every card 'emu' driver where 
 pin_info is initialized.
 

 I'm a bit lost with the abundance of SC_AC_* variables, especially when 
 compared to PKCS#15 v1.1 page 69. But for a PIN object, SC_AC_NONE does not 
 seem like a sensible value?

 So only setting it in sc_pkcs15emu_add_pin_obj() if auth_method is 0 would 
 make sense. No?
   


Probably, a little confusion comes from the fact that, for the new 
PIN's authentication method values,
I tried to reuse the existing authentication methods encoded by ACL.

Maybe, for the first one the specially dedicated macros should be defined.


In fact, by definition, the authentication method of the AUTH PKCS#15 
object cannot be SC_AC_NONE (method 'not none' is its reason for 
existence).
Actually, the only AUTH method fully implemented in OpenSC-PKCS#15 is 
the PIN (CHV) -- that's why by default it should be initialized with 
SC_AC_CHV (or some specially dedicated macro).

Sure, we can do it in 'sc_pkcs15emu_add_pin_obj',
but it will overwrite the (actually hypothetical) setting from the card 
'emu' driver.


Kind wishes,
Viktor.


-- 
Viktor Tarasov  viktor.tara...@opentrust.com



Re: [opensc-devel] Possible issue with pkcs15 emulation

2010-02-23 Thread François Leblanc

OK, so can I apply the joined patch? Tested only with Westcos Card...


Hope I forget nobody...


No objections?


François.



emulation-set-auth-method.patch
Description: Binary data



Re: [opensc-devel] Possible issue with pkcs15 emulation

2010-02-23 Thread Martin Paljak
On Feb 23, 2010, at 14:18 , Viktor TARASOV wrote:
 Maybe, for the first one the specially dedicated macros should be defined.
First what? Please explain.

 In fact, by definition, the authentication method of the AUTH PKCS#15 
 object cannot be SC_AC_NONE (method 'not none' is its reason for 
 existence).
 Actually, the only AUTH method fully implemented in OpenSC-PKCS#15 is 
 the PIN (CHV) -- that's why by default it should be initialized with 
 SC_AC_CHV (or some specially dedicated macro).
 
 Sure, we can do it in 'sc_pkcs15emu_add_pin_obj',
 but it will overwrite the (actually hypothetical) setting from the card 

So the following is a safe and sane assumption as well: (until there is a 
different authentication method implemented other than a PIN)

The idea of the helper objects in pkcs15-syn.c is to simplify the 
emulation writing experience (you don't have to call the _add_pin_obj wrapper)


Index: pkcs15-syn.c
===
--- pkcs15-syn.c(revision 4063)
+++ pkcs15-syn.c(working copy)
@@ -316,6 +316,8 @@
sc_pkcs15_pin_info_t pin = *in_pin;
 
pin.magic = SC_PKCS15_PIN_MAGIC;
+   if (!pin.auth_method) /* or SC_AC_NONE */
+   pin.auth_method = SC_AC_CHV;
 
return sc_pkcs15emu_object_add(p15card, SC_PKCS15_TYPE_AUTH_PIN, obj, 
pin);
 }
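
Review bot: the test `if (!pin.auth_method)` on the first added line only means "not set" if SC_AC_NONE is numerically 0, which the `/* or SC_AC_NONE */` comment implies but the code does not state. Writing the comparison explicitly, `if (pin.auth_method == SC_AC_NONE)`, makes the intent readable from the condition itself and removes the need for the comment.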




-- 
Martin Paljak
http://martin.paljak.pri.ee
+3725156495




Re: [opensc-devel] Possible issue with pkcs15 emulation

2010-02-23 Thread Viktor TARASOV
François Leblanc wrote:
 OK, so can I apply the joined patch? Tested only with Westcos Card...
   

As for me, 'yes, you can'.

Later, probably, we will introduce specially dedicated macros for the 
PIN auth. method values.


 François.

   
 



-- 
Viktor Tarasov  viktor.tara...@opentrust.com



Re: [opensc-devel] Possible issue with pkcs15 emulation

2010-02-23 Thread Martin Paljak
On Feb 23, 2010, at 14:40 , François Leblanc wrote:
 
 No objections?
Yes.

The wrappers in pkcs15-syn.c are supposed to simplify the creation of PKCS#15 
emulation drivers. 

Until other than PIN authentication is implemented, it is safe to say that the 
_add_pin_object wrapper can set the auth method to PIN (CHV) if it is not set 
before. Less code.

-- 
Martin Paljak
http://martin.paljak.pri.ee
+3725156495



Re: [opensc-devel] Possible issue with pkcs15 emulation

2010-02-23 Thread Viktor TARASOV
Martin Paljak wrote:
 On Feb 23, 2010, at 14:18 , Viktor TARASOV wrote:
   
 Maybe, for the first one the specially dedicated macros should be defined.
 
 First what? Please explain.
   

I mean the macros for the possible values of AUTH object authentication 
method.


   
 In fact, by definition, the authentication method of the AUTH PKCS#15 
 object cannot be SC_AC_NONE (method 'not none' is its reason for 
 existence).
 Actually, the only AUTH method fully implemented in OpenSC-PKCS#15 is 
 the PIN (CHV) -- that's why by default it should be initialized with 
 SC_AC_CHV (or some specially dedicated macro).

 Sure, we can do it in 'sc_pkcs15emu_add_pin_obj',
 but it will overwrite the (actually hypothetical) setting from the card 
 

 So the following is a safe and sane assumption as well: (until there is a 
 different authentication method implemented other than a PIN)

 The idea of the helper objects in pkcs15-syn.c is to simplify the 
 emulation writing experience (you don't have to call the _add_pin_obj wrapper)
   

Agree.



 Index: pkcs15-syn.c
 ===
 --- pkcs15-syn.c  (revision 4063)
 +++ pkcs15-syn.c  (working copy)
 @@ -316,6 +316,8 @@
   sc_pkcs15_pin_info_t pin = *in_pin;
  
   pin.magic = SC_PKCS15_PIN_MAGIC;
 + if (!pin.auth_method) /* or SC_AC_NONE */
 + pin.auth_method = SC_AC_CHV;
  
   return sc_pkcs15emu_object_add(p15card, SC_PKCS15_TYPE_AUTH_PIN, obj, 
 pin);
  }
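
Review bot: the default added after `pin.magic = SC_PKCS15_PIN_MAGIC;` is undocumented, so a caller that leaves `auth_method` unset now silently gets SC_AC_CHV with nothing in the code recording why. A short comment above `pin.auth_method = SC_AC_CHV;` should state that the default applies only while PIN (CHV) is the sole implemented authentication method, and that a value already set by the emulation driver is kept because only the local copy `pin` with a zero field is changed.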




   


-- 
Viktor Tarasov  viktor.tara...@opentrust.com



Re: [opensc-devel] Possible issue with pkcs15 emulation

2010-02-23 Thread François Leblanc

 Index: pkcs15-syn.c
 ===
 --- pkcs15-syn.c  (revision 4063)
 +++ pkcs15-syn.c  (working copy)
 @@ -316,6 +316,8 @@
   sc_pkcs15_pin_info_t pin = *in_pin;
  
   pin.magic = SC_PKCS15_PIN_MAGIC;
 + if (!pin.auth_method) /* or SC_AC_NONE */
 + pin.auth_method = SC_AC_CHV;
  
   return sc_pkcs15emu_object_add(p15card, SC_PKCS15_TYPE_AUTH_PIN, obj, 
 pin);
  }


Viktor, are you OK with Martin's solution? 

From my point of view both solutions are acceptable... but we have to choose.


François.




Re: [opensc-devel] Possible issue with pkcs15 emulation

2010-02-23 Thread Viktor TARASOV
François Leblanc wrote:
 Index: pkcs15-syn.c
 ===
 --- pkcs15-syn.c (revision 4063)
 +++ pkcs15-syn.c (working copy)
 @@ -316,6 +316,8 @@
  sc_pkcs15_pin_info_t pin = *in_pin;
  
  pin.magic = SC_PKCS15_PIN_MAGIC;
 +if (!pin.auth_method) /* or SC_AC_NONE */
 +pin.auth_method = SC_AC_CHV;
  
  return sc_pkcs15emu_object_add(p15card, SC_PKCS15_TYPE_AUTH_PIN, obj, 
 pin);
  }
 


 Viktor, are you OK with Martin's solution? 

 From my point of view both solutions are acceptable... but we have to choose.
   

It's OK for me.

 François.

   
 



-- 
Viktor Tarasov  viktor.tara...@opentrust.com
