PKCS15 framework influence PKCS11 interface #3059
Comments
Or maybe a better question: Could there be a way to provide info from driver or settings which app/token is for authentication and which for signing?
Have you looked at: https://github.com/OpenSC/OpenSC/blob/master/etc/opensc.conf.example.in#L214-L227 I have never used it, but it might allow changing the order of pins. In addition: The OpenSC PKCS11 implementation can present every reader as a slot and virtual slots used when an applet has more than one PIN where each virtual slot is used to access objects protected by its PIN. (PKCS11 has the limitation of only defining CKU_SO, CKU_USER, and CKU_CONTEXT_SPECIFIC per token.) Code was never added to allow OpenSC PKCS11 to treat each applet on a card as a separate token. PKCS15 is at the card level (or applet level). To further isolate cards, tokens and applets, OpenSC can restrict which card driver(s) can be used via p11kit can be used with OpenSC PKCS11 module selecting one applet and using some other PKCS11 module for a different applet on the card.
Thank you for your explanation. I was fishing for a solution.
I have a card with 2 apps. One should be without login and one with login. First app is not login, second app should be used with login. First app has one token, the second has 2.
Without modifications, PKCS11 lists all tokens, but PKCS15 shows only the token in the first app (#2986). For browser users (nss or Firefox) the first token in second app is useful.
Currently I apply settings for PKCS15 framework that nss uses that disables the first app, but PKCS11 also hides token in first app. Is this really needed? Should PKCS11 and PKCS15 be connected in this way?
The card driver is EOI.