From: Jakub J. <jj...@re...> - 2016-05-17 13:55:18
Hi, few more notes.

On 05/17/2016 02:39 PM, Jakub Jelen wrote:
> On 05/16/2016 07:20 PM, Douglas E Engert wrote:
>> I would say the closest tool we have is: pkcs11-tool -t -l
>> It does some basic tests, but as you may have noted if you try and run it
>> with a PIV card, it has some problems, especially with the decryption, as it
>> says the user is not logged in when trying to use the Sign key. The key usage
>> says it should not be used for decryption. With other cards it may have different problems.
>
> Thanks for mentioning pkcs11-tool test mode. I struggled upon it, but
> there were some problems that prevented me from working with that.
> I will check what can be done there.

The pkcs11-tool -t has most of the problems with PIV cards I was solving during the last weeks:

* missing ECDSA mechanisms support (more work)
* C_Verify is not implemented in these cards
* CKA_ALWAYS_AUTHENTICATE is not respected for decryption (well implemented for signing)

The first is expected, the second is a soft fail and the last one is a hard fail letting down the whole test suite (but should be quite an easy fix).

Otherwise it supports most of the general tests, but bundling inside card-specific initializations or bunches of regression tests (theoretically) does not seem like a way to go.

Kind regards,
--
Jakub Jelen
Security Technologies
Red Hat