From: Douglas E E. <dee...@gm...> - 2016-07-04 19:08:03
A quick glance at the web page shows they have been reading NIST 800-73-4, and it looks like they support most of the 800-73-3 features. The History object is supported, in that they will read the on-card retired key management certificates, but not off-card certificates which have on-card keys (as best as I can tell). They also mention ECDH and alwaysAuthenticate for the SIGN_KEY, as per standard.

They don't need to use some of the other objects, like Printed Information or Fingerprints, so there is no need to have code to read them. (The Microsoft PIV driver does not read them either.)

They expect the card to have a Card Capability Container object. (Microsoft expects the card to have a CHUID object.) They and Microsoft use these objects to get the equivalent of a card serial number.

No support for PKCS#11, PKCS#15 or an OpenSSL engine that I can see. Microsoft does not provide these either. So OpenSC still has a niche to fill if these are important for other applications.

As they point out: "This sample demonstrates how to write an extension for CryptoTokenKit framework this is an example, which could be used with other smart cards." And as you said, someone might want to write the equivalent of the Windows minidriver to support smart cards other than PIV.

It's not obvious if or how they handle interference from other smart card middleware running at the same time on the machine, such as CAC middleware or OpenSC, that may change the selected applet or reset the card or security state. It is also not clear if session or transaction locking is used.

Just as on Windows, if you stick with PIV cards and the OS vendor's applications or APIs, you would not need OpenSC at all.

On 7/4/2016 9:25 AM, Ludovic Rousseau wrote:
> Hello,
>
> Apple provides a sample implementation for PIVToken, a token using the
> new API that replaces tokend.
>
> See http://ludovicrousseau.blogspot.fr/2016/07/macos-sierra-and-pivtoken-source-code.html
>
> I guess the "OpenSC project" may want to also provide a token for OpenSC.
>
> I am also interested to know what the PIV experts on this list have to
> say about the sample code provided by Apple.
>
> Bye

-- 
Douglas E. Engert <DEE...@gm...>