General Questions about PKCS11


General Questions about PKCS11

Josef Windorfer
Hi All,

I have a few basic questions about PKCS11 and the application side of this
specification.

For example, an application uses openssl for authorisation.
Am I right with this flowchart:
|||Application|||--->|||OpenSSL API|||-->|||PKCS11 API|||

The API of openssl describes prototypes with return values and arguments.
The functions of the prototypes themselves use prototypes of pkcs11.
My question is: where can I see which functions of openssl call which
functions of pkcs11?

Thank you for your help.

Kind Regards
Josef
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: General Questions about PKCS11

Alon Bar-Lev
OpenSSL does not use PKCS#11.
OpenSSL provides an interface for external engines.
The engine interface is minimalistic and does not support many
required features, such as fetching certificates.
There are several implementations of a PKCS#11 engine for OpenSSL; one
of them is engine_pkcs11 of OpenSC.

So you have Application->OpenSSL->Engine->PKCS#11

On Wed, Apr 28, 2010 at 9:48 AM, Josef Windorfer
<[hidden email]> wrote:

> Hi All,
>
> I have a few basic questions about PKCS11 and the application side of this
> specification.
>
> For example, an application uses openssl for authorisation.
> Am I right with this flowchart:
> |||Application|||--->|||OpenSSL API|||-->|||PKCS11 API|||
>
> The API of openssl describes prototypes with return values and arguments.
> The functions of the prototypes themselves use prototypes of pkcs11.
> My question is: where can I see which functions of openssl call which
> functions of pkcs11?
>
> Thank you for your help.
>
> Kind Regards
> Josef

Re: General Questions about PKCS11

Andreas Jellinghaus-2
In reply to this post by Josef Windorfer
On Wednesday 28 April 2010 08:48:34, Josef Windorfer wrote:
> Am I right with this flowchart:
> |||Application|||--->|||OpenSSL API|||-->|||PKCS11 API|||
>
> The API of openssl describes prototypes with return values and arguments.
> The functions of the prototypes themselves use prototypes of pkcs11.
> My question is: where can I see which functions of openssl call which
> functions of pkcs11?

Sure. In fact your chain is
app -> openssl -> engine_pkcs11 -> libp11 -> opensc-pkcs11.so
-> libopensc -> winscard.so -> pcscd -> libccid -> kernel -> hardware
-> usb port -> reader -> card.

With this chain you can insert between libp11 and opensc-pkcs11.so
another layer: "pkcs11-spy.so". This is done by
1.) changing openssl.conf / your application code to load
    "pkcs11-spy.so" instead of "opensc-pkcs11.so"
and 2.) setting the PKCS11SPY environment variables to point to
opensc-pkcs11.so (with full path) and setting the other variable
to your log file.

You need to google to find out the exact variables to set on
Linux (they work on Windows too, or you use some registry
key on Windows).

Good luck.

Regards, Andreas
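The two steps above (point the engine at the spy, then tell the spy where the real module and the log file are), worked through as an added example; this is not OpenSC or libp11 code. It assumes that pkcs11-spy reads the real module path from the environment variable PKCS11SPY and the log path from PKCS11SPY_OUTPUT (the names OpenSC's spy uses on Linux; the Windows registry route is not covered here), that the engine_pkcs11 section of openssl.cnf names the module with a MODULE_PATH key, and that the install paths in SPY_MODULE and the sample config are placeholders that differ between distributions. The resulting log is also the answer to the original question of which PKCS#11 functions get called: every C_* call libp11 makes on behalf of OpenSSL is written to PKCS11SPY_OUTPUT.

```python
"""Added example (not OpenSC/libp11 code): wire pkcs11-spy between
engine_pkcs11 and the real PKCS#11 module, as described in the post."""
import os

SPY_MODULE = "/usr/lib/pkcs11-spy.so"  # assumed install path of the spy module


def module_path_from_config(openssl_cnf: str) -> str:
    """Read the MODULE_PATH value from an engine_pkcs11 config section."""
    for line in openssl_cnf.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "MODULE_PATH":
            return value.split("#", 1)[0].strip()  # drop a trailing comment
    raise ValueError("no MODULE_PATH line in config")


def point_config_at_spy(openssl_cnf: str, spy_module: str = SPY_MODULE) -> str:
    """Step 1: make the engine load the spy instead of opensc-pkcs11.so."""
    out, replaced = [], False
    for line in openssl_cnf.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key.strip() == "MODULE_PATH":
            out.append(f"MODULE_PATH = {spy_module}")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        raise ValueError("no MODULE_PATH line in config")
    return "\n".join(out) + "\n"


def spy_environment(real_module: str, log_file: str, require_exists: bool = True) -> dict:
    """Step 2: environment telling pkcs11-spy where the real module is.

    Refuses to point the spy at itself: with PKCS11SPY naming pkcs11-spy.so
    the spy would load itself again instead of reaching opensc-pkcs11.so.
    """
    real = os.path.abspath(real_module)
    if "pkcs11-spy" in os.path.basename(real):
        raise ValueError("PKCS11SPY must name the real module, not the spy")
    if require_exists and not os.path.isfile(real):
        raise FileNotFoundError(real)
    return {"PKCS11SPY": real, "PKCS11SPY_OUTPUT": os.path.abspath(log_file)}


# Constructed sample of an engine_pkcs11 section; paths are placeholders.
SAMPLE_CNF = """[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
init = 0
"""

if __name__ == "__main__":
    real = module_path_from_config(SAMPLE_CNF)
    print(point_config_at_spy(SAMPLE_CNF))
    # Start the application (e.g. openssl) with this environment; every C_*
    # call that engine_pkcs11 makes through libp11 lands in PKCS11SPY_OUTPUT.
    env = dict(os.environ, **spy_environment(real, "/tmp/pkcs11-spy.log",
                                             require_exists=False))
    print(env["PKCS11SPY"], env["PKCS11SPY_OUTPUT"])
```

Keep `require_exists` at its default when wiring a real system: a mistyped PKCS11SPY path otherwise fails only later, inside the spy's own load of the module, with a much less helpful error.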

Maximum Length of Labels and IDs

Josef Windorfer
Hi,

Does someone know the maximum length of the labels of the private key,
public key, card, etc.?
What is the maximum length of the key's ID?

I found in the source code only a length of the files (e.g. pukdf-size).

Thanks!

Kind Regards
Josef

Re: Maximum Length of Labels and IDs

Martin Paljak-2
Hello,

On Jul 28, 2010, at 12:26 PM, Josef Windorfer wrote:
> Does someone know the maximum length of the labels of the private key,
> public key, card, etc.?
> What is the maximum length of the key's ID?
>
> I found in the source code only a length of the files (e.g. pukdf-size).

From the header file for PKCS#15 [1]:
#define SC_PKCS15_MAX_LABEL_SIZE    255
#define SC_PKCS15_MAX_ID_SIZE       255

That's the theoretical global upper limit.

[1] http://www.opensc-project.org/opensc/browser/trunk/src/libopensc/pkcs15.h#L34
--
Martin Paljak
@martinpaljak.net
+3725156495


Re: Maximum Length of Labels and IDs

Josef Windorfer
Hi,

On 14.08.2010 14:43, Martin Paljak wrote:

> Hello,
>
> On Jul 28, 2010, at 12:26 PM, Josef Windorfer wrote:
>> Does someone know the maximum length of the labels of the private key,
>> public key, card, etc.?
>> What is the maximum length of the key's ID?
>>
>> I found in the source code only a length of the files (e.g. pukdf-size).
>
> From the header file for PKCS#15 [1]:
> #define SC_PKCS15_MAX_LABEL_SIZE    255
> #define SC_PKCS15_MAX_ID_SIZE       255
>
> That's the theoretical global upper limit.

I think this is only a theoretical upper limit, because the size of the
files on the card is limited. E.g. for the AODF, 256 bytes will be reserved
(for the Feitian PKI card).

>
> [1] http://www.opensc-project.org/opensc/browser/trunk/src/libopensc/pkcs15.h#L34
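The point made in this reply and the two #defines quoted from pkcs15.h, worked through as an added example that is not OpenSC code: a label or ID can satisfy SC_PKCS15_MAX_LABEL_SIZE / SC_PKCS15_MAX_ID_SIZE and still not fit in the directory file the card has reserved for it. PKCS#15 carries the label as a UTF8String and the key ID as an OCTET STRING inside DER-encoded records, so the example DER-encodes both and compares the record size with the file size. Assumptions: the record layout is a simplified lower bound (SEQUENCE { label, id }; real PrKDF/AODF entries carry more fields, so real records are larger), and the 256-byte DF size is the figure this reply gives for the Feitian card's AODF.

```python
"""Added example (not OpenSC code): header limits vs. on-card file size."""
SC_PKCS15_MAX_LABEL_SIZE = 255  # from pkcs15.h, as quoted in the thread
SC_PKCS15_MAX_ID_SIZE = 255

TAG_OCTET_STRING = 0x04
TAG_UTF8_STRING = 0x0C
TAG_SEQUENCE = 0x30


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form from 128 up."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_label(label: str) -> bytes:
    """Label ::= UTF8String, bounded by the libopensc header limit (in bytes)."""
    raw = label.encode("utf-8")
    if len(raw) > SC_PKCS15_MAX_LABEL_SIZE:
        raise ValueError(f"label is {len(raw)} bytes, limit {SC_PKCS15_MAX_LABEL_SIZE}")
    return der_tlv(TAG_UTF8_STRING, raw)


def encode_id(key_id: bytes) -> bytes:
    """Identifier ::= OCTET STRING, bounded by the libopensc header limit."""
    if len(key_id) > SC_PKCS15_MAX_ID_SIZE:
        raise ValueError(f"id is {len(key_id)} bytes, limit {SC_PKCS15_MAX_ID_SIZE}")
    return der_tlv(TAG_OCTET_STRING, key_id)


def minimal_record(label: str, key_id: bytes) -> bytes:
    """Simplified lower-bound record: SEQUENCE { label, id }.

    Real PrKDF/AODF entries hold further attributes, so this under-estimates
    the true size; anything that fails here fails on the card as well.
    """
    return der_tlv(TAG_SEQUENCE, encode_label(label) + encode_id(key_id))


def df_budget(entries, df_size: int):
    """Bytes needed by all records and whether they fit in a DF of df_size."""
    total = sum(len(minimal_record(label, key_id)) for label, key_id in entries)
    return total, total <= df_size


if __name__ == "__main__":
    feitian_aodf = 256  # DF size this reply gives for that card's AODF
    print(df_budget([("Private Key", b"\x45")], feitian_aodf))          # (18, True)
    # A label at the header's limit passes the libopensc check ...
    at_limit = [("A" * SC_PKCS15_MAX_LABEL_SIZE, b"\x45")]
    # ... but the one record alone is 265 bytes and overflows the 256-byte file.
    print(df_budget(at_limit, feitian_aodf))                             # (265, False)
```

The practical rule that falls out of this: validate against the card's actual DF sizes (what the thread calls pukdf-size and similar) at object-creation time, not only against the two header constants, since the card's file system is what finally rejects an oversized record.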