opensc-onepin

opensc-onepin

Nikos Mavrogiannopoulos-2
Hello,
 The commit linked below, dropped the pkcs11-onepin additional library
and replaced it with a configuration option.

I am not really aware of how the onepin library was being used, but my
understanding is that it was required in some 'special' smart cards. I
am wondering how that configuration option is expected to work
when one wants to use multiple smart cards in a single system? Is the
idea to have multiple opensc libraries available with different
configuration files?

https://github.com/OpenSC/OpenSC/commit/d1cf65754b9326c09213f151b7ee2f19f4037730#diff-0c902b5507a77653d4597dfeb4e4f80cR440
I've also submitted a pull request that makes clear in the .conf file
what option should be used to get a pkcs11 module that simulates the
onepin:
https://github.com/OpenSC/OpenSC/pull/226

regards,
Nikos

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: opensc-onepin

Martin Paljak-4
Hello,

On 17/03/14 13:01 , Nikos Mavrogiannopoulos wrote:
> Hello, The commit linked below, dropped the pkcs11-onepin
> additional library and replaced it with a configuration option.
Yes, and that was an unfortunate regression.


> I am not really aware of how the onepin library was being used, but
> my understanding is that it was required in some 'special' smart
> cards.

Not with "special smart cards" but with "special applications" like
NSS+Firefox (or generally speaking, NSS, as it also affects Chrome).
While there is some special flag to be used when loading a module into
NSS, the flag doesn't stick across sessions.

https://www.opensc-project.org/opensc/ticket/132

It turned out to work extremely well for eID cards that had
predictable object orders and largely similar requirements with a
single authentication key used most of the time in most use cases
and a digital signature key reserved for legally binding signatures.



> I am wondering how would that configuration option is expected to
> work when one wants to use multiple smart cards in a single system?
> Is the idea to have multiple opensc libraries available with
> different configuration files?

While I agree that the onepin "hack" is far from elegant, it worked
for many users.

The requirement is to have different modules, on a single system, with
different behavior, without requiring the user to do any changes.

This is not possible with a configuration file that changes the whole
OpenSC PKCS#11 module.

I wish it was possible to dynamically check the name how a module was
dlopen()-ed so that one module could be only a symlink, but AFAIK this
is not possible (or even if possible via another hack, not reliable)

It is necessary to fix the regression and I believe the best is to:
1. make "alternative-module" with a complete set of separate options
  and default options that mimics the previous "onepin" module
2. re-create onepin-opensc-pkcs11 as a symlink to the alternative-module.

Another option would be for someone to either patch Mozilla/NSS and/or
explain to their devs why they should either change their defaults or
provide user-visible buttons to switch the behavior if necessary. I
gave up.

It is important to note that by removing libopensc as an external
interface and making PKCS#11 the "public API", removing a module from
a known location/with a known name is a regression that gets noticed
by users ("upgraded, does not work, no manual mentions this, there is
no such file, using an alternative makes serious usability problems").


> https://github.com/OpenSC/OpenSC/commit/d1cf65754b9326c09213f151b7ee2f19f4037730#diff-0c902b5507a77653d4597dfeb4e4f80cR440
>
> I've also submitted a pull request that makes clear in the .conf
> file what option should be used to get a pkcs11 module that
> simulates the onepin: https://github.com/OpenSC/OpenSC/pull/226
>
> regards, Nikos

Cheers,

--
Martin
+372 515 6495


Re: opensc-onepin

Nikos Mavrogiannopoulos
On Mon, 2014-03-17 at 14:26 +0000, Martin Paljak wrote:

> > I am wondering how would that configuration option is expected to
> > work when one wants to use multiple smart cards in a single system?
> > Is the idea to have multiple opensc libraries available with
> > different configuration files?
> While I agree that the onepin "hack" is far from elegant, it worked
> for many users.
>
> The requirement is to have different modules, on a single system, with
> different behavior, without requiring the user to do any changes.
>
> This is not possible with a configuration file that changes the whole
> OpenSC PKCS#11 module.
> I wish it was possible to dynamically check the name how a module was
> dlopen()-ed so that one module could be only a symlink, but AFAIK this
> is not possible (or even if possible via another hack, not reliable)

Actually I think it is possible using dladdr that provides the path (and
name) of the shared object. If I dlopen /lib/x86_64-linux-gnu/libc.so.6,
which is a symlink to /lib/x86_64-linux-gnu/libc-2.17.so in my system, I
see the first path in Dl_info.

This is a glibc extension, but I think it is good enough for the
majority of the onepin uses.

regards,
Nikos

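As an added example of the dladdr()-based approach Nikos describes (this is not OpenSC's own code): the shared object asks the dynamic linker for the name it was loaded under and picks its behaviour from that, so a second module name can be nothing more than a symlink. The "onepin-" basename prefix, the flavor enum and the function names are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

/* Two behaviours selected by the file name the module was loaded as
 * (hypothetical names; not OpenSC's). */
enum module_flavor { FLAVOR_DEFAULT = 0, FLAVOR_ONEPIN = 1 };

/* Pure decision on a path as dladdr() reports it in dli_fname. Only the
 * basename is inspected; the assumed prefix "onepin-" selects the onepin
 * behaviour. NULL or any other name gives the default behaviour. */
enum module_flavor flavor_from_path(const char *path)
{
    if (path == NULL)
        return FLAVOR_DEFAULT;
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    if (strncmp(base, "onepin-", 7) == 0)
        return FLAVOR_ONEPIN;
    return FLAVOR_DEFAULT;
}

/* Ask the dynamic linker which object contains this very function.
 * dli_fname is the name the object was loaded by (on glibc the symlink
 * name, not its target, as observed in the thread). NULL on failure.
 * dladdr() is a glibc/BSD extension, not POSIX. */
const char *own_module_path(void)
{
    Dl_info info;
    if (dladdr((void *)own_module_path, &info) == 0)
        return NULL;
    return info.dli_fname;
}

/* What a PKCS#11 module would call once, e.g. from C_Initialize(). */
enum module_flavor own_flavor(void)
{
    return flavor_from_path(own_module_path());
}

int main(void)
{
    const char *p = own_module_path();
    printf("loaded as: %s -> %s\n", p ? p : "(unknown)",
           own_flavor() == FLAVOR_ONEPIN ? "onepin" : "default");
    return 0;
}
```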

Re: opensc-onepin

Martin Paljak-4

On 17/03/14 18:07 , Nikos Mavrogiannopoulos wrote:

> Actually I think it is possible using dladdr that provides the path
> (and name) of the shared object. If I dlopen
> /lib/x86_64-linux-gnu/libc.so.6, which is a symlink to
> /lib/x86_64-linux-gnu/libc-2.17.so in my system, I see the first
> path in Dl_info.
>
> This is a glibc extension, but I think it is good enough for the
> majority of the onepin uses.

Okay, some googling gave this:

http://libsylph.sourceforge.net/wiki/Full_path_to_binary
This would probably cover Windows, OSX and Linux and thus might be OK.
Need to investigate.

--
Martin
+372 515 6495
