-
Notifications
You must be signed in to change notification settings - Fork 713
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MD: add msroots file #990
MD: add msroots file #990
Conversation
src/minidriver/minidriver.c
Outdated
cont->size_key_exchange = prkey_info->field_length; | ||
else if (prkey_info->usage & USAGE_ANY_SIGN) | ||
else if ((prkey_info->usage & USAGE_ANY_SIGN) == USAGE_ANY_SIGN) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Your change forces both flags to be set: SC_PKCS15_PRKEY_USAGE_SIGN
and SC_PKCS15_PRKEY_USAGE_NONREPUDIATION
. The current logic only enforced at least one flag to be set. I think this is not intended and your changes about checking the key usage should be removed also in the other cases.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agreed: this is a breaking change. I think you meant != 0 instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Our JPKI card has two keys:
% pkcs15-tool -D
Private RSA Key [User Authentication Key]
Object Flags : [0x1], private
Usage : [0x4], sign
Private RSA Key [Digital Signature Key]
Object Flags : [0x1], private
Usage : [0x204], sign, nonRepudiation
The first key for authentication such as TLS client auth, and second one for signature.
Also other national cards are roughly similar.
But minidriver would handle both key as signature(set size_sign and not set size_key_exchange)
Is this expected behavior?
Thanks for your comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, exactly. Key exchange = sign + decryption. If it does not decrypt, it is a sign key.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@vletoux Thanks for your help.
I'll drop the patch.
@@ -1402,7 +1402,7 @@ md_fs_add_msroot(PCARD_DATA pCardData, struct md_file **head) | |||
for(ii = 0; ii < cert_num; ii++) { | |||
struct sc_pkcs15_cert_info *cert_info = (struct sc_pkcs15_cert_info *) prkey_objs[ii]->data; | |||
if (cert_info->authority) { | |||
dwret = md_fs_add_file(pCardData, head, "msroot", EveryoneReadUserWriteAc, NULL, 0, NULL); | |||
dwret = md_fs_add_file(pCardData, head, "msroots", EveryoneReadUserWriteAc, NULL, 0, NULL); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Although you're certainly right about the documentation, I didn't experience any problems with the current setup, did you? @vletoux do you have an opinion on that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@hamano is right: in all my projects, I'm using either szROOT_STORE_FILE or directly the string "msroots". I may have done the typo in my test program and then reported it in the source code. Sorry.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, thanks for your feedback
Now, I confirmed that CA certificate are available in "Smart Card Trusted Roots". |
OK, thanks |
MSDN spec say "mscp\msroots" not "mscp\msroot".
https://msdn.microsoft.com/windows/hardware/drivers/smartcard/file-system-requirements
I'm testing now.