MD: add msroots file #990
MD: add msroots file #990
Conversation
src/minidriver/minidriver.c
Outdated
| cont->size_key_exchange = prkey_info->field_length; | ||
| else if (prkey_info->usage & USAGE_ANY_SIGN) | ||
| else if ((prkey_info->usage & USAGE_ANY_SIGN) == USAGE_ANY_SIGN) |
There was a problem hiding this comment.
Your change forces both flags to be set: SC_PKCS15_PRKEY_USAGE_SIGN and SC_PKCS15_PRKEY_USAGE_NONREPUDIATION. The current logic only enforced at least one flag to be set. I think this is not intended and your changes about checking the key usage should be removed also in the other cases.
There was a problem hiding this comment.
agreed: this is a breaking change. I think you meant != 0 instead.
There was a problem hiding this comment.
Our JPKI card has two keys:
% pkcs15-tool -D
Private RSA Key [User Authentication Key]
Object Flags : [0x1], private
Usage : [0x4], sign
Private RSA Key [Digital Signature Key]
Object Flags : [0x1], private
Usage : [0x204], sign, nonRepudiation
The first key for authentication such as TLS client auth, and second one for signature.
Also other national cards are roughly similar.
But minidriver would handle both key as signature(set size_sign and not set size_key_exchange)
Is this expected behavior?
Thanks for your comment.
There was a problem hiding this comment.
Yes, exactly. Key exchange = sign + decryption. If it does not decrypt, it is a sign key.
There was a problem hiding this comment.
@vletoux Thanks for your help.
I'll drop the patch.
| @@ -1402,7 +1402,7 @@ md_fs_add_msroot(PCARD_DATA pCardData, struct md_file **head) | |||
| for(ii = 0; ii < cert_num; ii++) { | |||
| struct sc_pkcs15_cert_info *cert_info = (struct sc_pkcs15_cert_info *) prkey_objs[ii]->data; | |||
| if (cert_info->authority) { | |||
| dwret = md_fs_add_file(pCardData, head, "msroot", EveryoneReadUserWriteAc, NULL, 0, NULL); | |||
| dwret = md_fs_add_file(pCardData, head, "msroots", EveryoneReadUserWriteAc, NULL, 0, NULL); | |||
There was a problem hiding this comment.
Although you're certainly right about the documentation, I didn't experience any problems with the current setup, did you? @vletoux do you have an opinion on that?
There was a problem hiding this comment.
@hamano is right: in all my projects, I'm using either szROOT_STORE_FILE or directly the string "msroots". I may have done the typo in my test program and then reported it in the source code. Sorry.
There was a problem hiding this comment.
ok, thanks for your feedback
|
Now, I confirmed that CA certificate are available in "Smart Card Trusted Roots". |
|
OK, thanks |
MSDN spec say "mscp\msroots" not "mscp\msroot".
https://msdn.microsoft.com/windows/hardware/drivers/smartcard/file-system-requirements
I'm testing now.