remove old documentation (replaced by wiki).
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2812 c6295689-39f2-0310-b995-f0e70906c6a9
This commit is contained in:
parent
de4b5c280f
commit
8fac2eaac2
|
@ -1,6 +1,6 @@
|
|||
# Process this file with automake to create Makefile.in
|
||||
|
||||
SUBDIRS = . old
|
||||
SUBDIRS = .
|
||||
|
||||
MAINTAINERCLEANFILES = Makefile.in $(HTML) ChangeLog
|
||||
|
||||
|
@ -14,7 +14,6 @@ XML = $(shell ls $(srcdir)/tools/*.xml $(srcdir)/api/*.xml $(srcdir)/api/*/*.xml
|
|||
index.html:
|
||||
sh $(srcdir)/export-wiki.sh $(srcdir)
|
||||
sh $(srcdir)/generate-man.sh $(srcdir)
|
||||
sh $(srcdir)/old/generate.sh $(srcdir)/old
|
||||
|
||||
ChangeLog:
|
||||
sh $(srcdir)/changelog.sh $(srcdir)
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
# Process this file with automake to create Makefile.in
|
||||
|
||||
XSLTPROC = @XSLTPROC@
|
||||
SOURCE = opensc.xml opensc.xsl opensc-es.xml opensc.css opensc.xsl
|
||||
GENERATE = opensc.html opensc-es.html
|
||||
NILS = init_perso_guide.html init_perso_guide.txt
|
||||
|
||||
MAINTAINERCLEANFILES = Makefile.in $(GENERATE)
|
||||
|
||||
EXTRA_DIST = pkcs-15v1_1.asn $(NILS) $(SOURCE) $(GENERATE) doxygen.conf generate.sh
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
INPUT = ../src/libopensc
|
||||
FILE_PATTERNS = *.h
|
||||
PROJECT_NAME = OpenSC
|
||||
PROJECT_NUMBER = 0.10.0
|
||||
HIDE_UNDOC_MEMBERS = YES
|
||||
SORT_MEMBER_DOCS = NO
|
||||
OPTIMIZE_OUTPUT_FOR_C = YES
|
|
@ -1,22 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
SRCDIR=.
|
||||
|
||||
if test -n "$1"
|
||||
then
|
||||
SRCDIR="$1"
|
||||
fi
|
||||
|
||||
test -f "$SRCDIR"/`basename $0`
|
||||
|
||||
if ! test -w "$SRCDIR"
|
||||
then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
xsltproc -o "$SRCDIR"/opensc.html "$SRCDIR"/opensc.xsl "$SRCDIR/"opensc.xml
|
||||
tidy -im -utf8 -xml "$SRCDIR"/opensc.html || true
|
||||
xsltproc -o "$SRCDIR"/opensc-es.html "$SRCDIR"/opensc.xsl "$SRCDIR"/opensc-es.xml
|
||||
tidy -im -utf8 -xml "$SRCDIR"/opensc-es.html || true
|
|
@ -1,466 +0,0 @@
|
|||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html><head>
|
||||
<meta content="text/html; charset=ISO-8859-1" http-equiv="content-type"><title>init_perso_guide</title></head>
|
||||
|
||||
<body>
|
||||
<h1>OpenSC card init and perso guide</h1>
|
||||
<h2>1. Introduction</h2>
|
||||
<div style="text-align: center;"><span style="font-style: italic;">Nothing
|
||||
is impossible for the man who doesn't</span><br style="font-style: italic;">
|
||||
|
||||
<span style="font-style: italic;">have
|
||||
to do it himself. -- A.H. Weiler</span><br>
|
||||
</div>
|
||||
<br>
|
||||
This guide is about initialising and personalising (no distinction
|
||||
made) cards with the OpenSC library and tools (mostly pkcs15-init).<br>
|
||||
<br>
|
||||
Some knowlegde about smart cards is assumed. Below is a short overview
|
||||
of some key words and concepts. For more info, see the opensc.html
|
||||
manual.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Filesystem - MF - DF - EF - FID</span><br>
|
||||
A smart cards has a non-volatile memory (EEPROM) in which usually
|
||||
a PC-like file system is implemented. The directories are called
|
||||
Dedicated Files (DF) and the files are called Elementary Files (EF).
|
||||
They are
|
||||
identified by a File ID (FID) on 2 bytes. For example, the root of
|
||||
the file system
|
||||
(called Master File or MF) has FID = 3F 00 (hex).<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Commands - APDUs</span><br>
|
||||
It is possible to send commands (APDUs) to the card to select, read,
|
||||
write, create, list, delete, ... EFs and DFs (not all cards allow all
|
||||
commands).<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Access control, PIN, PUK</span><br>
|
||||
The file system usually implements some sort of access control on EFs
|
||||
and DFs.<br>
|
||||
This is usually done by PINs or Keys: you have to provide a PIN or show
|
||||
knowledge of a key before you can perform some command on some EF/DF. A
|
||||
PIN is usually accompanied by a PUK (Pin Unblock Key), which can be
|
||||
used to
|
||||
reset (or unblock) that PIN.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Cryptographic keys</span><br>
|
||||
On crypto cards, it is also possible to sign, decrypt, key(pair)
|
||||
generation (what can be done exactly depends on the card). on some
|
||||
cards, key
|
||||
and/or PINs are files in the filesystem, on other cards, they don't
|
||||
exist in the filesystem but are referenced through an ID.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Reader - PC/SC - OpenCT - CT-API</span><br>
|
||||
Smart card readers come with a library that can be used on a PC to send
|
||||
APDUs to the card. Commonly used APIs for those libraries are PC/SC,
|
||||
OpenCT
|
||||
and CT-API.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">PKCS15</span><br>
|
||||
There are standards (e.g. ISO7816, parts 4-...) that specify how to
|
||||
select, read, write, EFs and DFs, and how to sign, decrypt, login, ...<br>
|
||||
However, there is also a need to know which files contain what, or
|
||||
where the keys, PINs, .. can be found.<br>
|
||||
For crypto cards, PCKS15 adresses this need by defining some files that
|
||||
contain info on where to find keys, certificates, PINs, and other data.
|
||||
For
|
||||
example, there is a PrKDF (Private Key Directory File) that contains
|
||||
the EFs or
|
||||
ID of the private keys, what those keys can be used for, by which PINs
|
||||
they
|
||||
are protected, ... So a "PCKS15 card" is nothing but any other card on
|
||||
which the right set
|
||||
of files has been added.<br>
|
||||
In short: PKCS15 allows you to describe where to find PINS, keys,
|
||||
certificates and data on a card, plus all the info that is needed to
|
||||
use them.<br>
|
||||
<h3>A little PKCS15 example:</h3>
|
||||
Here's the textual contents of 3 PKCS15 files: the AODF (Authentication
|
||||
Object Directory File), PrKDF (Private Key Directory File) and CDF
|
||||
(Certificate Directory File) that contain info on resp. the PINs,
|
||||
private keys and certificates. Each of them contains 1 entry.<br>
|
||||
<br>
|
||||
AODF:
|
||||
<pre> Com. Flags : private, modifiable<br> Auth ID : 01<br> Flags : [0x32], local, initialized, needs-padding<br> Length : min_len:4, max_len:8, stored_len:8<br> Pad char : 0x00<br> Reference : 1<br> Encoding : ASCII-numeric<br> Path : 3F005015<br></pre>
|
||||
PrKDF:
|
||||
<pre> Com. Flags : private, modifiable<br> Com. Auth ID: 01<br> Usage : [0x32E], decrypt, sign, signRecover, unwrap, derive, nonRep<br> Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local<br> ModLength : 1024<br> Key ref : 0<br> Native : yes<br> Path : 3F00501530450012<br> ID : 45<br></pre>
|
||||
X.509 Certificate [/C=BE/ST=...]
|
||||
<pre> Com. Flags : modifiable<br> Authority : no<br> Path : 3f0050154545<br> ID : 45</pre>
|
||||
Some things to note:<br>
|
||||
<ul>
|
||||
<li>The Auth ID (01) of the private key is the same as the one of the
|
||||
PIN which
|
||||
means
|
||||
that you first have to do a login with this PIN before
|
||||
you can use this key.</li>
|
||||
<li>The key is in an EF with ID = 0012 in the DF with ID = 3045,
|
||||
which
|
||||
on it is turn is a DF with ID 5015, which on it is turn is a DF of
|
||||
the MF (3F00).</li>
|
||||
<li>The private key and certificates share the same ID (45), which
|
||||
means that they
|
||||
belong together.</li>
|
||||
<li>The certificate is in the EF with as path: 3F00\5015\3045
|
||||
and is no CA
|
||||
certificate.</li>
|
||||
</ul>
|
||||
Use the <span style="font-weight: bold;">tests/p15dump</span> tool to
|
||||
see yourself what pkcs15 data is on your card, or <span style="font-weight: bold;">tools/opensc-explorer</span> to browse
|
||||
through the files.<br>
|
||||
<br>
|
||||
Have the PKCS15 files a fixed place so everyone can find them? No,
|
||||
there's only one: the EF(DIR) in the MF and with ID 2F00. That's the
|
||||
starting
|
||||
place.<br>
|
||||
<br>
|
||||
<h2>2. The OpenSC pkcs15-init library and profiles</h2>
|
||||
Reading and writing files, PIN verification, signing and decryption
|
||||
happen in much the same way on all cards. Therefore, the "normal life"
|
||||
commands have been implemented in OpenSC for all supported cards.<br>
|
||||
<br>
|
||||
However, creating and deleting files, PINs and keys is very card
|
||||
specific and has not yet been implemented for all cards.
|
||||
Currently, pkcs15-init is implemented for: Cryptoflex, Cyberflex,
|
||||
CardOS (etoken), GPK, Miocos, Starcos JCOP and Oberthur. (Check
|
||||
src/pkcs15-init/pkcs15-*.c for possible updates). Because of this, and
|
||||
because
|
||||
pkcs15-init is not necessary for "normal life" operations, it has been
|
||||
put in a separate library and in a separate directory.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Profile</span><br>
|
||||
Because the initialisation/personalisation is so card-specific, it
|
||||
would be very hard to make a tool or API that accepts all parameters
|
||||
for all current and future cards.<br>
|
||||
Therefore, a profile file has been made in OpenSC that contains all the
|
||||
card-specific parameters. This card-specific profile is read by
|
||||
card-specific code in the pkcs15-init library each time this library is
|
||||
used on
|
||||
that card.<br>
|
||||
See the *.profile files in src/pkcs15-init/. There is one general file
|
||||
(pkcs15.profile) and one card-specific profile for each card.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Profile options</span><br>
|
||||
There are currently 3 options you can specify to modify a profile:<br>
|
||||
<ul>
|
||||
<li>default: creation/deletion/generation is controlled by the SO PIN
|
||||
(SO = Security Officer, different from the regular user of the card)</li>
|
||||
<li>onepin: creation/deletion/generation is controlled by the user
|
||||
PIN and thus by the user. As a result, only 1 user PIN is possible</li>
|
||||
<li>small: like default, but suitable for card with little memory</li>
|
||||
</ul>
|
||||
<h2>3. pkcs15-init tool</h2>
|
||||
This is a command-line tool that uses the pkcs15-init library. It
|
||||
allows you to do all the init/perso things, e.g. add/delete keys,
|
||||
certificates, PINs and data, generate keys, ... while specifying key
|
||||
usage, which PIN protects which key, ...<br>
|
||||
<br>
|
||||
As said before, not all cards are supported in the pkcs15-init library.
|
||||
In
|
||||
that case, the pkcs15-init tool won't work (top 5 questions on the
|
||||
mailing list:-). To find out which card you have, try "<span style="font-style: italic;">opensc-tool -n</span>"<br>
|
||||
<br>
|
||||
Below is explained how to do the operations that are supported by
|
||||
pkcs15-tool.<br>
|
||||
Not all options are explained (run "<span style="font-style: italic;">pkcs15-tool
|
||||
-h</span>" to see them) because some are card-specific or obsolete (or
|
||||
we don't know about them). Feel free to experiment and explain them
|
||||
here.<br>
|
||||
<br>
|
||||
So the things in this section are fairly general but not guaranteed to
|
||||
work for all cards. See also the section on "card-specific issues".<br>
|
||||
<br>
|
||||
The --reader or -r can be given with any command. By default the first
|
||||
reader is used. Do "<span style="font-style: italic;">opensc-tool -l</span>"
|
||||
to see the list of available readers.<br>
|
||||
<br>
|
||||
To see the results of what you did, you can do one of the following:<br>
|
||||
<span style="font-style: italic;">pkcs15-tool --list-pins
|
||||
--list-public-keys -k -c -C</span><br>
|
||||
<span style="font-style: italic;">p15dump</span> (in the
|
||||
src/tests directory)<br>
|
||||
To see/dump the content of any file, use the <span style="font-style: italic;">opensc-explorer</span> tool.<br>
|
||||
<h3>* Create the PKCS15 files</h3>
|
||||
<span style="font-style: italic;">pkcs15-init
|
||||
-C {-T} {-p <profile>} </span><span style="font-style: italic;">--so-pin
|
||||
<PIN> --so-puk <PUK> | --no-so-pin | --pin <PIN>
|
||||
--puk <PUK><br>
|
||||
<br>
|
||||
</span>This will create the PKCS15 DF (5015) and all the PKCS15 files
|
||||
(some of which will be empty until a key, PIN, ... will be added). It
|
||||
must be done before you can do any of the operations below.<br>
|
||||
<ul>
|
||||
<li>This operation usually requires a 'transport' key. pkcs15-init
|
||||
will ask you for this key and propose the default one for that card.
|
||||
With -T, the default will be used without asking. NOTE: if you get a
|
||||
"Failed to erase card: PIN code or key incorrect", the transport key is
|
||||
wrong. Find this key and then try again, DO NOT try the default key
|
||||
again!</li>
|
||||
<li>If you want an SO PIN and PUK, do so with the --so-pin and
|
||||
--so-puk options, or specify --no-so-pin if you don't want to. If you
|
||||
use
|
||||
the onpin profile, there is no SO PIN so you should specify --pin and
|
||||
--puk instead. (So you get: pkcs15-init -CT -p pkcs15+onepin --pin
|
||||
<PIN> --puk <PUK>)</li>
|
||||
<li>To specify the profile file + option. The profile file can only
|
||||
be "pkcs15" for the moment, so you can have:<br>
|
||||
pkcs15+default : the default (not needed to
|
||||
specify it)<br>
|
||||
pkcs15+onepin: for the onepin profile
|
||||
option<br>
|
||||
pkcs15+small: for the small
|
||||
profile option</li>
|
||||
</ul>
|
||||
<h3>* Erase the card's content</h3>
|
||||
<span style="font-style: italic;">pkcs15-init
|
||||
-E {-T}</span><br>
|
||||
<br>
|
||||
This will delete all keys, PINS, certificates, data that were listed in
|
||||
PKCS15
|
||||
files, along with the PKCS15 files themselves.<br>
|
||||
<ul>
|
||||
<li>This operation usually requires a 'transport' key. pkcs15-init
|
||||
will ask you for this key and propose the default one for that card.
|
||||
With -T, the default will be used without asking. NOTE: if you get a
|
||||
"Failed to erase card: PIN code or key incorrect", the transport key is
|
||||
wrong. Find this key and then try again, DO NOT try the default key
|
||||
again!</li>
|
||||
</ul>
|
||||
Note: you can combine erase/create (-E -C or -EC) to erase and then
|
||||
create<br>
|
||||
the card's contents, except when you change the profile option.<br>
|
||||
<h3>* Add a PIN (not possible with the onepin profile option)</h3>
|
||||
<span style="font-style: italic;">pkcs15-init
|
||||
-P {-a <AuthID>} {--pin <PIN>} {--puk <PUK>} {-l
|
||||
<label>}</span><br>
|
||||
<ul>
|
||||
<li>You can specify the AuthID with -a, if you don't do so, a value
|
||||
that didn't exist yet on the card will be chosen.</li>
|
||||
<li>Specify the PIN and PUK with --pin and --puk, if you don't do so,
|
||||
the tool will prompt you for one.</li>
|
||||
<li>Specify the label (name) of the PIN with -l, or accept the
|
||||
default label.</li>
|
||||
</ul>
|
||||
<h3>* Generate a key pair (on card or in software on the PC)</h3>
|
||||
<span style="font-style: italic;">pkcs15-init
|
||||
-G <keyspec> -a <AuthID> --insecure {-i <ID>}
|
||||
{--soft}{-u <keyusage>}{-l <privkeylabel>}
|
||||
{--public-key-label <pubkeylabel>}</span><br>
|
||||
<br>
|
||||
This will generate a public and private key pair.<br>
|
||||
<ul>
|
||||
<li>The keyspec consist of the key type, rsa or dsa (depends on what
|
||||
your cards supports), and optinally a slash followed by the keysize in
|
||||
bits. E.g. "rsa/1024" specifies a 1024 bit RSA key pair. Note: dsa is
|
||||
not
|
||||
fully supported.</li>
|
||||
<li>Specify the AuthID of the PIN that protects this key (from being
|
||||
used in a signature or decryption operation) with -a; or specify
|
||||
--insecure if you want the private key to be used without first
|
||||
providing a PIN.</li>
|
||||
<li>Specify the ID of the key with -i, otherwise the tool with choose
|
||||
one.</li>
|
||||
<li>Specify --soft if you don't want the key pair to be generated
|
||||
on-chip.</li>
|
||||
<li>Specify the usage of the private key with -u; if you add a
|
||||
corresponding certificate later, it should have the same key usage. (Do
|
||||
"pkcs15-init -u help" for help).</li>
|
||||
<li>Specify the label (name) of the private key with -l, or accept
|
||||
the default label.</li>
|
||||
<li>Specify the label (name) of the public key with
|
||||
--public-key-label, or accept the default label if you don't do so.</li>
|
||||
<li>Depending on your card and profile option, you will be prompted
|
||||
to provide your SO PIN and/or PIN; if you don't want to be prompted,
|
||||
add them to the command line with --so-pin <SOPIN> and/or --pin
|
||||
<PIN>.</li>
|
||||
</ul>
|
||||
NOTE: see the SSL engines (below) on how to make a certificate request
|
||||
with the key you generated.<br>
|
||||
<h3>* Add a private key</h3>
|
||||
<span style="font-style: italic;">pkcs15-init
|
||||
-S <keyfile> {-f <keyformat>} -a <AuthID> --insecure
|
||||
{-i <ID>} {-u <keyusage>} {--passphrase <password>}
|
||||
{-l <label>}</span><br>
|
||||
<ul>
|
||||
<li>The keyfile should be in DER (binary) or PEM format.</li>
|
||||
<li>The keyformat should be PEM (default) or DER.</li>
|
||||
<li>Specify the AuthID of the PIN that protects this key (from being
|
||||
used in a signature or decryption operation) with -a; or specify
|
||||
--insecure if you want the private key to be used without first
|
||||
providing a PIN.</li>
|
||||
<li>Specify the ID of the key with -i</li>
|
||||
<>Specify the usage of the private key with -u; if you add a
|
||||
corresponding certificate later, it should have the same key usage. (Do
|
||||
"pkcs15-init -u help" for help). <li>Specify the label (name) of
|
||||
the with -l, or accept the
|
||||
default label.</li>
|
||||
<li>Depending on your card and profile option, you will be prompted
|
||||
to provide your SO PIN and/or PIN; if you don't want to be prompted,
|
||||
add them to the command line with --so-pin <SOPIN> and/or --pin
|
||||
<PIN>.</li>
|
||||
</ul>
|
||||
<h3>* Add a private key + certificate(s) (in a pkcs12 file)</h3>
|
||||
<span style="font-style: italic;">pkcs15-init
|
||||
-S <pkcs12file> -f PKCS12 -a <AuthID> {--insecure} {-i
|
||||
<ID>} {-u <keyusage>} {--passphrase <password>} {-l
|
||||
<privkeylabel>} {--cert-label <usercertlabel>}</span><br>
|
||||
<br>
|
||||
This adds the private key and certificate chain to the card. If a
|
||||
certificate already exists on the card, it won't be added again.<br>
|
||||
<ul>
|
||||
<li>Specify the AuthID of the PIN that protects this key (from being
|
||||
used in a signature or decryption operation) with -a; or specify
|
||||
--insecure if you want the private key to be used without first
|
||||
providing a PIN.</li>
|
||||
<li>Specify the ID of the key and the corresponding certificate with
|
||||
-i,
|
||||
otherwise the tool with choose one; only the 'user cert' will get the
|
||||
same ID as the key, the other certificates will get 'authority' status
|
||||
and
|
||||
another ID.</li>
|
||||
<li>You can specify the key-usage, but it is not advised to do this
|
||||
so the key usage from the certificate is used.</li>
|
||||
<li>Specify the password of the pkcs12 key file if you don't want to
|
||||
be prompted for one.</li>
|
||||
<li>Specify the label (name) of the private key with -l, or accept
|
||||
the default label.</li>
|
||||
<li>Specify the label (name) of the user certificate with
|
||||
--cert-label, or accept the default label.</li>
|
||||
<li>Depending on your card and profile option, you will be prompted
|
||||
to provide your SO PIN and/or PIN; if you don't want to be prompted,
|
||||
add them to the command line with --so-pin <SOPIN> and/or --pin
|
||||
<PIN>.</li>
|
||||
</ul>
|
||||
<h3>* Add a certificate</h3>
|
||||
<span style="font-style: italic;">
|
||||
pkcs15-init -W <certfile> {-f <certformat>} {-i <ID>}
|
||||
{--authority}</span><br>
|
||||
<ul>
|
||||
<li>The certfile should be in DER (binary) or PEM format</li>
|
||||
<li>The certformat should be PEM (default) or DER</li>
|
||||
<li>Specify the ID of the certificate with -i, otherwise the tool
|
||||
with
|
||||
choose one; if the certificate corresponds to a private and/or public
|
||||
key, you
|
||||
should specify the same ID as that key.</li>
|
||||
<li>Specify --authority if it is a CA certificate.</li>
|
||||
<li>Depending on your card and profile option, you will be prompted
|
||||
to
|
||||
provide your SO PIN and/or PIN; if you don't want to be prompted, add
|
||||
them to the command line with --so-pin <SOPIN> and/or --pin
|
||||
<PIN>.</li>
|
||||
</ul>
|
||||
<h3>* Add a public key</h3>
|
||||
<span style="font-style: italic;">pkcs15-init
|
||||
--store-public-key <keyfile> {-f <keyformat>} {-i
|
||||
<ID>} {-l <label>}</span><br>
|
||||
<ul>
|
||||
<li>The keyfile should be in DER (binary) or PEM format</li>
|
||||
<li>The keyformat should be PEM (default) or DER</li>
|
||||
<li>Specify the ID of the key with -i, otherwise the tool with choose
|
||||
one; if the key corresponds to a private key and/or certificate, you
|
||||
should
|
||||
specify the same ID as that private key and/or certificate.</li>
|
||||
<li>Specify the label (name) of the with -l, or accept the
|
||||
default label.</li>
|
||||
<li>Depending on your card and profile option, you will be prompted
|
||||
to
|
||||
provide your SO PIN and/or PIN; if you don't want to be prompted, add
|
||||
them to the command line with --so-pin <SOPIN> and/or --pin
|
||||
<PIN>.</li>
|
||||
</ul>
|
||||
<h3>* Add data</h3>
|
||||
<span style="font-style: italic;">pkcs15-init
|
||||
-W <datafile> {-i <ID>} {-l <label>}</span><br>
|
||||
<ul>
|
||||
<li>The datafile is stored "as is" onto the card.</li>
|
||||
<li>Specify the ID of the data with -i, or accept the default ID.</li>
|
||||
<li>Specify the label (name) of the with -l, or accept the
|
||||
default label.</li>
|
||||
<li>Depending on your card and profile option, you will be prompted
|
||||
to
|
||||
provide your SO PIN and/or PIN; if you don't want to be prompted, add
|
||||
them to the command line with --so-pin <SOPIN> and/or --pin
|
||||
<PIN>.</li>
|
||||
</ul>
|
||||
<h2>4. Other tools</h2>
|
||||
<h3>* SSL-engines</h3>
|
||||
These libraries can be loaded in OpenSSL so you can do a certificate
|
||||
request with the openssl tool; the signature on the certificate request
|
||||
will
|
||||
then be made with the smart card. The result can then be sent to a CA
|
||||
for certification, the resulting certificate can be put on the card
|
||||
with
|
||||
pkcs15-init or pkcs11-tool.<br>
|
||||
<ul>
|
||||
<li>Run openssl</li>
|
||||
<li>On the openssl command prompt, type<br>
|
||||
<span style="font-style: italic;">engine dynamic
|
||||
-pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD</span><br>
|
||||
or<br>
|
||||
<span style="font-style: italic;">engine dynamic
|
||||
-pre
|
||||
SO_PATH:engine_opensc -pre ID:opensc -pre LIST_ADD:1 -pre LOAD</span><br>
|
||||
depending on which one of the 2 engines (pkcs11 or opensc) you want to
|
||||
use.</li>
|
||||
</ul>
|
||||
<ul>
|
||||
<li>Then type (on the openssl command prompt)<br>
|
||||
<span style="font-style: italic;">req -engine
|
||||
pkcs11 -new -key <ID> -keyform engine -out <cert_req></span><br>
|
||||
or<span style="font-style: italic;"><br>
|
||||
</span><span style="font-style: italic;">
|
||||
req -engine opensc -new -key <ID> -keyform engine -out
|
||||
<cert_req></span><br>
|
||||
in which ID is the slot+ID in the following format:<br>
|
||||
<span style="font-style: italic;">[slot_<slotID>][-][id_<ID>]</span>,
|
||||
e.g. <span style="font-style: italic;">id_45</span> or <span style="font-style: italic;">slot_0-id_45</span><br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>* pkcs11-tool and Mozilla/Netscape</h3>
|
||||
You can use the OpenSC pkcs11 library to generate a keypair in Mozilla
|
||||
or Netscape, and let the browser generate a certificate request that
|
||||
is sent to an on-line CA to issue and send you a certificate that is
|
||||
then added to the card.<br>
|
||||
<br>
|
||||
Just go to an online CA (Globalsign, Thawte, ...) and follow their
|
||||
guidelines. Because such a request either costs you or at least
|
||||
requires you to provide a valid mail address, it is advisable to first
|
||||
try you card with "<span style="font-weight: bold;">pkcs11-tool
|
||||
--moz-cert
|
||||
<cert_file_in_der_format> --login</span>".<br>
|
||||
<br>
|
||||
NOTE: This can only be done with the onepin profile option (because the
|
||||
browser won't ask for an SO PIN, only for the user PIN).<br>
|
||||
<br>
|
||||
<h2>5. Card-specific issues</h2>
|
||||
<div style="text-align: center;"><span style="font-style: italic;">Experience
|
||||
is that marvelous thing that enables you to recognize</span><br style="font-style: italic;">
|
||||
<span style="font-style: italic;">a mistake when you make it again. --
|
||||
Franklin P. Jones</span><br>
|
||||
</div>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Cryptoflex:</span><br>
|
||||
<ul>
|
||||
<li>DFs and EFs in a DF have to be deleted in reverse order of
|
||||
creation.<br>
|
||||
OpenSC relies on this fact for security, but also has some downsides.
|
||||
For example, if you did a "pkcs15-init -C" and then added some EFs or
|
||||
DFs in the MF, you won't be able to do a "pkcs15-init -E" afterwards to
|
||||
remove the PKCS15 DF (5015). So you'll first have to manually remove
|
||||
all EFs/DFs you created in the MF before being able remove the pkcs15
|
||||
DF.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<span style="font-weight: bold;">Starcos SPK 2.3:</span><br>
|
||||
<ul>
|
||||
<li>Due to the way Starcos SPK 2.3 manages access rights it is
|
||||
necessary to manually call "pkcs15-init --finalize" after card
|
||||
personalization if no SO-PIN has been specified. Once the card has been
|
||||
finalized it is no possible to add new private/secrets keys or PINs. If
|
||||
a SO-PIN is used the card will automatically be finalized after the
|
||||
SO-PIN has been stored.</li>
|
||||
<li>If an SO-PIN is used and if there is enough space in the key file
|
||||
left, then the owner of the SO-PIN can access/use every protected item
|
||||
by creating a PIN for the necessary state.</li>
|
||||
</ul>
|
||||
<br>
|
||||
</body></html>
|
|
@ -1,380 +0,0 @@
|
|||
1. Introduction
|
||||
===============
|
||||
|
||||
Nothing is impossible for the man who doesn't
|
||||
have to do it himself. -- A.H. Weiler
|
||||
|
||||
This guide is about initialising and personalising (no distinction made) cards
|
||||
with the OpenSC library and tools (mostly pkcs15-init).
|
||||
|
||||
Some knowlegde about smart cards is assumed. Below is a short overview of some
|
||||
key words and concepts. For more info, see the opensc.html manual.
|
||||
|
||||
Filesystem - MF - DF - EF - FID
|
||||
A smart cards has a non-volatile memory (EEPROM) in which usually a
|
||||
PC-like file system is implemented. The directories are called Dedicated Files
|
||||
(DF) and the files are called Elementary Files (EF). They are identified by a
|
||||
a File ID (FID) on 2 bytes. For example, the root of the file system (called
|
||||
Master File or MF) has FID = 3F 00 (hex).
|
||||
|
||||
Commands - APDUs
|
||||
It is possible to send commands (APDUs) to the card to select, read, write,
|
||||
create, list, delete, ... EFs and DFs (not all cards allow all commands).
|
||||
|
||||
Access control, PIN, PUK
|
||||
The file system usually implements some sort of access control on EFs and DFs.
|
||||
This is usually done by PINs or Keys: you have to provide a PIN or show
|
||||
knowledge of a key before you can perform some command on some EF/DF. A PIN
|
||||
is usually accompanied by a PUK (Pin Unblock Key), which can be used to reset
|
||||
(or unblock) that PIN.
|
||||
|
||||
Cryptographic keys
|
||||
On crypto cards, it is also possible to sign, decrypt, generate a key pair
|
||||
(what can be done exactly depends on the card). on some cards, key and/or PINs
|
||||
are files in the filesystem, on other cards, they don't exist in the
|
||||
filesystem but are referenced through an ID.
|
||||
|
||||
Reader - PC/SC - OpenCT - CT-API
|
||||
Smart card readers come with a library that can be used on a PC to send APDUs
|
||||
to the card. Commonly used APIs for those libraries are PC/SC, OpenCT and
|
||||
CT-API.
|
||||
|
||||
PKCS15
|
||||
There are standards (e.g. ISO7816, parts 4-...) that specify how to select,
|
||||
read, write, EFs and DFs, and how to sign, decrypt, login, ...
|
||||
However, there is also a need to know which files contain what, or where the
|
||||
keys, PINs, .. can be found.
|
||||
For crypto cards, PCKS15 adresses this need by defining some files that contain
|
||||
info on where to find keys, certificates, PINs, and other data. For example,
|
||||
there is a PrKDF (Private Key Directory File) that contains the EFs or ID of
|
||||
the private keys, what those keys can be used for, by which PINs they are
|
||||
protected, ...
|
||||
So a "PCKS15 card" is nothing but any other card on which the right set of
|
||||
files has been added.
|
||||
In short: PKCS15 allows you to describe where to find PINs, keys, certificates
|
||||
and data on a card, plus all the info that is needed to use them.
|
||||
|
||||
A little PKCS15 example:
|
||||
|
||||
Here's the textual contents of 3 PKCS15 files: the AODF (Authentication
|
||||
Object Directory File), PrKDF (Private Key Directory File) and CDF
|
||||
(Certificate Directory File) that contain info on resp. the PINs, private
|
||||
keys and certificates. Each of them contains 1 entry.
|
||||
|
||||
AODF:
|
||||
Com. Flags : private, modifiable
|
||||
Auth ID : 01
|
||||
Flags : [0x32], local, initialized, needs-padding
|
||||
Length : min_len:4, max_len:8, stored_len:8
|
||||
Pad char : 0x00
|
||||
Reference : 1
|
||||
Encoding : ASCII-numeric
|
||||
Path : 3F005015
|
||||
|
||||
PrKDF:
|
||||
Com. Flags : private, modifiable
|
||||
Com. Auth ID: 01
|
||||
Usage : [0x32E], decrypt, sign, signRecover, unwrap, derive, nonRep
|
||||
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
|
||||
ModLength : 1024
|
||||
Key ref : 0
|
||||
Native : yes
|
||||
Path : 3F00501530450012
|
||||
ID : 45
|
||||
|
||||
X.509 Certificate [/C=BE/ST=...]
|
||||
Com. Flags : modifiable
|
||||
Authority : no
|
||||
Path : 3f0050154545
|
||||
ID : 45
|
||||
|
||||
Some things to note:
|
||||
- The Auth ID (01) of the private key is the same as the one of the PIN which
|
||||
means that you first have to do a login with this PIN before you can use
|
||||
this key.
|
||||
- The key is in an EF with ID = 0012 in the DF with ID = 3045, which on its
|
||||
turn is a DF with ID = 5015, which on its turn is a DF of the MF (3F00).
|
||||
- The private key and certificate share the same ID (45), which means that they
|
||||
belong together.
|
||||
- The cert is in the EF with as path: 3F00\5015\4545 and is no CA cert.
|
||||
|
||||
Use the tests/p15dump tool to see yourself what pkcs15 data is on
|
||||
your card, or tools/opensc-explorer to browse through the files.
|
||||
|
||||
Have the PKCS15 files a fixed place so everyone can find them? No, there's
|
||||
only one: the EF(DIR) in the MF and with ID 2F00. That's the starting place.
|
||||
|
||||
|
||||
2. The OpenSC pkcs15-init library and profiles
|
||||
==============================================
|
||||
|
||||
Reading and writing files, PIN verification, signing and decryption happen in
|
||||
much the same way on all cards. Therefore, the "normal life" commands have
|
||||
been implemented in OpenSC for all supported cards.
|
||||
|
||||
However, creating and deleting files, PINs and keys is very card specific and
|
||||
has not yet been implemented for all cards. Currently, pkcs15-init is
|
||||
implemented for: Cryptoflex, Cyberflex, CardOS (etoken), GPK, Miocos, Starcos
|
||||
JCOP and Oberthur. (Check src/pkcs15init/pkcs15-*.c for possible updates).
|
||||
Because of this, and because pkcs15-init is not necessary for "normal life"
|
||||
operations, it has been put in a separate library and in a separate directory.
|
||||
|
||||
Profile
|
||||
Because the initialisation/personalisation is so card-specific, it would be
|
||||
very hard to make a tool or API that accepts all parameters for all current
|
||||
and future cards. Therefore, a profile file has been made in OpenSC that
|
||||
contains all the card-specific parameters. This card-specific profile is read
|
||||
by card-specific code in the pkcs15-init library each time this library is
|
||||
used on that card.
|
||||
See the *.profile files in src/pkcs15init/. There is one general file
|
||||
(pkcs15.profile) and one card-specific profile for each card.
|
||||
|
||||
Profile options
|
||||
There are currently 3 options you can specify to modify a profile:
|
||||
- default: creation/deletion/generation is controlled by the SO PIN (SO =
|
||||
Security Officer, different from the regular user of the card)
|
||||
- onepin: creation/deletion/generation is controlled by the user PIN and thus
|
||||
by the user. As a result, only 1 user PIN is possible
|
||||
- small: like default, but suitable for card with little memory
|
||||
|
||||
|
||||
3. pkcs15-init tool
|
||||
===================
|
||||
|
||||
This is a command-line tool that uses the pkcs15-init library. It allows you
|
||||
to do all the init/perso things, e.g. add/delete keys, certificates, PINs and
|
||||
data, generate keys, ... while specifying key usage, which PIN protects
|
||||
which key, ...
|
||||
|
||||
As said before, not all cards are supported in the pkcs15-init library. In that
|
||||
case, the pkcs15-init tool won't work (top 5 questions on the mailing list :-).
|
||||
To find out which card you have, try "opensc-tool -n"
|
||||
|
||||
Below is explained how to do the operations that are supported by pkcs15-tool.
|
||||
Not all options are explained (run "pkcs15-tool -h" to see them) because some
|
||||
are card-specific or obsolete (or we don't know about them). Feel free to
|
||||
experiment and explain them here.
|
||||
|
||||
So the things in this section are fairly general but not guaranteed to work
|
||||
for all cards. See also the section on "card-specific issues".
|
||||
|
||||
The --reader or -r can be given with any command. By default the first reader
|
||||
is used. Do "opensc-tool -l" to see the list of available readers.
|
||||
|
||||
To see the results of what you did, you can do one of the following:
|
||||
pkcs15-tool --list-pins --list-public-keys -k -c -C
|
||||
p15dump (in the src/tests directory)
|
||||
To see/dump the content of any file, use the opensc-explorer tool.
|
||||
|
||||
* Create the PKCS15 files
|
||||
pkcs15-init -C {-T} {-p <profile>}
|
||||
--so-pin <PIN> --so-puk <PUK> | --no-so-pin | --pin <PIN> --puk <PUK>
|
||||
This will create the PKCS15 DF (5015) and all the PKCS15 files (some of which
|
||||
will be empty until a key, PIN, ... will be added). It must be done before you
|
||||
can do any of the operations below.
|
||||
- This operation usually requires a 'transport' key. pkcs15-init will ask you
|
||||
for this key and propose the default one for that card. With -T, the default
|
||||
key will be used without asking. NOTE: if you get a "Failed to erase card:
|
||||
PIN code or key incorrect", the transport key is wrong. Find this key and
|
||||
then try again, DO NOT try with the default key again!
|
||||
- If you want an SO PIN and PUK, do so with the --so-pin and --so-puk options,
|
||||
or specify --no-so-pin if you don't want them. If you use the onepin profile,
|
||||
there is no SO PIN so you should specify --pin and --puk instead.
|
||||
(So you get: pkcs15-init -CT -p pkcs15+onepin --pin <PIN> --puk <PUK>)
|
||||
- To specify the profile file + option. The profile file can only be "pkcs15"
|
||||
for the moment, so you can have:
|
||||
pkcs15+default : the default (not needed to specify it)
|
||||
pkcs15+onepin : for the onepin profile option
|
||||
pkcs15+small : for the small profile option
|
||||
|
||||
* Erase the card's content
|
||||
pkcs15-init -E {-T}
|
||||
This will delete all keys, PINs, certificates, data that were listed in PKCS15
|
||||
files, along with the PKCS15 files themselves.
|
||||
- This operation usually requires a 'transport' key. pkcs15-init will ask you
|
||||
for this key and propose the default one for that card. With -T, the default
|
||||
key will be used without asking. NOTE: if you get a "Failed to erase card:
|
||||
PIN code or key incorrect", the transport key is wrong. Find this key and
|
||||
then try again, DO NOT try the default key again!
|
||||
|
||||
Note: you can combine erase/create (-E -C or -EC) to erase and then create
|
||||
the card's contents, except when you change the profile option.
|
||||
|
||||
* Add a PIN (not possible with the onepin profile option)
|
||||
pkcs15-init -P {-a <AuthID>} {--pin <PIN>} {--puk <PUK>} {-l <label>}
|
||||
- You can specify the AuthID with -a, if you don't do so, a value that didn't
|
||||
exist yet on the card will be used.
|
||||
- Specify the PIN and PUK with --pin and --puk, if you don't do so, the tool
|
||||
will prompt you for one.
|
||||
- Specify the label (name) of the PIN with -l, or accept the default label.
|
||||
|
||||
* Generate a key pair (on card or in software on the PC)
|
||||
pkcs15-init -G <keyspec> -a <AuthID> --insecure {-i <ID>} {--soft}
|
||||
{-u <keyusage>}
|
||||
{-l <privkeylabel>} {--public-key-label <pubkeylabel>}
|
||||
This will generate a public and private key pair.
|
||||
- The keyspec consist of the key type, rsa or dsa (depends on what your card
|
||||
supports), and optinally a slash followed by the keysize in bits. E.g.
|
||||
"rsa/1024" specifies a 1024-bit RSA key pair. Note: dsa is not fully
|
||||
supported.
|
||||
- Specify the AuthID of the PIN that protects this key (protect from being
|
||||
used in a signature or decryption operation) with -a; or specify --insecure
|
||||
if you want the private key to be used without first providing a PIN.
|
||||
- Specify the ID of the key with -i, otherwise the tool will choose one.
|
||||
- Specify --soft if you don't want the key pair to be generated on card.
|
||||
- Specify the usage of the private key with -u; if you add a
|
||||
corresponding certificate later, it should have the same key usage.
|
||||
(Do "pkcs15-init -u help" for help).
|
||||
- Specify the label (name) of the private key with -l, or accept the default
|
||||
label.
|
||||
- Specify the label (name) of the public key with --public-key-label, or
|
||||
accept the default label.
|
||||
- Depending on your card and profile option, you will be prompted to provide
|
||||
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
|
||||
command line with --so-pin <SOPIN> and/or --pin <PIN>.
|
||||
NOTE: see the SSL engines (below) on how to make a certificate request with
|
||||
the key you generated.
|
||||
|
||||
* Add a private key
|
||||
pkcs15-init -S <keyfile> {-f <keyformat>} -a <AuthID> --insecure
|
||||
{-i <ID>} {-u <keyusage>} {--passphrase <password>}
|
||||
{-l <label>}
|
||||
- The keyfile should be in DER (binary) or PEM format.
|
||||
- The keyformat should be PEM (default) or DER.
|
||||
- Specify the AuthID of the PIN that protects the private key (from being used
|
||||
in a signature or decryption operation) with -a; or specify --insecure if
|
||||
you want the private key to be used without first providing a PIN
|
||||
- Specify the ID of the key with -i
|
||||
- Specify the usage of the private key with -u; if you add a
|
||||
corresponding certificate later, it should have the same key usage.
|
||||
(Do "pkcs15-init -u help" for help).
|
||||
- Specify the label (name) of the with -l, or accept the default label if
|
||||
you don't do so.
|
||||
- Depending on your card and profile option, you will be prompted to provide
|
||||
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
|
||||
command line with --so-pin <SOPIN> and/or --pin <PIN>.
|
||||
|
||||
* Add a private key + certificate(s) (in a pkcs12 file)
|
||||
pkcs15-init -S <pkcs12file> -f PKCS12 -a <AuthID> {--insecure} {-i <ID>}
|
||||
{-u <keyusage>} {--passphrase <password>}
|
||||
{-l <privkeylabel>} {--cert-label <usercertlabel>}
|
||||
This adds the private key and certificate chain to the card. If a certificate
|
||||
already exists in the card, it won't be added again.
|
||||
- Specify the AuthID of the PIN that protects this key (protect from being
|
||||
used in a signature or decryption operation) with -a; or specify --insecure
|
||||
if you want the private key to be used without first providing a PIN.
|
||||
- Specify the ID of the key and the corresponding certificate with -i,
|
||||
otherwise the tool with choose one; only the 'user cert' will get the same
|
||||
ID as the key,
|
||||
the other certificates will get 'authority' status and another ID.
|
||||
- You can specify the key-usage, but it is advised not to do this so the key
|
||||
usage is fetched from the certificate.
|
||||
- Specify the password of the pkcs12 key file if you don't want to be prompted
|
||||
for one.
|
||||
- Specify the label (name) of the private key with -l, or accept the default
|
||||
label if you don't do so.
|
||||
- Specify the label (name) of the user certificate with --cert-label, or
|
||||
accept the default label if you don't do so.
|
||||
- Depending on your card and profile option, you will be prompted to provide
|
||||
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
|
||||
command line with --so-pin <SOPIN> and/or --pin <PIN>.
|
||||
|
||||
* Add a certificate
|
||||
pkcs15-init -W <certfile> {-f <certformat>} {-i <ID>} {--authority}
|
||||
- The certfile should be in DER (binary) or PEM format
|
||||
- The certformat should be PEM (default) or DER
|
||||
- Specify the ID of the certificate with -i, otherwise the tool with choose
|
||||
one; if the certificate corresponds to a private and/or public key, you
|
||||
should specify the same ID as that key.
|
||||
- Specify --authority if it is a CA certificate.
|
||||
- Depending on your card and profile option, you will be prompted to provide
|
||||
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
|
||||
command line with --so-pin <SOPIN> and/or --pin <PIN>.
|
||||
|
||||
* Add a public key
|
||||
pkcs15-init --store-public-key <keyfile> {-f <keyformat>} {-i <ID>}
|
||||
{-l <label>}
|
||||
- The keyfile should be in DER (binary) or PEM format
|
||||
- The keyformat should be PEM (default) or DER
|
||||
- Specify the ID of the key with -i, otherwise the tool with choose one;
|
||||
if the key corresponds to a private key and/or certificate, you should
|
||||
specify the same ID as that private key and/or certificate.
|
||||
- Specify the label (name) of the with -l, or accept the default label if
|
||||
you don't do so.
|
||||
- Depending on your card and profile option, you will be prompted to provide
|
||||
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
|
||||
command line with --so-pin <SOPIN> and/or --pin <PIN>.
|
||||
|
||||
* Add data
|
||||
pkcs15-init -W <datafile> {-i <ID>} {-l <label>}
|
||||
- The datafile is stored "as is" onto the card.
|
||||
- Specify the ID of the data with -i, or accept the default ID.
|
||||
- Specify the label (name) of the data with -l, or accept the default label.
|
||||
- Depending on your card and profile option, you will be prompted to provide
|
||||
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
|
||||
command line with --so-pin <SOPIN> and/or --pin <PIN>.
|
||||
|
||||
|
||||
4. Other tools
|
||||
==============
|
||||
|
||||
* SSL-engines
|
||||
|
||||
These libraries can be loaded in OpenSSL so you can do a certificate request
|
||||
with the openssl tool; the signature of the certificate request will then be
|
||||
made using the smart card. The result can then be sent to a CA for
|
||||
certification or the resulting certificate can be put on the card with pkcs15-init
|
||||
or pkcs11-tool.
|
||||
- Run openssl
|
||||
- On the openssl command prompt, type
|
||||
engine dynamic -pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
|
||||
or
|
||||
engine dynamic -pre SO_PATH:engine_opensc -pre ID:opensc -pre LIST_ADD:1 -pre LOAD
|
||||
depending on which one of the 2 engines (pkcs11 or opensc) you want to use.
|
||||
- Then type (on the openssl command prompt)
|
||||
req -engine pkcs11 -new -key <ID> -keyform engine -out <cert_req>
|
||||
or
|
||||
req -engine opensc -new -key <ID> -keyform engine -out <cert_req>
|
||||
in which ID is the slot+ID in the following format:
|
||||
[slot_<slotID>][-][id_<ID>], e.g. id_45 or slot_0-id_45
|
||||
|
||||
* pkcs11-tool and Mozilla/Netscape
|
||||
|
||||
You can use the OpenSC pkcs11 library to generate a key pair in Mozilla or
|
||||
Netscape, and let the browser generate a certificate request that is sent
|
||||
to an on-line CA to issue and send you a certificate that is then added to the
|
||||
card.
|
||||
|
||||
Just go to an online CA (Globalsign, Thawte, ...) and follow their guidelines.
|
||||
Because such a request either costs you or at least requires you to provide a
|
||||
valid mail address, it is advisable to first try you card with
|
||||
"pkcs11-tool --moz-cert <cert_file_in_der_format> --login".
|
||||
|
||||
NOTE: This can only be done with the onepin profile option (because the browser
|
||||
won't ask for an SO PIN, only for the user PIN).
|
||||
|
||||
|
||||
5. Card-specific issues
|
||||
=======================
|
||||
|
||||
Experience is that marvelous thing that enables you to recognize
|
||||
a mistake when you make it again. -- Franklin P. Jones
|
||||
|
||||
Cryptoflex:
|
||||
- DFs and EFs in a DF have to be deleted in reverse order of creation.
|
||||
OpenSC relies on this fact for security, but also has some downsides. For
|
||||
example, if you did a "pkcs15-init -C" and then added some EFs or DFs in the
|
||||
MF, you won't be able to do a "pkcs15-init -E" afterwards to remove the
|
||||
PKCS15 DF (5015). So you'll first have to manually remove all EFs/DFs you
|
||||
created in the MF before being able remove the pkcs15 DF.
|
||||
|
||||
Starcos SPK 2.3:
|
||||
- Due to the way Starcos SPK 2.3 manages access rights it is necessary
|
||||
to manually call "pkcs15-init --finalize" after card personalization
|
||||
if no SO-PIN has been specified. Once the card has been finalized it is
|
||||
not possible to add new private/secret keys or PINs. If a SO-PIN is
|
||||
used the card will automatically be finalized after the SO-PIN has
|
||||
been stored.
|
||||
- If an SO-PIN is used and if there is enough space in the key file left,
|
||||
then the owner of the SO-PIN can access/use every protected item by
|
||||
creating a PIN for the necessary state.
|
File diff suppressed because it is too large
Load Diff
|
@ -1,23 +0,0 @@
|
|||
.screen {
|
||||
background-color: #dddddd;
|
||||
cellspacing:"1";
|
||||
cellpadding:"1";
|
||||
}
|
||||
|
||||
.prompt {
|
||||
background-color: #dddddd;
|
||||
}
|
||||
|
||||
.command {
|
||||
background-color: #dddddd;
|
||||
}
|
||||
|
||||
.title {
|
||||
}
|
||||
|
||||
.toc {
|
||||
}
|
||||
|
||||
.book {
|
||||
width: 630pt
|
||||
}
|
1518
doc/old/opensc.xml
1518
doc/old/opensc.xml
File diff suppressed because it is too large
Load Diff
|
@ -1,11 +0,0 @@
|
|||
<?xml version='1.0'?>
|
||||
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
|
||||
|
||||
<xsl:import href="/usr/share/sgml/docbook/stylesheet/xsl/nwalsh/xhtml/docbook.xsl"/>
|
||||
|
||||
<xsl:param name="html.stylesheet" select="'opensc.css'"/>
|
||||
<xsl:param name="shade.verbatim" select="1"/>
|
||||
<xsl:param name="html.cleanup" select="1" />
|
||||
<xsl:param name="generate.section.toc.level" select="0" />
|
||||
|
||||
</xsl:stylesheet>
|
|
@ -1,869 +0,0 @@
|
|||
PKCS-15 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
|
||||
pkcs-15(15) modules(1) pkcs-15(1)}
|
||||
|
||||
-- $Revision$ --
|
||||
|
||||
DEFINITIONS IMPLICIT TAGS ::=
|
||||
|
||||
BEGIN
|
||||
|
||||
IMPORTS
|
||||
|
||||
informationFramework, authenticationFramework, certificateExtensions
|
||||
FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
|
||||
usefulDefinitions(0) 3}
|
||||
|
||||
Name, Attribute
|
||||
FROM InformationFramework informationFramework
|
||||
|
||||
Certificate, AttributeCertificate, CertificateSerialNumber,
|
||||
SubjectPublicKeyInfo
|
||||
FROM AuthenticationFramework authenticationFramework
|
||||
|
||||
GeneralNames, KeyUsage
|
||||
FROM CertificateExtensions certificateExtensions
|
||||
|
||||
RecipientInfos, RecipientInfo, OriginatorInfo, sha-1,
|
||||
id-alg-CMS3DESwrap, id-alg-CMSRC2wrap, hMAC-SHA1, des-ede3-cbc
|
||||
FROM CryptographicMessageSyntax {iso(1) member-body(2)
|
||||
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0)
|
||||
cms(1)}
|
||||
|
||||
RSAPublicKey
|
||||
FROM PKCS-1 {iso(1) member-body(2) us(840) rsadsi(113549)
|
||||
pkcs(1) pkcs-1(1) modules(0) pkcs-1(1)}
|
||||
|
||||
AlgorithmIdentifier, SupportingAlgorithms, PBKDF2Algorithms,
|
||||
ALGORITHM-IDENTIFIER, id-hmacWithSHA1
|
||||
FROM PKCS-5 {iso(1) member-body(2) us(840) rsadsi(113549)
|
||||
pkcs(1) pkcs-5(5) modules(16) pkcs-5(1)}
|
||||
|
||||
ECPoint, Parameters
|
||||
FROM ANSI-X9-62 {iso(1) member-body(2) us(840)
|
||||
ansi-x962(10045) module(4) 1}
|
||||
|
||||
DiffieHellmanPublicNumber, DomainParameters
|
||||
FROM ANSI-X9-42 {iso(1) member-body(2) us(840)
|
||||
ansi-x942(10046) module(5) 1}
|
||||
|
||||
OOBCertHash
|
||||
FROM PKIXCMP {iso(1) identified-organization(3) dod(6)
|
||||
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
|
||||
id-mod-cmp(9)};
|
||||
|
||||
-- Constants
|
||||
|
||||
pkcs15-ub-identifier INTEGER ::= 255
|
||||
pkcs15-ub-reference INTEGER ::= 255
|
||||
pkcs15-ub-index INTEGER ::= 65535
|
||||
pkcs15-ub-label INTEGER ::= pkcs15-ub-identifier
|
||||
pkcs15-lb-minPinLength INTEGER ::= 4
|
||||
pkcs15-ub-minPinLength INTEGER ::= 8
|
||||
pkcs15-ub-storedPinLength INTEGER ::= 64
|
||||
pkcs15-ub-recordLength INTEGER ::= 16383
|
||||
pkcs15-ub-userConsent INTEGER ::= 15
|
||||
pkcs15-ub-securityConditions INTEGER ::= 255
|
||||
pkcs15-ub-seInfo INTEGER ::= 255
|
||||
|
||||
-- Object Identifiers
|
||||
|
||||
pkcs15 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
|
||||
rsadsi(113549) pkcs(1) pkcs-15(15)}
|
||||
pkcs15-mo OBJECT IDENTIFIER ::= {pkcs15 1} -- Modules branch
|
||||
pkcs15-at OBJECT IDENTIFIER ::= {pkcs15 2} -- Attribute branch
|
||||
pkcs15-ct OBJECT IDENTIFIER ::= {pkcs15 3} -- Content type branch
|
||||
|
||||
-- Content Types
|
||||
|
||||
pkcs15-ct-PKCS15Token OBJECT IDENTIFIER ::= {pkcs15-ct 1}
|
||||
|
||||
-- Basic types
|
||||
|
||||
Identifier ::= OCTET STRING (SIZE (0..pkcs15-ub-identifier))
|
||||
|
||||
Reference ::= INTEGER (0..pkcs15-ub-reference)
|
||||
|
||||
Label ::= UTF8String (SIZE(0..pkcs15-ub-label))
|
||||
|
||||
KEY-IDENTIFIER ::= CLASS {
|
||||
&id INTEGER UNIQUE,
|
||||
&Value
|
||||
} WITH SYNTAX {
|
||||
SYNTAX &Value IDENTIFIED BY &id
|
||||
}
|
||||
|
||||
CredentialIdentifier {KEY-IDENTIFIER : IdentifierSet} ::= SEQUENCE {
|
||||
idType KEY-IDENTIFIER.&id ({IdentifierSet}),
|
||||
idValue KEY-IDENTIFIER.&Value ({IdentifierSet}{@idType})
|
||||
}
|
||||
|
||||
KeyIdentifiers KEY-IDENTIFIER ::= {
|
||||
issuerAndSerialNumber|
|
||||
issuerAndSerialNumberHash|
|
||||
subjectKeyId|
|
||||
subjectKeyHash |
|
||||
issuerKeyHash |
|
||||
issuerNameHash |
|
||||
subjectNameHash,
|
||||
...
|
||||
}
|
||||
|
||||
issuerAndSerialNumber KEY-IDENTIFIER::=
|
||||
{SYNTAX PKCS15-OPAQUE.&Type IDENTIFIED BY 1}
|
||||
-- As defined in RFC 2630
|
||||
subjectKeyId KEY-IDENTIFIER ::=
|
||||
{SYNTAX OCTET STRING IDENTIFIED BY 2}
|
||||
-- From x509v3 certificate extension
|
||||
issuerAndSerialNumberHash KEY-IDENTIFIER ::=
|
||||
{SYNTAX OCTET STRING IDENTIFIED BY 3}
|
||||
-- Assumes SHA-1 hash of DER encoding of IssuerAndSerialNumber
|
||||
subjectKeyHash KEY-IDENTIFIER ::=
|
||||
{SYNTAX OCTET STRING IDENTIFIED BY 4}
|
||||
issuerKeyHash KEY-IDENTIFIER ::=
|
||||
{SYNTAX OCTET STRING IDENTIFIED BY 5}
|
||||
issuerNameHash KEY-IDENTIFIER ::=
|
||||
{SYNTAX OCTET STRING IDENTIFIED BY 6}
|
||||
-- SHA-1 hash of DER-encoded issuer name
|
||||
subjectNameHash KEY-IDENTIFIER ::=
|
||||
{SYNTAX OCTET STRING IDENTIFIED BY 7}
|
||||
-- SHA-1 hash of DER-encoded subject name
|
||||
|
||||
ReferencedValue {Type} ::= CHOICE {
|
||||
path Path,
|
||||
url URL
|
||||
} (CONSTRAINED BY {-- 'path' or 'url' shall point to an object of
|
||||
-- type -- Type})
|
||||
|
||||
URL ::= CHOICE {
|
||||
url PrintableString,
|
||||
urlWithDigest [3] SEQUENCE {
|
||||
url IA5String,
|
||||
digest DigestInfoWithDefault
|
||||
}
|
||||
}
|
||||
|
||||
alg-id-sha1 AlgorithmIdentifier {{DigestAlgorithms}} ::= {
|
||||
algorithm sha-1,
|
||||
parameters SHA1Parameters : NULL}
|
||||
|
||||
SHA1Parameters ::= NULL
|
||||
|
||||
DigestInfoWithDefault ::= SEQUENCE {
|
||||
digestAlg AlgorithmIdentifier {{DigestAlgorithms}} DEFAULT alg-id-sha1,
|
||||
digest OCTET STRING (SIZE(8..128))
|
||||
}
|
||||
|
||||
Path ::= SEQUENCE {
|
||||
path OCTET STRING,
|
||||
index INTEGER (0..pkcs15-ub-index) OPTIONAL,
|
||||
length [0] INTEGER (0..pkcs15-ub-index) OPTIONAL
|
||||
}( WITH COMPONENTS {..., index PRESENT, length PRESENT}|
|
||||
WITH COMPONENTS {..., index ABSENT, length ABSENT})
|
||||
|
||||
ObjectValue { Type } ::= CHOICE {
|
||||
indirect ReferencedValue {Type},
|
||||
direct [0] Type,
|
||||
indirect-protected [1] ReferencedValue {EnvelopedData {Type}},
|
||||
direct-protected [2] EnvelopedData {Type}
|
||||
}(CONSTRAINED BY {-- if indirection is being used, then it is
|
||||
-- expected that the reference points either to a (possibly
|
||||
-- enveloped) object of type -- Type -- or (key case) to a card-
|
||||
-- specific key file --})
|
||||
|
||||
PathOrObjects {ObjectType} ::= CHOICE {
|
||||
path Path,
|
||||
objects [0] SEQUENCE OF ObjectType,
|
||||
...,
|
||||
indirect-protected [1] ReferencedValue {EnvelopedData {SEQUENCE OF ObjectType}},
|
||||
direct-protected [2] EnvelopedData {SEQUENCE OF ObjectType}
|
||||
}
|
||||
|
||||
CommonObjectAttributes ::= SEQUENCE {
|
||||
label Label OPTIONAL,
|
||||
flags CommonObjectFlags OPTIONAL,
|
||||
authId Identifier OPTIONAL,
|
||||
...,
|
||||
userConsent INTEGER (1..pkcs15-ub-userConsent) OPTIONAL,
|
||||
accessControlRules SEQUENCE SIZE (1..MAX) OF AccessControlRule OPTIONAL
|
||||
} (CONSTRAINED BY {-- authId should be present in the IC card case if
|
||||
-- flags.private is set. It must equal an authID in one AuthRecord
|
||||
-- in the AODF -- })
|
||||
|
||||
CommonObjectFlags ::= BIT STRING {
|
||||
private (0),
|
||||
modifiable (1)
|
||||
}
|
||||
|
||||
AccessControlRule ::= SEQUENCE {
|
||||
accessMode AccessMode,
|
||||
securityCondition SecurityCondition,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
AccessMode ::= BIT STRING {
|
||||
read (0),
|
||||
update (1),
|
||||
execute (2)
|
||||
}
|
||||
|
||||
SecurityCondition ::= CHOICE {
|
||||
authId Identifier,
|
||||
not [0] SecurityCondition,
|
||||
and [1] SEQUENCE SIZE (2..pkcs15-ub-securityConditions)
|
||||
OF SecurityCondition,
|
||||
or [2] SEQUENCE SIZE (2..pkcs15-ub-securityConditions)
|
||||
OF SecurityCondition,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
CommonKeyAttributes ::= SEQUENCE {
|
||||
iD Identifier,
|
||||
usage KeyUsageFlags,
|
||||
native BOOLEAN DEFAULT TRUE,
|
||||
accessFlags KeyAccessFlags OPTIONAL,
|
||||
keyReference Reference OPTIONAL,
|
||||
startDate GeneralizedTime OPTIONAL,
|
||||
endDate [0] GeneralizedTime OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
KeyUsageFlags ::= BIT STRING {
|
||||
encrypt (0),
|
||||
decrypt (1),
|
||||
sign (2),
|
||||
signRecover (3),
|
||||
wrap (4),
|
||||
unwrap (5),
|
||||
verify (6),
|
||||
verifyRecover (7),
|
||||
derive (8),
|
||||
nonRepudiation (9)
|
||||
}
|
||||
|
||||
KeyAccessFlags ::= BIT STRING {
|
||||
sensitive (0),
|
||||
extractable (1),
|
||||
alwaysSensitive (2),
|
||||
neverExtractable (3),
|
||||
local (4)
|
||||
}
|
||||
|
||||
CommonPrivateKeyAttributes ::= SEQUENCE {
|
||||
subjectName Name OPTIONAL,
|
||||
keyIdentifiers [0] SEQUENCE OF CredentialIdentifier
|
||||
{{KeyIdentifiers}} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
CommonPublicKeyAttributes ::= SEQUENCE {
|
||||
subjectName Name OPTIONAL,
|
||||
...,
|
||||
trustedUsage [0] Usage OPTIONAL
|
||||
}
|
||||
|
||||
CommonSecretKeyAttributes ::= SEQUENCE {
|
||||
keyLen INTEGER OPTIONAL, -- keylength (in bits)
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
KeyInfo {ParameterType, OperationsType} ::= CHOICE {
|
||||
reference Reference,
|
||||
paramsAndOps SEQUENCE {
|
||||
parameters ParameterType,
|
||||
supportedOperations OperationsType OPTIONAL
|
||||
}
|
||||
}
|
||||
|
||||
CommonCertificateAttributes ::= SEQUENCE {
|
||||
iD Identifier,
|
||||
authority BOOLEAN DEFAULT FALSE,
|
||||
identifier CredentialIdentifier {{KeyIdentifiers}} OPTIONAL,
|
||||
certHash [0] OOBCertHash OPTIONAL,
|
||||
...,
|
||||
trustedUsage [1] Usage OPTIONAL,
|
||||
identifiers [2] SEQUENCE OF CredentialIdentifier{{KeyIdentifiers}} OPTIONAL,
|
||||
implicitTrust [3] BOOLEAN DEFAULT FALSE
|
||||
}
|
||||
|
||||
Usage ::= SEQUENCE {
|
||||
keyUsage KeyUsage OPTIONAL,
|
||||
extKeyUsage SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER OPTIONAL
|
||||
}(WITH COMPONENTS {..., keyUsage PRESENT} |
|
||||
WITH COMPONENTS {..., extKeyUsage PRESENT})
|
||||
|
||||
CommonDataObjectAttributes ::= SEQUENCE {
|
||||
applicationName Label OPTIONAL,
|
||||
applicationOID OBJECT IDENTIFIER OPTIONAL,
|
||||
... -- For future extensions
|
||||
} (WITH COMPONENTS {..., applicationName PRESENT}|
|
||||
WITH COMPONENTS {..., applicationOID PRESENT})
|
||||
|
||||
CommonAuthenticationObjectAttributes ::= SEQUENCE {
|
||||
authId Identifier,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
PKCS15Object {ClassAttributes, SubClassAttributes, TypeAttributes}
|
||||
::= SEQUENCE {
|
||||
commonObjectAttributes CommonObjectAttributes,
|
||||
classAttributes ClassAttributes,
|
||||
subClassAttributes [0] SubClassAttributes OPTIONAL,
|
||||
typeAttributes [1] TypeAttributes
|
||||
}
|
||||
|
||||
PKCS15Objects ::= CHOICE {
|
||||
privateKeys [0] PrivateKeys,
|
||||
publicKeys [1] PublicKeys,
|
||||
trustedPublicKeys [2] PublicKeys,
|
||||
secretKeys [3] SecretKeys,
|
||||
certificates [4] Certificates,
|
||||
trustedCertificates [5] Certificates,
|
||||
usefulCertificates [6] Certificates,
|
||||
dataObjects [7] DataObjects,
|
||||
authObjects [8] AuthObjects,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
PrivateKeys ::= PathOrObjects {PrivateKeyType}
|
||||
|
||||
SecretKeys ::= PathOrObjects {SecretKeyType}
|
||||
|
||||
PublicKeys ::= PathOrObjects {PublicKeyType}
|
||||
|
||||
Certificates ::= PathOrObjects {CertificateType}
|
||||
|
||||
DataObjects ::= PathOrObjects {DataType}
|
||||
|
||||
AuthObjects ::= PathOrObjects {AuthenticationType}
|
||||
|
||||
PrivateKeyType ::= CHOICE {
|
||||
privateRSAKey PrivateKeyObject {PrivateRSAKeyAttributes},
|
||||
privateECKey [0] PrivateKeyObject {PrivateECKeyAttributes},
|
||||
privateDHKey [1] PrivateKeyObject {PrivateDHKeyAttributes},
|
||||
privateDSAKey [2] PrivateKeyObject {PrivateDSAKeyAttributes},
|
||||
privateKEAKey [3] PrivateKeyObject {PrivateKEAKeyAttributes},
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
PrivateKeyObject {KeyAttributes} ::= PKCS15Object {
|
||||
CommonKeyAttributes, CommonPrivateKeyAttributes, KeyAttributes}
|
||||
|
||||
PrivateRSAKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {RSAPrivateKeyObject},
|
||||
modulusLength INTEGER, -- modulus length in bits, e.g. 1024
|
||||
keyInfo KeyInfo {NULL, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
RSAPrivateKeyObject ::= SEQUENCE {
|
||||
modulus [0] INTEGER OPTIONAL, -- n
|
||||
publicExponent [1] INTEGER OPTIONAL, -- e
|
||||
privateExponent [2] INTEGER OPTIONAL, -- d
|
||||
prime1 [3] INTEGER OPTIONAL, -- p
|
||||
prime2 [4] INTEGER OPTIONAL, -- q
|
||||
exponent1 [5] INTEGER OPTIONAL, -- d mod (p-1)
|
||||
exponent2 [6] INTEGER OPTIONAL, -- d mod (q-1)
|
||||
coefficient [7] INTEGER OPTIONAL -- inv(q) mod p
|
||||
} (CONSTRAINED BY {-- must be possible to reconstruct modulus and
|
||||
-- privateExponent from selected fields --})
|
||||
|
||||
PrivateECKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {ECPrivateKey},
|
||||
keyInfo KeyInfo {Parameters, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
ECPrivateKey ::= INTEGER
|
||||
|
||||
PrivateDHKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {DHPrivateKey},
|
||||
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
DHPrivateKey ::= INTEGER -- Diffie-Hellman exponent
|
||||
|
||||
PrivateDSAKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {DSAPrivateKey},
|
||||
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
DSAPrivateKey ::= INTEGER
|
||||
|
||||
PrivateKEAKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {KEAPrivateKey},
|
||||
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
KEAPrivateKey ::= INTEGER
|
||||
|
||||
PublicKeyType ::= CHOICE {
|
||||
publicRSAKey PublicKeyObject {PublicRSAKeyAttributes},
|
||||
publicECKey [0] PublicKeyObject {PublicECKeyAttributes},
|
||||
publicDHKey [1] PublicKeyObject {PublicDHKeyAttributes},
|
||||
publicDSAKey [2] PublicKeyObject {PublicDSAKeyAttributes},
|
||||
publicKEAKey [3] PublicKeyObject {PublicKEAKeyAttributes},
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
PublicKeyObject {KeyAttributes} ::= PKCS15Object {
|
||||
CommonKeyAttributes, CommonPublicKeyAttributes, KeyAttributes}
|
||||
|
||||
PublicRSAKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {RSAPublicKeyChoice},
|
||||
modulusLength INTEGER, -- modulus length in bits, e.g. 1024
|
||||
keyInfo KeyInfo {NULL, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
RSAPublicKeyChoice ::= CHOICE {
|
||||
raw RSAPublicKey,
|
||||
spki [1] SubjectPublicKeyInfo, -- See X.509. Must contain a
|
||||
-- public RSA key
|
||||
...
|
||||
}
|
||||
|
||||
PublicECKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {ECPublicKeyChoice},
|
||||
keyInfo KeyInfo {Parameters, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
ECPublicKeyChoice ::= CHOICE {
|
||||
raw ECPoint,
|
||||
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public EC key
|
||||
...
|
||||
}
|
||||
|
||||
PublicDHKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {DHPublicKeyChoice},
|
||||
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
DHPublicKeyChoice ::= CHOICE {
|
||||
raw DiffieHellmanPublicNumber,
|
||||
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public D-H key
|
||||
...
|
||||
}
|
||||
|
||||
PublicDSAKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {DSAPublicKeyChoice},
|
||||
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
DSAPublicKeyChoice ::= CHOICE {
|
||||
raw INTEGER,
|
||||
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public DSA key.
|
||||
...
|
||||
}
|
||||
|
||||
PublicKEAKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue {KEAPublicKeyChoice},
|
||||
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
KEAPublicKeyChoice ::= CHOICE {
|
||||
raw INTEGER,
|
||||
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public KEA key
|
||||
...
|
||||
}
|
||||
|
||||
SecretKeyType ::= CHOICE {
|
||||
genericSecretKey SecretKeyObject {GenericSecretKeyAttributes},
|
||||
rc2key [0] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
rc4key [1] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
desKey [2] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
des2Key [3] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
des3Key [4] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
castKey [5] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
cast3Key [6] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
cast128Key [7] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
rc5Key [8] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
ideaKey [9] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
skipjackKey [10] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
batonKey [11] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
juniperKey [12] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
rc6Key [13] SecretKeyObject {GenericSecretKeyAttributes},
|
||||
otherKey [14] OtherKey,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
SecretKeyObject {KeyAttributes} ::= PKCS15Object {
|
||||
CommonKeyAttributes, CommonSecretKeyAttributes, KeyAttributes}
|
||||
|
||||
OtherKey ::= SEQUENCE {
|
||||
keyType OBJECT IDENTIFIER,
|
||||
keyAttr SecretKeyObject {GenericSecretKeyAttributes}
|
||||
}
|
||||
|
||||
GenericSecretKeyAttributes ::= SEQUENCE {
|
||||
value ObjectValue { OCTET STRING },
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
CertificateType ::= CHOICE {
|
||||
x509Certificate CertificateObject { X509CertificateAttributes},
|
||||
x509AttributeCertificate [0] CertificateObject
|
||||
{X509AttributeCertificateAttributes},
|
||||
spkiCertificate [1] CertificateObject {SPKICertificateAttributes},
|
||||
pgpCertificate [2] CertificateObject {PGPCertificateAttributes},
|
||||
wtlsCertificate [3] CertificateObject {WTLSCertificateAttributes},
|
||||
x9-68Certificate [4] CertificateObject {X9-68CertificateAttributes},
|
||||
...,
|
||||
cvCertificate [5] CertificateObject {CVCertificateAttributes}
|
||||
}
|
||||
|
||||
CertificateObject {CertAttributes} ::= PKCS15Object {
|
||||
CommonCertificateAttributes, NULL, CertAttributes}
|
||||
|
||||
X509CertificateAttributes ::= SEQUENCE {
|
||||
value ObjectValue { Certificate },
|
||||
subject Name OPTIONAL,
|
||||
issuer [0] Name OPTIONAL,
|
||||
serialNumber CertificateSerialNumber OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
X509AttributeCertificateAttributes ::= SEQUENCE {
|
||||
value ObjectValue { AttributeCertificate },
|
||||
issuer GeneralNames OPTIONAL,
|
||||
serialNumber CertificateSerialNumber OPTIONAL,
|
||||
attrTypes [0] SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
SPKICertificateAttributes ::= SEQUENCE {
|
||||
value ObjectValue { PKCS15-OPAQUE.&Type },
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
PGPCertificateAttributes ::= SEQUENCE {
|
||||
value ObjectValue { PKCS15-OPAQUE.&Type },
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
WTLSCertificateAttributes ::= SEQUENCE {
|
||||
value ObjectValue { PKCS15-OPAQUE.&Type },
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
X9-68CertificateAttributes ::= SEQUENCE {
|
||||
value ObjectValue { PKCS15-OPAQUE.&Type },
|
||||
... -- For future extensions
|
||||
}
|
||||
CVCertificateAttributes ::= SEQUENCE {
|
||||
value ObjectValue { PKCS15-OPAQUE.&Type},
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
DataType ::= CHOICE {
|
||||
opaqueDO DataObject {Opaque},
|
||||
externalIDO [0] DataObject {ExternalIDO},
|
||||
oidDO [1] DataObject {OidDO},
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
DataObject {DataObjectAttributes} ::= PKCS15Object {
|
||||
CommonDataObjectAttributes, NULL, DataObjectAttributes}
|
||||
|
||||
Opaque ::= ObjectValue {PKCS15-OPAQUE.&Type}
|
||||
|
||||
ExternalIDO ::= ObjectValue {PKCS15-OPAQUE.&Type}
|
||||
(CONSTRAINED BY {-- All data objects must be defined in
|
||||
-- accordance with ISO/IEC 7816-6 --})
|
||||
|
||||
OidDO ::= SEQUENCE {
|
||||
id OBJECT IDENTIFIER,
|
||||
value ObjectValue {PKCS15-OPAQUE.&Type}
|
||||
}
|
||||
|
||||
AuthenticationType ::= CHOICE {
|
||||
pin AuthenticationObject { PinAttributes },
|
||||
...,
|
||||
biometricTemplate [0] AuthenticationObject {BiometricAttributes},
|
||||
authKey [1] AuthenticationObject {AuthKeyAttributes},
|
||||
external [2] AuthenticationObject {ExternalAuthObjectAttributes}
|
||||
}
|
||||
|
||||
AuthenticationObject {AuthObjectAttributes} ::= PKCS15Object {
|
||||
CommonAuthenticationObjectAttributes, NULL, AuthObjectAttributes}
|
||||
|
||||
PinAttributes ::= SEQUENCE {
|
||||
pinFlags PinFlags,
|
||||
pinType PinType,
|
||||
minLength INTEGER (pkcs15-lb-minPinLength..pkcs15-ub-minPinLength),
|
||||
storedLength INTEGER (0..pkcs15-ub-storedPinLength),
|
||||
maxLength INTEGER OPTIONAL,
|
||||
pinReference [0] Reference DEFAULT 0,
|
||||
padChar OCTET STRING (SIZE(1)) OPTIONAL,
|
||||
lastPinChange GeneralizedTime OPTIONAL,
|
||||
path Path OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
PinFlags ::= BIT STRING {
|
||||
case-sensitive (0),
|
||||
local (1),
|
||||
change-disabled (2),
|
||||
unblock-disabled (3),
|
||||
initialized (4),
|
||||
needs-padding (5),
|
||||
unblockingPin (6),
|
||||
soPin (7),
|
||||
disable-allowed (8),
|
||||
integrity-protected (9),
|
||||
confidentiality-protected (10),
|
||||
exchangeRefData (11)
|
||||
} (CONSTRAINED BY { -- 'unblockingPin' and 'soPIN' cannot both be set -- })
|
||||
|
||||
PinType ::= ENUMERATED {bcd, ascii-numeric, utf8, ...,
|
||||
half-nibble-bcd, iso9564-1}
|
||||
|
||||
BiometricAttributes ::= SEQUENCE {
|
||||
bioFlags BiometricFlags,
|
||||
templateId OBJECT IDENTIFIER,
|
||||
bioType BiometricType,
|
||||
bioReference Reference DEFAULT 0,
|
||||
lastChange GeneralizedTime OPTIONAL,
|
||||
path Path OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
BiometricFlags ::= BIT STRING {
|
||||
local (1),
|
||||
change-disabled (2),
|
||||
unblock-disabled (3),
|
||||
initialized (4),
|
||||
disable-allowed (8),
|
||||
integrity-protected (9),
|
||||
confidentiality-protected (10)
|
||||
} -- Note: bits 0, 5, 6, and 7 are reserved for future use
|
||||
|
||||
BiometricType ::= CHOICE {
|
||||
fingerPrint FingerPrint,
|
||||
irisScan [0] IrisScan,
|
||||
-- Possible extensions:
|
||||
-- voiceScan VoiceScan,
|
||||
-- faceScan FaceScan,
|
||||
-- retinaScan Retinascan,
|
||||
-- handGeometry HandGeometry,
|
||||
-- writeDynamics WriteDynamics,
|
||||
-- keyStrokeDynamicsKeyStrokeDynamics,
|
||||
-- lipDynamics LipDynamics,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
FingerPrint ::= SEQUENCE {
|
||||
hand ENUMERATED {left, right},
|
||||
finger ENUMERATED {thumb, pointerFinger, middleFinger,
|
||||
ringFinger, littleFinger},
|
||||
...
|
||||
}
|
||||
|
||||
IrisScan ::= SEQUENCE {
|
||||
eye ENUMERATED {left, right},
|
||||
...
|
||||
}
|
||||
|
||||
ExternalAuthObjectAttributes ::= CHOICE {
|
||||
authKeyAttributes AuthKeyAttributes,
|
||||
certBasedAttributes [0] CertBasedAuthenticationAttributes,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
AuthKeyAttributes ::= SEQUENCE {
|
||||
derivedKey BOOLEAN DEFAULT TRUE,
|
||||
authKeyId Identifier,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
CertBasedAuthenticationAttributes ::= SEQUENCE {
|
||||
cha OCTET STRING,
|
||||
...
|
||||
}
|
||||
|
||||
TokenInfo ::= SEQUENCE {
|
||||
version INTEGER {v1(0)} (v1,...),
|
||||
serialNumber OCTET STRING,
|
||||
manufacturerID Label OPTIONAL,
|
||||
label [0] Label OPTIONAL,
|
||||
tokenflags TokenFlags,
|
||||
seInfo SEQUENCE OF SecurityEnvironmentInfo OPTIONAL,
|
||||
recordInfo [1] RecordInfo OPTIONAL,
|
||||
supportedAlgorithms [2] SEQUENCE OF AlgorithmInfo OPTIONAL,
|
||||
...,
|
||||
issuerId [3] Label OPTIONAL,
|
||||
holderId [4] Label OPTIONAL,
|
||||
lastUpdate [5] LastUpdate OPTIONAL,
|
||||
preferredLanguage PrintableString OPTIONAL -- In accordance with
|
||||
-- IETF RFC 1766
|
||||
} (CONSTRAINED BY { -- Each AlgorithmInfo.reference value must be unique --})
|
||||
|
||||
TokenFlags ::= BIT STRING {
|
||||
readonly (0),
|
||||
loginRequired (1),
|
||||
prnGeneration (2),
|
||||
eidCompliant (3)
|
||||
}
|
||||
|
||||
SecurityEnvironmentInfo ::= SEQUENCE {
|
||||
se INTEGER (0..pkcs15-ub-seInfo),
|
||||
owner OBJECT IDENTIFIER,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
RecordInfo ::= SEQUENCE {
|
||||
oDFRecordLength [0] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
||||
prKDFRecordLength [1] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
||||
puKDFRecordLength [2] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
||||
sKDFRecordLength [3] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
||||
cDFRecordLength [4] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
||||
dODFRecordLength [5] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
||||
aODFRecordLength [6] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL
|
||||
}
|
||||
|
||||
AlgorithmInfo ::= SEQUENCE {
|
||||
reference Reference,
|
||||
algorithm PKCS15-ALGORITHM.&id({AlgorithmSet}),
|
||||
parameters PKCS15-ALGORITHM.&Parameters({AlgorithmSet}{@algorithm}),
|
||||
supportedOperations
|
||||
PKCS15-ALGORITHM.&Operations({AlgorithmSet}{@algorithm}),
|
||||
algId PKCS15-ALGORITHM.&objectIdentifier({AlgorithmSet}{@algorithm})
|
||||
OPTIONAL,
|
||||
algRef Reference OPTIONAL
|
||||
}
|
||||
|
||||
PKCS15-ALGORITHM ::= CLASS {
|
||||
&id INTEGER UNIQUE,
|
||||
&Parameters,
|
||||
&Operations Operations,
|
||||
&objectIdentifier OBJECT IDENTIFIER OPTIONAL
|
||||
} WITH SYNTAX {
|
||||
PARAMETERS &Parameters OPERATIONS &Operations ID &id [OID &objectIdentifier]}
|
||||
|
||||
PKCS15-OPAQUE ::= TYPE-IDENTIFIER
|
||||
|
||||
PublicKeyOperations ::= Operations
|
||||
|
||||
Operations ::= BIT STRING {
|
||||
compute-checksum (0), -- H/W computation of checksum
|
||||
compute-signature (1), -- H/W computation of signature
|
||||
verify-checksum (2), -- H/W verification of checksum
|
||||
verify-signature (3), -- H/W verification of signature
|
||||
encipher (4), -- H/W encryption of data
|
||||
decipher (5), -- H/W decryption of data
|
||||
hash (6), -- H/W hashing
|
||||
generate-key (7) -- H/W key generation
|
||||
}
|
||||
|
||||
pkcs15-alg-null PKCS15-ALGORITHM ::= {
|
||||
PARAMETERS NULL OPERATIONS {{generate-key}} ID -1}
|
||||
|
||||
AlgorithmSet PKCS15-ALGORITHM ::= {
|
||||
pkcs15-alg-null,
|
||||
... -- See PKCS #11 for values for the &id field (and parameters)
|
||||
}
|
||||
|
||||
LastUpdate ::= CHOICE {
|
||||
generalizedTime GeneralizedTime,
|
||||
referencedTime ReferencedValue {GeneralizedTime},
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
-- Soft token related types and objects
|
||||
|
||||
EnvelopedData {Type} ::= SEQUENCE {
|
||||
version INTEGER{v0(0),v1(1),v2(2),v3(3),v4(4)}(v0|v1|v2,...),
|
||||
originatorInfo [0] OriginatorInfo OPTIONAL,
|
||||
recipientInfos RecipientInfos,
|
||||
encryptedContentInfo EncryptedContentInfo{Type},
|
||||
unprotectedAttrs [1] SET SIZE (1..MAX) OF Attribute OPTIONAL
|
||||
}
|
||||
|
||||
EncryptedContentInfo {Type} ::= SEQUENCE {
|
||||
contentType OBJECT IDENTIFIER,
|
||||
contentEncryptionAlgorithm AlgorithmIdentifier {{KeyDerivationAlgorithms}},
|
||||
encryptedContent [0] OCTET STRING OPTIONAL
|
||||
}(CONSTRAINED BY {-- 'encryptedContent' shall be the result of
|
||||
-- encrypting DER-encoded value of type -- Type})
|
||||
|
||||
PKCS15Token ::= SEQUENCE {
|
||||
version INTEGER {v1(0)} (v1,...),
|
||||
keyManagementInfo [0] KeyManagementInfo OPTIONAL,
|
||||
pkcs15Objects SEQUENCE OF PKCS15Objects
|
||||
}
|
||||
|
||||
KeyManagementInfo ::= SEQUENCE OF SEQUENCE {
|
||||
keyId Identifier,
|
||||
keyInfo CHOICE {
|
||||
recipientInfo RecipientInfo,
|
||||
passwordInfo [0] PasswordInfo
|
||||
}
|
||||
} (CONSTRAINED BY {-- Each keyID must be unique --})
|
||||
|
||||
PasswordInfo ::= SEQUENCE {
|
||||
hint Label OPTIONAL,
|
||||
algId AlgorithmIdentifier {{KeyDerivationAlgorithms}},
|
||||
...
|
||||
} (CONSTRAINED BY {--keyID shall point to a KEKRecipientInfo--})
|
||||
|
||||
KeyDerivationAlgorithms ALGORITHM-IDENTIFIER ::= {
|
||||
PBKDF2Algorithms,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
CMS3DESwrap ::= NULL
|
||||
|
||||
KeyEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
|
||||
{CMS3DESwrap IDENTIFIED BY id-alg-CMS3DESwrap} |
|
||||
{INTEGER IDENTIFIED BY id-alg-CMSRC2wrap},
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
DES-IV ::= OCTET STRING (SIZE(8))
|
||||
|
||||
ContentEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
|
||||
SupportingAlgorithms EXCEPT {NULL IDENTIFIED BY id-hmacWithSHA1},
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
MACAlgorithms ALGORITHM-IDENTIFIER ::= {
|
||||
{NULL IDENTIFIED BY hMAC-SHA1},
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
DigestAlgorithms ALGORITHM-IDENTIFIER ::= {
|
||||
{NULL IDENTIFIED BY sha-1},
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
-- Misc
|
||||
|
||||
DDO ::= SEQUENCE {
|
||||
oid OBJECT IDENTIFIER,
|
||||
odfPath Path OPTIONAL,
|
||||
tokenInfoPath [0] Path OPTIONAL,
|
||||
unusedPath [1] Path OPTIONAL,
|
||||
... -- For future extensions
|
||||
}
|
||||
|
||||
DIRRecord ::= [APPLICATION 1] SEQUENCE {
|
||||
aid [APPLICATION 15] OCTET STRING,
|
||||
label [APPLICATION 16] UTF8String OPTIONAL,
|
||||
path [APPLICATION 17] OCTET STRING,
|
||||
ddo [APPLICATION 19] DDO OPTIONAL
|
||||
}
|
||||
|
||||
UnusedSpace ::= SEQUENCE {
|
||||
path Path (WITH COMPONENTS {..., index PRESENT, length PRESENT}),
|
||||
authId Identifier OPTIONAL,
|
||||
...,
|
||||
accessControlRules SEQUENCE OF AccessControlRule OPTIONAL
|
||||
}
|
||||
|
||||
END
|
Loading…
Reference in New Issue