diff --git a/doc/Makefile.am b/doc/Makefile.am
index ebcc1ee2..302fa381 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -1,6 +1,6 @@
# Process this file with automake to create Makefile.in
-SUBDIRS = . old
+SUBDIRS = .
MAINTAINERCLEANFILES = Makefile.in $(HTML) ChangeLog
@@ -14,7 +14,6 @@ XML = $(shell ls $(srcdir)/tools/*.xml $(srcdir)/api/*.xml $(srcdir)/api/*/*.xml
index.html:
sh $(srcdir)/export-wiki.sh $(srcdir)
sh $(srcdir)/generate-man.sh $(srcdir)
- sh $(srcdir)/old/generate.sh $(srcdir)/old
ChangeLog:
sh $(srcdir)/changelog.sh $(srcdir)
diff --git a/doc/old/Makefile.am b/doc/old/Makefile.am
deleted file mode 100644
index fae45a8d..00000000
--- a/doc/old/Makefile.am
+++ /dev/null
@@ -1,11 +0,0 @@
-# Process this file with automake to create Makefile.in
-
-XSLTPROC = @XSLTPROC@
-SOURCE = opensc.xml opensc.xsl opensc-es.xml opensc.css opensc.xsl
-GENERATE = opensc.html opensc-es.html
-NILS = init_perso_guide.html init_perso_guide.txt
-
-MAINTAINERCLEANFILES = Makefile.in $(GENERATE)
-
-EXTRA_DIST = pkcs-15v1_1.asn $(NILS) $(SOURCE) $(GENERATE) doxygen.conf generate.sh
-
diff --git a/doc/old/doxygen.conf b/doc/old/doxygen.conf
deleted file mode 100644
index b6931725..00000000
--- a/doc/old/doxygen.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-INPUT = ../src/libopensc
-FILE_PATTERNS = *.h
-PROJECT_NAME = OpenSC
-PROJECT_NUMBER = 0.10.0
-HIDE_UNDOC_MEMBERS = YES
-SORT_MEMBER_DOCS = NO
-OPTIMIZE_OUTPUT_FOR_C = YES
diff --git a/doc/old/generate.sh b/doc/old/generate.sh
deleted file mode 100644
index 66979d6c..00000000
--- a/doc/old/generate.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-
-set -e
-
-SRCDIR=.
-
-if test -n "$1"
-then
- SRCDIR="$1"
-fi
-
-test -f "$SRCDIR"/`basename $0`
-
-if ! test -w "$SRCDIR"
-then
- exit 0
-fi
-
- xsltproc -o "$SRCDIR"/opensc.html "$SRCDIR"/opensc.xsl "$SRCDIR/"opensc.xml
- tidy -im -utf8 -xml "$SRCDIR"/opensc.html || true
- xsltproc -o "$SRCDIR"/opensc-es.html "$SRCDIR"/opensc.xsl "$SRCDIR"/opensc-es.xml
- tidy -im -utf8 -xml "$SRCDIR"/opensc-es.html || true
diff --git a/doc/old/init_perso_guide.html b/doc/old/init_perso_guide.html
deleted file mode 100644
index 75363466..00000000
--- a/doc/old/init_perso_guide.html
+++ /dev/null
@@ -1,466 +0,0 @@
-
-
- init_perso_guide
-
-
-OpenSC card init and perso guide
-1. Introduction
-Nothing
-is impossible for the man who doesn't have
-to do it himself. -- A.H. Weiler
-Filesystem - MF - DF - EF - FID Commands - APDUs Access control, PIN, PUK Cryptographic keys Reader - PC/SC - OpenCT - CT-API PKCS15 A little PKCS15 example:
-Here's the textual contents of 3 PKCS15 files: the AODF (Authentication
-Object Directory File), PrKDF (Private Key Directory File) and CDF
-(Certificate Directory File) that contain info on resp. the PINs,
-private keys and certificates. Each of them contains 1 entry. Com. Flags : private, modifiable
-PrKDF:
- Com. Flags : private, modifiable
-X.509 Certificate [/C=BE/ST=...]
- Com. Flags : modifiable
-Some things to note:
- The Auth ID (01) of the private key is the same as the one of the
-PIN which
-means
-that you first have to do a login with this PIN before
-you can use this key.
- The key is in an EF with ID = 0012 in the DF with ID = 3045,
-which
-on it is turn is a DF with ID 5015, which on it is turn is a DF of
-the MF (3F00).
- The private key and certificates share the same ID (45), which
-means that they
-belong together.
- The certificate is in the EF with as path: 3F00\5015\3045
-and is no CA
-certificate.
-
-Use the tests/p15dump tool to
-see yourself what pkcs15 data is on your card, or tools/opensc-explorer to browse
-through the files.2. The OpenSC pkcs15-init library and profiles
-Reading and writing files, PIN verification, signing and decryption
-happen in much the same way on all cards. Therefore, the "normal life"
-commands have been implemented in OpenSC for all supported cards.Profile Profile options
- default: creation/deletion/generation is controlled by the SO PIN
-(SO = Security Officer, different from the regular user of the card)
- onepin: creation/deletion/generation is controlled by the user
-PIN and thus by the user. As a result, only 1 user PIN is possible
- small: like default, but suitable for card with little memory
-
-3. pkcs15-init tool
-This is a command-line tool that uses the pkcs15-init library. It
-allows you to do all the init/perso things, e.g. add/delete keys,
-certificates, PINs and data, generate keys, ... while specifying key
-usage, which PIN protects which key, ...opensc-tool -n "pkcs15-tool
--h " to see them) because some are card-specific or obsolete (or
-we don't know about them). Feel free to experiment and explain them
-here.opensc-tool -l "
-to see the list of available readers.pkcs15-tool --list-pins
---list-public-keys -k -c -C p15dump (in the
-src/tests directory)opensc-explorer tool.* Create the PKCS15 files
- pkcs15-init
--C {-T} {-p <profile>} --so-pin
-<PIN> --so-puk <PUK> | --no-so-pin | --pin <PIN>
---puk <PUK> This will create the PKCS15 DF (5015) and all the PKCS15 files
-(some of which will be empty until a key, PIN, ... will be added). It
-must be done before you can do any of the operations below.
- This operation usually requires a 'transport' key. pkcs15-init
-will ask you for this key and propose the default one for that card.
-With -T, the default will be used without asking. NOTE: if you get a
-"Failed to erase card: PIN code or key incorrect", the transport key is
-wrong. Find this key and then try again, DO NOT try the default key
-again!
- If you want an SO PIN and PUK, do so with the --so-pin and
---so-puk options, or specify --no-so-pin if you don't want to. If you
-use
-the onpin profile, there is no SO PIN so you should specify --pin and
---puk instead. (So you get: pkcs15-init -CT -p pkcs15+onepin --pin
-<PIN> --puk <PUK>)
- To specify the profile file + option. The profile file can only
-be "pkcs15" for the moment, so you can have:
-
-* Erase the card's content
- pkcs15-init
--E {-T}
- This operation usually requires a 'transport' key. pkcs15-init
-will ask you for this key and propose the default one for that card.
-With -T, the default will be used without asking. NOTE: if you get a
-"Failed to erase card: PIN code or key incorrect", the transport key is
-wrong. Find this key and then try again, DO NOT try the default key
-again!
-
-Note: you can combine erase/create (-E -C or -EC) to erase and then
-create* Add a PIN (not possible with the onepin profile option)
- pkcs15-init
--P {-a <AuthID>} {--pin <PIN>} {--puk <PUK>} {-l
-<label>}
- You can specify the AuthID with -a, if you don't do so, a value
-that didn't exist yet on the card will be chosen.
- Specify the PIN and PUK with --pin and --puk, if you don't do so,
-the tool will prompt you for one.
- Specify the label (name) of the PIN with -l, or accept the
-default label.
-
-* Generate a key pair (on card or in software on the PC)
- pkcs15-init
--G <keyspec> -a <AuthID> --insecure {-i <ID>}
-{--soft}{-u <keyusage>}{-l <privkeylabel>}
-{--public-key-label <pubkeylabel>}
- The keyspec consist of the key type, rsa or dsa (depends on what
-your cards supports), and optinally a slash followed by the keysize in
-bits. E.g. "rsa/1024" specifies a 1024 bit RSA key pair. Note: dsa is
-not
-fully supported.
- Specify the AuthID of the PIN that protects this key (from being
-used in a signature or decryption operation) with -a; or specify
---insecure if you want the private key to be used without first
-providing a PIN.
- Specify the ID of the key with -i, otherwise the tool with choose
-one.
- Specify --soft if you don't want the key pair to be generated
-on-chip.
- Specify the usage of the private key with -u; if you add a
-corresponding certificate later, it should have the same key usage. (Do
-"pkcs15-init -u help" for help).
- Specify the label (name) of the private key with -l, or accept
-the default label.
- Specify the label (name) of the public key with
---public-key-label, or accept the default label if you don't do so.
- Depending on your card and profile option, you will be prompted
-to provide your SO PIN and/or PIN; if you don't want to be prompted,
-add them to the command line with --so-pin <SOPIN> and/or --pin
-<PIN>.
-
-NOTE: see the SSL engines (below) on how to make a certificate request
-with the key you generated.* Add a private key
- pkcs15-init
--S <keyfile> {-f <keyformat>} -a <AuthID> --insecure
-{-i <ID>} {-u <keyusage>} {--passphrase <password>}
-{-l <label>}
- The keyfile should be in DER (binary) or PEM format.
- The keyformat should be PEM (default) or DER.
- Specify the AuthID of the PIN that protects this key (from being
-used in a signature or decryption operation) with -a; or specify
---insecure if you want the private key to be used without first
-providing a PIN.
- Specify the ID of the key with -i
- <>Specify the usage of the private key with -u; if you add a
-corresponding certificate later, it should have the same key usage. (Do
-"pkcs15-init -u help" for help). Specify the label (name) of
-the with -l, or accept the
-default label.
- Depending on your card and profile option, you will be prompted
-to provide your SO PIN and/or PIN; if you don't want to be prompted,
-add them to the command line with --so-pin <SOPIN> and/or --pin
-<PIN>.
-
-* Add a private key + certificate(s) (in a pkcs12 file)
- pkcs15-init
--S <pkcs12file> -f PKCS12 -a <AuthID> {--insecure} {-i
-<ID>} {-u <keyusage>} {--passphrase <password>} {-l
-<privkeylabel>} {--cert-label <usercertlabel>}
- Specify the AuthID of the PIN that protects this key (from being
-used in a signature or decryption operation) with -a; or specify
---insecure if you want the private key to be used without first
-providing a PIN.
- Specify the ID of the key and the corresponding certificate with
--i,
-otherwise the tool with choose one; only the 'user cert' will get the
-same ID as the key, the other certificates will get 'authority' status
-and
-another ID.
- You can specify the key-usage, but it is not advised to do this
-so the key usage from the certificate is used.
- Specify the password of the pkcs12 key file if you don't want to
-be prompted for one.
- Specify the label (name) of the private key with -l, or accept
-the default label.
- Specify the label (name) of the user certificate with
---cert-label, or accept the default label.
- Depending on your card and profile option, you will be prompted
-to provide your SO PIN and/or PIN; if you don't want to be prompted,
-add them to the command line with --so-pin <SOPIN> and/or --pin
-<PIN>.
-
-* Add a certificate
-
-pkcs15-init -W <certfile> {-f <certformat>} {-i <ID>}
-{--authority}
- The certfile should be in DER (binary) or PEM format
- The certformat should be PEM (default) or DER
- Specify the ID of the certificate with -i, otherwise the tool
-with
-choose one; if the certificate corresponds to a private and/or public
-key, you
-should specify the same ID as that key.
- Specify --authority if it is a CA certificate.
- Depending on your card and profile option, you will be prompted
-to
-provide your SO PIN and/or PIN; if you don't want to be prompted, add
-them to the command line with --so-pin <SOPIN> and/or --pin
-<PIN>.
-
-* Add a public key
- pkcs15-init
---store-public-key <keyfile> {-f <keyformat>} {-i
-<ID>} {-l <label>}
- The keyfile should be in DER (binary) or PEM format
- The keyformat should be PEM (default) or DER
- Specify the ID of the key with -i, otherwise the tool with choose
-one; if the key corresponds to a private key and/or certificate, you
-should
-specify the same ID as that private key and/or certificate.
- Specify the label (name) of the with -l, or accept the
-default label.
- Depending on your card and profile option, you will be prompted
-to
-provide your SO PIN and/or PIN; if you don't want to be prompted, add
-them to the command line with --so-pin <SOPIN> and/or --pin
-<PIN>.
-
-* Add data
- pkcs15-init
--W <datafile> {-i <ID>} {-l <label>}
- The datafile is stored "as is" onto the card.
- Specify the ID of the data with -i, or accept the default ID.
- Specify the label (name) of the with -l, or accept the
-default label.
- Depending on your card and profile option, you will be prompted
-to
-provide your SO PIN and/or PIN; if you don't want to be prompted, add
-them to the command line with --so-pin <SOPIN> and/or --pin
-<PIN>.
-
-4. Other tools
-* SSL-engines
-These libraries can be loaded in OpenSSL so you can do a certificate
-request with the openssl tool; the signature on the certificate request
-will
-then be made with the smart card. The result can then be sent to a CA
-for certification, the resulting certificate can be put on the card
-with
-pkcs15-init or pkcs11-tool.
- Run openssl
- On the openssl command prompt, typeengine dynamic
--pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD engine dynamic
--pre
-SO_PATH:engine_opensc -pre ID:opensc -pre LIST_ADD:1 -pre LOAD
-
-
- Then type (on the openssl command prompt)req -engine
-pkcs11 -new -key <ID> -keyform engine -out <cert_req>
-req -engine opensc -new -key <ID> -keyform engine -out
-<cert_req> [slot_<slotID>][-][id_<ID>] ,
-e.g. id_45 or slot_0-id_45
-
-* pkcs11-tool and Mozilla/Netscape
-You can use the OpenSC pkcs11 library to generate a keypair in Mozilla
-or Netscape, and let the browser generate a certificate request that
-is sent to an on-line CA to issue and send you a certificate that is
-then added to the card.pkcs11-tool
---moz-cert
-<cert_file_in_der_format> --login ".5. Card-specific issues
-Experience
-is that marvelous thing that enables you to recognize a mistake when you make it again. --
-Franklin P. Jones
-Cryptoflex:
- DFs and EFs in a DF have to be deleted in reverse order of
-creation.
-
-Starcos SPK 2.3:
- Due to the way Starcos SPK 2.3 manages access rights it is
-necessary to manually call "pkcs15-init --finalize" after card
-personalization if no SO-PIN has been specified. Once the card has been
-finalized it is no possible to add new private/secrets keys or PINs. If
-a SO-PIN is used the card will automatically be finalized after the
-SO-PIN has been stored.
- If an SO-PIN is used and if there is enough space in the key file
-left, then the owner of the SO-PIN can access/use every protected item
-by creating a PIN for the necessary state.
-
-}
- --so-pin --so-puk | --no-so-pin | --pin --puk
-This will create the PKCS15 DF (5015) and all the PKCS15 files (some of which
-will be empty until a key, PIN, ... will be added). It must be done before you
-can do any of the operations below.
-- This operation usually requires a 'transport' key. pkcs15-init will ask you
- for this key and propose the default one for that card. With -T, the default
- key will be used without asking. NOTE: if you get a "Failed to erase card:
- PIN code or key incorrect", the transport key is wrong. Find this key and
- then try again, DO NOT try with the default key again!
-- If you want an SO PIN and PUK, do so with the --so-pin and --so-puk options,
- or specify --no-so-pin if you don't want them. If you use the onepin profile,
- there is no SO PIN so you should specify --pin and --puk instead.
- (So you get: pkcs15-init -CT -p pkcs15+onepin --pin --puk )
-- To specify the profile file + option. The profile file can only be "pkcs15"
- for the moment, so you can have:
- pkcs15+default : the default (not needed to specify it)
- pkcs15+onepin : for the onepin profile option
- pkcs15+small : for the small profile option
-
-* Erase the card's content
- pkcs15-init -E {-T}
-This will delete all keys, PINs, certificates, data that were listed in PKCS15
-files, along with the PKCS15 files themselves.
-- This operation usually requires a 'transport' key. pkcs15-init will ask you
- for this key and propose the default one for that card. With -T, the default
- key will be used without asking. NOTE: if you get a "Failed to erase card:
- PIN code or key incorrect", the transport key is wrong. Find this key and
- then try again, DO NOT try the default key again!
-
-Note: you can combine erase/create (-E -C or -EC) to erase and then create
-the card's contents, except when you change the profile option.
-
-* Add a PIN (not possible with the onepin profile option)
- pkcs15-init -P {-a } {--pin } {--puk } {-l }
-- You can specify the AuthID with -a, if you don't do so, a value that didn't
- exist yet on the card will be used.
-- Specify the PIN and PUK with --pin and --puk, if you don't do so, the tool
- will prompt you for one.
-- Specify the label (name) of the PIN with -l, or accept the default label.
-
-* Generate a key pair (on card or in software on the PC)
- pkcs15-init -G -a --insecure {-i } {--soft}
- {-u }
- {-l } {--public-key-label }
-This will generate a public and private key pair.
-- The keyspec consist of the key type, rsa or dsa (depends on what your card
- supports), and optinally a slash followed by the keysize in bits. E.g.
- "rsa/1024" specifies a 1024-bit RSA key pair. Note: dsa is not fully
- supported.
-- Specify the AuthID of the PIN that protects this key (protect from being
- used in a signature or decryption operation) with -a; or specify --insecure
- if you want the private key to be used without first providing a PIN.
-- Specify the ID of the key with -i, otherwise the tool will choose one.
-- Specify --soft if you don't want the key pair to be generated on card.
-- Specify the usage of the private key with -u; if you add a
- corresponding certificate later, it should have the same key usage.
- (Do "pkcs15-init -u help" for help).
-- Specify the label (name) of the private key with -l, or accept the default
- label.
-- Specify the label (name) of the public key with --public-key-label, or
- accept the default label.
-- Depending on your card and profile option, you will be prompted to provide
- your SO PIN and/or PIN; if you don't want to be prompted, add them to the
- command line with --so-pin and/or --pin .
-NOTE: see the SSL engines (below) on how to make a certificate request with
-the key you generated.
-
-* Add a private key
- pkcs15-init -S {-f } -a --insecure
- {-i } {-u } {--passphrase }
- {-l }
-- The keyfile should be in DER (binary) or PEM format.
-- The keyformat should be PEM (default) or DER.
-- Specify the AuthID of the PIN that protects the private key (from being used
- in a signature or decryption operation) with -a; or specify --insecure if
- you want the private key to be used without first providing a PIN
-- Specify the ID of the key with -i
-- Specify the usage of the private key with -u; if you add a
- corresponding certificate later, it should have the same key usage.
- (Do "pkcs15-init -u help" for help).
-- Specify the label (name) of the with -l, or accept the default label if
- you don't do so.
-- Depending on your card and profile option, you will be prompted to provide
- your SO PIN and/or PIN; if you don't want to be prompted, add them to the
- command line with --so-pin and/or --pin .
-
-* Add a private key + certificate(s) (in a pkcs12 file)
- pkcs15-init -S -f PKCS12 -a {--insecure} {-i }
- {-u } {--passphrase }
- {-l } {--cert-label }
-This adds the private key and certificate chain to the card. If a certificate
-already exists in the card, it won't be added again.
-- Specify the AuthID of the PIN that protects this key (protect from being
- used in a signature or decryption operation) with -a; or specify --insecure
- if you want the private key to be used without first providing a PIN.
-- Specify the ID of the key and the corresponding certificate with -i,
- otherwise the tool with choose one; only the 'user cert' will get the same
- ID as the key,
- the other certificates will get 'authority' status and another ID.
-- You can specify the key-usage, but it is advised not to do this so the key
- usage is fetched from the certificate.
-- Specify the password of the pkcs12 key file if you don't want to be prompted
- for one.
-- Specify the label (name) of the private key with -l, or accept the default
- label if you don't do so.
-- Specify the label (name) of the user certificate with --cert-label, or
- accept the default label if you don't do so.
-- Depending on your card and profile option, you will be prompted to provide
- your SO PIN and/or PIN; if you don't want to be prompted, add them to the
- command line with --so-pin and/or --pin .
-
-* Add a certificate
- pkcs15-init -W {-f } {-i } {--authority}
-- The certfile should be in DER (binary) or PEM format
-- The certformat should be PEM (default) or DER
-- Specify the ID of the certificate with -i, otherwise the tool with choose
- one; if the certificate corresponds to a private and/or public key, you
- should specify the same ID as that key.
-- Specify --authority if it is a CA certificate.
-- Depending on your card and profile option, you will be prompted to provide
- your SO PIN and/or PIN; if you don't want to be prompted, add them to the
- command line with --so-pin and/or --pin .
-
-* Add a public key
- pkcs15-init --store-public-key {-f } {-i }
- {-l }
-- The keyfile should be in DER (binary) or PEM format
-- The keyformat should be PEM (default) or DER
-- Specify the ID of the key with -i, otherwise the tool with choose one;
- if the key corresponds to a private key and/or certificate, you should
- specify the same ID as that private key and/or certificate.
-- Specify the label (name) of the with -l, or accept the default label if
- you don't do so.
-- Depending on your card and profile option, you will be prompted to provide
- your SO PIN and/or PIN; if you don't want to be prompted, add them to the
- command line with --so-pin and/or --pin .
-
-* Add data
- pkcs15-init -W {-i } {-l }
-- The datafile is stored "as is" onto the card.
-- Specify the ID of the data with -i, or accept the default ID.
-- Specify the label (name) of the data with -l, or accept the default label.
-- Depending on your card and profile option, you will be prompted to provide
- your SO PIN and/or PIN; if you don't want to be prompted, add them to the
- command line with --so-pin and/or --pin .
-
-
-4. Other tools
-==============
-
-* SSL-engines
-
-These libraries can be loaded in OpenSSL so you can do a certificate request
-with the openssl tool; the signature of the certificate request will then be
-made using the smart card. The result can then be sent to a CA for
-certification or the resulting certificate can be put on the card with pkcs15-init
-or pkcs11-tool.
-- Run openssl
-- On the openssl command prompt, type
- engine dynamic -pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
- or
- engine dynamic -pre SO_PATH:engine_opensc -pre ID:opensc -pre LIST_ADD:1 -pre LOAD
- depending on which one of the 2 engines (pkcs11 or opensc) you want to use.
-- Then type (on the openssl command prompt)
- req -engine pkcs11 -new -key -keyform engine -out
- or
- req -engine opensc -new -key -keyform engine -out
- in which ID is the slot+ID in the following format:
- [slot_][-][id_], e.g. id_45 or slot_0-id_45
-
-* pkcs11-tool and Mozilla/Netscape
-
-You can use the OpenSC pkcs11 library to generate a key pair in Mozilla or
-Netscape, and let the browser generate a certificate request that is sent
-to an on-line CA to issue and send you a certificate that is then added to the
-card.
-
-Just go to an online CA (Globalsign, Thawte, ...) and follow their guidelines.
-Because such a request either costs you or at least requires you to provide a
-valid mail address, it is advisable to first try you card with
-"pkcs11-tool --moz-cert --login".
-
-NOTE: This can only be done with the onepin profile option (because the browser
-won't ask for an SO PIN, only for the user PIN).
-
-
-5. Card-specific issues
-=======================
-
- Experience is that marvelous thing that enables you to recognize
- a mistake when you make it again. -- Franklin P. Jones
-
-Cryptoflex:
-- DFs and EFs in a DF have to be deleted in reverse order of creation.
- OpenSC relies on this fact for security, but also has some downsides. For
- example, if you did a "pkcs15-init -C" and then added some EFs or DFs in the
- MF, you won't be able to do a "pkcs15-init -E" afterwards to remove the
- PKCS15 DF (5015). So you'll first have to manually remove all EFs/DFs you
- created in the MF before being able remove the pkcs15 DF.
-
-Starcos SPK 2.3:
-- Due to the way Starcos SPK 2.3 manages access rights it is necessary
- to manually call "pkcs15-init --finalize" after card personalization
- if no SO-PIN has been specified. Once the card has been finalized it is
- not possible to add new private/secret keys or PINs. If a SO-PIN is
- used the card will automatically be finalized after the SO-PIN has
- been stored.
-- If an SO-PIN is used and if there is enough space in the key file left,
- then the owner of the SO-PIN can access/use every protected item by
- creating a PIN for the necessary state.
diff --git a/doc/old/opensc-es.xml b/doc/old/opensc-es.xml
deleted file mode 100644
index eee08169..00000000
--- a/doc/old/opensc-es.xml
+++ /dev/null
@@ -1,2077 +0,0 @@
-
-
- Manual de OpenSC
-
-
- OpenSC Development Team
- opensc-devel@opensc.org
-
-
- Traducción: Juan Antonio Martínez
- jonsito@teleline.es
-
-
-
-
- Introducción
-
-
-
- libopensc es una biblioteca de acceso a dispositivos tipo Tarjeta Inteligente (SmartCards). Cualquier tarjeta que soporte el estandard ISO 7816-4 deberia poder ser utilizada para las funcionalidades básicas ( manejo de ficheros ). Si además la tarjeta es compatible con el standard PKCS#15, la biblioteca ofrece a estas tarjetas el soporte de diversas funciones criptográficas
-
-
-
-
- Autores y Colaboradores
-
-
-
- Se adjunta la lista de todos los autores y colaboradores de OpenSC en orden alfabético
-
-
-
-
- Robert Bihlmeyer robbe@orcus.priv.at
-
-
-
- Stef Hoeben Hoeben.S@Zetes.com
-
-
-
- Andreas Jellinghaus aj@dungeon.inka.de
-
-
-
- Olaf Kirch okir@suse.de
-
-
-
- Nils Larsch larsch@trustcenter.de
-
-
-
- Juan Antonio Martinez jonsito@teleline.es
-
-
-
- Ville Skyttä
-
-
-
- Kevin Stefanik kstef@mtppi.org
-
-
-
- Antti Tapaninen aet@cc.hut.fi
-
-
-
- Timo Teräs timo.teras@iki.fi
-
-
-
- Juha Yrjölä juha.yrjola@iki.fi
-
-
-
- Jörn Zukowski zukowski@trustcenter.de
-
-
-
-
- Agradecimientos
-
-
-
- Las siguientes personas an aportado ideas, apoyo y/o información para el desarrollo de OpenSC
-
-
-
-
- Antti Partanen
- antti.partanen@vrk.intermin.fi
-
-
-
- David Corcoran corcoran@linuxnet.com
-
-
-
-
-
- OpenSC no ha inventado la rueda ni escrito el código desde cero. Se ha usado código de otros proyectos, principalmente para desarrollar el interfaz con éstos. Los autores originales son:
-
-
-
-
- Matthias Brüstle
-
-
-
- Markus Friedl
-
-
-
- Geoff Thrope geoff@geoffthorpe.net
-
-
-
-
-
-
- Licencia. Copyright
-
-
-OpenSC smart card library
-Copyright (C) OpenSC developers
-
-This library is free software; you can redistribute it and/or
-modify it under the terms of the GNU Lesser General Public
-License as published by the Free Software Foundation; either
-version 2.1 of the License, or (at your option) any later version.
-
-This library is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-Lesser General Public License for more details.
-
-You should have received a copy of the GNU Lesser General Public
-License along with this library; if not, write to the Free Software
-Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-
-
-
-
- Introducción
-
-
-
- OpenSC está basado en diversos componentes.
-El principal es la biblioteca OpenSC, a su vez dividida en tres capas, cada una con diversos drivers
-Otros componentes son: la biblioteca PKCS#11, el módulo PAM, diversos plugins para OpenSSL... Adicionalmente, se incluyen diversas utilidades y aplicaciones de test que usan estas bibliotecas
-
-
-
-
-El objetivo de este capítulo es proporcionar información sobre el funcionamiento interno de la biblioteca OpenSC, cómo funciona, y finalmente qué ofrecen las utilidades. Cada una de éstas, así como las bibliotecas, tienen su propia pagina de manual, y su sección en este documento
-
-
-
- Estructura de OpenSC
-
-
-
-La biblioteca básica de OpenSC es libopensc. Ofrece tanto funcionalidades básicas para la comunicación con las tarjetas inteligentes, como avanzadas, (eg. generar claves RSA en una tarjeta)
-
-
-
-
-Para ello, libopensc está estructurado en diversas capas, a su vez implementadas mediante uno o más drivers. Estas capas son:
-
-
-
-
-
- Lector
-
-
- OpenSc necesita poder enlazar con los diversos manejadores de lectores de tarjetas. Dado que cada uno tiene su propio software (CT-api, PC/SC, etc), OpenSC provee un módulo específico para cada uno
-
-
-
-
- Tarjetas
-
-
- Idealmente, todas las tarjetas inteligentes, de berían implementar el standard ISO 7816 de la misma forma, y aceptar y generar los mismos comandos y respuestas. Desafortunadamente, este no es el caso. OpenSC ofrece pues un módulo específico por cada tarjeta (o familia de tarjetas)
-
-
-
-
- pkcs15init
-
-
-Las tarjetas inteligentes suelen incorporar un sistema de ficheros, donde almacenar claves y certificados. Asímismo incorporan comandos para crear directorios y ficheros, ajustar permisos y seguridad, etc. En función de la tarjeta no solo los comandos son distintos, sino que incluso la estructura de ficheros y modelo de seguridad difieren. El módulo pkcs15init esconde estas diferencias al resto de la aplicación
-
-
-
-
- La infraestructura PKCS #15
-
-
- PKCS #15
-
- Es el estandard de manejo y almacenamiento de claves y certificados en un dispositivo criptográfico. A pesar de ello, muchos fabricantes de tarjetas implementan sus propios mecanismos, por ejemplo especificando diferentes directorios. OpenSC implementa el estandard PKCS#15, existiendo un módulo de emulación para aquellas tarjetas que se apartan del estandard
-
-
-
-
- De hecho es posible elaborar una infraestructura nueva para implementar compatibilidad con sistemas que no cumplan dicho estandard
-
-
-
-
-
-
-
- El módulo lector
-
-
-
- PC/SC Lite es una aplicación middleware que sirve para interactuar, por un lado con los drivers para lectores de tarjetas, y por otro con las aplicaciones que las manejan. OpenSC puede usar PC/SC Lite mediante el modulo lector pcsc, aunque soporta otras alternativas
-
-
-
-
- PC/SC es un API estandard entre aplicaciones, como gestor de recursos para lectores de tarjetas inteligentes. Es muy popular en el entorno operativo Windows. La documentación está disponible en:
-
-
-
-
- PC/SC Lite es la implementación del estandard PCSC para sistemas Linux, Unix, Windows y MacOS X, realizada por David Corcoran corcoran@linuxnet.com . La aplicación está disponible como software libre y gratuíto. Para descargar esta aplicación, refierase a la página web del Movimiento para el Uso de SmartCards en Entornos Linux ( M.U.S.C.L.E )
-
-
-
-
- Para instalar el soporte de OpenSC para pcsc-lite, es necesario instalar PCSCLite primero, y seguidamente configurar OpenSC especificando la ubicación de la instalación de PCSC
-
-$ cd opensc-<version>
-$ ./configure --with-pcsclite=/path/to/pcsclite
-
-
-
-
-
- OpenCT es una nueva aplicación para manejo de tarjetas inteligentes, lectores y terminales de acceso. OpenCT ha sido escrito desde cero , constituyendo un entorno muy ligero, e incluyendo todos los drivers. Está dispobible para sistemas Linux, pero si se desea su uso en otros entornos Unix o BSD, por favor consulte en la lista de correo de opensc-devel
-
-
-
-
- OpenCT es software libre. El código fuente está disponible de manera gratuita. OpenCT es desarrollado conjuntamente con OpenSC y se recomienda su uso preferente para entornos Linux. OpenCT está disponible en la página web de OpenSC opensc-devel@opensc.org
-
-
-
-
- Para compilar OpenSC con soporte OpenCT, es necesario tener instalado éste primero. La documentación de OpenCT está incluída en el código fuente, así como disponible en línea a través del enlace:
-
-$ cd opensc-<version>
-$ ./configure --with-openct=/path/to/openct
-
-
-
-
-
-CT-API es un estandard para manejadores de tarjetas inteligentes.
-Fué desarrollado en la década de los 80, para aplicaciones MS-Dos,
-y quizás no sea muy conocido en los ambientes multi-usuario y multi-tarea
-de la actualidad. Sin embargo, CT-API está muy extendido y muchos
-lectores proveen soporte para este estándard incluso bajo Linux.
-
-
-
-
- OpenSC puede usar drivers CT-API directamente.
-No obstante su uso se reserva para aplicaciones de depuración y no se
-recomienda en instalaciones multi-usuario o con múltiples aplicaciones
-que usen el lector
-
-
-
-
-El soporte CT-API en OpenSC no necesita párametros especiales a la hora de
-recompilar. Léase el fichero de configuración opensc.conf para saber como configurar el driver CT-API bajo OpenSC
-
-
-
-
-
-
-
-
- Compilación e Instalación de libopensc
-
-
- Linux
-
-
- Lea el fichero INSTALL para ver las instrucciones de compilación. Si se está partiendo de una versión descargada del CVS, necesitará ejecutar previamente el script 'bootstrap' antes de ejecutar 'configure'. Del mismo modo, deberá tener versiones actualizadas de Autoconf, Automake, y Libtool
-
-
-
-
- Windows
-
-
-
-Ejecute "nmake -f makefile.mak" en el directorio opensc para compilar
-
-
-
-
-Además de nmake, deberá tener perl y flex instalados para poder realizar la
-compilación
-
-
-
-
-El fichero Makefile.mak no incorpora mecanismos para "make install", por lo que deberá realizar la instalación de manera manual
-
-
-
-
-
-Copiar opensc.conf al directorio Windows ( generalmente C:\WINDOWS o C:\WINNT). Esta operación es opcional
-
-
-
-
-Copiar opensc.dll y opensc-pkcs11.dll a una ubicación dentro del path
-
-
-
-
-Si se quiere utilizar el comando pkcs15-init.exe, asegurese de que los ficheros *.profile residentes en el directorio src\pkcs15init\ están en el mismo directorio que pkcs15-init.exe, o en el directorio Windows
-
-
-
-
-
- Windows con soporte OpenSSL
-
-
-
-Esta opción añade funcionalidad extra (por ejemplo PKCS#11 hash y mecanismos de firmas pkcs#11 adicionales
-
-
-
-
-
- Descargar y compilar los fuentes de OpenSSL de:
-
-
-
-
-Añadir el directorio \inc32 al include_path, y el \out32dll
-al library_path y exec_path
-
-set include=%include%;.....\inc32
-set lib=%lib%;.....\out32dll
-set path=%path%;....\out32dll
-
-
-
-
-
-En el fichero src\tools\Makefile.mak descomentar "pkcs15-init.exe en la línea
-"TARGETS", y (opcionalmente) añadir "libeay32.lib" y "gdi32.lib" al la línea marcada como "link" (enlace)
-
-
-
-
-En el fichero src\libopensc\Makefile.mak, añadir "libeay32.dll" y "gdi32.dll"
-a la línea marcada como "link" (enlace)
-
-
-
-
-Realizar la misma inclusión en el fichero src\pkcs11\Makefile.mak en las
-entradas "link" de las secciones "TARGET" y "TARGET3"
-
-
-
-
-En el fichero win32\Make.rules.mak, añadir /DHAVE_OPENSSL a la línea "COPTS"
-
-
-
-
-
-Para no necesitar las librerías dinámicas: compilar OpenSSL estáticamente y substituír los ficheros gdi32.dll y libeay32.dll por los ficheros gdi32.lib t libeay32.lib, respectivamente, en los tres ficheros Makefile.mak anteriormente indicados
-
-
-
-
-
-
-
- Estado del desarrollo
-
-
-
- Tarjetas
-
-
-
-
-
- CryptoFlex
-
-
-
-
- Soporta firma/desencriptación e inicialización
-
-
-
-
- Gemplus PK 4K, 8K, 16K
-
-
-
- Soporta firma/desencriptación e inicialización
-
-
-
-
-
- Nota: no le será posible inicializar una tarjeta GemSafe - estas tarjetas vienen personalizadas por GemPlus y no se pueden borrar o añadir nuevos ficheros de claves en ellas
-
- Aladdin eToken PRO
-
-
-
- Soporta firma/desencriptación e inicialización
-
-
-
-
-
- Nota: CardOS solo soporta claves para firmado, o desencriptación, pero no para ambas. Esta limitación puede ser evitada creando/almacenando claves con la opción "--split-keys"
-
- Eutron CryptoIdendity IT-SEC
-
-
-
- Soporta firma/desencriptación e inicialización
-
-
-
-
-
- Nota: CardOS solo soporta claves para firmado, o desencriptación, pero no para ambas. Esta limitación puede ser evitada creando/almacenando claves con la opción "--split-keys"
-
- Micardo
-
-
-
- Soportada ( TODO: incluir detalles )
-
-
- Miocos
-
-
-
- Soportada ( TODO: incluir detalles )
-
-
- Setcos
-
-
-
- Soportada ( TODO: incluir detalles )
-
-
- Tcos
-
-
-
- Soportada ( TODO: incluir detalles )
-
-
-
-
-
-
- Windows
-
-
-
-Actualmente, solo han sido portados a Windows: libopensc.dll, pkcs11-spy.dll, opensc-pkcs11.dll y la mayor parte de los ejecutables del directorio \tools y \tests. Estas bibliotecas han sido testeadas en Win98, WinNT, Win2000 y WinXP
-
-
-
-
- Módulo PKCS #11 en Netscape y Mozilla
-
-
-
- Netscape parece mostrar más información acerca de sus módulos de seguridad que Mozilla. No obstante el soporte no ha sido testeado
-
-
-
-
-Notas sobre threads en Linux y MacOS X:
-Netscape y Mozilla usan el parámetro CKF_OS_LOCKING_OK en la función
-C_Initialize(). Como resultado, el thread del navegador no termina cuando se cierra éste, y debe ser abortado manualmente. Esto es debido a que el navegador no invoca C_Finalize, que liberaría los locks, tal y como especifica el estandard
-
-
-
-
-Por consiguiente OpenSC no utiliza los mecanismos de bloqueos de threads,
-incluso aunque sean solicitados. Esto parece funcionar en Mozilla, pero puede
-causar problemas en aplicaciones que utilicen múltiples hilos que accedan
-simultáneamente a la librería pkcs11
-
-
-
-
-Si se desea utilizar los mecanismos de threading, recompilar con la opción
--DPKCS11_THREAD_LOCKING. En Windows no se usan hilos, y por consiguiente este
-problema no existe, por lo que se usa el mecanismo de bloqueos del sistema
-
-
-
-
-
- Uso de OpenSC
-
-
- OpenSC y Netscape
-
-
-
- Seleccionar: Communicator -> Tools -> Security Info
-
-
-
- Seleccionar: Cryptographic Modules
-
-
-
- Pulsar: Add
-
-
-
- Indicar nombre del módulo: "OpenSC PKCS #11 Module"
- Indicar ubicación del fichero: /path/to/opensc/lib/pkcs11/opensc-pkcs11.so
-
-
-
-
-
-Para que el módulo funcione adecuadamente, es necesario activarlo: En el Menú
-"Cryptographic Modules" Seleccionar la tarjeta OpenSC, y pulsando en "Config",
-activar los botones "Enable this token" y "Publicly readable Certs"
-
-
-
-
-Con esto se garantiza que Netscape utilizará la tarjeta cuando intente mostrar
-mensajes encriptados en el Netscape Messenger. Del mismo modo habilitar "Publicly readable Certs" evitará que Netscape nos pida el PIN cada vez que se acceda a una página que requiera autenticación del Cliente
-
-
-
-
-El boton "RSA" NO DEBE ser activado. En caso contrario, Netscape intentará usar
-la tarjeta cada vez que vaya a generar claves públicas, y fallará (no todas las tarjetas soportan esta funcionalidad)
-
-
-
- FIXME: Especificar versión de Netscape a la que se aplican estas instrucciones
-
-
-
-
- OpenSC y Mozilla
-
-
-
-
-Asegurese que el Personal Security Manager (PSM) está instalado (paquete mozilla-psm)
-
-
-
- Seleccionar menú: Edit -> Preferences
-
-
-
- Seleccionar Categoría: Privacy & Security ->
- Certificates
-
-
-
- Pulsar en: "Manage Security Devices"
-
-
-
- Seleccionar: Load
-
-
-
- Indicar nombre del módulo: "OpenSC PKCS #11 Module"
- y ubicación del fichero: /path/to/opensc/lib/pkcs11/opensc-pkcs11.so
-
-
-
-
-
- OpenSC y OpenSSL
-
-
-
-OpenSSL es una potente utilidad que implementa los protocolos SSL,
-así como una biblioteca criptográfica de uso general.
-Entre sus características, se incluye la posibilidad de incluir "al vuelo"
-capacidades criptográficas adicionales (engines), como pueda ser la adicción
-de hardware criptográfico
-
-
-
-
-OpenSC incluye dos "engines" para OpenSSL. Esto permite el uso de OpenSSL y sus
-diversas utilidades asociadas en combinación con las capacidades criptográficas de las tarjetas inteligentes
-
-
-
-
-Para utilizar estas habilidades, es preciso cargar el "engine" dentro de OpenSSL, y luego utilizar de la manera habitual las aplicaciones. He aquí un ejemplo de utilización desde el comando openssl :
-
-
-
- Ejemplo de cómo cargar el "engine" OpenSC
-
-aj@simulacron:~$ openssl
-OpenSSL> engine dynamic -pre SO_PATH:/home/aj/opensc/lib/opensc/engine_opensc.so -pre ID:opensc -pre LIST_ADD:1 -pre LOAD
-(dynamic) Dynamic engine loading support
-[Success]: SO_PATH:/home/aj/opensc/lib/opensc/engine_opensc.so
-[Success]: ID:opensc
-[Success]: LIST_ADD:1
-[Success]: LOAD
-Loaded: (opensc) opensc engine
-OpenSSL>
-
-
-
-
-
-Un comando OpenSSL típico puede ser la recuperación de un certificado:
- req -engine opensc -new -key key -keyform engine -out req.pem -text .
-
- Consulte la documentación de OpenSSL para detalles adicionales
-
-
-
-- key
-
- Especifica el identificador de una clave en Hexadecimal. - por ejemplo "45" corresponde al la clave con ID="0x45"
-
-
-
-
- OpenSC incluye dos "engines" para OpenSSL:
- engine_opensc.so y
- engine_pkcs11.so .
-
-
-
-
-El módulo engine_opensc.so sólo funciona bajo OpenSC, y no funcionará cuando
-haya múltiples aplicaciones accediendo concurrentemente a la tarjeta, o existan en la tarjeta varios certificados. Pero en los casos simples: (una aplicación, una tarjeta, un certificado) es el módulo indicado por su simplicidad
-
-
-
-
-El módulo engine_pkcs11.so es mucho mas genérico y flexible.
-funcionará en todos los casos, incluídos aquellos en que existan múltiples
-tarjetas, claves, certificados, con aplicaciones concurrentes.
-Además está basado en el estandard PKCS#11, por lo que no solo puede usar la
-biblioteca OpenSC (como hace por defecto), sino cualquier otra implementación
-de PKCS#11
-
-
-
-
- Para cargar dicho "engine", ejecutar el comando:
-
-aj@simulacron:~$ openssl
-OpenSSL> engine dynamic -pre SO_PATH:/home/aj/opensc/lib/opensc/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/home/aj/opensc/lib/pkcs11/opensc-pkcs11.so
-(dynamic) Dynamic engine loading support
-[Success]: SO_PATH:/home/aj/opensc/lib/opensc/engine_pkcs11.so
-[Success]: ID:pkcs11
-[Success]: LIST_ADD:1
-[Success]: LOAD
-[Success]: MODULE_PATH:/home/aj/opensc/pkcs11/opensc-pkcs11.so
-Loaded: (pkcs11) pkcs11 engine
-OpenSSL>
-
-
- Y luego proceda normalmente
-
-
-
-
-Un comando típico OpenSSL puede ser la recuperación de un certificado:
- req -engine pkcs11 -new -key key -keyform engine -out req.pem -text .
-
-Consulte la documentación de OpenSSL para más detalles
-
-
-
- key tiene el formato ][-][id_]]]>, donde
-
-
-
- El parámetro (opcional) slotNr indica el slot PKCS#11 a usar (empezando por cero, que es el valor por defecto
-
-
-
- keyID es el identificador de clave en notación hexadecimal
-
-
- Ejemplos:
-
-
- id_45 => clave privada con ID = 0x45 en el primer slot disponible
-
-
- slot_2-id_46 => clave privada con ID = 0x46 en el tercer slot
-
-
-
-
-
-
- En sistemas Windows, solo está portado el módulo pkcs11. Al cargar dicho engine, utilize el nombre "engine_pkcs11" en lugar de "engine_pkcs11.so"
-
-
-
-
-
- OpenSC y OpenSSH
-
-
-
-La versión 3.6.1p2 de OpenSSH necesita un parche para compilar con soporte
-OpenSC. Encontrará dicho parche en el directorio src/openssh
-
-
-
-
-Para compilar OpenSSH, ejecute el comando "configure" de la siguiente manera:
- ./configure --with-opensc=/path/to/opensc
-
-
-
-
-Necesitará tener certificados en su tarjeta: un par de claves no es suficiente.
-Descargue el certificado en formato OpenSSH con el comando:
- ssh-keygen -D reader :certificate ID > file
-
-
-
-
- Reemplace reader
- con el número del lector que desea ( por defecto 0).
- El comando opensc-tool -l
- le proporcionará la lista de lectores disponibles.
-
- Añada el identificador del certificado en caso necesario
- ( por defecto ID=45 ).
- El comando pkcs11-tool -O le indica
- la lista de certificados y sus identificadores
-
-
-
-
- Una vez realizada la extracción del certificado, copielo al servidor e incluyalo en el fichero ~/.ssh/authorized_keys tal y como se hace habitualmente
-
-
-
- Para usar una tarjeta con OpenSSH, ejecute:
- ssh -I reader :certificate ID
-
-
-
-
- Del mismo modo se puede usar la utilidad ssh-agent
- con OpenSC. para ello use el comando:
- ssh-add -s reader
-
-
-
-
- Pluggable Authentication Module
-
-
-
- El sistema PAM (Pluggable authentication modules)
-es el mecanismo por el que Linux, y otros sistemas Unix utilizan para los
-procedimientos de autentificación de usuarios.
-OpenSC incluye un módulo que permite añadir la autentificación mediante
-tarjetas inteligentes: "pam_opensc"
-
-
-
- pam_opensc identifica las siguientes opciones:
-
-
- debug
- registra información para depuración
-
-
-
- audit
- registra información sobre trazas
-
-
-
- use_first_pass
- No solicita contraseñas al usuario, sino que utiliza los elementos definidos en la configuración de los módulos PAM
-
-
-
-
-
- try_first_pass
- No solicita contraseña, a menos que la opción PAM_(OLD)AUTHOK esté especificada
-
-
-
- use_authtok
- Exige la opción PAM_AUTHOK, fallando en caso contrario
-
-
-
- set_pass
- Ajusta las opciones PAM_ con las contraseñas usadas en éste módulo
-
-
-
- nodelay
- Elimina el retardo de un segundo en caso de autenticación fallida
-
-
-
- auth_method=X
- Selecciona entre pkcs15-ldap o pkcs15-eid (opción por defecto) como modo de funcionamiento del módulo
-
-
-
-
-
- Opciones Genéricas:
-
-
- -h
- muestra ayuda
-
-
-
- -r reader
- Nombre del lector (FIXME: not number?)
-
-
-
-
-
- eid based authentication
-
-
-
- Este es el método de autentificación por defecto: Cree un directorio .eid en su directorio raíz y copie su certificado (en formato PEM) en el fichero
- .eid/authorized_certificates .
-
-
-
-
-Nota: pkcs15-tool -c le mostrará los certificados y sus identificadores. El comando pkcs15-tool -r ID -o ~/.eid/authorized_certificates le permitirá recuperar y guardar el certificado en el fichero deseado
-
-
-
-
- Autenticación basada en LDAP
-
-
-
- Si escogemos la opción auth_metod=pkcs15-ldap,
-se activará el soporte LDAP para autenticación a través de OpenSC. Las siguientes opciones están contempladas:
-
-
-
-
- -L ldap.conf
- especifica el fichero de configuración a usar
-
-
-
- -A entry
- Añadir nueva entrada
-
-
-
- -E entry
- Activar entrada actual
-
-
-
- -H hostname
- Nombre del servidor LDAP
-
-
-
- -P port
- Puerto en el que el servidor está escuchando
-
-
-
- -S scope
- Ambito (scope) del servidor
-
-
-
- -b binddn
- binddn de la conexión
-
-
-
- -p passwd
- contraseña del binding LDAP
-
-
-
- -B base
- base del binding LDAP
-
-
-
- -a attributes
- Atributos a recuperar
-
-
-
- -f filter
- filtro de búsqueda
-
-
-
-
-
-FIXME: incluir un ejemplo de estructura de datos LDAP: fichero de configuración, etc
-
-
-
-
-
-
-
- The OpenSC PKCS #11 library
-
-
- Qué es PKCS #11
-
-
- PKCS #11
-
-es el API estandard para el acceso a dispositivos criptográficos, tales como
-tarjetas inteligentes, modulos de seguridad hardware, etc... El API está definido mediante funciones como:
- C_GetSlotList(), C_OpenSession(), C_FindObjects(),
- C_Login(), C_Sign(), C_GenerateKeyPair(), ...
-
-
-
-
- Algo de terminología básica de PKCS #11
-
-
-
-Slot: ubicación en la que se puede insertar una tarjeta inteligente. Normalmente se corresponde con un lector de tarjetas ( ver "slots virtual" )
-
-
-
-Token: elemento que se sitúa en un slot. Habitualmente se refiere a una SmartCard (ver slots virtual)
-
-
-
-Objeto (Object) una clave, certificado, datos, etc.
-Puede ser un objeto referido a un token (eg. un certificado
-residente en la tarjeta) o bien un objeto referido a la sesion
-(eg. un dato a firmar/encriptar )
-
-
-
-Sesión: antes de poder operar con un token, es necesario abrir una sesión y asociarla con él
-
-
-
-Operación: una firma, una desencriptación, etc que puede conllevar
-una o varias llamadas a la biblioteca. Solo se puede realizar una operación por cada sesion, pero pueden ser abiertas múltiples sesiones sobre el mismo token
-
-
-
-
-
-
- Slots Virtuales
-
-
-
-PKCS#11 define que cada token tiene asociado dos PIN's (Personal
-Identification Number): el del usuario (User PIN) y el del administrador
-(Security Officer PIN). A pesar de ello muchas tarjetas soportan más de un PIN
-de usuario (eg PIN1 y PIN2 en tarjetas de telefonos móviles). La manera de
-resolver este problema es la de proveer de múltiples "slots virtuales"
-( definidos en el apéndice D del
-
-estándard PKCS #11 .
-Por ello cada lector simula uno o varios slots. Si se inserta una tarjeta,
-aparecerán tantos slots como PIN's disponibles. En cada slot aparecerá un
-token que contiene los objetos asociados a cada PIN. Es el equivalente
-a disponer de "varias tarjetas en una", cada una con su PIN
-
-
-
-
-OpenSC puede trabajar simultáneamente con varias tarjetas, y no sabe
-a priori cuantos slots se crean por cada tarjeta. Por ello se crean por
-defecto 4 slots virtuales. Se puede cambiar dicho número en el parámetro
-"num_slots" del fichero /etc/opensc.conf
-
-
-
-
-Para numerar los slots, OpenSC adopta el siguiente convenio: por cada PIN,
-sus claves, y certificados, se le asigna un slot virtual.
-Si hay más objetos son asignados al siguiente slot libre.
-Si quedan slots libres se crean en ellos slots adicionales marcados como
-vacíos donde pueden ser insertados tanto un nuevo PIN como sus
-objetos asociados.
-Si no se desea añadir nuevos objetos, la directiva "hide_empty_tokens"
-del fichero de configuración esconde los slots libres
-
-
-
-
-Ejemplo. Sea un sistema con dos lectores.
-Sea una tarjeta con dos PINs. Cada PIN proteje una clave privada y
-un certificado. Además existen tres certificados raíz no asociados a dicho
-PIN.
-Si tenemos la configuracion num_slots=4 , hide_empty_tokens=false, e
-insertamos la tarjeta en el segundo lector, obtendremos lo siguiente:
-
-
- token en slot 4: PIN 1, key 1, cert 1
-
-
- token en slot 5: PIN 2, key 2, cert 2
-
-
- token en slot 6: los 3 certificados raíz
-
-
- token en slot 7: vacío
-
-
-
-Si se hubiera especificado "hide_empty_tokens=false", el slot 7 no contendría ningún token
-
-
-
-
-Nota: si en el anterior ejemplo, la cadena de certificados contuviera
-algún certificado común, dicho certificado aparecería duplicado en los slots
-4 y 5 (lo que causaría problemas si se intentara borrar. Este problema
-no está aún resuelto en OpenSC )
-
-
-
-
-Otra cosa a recordar: OpenSC tiene prefijado el número máximo de slots
-virtuales a 8. por ello, si se selecciona "num_slots = 4" solo se podrán
-manejar dos lectores. O, por ejemplo, si se seleciona "num_slots = 3",
-los dos primeros lectores verán 3 slots, mientras que el tercero verá
-solo 2
-
-
-
-
-
- Seguridad
-
-
- Ordenes desde línea de Comandos
-
-
-
-OpenSC permite especificar el PIN y las claves como argumentos en la línea de comandos. Esta operación sólo es recomendable en casos de test o cuando se es el único usuario del sistema. En sistemas multiusuario, los otros usuarios pueden ejecutar comandos como "ps" o "top", y probablemente puedan ver los argumentos asociados al comando en ejecución. Del mismo modo, dichos comandos suelen quedar registrados en los archivos "history"
-
-
-
-
-La solución pasa por usar un script, o en el caso del comando pkcs15-init,
-especificar los PINS y claves en un fichero, e indicar el nombre de éste
-con la opción "--options-file"
-
-
-
-
-
- Acceso a la card
-
-
-
-Pueden aparecer otros problemas en entornos multiusuario donde más de un usuario tenga acceso al lector:
-
-
-
-Si el usuario deja la tarjeta insertada con la sesion abierta, otro usuario podría modificar el pin, bloquearlo, o incluso anular la tarjeta
-
-
-
-Si la sesión realiza caché de PIN's o claves, otro usuario podría usar nuestra tarjeta y suplantar nuestra personalidad
-
-
-
-
-
-
-Una solución puede ser crear un usuario/grupo "scard/scard" bajo el que se ejecuta el servidor pcscd y al que solo se puede acceder desde xdm. No es una solución perfecta, pero funciona en estaciones que solo disponen de un lector
-
-
-
-
-En el caso de que las aplicaciones utilicen la biblioteca PKCS#11, el sistema
-garantiza acceso exclusivo una vez que se proporciona el PIN. Esta es la configuración por defecto. Si se desea que múltiples aplicaciones puedan trabajar a la vez con dicha biblioteca, es necesario especificar la opción "lock_login = false" en el fichero /etc/opensc.conf; pero en este caso la tarjeta quedará accesible por terceros
-
-
-
-
-Las otras aplicaciones OpenSC no garantizan el acceso exclusivo
-
-
-
-
-
- Protegiendo tarjetas con la utilidad pkcs15-init
-
-
-
-Muchas tarjetas incorporan una clave "de fábrica", que se usa para crear el sistema de ficheros inicial en la tarjeta. Una vez creado el sistema de ficheros se protege mediante PIN, con lo que dicha clave ya no es válida
-
-
-
-
-Esto significa que los datos del usuario no son accesibles para nadie que posea la clave de fábrica, en el sentido de que no pueden ser accedidos o usados
-
-
-
-
-No obstante, con dicha clave, otro usuario podría destruír el sistema de ficheros, borrando todo su contenido
-
-
-
-
-En si mismo esto es positivo: en el caso de pérdida de tarjeta, los datos solo
-pueden ser destruídos, no leídos. Pero puede darse otro problema:
-los certificados pueden ser substituídos por otros falsos.
-Por consiguiente: sea muy cuidadoso cuando utilice las tarjetas en entornos
-hostiles, y proteja SIEMPRE los certificados con PIN
-
-
-
-
-
- Protección de los ficheros de configuración, profiles, y caché
-
-
-
-Aunque por sí mismos, los ficheros opensc.conf y xxx.profile no contienen
-información sensible, es muy importante garantizar que no son modificados
-
-
-
-
-Algunos ejemplos de lo que se puede hacer modificando dichos ficheros:
-
-
-
-Ajustar el nivel de depuración a un nivel mayor o igual a 6, con lo que la información sensible (PINs) queda registrada
-
-
-
-Cambiar los permisos de acceso del sistema de ficheros, con lo que la tarjeta
-quedaría "abierta"
-
-
-
-Cambiar los certificados en el directorio caché
-
-
-
-
-
-
-Por defecto, el fichero de configuración y los ficheros profiles deberían
-ser propiedad del administrador, con permisos 644. Del mismo modo,
-el caché de certificados debería residir en el directorio $HOME del
-usuario con permisos 600. No obstante, si el directorio en el que se ejecutan
-tiene ficheros profile, estos toman precedencia sobre los del sistema
-
-
-
-
-
-
- Acceso como administrador (root)
-
-
-
-De lo anterior se deduce que no se puede proteger la tarjeta ante alguien
-que tenga permisos de root, que pueda cambiar los profiles, o que pueda
-modificar los ejecutables o supervisar las comunicaciones con las tarjetas
-
-
-
-
-
-
-
-
- Tareas pendientes de desarrollo
-
-
- General
-
-
-
-* Generación de paquetes Debian
-* Aplicaciones gráficas
-* Soporte de tarjetas EMV, GSM y JavaCards ( algún voluntario? )
-
-
-
-
-* incluir funciones de (de)codificación PEM en LibOpenSC
-* pkcs11: soporte de desencriptación en aquellas tarjetas que lo soportan
-* pkcs11: asegurarse que todas las operaciones de manejo de PIN se gestionan a través del API pkcs11
-* pkcs11: gestion de desbloqueo de PIN's mediante PUK
-* general: soporte de operaciones RSA-PSS
-* pkcs15-init: soporte de SOPIN en CryptoFlex
-* pkcs15-init: al generar claves, comprobar que las claves son correctas
-* pkcs15-init: al manejar PUK crear la entrada AODF asociada
- ( alternativamente, ajustar unblockDisabled para aquellos PIN's sin PUK )
-* pkcs15: corregir sc_pkcs15_change_reference_data: añadir funcion de desbloqueo
-
-
-
-
-
-
- Windows
-
-
-
-Toda la funcionalidad de OpenSC debería ser portada a Windows.
-Del mismo modo se debería implementar una biblioteca para que OpenSC actue
-como CryptoAPI Provider, implementar mecanismos de autenticación (login), y
-controles ActiveX para que Internet Explorer pueda realizar signados
-
-
-
-
-
-
- Resolución de problemas
-
-
-
-Existe una lista de correo para soporte y discusión en el proyecto OpenSC.
-Información adicional sobre el proyecto se puede encontrar en el
- sitio Web .
-
-
-
-Se pueden seguir los siguientes procedimientos para comprobar qué es lo
-que falla:
-
-
-
-Comprobar que se encuentra el lector
- opensc-tool -l
-
-
-
-Comprobar que se reconoce la tarjeta: opensc-tool -a debería mostrar el ATR de ésta
-
-
-
-Comprobar que la tarjeta soporta el estandard pkcs15, obteniendo la lista de objetos almacenados:
- pkcs15-tool -C -c -k --list-public-keys
-
-
-
-
-
-Ajustando el nivel de depuración a valores superiores a 5, y especificando los ficheros de error y log en el fichero de configuración
-
-
-
-
- Recursos y enlaces
-
-
- La página web del proyecto OpenSC
-
-
-
- Información sobre los proyectos Assuan y Ägypten:
-
-
-
-
- Modulo de firmado
-
-
-
- OpenSC Signer es un plugin para Netscape/Mozilla, que puede
-generar firmas digitales a partir de tarjetas inteligentes. Se utiliza para
-el firmado de páginas web ( mimetype .sgn )
-
-
-
- Compilando e instalando el Módulo signer
-
-
-
-Especifique el directorio de instalación para el módulo al ejecutar "configure":
- $ configure --with-plugin-dir=<directory>
-
-
-
- Directorios típicos son
- /usr/lib/mozilla/plugins y
- /usr/lib/netscape/plugins.
-
-
-
- Consulte el fichero INSTALL para instrucciones adicionales
-
-
-
-
- Nota: este módulo necesita abrir ventanas de diálogo para introducir el PIN. Dichas ventanas se generan con la biblioteca libassuan, del proyecto Ägypten. Si no las tiene instaladas, deberá hacerlo antes de proceder a compilar OpenSC
-
-
-
-
-
- Notas sobre DocBook
-
-
-
-Este documento está realizado y mantenido con DocBook XML. A continuación
-se indican algunos enlaces de introducción
-
-
-
-
-Este documento ha sido escrito como XML, no SGML. Para convertirlo,
-utilice una hoja de estilo XSL, no DSSSL. Rechace el uso de utilidades
-que manejen SGML o DSSSL. Ya no son usadas y se consideran obsoletas
-
-
-
- El enlace
- DocBook
- Open Repository project
-en SourceForge, contiene las hojas de estilo necesarias para convertir
-este documentos a otros formatos
-
-
-
- El libro
- DocBook: The
- Definitive Guide (O'Reilly Book)
-
- ilustra DocBook, es muy manejable, y puede ser utilizado
-como herramienta en línea de manera gratuita
-
-
-
- El libro
- DocBook
- XSL: The Complete Guide
-
- Contiene una buena introducción sobre como crear y manejar
-documentos, dónde obtener el software y las utilidades, y como procesar
-los textos. Es un libro muy recomendable
-
-
-
-
-Este documento es demasiado engorroso. Si sabe HTML, por favor ayúdenos a mejorarlo. Algunas partes deberían ser ajustadas mediante hotas de estilo (Reference for the HTML stylesheet parameters ), pero la mayor parte puede ser hecha con CSS. !Ayúdanos!
-
-
-
diff --git a/doc/old/opensc.css b/doc/old/opensc.css
deleted file mode 100644
index f902b082..00000000
--- a/doc/old/opensc.css
+++ /dev/null
@@ -1,23 +0,0 @@
-.screen {
- background-color: #dddddd;
- cellspacing:"1";
- cellpadding:"1";
-}
-
-.prompt {
- background-color: #dddddd;
-}
-
-.command {
- background-color: #dddddd;
-}
-
-.title {
-}
-
-.toc {
-}
-
-.book {
- width: 630pt
-}
diff --git a/doc/old/opensc.xml b/doc/old/opensc.xml
deleted file mode 100644
index 2c665ed2..00000000
--- a/doc/old/opensc.xml
+++ /dev/null
@@ -1,1518 +0,0 @@
-
-
- OpenSC Manual
-
-
- OpenSC Development Team
- opensc-devel@opensc.org
-
-
-
-
- Introduction
-
-
- libopensc is a library for accessing smart card devices. It is also
- the core library of the OpenSC project. libopensc also supports usb
- crypto tokens (they usualy have a smart card inside).
- Basic functionality (e.g.
- SELECT FILE, READ BINARY) should work on any ISO 7816-4 compatible
- smart card. Encryption and decryption using private keys on the
- smart card is possible with PKCS #15 compatible cards, such as
- the FINEID (Finnish Electronic IDentity) card.
-
-
-
-
- Authors and Contributors
-
-
- Here is a list of all Authors and Contributors
- of OpenSC in alphabetical order:
-
-
-
-
- Robert Bihlmeyer robbe@orcus.priv.at
-
-
-
- Stef Hoeben Hoeben.S@Zetes.com
-
-
-
- Andreas Jellinghaus aj@dungeon.inka.de
-
-
-
- Olaf Kirch okir@suse.de
-
-
-
- Nils Larsch larsch@trustcenter.de
-
-
-
- Juan Antonio Martinez jonsito@teleline.es
-
-
-
- Ville Skyttä
-
-
-
- Kevin Stefanik kstef@mtppi.org
-
-
-
- Antti Tapaninen aet@cc.hut.fi
-
-
-
- Timo Teräs timo.teras@iki.fi
-
-
-
- Juha Yrjölä juha.yrjola@iki.fi
-
-
-
- Jörn Zukowski zukowski@trustcenter.de
-
-
-
-
- Thanks
-
-
- The following people provided inspiration,
- moral support and/or valuable information
- during the development of OpenSC:
-
-
-
-
- Antti Partanen
- antti.partanen@vrk.intermin.fi
-
-
-
- David Corcoran corcoran@linuxnet.com
-
-
-
-
- OpenSC did neither invent the wheel nor
- write all code from scratch. We could
- reuse some code from other projects
- mostly to interface with these projects.
- Thanks to the original authors:
-
-
-
-
- Matthias Brüstle
-
-
-
- Markus Friedl
-
-
-
- Geoff Thrope geoff@geoffthorpe.net
-
-
-
-
-
-
- Copyright and License
-
-
-OpenSC smart card library
-Copyright (C) OpenSC developers
-
-This library is free software; you can redistribute it and/or
-modify it under the terms of the GNU Lesser General Public
-License as published by the Free Software Foundation; either
-version 2.1 of the License, or (at your option) any later version.
-
-This library is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-Lesser General Public License for more details.
-
-You should have received a copy of the GNU Lesser General Public
-License along with this library; if not, write to the Free Software
-Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-
-
-
-
- Overview
-
-
- OpenSC is a large toolkit. The main building
- block is the opensc library. It has three layers
- of code, each with several drivers in it.
- Other libraries are the PKCS #11 module,
- a PAM module, two engines for OpenSSL.
- In addition there are several tools to test and
- use these tools and libraries.
-
-
-
- Purpose of this chapter is to give an overview
- of the inner workings of the opensc library,
- to give a short presentation what the other
- libraries do, and finally what the opensc toolchest
- has to offer. Each tool has it's own man page,
- each library it's own section in this document.
-
-
-
- Layers in libopensc
-
-
- libopensc is the basic library used by
- everything else. It offer basic
- functionality like talking to smart
- cards, but also advances functions
- like generating RSA keys on a smart card.
-
-
-
- libopensc has several layers of functionality,
- each implemented by one or several drivers.
- The layers are:
-
-
-
-
-
- reader
-
- OpenSC needs some way to talk to
- smart card readers and cards in
- the smart card readers. Different
- software can be used for that purpose,
- each software has it's own reader
- module so OpenSC can use that software.
-
-
-
-
- card
-
- In a perfect world all smart cards
- would implement ISO 7816 standard,
- and thus accept the same commands
- and give the same answers. Unfortunately
- most cards have their own commands,
- syntax and responses. The card modules
- in libopensc implement these different
- commands.
-
-
-
-
- pkcs15init
-
- Smart cards usually have a file system.
- To store or create keys or certificates
- on a smart card one needs to format
- the card, create directories and objects
- and set permissions in a secure way.
- Not only are the commands to do this
- different from card to card, also the
- security model is often very different.
- These pkcs15init modules implement
- these differences.
-
-
-
-
- PKCS #15 framework
-
-
- PKCS #15 is the standard on how to
- store certificates and keys on a
- smart card or crypto token. But many
- vendors have their own proprietary
- mechanism for storing these
- informations, for example in different
- directories. OpenSC implements
- the PKCS #15 standard, but there is
- also an emulation module for a
- slightly incompatible storage mechanism
- in the works.
-
-
- It should be possible to implement a
- completely different framework
- for compatibility with a non
- PKCS #15 way of storing and accessing
- keys and certificates.
-
-
-
-
-
-
- The reader layer
-
-
- PC/SC Lite is well known as smart card
- middleware. It interacts with drivers for
- the smart card readers on the bottom,
- and with smart card applications on the top.
- OpenSC can use PC/SC Lite via the pcsc
- reader module, but also supports a number
- of alternatives.
-
-
-
- PC/SC is a standard with interfaces between
- applications, a resource manager and drivers
- for smart card readers. This standard is
- very popular on the Windows operating System.
- The documents are available from
-
-
-
- PC/SC Lite is an implementation of the
- PC/SC standard for Linux, Unix, Mac OS X
- and Windows by David Corcoran
- corcoran@linuxnet.com . The
- software is available with full source code and
- available for free. To download the software,
- please visit the website of the Movement
- for the use of smart cards in a Linux
- environment (M.U.S.C.L.E.) at
-
-
- To install OpenSC with support for PC/SC Lite,
- please install PC/SC Lite first. Then configure
- OpenSC to use PC/SC Lite and specify the
- location where PC/SC Lite is installed like
- this:
-
-$ cd opensc-<version>
-$ ./configure --with-pcsclite=/path/to/pcsclite
-
-
-
-
- OpenCT is a new framework for accessing
- smart cards, card readers and card terminals.
- It was written from scratch, already includes
- all drivers, and is very lightweight. OpenCT
- is available for Linux, but if you want to
- use it on other Unix or BSD operating systems,
- please ask for help on the opensc-devel mailing
- list.
-
-
-
- OpenCT is open source software. As such
- it is available with full source code for
- free. OpenCT is a software companion
- to OpenSC and the preferred way of accessing
- smart cards under Linux. OpenCT is available
- from the OpenSC website opensc-devel@opensc.org mailing
- list.
-
-
-
- To compile OpenSC with support for OpenCT,
- please install OpenCT first. Documentation
- on OpenCT is part of the source code, and
- also available online at
-$ cd opensc-<version>
-$ ./configure --with-openct=/path/to/openct
-
-
-
-
- CT-API is a standard format for
- drivers for smart card readers. It was
- invented in the eighties for DOS applications
- and is maybe not very fit for todays
- multiuser multitasking applications.
- However CT-API is still quite popular,
- and many smart card readers have drivers
- in CT-API format even for Linux. It is
- recommended to use these drivers if
- the PC/SC Lite middleware described above.
-
-
-
- But OpenSC can also use CT-API drivers
- directly. This is meant for debugging mostly
- and not recommended in a multi user or
- multi application environment.
-
-
-
- OpenSC includes always support for drivers
- in CT-API format, you don't need to do
- anything special for compiling.
- See the opensc.conf
- configuration file on how to configure
- an CT-API driver with OpenSC.
-
-
-
-
-
-
-
-
- Building and Installing libopensc
-
-
- See the INSTALL file for instructions. If you are
- using the CVS version, you have to run the 'bootstrap'
- script before running configure. Please note, that for
- bootstrap to work, you have to have the correct
- versions of Autoconf, Automake and Libtool installed.
-
-
-
- Windows
-
-
- Type "nmake -f makefile.mak" in the opensc\
- dir to compile.
-
-
-
- You need also perl and flex installed for the
- compile process to complete successfully.
-
-
-
- No installation script has been provided, so
- you have to do this manually:
-
-
-
-
- Copy opensc.conf to your Windows
- directory (usually C:\WINDOWS or
- C:\WINNT). This is optional.
-
-
-
- Copy opensc.dll and opensc-pkcs11.dll
- to your path.
-
-
-
- If you want to use pkcs15-init.exe,
- make sure the *.profile files in the
- pkcs15-init\ dir are in the same
- directory as pkcs15-init.exe, or in
- your Windows directory.
-
-
-
-
-
- Windows with OpenSSL
-
-
- This adds extended functionality. E.g. the
- pkcs15-init tool, PKCS #11 hash mechanisms and
- more PKCS #11 signature mechanisms.
-
-
-
-
- Download and compile the OpenSSL
- sources from
-
-
- Add the inc32\ dir to your include
- path, the out32dll\ to your lib path
- and your executable path
-
-set include=%include%;.....\inc32
-set lib=%lib%;.....\out32dll
-set path=%path%;....\out32dll
-
-
-
-
- In src/tools/Makefile.mak uncomment
- pkcs15-init.exe in the "TARGETS" line
- (optionally) and add libeay32.lib (and
- gdi32.lib) to the "link" line
-
-
-
- In src/libopensc/Makefile.mak add
- libeay32.lib (and gdi32.lib) to the
- "link" line
-
-
-
- In src/pkcs11/Makefile.mak add
- libeay32.lib (and gdi32.lib) to the
- "link" lines of TARGET and TARGET3.
-
-
-
- In win32/Make.rules.mak add
- /DHAVE_OPENSSL to the "COPTS" line
-
-
-
-
- To add the OpenSSL code to the DLLs (so you
- won't need libeay32.dll anymore): statically
- compile OpenSSL and add gdi32.lib next to
- libeay32.lib in the 3 Makefile.mak files above.
-
-
-
-
-
-
-
- Status
-
-
-
- Card Status
-
-
-
-
-
- CryptoFlex
-
-
-
-
- Support signing/decrypting, and initialization
-
-
-
- Gemplus PK 4K, 8K, 16K
-
-
-
- Support signing/decrypting, and initialization.
-
-
-
- NOTE: You will not be able to initialize a
- GemSafe cards - these card already have been
- personalized by Gemplus, and you cannot erase
- them or create new key files on them.
-
- Aladdin eToken PRO
-
-
-
- Support signing/decrypting, and initialization.
-
-
-
- NOTE: CardOS only supports keys for
- decryption or signing, but not both.
- If you create/store keys with "--split-keys"
- OpenSC will work around this limitation.
-
- Eutron CryptoIdendity IT-SEC
-
-
-
- Support signing/decrypting, and initialization.
-
-
-
- NOTE: CardOS only supports keys for
- decryption or signing, but not both.
- If you create/store keys with "--split-keys"
- OpenSC will work around this limitation.
-
- Micardo
-
-
-
- Supported - need to fill in the details
-
- Miocos
-
-
-
- Supported - need to fill in the details
-
- Setcos
-
-
-
- Supported - need to fill in the details
-
- Tcos
-
-
-
- Supported - need to fill in the details
-
-
-
-
-
- Windows
-
-
- At the moment only libopensc.dll, pkcs11-spy.dll
- opensc-pkcs11.dll, and most executables in the
- tools\ and tests\ dir have been ported. They
- are tested on Win98, WinNT, Win2000 and WinXP.
-
-
-
-
- PKCS #11 Module in Netscape and Mozilla
-
-
- Netscape seems to show more information about
- the security module than Mozilla. Otherwise all
- stuff is untested.
-
-
-
- Thread safety on Linux and Mac OS X:
- Netscape/Mozilla uses the CKF_OS_LOCKING_OK
- flag in C_Initialize(). The result is that the
- browser process doesn't end when closing the
- browser, so you have to kill the process
- yourself. (If the browser would do a
- C_Finalize, the sc_pkcs11_free_lock() would be
- called and there wouldn't be a problem.)
-
-
-
- Therefore, we don't use the PTHREAD locking
- mechanisms, even if they are requested. This
- seems to work fine for Mozilla, BUT will cause
- problems for apps that use multiple threads to
- access this lib simultaneously.
-
-
-
- If you do want to use OS threading, compile
- with -DPKCS11_THREAD_LOCKING On Windows, no
- PTHREAD lib is used and there the problem
- doesn't occur. So there the OS locking is
- enabled.
-
-
-
-
-
- Using OpenSC
-
-
- OpenSC and Netscape
-
-
-
- Select menu: Communicator -> Tools -> Security Info
-
-
-
- Select Cryptographic Modules
-
-
-
- Click: Add
-
-
-
- Fill in module name: "OpenSC PKCS #11 Module"
- and module file: /path/to/opensc/lib/pkcs11/opensc-pkcs11.so
-
-
-
-
- For proper operation, you also need to configure the
- module: In the Cryptographic Modules dialog, select
- the OpenSC card, and click on the "Config" button to
- the right. Select the "Enable this token" radio button,
- and select the "Publicly readable Certs" button.
-
-
-
- This will ensure that Netscape uses the card when
- trying to display encrypted messages in Netscape
- messenger. Setting "Publicly readable Certs" will also
- stop a pretty annoying habit of Netscape which is to
- ask for all PINs when browsing sites requiring client
- authentication.
-
-
-
- You should _not_ select the "RSA" button. If this
- option is selected, Netscape will try to use the card
- for all public key operations, and will fail horribly.
-
-
-
- FIXME: this is for which versions of Netscape?
-
-
-
-
- OpenSC and Mozilla
-
-
-
- Make sure Personal Security Manager (PSM) is
- installed (eg. mozilla-psm package is
- installed).
-
-
-
- Select menu: Edit -> Preferences
-
-
-
- Select category: Privacy & Security ->
- Certificates
-
-
-
- Click: Manage Security Devices
-
-
-
- Click: Load
-
-
-
- Fill in module name: "OpenSC PKCS #11 Module"
- and module file: /path/to/opensc/lib/pkcs11/opensc-pkcs11.so
-
-
-
-
-
- OpenSC and OpenSSL
-
-
- OpenSSL is a robust, full-featured toolkit
- implementing the SSL protocols as well as
- a general purpose cryptography library.
- It features a so called engine interface
- to combine the toolkit with the cryptographic
- abilities of some hardware.
-
-
-
- OpenSC includes an engine for OpenSSL. This
- allows to use the OpenSSL library and command line
- utilities in combination with smart card cryptography.
-
-
-
- Here is an example how it works with the command
- line tool openssl . You need
- to load the opensc engine first, and then can
- enter any command as usual (e.g. create or sign
- a certificate).
-
-
-
- Here is an example of how to load the engine.
-
-aj@simulacron:~$ openssl
-OpenSSL> engine dynamic -pre SO_PATH:/home/aj/opensc/lib/opensc/engine_opensc.so -pre ID:opensc -pre LIST_ADD:1 -pre LOAD
-(dynamic) Dynamic engine loading support
-[Success]: SO_PATH:/home/aj/opensc/lib/opensc/engine_opensc.so
-[Success]: ID:opensc
-[Success]: LIST_ADD:1
-[Success]: LOAD
-Loaded: (opensc) opensc engine
-OpenSSL>
-
-
-
-
- A typical OpenSSL command might be to make a certificate request:
- req -engine opensc -new -key key -keyform engine -out req.pem -text .
- See the OpenSSL documentation for details.
-
-
-
-- key can specify the ID of a key in hex,
-- e.g. "45" would be key 0x45.
--
-
-
- Actually OpenSC has even two engines for OpenSSL:
- engine_opensc.so and
- engine_pkcs11.so .
-
-
-
- The opensc engine does only work with OpenSC.
- It will not work, if several applications
- try to use the smart card at the same time
- or one applications tries to use several
- smart cards at the same time. Or several
- certificates or keys within one card.
- But for the simple case (one app, one cert, one
- smart card) it is working very fine.
-
-
-
- The PKCS #11 engine is very generic and flexible.
- It will always work, even in complex situations
- involving several cards, keys, objects, certificates
- or concurrent applications. Also it is fully based
- on PKCS #11 and that way it can use the OpenSC
- PKCS #11 library (and does so by default), but
- it will work with any other PKCS #11 library,
- too.
-
-
-
- To load the PKCS #11 engine, issue this command:
-
-aj@simulacron:~$ openssl
-OpenSSL> engine dynamic -pre SO_PATH:/home/aj/opensc/lib/opensc/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/home/aj/opensc/lib/pkcs11/opensc-pkcs11.so
-(dynamic) Dynamic engine loading support
-[Success]: SO_PATH:/home/aj/opensc/lib/opensc/engine_pkcs11.so
-[Success]: ID:pkcs11
-[Success]: LIST_ADD:1
-[Success]: LOAD
-[Success]: MODULE_PATH:/home/aj/opensc/pkcs11/opensc-pkcs11.so
-Loaded: (pkcs11) pkcs11 engine
-OpenSSL>
-
- and then proceed as normal.
-
-
-
- A typical OpenSSL command might be to make a certificate request:
- req -engine pkcs11 -new -key key -keyform engine -out req.pem -text .
- See the OpenSSL documentation for details.
-
-
-
- key has the format ][-][id_]]]>, in which
-
-
- the optional slotNr indicates which PKCS #11 slot to take
- (starting from 0, which is also the default)
-
-
- keyID is the key ID in hex notation
-
-
- Examples:
-
-
- id_45 => private key with ID = 0x45 in the first 'suited' slot
-
-
- slot_2-id_46 => private key with ID = 0x46 in the third slot
-
-
-
-
-
- For Windows, only the PKCS #11 engine (not the OpenSC engine) has been ported;
- use "engine_pkcs11" instead of "engine_pkcs11.so".
-
-
-
-
-
- OpenSC and OpenSSH
-
-
- Version 3.6.1p2 of OpenSSH needs a patch to
- compile with OpenSC. You will find this patch
- in src/openssh/.
-
-
-
- When compiling OpenSSH you need to run configure like
- this:
- ./configure --with-opensc=/path/to/opensc
-
-
-
- You need to have a certificate on your smart card.
- A key is not enough. Download the public key
- of your certificate in Openssh format with
- this command:
- ssh-keygen -D reader :certificate ID > file
-
-
-
- Replace reader with the
- number of the reader you want to use, default it 0.
- opensc-tool -l will give you a list
- of available readers. Add the certificate ID
- if you need to select one. Default is 45.
- pkcs11-tool -O will give you a list
- of available certificates and their IDs.
-
-
-
- Then transfer the public key to the desired server
- and add it to ~/.ssh/authorized_keys as usual.
-
-
-
- To use a smart card with Openssh run
- ssh -I reader :certificate ID
-
-
-
- You can also use the OpenSSH ssh-agent tool
- with OpenSC. If you want to do so, use
- ssh-add -s reader
-
-
-
-
- Pluggable Authentication Module
-
-
- Pluggable authentication modules (PAM) is
- the default way under Linux and other Unix
- operating systems to configure authentication.
- OpenSC includes a module to allow smart card
- based authentication: pam_opensc.
-
-
-
- The following options are recognized:
-
-
- debug
- log more debugging info
-
-
-
- audit
- a little more extreme than debug
-
-
-
- use_first_pass
- don't prompt the user for passwords, take them from PAM_ items instead
-
-
-
- try_first_pass
- don't prompt the user for passwords unless PAM_(OLD)AUTHTOK in used
-
-
-
- use_authtok
- require PAM_AUTHTOK set, use it, fail otherwise
-
-
-
- set_pass
- set the PAM_ item with the passwords used by this module
-
-
-
- nodelay
- used to prevent failed authentication resulting in a delay of about 1 second.
-
-
-
- auth_method=X
- choose either pkcs15-ldap or pkcs15-eid authentication. pkcs15-eid is the default.
-
-
-
-
-
- Generic options:
-
-
- -h
- Show help
-
-
-
- -r reader
- Reader name (FIXME: not number?)
-
-
-
-
-
- eid based authentication
-
-
- This is the default authentication
- method. Create a directory
- .eid in your home
- directory and copy your PEM encoded
- certificate to the file
- .eid/authorized_certificates .
-
-
-
- Note: pkcs15-tool -c
- will show you all certificates and
- their ID, pkcs15-tool -r ID -o
- ~/.eid/authorized_certificates
- will save the certificate
- ID to that
- file.
-
-
-
-
- LDAP based authentication
-
-
- Setting auth_method to pkcs15-ldap will
- enable LDAP based authentication.
- These options are supported:
-
-
-
-
- -L ldap.conf
- Configuration file to load
-
-
-
- -A entry
- Add new entry
-
-
-
- -E entry
- Set current entry
-
-
-
- -H hostname
- hostname of LDAP server
-
-
-
- -P port
- port or LDAP server
-
-
-
- -S scope
- scope of LDAP server
-
-
-
- -b binddn
- binddn for LDAP connection
-
-
-
- -p passwd
- password for LDAP bind
-
-
-
- -B base
- base for LDAP bind
-
-
-
- -a attributes
- attributes to fetch
-
-
-
- -f filter
- filter in LDAP search
-
-
-
-
- FIXME: provide an example
- of LDAP data structure, config
- file etc.
-
-
-
-
-
-
- The OpenSC PKCS #11 library
-
-
- What is PKCS #11
-
-
- PKCS #11 is a standard API for accessing cryptographic tokens
- such as smart cards, Hardware Security Modules, ...
- It contains functions like C_GetSlotList(), C_OpenSession(),
- C_FindObjects(), C_Login(), C_Sign(), C_GenerateKeyPair(), ...
-
-
-
- Some core concepts of PKCS #11 are:
-
-
- slot: the place in which a smart card can be put. Usually this
- corresponds with a card reader (but: see below, Virtual slots).
-
-
- token: the thing that is put in a slot. Usually this corresponds
- with a smart card (but: see below, virtual slots).
-
-
- object: a key, a certificate, some data, ... Is either a token
- object (if it resides on the card) or a session object (if it
- doesn't reside on the card, e.g. a certificate given to the
- PKCS #11 library to do a verification).
-
-
- session: before you can do anything with a token, you have to
- open a session on it.
-
-
- operation: a signature, decryption, digest, ... operation, that
- can consist of multiple function calls. Example: C_SignInit(),
- C_SignUpdate(), C_SignFinal(); here the first function starts
- the operation, the third one ends it. Only one operation can be
- done in the same session, but multiple sessions can be opened
- on the same token.
-
-
-
-
-
-
- Virtual slots
-
-
- Per token, only 2 PINs can be given: the SO (Security Officer) PIN
- and the user PIN. However, smart cards can have more than 1 user
- PIN.
- A way to this solve problem is to have multiple 'virtual' slots,
- as explained in appendix D of the PKCS #11 standard . So per physical
- reader, you have a number of virtual slots. If you insert a card
- in the reader, a token will appear in all the virtual slots,
- and each token will contain 1 PIN along with the private keys
- it protects and certificates corresponding to those private keys.
-
-
-
- Because OpenSC supports multiple cards, it is not known in advance
- how many PINs a smart card will have. Therefore, a default number
- of 4 virtual slots is used. You can change this default in the
- pkcs11 section of opensc.conf: num_slots.
-
-
-
- OpenSC implements the following behaviour: for each PIN, its
- private keys and corresponding certs, there is 1 virtual slot
- allocated. If there are any objects left, they are put in the
- next free virtual slot. And if there are some virtual slots left,
- an 'empty' token is 'put' in them; on this empty token a PIN and
- data can then be put. If you find this too confusing, you
- can hide empty tokens with the hide_empty_tokens option in
- the config file.
-
-
-
- Example:
- Take a card with 2 PINs. Each PIN protects a private key and
- each private key has a corresponding cert chain. And then there
- are 3 other roots certs that have nothing to do with the other
- data.
- Now if num_slots = 4, hide_empty_tokens = false; and if you put
- the card your second card reader, you'll get the following:
-
-
- token in slot 4: PIN 1, key 1, cert chain 1
-
-
- token in slot 5: PIN 2, key 2, cert chain 2
-
-
- token in slot 6: the 3 other root certs
-
-
- token in slot 7: no data
-
-
- If hide_empty_tokens would have been true, slot 7 wouldn't show
- a token.
-
-
-
- Note: if in the example the 2 cert chain would have common
- certificates, those certificates would appear in the tokens
- in slots 4 and 5. (Which would cause a problem if those
- certs were deleted, this hasn't been solved yet in OpenSC).
-
-
-
- Another good-to-know: the number of virtual slots has been
- hard-coded (it is 8 at the moment). So if num_slots = 4,
- only the first 2 readers will be visible. Or if you'd put
- num_slots to 3, the first 2 readers will have 3 virtual
- slots and the third reader will have 2.
-
-
-
-
-
- Security
-
-
- Command line arguments
-
-
- The OpenSC tools allow you to specify PINs and keys on the command line.
- This is only suitable for testing or when you are the only user of the machine.
- If there are multiple users, other users usually are able to run things like 'ps'
- or 'top', and probably are able to see the arguments given to some process, too.
- Also, the arguments probably get logged to some shell history file like ~/.bash_history.
-
-
-
- The solution is to use a script or, in the case of the pkcs15-init tool to put PINS
- and keys into a file and used through the --options-file options.
-
-
-
-
-
- Access to the card
-
-
- Some other problems if multiple users have access to the reader(s):
-
-
- If the user forgets a card to the reader while the session isn't locked, a malicious
- other user could run PIN verify commands to the card and probably lock the PIN, or even
- lock the card for good.
-
-
- If a user is logged in to the card but the session isn't locked, a malicious user could
- use the previliged functionality (e.g. doing a signature, writing data to the card).
-
-
-
-
-
- A solution is to add the user to a specific "scard" group after they've logged in through
- xdm. pcsc-lite's pcscd runs as pseudouser/group scard/scard, and limit the access to the
- server socket (pcscd.comm) as 770 scard:scard. This way, other possible users that may
- have logged in through ssh won't have any access to the local card readers. Not a perfect
- solution, but works for single-reader workstations well enough.
-
-
-
- In case your application uses the pkcs11 library, that application will have, exclusive
- access access to the card once you provided a PIN. This is the default setting. If you would
- like multiple apps to use the pkcs11 library, you can set 'lock_login = false;' in the
- opensc.conf file, but this leaves your card open to other user's applications as well.
-
-
-
- Other tools/libs (signer, openssh, pam) don't provide unique access once you are logged in.
-
-
-
-
-
- Protection of cards made with the pkcs15-init tool
-
-
- Most cards have a default transport key that is used to create a pkcs15 directory on the card.
- Within the pkcs15 directory, files and keys are protected by PINs so the transport key has
- no power there.
-
-
-
- This means that your keys and sensitive data are safe against others (who know the default
- transport key), in the sense that they can't be read or used.
-
-
-
- However,anyone knowing the transport key and who has access to your card can delete the
- pkcs15 directory with all its keys, certs, data, ...
-
-
-
- On itself, that may be a good thing if you lost your card, but there's another problem:
- If your card contains trusted certificates, and an adversary steals your card, puts another
- pkcs15 dir with other certs on the card and puts it back without you knowing, you may not
- find out until you put trust in those untrusted certs.
- Bottomline: be very carefull when using the card as a tamper-resistant storage -- make
- them PIN-protected for example. (Note: this if often not the case: the trusted certificates
- are stored usually stored in the application using them.)
-
-
-
-
-
- Storing config, profile and pkcs15 cache files
-
-
- While the opensc.conf and xxx.profile files don't contain any sensitive information, it
- is very important that they are not tampered with.
-
-
-
- Some examples of what an adversary with write access to those files or an absent-minded
- administrator could do:
-
-
- Set the debug level to 6, which means all sensitive info (like PINs) is logged
-
-
- Change the access conditions in the profiles, so that a card that is initialised
- with pkcs15-init will be wide open for anyone to read/write/sign
-
-
- Change trusted certs in the pkcs15 cache
-
-
-
-
-
- By default, the config and profile files can only be written by root/Adminstrator and
- the cache files are in the user home dir, so this is OK. Note however, that if there
- are profile files in the current dir, it will be those files that are used instead of
- the ones that were installed in a system dir!
-
-
-
-
-
- Root access
-
-
- From the above, it follows that you can't protect your card, nor use your card to
- protect something against someone with root access or who can change the config/profile
- files, binaries or sniff/modify the communication with the card.
-
-
-
-
-
-
-
- What needs to be done
-
-
- In general
-
-
-* GUI applications
-* Add support for EMV, GSM and Java cards (anyone?)
-
-
-
-* put generic PEM encoding/decoding functions into libopensc?
-* pkcs11: support decrypt for those cards that have it
-* pkcs11: make sure all PIN ops work through pkcs11
-* pkcs11: unblock pins: check for unblock pins in AODF
-* all: support for RSA-PSS
-* pkcs15-init: support SOPIN on Cryptoflex
-* pkcs15-init: use max. possible usage by default
-* pkcs15-init: during keygen, make sure the pubkey usage is right
-* pkcs15-init: when using an unblock PIN, write an AODF entry for it
- (alternatively: set unblockDisabled flag for those PINs that have no PUK?)
-* pkcs15: fix sc_pkcs15_change_reference_data; add unblock function
-
-
-
-
-
- Windows
-
-
- Other parts of OpenSC be should ported as well.
- Also we should implement native Win32 APIs such
- as CryptoAPI Provider, some login stuff and
- ActiveX plugin for Internet Explorer to do the
- signing.
-
-
-
-
-
-
- Troubleshooting
-
-
- A mailing list has been set up for support and
- discussion about the OpenSC project. Additional info is
- available at the
- OpenSC web site .
-
-
- You could follow these steps to get a first idea about what
- is going wrong:
-
-
- See if any readers can be found:
- opensc-tool -l
-
-
- See if your smart card can be found with
- opensc-tool -a (this
- should show the ATR of the card).
-
-
- See if your card is a pkcs15 card, and which
- pkcs15 objects are on it:
- pkcs15-tool -C -c -k --list-public-keys
-
-
-
-
- You can turn on debugging by setting "debug = 5;" in the
- opensc.conf file and un-commenting the names of the debug
- and error files.
-
-
-
-
- Resources
-
-
- See the OpenSC web site at
-
-
-
- Information about Assuan and project Ägypten:
-
-
-
-
- Signer
-
-
- OpenSC Signer is a Netscape plugin that will generate
- digital signatures using facilities on PKI-capable
- smart cards.
-
-
-
- Building and installing the OpenSC Signer
-
-
- You should specify your plugin directory with:
- $ configure --with-plugin-dir=<directory>
-
-
-
- Common plugin directories are
- /usr/lib/mozilla/plugins and
- /usr/lib/netscape/plugins.
-
-
-
- See the INSTALL file for more instructions.
-
-
-
- NOTE: PIN code dialog is done through libassuan
- from Project Ägypten. If you don't have it
- installed already, download it from the link
- below.
-
-
-
-
-
- A few hints on DocBook documents
-
-
- This document is maintained as DocBook XML
- document. Here are some hints and links for
- newcomers.
-
-
-
- This document is written in XML not SGML.
- To convert it, use a XSL stylesheet, not
- an DSSSL stylesheet. Ignore all tools and
- web pages talking about SGML or DSSSL, those
- talk about legacy technology no longer used
- and no longer up to date.
-
-
-
- DocBook
- Open Repository project at SourceForge has the
- XSL stylesheet used to convert this XML document
- to other formats.
-
-
-
- DocBook: The
- Definitive Guide (O'Reilly Book) documents
- DocBook, is very handy as reference and available
- online for free.
-
-
-
- DocBook
- XSL: The Complete Guide is a book
- with a great introduction on how to create a document,
- how to convert it, where to get the software, tools
- and everything. It you a fast road to editing this
- document, look at this book.
-
-
-
- This document might be ugly. If you know html,
- please help us to improve it. Some stuff can
- be tuned in the XSL stylesheet (see Reference for the HTML stylesheet parameters ), but most stuff can be improved via CSS
- styles. We need help on this !
-
-
-
diff --git a/doc/old/opensc.xsl b/doc/old/opensc.xsl
deleted file mode 100644
index dca69a98..00000000
--- a/doc/old/opensc.xsl
+++ /dev/null
@@ -1,11 +0,0 @@
-
-
-
-
diff --git a/doc/old/pkcs-15v1_1.asn b/doc/old/pkcs-15v1_1.asn
deleted file mode 100644
index 5ef2122d..00000000
--- a/doc/old/pkcs-15v1_1.asn
+++ /dev/null
@@ -1,869 +0,0 @@
-PKCS-15 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
- pkcs-15(15) modules(1) pkcs-15(1)}
-
--- $Revision$ --
-
-DEFINITIONS IMPLICIT TAGS ::=
-
-BEGIN
-
-IMPORTS
-
-informationFramework, authenticationFramework, certificateExtensions
- FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
- usefulDefinitions(0) 3}
-
-Name, Attribute
- FROM InformationFramework informationFramework
-
-Certificate, AttributeCertificate, CertificateSerialNumber,
- SubjectPublicKeyInfo
- FROM AuthenticationFramework authenticationFramework
-
-GeneralNames, KeyUsage
- FROM CertificateExtensions certificateExtensions
-
-RecipientInfos, RecipientInfo, OriginatorInfo, sha-1,
- id-alg-CMS3DESwrap, id-alg-CMSRC2wrap, hMAC-SHA1, des-ede3-cbc
- FROM CryptographicMessageSyntax {iso(1) member-body(2)
- us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0)
- cms(1)}
-
-RSAPublicKey
- FROM PKCS-1 {iso(1) member-body(2) us(840) rsadsi(113549)
- pkcs(1) pkcs-1(1) modules(0) pkcs-1(1)}
-
-AlgorithmIdentifier, SupportingAlgorithms, PBKDF2Algorithms,
- ALGORITHM-IDENTIFIER, id-hmacWithSHA1
- FROM PKCS-5 {iso(1) member-body(2) us(840) rsadsi(113549)
- pkcs(1) pkcs-5(5) modules(16) pkcs-5(1)}
-
-ECPoint, Parameters
- FROM ANSI-X9-62 {iso(1) member-body(2) us(840)
- ansi-x962(10045) module(4) 1}
-
-DiffieHellmanPublicNumber, DomainParameters
- FROM ANSI-X9-42 {iso(1) member-body(2) us(840)
- ansi-x942(10046) module(5) 1}
-
-OOBCertHash
- FROM PKIXCMP {iso(1) identified-organization(3) dod(6)
- internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
- id-mod-cmp(9)};
-
--- Constants
-
-pkcs15-ub-identifier INTEGER ::= 255
-pkcs15-ub-reference INTEGER ::= 255
-pkcs15-ub-index INTEGER ::= 65535
-pkcs15-ub-label INTEGER ::= pkcs15-ub-identifier
-pkcs15-lb-minPinLength INTEGER ::= 4
-pkcs15-ub-minPinLength INTEGER ::= 8
-pkcs15-ub-storedPinLength INTEGER ::= 64
-pkcs15-ub-recordLength INTEGER ::= 16383
-pkcs15-ub-userConsent INTEGER ::= 15
-pkcs15-ub-securityConditions INTEGER ::= 255
-pkcs15-ub-seInfo INTEGER ::= 255
-
--- Object Identifiers
-
-pkcs15 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
- rsadsi(113549) pkcs(1) pkcs-15(15)}
-pkcs15-mo OBJECT IDENTIFIER ::= {pkcs15 1} -- Modules branch
-pkcs15-at OBJECT IDENTIFIER ::= {pkcs15 2} -- Attribute branch
-pkcs15-ct OBJECT IDENTIFIER ::= {pkcs15 3} -- Content type branch
-
--- Content Types
-
-pkcs15-ct-PKCS15Token OBJECT IDENTIFIER ::= {pkcs15-ct 1}
-
--- Basic types
-
-Identifier ::= OCTET STRING (SIZE (0..pkcs15-ub-identifier))
-
-Reference ::= INTEGER (0..pkcs15-ub-reference)
-
-Label ::= UTF8String (SIZE(0..pkcs15-ub-label))
-
-KEY-IDENTIFIER ::= CLASS {
- &id INTEGER UNIQUE,
- &Value
-} WITH SYNTAX {
- SYNTAX &Value IDENTIFIED BY &id
-}
-
-CredentialIdentifier {KEY-IDENTIFIER : IdentifierSet} ::= SEQUENCE {
- idType KEY-IDENTIFIER.&id ({IdentifierSet}),
- idValue KEY-IDENTIFIER.&Value ({IdentifierSet}{@idType})
-}
-
-KeyIdentifiers KEY-IDENTIFIER ::= {
- issuerAndSerialNumber|
- issuerAndSerialNumberHash|
- subjectKeyId|
- subjectKeyHash |
- issuerKeyHash |
- issuerNameHash |
- subjectNameHash,
- ...
-}
-
-issuerAndSerialNumber KEY-IDENTIFIER::=
- {SYNTAX PKCS15-OPAQUE.&Type IDENTIFIED BY 1}
- -- As defined in RFC 2630
-subjectKeyId KEY-IDENTIFIER ::=
- {SYNTAX OCTET STRING IDENTIFIED BY 2}
- -- From x509v3 certificate extension
-issuerAndSerialNumberHash KEY-IDENTIFIER ::=
- {SYNTAX OCTET STRING IDENTIFIED BY 3}
- -- Assumes SHA-1 hash of DER encoding of IssuerAndSerialNumber
-subjectKeyHash KEY-IDENTIFIER ::=
- {SYNTAX OCTET STRING IDENTIFIED BY 4}
-issuerKeyHash KEY-IDENTIFIER ::=
- {SYNTAX OCTET STRING IDENTIFIED BY 5}
-issuerNameHash KEY-IDENTIFIER ::=
- {SYNTAX OCTET STRING IDENTIFIED BY 6}
- -- SHA-1 hash of DER-encoded issuer name
-subjectNameHash KEY-IDENTIFIER ::=
- {SYNTAX OCTET STRING IDENTIFIED BY 7}
- -- SHA-1 hash of DER-encoded subject name
-
-ReferencedValue {Type} ::= CHOICE {
- path Path,
- url URL
-} (CONSTRAINED BY {-- 'path' or 'url' shall point to an object of
- -- type -- Type})
-
-URL ::= CHOICE {
- url PrintableString,
- urlWithDigest [3] SEQUENCE {
- url IA5String,
- digest DigestInfoWithDefault
- }
-}
-
-alg-id-sha1 AlgorithmIdentifier {{DigestAlgorithms}} ::= {
- algorithm sha-1,
- parameters SHA1Parameters : NULL}
-
-SHA1Parameters ::= NULL
-
-DigestInfoWithDefault ::= SEQUENCE {
- digestAlg AlgorithmIdentifier {{DigestAlgorithms}} DEFAULT alg-id-sha1,
- digest OCTET STRING (SIZE(8..128))
-}
-
-Path ::= SEQUENCE {
- path OCTET STRING,
- index INTEGER (0..pkcs15-ub-index) OPTIONAL,
- length [0] INTEGER (0..pkcs15-ub-index) OPTIONAL
- }( WITH COMPONENTS {..., index PRESENT, length PRESENT}|
- WITH COMPONENTS {..., index ABSENT, length ABSENT})
-
-ObjectValue { Type } ::= CHOICE {
- indirect ReferencedValue {Type},
- direct [0] Type,
- indirect-protected [1] ReferencedValue {EnvelopedData {Type}},
- direct-protected [2] EnvelopedData {Type}
- }(CONSTRAINED BY {-- if indirection is being used, then it is
- -- expected that the reference points either to a (possibly
- -- enveloped) object of type -- Type -- or (key case) to a card-
- -- specific key file --})
-
-PathOrObjects {ObjectType} ::= CHOICE {
- path Path,
- objects [0] SEQUENCE OF ObjectType,
- ...,
- indirect-protected [1] ReferencedValue {EnvelopedData {SEQUENCE OF ObjectType}},
- direct-protected [2] EnvelopedData {SEQUENCE OF ObjectType}
- }
-
-CommonObjectAttributes ::= SEQUENCE {
- label Label OPTIONAL,
- flags CommonObjectFlags OPTIONAL,
- authId Identifier OPTIONAL,
- ...,
- userConsent INTEGER (1..pkcs15-ub-userConsent) OPTIONAL,
- accessControlRules SEQUENCE SIZE (1..MAX) OF AccessControlRule OPTIONAL
-} (CONSTRAINED BY {-- authId should be present in the IC card case if
- -- flags.private is set. It must equal an authID in one AuthRecord
- -- in the AODF -- })
-
-CommonObjectFlags ::= BIT STRING {
- private (0),
- modifiable (1)
-}
-
-AccessControlRule ::= SEQUENCE {
- accessMode AccessMode,
- securityCondition SecurityCondition,
- ... -- For future extensions
-}
-
-AccessMode ::= BIT STRING {
- read (0),
- update (1),
- execute (2)
-}
-
-SecurityCondition ::= CHOICE {
- authId Identifier,
- not [0] SecurityCondition,
- and [1] SEQUENCE SIZE (2..pkcs15-ub-securityConditions)
- OF SecurityCondition,
- or [2] SEQUENCE SIZE (2..pkcs15-ub-securityConditions)
- OF SecurityCondition,
- ... -- For future extensions
-}
-
-CommonKeyAttributes ::= SEQUENCE {
- iD Identifier,
- usage KeyUsageFlags,
- native BOOLEAN DEFAULT TRUE,
- accessFlags KeyAccessFlags OPTIONAL,
- keyReference Reference OPTIONAL,
- startDate GeneralizedTime OPTIONAL,
- endDate [0] GeneralizedTime OPTIONAL,
- ... -- For future extensions
-}
-
-KeyUsageFlags ::= BIT STRING {
- encrypt (0),
- decrypt (1),
- sign (2),
- signRecover (3),
- wrap (4),
- unwrap (5),
- verify (6),
- verifyRecover (7),
- derive (8),
- nonRepudiation (9)
-}
-
-KeyAccessFlags ::= BIT STRING {
- sensitive (0),
- extractable (1),
- alwaysSensitive (2),
- neverExtractable (3),
- local (4)
-}
-
-CommonPrivateKeyAttributes ::= SEQUENCE {
- subjectName Name OPTIONAL,
- keyIdentifiers [0] SEQUENCE OF CredentialIdentifier
- {{KeyIdentifiers}} OPTIONAL,
- ... -- For future extensions
-}
-
-CommonPublicKeyAttributes ::= SEQUENCE {
- subjectName Name OPTIONAL,
- ...,
- trustedUsage [0] Usage OPTIONAL
-}
-
-CommonSecretKeyAttributes ::= SEQUENCE {
- keyLen INTEGER OPTIONAL, -- keylength (in bits)
- ... -- For future extensions
-}
-
-KeyInfo {ParameterType, OperationsType} ::= CHOICE {
- reference Reference,
- paramsAndOps SEQUENCE {
- parameters ParameterType,
- supportedOperations OperationsType OPTIONAL
- }
-}
-
-CommonCertificateAttributes ::= SEQUENCE {
- iD Identifier,
- authority BOOLEAN DEFAULT FALSE,
- identifier CredentialIdentifier {{KeyIdentifiers}} OPTIONAL,
- certHash [0] OOBCertHash OPTIONAL,
- ...,
- trustedUsage [1] Usage OPTIONAL,
- identifiers [2] SEQUENCE OF CredentialIdentifier{{KeyIdentifiers}} OPTIONAL,
- implicitTrust [3] BOOLEAN DEFAULT FALSE
-}
-
-Usage ::= SEQUENCE {
- keyUsage KeyUsage OPTIONAL,
- extKeyUsage SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER OPTIONAL
- }(WITH COMPONENTS {..., keyUsage PRESENT} |
- WITH COMPONENTS {..., extKeyUsage PRESENT})
-
-CommonDataObjectAttributes ::= SEQUENCE {
- applicationName Label OPTIONAL,
- applicationOID OBJECT IDENTIFIER OPTIONAL,
- ... -- For future extensions
- } (WITH COMPONENTS {..., applicationName PRESENT}|
- WITH COMPONENTS {..., applicationOID PRESENT})
-
-CommonAuthenticationObjectAttributes ::= SEQUENCE {
- authId Identifier,
- ... -- For future extensions
-}
-
-PKCS15Object {ClassAttributes, SubClassAttributes, TypeAttributes}
- ::= SEQUENCE {
- commonObjectAttributes CommonObjectAttributes,
- classAttributes ClassAttributes,
- subClassAttributes [0] SubClassAttributes OPTIONAL,
- typeAttributes [1] TypeAttributes
-}
-
-PKCS15Objects ::= CHOICE {
- privateKeys [0] PrivateKeys,
- publicKeys [1] PublicKeys,
- trustedPublicKeys [2] PublicKeys,
- secretKeys [3] SecretKeys,
- certificates [4] Certificates,
- trustedCertificates [5] Certificates,
- usefulCertificates [6] Certificates,
- dataObjects [7] DataObjects,
- authObjects [8] AuthObjects,
- ... -- For future extensions
-}
-
-PrivateKeys ::= PathOrObjects {PrivateKeyType}
-
-SecretKeys ::= PathOrObjects {SecretKeyType}
-
-PublicKeys ::= PathOrObjects {PublicKeyType}
-
-Certificates ::= PathOrObjects {CertificateType}
-
-DataObjects ::= PathOrObjects {DataType}
-
-AuthObjects ::= PathOrObjects {AuthenticationType}
-
-PrivateKeyType ::= CHOICE {
- privateRSAKey PrivateKeyObject {PrivateRSAKeyAttributes},
- privateECKey [0] PrivateKeyObject {PrivateECKeyAttributes},
- privateDHKey [1] PrivateKeyObject {PrivateDHKeyAttributes},
- privateDSAKey [2] PrivateKeyObject {PrivateDSAKeyAttributes},
- privateKEAKey [3] PrivateKeyObject {PrivateKEAKeyAttributes},
- ... -- For future extensions
-}
-
-PrivateKeyObject {KeyAttributes} ::= PKCS15Object {
- CommonKeyAttributes, CommonPrivateKeyAttributes, KeyAttributes}
-
-PrivateRSAKeyAttributes ::= SEQUENCE {
- value ObjectValue {RSAPrivateKeyObject},
- modulusLength INTEGER, -- modulus length in bits, e.g. 1024
- keyInfo KeyInfo {NULL, PublicKeyOperations} OPTIONAL,
- ... -- For future extensions
-}
-
-RSAPrivateKeyObject ::= SEQUENCE {
- modulus [0] INTEGER OPTIONAL, -- n
- publicExponent [1] INTEGER OPTIONAL, -- e
- privateExponent [2] INTEGER OPTIONAL, -- d
- prime1 [3] INTEGER OPTIONAL, -- p
- prime2 [4] INTEGER OPTIONAL, -- q
- exponent1 [5] INTEGER OPTIONAL, -- d mod (p-1)
- exponent2 [6] INTEGER OPTIONAL, -- d mod (q-1)
- coefficient [7] INTEGER OPTIONAL -- inv(q) mod p
-} (CONSTRAINED BY {-- must be possible to reconstruct modulus and
- -- privateExponent from selected fields --})
-
-PrivateECKeyAttributes ::= SEQUENCE {
- value ObjectValue {ECPrivateKey},
- keyInfo KeyInfo {Parameters, PublicKeyOperations} OPTIONAL,
- ... -- For future extensions
-}
-
-ECPrivateKey ::= INTEGER
-
-PrivateDHKeyAttributes ::= SEQUENCE {
- value ObjectValue {DHPrivateKey},
- keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
- ... -- For future extensions
-}
-
-DHPrivateKey ::= INTEGER -- Diffie-Hellman exponent
-
-PrivateDSAKeyAttributes ::= SEQUENCE {
- value ObjectValue {DSAPrivateKey},
- keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
- ... -- For future extensions
-}
-
-DSAPrivateKey ::= INTEGER
-
-PrivateKEAKeyAttributes ::= SEQUENCE {
- value ObjectValue {KEAPrivateKey},
- keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
- ... -- For future extensions
-}
-
-KEAPrivateKey ::= INTEGER
-
-PublicKeyType ::= CHOICE {
- publicRSAKey PublicKeyObject {PublicRSAKeyAttributes},
- publicECKey [0] PublicKeyObject {PublicECKeyAttributes},
- publicDHKey [1] PublicKeyObject {PublicDHKeyAttributes},
- publicDSAKey [2] PublicKeyObject {PublicDSAKeyAttributes},
- publicKEAKey [3] PublicKeyObject {PublicKEAKeyAttributes},
- ... -- For future extensions
-}
-
-PublicKeyObject {KeyAttributes} ::= PKCS15Object {
- CommonKeyAttributes, CommonPublicKeyAttributes, KeyAttributes}
-
-PublicRSAKeyAttributes ::= SEQUENCE {
- value ObjectValue {RSAPublicKeyChoice},
- modulusLength INTEGER, -- modulus length in bits, e.g. 1024
- keyInfo KeyInfo {NULL, PublicKeyOperations} OPTIONAL,
- ... -- For future extensions
-}
-
-RSAPublicKeyChoice ::= CHOICE {
- raw RSAPublicKey,
- spki [1] SubjectPublicKeyInfo, -- See X.509. Must contain a
- -- public RSA key
- ...
-}
-
-PublicECKeyAttributes ::= SEQUENCE {
- value ObjectValue {ECPublicKeyChoice},
- keyInfo KeyInfo {Parameters, PublicKeyOperations} OPTIONAL,
- ... -- For future extensions
-}
-
-ECPublicKeyChoice ::= CHOICE {
- raw ECPoint,
- spki SubjectPublicKeyInfo, -- See X.509. Must contain a public EC key
- ...
-}
-
-PublicDHKeyAttributes ::= SEQUENCE {
- value ObjectValue {DHPublicKeyChoice},
- keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
- ... -- For future extensions
-}
-
-DHPublicKeyChoice ::= CHOICE {
- raw DiffieHellmanPublicNumber,
- spki SubjectPublicKeyInfo, -- See X.509. Must contain a public D-H key
- ...
-}
-
-PublicDSAKeyAttributes ::= SEQUENCE {
- value ObjectValue {DSAPublicKeyChoice},
- keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
- ... -- For future extensions
-}
-
-DSAPublicKeyChoice ::= CHOICE {
- raw INTEGER,
- spki SubjectPublicKeyInfo, -- See X.509. Must contain a public DSA key.
- ...
-}
-
-PublicKEAKeyAttributes ::= SEQUENCE {
- value ObjectValue {KEAPublicKeyChoice},
- keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
- ... -- For future extensions
-}
-
-KEAPublicKeyChoice ::= CHOICE {
- raw INTEGER,
- spki SubjectPublicKeyInfo, -- See X.509. Must contain a public KEA key
- ...
-}
-
-SecretKeyType ::= CHOICE {
- genericSecretKey SecretKeyObject {GenericSecretKeyAttributes},
- rc2key [0] SecretKeyObject {GenericSecretKeyAttributes},
- rc4key [1] SecretKeyObject {GenericSecretKeyAttributes},
- desKey [2] SecretKeyObject {GenericSecretKeyAttributes},
- des2Key [3] SecretKeyObject {GenericSecretKeyAttributes},
- des3Key [4] SecretKeyObject {GenericSecretKeyAttributes},
- castKey [5] SecretKeyObject {GenericSecretKeyAttributes},
- cast3Key [6] SecretKeyObject {GenericSecretKeyAttributes},
- cast128Key [7] SecretKeyObject {GenericSecretKeyAttributes},
- rc5Key [8] SecretKeyObject {GenericSecretKeyAttributes},
- ideaKey [9] SecretKeyObject {GenericSecretKeyAttributes},
- skipjackKey [10] SecretKeyObject {GenericSecretKeyAttributes},
- batonKey [11] SecretKeyObject {GenericSecretKeyAttributes},
- juniperKey [12] SecretKeyObject {GenericSecretKeyAttributes},
- rc6Key [13] SecretKeyObject {GenericSecretKeyAttributes},
- otherKey [14] OtherKey,
-... -- For future extensions
-}
-
-SecretKeyObject {KeyAttributes} ::= PKCS15Object {
- CommonKeyAttributes, CommonSecretKeyAttributes, KeyAttributes}
-
-OtherKey ::= SEQUENCE {
- keyType OBJECT IDENTIFIER,
- keyAttr SecretKeyObject {GenericSecretKeyAttributes}
-}
-
-GenericSecretKeyAttributes ::= SEQUENCE {
- value ObjectValue { OCTET STRING },
- ... -- For future extensions
-}
-
-CertificateType ::= CHOICE {
- x509Certificate CertificateObject { X509CertificateAttributes},
- x509AttributeCertificate [0] CertificateObject
- {X509AttributeCertificateAttributes},
- spkiCertificate [1] CertificateObject {SPKICertificateAttributes},
- pgpCertificate [2] CertificateObject {PGPCertificateAttributes},
- wtlsCertificate [3] CertificateObject {WTLSCertificateAttributes},
- x9-68Certificate [4] CertificateObject {X9-68CertificateAttributes},
- ...,
- cvCertificate [5] CertificateObject {CVCertificateAttributes}
-}
-
-CertificateObject {CertAttributes} ::= PKCS15Object {
- CommonCertificateAttributes, NULL, CertAttributes}
-
-X509CertificateAttributes ::= SEQUENCE {
- value ObjectValue { Certificate },
- subject Name OPTIONAL,
- issuer [0] Name OPTIONAL,
- serialNumber CertificateSerialNumber OPTIONAL,
- ... -- For future extensions
-}
-
-X509AttributeCertificateAttributes ::= SEQUENCE {
- value ObjectValue { AttributeCertificate },
- issuer GeneralNames OPTIONAL,
- serialNumber CertificateSerialNumber OPTIONAL,
- attrTypes [0] SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
- ... -- For future extensions
-}
-
-SPKICertificateAttributes ::= SEQUENCE {
- value ObjectValue { PKCS15-OPAQUE.&Type },
- ... -- For future extensions
-}
-
-PGPCertificateAttributes ::= SEQUENCE {
- value ObjectValue { PKCS15-OPAQUE.&Type },
- ... -- For future extensions
-}
-
-WTLSCertificateAttributes ::= SEQUENCE {
- value ObjectValue { PKCS15-OPAQUE.&Type },
- ... -- For future extensions
-}
-
-X9-68CertificateAttributes ::= SEQUENCE {
- value ObjectValue { PKCS15-OPAQUE.&Type },
- ... -- For future extensions
-}
-CVCertificateAttributes ::= SEQUENCE {
- value ObjectValue { PKCS15-OPAQUE.&Type},
- ... -- For future extensions
-}
-
-DataType ::= CHOICE {
- opaqueDO DataObject {Opaque},
- externalIDO [0] DataObject {ExternalIDO},
- oidDO [1] DataObject {OidDO},
- ... -- For future extensions
-}
-
-DataObject {DataObjectAttributes} ::= PKCS15Object {
- CommonDataObjectAttributes, NULL, DataObjectAttributes}
-
-Opaque ::= ObjectValue {PKCS15-OPAQUE.&Type}
-
-ExternalIDO ::= ObjectValue {PKCS15-OPAQUE.&Type}
- (CONSTRAINED BY {-- All data objects must be defined in
- -- accordance with ISO/IEC 7816-6 --})
-
-OidDO ::= SEQUENCE {
- id OBJECT IDENTIFIER,
- value ObjectValue {PKCS15-OPAQUE.&Type}
-}
-
-AuthenticationType ::= CHOICE {
- pin AuthenticationObject { PinAttributes },
- ...,
- biometricTemplate [0] AuthenticationObject {BiometricAttributes},
- authKey [1] AuthenticationObject {AuthKeyAttributes},
- external [2] AuthenticationObject {ExternalAuthObjectAttributes}
-}
-
-AuthenticationObject {AuthObjectAttributes} ::= PKCS15Object {
- CommonAuthenticationObjectAttributes, NULL, AuthObjectAttributes}
-
-PinAttributes ::= SEQUENCE {
- pinFlags PinFlags,
- pinType PinType,
- minLength INTEGER (pkcs15-lb-minPinLength..pkcs15-ub-minPinLength),
- storedLength INTEGER (0..pkcs15-ub-storedPinLength),
- maxLength INTEGER OPTIONAL,
- pinReference [0] Reference DEFAULT 0,
- padChar OCTET STRING (SIZE(1)) OPTIONAL,
- lastPinChange GeneralizedTime OPTIONAL,
- path Path OPTIONAL,
- ... -- For future extensions
-}
-
-PinFlags ::= BIT STRING {
- case-sensitive (0),
- local (1),
- change-disabled (2),
- unblock-disabled (3),
- initialized (4),
- needs-padding (5),
- unblockingPin (6),
- soPin (7),
- disable-allowed (8),
- integrity-protected (9),
- confidentiality-protected (10),
- exchangeRefData (11)
-} (CONSTRAINED BY { -- 'unblockingPin' and 'soPIN' cannot both be set -- })
-
-PinType ::= ENUMERATED {bcd, ascii-numeric, utf8, ...,
- half-nibble-bcd, iso9564-1}
-
-BiometricAttributes ::= SEQUENCE {
- bioFlags BiometricFlags,
- templateId OBJECT IDENTIFIER,
- bioType BiometricType,
- bioReference Reference DEFAULT 0,
- lastChange GeneralizedTime OPTIONAL,
- path Path OPTIONAL,
-... -- For future extensions
-}
-
-BiometricFlags ::= BIT STRING {
- local (1),
- change-disabled (2),
- unblock-disabled (3),
- initialized (4),
- disable-allowed (8),
- integrity-protected (9),
- confidentiality-protected (10)
- } -- Note: bits 0, 5, 6, and 7 are reserved for future use
-
-BiometricType ::= CHOICE {
- fingerPrint FingerPrint,
- irisScan [0] IrisScan,
- -- Possible extensions:
- -- voiceScan VoiceScan,
- -- faceScan FaceScan,
- -- retinaScan Retinascan,
- -- handGeometry HandGeometry,
- -- writeDynamics WriteDynamics,
- -- keyStrokeDynamicsKeyStrokeDynamics,
- -- lipDynamics LipDynamics,
- ... -- For future extensions
-}
-
-FingerPrint ::= SEQUENCE {
- hand ENUMERATED {left, right},
- finger ENUMERATED {thumb, pointerFinger, middleFinger,
- ringFinger, littleFinger},
- ...
-}
-
-IrisScan ::= SEQUENCE {
- eye ENUMERATED {left, right},
- ...
-}
-
-ExternalAuthObjectAttributes ::= CHOICE {
- authKeyAttributes AuthKeyAttributes,
- certBasedAttributes [0] CertBasedAuthenticationAttributes,
- ... -- For future extensions
-}
-
-AuthKeyAttributes ::= SEQUENCE {
- derivedKey BOOLEAN DEFAULT TRUE,
- authKeyId Identifier,
- ... -- For future extensions
-}
-
-CertBasedAuthenticationAttributes ::= SEQUENCE {
- cha OCTET STRING,
- ...
-}
-
-TokenInfo ::= SEQUENCE {
- version INTEGER {v1(0)} (v1,...),
- serialNumber OCTET STRING,
- manufacturerID Label OPTIONAL,
- label [0] Label OPTIONAL,
- tokenflags TokenFlags,
- seInfo SEQUENCE OF SecurityEnvironmentInfo OPTIONAL,
- recordInfo [1] RecordInfo OPTIONAL,
- supportedAlgorithms [2] SEQUENCE OF AlgorithmInfo OPTIONAL,
- ...,
- issuerId [3] Label OPTIONAL,
- holderId [4] Label OPTIONAL,
- lastUpdate [5] LastUpdate OPTIONAL,
- preferredLanguage PrintableString OPTIONAL -- In accordance with
- -- IETF RFC 1766
-} (CONSTRAINED BY { -- Each AlgorithmInfo.reference value must be unique --})
-
-TokenFlags ::= BIT STRING {
- readonly (0),
- loginRequired (1),
- prnGeneration (2),
- eidCompliant (3)
-}
-
-SecurityEnvironmentInfo ::= SEQUENCE {
- se INTEGER (0..pkcs15-ub-seInfo),
- owner OBJECT IDENTIFIER,
- ... -- For future extensions
-}
-
-RecordInfo ::= SEQUENCE {
- oDFRecordLength [0] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
- prKDFRecordLength [1] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
- puKDFRecordLength [2] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
- sKDFRecordLength [3] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
- cDFRecordLength [4] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
- dODFRecordLength [5] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
- aODFRecordLength [6] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL
-}
-
-AlgorithmInfo ::= SEQUENCE {
- reference Reference,
- algorithm PKCS15-ALGORITHM.&id({AlgorithmSet}),
- parameters PKCS15-ALGORITHM.&Parameters({AlgorithmSet}{@algorithm}),
- supportedOperations
- PKCS15-ALGORITHM.&Operations({AlgorithmSet}{@algorithm}),
- algId PKCS15-ALGORITHM.&objectIdentifier({AlgorithmSet}{@algorithm})
- OPTIONAL,
- algRef Reference OPTIONAL
-}
-
-PKCS15-ALGORITHM ::= CLASS {
- &id INTEGER UNIQUE,
- &Parameters,
- &Operations Operations,
- &objectIdentifier OBJECT IDENTIFIER OPTIONAL
-} WITH SYNTAX {
- PARAMETERS &Parameters OPERATIONS &Operations ID &id [OID &objectIdentifier]}
-
-PKCS15-OPAQUE ::= TYPE-IDENTIFIER
-
-PublicKeyOperations ::= Operations
-
-Operations ::= BIT STRING {
- compute-checksum (0), -- H/W computation of checksum
- compute-signature (1), -- H/W computation of signature
- verify-checksum (2), -- H/W verification of checksum
- verify-signature (3), -- H/W verification of signature
- encipher (4), -- H/W encryption of data
- decipher (5), -- H/W decryption of data
- hash (6), -- H/W hashing
- generate-key (7) -- H/W key generation
- }
-
-pkcs15-alg-null PKCS15-ALGORITHM ::= {
- PARAMETERS NULL OPERATIONS {{generate-key}} ID -1}
-
-AlgorithmSet PKCS15-ALGORITHM ::= {
- pkcs15-alg-null,
- ... -- See PKCS #11 for values for the &id field (and parameters)
- }
-
-LastUpdate ::= CHOICE {
- generalizedTime GeneralizedTime,
- referencedTime ReferencedValue {GeneralizedTime},
- ... -- For future extensions
- }
-
--- Soft token related types and objects
-
-EnvelopedData {Type} ::= SEQUENCE {
- version INTEGER{v0(0),v1(1),v2(2),v3(3),v4(4)}(v0|v1|v2,...),
- originatorInfo [0] OriginatorInfo OPTIONAL,
- recipientInfos RecipientInfos,
- encryptedContentInfo EncryptedContentInfo{Type},
- unprotectedAttrs [1] SET SIZE (1..MAX) OF Attribute OPTIONAL
-}
-
-EncryptedContentInfo {Type} ::= SEQUENCE {
- contentType OBJECT IDENTIFIER,
- contentEncryptionAlgorithm AlgorithmIdentifier {{KeyDerivationAlgorithms}},
- encryptedContent [0] OCTET STRING OPTIONAL
-}(CONSTRAINED BY {-- 'encryptedContent' shall be the result of
- -- encrypting DER-encoded value of type -- Type})
-
-PKCS15Token ::= SEQUENCE {
- version INTEGER {v1(0)} (v1,...),
- keyManagementInfo [0] KeyManagementInfo OPTIONAL,
- pkcs15Objects SEQUENCE OF PKCS15Objects
-}
-
-KeyManagementInfo ::= SEQUENCE OF SEQUENCE {
- keyId Identifier,
- keyInfo CHOICE {
- recipientInfo RecipientInfo,
- passwordInfo [0] PasswordInfo
- }
-} (CONSTRAINED BY {-- Each keyID must be unique --})
-
-PasswordInfo ::= SEQUENCE {
- hint Label OPTIONAL,
- algId AlgorithmIdentifier {{KeyDerivationAlgorithms}},
- ...
-} (CONSTRAINED BY {--keyID shall point to a KEKRecipientInfo--})
-
-KeyDerivationAlgorithms ALGORITHM-IDENTIFIER ::= {
- PBKDF2Algorithms,
- ... -- For future extensions
-}
-
-CMS3DESwrap ::= NULL
-
-KeyEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
- {CMS3DESwrap IDENTIFIED BY id-alg-CMS3DESwrap} |
- {INTEGER IDENTIFIED BY id-alg-CMSRC2wrap},
- ... -- For future extensions
-}
-
-DES-IV ::= OCTET STRING (SIZE(8))
-
-ContentEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
- SupportingAlgorithms EXCEPT {NULL IDENTIFIED BY id-hmacWithSHA1},
- ... -- For future extensions
-}
-
-MACAlgorithms ALGORITHM-IDENTIFIER ::= {
- {NULL IDENTIFIED BY hMAC-SHA1},
- ... -- For future extensions
-}
-
-DigestAlgorithms ALGORITHM-IDENTIFIER ::= {
- {NULL IDENTIFIED BY sha-1},
- ... -- For future extensions
-}
-
--- Misc
-
-DDO ::= SEQUENCE {
- oid OBJECT IDENTIFIER,
- odfPath Path OPTIONAL,
- tokenInfoPath [0] Path OPTIONAL,
- unusedPath [1] Path OPTIONAL,
- ... -- For future extensions
-}
-
-DIRRecord ::= [APPLICATION 1] SEQUENCE {
- aid [APPLICATION 15] OCTET STRING,
- label [APPLICATION 16] UTF8String OPTIONAL,
- path [APPLICATION 17] OCTET STRING,
- ddo [APPLICATION 19] DDO OPTIONAL
-}
-
-UnusedSpace ::= SEQUENCE {
- path Path (WITH COMPONENTS {..., index PRESENT, length PRESENT}),
- authId Identifier OPTIONAL,
- ...,
- accessControlRules SEQUENCE OF AccessControlRule OPTIONAL
-}
-
-END