remove old documentation (replaced by wiki).
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2812 c6295689-39f2-0310-b995-f0e70906c6a9
This commit is contained in:
parent
de4b5c280f
commit
8fac2eaac2
|
@ -1,6 +1,6 @@
|
||||||
# Process this file with automake to create Makefile.in
|
# Process this file with automake to create Makefile.in
|
||||||
|
|
||||||
SUBDIRS = . old
|
SUBDIRS = .
|
||||||
|
|
||||||
MAINTAINERCLEANFILES = Makefile.in $(HTML) ChangeLog
|
MAINTAINERCLEANFILES = Makefile.in $(HTML) ChangeLog
|
||||||
|
|
||||||
|
@ -14,7 +14,6 @@ XML = $(shell ls $(srcdir)/tools/*.xml $(srcdir)/api/*.xml $(srcdir)/api/*/*.xml
|
||||||
index.html:
|
index.html:
|
||||||
sh $(srcdir)/export-wiki.sh $(srcdir)
|
sh $(srcdir)/export-wiki.sh $(srcdir)
|
||||||
sh $(srcdir)/generate-man.sh $(srcdir)
|
sh $(srcdir)/generate-man.sh $(srcdir)
|
||||||
sh $(srcdir)/old/generate.sh $(srcdir)/old
|
|
||||||
|
|
||||||
ChangeLog:
|
ChangeLog:
|
||||||
sh $(srcdir)/changelog.sh $(srcdir)
|
sh $(srcdir)/changelog.sh $(srcdir)
|
||||||
|
|
|
@ -1,11 +0,0 @@
|
||||||
# Process this file with automake to create Makefile.in
|
|
||||||
|
|
||||||
XSLTPROC = @XSLTPROC@
|
|
||||||
SOURCE = opensc.xml opensc.xsl opensc-es.xml opensc.css opensc.xsl
|
|
||||||
GENERATE = opensc.html opensc-es.html
|
|
||||||
NILS = init_perso_guide.html init_perso_guide.txt
|
|
||||||
|
|
||||||
MAINTAINERCLEANFILES = Makefile.in $(GENERATE)
|
|
||||||
|
|
||||||
EXTRA_DIST = pkcs-15v1_1.asn $(NILS) $(SOURCE) $(GENERATE) doxygen.conf generate.sh
|
|
||||||
|
|
|
@ -1,7 +0,0 @@
|
||||||
INPUT = ../src/libopensc
|
|
||||||
FILE_PATTERNS = *.h
|
|
||||||
PROJECT_NAME = OpenSC
|
|
||||||
PROJECT_NUMBER = 0.10.0
|
|
||||||
HIDE_UNDOC_MEMBERS = YES
|
|
||||||
SORT_MEMBER_DOCS = NO
|
|
||||||
OPTIMIZE_OUTPUT_FOR_C = YES
|
|
|
@ -1,22 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
SRCDIR=.
|
|
||||||
|
|
||||||
if test -n "$1"
|
|
||||||
then
|
|
||||||
SRCDIR="$1"
|
|
||||||
fi
|
|
||||||
|
|
||||||
test -f "$SRCDIR"/`basename $0`
|
|
||||||
|
|
||||||
if ! test -w "$SRCDIR"
|
|
||||||
then
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
xsltproc -o "$SRCDIR"/opensc.html "$SRCDIR"/opensc.xsl "$SRCDIR/"opensc.xml
|
|
||||||
tidy -im -utf8 -xml "$SRCDIR"/opensc.html || true
|
|
||||||
xsltproc -o "$SRCDIR"/opensc-es.html "$SRCDIR"/opensc.xsl "$SRCDIR"/opensc-es.xml
|
|
||||||
tidy -im -utf8 -xml "$SRCDIR"/opensc-es.html || true
|
|
|
@ -1,466 +0,0 @@
|
||||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
||||||
<html><head>
|
|
||||||
<meta content="text/html; charset=ISO-8859-1" http-equiv="content-type"><title>init_perso_guide</title></head>
|
|
||||||
|
|
||||||
<body>
|
|
||||||
<h1>OpenSC card init and perso guide</h1>
|
|
||||||
<h2>1. Introduction</h2>
|
|
||||||
<div style="text-align: center;"><span style="font-style: italic;">Nothing
|
|
||||||
is impossible for the man who doesn't</span><br style="font-style: italic;">
|
|
||||||
|
|
||||||
<span style="font-style: italic;">have
|
|
||||||
to do it himself. -- A.H. Weiler</span><br>
|
|
||||||
</div>
|
|
||||||
<br>
|
|
||||||
This guide is about initialising and personalising (no distinction
|
|
||||||
made) cards with the OpenSC library and tools (mostly pkcs15-init).<br>
|
|
||||||
<br>
|
|
||||||
Some knowlegde about smart cards is assumed. Below is a short overview
|
|
||||||
of some key words and concepts. For more info, see the opensc.html
|
|
||||||
manual.<br>
|
|
||||||
<br>
|
|
||||||
<span style="font-weight: bold;">Filesystem - MF - DF - EF - FID</span><br>
|
|
||||||
A smart cards has a non-volatile memory (EEPROM) in which usually
|
|
||||||
a PC-like file system is implemented. The directories are called
|
|
||||||
Dedicated Files (DF) and the files are called Elementary Files (EF).
|
|
||||||
They are
|
|
||||||
identified by a File ID (FID) on 2 bytes. For example, the root of
|
|
||||||
the file system
|
|
||||||
(called Master File or MF) has FID = 3F 00 (hex).<br>
|
|
||||||
<br>
|
|
||||||
<span style="font-weight: bold;">Commands - APDUs</span><br>
|
|
||||||
It is possible to send commands (APDUs) to the card to select, read,
|
|
||||||
write, create, list, delete, ... EFs and DFs (not all cards allow all
|
|
||||||
commands).<br>
|
|
||||||
<br>
|
|
||||||
<span style="font-weight: bold;">Access control, PIN, PUK</span><br>
|
|
||||||
The file system usually implements some sort of access control on EFs
|
|
||||||
and DFs.<br>
|
|
||||||
This is usually done by PINs or Keys: you have to provide a PIN or show
|
|
||||||
knowledge of a key before you can perform some command on some EF/DF. A
|
|
||||||
PIN is usually accompanied by a PUK (Pin Unblock Key), which can be
|
|
||||||
used to
|
|
||||||
reset (or unblock) that PIN.<br>
|
|
||||||
<br>
|
|
||||||
<span style="font-weight: bold;">Cryptographic keys</span><br>
|
|
||||||
On crypto cards, it is also possible to sign, decrypt, key(pair)
|
|
||||||
generation (what can be done exactly depends on the card). on some
|
|
||||||
cards, key
|
|
||||||
and/or PINs are files in the filesystem, on other cards, they don't
|
|
||||||
exist in the filesystem but are referenced through an ID.<br>
|
|
||||||
<br>
|
|
||||||
<span style="font-weight: bold;">Reader - PC/SC - OpenCT - CT-API</span><br>
|
|
||||||
Smart card readers come with a library that can be used on a PC to send
|
|
||||||
APDUs to the card. Commonly used APIs for those libraries are PC/SC,
|
|
||||||
OpenCT
|
|
||||||
and CT-API.<br>
|
|
||||||
<br>
|
|
||||||
<span style="font-weight: bold;">PKCS15</span><br>
|
|
||||||
There are standards (e.g. ISO7816, parts 4-...) that specify how to
|
|
||||||
select, read, write, EFs and DFs, and how to sign, decrypt, login, ...<br>
|
|
||||||
However, there is also a need to know which files contain what, or
|
|
||||||
where the keys, PINs, .. can be found.<br>
|
|
||||||
For crypto cards, PCKS15 adresses this need by defining some files that
|
|
||||||
contain info on where to find keys, certificates, PINs, and other data.
|
|
||||||
For
|
|
||||||
example, there is a PrKDF (Private Key Directory File) that contains
|
|
||||||
the EFs or
|
|
||||||
ID of the private keys, what those keys can be used for, by which PINs
|
|
||||||
they
|
|
||||||
are protected, ... So a "PCKS15 card" is nothing but any other card on
|
|
||||||
which the right set
|
|
||||||
of files has been added.<br>
|
|
||||||
In short: PKCS15 allows you to describe where to find PINS, keys,
|
|
||||||
certificates and data on a card, plus all the info that is needed to
|
|
||||||
use them.<br>
|
|
||||||
<h3>A little PKCS15 example:</h3>
|
|
||||||
Here's the textual contents of 3 PKCS15 files: the AODF (Authentication
|
|
||||||
Object Directory File), PrKDF (Private Key Directory File) and CDF
|
|
||||||
(Certificate Directory File) that contain info on resp. the PINs,
|
|
||||||
private keys and certificates. Each of them contains 1 entry.<br>
|
|
||||||
<br>
|
|
||||||
AODF:
|
|
||||||
<pre> Com. Flags : private, modifiable<br> Auth ID : 01<br> Flags : [0x32], local, initialized, needs-padding<br> Length : min_len:4, max_len:8, stored_len:8<br> Pad char : 0x00<br> Reference : 1<br> Encoding : ASCII-numeric<br> Path : 3F005015<br></pre>
|
|
||||||
PrKDF:
|
|
||||||
<pre> Com. Flags : private, modifiable<br> Com. Auth ID: 01<br> Usage : [0x32E], decrypt, sign, signRecover, unwrap, derive, nonRep<br> Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local<br> ModLength : 1024<br> Key ref : 0<br> Native : yes<br> Path : 3F00501530450012<br> ID : 45<br></pre>
|
|
||||||
X.509 Certificate [/C=BE/ST=...]
|
|
||||||
<pre> Com. Flags : modifiable<br> Authority : no<br> Path : 3f0050154545<br> ID : 45</pre>
|
|
||||||
Some things to note:<br>
|
|
||||||
<ul>
|
|
||||||
<li>The Auth ID (01) of the private key is the same as the one of the
|
|
||||||
PIN which
|
|
||||||
means
|
|
||||||
that you first have to do a login with this PIN before
|
|
||||||
you can use this key.</li>
|
|
||||||
<li>The key is in an EF with ID = 0012 in the DF with ID = 3045,
|
|
||||||
which
|
|
||||||
on it is turn is a DF with ID 5015, which on it is turn is a DF of
|
|
||||||
the MF (3F00).</li>
|
|
||||||
<li>The private key and certificates share the same ID (45), which
|
|
||||||
means that they
|
|
||||||
belong together.</li>
|
|
||||||
<li>The certificate is in the EF with as path: 3F00\5015\3045
|
|
||||||
and is no CA
|
|
||||||
certificate.</li>
|
|
||||||
</ul>
|
|
||||||
Use the <span style="font-weight: bold;">tests/p15dump</span> tool to
|
|
||||||
see yourself what pkcs15 data is on your card, or <span style="font-weight: bold;">tools/opensc-explorer</span> to browse
|
|
||||||
through the files.<br>
|
|
||||||
<br>
|
|
||||||
Have the PKCS15 files a fixed place so everyone can find them? No,
|
|
||||||
there's only one: the EF(DIR) in the MF and with ID 2F00. That's the
|
|
||||||
starting
|
|
||||||
place.<br>
|
|
||||||
<br>
|
|
||||||
<h2>2. The OpenSC pkcs15-init library and profiles</h2>
|
|
||||||
Reading and writing files, PIN verification, signing and decryption
|
|
||||||
happen in much the same way on all cards. Therefore, the "normal life"
|
|
||||||
commands have been implemented in OpenSC for all supported cards.<br>
|
|
||||||
<br>
|
|
||||||
However, creating and deleting files, PINs and keys is very card
|
|
||||||
specific and has not yet been implemented for all cards.
|
|
||||||
Currently, pkcs15-init is implemented for: Cryptoflex, Cyberflex,
|
|
||||||
CardOS (etoken), GPK, Miocos, Starcos JCOP and Oberthur. (Check
|
|
||||||
src/pkcs15-init/pkcs15-*.c for possible updates). Because of this, and
|
|
||||||
because
|
|
||||||
pkcs15-init is not necessary for "normal life" operations, it has been
|
|
||||||
put in a separate library and in a separate directory.<br>
|
|
||||||
<br>
|
|
||||||
<span style="font-weight: bold;">Profile</span><br>
|
|
||||||
Because the initialisation/personalisation is so card-specific, it
|
|
||||||
would be very hard to make a tool or API that accepts all parameters
|
|
||||||
for all current and future cards.<br>
|
|
||||||
Therefore, a profile file has been made in OpenSC that contains all the
|
|
||||||
card-specific parameters. This card-specific profile is read by
|
|
||||||
card-specific code in the pkcs15-init library each time this library is
|
|
||||||
used on
|
|
||||||
that card.<br>
|
|
||||||
See the *.profile files in src/pkcs15-init/. There is one general file
|
|
||||||
(pkcs15.profile) and one card-specific profile for each card.<br>
|
|
||||||
<br>
|
|
||||||
<span style="font-weight: bold;">Profile options</span><br>
|
|
||||||
There are currently 3 options you can specify to modify a profile:<br>
|
|
||||||
<ul>
|
|
||||||
<li>default: creation/deletion/generation is controlled by the SO PIN
|
|
||||||
(SO = Security Officer, different from the regular user of the card)</li>
|
|
||||||
<li>onepin: creation/deletion/generation is controlled by the user
|
|
||||||
PIN and thus by the user. As a result, only 1 user PIN is possible</li>
|
|
||||||
<li>small: like default, but suitable for card with little memory</li>
|
|
||||||
</ul>
|
|
||||||
<h2>3. pkcs15-init tool</h2>
|
|
||||||
This is a command-line tool that uses the pkcs15-init library. It
|
|
||||||
allows you to do all the init/perso things, e.g. add/delete keys,
|
|
||||||
certificates, PINs and data, generate keys, ... while specifying key
|
|
||||||
usage, which PIN protects which key, ...<br>
|
|
||||||
<br>
|
|
||||||
As said before, not all cards are supported in the pkcs15-init library.
|
|
||||||
In
|
|
||||||
that case, the pkcs15-init tool won't work (top 5 questions on the
|
|
||||||
mailing list:-). To find out which card you have, try "<span style="font-style: italic;">opensc-tool -n</span>"<br>
|
|
||||||
<br>
|
|
||||||
Below is explained how to do the operations that are supported by
|
|
||||||
pkcs15-tool.<br>
|
|
||||||
Not all options are explained (run "<span style="font-style: italic;">pkcs15-tool
|
|
||||||
-h</span>" to see them) because some are card-specific or obsolete (or
|
|
||||||
we don't know about them). Feel free to experiment and explain them
|
|
||||||
here.<br>
|
|
||||||
<br>
|
|
||||||
So the things in this section are fairly general but not guaranteed to
|
|
||||||
work for all cards. See also the section on "card-specific issues".<br>
|
|
||||||
<br>
|
|
||||||
The --reader or -r can be given with any command. By default the first
|
|
||||||
reader is used. Do "<span style="font-style: italic;">opensc-tool -l</span>"
|
|
||||||
to see the list of available readers.<br>
|
|
||||||
<br>
|
|
||||||
To see the results of what you did, you can do one of the following:<br>
|
|
||||||
<span style="font-style: italic;">pkcs15-tool --list-pins
|
|
||||||
--list-public-keys -k -c -C</span><br>
|
|
||||||
<span style="font-style: italic;">p15dump</span> (in the
|
|
||||||
src/tests directory)<br>
|
|
||||||
To see/dump the content of any file, use the <span style="font-style: italic;">opensc-explorer</span> tool.<br>
|
|
||||||
<h3>* Create the PKCS15 files</h3>
|
|
||||||
<span style="font-style: italic;">pkcs15-init
|
|
||||||
-C {-T} {-p <profile>} </span><span style="font-style: italic;">--so-pin
|
|
||||||
<PIN> --so-puk <PUK> | --no-so-pin | --pin <PIN>
|
|
||||||
--puk <PUK><br>
|
|
||||||
<br>
|
|
||||||
</span>This will create the PKCS15 DF (5015) and all the PKCS15 files
|
|
||||||
(some of which will be empty until a key, PIN, ... will be added). It
|
|
||||||
must be done before you can do any of the operations below.<br>
|
|
||||||
<ul>
|
|
||||||
<li>This operation usually requires a 'transport' key. pkcs15-init
|
|
||||||
will ask you for this key and propose the default one for that card.
|
|
||||||
With -T, the default will be used without asking. NOTE: if you get a
|
|
||||||
"Failed to erase card: PIN code or key incorrect", the transport key is
|
|
||||||
wrong. Find this key and then try again, DO NOT try the default key
|
|
||||||
again!</li>
|
|
||||||
<li>If you want an SO PIN and PUK, do so with the --so-pin and
|
|
||||||
--so-puk options, or specify --no-so-pin if you don't want to. If you
|
|
||||||
use
|
|
||||||
the onpin profile, there is no SO PIN so you should specify --pin and
|
|
||||||
--puk instead. (So you get: pkcs15-init -CT -p pkcs15+onepin --pin
|
|
||||||
<PIN> --puk <PUK>)</li>
|
|
||||||
<li>To specify the profile file + option. The profile file can only
|
|
||||||
be "pkcs15" for the moment, so you can have:<br>
|
|
||||||
pkcs15+default : the default (not needed to
|
|
||||||
specify it)<br>
|
|
||||||
pkcs15+onepin: for the onepin profile
|
|
||||||
option<br>
|
|
||||||
pkcs15+small: for the small
|
|
||||||
profile option</li>
|
|
||||||
</ul>
|
|
||||||
<h3>* Erase the card's content</h3>
|
|
||||||
<span style="font-style: italic;">pkcs15-init
|
|
||||||
-E {-T}</span><br>
|
|
||||||
<br>
|
|
||||||
This will delete all keys, PINS, certificates, data that were listed in
|
|
||||||
PKCS15
|
|
||||||
files, along with the PKCS15 files themselves.<br>
|
|
||||||
<ul>
|
|
||||||
<li>This operation usually requires a 'transport' key. pkcs15-init
|
|
||||||
will ask you for this key and propose the default one for that card.
|
|
||||||
With -T, the default will be used without asking. NOTE: if you get a
|
|
||||||
"Failed to erase card: PIN code or key incorrect", the transport key is
|
|
||||||
wrong. Find this key and then try again, DO NOT try the default key
|
|
||||||
again!</li>
|
|
||||||
</ul>
|
|
||||||
Note: you can combine erase/create (-E -C or -EC) to erase and then
|
|
||||||
create<br>
|
|
||||||
the card's contents, except when you change the profile option.<br>
|
|
||||||
<h3>* Add a PIN (not possible with the onepin profile option)</h3>
|
|
||||||
<span style="font-style: italic;">pkcs15-init
|
|
||||||
-P {-a <AuthID>} {--pin <PIN>} {--puk <PUK>} {-l
|
|
||||||
<label>}</span><br>
|
|
||||||
<ul>
|
|
||||||
<li>You can specify the AuthID with -a, if you don't do so, a value
|
|
||||||
that didn't exist yet on the card will be chosen.</li>
|
|
||||||
<li>Specify the PIN and PUK with --pin and --puk, if you don't do so,
|
|
||||||
the tool will prompt you for one.</li>
|
|
||||||
<li>Specify the label (name) of the PIN with -l, or accept the
|
|
||||||
default label.</li>
|
|
||||||
</ul>
|
|
||||||
<h3>* Generate a key pair (on card or in software on the PC)</h3>
|
|
||||||
<span style="font-style: italic;">pkcs15-init
|
|
||||||
-G <keyspec> -a <AuthID> --insecure {-i <ID>}
|
|
||||||
{--soft}{-u <keyusage>}{-l <privkeylabel>}
|
|
||||||
{--public-key-label <pubkeylabel>}</span><br>
|
|
||||||
<br>
|
|
||||||
This will generate a public and private key pair.<br>
|
|
||||||
<ul>
|
|
||||||
<li>The keyspec consist of the key type, rsa or dsa (depends on what
|
|
||||||
your cards supports), and optinally a slash followed by the keysize in
|
|
||||||
bits. E.g. "rsa/1024" specifies a 1024 bit RSA key pair. Note: dsa is
|
|
||||||
not
|
|
||||||
fully supported.</li>
|
|
||||||
<li>Specify the AuthID of the PIN that protects this key (from being
|
|
||||||
used in a signature or decryption operation) with -a; or specify
|
|
||||||
--insecure if you want the private key to be used without first
|
|
||||||
providing a PIN.</li>
|
|
||||||
<li>Specify the ID of the key with -i, otherwise the tool with choose
|
|
||||||
one.</li>
|
|
||||||
<li>Specify --soft if you don't want the key pair to be generated
|
|
||||||
on-chip.</li>
|
|
||||||
<li>Specify the usage of the private key with -u; if you add a
|
|
||||||
corresponding certificate later, it should have the same key usage. (Do
|
|
||||||
"pkcs15-init -u help" for help).</li>
|
|
||||||
<li>Specify the label (name) of the private key with -l, or accept
|
|
||||||
the default label.</li>
|
|
||||||
<li>Specify the label (name) of the public key with
|
|
||||||
--public-key-label, or accept the default label if you don't do so.</li>
|
|
||||||
<li>Depending on your card and profile option, you will be prompted
|
|
||||||
to provide your SO PIN and/or PIN; if you don't want to be prompted,
|
|
||||||
add them to the command line with --so-pin <SOPIN> and/or --pin
|
|
||||||
<PIN>.</li>
|
|
||||||
</ul>
|
|
||||||
NOTE: see the SSL engines (below) on how to make a certificate request
|
|
||||||
with the key you generated.<br>
|
|
||||||
<h3>* Add a private key</h3>
|
|
||||||
<span style="font-style: italic;">pkcs15-init
|
|
||||||
-S <keyfile> {-f <keyformat>} -a <AuthID> --insecure
|
|
||||||
{-i <ID>} {-u <keyusage>} {--passphrase <password>}
|
|
||||||
{-l <label>}</span><br>
|
|
||||||
<ul>
|
|
||||||
<li>The keyfile should be in DER (binary) or PEM format.</li>
|
|
||||||
<li>The keyformat should be PEM (default) or DER.</li>
|
|
||||||
<li>Specify the AuthID of the PIN that protects this key (from being
|
|
||||||
used in a signature or decryption operation) with -a; or specify
|
|
||||||
--insecure if you want the private key to be used without first
|
|
||||||
providing a PIN.</li>
|
|
||||||
<li>Specify the ID of the key with -i</li>
|
|
||||||
<>Specify the usage of the private key with -u; if you add a
|
|
||||||
corresponding certificate later, it should have the same key usage. (Do
|
|
||||||
"pkcs15-init -u help" for help). <li>Specify the label (name) of
|
|
||||||
the with -l, or accept the
|
|
||||||
default label.</li>
|
|
||||||
<li>Depending on your card and profile option, you will be prompted
|
|
||||||
to provide your SO PIN and/or PIN; if you don't want to be prompted,
|
|
||||||
add them to the command line with --so-pin <SOPIN> and/or --pin
|
|
||||||
<PIN>.</li>
|
|
||||||
</ul>
|
|
||||||
<h3>* Add a private key + certificate(s) (in a pkcs12 file)</h3>
|
|
||||||
<span style="font-style: italic;">pkcs15-init
|
|
||||||
-S <pkcs12file> -f PKCS12 -a <AuthID> {--insecure} {-i
|
|
||||||
<ID>} {-u <keyusage>} {--passphrase <password>} {-l
|
|
||||||
<privkeylabel>} {--cert-label <usercertlabel>}</span><br>
|
|
||||||
<br>
|
|
||||||
This adds the private key and certificate chain to the card. If a
|
|
||||||
certificate already exists on the card, it won't be added again.<br>
|
|
||||||
<ul>
|
|
||||||
<li>Specify the AuthID of the PIN that protects this key (from being
|
|
||||||
used in a signature or decryption operation) with -a; or specify
|
|
||||||
--insecure if you want the private key to be used without first
|
|
||||||
providing a PIN.</li>
|
|
||||||
<li>Specify the ID of the key and the corresponding certificate with
|
|
||||||
-i,
|
|
||||||
otherwise the tool with choose one; only the 'user cert' will get the
|
|
||||||
same ID as the key, the other certificates will get 'authority' status
|
|
||||||
and
|
|
||||||
another ID.</li>
|
|
||||||
<li>You can specify the key-usage, but it is not advised to do this
|
|
||||||
so the key usage from the certificate is used.</li>
|
|
||||||
<li>Specify the password of the pkcs12 key file if you don't want to
|
|
||||||
be prompted for one.</li>
|
|
||||||
<li>Specify the label (name) of the private key with -l, or accept
|
|
||||||
the default label.</li>
|
|
||||||
<li>Specify the label (name) of the user certificate with
|
|
||||||
--cert-label, or accept the default label.</li>
|
|
||||||
<li>Depending on your card and profile option, you will be prompted
|
|
||||||
to provide your SO PIN and/or PIN; if you don't want to be prompted,
|
|
||||||
add them to the command line with --so-pin <SOPIN> and/or --pin
|
|
||||||
<PIN>.</li>
|
|
||||||
</ul>
|
|
||||||
<h3>* Add a certificate</h3>
|
|
||||||
<span style="font-style: italic;">
|
|
||||||
pkcs15-init -W <certfile> {-f <certformat>} {-i <ID>}
|
|
||||||
{--authority}</span><br>
|
|
||||||
<ul>
|
|
||||||
<li>The certfile should be in DER (binary) or PEM format</li>
|
|
||||||
<li>The certformat should be PEM (default) or DER</li>
|
|
||||||
<li>Specify the ID of the certificate with -i, otherwise the tool
|
|
||||||
with
|
|
||||||
choose one; if the certificate corresponds to a private and/or public
|
|
||||||
key, you
|
|
||||||
should specify the same ID as that key.</li>
|
|
||||||
<li>Specify --authority if it is a CA certificate.</li>
|
|
||||||
<li>Depending on your card and profile option, you will be prompted
|
|
||||||
to
|
|
||||||
provide your SO PIN and/or PIN; if you don't want to be prompted, add
|
|
||||||
them to the command line with --so-pin <SOPIN> and/or --pin
|
|
||||||
<PIN>.</li>
|
|
||||||
</ul>
|
|
||||||
<h3>* Add a public key</h3>
|
|
||||||
<span style="font-style: italic;">pkcs15-init
|
|
||||||
--store-public-key <keyfile> {-f <keyformat>} {-i
|
|
||||||
<ID>} {-l <label>}</span><br>
|
|
||||||
<ul>
|
|
||||||
<li>The keyfile should be in DER (binary) or PEM format</li>
|
|
||||||
<li>The keyformat should be PEM (default) or DER</li>
|
|
||||||
<li>Specify the ID of the key with -i, otherwise the tool with choose
|
|
||||||
one; if the key corresponds to a private key and/or certificate, you
|
|
||||||
should
|
|
||||||
specify the same ID as that private key and/or certificate.</li>
|
|
||||||
<li>Specify the label (name) of the with -l, or accept the
|
|
||||||
default label.</li>
|
|
||||||
<li>Depending on your card and profile option, you will be prompted
|
|
||||||
to
|
|
||||||
provide your SO PIN and/or PIN; if you don't want to be prompted, add
|
|
||||||
them to the command line with --so-pin <SOPIN> and/or --pin
|
|
||||||
<PIN>.</li>
|
|
||||||
</ul>
|
|
||||||
<h3>* Add data</h3>
|
|
||||||
<span style="font-style: italic;">pkcs15-init
|
|
||||||
-W <datafile> {-i <ID>} {-l <label>}</span><br>
|
|
||||||
<ul>
|
|
||||||
<li>The datafile is stored "as is" onto the card.</li>
|
|
||||||
<li>Specify the ID of the data with -i, or accept the default ID.</li>
|
|
||||||
<li>Specify the label (name) of the with -l, or accept the
|
|
||||||
default label.</li>
|
|
||||||
<li>Depending on your card and profile option, you will be prompted
|
|
||||||
to
|
|
||||||
provide your SO PIN and/or PIN; if you don't want to be prompted, add
|
|
||||||
them to the command line with --so-pin <SOPIN> and/or --pin
|
|
||||||
<PIN>.</li>
|
|
||||||
</ul>
|
|
||||||
<h2>4. Other tools</h2>
|
|
||||||
<h3>* SSL-engines</h3>
|
|
||||||
These libraries can be loaded in OpenSSL so you can do a certificate
|
|
||||||
request with the openssl tool; the signature on the certificate request
|
|
||||||
will
|
|
||||||
then be made with the smart card. The result can then be sent to a CA
|
|
||||||
for certification, the resulting certificate can be put on the card
|
|
||||||
with
|
|
||||||
pkcs15-init or pkcs11-tool.<br>
|
|
||||||
<ul>
|
|
||||||
<li>Run openssl</li>
|
|
||||||
<li>On the openssl command prompt, type<br>
|
|
||||||
<span style="font-style: italic;">engine dynamic
|
|
||||||
-pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD</span><br>
|
|
||||||
or<br>
|
|
||||||
<span style="font-style: italic;">engine dynamic
|
|
||||||
-pre
|
|
||||||
SO_PATH:engine_opensc -pre ID:opensc -pre LIST_ADD:1 -pre LOAD</span><br>
|
|
||||||
depending on which one of the 2 engines (pkcs11 or opensc) you want to
|
|
||||||
use.</li>
|
|
||||||
</ul>
|
|
||||||
<ul>
|
|
||||||
<li>Then type (on the openssl command prompt)<br>
|
|
||||||
<span style="font-style: italic;">req -engine
|
|
||||||
pkcs11 -new -key <ID> -keyform engine -out <cert_req></span><br>
|
|
||||||
or<span style="font-style: italic;"><br>
|
|
||||||
</span><span style="font-style: italic;">
|
|
||||||
req -engine opensc -new -key <ID> -keyform engine -out
|
|
||||||
<cert_req></span><br>
|
|
||||||
in which ID is the slot+ID in the following format:<br>
|
|
||||||
<span style="font-style: italic;">[slot_<slotID>][-][id_<ID>]</span>,
|
|
||||||
e.g. <span style="font-style: italic;">id_45</span> or <span style="font-style: italic;">slot_0-id_45</span><br>
|
|
||||||
</li>
|
|
||||||
</ul>
|
|
||||||
<h3>* pkcs11-tool and Mozilla/Netscape</h3>
|
|
||||||
You can use the OpenSC pkcs11 library to generate a keypair in Mozilla
|
|
||||||
or Netscape, and let the browser generate a certificate request that
|
|
||||||
is sent to an on-line CA to issue and send you a certificate that is
|
|
||||||
then added to the card.<br>
|
|
||||||
<br>
|
|
||||||
Just go to an online CA (Globalsign, Thawte, ...) and follow their
|
|
||||||
guidelines. Because such a request either costs you or at least
|
|
||||||
requires you to provide a valid mail address, it is advisable to first
|
|
||||||
try you card with "<span style="font-weight: bold;">pkcs11-tool
|
|
||||||
--moz-cert
|
|
||||||
<cert_file_in_der_format> --login</span>".<br>
|
|
||||||
<br>
|
|
||||||
NOTE: This can only be done with the onepin profile option (because the
|
|
||||||
browser won't ask for an SO PIN, only for the user PIN).<br>
|
|
||||||
<br>
|
|
||||||
<h2>5. Card-specific issues</h2>
|
|
||||||
<div style="text-align: center;"><span style="font-style: italic;">Experience
|
|
||||||
is that marvelous thing that enables you to recognize</span><br style="font-style: italic;">
|
|
||||||
<span style="font-style: italic;">a mistake when you make it again. --
|
|
||||||
Franklin P. Jones</span><br>
|
|
||||||
</div>
|
|
||||||
<br>
|
|
||||||
<span style="font-weight: bold;">Cryptoflex:</span><br>
|
|
||||||
<ul>
|
|
||||||
<li>DFs and EFs in a DF have to be deleted in reverse order of
|
|
||||||
creation.<br>
|
|
||||||
OpenSC relies on this fact for security, but also has some downsides.
|
|
||||||
For example, if you did a "pkcs15-init -C" and then added some EFs or
|
|
||||||
DFs in the MF, you won't be able to do a "pkcs15-init -E" afterwards to
|
|
||||||
remove the PKCS15 DF (5015). So you'll first have to manually remove
|
|
||||||
all EFs/DFs you created in the MF before being able remove the pkcs15
|
|
||||||
DF.<br>
|
|
||||||
</li>
|
|
||||||
</ul>
|
|
||||||
<span style="font-weight: bold;">Starcos SPK 2.3:</span><br>
|
|
||||||
<ul>
|
|
||||||
<li>Due to the way Starcos SPK 2.3 manages access rights it is
|
|
||||||
necessary to manually call "pkcs15-init --finalize" after card
|
|
||||||
personalization if no SO-PIN has been specified. Once the card has been
|
|
||||||
finalized it is no possible to add new private/secrets keys or PINs. If
|
|
||||||
a SO-PIN is used the card will automatically be finalized after the
|
|
||||||
SO-PIN has been stored.</li>
|
|
||||||
<li>If an SO-PIN is used and if there is enough space in the key file
|
|
||||||
left, then the owner of the SO-PIN can access/use every protected item
|
|
||||||
by creating a PIN for the necessary state.</li>
|
|
||||||
</ul>
|
|
||||||
<br>
|
|
||||||
</body></html>
|
|
|
@ -1,380 +0,0 @@
|
||||||
1. Introduction
|
|
||||||
===============
|
|
||||||
|
|
||||||
Nothing is impossible for the man who doesn't
|
|
||||||
have to do it himself. -- A.H. Weiler
|
|
||||||
|
|
||||||
This guide is about initialising and personalising (no distinction made) cards
|
|
||||||
with the OpenSC library and tools (mostly pkcs15-init).
|
|
||||||
|
|
||||||
Some knowlegde about smart cards is assumed. Below is a short overview of some
|
|
||||||
key words and concepts. For more info, see the opensc.html manual.
|
|
||||||
|
|
||||||
Filesystem - MF - DF - EF - FID
|
|
||||||
A smart cards has a non-volatile memory (EEPROM) in which usually a
|
|
||||||
PC-like file system is implemented. The directories are called Dedicated Files
|
|
||||||
(DF) and the files are called Elementary Files (EF). They are identified by a
|
|
||||||
a File ID (FID) on 2 bytes. For example, the root of the file system (called
|
|
||||||
Master File or MF) has FID = 3F 00 (hex).
|
|
||||||
|
|
||||||
Commands - APDUs
|
|
||||||
It is possible to send commands (APDUs) to the card to select, read, write,
|
|
||||||
create, list, delete, ... EFs and DFs (not all cards allow all commands).
|
|
||||||
|
|
||||||
Access control, PIN, PUK
|
|
||||||
The file system usually implements some sort of access control on EFs and DFs.
|
|
||||||
This is usually done by PINs or Keys: you have to provide a PIN or show
|
|
||||||
knowledge of a key before you can perform some command on some EF/DF. A PIN
|
|
||||||
is usually accompanied by a PUK (Pin Unblock Key), which can be used to reset
|
|
||||||
(or unblock) that PIN.
|
|
||||||
|
|
||||||
Cryptographic keys
|
|
||||||
On crypto cards, it is also possible to sign, decrypt, generate a key pair
|
|
||||||
(what can be done exactly depends on the card). on some cards, key and/or PINs
|
|
||||||
are files in the filesystem, on other cards, they don't exist in the
|
|
||||||
filesystem but are referenced through an ID.
|
|
||||||
|
|
||||||
Reader - PC/SC - OpenCT - CT-API
|
|
||||||
Smart card readers come with a library that can be used on a PC to send APDUs
|
|
||||||
to the card. Commonly used APIs for those libraries are PC/SC, OpenCT and
|
|
||||||
CT-API.
|
|
||||||
|
|
||||||
PKCS15
|
|
||||||
There are standards (e.g. ISO7816, parts 4-...) that specify how to select,
|
|
||||||
read, write, EFs and DFs, and how to sign, decrypt, login, ...
|
|
||||||
However, there is also a need to know which files contain what, or where the
|
|
||||||
keys, PINs, .. can be found.
|
|
||||||
For crypto cards, PCKS15 adresses this need by defining some files that contain
|
|
||||||
info on where to find keys, certificates, PINs, and other data. For example,
|
|
||||||
there is a PrKDF (Private Key Directory File) that contains the EFs or ID of
|
|
||||||
the private keys, what those keys can be used for, by which PINs they are
|
|
||||||
protected, ...
|
|
||||||
So a "PCKS15 card" is nothing but any other card on which the right set of
|
|
||||||
files has been added.
|
|
||||||
In short: PKCS15 allows you to describe where to find PINs, keys, certificates
|
|
||||||
and data on a card, plus all the info that is needed to use them.
|
|
||||||
|
|
||||||
A little PKCS15 example:
|
|
||||||
|
|
||||||
Here's the textual contents of 3 PKCS15 files: the AODF (Authentication
|
|
||||||
Object Directory File), PrKDF (Private Key Directory File) and CDF
|
|
||||||
(Certificate Directory File) that contain info on resp. the PINs, private
|
|
||||||
keys and certificates. Each of them contains 1 entry.
|
|
||||||
|
|
||||||
AODF:
|
|
||||||
Com. Flags : private, modifiable
|
|
||||||
Auth ID : 01
|
|
||||||
Flags : [0x32], local, initialized, needs-padding
|
|
||||||
Length : min_len:4, max_len:8, stored_len:8
|
|
||||||
Pad char : 0x00
|
|
||||||
Reference : 1
|
|
||||||
Encoding : ASCII-numeric
|
|
||||||
Path : 3F005015
|
|
||||||
|
|
||||||
PrKDF:
|
|
||||||
Com. Flags : private, modifiable
|
|
||||||
Com. Auth ID: 01
|
|
||||||
Usage : [0x32E], decrypt, sign, signRecover, unwrap, derive, nonRep
|
|
||||||
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
|
|
||||||
ModLength : 1024
|
|
||||||
Key ref : 0
|
|
||||||
Native : yes
|
|
||||||
Path : 3F00501530450012
|
|
||||||
ID : 45
|
|
||||||
|
|
||||||
X.509 Certificate [/C=BE/ST=...]
|
|
||||||
Com. Flags : modifiable
|
|
||||||
Authority : no
|
|
||||||
Path : 3f0050154545
|
|
||||||
ID : 45
|
|
||||||
|
|
||||||
Some things to note:
|
|
||||||
- The Auth ID (01) of the private key is the same as the one of the PIN which
|
|
||||||
means that you first have to do a login with this PIN before you can use
|
|
||||||
this key.
|
|
||||||
- The key is in an EF with ID = 0012 in the DF with ID = 3045, which on its
|
|
||||||
turn is a DF with ID = 5015, which on its turn is a DF of the MF (3F00).
|
|
||||||
- The private key and certificate share the same ID (45), which means that they
|
|
||||||
belong together.
|
|
||||||
- The cert is in the EF with as path: 3F00\5015\4545 and is no CA cert.
|
|
||||||
|
|
||||||
Use the tests/p15dump tool to see yourself what pkcs15 data is on
|
|
||||||
your card, or tools/opensc-explorer to browse through the files.
|
|
||||||
|
|
||||||
Have the PKCS15 files a fixed place so everyone can find them? No, there's
|
|
||||||
only one: the EF(DIR) in the MF and with ID 2F00. That's the starting place.
|
|
||||||
|
|
||||||
|
|
||||||
2. The OpenSC pkcs15-init library and profiles
|
|
||||||
==============================================
|
|
||||||
|
|
||||||
Reading and writing files, PIN verification, signing and decryption happen in
|
|
||||||
much the same way on all cards. Therefore, the "normal life" commands have
|
|
||||||
been implemented in OpenSC for all supported cards.
|
|
||||||
|
|
||||||
However, creating and deleting files, PINs and keys is very card specific and
|
|
||||||
has not yet been implemented for all cards. Currently, pkcs15-init is
|
|
||||||
implemented for: Cryptoflex, Cyberflex, CardOS (etoken), GPK, Miocos, Starcos
|
|
||||||
JCOP and Oberthur. (Check src/pkcs15init/pkcs15-*.c for possible updates).
|
|
||||||
Because of this, and because pkcs15-init is not necessary for "normal life"
|
|
||||||
operations, it has been put in a separate library and in a separate directory.
|
|
||||||
|
|
||||||
Profile
|
|
||||||
Because the initialisation/personalisation is so card-specific, it would be
|
|
||||||
very hard to make a tool or API that accepts all parameters for all current
|
|
||||||
and future cards. Therefore, a profile file has been made in OpenSC that
|
|
||||||
contains all the card-specific parameters. This card-specific profile is read
|
|
||||||
by card-specific code in the pkcs15-init library each time this library is
|
|
||||||
used on that card.
|
|
||||||
See the *.profile files in src/pkcs15init/. There is one general file
|
|
||||||
(pkcs15.profile) and one card-specific profile for each card.
|
|
||||||
|
|
||||||
Profile options
|
|
||||||
There are currently 3 options you can specify to modify a profile:
|
|
||||||
- default: creation/deletion/generation is controlled by the SO PIN (SO =
|
|
||||||
Security Officer, different from the regular user of the card)
|
|
||||||
- onepin: creation/deletion/generation is controlled by the user PIN and thus
|
|
||||||
by the user. As a result, only 1 user PIN is possible
|
|
||||||
- small: like default, but suitable for card with little memory
|
|
||||||
|
|
||||||
|
|
||||||
3. pkcs15-init tool
|
|
||||||
===================
|
|
||||||
|
|
||||||
This is a command-line tool that uses the pkcs15-init library. It allows you
|
|
||||||
to do all the init/perso things, e.g. add/delete keys, certificates, PINs and
|
|
||||||
data, generate keys, ... while specifying key usage, which PIN protects
|
|
||||||
which key, ...
|
|
||||||
|
|
||||||
As said before, not all cards are supported in the pkcs15-init library. In that
|
|
||||||
case, the pkcs15-init tool won't work (top 5 questions on the mailing list :-).
|
|
||||||
To find out which card you have, try "opensc-tool -n"
|
|
||||||
|
|
||||||
Below is explained how to do the operations that are supported by pkcs15-tool.
|
|
||||||
Not all options are explained (run "pkcs15-tool -h" to see them) because some
|
|
||||||
are card-specific or obsolete (or we don't know about them). Feel free to
|
|
||||||
experiment and explain them here.
|
|
||||||
|
|
||||||
So the things in this section are fairly general but not guaranteed to work
|
|
||||||
for all cards. See also the section on "card-specific issues".
|
|
||||||
|
|
||||||
The --reader or -r can be given with any command. By default the first reader
|
|
||||||
is used. Do "opensc-tool -l" to see the list of available readers.
|
|
||||||
|
|
||||||
To see the results of what you did, you can do one of the following:
|
|
||||||
pkcs15-tool --list-pins --list-public-keys -k -c -C
|
|
||||||
p15dump (in the src/tests directory)
|
|
||||||
To see/dump the content of any file, use the opensc-explorer tool.
|
|
||||||
|
|
||||||
* Create the PKCS15 files
|
|
||||||
pkcs15-init -C {-T} {-p <profile>}
|
|
||||||
--so-pin <PIN> --so-puk <PUK> | --no-so-pin | --pin <PIN> --puk <PUK>
|
|
||||||
This will create the PKCS15 DF (5015) and all the PKCS15 files (some of which
|
|
||||||
will be empty until a key, PIN, ... will be added). It must be done before you
|
|
||||||
can do any of the operations below.
|
|
||||||
- This operation usually requires a 'transport' key. pkcs15-init will ask you
|
|
||||||
for this key and propose the default one for that card. With -T, the default
|
|
||||||
key will be used without asking. NOTE: if you get a "Failed to erase card:
|
|
||||||
PIN code or key incorrect", the transport key is wrong. Find this key and
|
|
||||||
then try again, DO NOT try with the default key again!
|
|
||||||
- If you want an SO PIN and PUK, do so with the --so-pin and --so-puk options,
|
|
||||||
or specify --no-so-pin if you don't want them. If you use the onepin profile,
|
|
||||||
there is no SO PIN so you should specify --pin and --puk instead.
|
|
||||||
(So you get: pkcs15-init -CT -p pkcs15+onepin --pin <PIN> --puk <PUK>)
|
|
||||||
- To specify the profile file + option. The profile file can only be "pkcs15"
|
|
||||||
for the moment, so you can have:
|
|
||||||
pkcs15+default : the default (not needed to specify it)
|
|
||||||
pkcs15+onepin : for the onepin profile option
|
|
||||||
pkcs15+small : for the small profile option
|
|
||||||
|
|
||||||
* Erase the card's content
|
|
||||||
pkcs15-init -E {-T}
|
|
||||||
This will delete all keys, PINs, certificates, data that were listed in PKCS15
|
|
||||||
files, along with the PKCS15 files themselves.
|
|
||||||
- This operation usually requires a 'transport' key. pkcs15-init will ask you
|
|
||||||
for this key and propose the default one for that card. With -T, the default
|
|
||||||
key will be used without asking. NOTE: if you get a "Failed to erase card:
|
|
||||||
PIN code or key incorrect", the transport key is wrong. Find this key and
|
|
||||||
then try again, DO NOT try the default key again!
|
|
||||||
|
|
||||||
Note: you can combine erase/create (-E -C or -EC) to erase and then create
|
|
||||||
the card's contents, except when you change the profile option.
|
|
||||||
|
|
||||||
* Add a PIN (not possible with the onepin profile option)
|
|
||||||
pkcs15-init -P {-a <AuthID>} {--pin <PIN>} {--puk <PUK>} {-l <label>}
|
|
||||||
- You can specify the AuthID with -a, if you don't do so, a value that didn't
|
|
||||||
exist yet on the card will be used.
|
|
||||||
- Specify the PIN and PUK with --pin and --puk, if you don't do so, the tool
|
|
||||||
will prompt you for one.
|
|
||||||
- Specify the label (name) of the PIN with -l, or accept the default label.
|
|
||||||
|
|
||||||
* Generate a key pair (on card or in software on the PC)
|
|
||||||
pkcs15-init -G <keyspec> -a <AuthID> --insecure {-i <ID>} {--soft}
|
|
||||||
{-u <keyusage>}
|
|
||||||
{-l <privkeylabel>} {--public-key-label <pubkeylabel>}
|
|
||||||
This will generate a public and private key pair.
|
|
||||||
- The keyspec consist of the key type, rsa or dsa (depends on what your card
|
|
||||||
supports), and optinally a slash followed by the keysize in bits. E.g.
|
|
||||||
"rsa/1024" specifies a 1024-bit RSA key pair. Note: dsa is not fully
|
|
||||||
supported.
|
|
||||||
- Specify the AuthID of the PIN that protects this key (protect from being
|
|
||||||
used in a signature or decryption operation) with -a; or specify --insecure
|
|
||||||
if you want the private key to be used without first providing a PIN.
|
|
||||||
- Specify the ID of the key with -i, otherwise the tool will choose one.
|
|
||||||
- Specify --soft if you don't want the key pair to be generated on card.
|
|
||||||
- Specify the usage of the private key with -u; if you add a
|
|
||||||
corresponding certificate later, it should have the same key usage.
|
|
||||||
(Do "pkcs15-init -u help" for help).
|
|
||||||
- Specify the label (name) of the private key with -l, or accept the default
|
|
||||||
label.
|
|
||||||
- Specify the label (name) of the public key with --public-key-label, or
|
|
||||||
accept the default label.
|
|
||||||
- Depending on your card and profile option, you will be prompted to provide
|
|
||||||
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
|
|
||||||
command line with --so-pin <SOPIN> and/or --pin <PIN>.
|
|
||||||
NOTE: see the SSL engines (below) on how to make a certificate request with
|
|
||||||
the key you generated.
|
|
||||||
|
|
||||||
* Add a private key
|
|
||||||
pkcs15-init -S <keyfile> {-f <keyformat>} -a <AuthID> --insecure
|
|
||||||
{-i <ID>} {-u <keyusage>} {--passphrase <password>}
|
|
||||||
{-l <label>}
|
|
||||||
- The keyfile should be in DER (binary) or PEM format.
|
|
||||||
- The keyformat should be PEM (default) or DER.
|
|
||||||
- Specify the AuthID of the PIN that protects the private key (from being used
|
|
||||||
in a signature or decryption operation) with -a; or specify --insecure if
|
|
||||||
you want the private key to be used without first providing a PIN
|
|
||||||
- Specify the ID of the key with -i
|
|
||||||
- Specify the usage of the private key with -u; if you add a
|
|
||||||
corresponding certificate later, it should have the same key usage.
|
|
||||||
(Do "pkcs15-init -u help" for help).
|
|
||||||
- Specify the label (name) of the with -l, or accept the default label if
|
|
||||||
you don't do so.
|
|
||||||
- Depending on your card and profile option, you will be prompted to provide
|
|
||||||
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
|
|
||||||
command line with --so-pin <SOPIN> and/or --pin <PIN>.
|
|
||||||
|
|
||||||
* Add a private key + certificate(s) (in a pkcs12 file)
|
|
||||||
pkcs15-init -S <pkcs12file> -f PKCS12 -a <AuthID> {--insecure} {-i <ID>}
|
|
||||||
{-u <keyusage>} {--passphrase <password>}
|
|
||||||
{-l <privkeylabel>} {--cert-label <usercertlabel>}
|
|
||||||
This adds the private key and certificate chain to the card. If a certificate
|
|
||||||
already exists in the card, it won't be added again.
|
|
||||||
- Specify the AuthID of the PIN that protects this key (protect from being
|
|
||||||
used in a signature or decryption operation) with -a; or specify --insecure
|
|
||||||
if you want the private key to be used without first providing a PIN.
|
|
||||||
- Specify the ID of the key and the corresponding certificate with -i,
|
|
||||||
otherwise the tool with choose one; only the 'user cert' will get the same
|
|
||||||
ID as the key,
|
|
||||||
the other certificates will get 'authority' status and another ID.
|
|
||||||
- You can specify the key-usage, but it is advised not to do this so the key
|
|
||||||
usage is fetched from the certificate.
|
|
||||||
- Specify the password of the pkcs12 key file if you don't want to be prompted
|
|
||||||
for one.
|
|
||||||
- Specify the label (name) of the private key with -l, or accept the default
|
|
||||||
label if you don't do so.
|
|
||||||
- Specify the label (name) of the user certificate with --cert-label, or
|
|
||||||
accept the default label if you don't do so.
|
|
||||||
- Depending on your card and profile option, you will be prompted to provide
|
|
||||||
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
|
|
||||||
command line with --so-pin <SOPIN> and/or --pin <PIN>.
|
|
||||||
|
|
||||||
* Add a certificate
|
|
||||||
pkcs15-init -W <certfile> {-f <certformat>} {-i <ID>} {--authority}
|
|
||||||
- The certfile should be in DER (binary) or PEM format
|
|
||||||
- The certformat should be PEM (default) or DER
|
|
||||||
- Specify the ID of the certificate with -i, otherwise the tool with choose
|
|
||||||
one; if the certificate corresponds to a private and/or public key, you
|
|
||||||
should specify the same ID as that key.
|
|
||||||
- Specify --authority if it is a CA certificate.
|
|
||||||
- Depending on your card and profile option, you will be prompted to provide
|
|
||||||
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
|
|
||||||
command line with --so-pin <SOPIN> and/or --pin <PIN>.
|
|
||||||
|
|
||||||
* Add a public key
|
|
||||||
pkcs15-init --store-public-key <keyfile> {-f <keyformat>} {-i <ID>}
|
|
||||||
{-l <label>}
|
|
||||||
- The keyfile should be in DER (binary) or PEM format
|
|
||||||
- The keyformat should be PEM (default) or DER
|
|
||||||
- Specify the ID of the key with -i, otherwise the tool with choose one;
|
|
||||||
if the key corresponds to a private key and/or certificate, you should
|
|
||||||
specify the same ID as that private key and/or certificate.
|
|
||||||
- Specify the label (name) of the with -l, or accept the default label if
|
|
||||||
you don't do so.
|
|
||||||
- Depending on your card and profile option, you will be prompted to provide
|
|
||||||
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
|
|
||||||
command line with --so-pin <SOPIN> and/or --pin <PIN>.
|
|
||||||
|
|
||||||
* Add data
|
|
||||||
pkcs15-init -W <datafile> {-i <ID>} {-l <label>}
|
|
||||||
- The datafile is stored "as is" onto the card.
|
|
||||||
- Specify the ID of the data with -i, or accept the default ID.
|
|
||||||
- Specify the label (name) of the data with -l, or accept the default label.
|
|
||||||
- Depending on your card and profile option, you will be prompted to provide
|
|
||||||
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
|
|
||||||
command line with --so-pin <SOPIN> and/or --pin <PIN>.
|
|
||||||
|
|
||||||
|
|
||||||
4. Other tools
|
|
||||||
==============
|
|
||||||
|
|
||||||
* SSL-engines
|
|
||||||
|
|
||||||
These libraries can be loaded in OpenSSL so you can do a certificate request
|
|
||||||
with the openssl tool; the signature of the certificate request will then be
|
|
||||||
made using the smart card. The result can then be sent to a CA for
|
|
||||||
certification or the resulting certificate can be put on the card with pkcs15-init
|
|
||||||
or pkcs11-tool.
|
|
||||||
- Run openssl
|
|
||||||
- On the openssl command prompt, type
|
|
||||||
engine dynamic -pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
|
|
||||||
or
|
|
||||||
engine dynamic -pre SO_PATH:engine_opensc -pre ID:opensc -pre LIST_ADD:1 -pre LOAD
|
|
||||||
depending on which one of the 2 engines (pkcs11 or opensc) you want to use.
|
|
||||||
- Then type (on the openssl command prompt)
|
|
||||||
req -engine pkcs11 -new -key <ID> -keyform engine -out <cert_req>
|
|
||||||
or
|
|
||||||
req -engine opensc -new -key <ID> -keyform engine -out <cert_req>
|
|
||||||
in which ID is the slot+ID in the following format:
|
|
||||||
[slot_<slotID>][-][id_<ID>], e.g. id_45 or slot_0-id_45
|
|
||||||
|
|
||||||
* pkcs11-tool and Mozilla/Netscape
|
|
||||||
|
|
||||||
You can use the OpenSC pkcs11 library to generate a key pair in Mozilla or
|
|
||||||
Netscape, and let the browser generate a certificate request that is sent
|
|
||||||
to an on-line CA to issue and send you a certificate that is then added to the
|
|
||||||
card.
|
|
||||||
|
|
||||||
Just go to an online CA (Globalsign, Thawte, ...) and follow their guidelines.
|
|
||||||
Because such a request either costs you or at least requires you to provide a
|
|
||||||
valid mail address, it is advisable to first try you card with
|
|
||||||
"pkcs11-tool --moz-cert <cert_file_in_der_format> --login".
|
|
||||||
|
|
||||||
NOTE: This can only be done with the onepin profile option (because the browser
|
|
||||||
won't ask for an SO PIN, only for the user PIN).
|
|
||||||
|
|
||||||
|
|
||||||
5. Card-specific issues
|
|
||||||
=======================
|
|
||||||
|
|
||||||
Experience is that marvelous thing that enables you to recognize
|
|
||||||
a mistake when you make it again. -- Franklin P. Jones
|
|
||||||
|
|
||||||
Cryptoflex:
|
|
||||||
- DFs and EFs in a DF have to be deleted in reverse order of creation.
|
|
||||||
OpenSC relies on this fact for security, but also has some downsides. For
|
|
||||||
example, if you did a "pkcs15-init -C" and then added some EFs or DFs in the
|
|
||||||
MF, you won't be able to do a "pkcs15-init -E" afterwards to remove the
|
|
||||||
PKCS15 DF (5015). So you'll first have to manually remove all EFs/DFs you
|
|
||||||
created in the MF before being able remove the pkcs15 DF.
|
|
||||||
|
|
||||||
Starcos SPK 2.3:
|
|
||||||
- Due to the way Starcos SPK 2.3 manages access rights it is necessary
|
|
||||||
to manually call "pkcs15-init --finalize" after card personalization
|
|
||||||
if no SO-PIN has been specified. Once the card has been finalized it is
|
|
||||||
not possible to add new private/secret keys or PINs. If a SO-PIN is
|
|
||||||
used the card will automatically be finalized after the SO-PIN has
|
|
||||||
been stored.
|
|
||||||
- If an SO-PIN is used and if there is enough space in the key file left,
|
|
||||||
then the owner of the SO-PIN can access/use every protected item by
|
|
||||||
creating a PIN for the necessary state.
|
|
File diff suppressed because it is too large
Load Diff
|
@ -1,23 +0,0 @@
|
||||||
.screen {
|
|
||||||
background-color: #dddddd;
|
|
||||||
cellspacing:"1";
|
|
||||||
cellpadding:"1";
|
|
||||||
}
|
|
||||||
|
|
||||||
.prompt {
|
|
||||||
background-color: #dddddd;
|
|
||||||
}
|
|
||||||
|
|
||||||
.command {
|
|
||||||
background-color: #dddddd;
|
|
||||||
}
|
|
||||||
|
|
||||||
.title {
|
|
||||||
}
|
|
||||||
|
|
||||||
.toc {
|
|
||||||
}
|
|
||||||
|
|
||||||
.book {
|
|
||||||
width: 630pt
|
|
||||||
}
|
|
1518
doc/old/opensc.xml
1518
doc/old/opensc.xml
File diff suppressed because it is too large
Load Diff
|
@ -1,11 +0,0 @@
|
||||||
<?xml version='1.0'?>
|
|
||||||
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
|
|
||||||
|
|
||||||
<xsl:import href="/usr/share/sgml/docbook/stylesheet/xsl/nwalsh/xhtml/docbook.xsl"/>
|
|
||||||
|
|
||||||
<xsl:param name="html.stylesheet" select="'opensc.css'"/>
|
|
||||||
<xsl:param name="shade.verbatim" select="1"/>
|
|
||||||
<xsl:param name="html.cleanup" select="1" />
|
|
||||||
<xsl:param name="generate.section.toc.level" select="0" />
|
|
||||||
|
|
||||||
</xsl:stylesheet>
|
|
|
@ -1,869 +0,0 @@
|
||||||
PKCS-15 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
|
|
||||||
pkcs-15(15) modules(1) pkcs-15(1)}
|
|
||||||
|
|
||||||
-- $Revision$ --
|
|
||||||
|
|
||||||
DEFINITIONS IMPLICIT TAGS ::=
|
|
||||||
|
|
||||||
BEGIN
|
|
||||||
|
|
||||||
IMPORTS
|
|
||||||
|
|
||||||
informationFramework, authenticationFramework, certificateExtensions
|
|
||||||
FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
|
|
||||||
usefulDefinitions(0) 3}
|
|
||||||
|
|
||||||
Name, Attribute
|
|
||||||
FROM InformationFramework informationFramework
|
|
||||||
|
|
||||||
Certificate, AttributeCertificate, CertificateSerialNumber,
|
|
||||||
SubjectPublicKeyInfo
|
|
||||||
FROM AuthenticationFramework authenticationFramework
|
|
||||||
|
|
||||||
GeneralNames, KeyUsage
|
|
||||||
FROM CertificateExtensions certificateExtensions
|
|
||||||
|
|
||||||
RecipientInfos, RecipientInfo, OriginatorInfo, sha-1,
|
|
||||||
id-alg-CMS3DESwrap, id-alg-CMSRC2wrap, hMAC-SHA1, des-ede3-cbc
|
|
||||||
FROM CryptographicMessageSyntax {iso(1) member-body(2)
|
|
||||||
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0)
|
|
||||||
cms(1)}
|
|
||||||
|
|
||||||
RSAPublicKey
|
|
||||||
FROM PKCS-1 {iso(1) member-body(2) us(840) rsadsi(113549)
|
|
||||||
pkcs(1) pkcs-1(1) modules(0) pkcs-1(1)}
|
|
||||||
|
|
||||||
AlgorithmIdentifier, SupportingAlgorithms, PBKDF2Algorithms,
|
|
||||||
ALGORITHM-IDENTIFIER, id-hmacWithSHA1
|
|
||||||
FROM PKCS-5 {iso(1) member-body(2) us(840) rsadsi(113549)
|
|
||||||
pkcs(1) pkcs-5(5) modules(16) pkcs-5(1)}
|
|
||||||
|
|
||||||
ECPoint, Parameters
|
|
||||||
FROM ANSI-X9-62 {iso(1) member-body(2) us(840)
|
|
||||||
ansi-x962(10045) module(4) 1}
|
|
||||||
|
|
||||||
DiffieHellmanPublicNumber, DomainParameters
|
|
||||||
FROM ANSI-X9-42 {iso(1) member-body(2) us(840)
|
|
||||||
ansi-x942(10046) module(5) 1}
|
|
||||||
|
|
||||||
OOBCertHash
|
|
||||||
FROM PKIXCMP {iso(1) identified-organization(3) dod(6)
|
|
||||||
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
|
|
||||||
id-mod-cmp(9)};
|
|
||||||
|
|
||||||
-- Constants
|
|
||||||
|
|
||||||
pkcs15-ub-identifier INTEGER ::= 255
|
|
||||||
pkcs15-ub-reference INTEGER ::= 255
|
|
||||||
pkcs15-ub-index INTEGER ::= 65535
|
|
||||||
pkcs15-ub-label INTEGER ::= pkcs15-ub-identifier
|
|
||||||
pkcs15-lb-minPinLength INTEGER ::= 4
|
|
||||||
pkcs15-ub-minPinLength INTEGER ::= 8
|
|
||||||
pkcs15-ub-storedPinLength INTEGER ::= 64
|
|
||||||
pkcs15-ub-recordLength INTEGER ::= 16383
|
|
||||||
pkcs15-ub-userConsent INTEGER ::= 15
|
|
||||||
pkcs15-ub-securityConditions INTEGER ::= 255
|
|
||||||
pkcs15-ub-seInfo INTEGER ::= 255
|
|
||||||
|
|
||||||
-- Object Identifiers
|
|
||||||
|
|
||||||
pkcs15 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
|
|
||||||
rsadsi(113549) pkcs(1) pkcs-15(15)}
|
|
||||||
pkcs15-mo OBJECT IDENTIFIER ::= {pkcs15 1} -- Modules branch
|
|
||||||
pkcs15-at OBJECT IDENTIFIER ::= {pkcs15 2} -- Attribute branch
|
|
||||||
pkcs15-ct OBJECT IDENTIFIER ::= {pkcs15 3} -- Content type branch
|
|
||||||
|
|
||||||
-- Content Types
|
|
||||||
|
|
||||||
pkcs15-ct-PKCS15Token OBJECT IDENTIFIER ::= {pkcs15-ct 1}
|
|
||||||
|
|
||||||
-- Basic types
|
|
||||||
|
|
||||||
Identifier ::= OCTET STRING (SIZE (0..pkcs15-ub-identifier))
|
|
||||||
|
|
||||||
Reference ::= INTEGER (0..pkcs15-ub-reference)
|
|
||||||
|
|
||||||
Label ::= UTF8String (SIZE(0..pkcs15-ub-label))
|
|
||||||
|
|
||||||
KEY-IDENTIFIER ::= CLASS {
|
|
||||||
&id INTEGER UNIQUE,
|
|
||||||
&Value
|
|
||||||
} WITH SYNTAX {
|
|
||||||
SYNTAX &Value IDENTIFIED BY &id
|
|
||||||
}
|
|
||||||
|
|
||||||
CredentialIdentifier {KEY-IDENTIFIER : IdentifierSet} ::= SEQUENCE {
|
|
||||||
idType KEY-IDENTIFIER.&id ({IdentifierSet}),
|
|
||||||
idValue KEY-IDENTIFIER.&Value ({IdentifierSet}{@idType})
|
|
||||||
}
|
|
||||||
|
|
||||||
KeyIdentifiers KEY-IDENTIFIER ::= {
|
|
||||||
issuerAndSerialNumber|
|
|
||||||
issuerAndSerialNumberHash|
|
|
||||||
subjectKeyId|
|
|
||||||
subjectKeyHash |
|
|
||||||
issuerKeyHash |
|
|
||||||
issuerNameHash |
|
|
||||||
subjectNameHash,
|
|
||||||
...
|
|
||||||
}
|
|
||||||
|
|
||||||
issuerAndSerialNumber KEY-IDENTIFIER::=
|
|
||||||
{SYNTAX PKCS15-OPAQUE.&Type IDENTIFIED BY 1}
|
|
||||||
-- As defined in RFC 2630
|
|
||||||
subjectKeyId KEY-IDENTIFIER ::=
|
|
||||||
{SYNTAX OCTET STRING IDENTIFIED BY 2}
|
|
||||||
-- From x509v3 certificate extension
|
|
||||||
issuerAndSerialNumberHash KEY-IDENTIFIER ::=
|
|
||||||
{SYNTAX OCTET STRING IDENTIFIED BY 3}
|
|
||||||
-- Assumes SHA-1 hash of DER encoding of IssuerAndSerialNumber
|
|
||||||
subjectKeyHash KEY-IDENTIFIER ::=
|
|
||||||
{SYNTAX OCTET STRING IDENTIFIED BY 4}
|
|
||||||
issuerKeyHash KEY-IDENTIFIER ::=
|
|
||||||
{SYNTAX OCTET STRING IDENTIFIED BY 5}
|
|
||||||
issuerNameHash KEY-IDENTIFIER ::=
|
|
||||||
{SYNTAX OCTET STRING IDENTIFIED BY 6}
|
|
||||||
-- SHA-1 hash of DER-encoded issuer name
|
|
||||||
subjectNameHash KEY-IDENTIFIER ::=
|
|
||||||
{SYNTAX OCTET STRING IDENTIFIED BY 7}
|
|
||||||
-- SHA-1 hash of DER-encoded subject name
|
|
||||||
|
|
||||||
ReferencedValue {Type} ::= CHOICE {
|
|
||||||
path Path,
|
|
||||||
url URL
|
|
||||||
} (CONSTRAINED BY {-- 'path' or 'url' shall point to an object of
|
|
||||||
-- type -- Type})
|
|
||||||
|
|
||||||
URL ::= CHOICE {
|
|
||||||
url PrintableString,
|
|
||||||
urlWithDigest [3] SEQUENCE {
|
|
||||||
url IA5String,
|
|
||||||
digest DigestInfoWithDefault
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
alg-id-sha1 AlgorithmIdentifier {{DigestAlgorithms}} ::= {
|
|
||||||
algorithm sha-1,
|
|
||||||
parameters SHA1Parameters : NULL}
|
|
||||||
|
|
||||||
SHA1Parameters ::= NULL
|
|
||||||
|
|
||||||
DigestInfoWithDefault ::= SEQUENCE {
|
|
||||||
digestAlg AlgorithmIdentifier {{DigestAlgorithms}} DEFAULT alg-id-sha1,
|
|
||||||
digest OCTET STRING (SIZE(8..128))
|
|
||||||
}
|
|
||||||
|
|
||||||
Path ::= SEQUENCE {
|
|
||||||
path OCTET STRING,
|
|
||||||
index INTEGER (0..pkcs15-ub-index) OPTIONAL,
|
|
||||||
length [0] INTEGER (0..pkcs15-ub-index) OPTIONAL
|
|
||||||
}( WITH COMPONENTS {..., index PRESENT, length PRESENT}|
|
|
||||||
WITH COMPONENTS {..., index ABSENT, length ABSENT})
|
|
||||||
|
|
||||||
ObjectValue { Type } ::= CHOICE {
|
|
||||||
indirect ReferencedValue {Type},
|
|
||||||
direct [0] Type,
|
|
||||||
indirect-protected [1] ReferencedValue {EnvelopedData {Type}},
|
|
||||||
direct-protected [2] EnvelopedData {Type}
|
|
||||||
}(CONSTRAINED BY {-- if indirection is being used, then it is
|
|
||||||
-- expected that the reference points either to a (possibly
|
|
||||||
-- enveloped) object of type -- Type -- or (key case) to a card-
|
|
||||||
-- specific key file --})
|
|
||||||
|
|
||||||
PathOrObjects {ObjectType} ::= CHOICE {
|
|
||||||
path Path,
|
|
||||||
objects [0] SEQUENCE OF ObjectType,
|
|
||||||
...,
|
|
||||||
indirect-protected [1] ReferencedValue {EnvelopedData {SEQUENCE OF ObjectType}},
|
|
||||||
direct-protected [2] EnvelopedData {SEQUENCE OF ObjectType}
|
|
||||||
}
|
|
||||||
|
|
||||||
CommonObjectAttributes ::= SEQUENCE {
|
|
||||||
label Label OPTIONAL,
|
|
||||||
flags CommonObjectFlags OPTIONAL,
|
|
||||||
authId Identifier OPTIONAL,
|
|
||||||
...,
|
|
||||||
userConsent INTEGER (1..pkcs15-ub-userConsent) OPTIONAL,
|
|
||||||
accessControlRules SEQUENCE SIZE (1..MAX) OF AccessControlRule OPTIONAL
|
|
||||||
} (CONSTRAINED BY {-- authId should be present in the IC card case if
|
|
||||||
-- flags.private is set. It must equal an authID in one AuthRecord
|
|
||||||
-- in the AODF -- })
|
|
||||||
|
|
||||||
CommonObjectFlags ::= BIT STRING {
|
|
||||||
private (0),
|
|
||||||
modifiable (1)
|
|
||||||
}
|
|
||||||
|
|
||||||
AccessControlRule ::= SEQUENCE {
|
|
||||||
accessMode AccessMode,
|
|
||||||
securityCondition SecurityCondition,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
AccessMode ::= BIT STRING {
|
|
||||||
read (0),
|
|
||||||
update (1),
|
|
||||||
execute (2)
|
|
||||||
}
|
|
||||||
|
|
||||||
SecurityCondition ::= CHOICE {
|
|
||||||
authId Identifier,
|
|
||||||
not [0] SecurityCondition,
|
|
||||||
and [1] SEQUENCE SIZE (2..pkcs15-ub-securityConditions)
|
|
||||||
OF SecurityCondition,
|
|
||||||
or [2] SEQUENCE SIZE (2..pkcs15-ub-securityConditions)
|
|
||||||
OF SecurityCondition,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
CommonKeyAttributes ::= SEQUENCE {
|
|
||||||
iD Identifier,
|
|
||||||
usage KeyUsageFlags,
|
|
||||||
native BOOLEAN DEFAULT TRUE,
|
|
||||||
accessFlags KeyAccessFlags OPTIONAL,
|
|
||||||
keyReference Reference OPTIONAL,
|
|
||||||
startDate GeneralizedTime OPTIONAL,
|
|
||||||
endDate [0] GeneralizedTime OPTIONAL,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
KeyUsageFlags ::= BIT STRING {
|
|
||||||
encrypt (0),
|
|
||||||
decrypt (1),
|
|
||||||
sign (2),
|
|
||||||
signRecover (3),
|
|
||||||
wrap (4),
|
|
||||||
unwrap (5),
|
|
||||||
verify (6),
|
|
||||||
verifyRecover (7),
|
|
||||||
derive (8),
|
|
||||||
nonRepudiation (9)
|
|
||||||
}
|
|
||||||
|
|
||||||
KeyAccessFlags ::= BIT STRING {
|
|
||||||
sensitive (0),
|
|
||||||
extractable (1),
|
|
||||||
alwaysSensitive (2),
|
|
||||||
neverExtractable (3),
|
|
||||||
local (4)
|
|
||||||
}
|
|
||||||
|
|
||||||
CommonPrivateKeyAttributes ::= SEQUENCE {
|
|
||||||
subjectName Name OPTIONAL,
|
|
||||||
keyIdentifiers [0] SEQUENCE OF CredentialIdentifier
|
|
||||||
{{KeyIdentifiers}} OPTIONAL,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
CommonPublicKeyAttributes ::= SEQUENCE {
|
|
||||||
subjectName Name OPTIONAL,
|
|
||||||
...,
|
|
||||||
trustedUsage [0] Usage OPTIONAL
|
|
||||||
}
|
|
||||||
|
|
||||||
CommonSecretKeyAttributes ::= SEQUENCE {
|
|
||||||
keyLen INTEGER OPTIONAL, -- keylength (in bits)
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
KeyInfo {ParameterType, OperationsType} ::= CHOICE {
|
|
||||||
reference Reference,
|
|
||||||
paramsAndOps SEQUENCE {
|
|
||||||
parameters ParameterType,
|
|
||||||
supportedOperations OperationsType OPTIONAL
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
CommonCertificateAttributes ::= SEQUENCE {
|
|
||||||
iD Identifier,
|
|
||||||
authority BOOLEAN DEFAULT FALSE,
|
|
||||||
identifier CredentialIdentifier {{KeyIdentifiers}} OPTIONAL,
|
|
||||||
certHash [0] OOBCertHash OPTIONAL,
|
|
||||||
...,
|
|
||||||
trustedUsage [1] Usage OPTIONAL,
|
|
||||||
identifiers [2] SEQUENCE OF CredentialIdentifier{{KeyIdentifiers}} OPTIONAL,
|
|
||||||
implicitTrust [3] BOOLEAN DEFAULT FALSE
|
|
||||||
}
|
|
||||||
|
|
||||||
Usage ::= SEQUENCE {
|
|
||||||
keyUsage KeyUsage OPTIONAL,
|
|
||||||
extKeyUsage SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER OPTIONAL
|
|
||||||
}(WITH COMPONENTS {..., keyUsage PRESENT} |
|
|
||||||
WITH COMPONENTS {..., extKeyUsage PRESENT})
|
|
||||||
|
|
||||||
CommonDataObjectAttributes ::= SEQUENCE {
|
|
||||||
applicationName Label OPTIONAL,
|
|
||||||
applicationOID OBJECT IDENTIFIER OPTIONAL,
|
|
||||||
... -- For future extensions
|
|
||||||
} (WITH COMPONENTS {..., applicationName PRESENT}|
|
|
||||||
WITH COMPONENTS {..., applicationOID PRESENT})
|
|
||||||
|
|
||||||
CommonAuthenticationObjectAttributes ::= SEQUENCE {
|
|
||||||
authId Identifier,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
PKCS15Object {ClassAttributes, SubClassAttributes, TypeAttributes}
|
|
||||||
::= SEQUENCE {
|
|
||||||
commonObjectAttributes CommonObjectAttributes,
|
|
||||||
classAttributes ClassAttributes,
|
|
||||||
subClassAttributes [0] SubClassAttributes OPTIONAL,
|
|
||||||
typeAttributes [1] TypeAttributes
|
|
||||||
}
|
|
||||||
|
|
||||||
PKCS15Objects ::= CHOICE {
|
|
||||||
privateKeys [0] PrivateKeys,
|
|
||||||
publicKeys [1] PublicKeys,
|
|
||||||
trustedPublicKeys [2] PublicKeys,
|
|
||||||
secretKeys [3] SecretKeys,
|
|
||||||
certificates [4] Certificates,
|
|
||||||
trustedCertificates [5] Certificates,
|
|
||||||
usefulCertificates [6] Certificates,
|
|
||||||
dataObjects [7] DataObjects,
|
|
||||||
authObjects [8] AuthObjects,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
PrivateKeys ::= PathOrObjects {PrivateKeyType}
|
|
||||||
|
|
||||||
SecretKeys ::= PathOrObjects {SecretKeyType}
|
|
||||||
|
|
||||||
PublicKeys ::= PathOrObjects {PublicKeyType}
|
|
||||||
|
|
||||||
Certificates ::= PathOrObjects {CertificateType}
|
|
||||||
|
|
||||||
DataObjects ::= PathOrObjects {DataType}
|
|
||||||
|
|
||||||
AuthObjects ::= PathOrObjects {AuthenticationType}
|
|
||||||
|
|
||||||
PrivateKeyType ::= CHOICE {
|
|
||||||
privateRSAKey PrivateKeyObject {PrivateRSAKeyAttributes},
|
|
||||||
privateECKey [0] PrivateKeyObject {PrivateECKeyAttributes},
|
|
||||||
privateDHKey [1] PrivateKeyObject {PrivateDHKeyAttributes},
|
|
||||||
privateDSAKey [2] PrivateKeyObject {PrivateDSAKeyAttributes},
|
|
||||||
privateKEAKey [3] PrivateKeyObject {PrivateKEAKeyAttributes},
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
PrivateKeyObject {KeyAttributes} ::= PKCS15Object {
|
|
||||||
CommonKeyAttributes, CommonPrivateKeyAttributes, KeyAttributes}
|
|
||||||
|
|
||||||
PrivateRSAKeyAttributes ::= SEQUENCE {
|
|
||||||
value ObjectValue {RSAPrivateKeyObject},
|
|
||||||
modulusLength INTEGER, -- modulus length in bits, e.g. 1024
|
|
||||||
keyInfo KeyInfo {NULL, PublicKeyOperations} OPTIONAL,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
RSAPrivateKeyObject ::= SEQUENCE {
|
|
||||||
modulus [0] INTEGER OPTIONAL, -- n
|
|
||||||
publicExponent [1] INTEGER OPTIONAL, -- e
|
|
||||||
privateExponent [2] INTEGER OPTIONAL, -- d
|
|
||||||
prime1 [3] INTEGER OPTIONAL, -- p
|
|
||||||
prime2 [4] INTEGER OPTIONAL, -- q
|
|
||||||
exponent1 [5] INTEGER OPTIONAL, -- d mod (p-1)
|
|
||||||
exponent2 [6] INTEGER OPTIONAL, -- d mod (q-1)
|
|
||||||
coefficient [7] INTEGER OPTIONAL -- inv(q) mod p
|
|
||||||
} (CONSTRAINED BY {-- must be possible to reconstruct modulus and
|
|
||||||
-- privateExponent from selected fields --})
|
|
||||||
|
|
||||||
PrivateECKeyAttributes ::= SEQUENCE {
|
|
||||||
value ObjectValue {ECPrivateKey},
|
|
||||||
keyInfo KeyInfo {Parameters, PublicKeyOperations} OPTIONAL,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
ECPrivateKey ::= INTEGER
|
|
||||||
|
|
||||||
PrivateDHKeyAttributes ::= SEQUENCE {
|
|
||||||
value ObjectValue {DHPrivateKey},
|
|
||||||
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
DHPrivateKey ::= INTEGER -- Diffie-Hellman exponent
|
|
||||||
|
|
||||||
PrivateDSAKeyAttributes ::= SEQUENCE {
|
|
||||||
value ObjectValue {DSAPrivateKey},
|
|
||||||
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
DSAPrivateKey ::= INTEGER
|
|
||||||
|
|
||||||
PrivateKEAKeyAttributes ::= SEQUENCE {
|
|
||||||
value ObjectValue {KEAPrivateKey},
|
|
||||||
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
KEAPrivateKey ::= INTEGER
|
|
||||||
|
|
||||||
PublicKeyType ::= CHOICE {
|
|
||||||
publicRSAKey PublicKeyObject {PublicRSAKeyAttributes},
|
|
||||||
publicECKey [0] PublicKeyObject {PublicECKeyAttributes},
|
|
||||||
publicDHKey [1] PublicKeyObject {PublicDHKeyAttributes},
|
|
||||||
publicDSAKey [2] PublicKeyObject {PublicDSAKeyAttributes},
|
|
||||||
publicKEAKey [3] PublicKeyObject {PublicKEAKeyAttributes},
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
PublicKeyObject {KeyAttributes} ::= PKCS15Object {
|
|
||||||
CommonKeyAttributes, CommonPublicKeyAttributes, KeyAttributes}
|
|
||||||
|
|
||||||
PublicRSAKeyAttributes ::= SEQUENCE {
|
|
||||||
value ObjectValue {RSAPublicKeyChoice},
|
|
||||||
modulusLength INTEGER, -- modulus length in bits, e.g. 1024
|
|
||||||
keyInfo KeyInfo {NULL, PublicKeyOperations} OPTIONAL,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
RSAPublicKeyChoice ::= CHOICE {
|
|
||||||
raw RSAPublicKey,
|
|
||||||
spki [1] SubjectPublicKeyInfo, -- See X.509. Must contain a
|
|
||||||
-- public RSA key
|
|
||||||
...
|
|
||||||
}
|
|
||||||
|
|
||||||
PublicECKeyAttributes ::= SEQUENCE {
|
|
||||||
value ObjectValue {ECPublicKeyChoice},
|
|
||||||
keyInfo KeyInfo {Parameters, PublicKeyOperations} OPTIONAL,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
ECPublicKeyChoice ::= CHOICE {
|
|
||||||
raw ECPoint,
|
|
||||||
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public EC key
|
|
||||||
...
|
|
||||||
}
|
|
||||||
|
|
||||||
PublicDHKeyAttributes ::= SEQUENCE {
|
|
||||||
value ObjectValue {DHPublicKeyChoice},
|
|
||||||
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
DHPublicKeyChoice ::= CHOICE {
|
|
||||||
raw DiffieHellmanPublicNumber,
|
|
||||||
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public D-H key
|
|
||||||
...
|
|
||||||
}
|
|
||||||
|
|
||||||
PublicDSAKeyAttributes ::= SEQUENCE {
|
|
||||||
value ObjectValue {DSAPublicKeyChoice},
|
|
||||||
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
DSAPublicKeyChoice ::= CHOICE {
|
|
||||||
raw INTEGER,
|
|
||||||
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public DSA key.
|
|
||||||
...
|
|
||||||
}
|
|
||||||
|
|
||||||
PublicKEAKeyAttributes ::= SEQUENCE {
|
|
||||||
value ObjectValue {KEAPublicKeyChoice},
|
|
||||||
keyInfo KeyInfo {DomainParameters, PublicKeyOperations} OPTIONAL,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
KEAPublicKeyChoice ::= CHOICE {
|
|
||||||
raw INTEGER,
|
|
||||||
spki SubjectPublicKeyInfo, -- See X.509. Must contain a public KEA key
|
|
||||||
...
|
|
||||||
}
|
|
||||||
|
|
||||||
SecretKeyType ::= CHOICE {
|
|
||||||
genericSecretKey SecretKeyObject {GenericSecretKeyAttributes},
|
|
||||||
rc2key [0] SecretKeyObject {GenericSecretKeyAttributes},
|
|
||||||
rc4key [1] SecretKeyObject {GenericSecretKeyAttributes},
|
|
||||||
desKey [2] SecretKeyObject {GenericSecretKeyAttributes},
|
|
||||||
des2Key [3] SecretKeyObject {GenericSecretKeyAttributes},
|
|
||||||
des3Key [4] SecretKeyObject {GenericSecretKeyAttributes},
|
|
||||||
castKey [5] SecretKeyObject {GenericSecretKeyAttributes},
|
|
||||||
cast3Key [6] SecretKeyObject {GenericSecretKeyAttributes},
|
|
||||||
cast128Key [7] SecretKeyObject {GenericSecretKeyAttributes},
|
|
||||||
rc5Key [8] SecretKeyObject {GenericSecretKeyAttributes},
|
|
||||||
ideaKey [9] SecretKeyObject {GenericSecretKeyAttributes},
|
|
||||||
skipjackKey [10] SecretKeyObject {GenericSecretKeyAttributes},
|
|
||||||
batonKey [11] SecretKeyObject {GenericSecretKeyAttributes},
|
|
||||||
juniperKey [12] SecretKeyObject {GenericSecretKeyAttributes},
|
|
||||||
rc6Key [13] SecretKeyObject {GenericSecretKeyAttributes},
|
|
||||||
otherKey [14] OtherKey,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
SecretKeyObject {KeyAttributes} ::= PKCS15Object {
|
|
||||||
CommonKeyAttributes, CommonSecretKeyAttributes, KeyAttributes}
|
|
||||||
|
|
||||||
OtherKey ::= SEQUENCE {
|
|
||||||
keyType OBJECT IDENTIFIER,
|
|
||||||
keyAttr SecretKeyObject {GenericSecretKeyAttributes}
|
|
||||||
}
|
|
||||||
|
|
||||||
GenericSecretKeyAttributes ::= SEQUENCE {
|
|
||||||
value ObjectValue { OCTET STRING },
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
CertificateType ::= CHOICE {
|
|
||||||
x509Certificate CertificateObject { X509CertificateAttributes},
|
|
||||||
x509AttributeCertificate [0] CertificateObject
|
|
||||||
{X509AttributeCertificateAttributes},
|
|
||||||
spkiCertificate [1] CertificateObject {SPKICertificateAttributes},
|
|
||||||
pgpCertificate [2] CertificateObject {PGPCertificateAttributes},
|
|
||||||
wtlsCertificate [3] CertificateObject {WTLSCertificateAttributes},
|
|
||||||
x9-68Certificate [4] CertificateObject {X9-68CertificateAttributes},
|
|
||||||
...,
|
|
||||||
cvCertificate [5] CertificateObject {CVCertificateAttributes}
|
|
||||||
}
|
|
||||||
|
|
||||||
CertificateObject {CertAttributes} ::= PKCS15Object {
|
|
||||||
CommonCertificateAttributes, NULL, CertAttributes}
|
|
||||||
|
|
||||||
X509CertificateAttributes ::= SEQUENCE {
|
|
||||||
value ObjectValue { Certificate },
|
|
||||||
subject Name OPTIONAL,
|
|
||||||
issuer [0] Name OPTIONAL,
|
|
||||||
serialNumber CertificateSerialNumber OPTIONAL,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
X509AttributeCertificateAttributes ::= SEQUENCE {
|
|
||||||
value ObjectValue { AttributeCertificate },
|
|
||||||
issuer GeneralNames OPTIONAL,
|
|
||||||
serialNumber CertificateSerialNumber OPTIONAL,
|
|
||||||
attrTypes [0] SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
SPKICertificateAttributes ::= SEQUENCE {
|
|
||||||
value ObjectValue { PKCS15-OPAQUE.&Type },
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
PGPCertificateAttributes ::= SEQUENCE {
|
|
||||||
value ObjectValue { PKCS15-OPAQUE.&Type },
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
WTLSCertificateAttributes ::= SEQUENCE {
|
|
||||||
value ObjectValue { PKCS15-OPAQUE.&Type },
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
X9-68CertificateAttributes ::= SEQUENCE {
|
|
||||||
value ObjectValue { PKCS15-OPAQUE.&Type },
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
CVCertificateAttributes ::= SEQUENCE {
|
|
||||||
value ObjectValue { PKCS15-OPAQUE.&Type},
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
DataType ::= CHOICE {
|
|
||||||
opaqueDO DataObject {Opaque},
|
|
||||||
externalIDO [0] DataObject {ExternalIDO},
|
|
||||||
oidDO [1] DataObject {OidDO},
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
DataObject {DataObjectAttributes} ::= PKCS15Object {
|
|
||||||
CommonDataObjectAttributes, NULL, DataObjectAttributes}
|
|
||||||
|
|
||||||
Opaque ::= ObjectValue {PKCS15-OPAQUE.&Type}
|
|
||||||
|
|
||||||
ExternalIDO ::= ObjectValue {PKCS15-OPAQUE.&Type}
|
|
||||||
(CONSTRAINED BY {-- All data objects must be defined in
|
|
||||||
-- accordance with ISO/IEC 7816-6 --})
|
|
||||||
|
|
||||||
OidDO ::= SEQUENCE {
|
|
||||||
id OBJECT IDENTIFIER,
|
|
||||||
value ObjectValue {PKCS15-OPAQUE.&Type}
|
|
||||||
}
|
|
||||||
|
|
||||||
AuthenticationType ::= CHOICE {
|
|
||||||
pin AuthenticationObject { PinAttributes },
|
|
||||||
...,
|
|
||||||
biometricTemplate [0] AuthenticationObject {BiometricAttributes},
|
|
||||||
authKey [1] AuthenticationObject {AuthKeyAttributes},
|
|
||||||
external [2] AuthenticationObject {ExternalAuthObjectAttributes}
|
|
||||||
}
|
|
||||||
|
|
||||||
AuthenticationObject {AuthObjectAttributes} ::= PKCS15Object {
|
|
||||||
CommonAuthenticationObjectAttributes, NULL, AuthObjectAttributes}
|
|
||||||
|
|
||||||
PinAttributes ::= SEQUENCE {
|
|
||||||
pinFlags PinFlags,
|
|
||||||
pinType PinType,
|
|
||||||
minLength INTEGER (pkcs15-lb-minPinLength..pkcs15-ub-minPinLength),
|
|
||||||
storedLength INTEGER (0..pkcs15-ub-storedPinLength),
|
|
||||||
maxLength INTEGER OPTIONAL,
|
|
||||||
pinReference [0] Reference DEFAULT 0,
|
|
||||||
padChar OCTET STRING (SIZE(1)) OPTIONAL,
|
|
||||||
lastPinChange GeneralizedTime OPTIONAL,
|
|
||||||
path Path OPTIONAL,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
PinFlags ::= BIT STRING {
|
|
||||||
case-sensitive (0),
|
|
||||||
local (1),
|
|
||||||
change-disabled (2),
|
|
||||||
unblock-disabled (3),
|
|
||||||
initialized (4),
|
|
||||||
needs-padding (5),
|
|
||||||
unblockingPin (6),
|
|
||||||
soPin (7),
|
|
||||||
disable-allowed (8),
|
|
||||||
integrity-protected (9),
|
|
||||||
confidentiality-protected (10),
|
|
||||||
exchangeRefData (11)
|
|
||||||
} (CONSTRAINED BY { -- 'unblockingPin' and 'soPIN' cannot both be set -- })
|
|
||||||
|
|
||||||
PinType ::= ENUMERATED {bcd, ascii-numeric, utf8, ...,
|
|
||||||
half-nibble-bcd, iso9564-1}
|
|
||||||
|
|
||||||
BiometricAttributes ::= SEQUENCE {
|
|
||||||
bioFlags BiometricFlags,
|
|
||||||
templateId OBJECT IDENTIFIER,
|
|
||||||
bioType BiometricType,
|
|
||||||
bioReference Reference DEFAULT 0,
|
|
||||||
lastChange GeneralizedTime OPTIONAL,
|
|
||||||
path Path OPTIONAL,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
BiometricFlags ::= BIT STRING {
|
|
||||||
local (1),
|
|
||||||
change-disabled (2),
|
|
||||||
unblock-disabled (3),
|
|
||||||
initialized (4),
|
|
||||||
disable-allowed (8),
|
|
||||||
integrity-protected (9),
|
|
||||||
confidentiality-protected (10)
|
|
||||||
} -- Note: bits 0, 5, 6, and 7 are reserved for future use
|
|
||||||
|
|
||||||
BiometricType ::= CHOICE {
|
|
||||||
fingerPrint FingerPrint,
|
|
||||||
irisScan [0] IrisScan,
|
|
||||||
-- Possible extensions:
|
|
||||||
-- voiceScan VoiceScan,
|
|
||||||
-- faceScan FaceScan,
|
|
||||||
-- retinaScan Retinascan,
|
|
||||||
-- handGeometry HandGeometry,
|
|
||||||
-- writeDynamics WriteDynamics,
|
|
||||||
-- keyStrokeDynamicsKeyStrokeDynamics,
|
|
||||||
-- lipDynamics LipDynamics,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
FingerPrint ::= SEQUENCE {
|
|
||||||
hand ENUMERATED {left, right},
|
|
||||||
finger ENUMERATED {thumb, pointerFinger, middleFinger,
|
|
||||||
ringFinger, littleFinger},
|
|
||||||
...
|
|
||||||
}
|
|
||||||
|
|
||||||
IrisScan ::= SEQUENCE {
|
|
||||||
eye ENUMERATED {left, right},
|
|
||||||
...
|
|
||||||
}
|
|
||||||
|
|
||||||
ExternalAuthObjectAttributes ::= CHOICE {
|
|
||||||
authKeyAttributes AuthKeyAttributes,
|
|
||||||
certBasedAttributes [0] CertBasedAuthenticationAttributes,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
AuthKeyAttributes ::= SEQUENCE {
|
|
||||||
derivedKey BOOLEAN DEFAULT TRUE,
|
|
||||||
authKeyId Identifier,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
CertBasedAuthenticationAttributes ::= SEQUENCE {
|
|
||||||
cha OCTET STRING,
|
|
||||||
...
|
|
||||||
}
|
|
||||||
|
|
||||||
TokenInfo ::= SEQUENCE {
|
|
||||||
version INTEGER {v1(0)} (v1,...),
|
|
||||||
serialNumber OCTET STRING,
|
|
||||||
manufacturerID Label OPTIONAL,
|
|
||||||
label [0] Label OPTIONAL,
|
|
||||||
tokenflags TokenFlags,
|
|
||||||
seInfo SEQUENCE OF SecurityEnvironmentInfo OPTIONAL,
|
|
||||||
recordInfo [1] RecordInfo OPTIONAL,
|
|
||||||
supportedAlgorithms [2] SEQUENCE OF AlgorithmInfo OPTIONAL,
|
|
||||||
...,
|
|
||||||
issuerId [3] Label OPTIONAL,
|
|
||||||
holderId [4] Label OPTIONAL,
|
|
||||||
lastUpdate [5] LastUpdate OPTIONAL,
|
|
||||||
preferredLanguage PrintableString OPTIONAL -- In accordance with
|
|
||||||
-- IETF RFC 1766
|
|
||||||
} (CONSTRAINED BY { -- Each AlgorithmInfo.reference value must be unique --})
|
|
||||||
|
|
||||||
TokenFlags ::= BIT STRING {
|
|
||||||
readonly (0),
|
|
||||||
loginRequired (1),
|
|
||||||
prnGeneration (2),
|
|
||||||
eidCompliant (3)
|
|
||||||
}
|
|
||||||
|
|
||||||
SecurityEnvironmentInfo ::= SEQUENCE {
|
|
||||||
se INTEGER (0..pkcs15-ub-seInfo),
|
|
||||||
owner OBJECT IDENTIFIER,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
RecordInfo ::= SEQUENCE {
|
|
||||||
oDFRecordLength [0] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
|
||||||
prKDFRecordLength [1] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
|
||||||
puKDFRecordLength [2] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
|
||||||
sKDFRecordLength [3] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
|
||||||
cDFRecordLength [4] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
|
||||||
dODFRecordLength [5] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL,
|
|
||||||
aODFRecordLength [6] INTEGER (0..pkcs15-ub-recordLength) OPTIONAL
|
|
||||||
}
|
|
||||||
|
|
||||||
AlgorithmInfo ::= SEQUENCE {
|
|
||||||
reference Reference,
|
|
||||||
algorithm PKCS15-ALGORITHM.&id({AlgorithmSet}),
|
|
||||||
parameters PKCS15-ALGORITHM.&Parameters({AlgorithmSet}{@algorithm}),
|
|
||||||
supportedOperations
|
|
||||||
PKCS15-ALGORITHM.&Operations({AlgorithmSet}{@algorithm}),
|
|
||||||
algId PKCS15-ALGORITHM.&objectIdentifier({AlgorithmSet}{@algorithm})
|
|
||||||
OPTIONAL,
|
|
||||||
algRef Reference OPTIONAL
|
|
||||||
}
|
|
||||||
|
|
||||||
PKCS15-ALGORITHM ::= CLASS {
|
|
||||||
&id INTEGER UNIQUE,
|
|
||||||
&Parameters,
|
|
||||||
&Operations Operations,
|
|
||||||
&objectIdentifier OBJECT IDENTIFIER OPTIONAL
|
|
||||||
} WITH SYNTAX {
|
|
||||||
PARAMETERS &Parameters OPERATIONS &Operations ID &id [OID &objectIdentifier]}
|
|
||||||
|
|
||||||
PKCS15-OPAQUE ::= TYPE-IDENTIFIER
|
|
||||||
|
|
||||||
PublicKeyOperations ::= Operations
|
|
||||||
|
|
||||||
Operations ::= BIT STRING {
|
|
||||||
compute-checksum (0), -- H/W computation of checksum
|
|
||||||
compute-signature (1), -- H/W computation of signature
|
|
||||||
verify-checksum (2), -- H/W verification of checksum
|
|
||||||
verify-signature (3), -- H/W verification of signature
|
|
||||||
encipher (4), -- H/W encryption of data
|
|
||||||
decipher (5), -- H/W decryption of data
|
|
||||||
hash (6), -- H/W hashing
|
|
||||||
generate-key (7) -- H/W key generation
|
|
||||||
}
|
|
||||||
|
|
||||||
pkcs15-alg-null PKCS15-ALGORITHM ::= {
|
|
||||||
PARAMETERS NULL OPERATIONS {{generate-key}} ID -1}
|
|
||||||
|
|
||||||
AlgorithmSet PKCS15-ALGORITHM ::= {
|
|
||||||
pkcs15-alg-null,
|
|
||||||
... -- See PKCS #11 for values for the &id field (and parameters)
|
|
||||||
}
|
|
||||||
|
|
||||||
LastUpdate ::= CHOICE {
|
|
||||||
generalizedTime GeneralizedTime,
|
|
||||||
referencedTime ReferencedValue {GeneralizedTime},
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Soft token related types and objects
|
|
||||||
|
|
||||||
EnvelopedData {Type} ::= SEQUENCE {
|
|
||||||
version INTEGER{v0(0),v1(1),v2(2),v3(3),v4(4)}(v0|v1|v2,...),
|
|
||||||
originatorInfo [0] OriginatorInfo OPTIONAL,
|
|
||||||
recipientInfos RecipientInfos,
|
|
||||||
encryptedContentInfo EncryptedContentInfo{Type},
|
|
||||||
unprotectedAttrs [1] SET SIZE (1..MAX) OF Attribute OPTIONAL
|
|
||||||
}
|
|
||||||
|
|
||||||
EncryptedContentInfo {Type} ::= SEQUENCE {
|
|
||||||
contentType OBJECT IDENTIFIER,
|
|
||||||
contentEncryptionAlgorithm AlgorithmIdentifier {{KeyDerivationAlgorithms}},
|
|
||||||
encryptedContent [0] OCTET STRING OPTIONAL
|
|
||||||
}(CONSTRAINED BY {-- 'encryptedContent' shall be the result of
|
|
||||||
-- encrypting DER-encoded value of type -- Type})
|
|
||||||
|
|
||||||
PKCS15Token ::= SEQUENCE {
|
|
||||||
version INTEGER {v1(0)} (v1,...),
|
|
||||||
keyManagementInfo [0] KeyManagementInfo OPTIONAL,
|
|
||||||
pkcs15Objects SEQUENCE OF PKCS15Objects
|
|
||||||
}
|
|
||||||
|
|
||||||
KeyManagementInfo ::= SEQUENCE OF SEQUENCE {
|
|
||||||
keyId Identifier,
|
|
||||||
keyInfo CHOICE {
|
|
||||||
recipientInfo RecipientInfo,
|
|
||||||
passwordInfo [0] PasswordInfo
|
|
||||||
}
|
|
||||||
} (CONSTRAINED BY {-- Each keyID must be unique --})
|
|
||||||
|
|
||||||
PasswordInfo ::= SEQUENCE {
|
|
||||||
hint Label OPTIONAL,
|
|
||||||
algId AlgorithmIdentifier {{KeyDerivationAlgorithms}},
|
|
||||||
...
|
|
||||||
} (CONSTRAINED BY {--keyID shall point to a KEKRecipientInfo--})
|
|
||||||
|
|
||||||
KeyDerivationAlgorithms ALGORITHM-IDENTIFIER ::= {
|
|
||||||
PBKDF2Algorithms,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
CMS3DESwrap ::= NULL
|
|
||||||
|
|
||||||
KeyEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
|
|
||||||
{CMS3DESwrap IDENTIFIED BY id-alg-CMS3DESwrap} |
|
|
||||||
{INTEGER IDENTIFIED BY id-alg-CMSRC2wrap},
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
DES-IV ::= OCTET STRING (SIZE(8))
|
|
||||||
|
|
||||||
ContentEncryptionAlgorithms ALGORITHM-IDENTIFIER ::= {
|
|
||||||
SupportingAlgorithms EXCEPT {NULL IDENTIFIED BY id-hmacWithSHA1},
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
MACAlgorithms ALGORITHM-IDENTIFIER ::= {
|
|
||||||
{NULL IDENTIFIED BY hMAC-SHA1},
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
DigestAlgorithms ALGORITHM-IDENTIFIER ::= {
|
|
||||||
{NULL IDENTIFIED BY sha-1},
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Misc
|
|
||||||
|
|
||||||
DDO ::= SEQUENCE {
|
|
||||||
oid OBJECT IDENTIFIER,
|
|
||||||
odfPath Path OPTIONAL,
|
|
||||||
tokenInfoPath [0] Path OPTIONAL,
|
|
||||||
unusedPath [1] Path OPTIONAL,
|
|
||||||
... -- For future extensions
|
|
||||||
}
|
|
||||||
|
|
||||||
DIRRecord ::= [APPLICATION 1] SEQUENCE {
|
|
||||||
aid [APPLICATION 15] OCTET STRING,
|
|
||||||
label [APPLICATION 16] UTF8String OPTIONAL,
|
|
||||||
path [APPLICATION 17] OCTET STRING,
|
|
||||||
ddo [APPLICATION 19] DDO OPTIONAL
|
|
||||||
}
|
|
||||||
|
|
||||||
UnusedSpace ::= SEQUENCE {
|
|
||||||
path Path (WITH COMPONENTS {..., index PRESENT, length PRESENT}),
|
|
||||||
authId Identifier OPTIONAL,
|
|
||||||
...,
|
|
||||||
accessControlRules SEQUENCE OF AccessControlRule OPTIONAL
|
|
||||||
}
|
|
||||||
|
|
||||||
END
|
|
Loading…
Reference in New Issue