Posted as Bugzilla Bug 218766 on 12/07/06If used via NSS, there is no problem. But as a PKCS library, bug still exists.
Other confusing stuff, not sure if this is CoolKey's area or DoD PKI's area...
1. PKCS11 cert labels are arbitrary: while this is not technically incorrect, it is inconsistent from one PKSC11 library to another. Is there anything _actually_ on the CAC itself that can/should be used as the label? When trying to write code that selects cert based on label, you end up needing different labels for each PKCS11 lib
2. PKCS11 key usage attributes for certificates/keys. While they seem to match the EKUs of the certs (card applets), the SIGN/DECRYPT/ etc. attributes of key objets are hard-coded in the lib.
3. "Other" Mechanism support. Is CKM_RSA_PKCS really the only supported PKCS11 mechanism for CAC?
4. Did the actual CACs recently go from a 1-byte to a 2-byte CKA_ID for cert/key objects or is the size of the CKA_ID value a library- specific thing?
These really come down to support for CAC itself. Is the CAC "middleware" (interface with CAC Java applets) used to its fullest extent? Can info about the labels, and other attributes be looked up from the actual card instead of hard-coded assignments in the CoolKey/ MUSCLE/etc library? Is there even a decent mapping between the CAC applet API and the PKCS11 interface?
I don't know what the CAC applet API looks like, if this is even possible, but looking through the CoolKey code that supports CAC (as well as the code for MUSCLE-based implementations such as MacOS PKCS11), it just seems very arbitrary. If a CAC applet API document exists, I would like to see it.
-Ken On Mar 2, 2007, at 11:53 AM, Bob Relyea wrote:
I would definitely be interested in the problems you have with applications and Coolkey. Especially since I work on both sides of this issue for NSS applications (which include firefox/thunberbird/ and Nalin's mit pkinit code.You can write bugs directly against coolkey by going here:https://bugzilla.redhat.com/bugzilla/enter_bug.cgi?product=Fedora% 20Core&version=devel&component=coolkeybob
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Coolkey-devel mailing list Coolkey-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/coolkey-devel