On Mon, Dec 5, 2016 at 10:35 AM, Nikos Mavrogiannopoulos <nmav@xxxxxxxxxx> wrote:
> On Mon, 2016-12-05 at 10:23 -0500, Nathaniel McCallum wrote:
>
>> > Indeed, in the case where one has both ykcs11 and opensc, he would
>> > have to supply --detailed-urls to p11tool to be able to distinguish
>> > between objects. That is, because they will have identical URLs
>> > except for the library-description and library-manufacturer fields,
>> > which are not normally printed.
>> >
>> > That would be a bit more than just inconvenience because of the
>> > duplicate listings, it would be that if you don't specify the
>> > library fields on the URL, you wouldn't know which module was used
>> > for the operation.
>>
>> They don't, in fact, have different URIs. If I add a .module file for
>> ykcs11.so, I get the attached output for p11tool --list-tokens.
>
> You forgot to attach it :)

Let's try again. :)

>> > We should ping yubico on that. Is there some reason they didn't
>> > implement the key generation on opensc? Ideally we won't ship that
>> > additional module.
>>
>> I don't know. But I suspect it would require hardware change. There
>> are a lot of existing YubiKeys out there.
>
> opensc-pkcs11 is an alternative driver for the same hardware, the same
> as ykcs11. As it is now, it seems that opensc misses only the
> generation part, and I think it would be preferable to pointing yubico
> in adding that functionality in opensc, rather than shipping a separate
> driver in fedora.

I agree. However, I suspect that the two drivers are using two different
hardware interfaces. And I suspect that YubiKeys may not implement key
creation through the SC hardware interface. I may misunderstand this.
Corrections are welcome.

If key creation is only supported by a proprietary YubiKey interface,
then I'm not sure we have much choice but to support two drivers (one
for the SC interface, one for the YK interface).
We should note that we are already shipping two drivers and what we need to do now is define the relationship between them.
Token 0:
	URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
	Label: System Trust
	Type: Trust module
	Manufacturer: PKCS#11 Kit
	Model: p11-kit-trust
	Serial: 1
	Module: p11-kit-trust.so

Token 1:
	URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
	Label: Default Trust
	Type: Trust module
	Manufacturer: PKCS#11 Kit
	Model: p11-kit-trust
	Serial: 1
	Module: p11-kit-trust.so

Token 2:
	URL: pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aSSH%3aHOME;token=SSH%20Keys
	Label: SSH Keys
	Type: Generic token
	Manufacturer: Gnome Keyring
	Model: 1.0
	Serial: 1:SSH:HOME
	Module: gnome-keyring-pkcs11.so

Token 3:
	URL: pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aSECRET%3aMAIN;token=Secret%20Store
	Label: Secret Store
	Type: Generic token
	Manufacturer: Gnome Keyring
	Model: 1.0
	Serial: 1:SECRET:MAIN
	Module: gnome-keyring-pkcs11.so

Token 4:
	URL: pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aUSER%3aDEFAULT;token=Gnome2%20Key%20Storage
	Label: Gnome2 Key Storage
	Type: Generic token
	Manufacturer: Gnome Keyring
	Model: 1.0
	Serial: 1:USER:DEFAULT
	Module: gnome-keyring-pkcs11.so

Token 5:
	URL: pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aXDG%3aDEFAULT;token=User%20Key%20Storage
	Label: User Key Storage
	Type: Generic token
	Manufacturer: Gnome Keyring
	Model: 1.0
	Serial: 1:XDG:DEFAULT
	Module: gnome-keyring-pkcs11.so

Token 6:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29
	Label: PIV_II (PIV Card Holder pin)
	Type: Hardware token
	Manufacturer: piv_II
	Model: PKCS#15 emulated
	Serial: 00000000
	Module: opensc-pkcs11.so

Token 7:
	URL: pkcs11:model=YubiKey%20NEO;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
	Label: YubiKey PIV
	Type: Hardware token
	Manufacturer: Yubico
	Model: YubiKey NEO
	Serial: 1234
	Module: /usr/lib64/libykcs11.so.1

Token 8:
	URL: pkcs11:model=YubiKey%20NEO;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
	Label: YubiKey PIV
	Type: Hardware token
	Manufacturer: Yubico
	Model: YubiKey NEO
	Serial: 1234
	Module: /usr/lib64/libykcs11.so.1

Token 9:
	URL: pkcs11:model=YubiKey%20NEO;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
	Label: YubiKey PIV
	Type: Hardware token
	Manufacturer: Yubico
	Model: YubiKey NEO
	Serial: 1234
	Module: /usr/lib64/libykcs11.so.1

Token 10:
	URL: pkcs11:model=YubiKey%20NEO;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
	Label: YubiKey PIV
	Type: Hardware token
	Manufacturer: Yubico
	Model: YubiKey NEO
	Serial: 1234
	Module: /usr/lib64/libykcs11.so.1

Token 11:
	URL: pkcs11:model=YubiKey%20NEO;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
	Label: YubiKey PIV
	Type: Hardware token
	Manufacturer: Yubico
	Model: YubiKey NEO
	Serial: 1234
	Module: /usr/lib64/libykcs11.so.1

Token 12:
	URL: pkcs11:model=YubiKey%20NEO;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
	Label: YubiKey PIV
	Type: Hardware token
	Manufacturer: Yubico
	Model: YubiKey NEO
	Serial: 1234
	Module: /usr/lib64/libykcs11.so.1

Token 13:
	URL: pkcs11:model=YubiKey%20NEO;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
	Label: YubiKey PIV
	Type: Hardware token
	Manufacturer: Yubico
	Model: YubiKey NEO
	Serial: 1234
	Module: /usr/lib64/libykcs11.so.1
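Added example (not part of the thread, and not p11tool's or either driver's code): a short Python script that parses RFC 7512 pkcs11: URIs and a p11tool --list-tokens style listing, reports URIs that are printed identically, and says whether the library-description/library-manufacturer fields that --detailed-urls adds would tell them apart, or whether only an RFC 7512 slot-id could. The embedded listing is constructed from the output above; the two ykcs11 entries reproduce its repeated, identical token.

```python
from collections import defaultdict
from urllib.parse import unquote

# Constructed excerpt in the layout of the p11tool output quoted above.
LISTING = """\
Token 6:
  URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29
  Module: opensc-pkcs11.so
Token 7:
  URL: pkcs11:model=YubiKey%20NEO;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
  Module: /usr/lib64/libykcs11.so.1
Token 8:
  URL: pkcs11:model=YubiKey%20NEO;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV
  Module: /usr/lib64/libykcs11.so.1
"""

def parse_pkcs11_uri(uri):
    """Split an RFC 7512 URI into (path attrs, query attrs), percent-decoded."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def attrs(part, sep):
        out = {}
        for item in filter(None, part.split(sep)):
            key, _, val = item.partition("=")
            out[unquote(key)] = unquote(val)
        return out
    return attrs(path, ";"), attrs(query, "&")

def parse_listing(text):
    """Yield (uri, module) pairs from p11tool --list-tokens style output."""
    uri = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("URL:"):
            uri = line[4:].strip()
        elif line.startswith("Module:") and uri:
            yield uri, line[7:].strip()
            uri = None

def ambiguous_uris(tokens):
    """Map each URI listed more than once to the modules that exposed it."""
    seen = defaultdict(list)
    for uri, module in tokens:
        seen[uri].append(module)
    return {u: m for u, m in seen.items() if len(m) > 1}

def disambiguator(modules):
    """Extra RFC 7512 attribute that would tell the duplicates apart."""
    # Different modules: library-* fields (--detailed-urls) differ; same module: only slot-id.
    return "library-description" if len(set(modules)) > 1 else "slot-id"
```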
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx