pkcs15(7)

DESCRIPTION

The PKCS #15 standard is available from
http://www.rsasecurity.com/rsalabs/pkcs. This document does
not try to cover PKCS #15 in detail; it just tries to give
readers not familiar with the standard a brief overview.

PKCS #15 defines a standard for how to store keys,
certificates and possibly other data on a smart card, and
how to describe certain meta information (such as what PIN
the user needs to present before he's allowed to use a
certain private key).

A PKCS #15 compliant smart card can contain one or more
applications. There is one ``meta directory'' that
contains a list of all applications. On cards that support
an ISO 7816 compatible file system, each application
usually resides in a directory of its own.

Within each application directory, PKCS #15 defines a
structure of meta files (also called Directory Files) that
contain information on objects stored on the card. For
instance, there is a private key directory file (or PrKDF
for short) that contains a list of private keys stored on
the card. Likewise, there's a public key directory file
(PuKDF) and a certificate directory file (CDF).

One fairly important PKCS #15 directory file is the AODF,
or authentication object directory file, which describes
the PINs held by the card. Note that the AODF does not
contain the PINs themselves; how those are stored is
highly card specific. What the AODF does contain, however,
is a descriptive label for each PIN, and additional
information required to authenticate against this PIN
(sorry if this is very vague, but unless you really want
to know, we'd better leave it at that, for the sake of
your and my sanity :-).

Each object stored in a PKCS #15 structure has an ID
assigned to it, so that related objects can reference one
another. For instance, if a private key is protected by a
PIN, the PrKDF entry for this key will contain an
Authentication ID field that points to the AODF entry for
this PIN.

Similarly, if the card contains a certificate
corresponding to a private key stored on this card, the
CDF entry for the certificate will have the same ID as the
PrKDF entry for the private key. The same is true of
public key objects.
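The two kinds of cross-reference described above (a PrKDF entry's Authentication ID pointing at an AODF entry, and a key and its certificate sharing one object ID) are easy to model and to check. The following is an added example and not part of this manual page or of any PKCS #15 implementation: it builds a constructed, in-memory picture of one application's PrKDF, CDF and AODF and resolves the references the way a verifier of a card's directory files would. The class names, the `authId`/`ID` field names and the sample entries are assumptions made for illustration; on a real card these directory files are DER-encoded ASN.1 structures.

```python
"""Toy model of PKCS #15 directory files and their cross-references.

Added example, not from the pkcs15(7) man page or any PKCS #15
library. All entry names and IDs below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PinEntry:
    """One AODF entry: the PIN's label, not the PIN value itself."""
    auth_id: bytes      # what PrKDF entries reference via authId
    label: str


@dataclass(frozen=True)
class PrivateKeyEntry:
    """One PrKDF entry."""
    obj_id: bytes               # shared with the matching CDF/PuKDF entry
    label: str
    auth_id: Optional[bytes]    # None: key usable without a PIN


@dataclass(frozen=True)
class CertEntry:
    """One CDF entry."""
    obj_id: bytes
    label: str


@dataclass
class Pkcs15Application:
    aodf: List[PinEntry]
    prkdf: List[PrivateKeyEntry]
    cdf: List[CertEntry]

    def pin_for_key(self, key: PrivateKeyEntry) -> Optional[PinEntry]:
        """Follow the key's Authentication ID to its AODF entry."""
        if key.auth_id is None:
            return None
        for pin in self.aodf:
            if pin.auth_id == key.auth_id:
                return pin
        raise LookupError(
            f"key {key.label!r}: authId {key.auth_id.hex()} has no AODF entry")

    def cert_for_key(self, key: PrivateKeyEntry) -> Optional[CertEntry]:
        """A certificate belongs to a key when both carry the same ID."""
        for cert in self.cdf:
            if cert.obj_id == key.obj_id:
                return cert
        return None

    def check_consistency(self) -> List[str]:
        """Report dangling PIN references and keys without a certificate.

        A CDF entry without a matching key (e.g. a CA certificate) is
        legitimate and therefore not reported.
        """
        problems = []
        for key in self.prkdf:
            try:
                self.pin_for_key(key)
            except LookupError as exc:
                problems.append(str(exc))
            if self.cert_for_key(key) is None:
                problems.append(
                    f"key {key.label!r}: no CDF entry with ID {key.obj_id.hex()}")
        return problems


def build_sample_app() -> Pkcs15Application:
    """Constructed sample: two well-formed key/cert pairs and one broken key."""
    return Pkcs15Application(
        aodf=[PinEntry(b"\x01", "User PIN"),
              PinEntry(b"\x02", "Signature PIN")],
        prkdf=[PrivateKeyEntry(b"\x45", "Authentication key", b"\x01"),
               PrivateKeyEntry(b"\x46", "Signature key", b"\x02"),
               # authId 0x03 exists in no AODF entry, and no cert shares ID 0x47
               PrivateKeyEntry(b"\x47", "Decryption key", b"\x03")],
        cdf=[CertEntry(b"\x45", "Authentication certificate"),
             CertEntry(b"\x46", "Signature certificate"),
             CertEntry(b"\x99", "CA certificate")],
    )


if __name__ == "__main__":
    app = build_sample_app()
    for key in app.prkdf:
        cert = app.cert_for_key(key)
        print(f"{key.label}: cert={cert.label if cert else None}")
    for problem in app.check_consistency():
        print("PROBLEM:", problem)
```

Running the block prints the resolved certificate for each key and two problems for the constructed "Decryption key": its Authentication ID points at no AODF entry, and no CDF entry carries its ID.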

BUGS

This manual page is a little terse.

The use of the term Directory File in PKCS #15 is somewhat
unfortunate. Normally, a PKCS #15 DF is just a plain
(elementary) file, not a directory file in the sense of
ISO 7816.

AUTHORS
