beidPkcs11 C_FindObjectsInit to find all objects


Pierre De Boeck

Jun 6, 2014, 11:08:07 AM
to eid-middl...@googlegroups.com
Hi all,

I have a C++ app that reads id data and certificates using the pkcs11 library. 

In total I have to read 5 certificates (auth/sign/Ca/Root/Rnn) plus about 15 CKO_DATA objects like
surname,...

Currently I call for each object
- C_FindObjectsInit with the specific filter
- C_FindObjects, C_GetAttributeValue to read the object
- C_FindObjectsFinal

That works fine but takes about 7/8 secs after the popup warning.

As an alternative, I also tried reading

- all the CKO_DATA objects in one shot ( C_FindObjectsInit  then a loop for each object then C_FindObjectsFinal)
- then all the CKO_CERTIFICATE objects in the same manner

Also works fine but not faster (even a little slower).

Then a last test was to call C_FindObjectsInit(m_vCK_SESSION_HANDLE, NULL,0) to retrieve all the objects, as specified by the
PKCS 11 API. 

What is strange is that in that case, 
- I have no warning message
- and only 8 objects are returned.

Any idea how to retrieve all the objects with just one C_FindObjectsInit call?

Frederik Vernelen

Jun 10, 2014, 3:58:17 AM
to Pierre De Boeck, eID Middleware Dev
Hello Pierre,

The reason you see no time difference between scenario 1 and 2 is that we cache the parsed results.
e.g. if you search for the surname, we retrieve the identity file from the eID card, parse it, and cache all identity data in memory.
If you search for date of birth after that, we just return the cached date of birth.

So I'm afraid the bottleneck is the eID card, and there won't be much you can do to lower these reading times.

Regarding the  C_FindObjectsInit(m_vCK_SESSION_HANDLE, NULL,0) :
We do indeed only return the certificates and key related objects then (no id, address or photo related data).
This behaviour was created for third party applications (e.g. firefox, which asks for all carddata, but only uses the certificates and key objects).
And we don't want e.g. firefox to take 6-8 seconds reading all the card data, let alone asking for read permission, just to read the certificates.
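
The per-class search loop discussed in this thread, as an added example (not code from the posters or from the eID middleware). The `C_Find*` functions here are a constructed in-memory mock that only models the behaviour described above, where a NULL template returns certificate and key objects but no `CKO_DATA`; the typedefs are stand-ins for `pkcs11.h`, and `count_objects` is a hypothetical helper name.

```c
#include <stdio.h>

/* Stand-ins for pkcs11.h so the block compiles alone (assumption: a real
   build includes the middleware's pkcs11.h and drops these and the mock). */
typedef unsigned long CK_ULONG, CK_RV, CK_SESSION_HANDLE, CK_OBJECT_HANDLE;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CKR_OK = 0, CKA_CLASS = 0, CKO_DATA = 0, CKO_CERTIFICATE = 1, CKO_PRIVATE_KEY = 3 };

/* Constructed mock token modelling the behaviour described in the thread:
   a NULL template yields only certificate and key objects, no CKO_DATA. */
static const CK_ULONG mock_class[] = { CKO_DATA, CKO_DATA, CKO_DATA,
                                       CKO_CERTIFICATE, CKO_CERTIFICATE, CKO_PRIVATE_KEY };
#define MOCK_N (sizeof mock_class / sizeof mock_class[0])
static int m_any; static CK_ULONG m_want, m_pos;

CK_RV C_FindObjectsInit(CK_SESSION_HANDLE s, CK_ATTRIBUTE *t, CK_ULONG n) {
    (void)s; m_any = (t == NULL || n == 0); m_pos = 0;
    if (!m_any) m_want = *(CK_ULONG *)t[0].pValue;
    return CKR_OK;
}
CK_RV C_FindObjects(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE *out, CK_ULONG max, CK_ULONG *got) {
    for (*got = 0; m_pos < MOCK_N && *got < max; m_pos++) {
        CK_ULONG c = mock_class[m_pos];
        if (m_any ? c != CKO_DATA : c == m_want) out[(*got)++] = m_pos + 1;
    }
    (void)s; return CKR_OK;
}
CK_RV C_FindObjectsFinal(CK_SESSION_HANDLE s) { (void)s; return CKR_OK; }

/* Count the objects of one class, or whatever a NULL template returns when
   use_template is 0, draining C_FindObjects in batches until it reports 0. */
long count_objects(CK_SESSION_HANDLE s, int use_template, CK_ULONG cls) {
    CK_ATTRIBUTE tmpl = { CKA_CLASS, &cls, sizeof cls };
    CK_OBJECT_HANDLE batch[2];
    CK_ULONG got = 0; long total = 0;
    if (C_FindObjectsInit(s, use_template ? &tmpl : NULL, use_template ? 1 : 0) != CKR_OK)
        return -1;
    do {
        if (C_FindObjects(s, batch, 2, &got) != CKR_OK) { total = -1; break; }
        total += (long)got;
    } while (got > 0);
    C_FindObjectsFinal(s);  /* always close the search, also on error */
    return total;
}
int main(void) {
    printf("data=%ld certs=%ld null-template=%ld\n", count_objects(1, 1, CKO_DATA),
           count_objects(1, 1, CKO_CERTIFICATE), count_objects(1, 0, 0));
    return 0;
}
```

Against the mock, the NULL-template search reports fewer objects than the `CKO_DATA` and `CKO_CERTIFICATE` searches combined, which is why identity data needs its own explicit class filter.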

Pierre De Boeck

Jun 10, 2014, 5:13:27 AM
to eid-middl...@googlegroups.com, pierre....@gmail.com
OK, thanks a lot for your fast and very clear answer. In fact, apparently the relative slowness is more due to
some specific readers, as we sometimes see a 30% diff between them (from 5 to 10 secs).