NIST 800-73-1 is going to drop the requirement for PIN-protected certificates on the PIV cards. This was the single biggest complaint. This change makes this the default, but does allow for continued testing with current cards that do enforce the 800-73 requirement of PIN-protected certs by adding flags=10 to the card_atr section in the opensc.conf file. Eventually this code could be removed in some future release.
-- Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444
Index: src/libopensc/pkcs15-piv.c =================================================================== --- src/libopensc/pkcs15-piv.c (revision 2851) +++ src/libopensc/pkcs15-piv.c (working copy) @@ -175,18 +175,22 @@ {NULL, NULL, NULL, 0, NULL, 0} }; - /* PIV certs are not modifiable by the user, and need PIN control */ - /* But not all beta cards enforce this, and most applications cant handle */ - /* code later will turn off the SC_PKCS15_CO_FLAG_PRIVATE */ + /* + * NIST 800-73-1 is proposing to lift the restriction on + * requering pin protected certs. Thus the default will be to + * not require this. But there are a number of test cards + * that do enforce it. Code later on will allow SC_PKCS15_CO_FLAG_PRIVATE + * to be set. + */ const cdata certs[] = { {"1", "Certificate for PIV Authentication", - 0, "0101", SC_PKCS15_CO_FLAG_PRIVATE}, + 0, "0101", 0}, {"2", "Certificate for Digital Signature", - 0, "0100", SC_PKCS15_CO_FLAG_PRIVATE}, + 0, "0100", 0}, {"3", "Certificate for Key Management", - 0, "0102", SC_PKCS15_CO_FLAG_PRIVATE}, + 0, "0102", 0}, {"4", "Certificate for Card Authentication", - 0, "0500", SC_PKCS15_CO_FLAG_PRIVATE}, + 0, "0500", 0}, {NULL, NULL, 0, NULL, 0} }; @@ -302,6 +306,12 @@ strncpy(cert_obj.label, certs[i].label, SC_PKCS15_MAX_LABEL_SIZE - 1); cert_obj.flags = certs[i].obj_flags; + /* Cards based on NIST 800-73 may enforce pin protected certs */ + /* But this is being dropped in 800-73-1 */ + if (card->flags & 0x10) { + cert_obj.flags |= SC_PKCS15_CO_FLAG_PRIVATE; + } + r = sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info); if (r < 0) SC_FUNC_RETURN(card->ctx, 1, r);
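Review bot: In the first hunk (the new comment block above `const cdata certs[]`), "requering" should be "requiring", and since the comment is now the only place in the table that explains why `SC_PKCS15_CO_FLAG_PRIVATE` was dropped from all four entries, it would help to name the re-enable mechanism there as well, e.g. "set flags=10 in the card_atr section of opensc.conf for cards that still enforce PIN-protected certs", so a reader of the table does not have to find the check in `sc_pkcs15emu_piv_init` to learn how the old behaviour is restored.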
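Review bot: In the second hunk, `if (card->flags & 0x10)` tests a bare magic number; a named constant for this PIV-specific bit with a comment tying it to the `flags=` value in opensc.conf would make the intent clear and avoid a silent collision if another driver later uses bit 0x10 for something else. Two further points: the mail text says `flags=10` while the code tests `0x10`, so confirm the card_atr parser reads that value as hex or document it as `0x10`; and the comment "may enforce pin protected certs" describes the card, but the check is purely configuration-driven, so a card that still enforces the 800-73 rule but is not listed with the flag will have its cert objects exported without `SC_PKCS15_CO_FLAG_PRIVATE`, and reads will fail at the card instead of the application being prompted for the PIN. Worth stating that failure mode in the comment.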
_______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel