[opensc-devel] pkcs15-piv update for dropping the pin protected cert requirement

Wed, 22 Feb 2006 09:00:43 -0800 

NIST 800-73-1 is going to drop the requirement for pin protected certificates
on the PIV cards. This was the single biggest complaint. This change makes this
the default, but does allow for continued testing with current cards that do
enforce the 800-73 requirement of pin protected certs by adding flags=10 to
the card_atr section in the opensc.conf file. Eventially this code could be
removed in some future release.



--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444

Index: src/libopensc/pkcs15-piv.c
===================================================================
--- src/libopensc/pkcs15-piv.c  (revision 2851)
+++ src/libopensc/pkcs15-piv.c  (working copy)
@@ -175,18 +175,22 @@
                {NULL, NULL, NULL, 0, NULL, 0}
        };
 
-       /* PIV certs are not modifiable by the user, and need PIN control */
-       /* But not all beta cards enforce this, and  most applications cant 
handle */
-       /* code later will turn off the SC_PKCS15_CO_FLAG_PRIVATE */
+       /* 
+        * NIST 800-73-1 is proposing to lift the restriction on 
+        * requering pin protected certs. Thus the default will be to 
+        * not require this. But there are a number of test cards 
+        * that do enforce it. Code later on will allow 
SC_PKCS15_CO_FLAG_PRIVATE
+        * to be set. 
+        */
        const cdata certs[] = {
                {"1", "Certificate for PIV Authentication",
-                               0, "0101", SC_PKCS15_CO_FLAG_PRIVATE},
+                               0, "0101", 0},
                {"2", "Certificate for Digital Signature",
-                               0, "0100", SC_PKCS15_CO_FLAG_PRIVATE},
+                               0, "0100", 0},
                {"3", "Certificate for Key Management",
-                               0, "0102", SC_PKCS15_CO_FLAG_PRIVATE},
+                               0, "0102", 0},
                {"4", "Certificate for Card Authentication",
-                               0, "0500", SC_PKCS15_CO_FLAG_PRIVATE},
+                               0, "0500", 0},
                {NULL, NULL, 0, NULL, 0}
        };
 
@@ -302,6 +306,12 @@
                strncpy(cert_obj.label, certs[i].label, 
SC_PKCS15_MAX_LABEL_SIZE - 1);
                cert_obj.flags = certs[i].obj_flags;
 
+               /* Cards based on NIST 800-73 may enforce pin protected certs */
+               /* But this is being dropped in 800-73-1 */
+               if (card->flags & 0x10) {
+                       cert_obj.flags |=  SC_PKCS15_CO_FLAG_PRIVATE;
+               }
+
                r = sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info);
                if (r < 0)
                        SC_FUNC_RETURN(card->ctx, 1, r);

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Reply via email to