Only 9C key needs "Pin Always" i.e. user_consent

The 9D key does not need the user_consent flag, as the PIV card only
enforces the "PIN Always" for the 9C signing key.

Various comments cleaned up.
Doug Engert 2012-08-07 13:07:48 -05:00 committed by Viktor Tarasov
parent 4035245649
commit 4e44cabcf0
1 changed files with 7 additions and 5 deletions

@ -512,7 +512,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
{ "3", "KEY MAN key",
/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
"", 0x9D, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
"", 0x9D, "1", SC_PKCS15_CO_FLAG_PRIVATE, 0},
{ "4", "CARD AUTH key",
/*RSA*/SC_PKCS15_PRKEY_USAGE_SIGN |
SC_PKCS15_PRKEY_USAGE_SIGNRECOVER,
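Review bot: The last positional value on the 0x9D "KEY MAN key" row goes from 1 to 0 with nothing in the row saying what that field is. The commit message identifies it as user_consent, but a reader of the table only sees a bare integer after SC_PKCS15_CO_FLAG_PRIVATE. Since this value decides whether a PIN verify is demanded before each private-key operation, a short trailing comment on the row (for example `/* user_consent: only 9C is PIN Always */`) would make the intent visible and make an accidental flip on a neighbouring row easier to catch in review.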
@ -664,15 +664,17 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
if (r < 0)
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
/* TODO
* PIV keys 9C and 9D require the pin verify be done just befor any
* crypto operation using these keys.
* PIV key 9C requires the pin verify be done just before any
* crypto operation using the key.
*
* Nss 3.12.7 does not check the CKA_ALWAYS_AUTHENTICATE attribute of a key
* and will do a C_FindObjects with only CKA_VALUE looking for a certificate
* it had found earlier after c_Login. The template does not add CKA_TYPE=cert.
* This will cause the card-piv to read all the objects and will reset
* the security status for the 9C and 9D keys.
* Mozilla Bug 457025
* the security status for the 9C key.
* Mozilla Bug 357025
* Mozilla Bug 613507
* on 5/16/2012, both scheduled for NSS 3.14
*
* We can not read all the objects, as some need the PIN!
*/
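Review bot: The Mozilla bug reference in this comment changes from 457025 to 357025, while the commit message only says "Various comments cleaned up". A one-digit change in a bug id is easy to get wrong in either direction, so please confirm which number is intended and say so in the commit message. The added line "on 5/16/2012, both scheduled for NSS 3.14" is a dated status note that will go stale in the source; it fits better in the commit message. The block is still marked TODO without stating what remains to be done now that only the 9C key is affected, so a sentence naming the outstanding action would help.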