From 4e44cabcf02dcdb5df33d4d8b7a3ad7dae9a5b28 Mon Sep 17 00:00:00 2001
From: Doug Engert
Date: Tue, 7 Aug 2012 13:07:48 -0500
Subject: [PATCH] Only 9C key needs "Pin Always" i.e. user_consent

The 9D key does not nee the user_consent flag, as the PIV card only enforces the "PIN Always" for the 9C signing key. Various comments cleaned up.
---
 src/libopensc/pkcs15-piv.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c
index ec58ba7b..a564d241 100644
--- a/src/libopensc/pkcs15-piv.c
+++ b/src/libopensc/pkcs15-piv.c
@@ -512,7 +512,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
 { "3", "KEY MAN key",
 /*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
 /*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
- "", 0x9D, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
+ "", 0x9D, "1", SC_PKCS15_CO_FLAG_PRIVATE, 0},
 { "4", "CARD AUTH key",
 /*RSA*/SC_PKCS15_PRKEY_USAGE_SIGN | SC_PKCS15_PRKEY_USAGE_SIGNRECOVER,
@@ -664,15 +664,17 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
 if (r < 0)
 SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
 /* TODO
- * PIV keys 9C and 9D require the pin verify be done just befor any
- * crypto operation using these keys.
+ * PIV key 9C requires the pin verify be done just before any
+ * crypto operation using the key.
 *
 * Nss 3.12.7 does not check the CKA_ALWAYS_AUTHENTICATE attribute of a key
 * and will do a C_FindObjects with only CKA_VALUE looking for a certificate
 * it had found earlier after c_Login. The template does not add CKA_TYPE=cert.
 * This will cause the card-piv to read all the objects and will reset
- * the security status for the 9C and 9D keys.
- * Mozilla Bug 457025
+ * the security status for the 9C key.
+ * Mozilla Bug 357025
+ * Mozilla Bug 613507
+ * on 5/16/2012, both scheduled for NSS 3.14
 *
 * We can not read all the objects, as some need the PIN!
 */
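Review bot: The trailing `1` → `0` in the 9D "KEY MAN key" row is a bare positional initializer, so nothing in the table tells a reader that this is the user_consent field or why 9D is now treated differently from 9C; that reasoning lives only in the commit message. Put it on the row itself: `"", 0x9D, "1", SC_PKCS15_CO_FLAG_PRIVATE, 0 /* user_consent: 9D is PIN, only 9C is PIN Always */},`, or, if every row is initialized positionally, a one-line header comment above the table naming the column order. This flag appears to be what the PKCS#11 layer reports as CKA_ALWAYS_AUTHENTICATE (the later hunk's comment ties that attribute to these keys), so clearing it changes the policy middleware is told about the key-management key; the comment should state that the value was checked against the card's own 9D PIN policy. The key table and sc_pkcs15emu_piv_init both start and end outside the hunk.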
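Review bot: The added line `* on 5/16/2012, both scheduled for NSS 3.14` uses a locale-ambiguous date and a dangling "on" that attaches to no sentence; prefer `* As of 2012-05-16 both bugs are scheduled for NSS 3.14.`. The same hunk changes the Mozilla bug number from 457025 to 357025 while the message only says comments were cleaned up — if the old number was a typo, say so in the comment or the message, since I cannot verify either number from here. The block still opens with `/* TODO` without saying what is to be done once NSS is fixed; a line such as `* TODO: revisit this workaround once NSS 3.14 honours CKA_ALWAYS_AUTHENTICATE.` would make it actionable. sc_pkcs15emu_piv_init continues beyond the hunk on both sides.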