Only 9C key needs "Pin Always" i.e. user_consent
The 9D key does not need the user_consent flag, as the PIV card enforces "PIN Always" only for the 9C signing key. Various comments cleaned up.
parent
4035245649
commit
4e44cabcf0
@ -512,7 +512,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
|
|||||||
{ "3", "KEY MAN key",
|
{ "3", "KEY MAN key",
|
||||||
/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
|
/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
|
||||||
/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
|
/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
|
||||||
"", 0x9D, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
|
"", 0x9D, "1", SC_PKCS15_CO_FLAG_PRIVATE, 0},
|
||||||
{ "4", "CARD AUTH key",
|
{ "4", "CARD AUTH key",
|
||||||
/*RSA*/SC_PKCS15_PRKEY_USAGE_SIGN |
|
/*RSA*/SC_PKCS15_PRKEY_USAGE_SIGN |
|
||||||
SC_PKCS15_PRKEY_USAGE_SIGNRECOVER,
|
SC_PKCS15_PRKEY_USAGE_SIGNRECOVER,
|
||||||
@ -664,15 +664,17 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
|
|||||||
if (r < 0)
|
if (r < 0)
|
||||||
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
|
||||||
/* TODO
|
/* TODO
|
||||||
* PIV keys 9C and 9D require the pin verify be done just befor any
|
* PIV key 9C requires the pin verify be done just before any
|
||||||
* crypto operation using these keys.
|
* crypto operation using the key.
|
||||||
*
|
*
|
||||||
* Nss 3.12.7 does not check the CKA_ALWAYS_AUTHENTICATE attribute of a key
|
* Nss 3.12.7 does not check the CKA_ALWAYS_AUTHENTICATE attribute of a key
|
||||||
* and will do a C_FindObjects with only CKA_VALUE looking for a certificate
|
* and will do a C_FindObjects with only CKA_VALUE looking for a certificate
|
||||||
* it had found earlier after c_Login. The template does not add CKA_TYPE=cert.
|
* it had found earlier after c_Login. The template does not add CKA_TYPE=cert.
|
||||||
* This will cause the card-piv to read all the objects and will reset
|
* This will cause the card-piv to read all the objects and will reset
|
||||||
* the security status for the 9C and 9D keys.
|
* the security status for the 9C key.
|
||||||
* Mozilla Bug 457025
|
* Mozilla Bug 357025
|
||||||
|
* Mozilla Bug 613507
|
||||||
|
* on 5/16/2012, both scheduled for NSS 3.14
|
||||||
*
|
*
|
||||||
* We can not read all the objects, as some need the PIN!
|
* We can not read all the objects, as some need the PIN!
|
||||||
*/
|
*/
|
||||||
|
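Review bot: The trailing `0` on the 9D "KEY MAN key" row in the first hunk is an unlabelled positional value, and only the commit description says it is the user_consent ("PIN Always") flag, so the one security-relevant difference between the 9C and 9D rows cannot be read from the table itself. I would add a comment on that row, for example `/* user_consent = 0: only 9C is "PIN Always" */`, so a later edit cannot flip it back unnoticed. In the second hunk the bug reference appears to change from `Mozilla Bug 457025` to `Mozilla Bug 357025`, which the description does not mention; please confirm this is a correction and not a typo. Both hunks sit inside sc_pkcs15emu_piv_init, whose body and the table's struct definition lie outside the visible lines.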