Only 9C key needs "Pin Always" i.e. user_consent
The 9D key does not need the user_consent flag, as the PIV card only enforces the "PIN Always" for the 9C signing key. Various comments cleaned up.
parent
4035245649
commit
4e44cabcf0
@ -512,7 +512,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
{ "3", "KEY MAN key",
/*RSA*/SC_PKCS15_PRKEY_USAGE_DECRYPT | SC_PKCS15_PRKEY_USAGE_UNWRAP,
/*EC*/SC_PKCS15_PRKEY_USAGE_DERIVE,
"", 0x9D, "1", SC_PKCS15_CO_FLAG_PRIVATE, 1},
"", 0x9D, "1", SC_PKCS15_CO_FLAG_PRIVATE, 0},
{ "4", "CARD AUTH key",
/*RSA*/SC_PKCS15_PRKEY_USAGE_SIGN |
SC_PKCS15_PRKEY_USAGE_SIGNRECOVER,
@ -664,15 +664,17 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card)
if (r < 0)
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, r);
/* TODO
* PIV keys 9C and 9D require the pin verify be done just befor any
* crypto operation using these keys.
* PIV key 9C requires the pin verify be done just before any
* crypto operation using the key.
*
* Nss 3.12.7 does not check the CKA_ALWAYS_AUTHENTICATE attribute of a key
* and will do a C_FindObjects with only CKA_VALUE looking for a certificate
* it had found earlier after c_Login. The template does not add CKA_TYPE=cert.
* This will cause the card-piv to read all the objects and will reset
* the security status for the 9C and 9D keys.
* Mozilla Bug 457025
* the security status for the 9C key.
* Mozilla Bug 357025
* Mozilla Bug 613507
* on 5/16/2012, both scheduled for NSS 3.14
*
* We can not read all the objects, as some need the PIN!
*/
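Review bot: The trailing `0` on the 0x9D row in the first hunk is a bare positional value that now carries the access-policy decision for the KEY MAN key, and nothing at the site says which field it is. A short trailing comment would make the row reviewable on its own, for example `"", 0x9D, "1", SC_PKCS15_CO_FLAG_PRIVATE, 0}, /* user_consent: PIN Always applies to 9C only */`. The table and its struct definition start outside the hunk, so the field name is taken from the commit message and not from visible code. In the second hunk the bug reference changes from 457025 to 357025 with no explanation in the commit message, so the number is worth confirming against the tracker, and the `TODO` block would be clearer if it stated what remains to be done once the NSS fixes it mentions are available.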