#
# General purpose PKCS15 profile for Cryptoflex cards
#
cardinfo {
    max-pin-length	= 8;
    pin-encoding	= ascii-numeric;
    pin-pad-char	= 0x00;
    pin-domains		= yes;
}

# Define reasonable limits for PINs and PUK
# The user pin must always be CHV1, otherwise things
# won't work (crypto operations are protected by CHV1)
PIN user-pin {
    attempts	= 3;
}
PIN user-puk {
    attempts	= 10;
}

# Additional filesystem info.
# This is added to the file system info specified in the
# main profile.
filesystem {
    # Define default ACLs and file ids for CHV1/CHV2
    EF CHV1 {
    	file-id	= 0000;
	ACL	= *=NEVER, UPDATE=CHV1;
	size 	= 23;
    }
    EF CHV2 {
    	file-id	= 0100;
	ACL	= *=NEVER, UPDATE=CHV2;
	size 	= 23;
    }

    DF MF {
	ACL	= *=AUT1;

	# The DELETE=NONE ACLs will go away once the code
	# works. It's here to make sure I can erase the card
	# even if I mess up big time.
	#
	# If you have a 16K card and wish to store
	# two cert/key pairs.
	# Note if you want the two keys to be protected by the
	# same pin, you need to increase the size of the pin-dir.
	DF PKCS15-AppDF {
	    ACL		= *=$SOPIN, FILES=NONE, DELETE=NONE;
	    #size	= 7500;
	    size	= 12000;

	    # This "pin-domain" DF is a template that is
	    # instantiated for each PIN created on the card.
	    #
	    # When instantiating the template, each file id will be
	    # combined with the last octet of the object's pkcs15 id
	    # to form a unique file ID. That is, PIN 01 will reside
	    # in 4b01, PIN 02 will reside in 4b02, etc.
    	    template pin-domain {
		DF pin-dir {
		    ACL		= *=$SOPIN, FILES=NONE, DELETE=NONE;
		    file-id	= 4B00;

		    # The minimum size for a 2048 bit key is 1396
		    #size	= 1396;
		    size	= 2792;
		}
	    }

	    # For PIN-protected files, instantiate this template
	    # below the pin directory.
	    # For unprotected objects, install within the application DF.
	    #
	    # When instantiating the template, each file id will be
	    # combined with the last octet of the object's pkcs15 id
	    # to form a unique file ID.
            #
            # VT: The ACLs of the public objects (certificate, public key, non-protected data) 
            #     are set to 'NONE'. You can change it and protect operations of your choice
            #     by $SOPIN, but not by $PIN.
	    template key-domain {
		# In order to support more than one key per PIN,
		# each key must be within its own subdirectory.
	    	DF key-directory {
		    ACL	= *=$PIN, FILES=NONE;
		    file-id	= 3000;
		    size	= 1332;

	            EF private-key {
		        file-id	= 0012;
		        ACL		= *=NEVER, CRYPTO=$PIN, UPDATE=$PIN;
		    }
		    EF internal-pubkey-file {
		        file-id	= 1012;
		        ACL		= *=$PIN, READ=NONE;
		    }
		}
		EF extractable-key {
    	            file-id	= 4300;
    	            ACL		= *=NEVER, READ=$PIN, UPDATE=$PIN;
		}
		EF public-key {
		    file-id	= 4800;
		    ACL		= *=NONE;
		}
		EF certificate {
		    file-id	= 4500;
		    ACL		= *=NONE;
		}
		EF data {
		    file-id	= 4600;
		    ACL		= *=NONE;
		}
		EF privdata {
		    file-id	= 4700;
		    ACL		= *=$PIN;
		}
	    }
	}
    }
}