123 lines
3.1 KiB
Plaintext
123 lines
3.1 KiB
Plaintext
#
|
|
# General purpose PKCS15 profile for Cryptoflex cards
|
|
#
|
|
cardinfo {
|
|
max-pin-length = 8;
|
|
pin-encoding = ascii-numeric;
|
|
pin-pad-char = 0x00;
|
|
pin-domains = yes;
|
|
}
|
|
|
|
# Define reasonable limits for PINs and PUK
|
|
# The user pin must always be CHV1, otherwise things
|
|
# won't work (crypto operations are protected by CHV1)
|
|
PIN user-pin {
|
|
attempts = 3;
|
|
}
|
|
PIN user-puk {
|
|
attempts = 10;
|
|
}
|
|
|
|
# Additional filesystem info.
|
|
# This is added to the file system info specified in the
|
|
# main profile.
|
|
filesystem {
|
|
# Define default ACLs and file ids for CHV1/CHV2
|
|
EF CHV1 {
|
|
file-id = 0000;
|
|
ACL = *=NEVER, UPDATE=CHV1;
|
|
size = 23;
|
|
}
|
|
EF CHV2 {
|
|
file-id = 0100;
|
|
ACL = *=NEVER, UPDATE=CHV2;
|
|
size = 23;
|
|
}
|
|
|
|
DF MF {
|
|
ACL = *=AUT1;
|
|
|
|
# The DELETE=NONE ACLs will go away once the code
|
|
# works. It's here to make sure I can erase the card
|
|
# even if I mess up big time.
|
|
#
|
|
# If you have a 16K card and wish to store
|
|
# two cert/key pairs.
|
|
# Note if you want the two keys to be protected by the
|
|
# same pin, you need to increase the size of the pin-dir.
|
|
DF PKCS15-AppDF {
|
|
ACL = *=$SOPIN, FILES=NONE, DELETE=NONE;
|
|
#size = 7500;
|
|
size = 12000;
|
|
|
|
# This "pin-domain" DF is a template that is
|
|
# instantiated for each PIN created on the card.
|
|
#
|
|
# When instantiating the template, each file id will be
|
|
# combined with the last octet of the object's pkcs15 id
|
|
# to form a unique file ID. That is, PIN 01 will reside
|
|
# in 4b01, PIN 02 will reside in 4b02, etc.
|
|
template pin-domain {
|
|
DF pin-dir {
|
|
ACL = *=$SOPIN, FILES=NONE, DELETE=NONE;
|
|
file-id = 4B00;
|
|
|
|
# The minimum size for a 2048 bit key is 1396
|
|
#size = 1396;
|
|
size = 2792;
|
|
}
|
|
}
|
|
|
|
# For PIN-protected files, instantiate this template
|
|
# below the pin directory.
|
|
# For unprotected objects, install within the application DF.
|
|
#
|
|
# When instantiating the template, each file id will be
|
|
# combined with the last octet of the object's pkcs15 id
|
|
# to form a unique file ID.
|
|
#
|
|
# VT: The ACLs of the public objects (certificate, public key, non-protected data)
|
|
# are set to 'NONE'. You can change it and protect operations of your choice
|
|
# by $SOPIN, but not by $PIN.
|
|
template key-domain {
|
|
# In order to support more than one key per PIN,
|
|
# each key must be within its own subdirectory.
|
|
DF key-directory {
|
|
ACL = *=$PIN, FILES=NONE;
|
|
file-id = 3000;
|
|
size = 1332;
|
|
|
|
EF private-key {
|
|
file-id = 0012;
|
|
ACL = *=NEVER, CRYPTO=$PIN, UPDATE=$PIN;
|
|
}
|
|
EF internal-pubkey-file {
|
|
file-id = 1012;
|
|
ACL = *=$PIN, READ=NONE;
|
|
}
|
|
}
|
|
EF extractable-key {
|
|
file-id = 4300;
|
|
ACL = *=NEVER, READ=$PIN, UPDATE=$PIN;
|
|
}
|
|
EF public-key {
|
|
file-id = 4800;
|
|
ACL = *=NONE;
|
|
}
|
|
EF certificate {
|
|
file-id = 4500;
|
|
ACL = *=NONE;
|
|
}
|
|
EF data {
|
|
file-id = 4600;
|
|
ACL = *=NONE;
|
|
}
|
|
EF privdata {
|
|
file-id = 4700;
|
|
ACL = *=$PIN;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|