[opensc-devel] PIV patch for OpenSC and SCA
Larner, Russell
rlarner at rsasecurity.com
Thu May 17 15:04:39 UTC 2007
My company has been working with the PIV functionality in OpenSC and
SCA, and we needed to add a couple of features:

- Individual PIV card serial number calculation (to enable correct cert
  caching in SCA)

  This was fairly complex, due to issues in the PIV specifications. See
  the new comments in piv_get_serial_nr for more details. It is needed in
  SCA since the serial number is used to cache certificates. (i.e., the
  Macintosh Keychain would only see certificates from the first card ever
  inserted for a given user.)

- 2048-bit certificate support (should also work for 3072, but not
  tested)

  This required exposing the parse_x509_cert method from pkcs15-cert.c
  so card-piv.c could parse the certificate to determine the number of
  bytes in the public key.

- Some cards allowed 4-character and non-numeric PINs; the FIPS-201 standard
  is 6 characters minimum, numeric-only. (See comments in piv_pin_cmd.)

  Added PIN length and type enforcement to the PIV card support, since
  not all cards are correctly limiting the PIN.

- Missing unlock in some piv_get_challenge error states.

  This caused problems if the user entered an incorrect PIN: the card
  would stay locked and could crash applications when they tried to close
  the card.

- Added the application name to logging to allow for easier debugging.

  Since a lot of testing needed multiple applications to be running, it
  became important to know what application was making each log entry.

SCA changes:

- OpenSCKeyHandle::getKeySize and ::getOutputSize now return actual
  values based on key size.

Note that these changes have only been tested on the Macintosh. I've
attached the patches: libopensc.patch is against OpenSC, and
OpenSC.Tokend.patch is against SCA.

Sorry for dumping all these at once. Please let me know if there are
any questions.
Russell Larner | Senior Software Engineer | +1 781-515-7112 | e-Mail:
rlarner at rsa.com
Attachments:
- libopensc.patch.gz (application/x-gzip, 7438 bytes):
  http://www.opensc-project.org/pipermail/opensc-devel/attachments/20070517/6d007a46/attachment.bin
- opensc.tokend.patch.gz (application/x-gzip, 768 bytes):
  http://www.opensc-project.org/pipermail/opensc-devel/attachments/20070517/6d007a46/attachment-0001.bin
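An added illustration of the PIN enforcement the post describes (example code written for this page, not the attached patch or OpenSC's piv_pin_cmd): a host-side check that a PIV PIN is 6 to 8 ASCII digits before it is sent to the card, so a card that fails to enforce the FIPS-201 rules itself cannot be given a weak PIN. The 0xFF padding of the PIN to 8 bytes for the VERIFY data field follows SP 800-73; the function names and the sample PINs are constructed for the example.

```c
/* Example: PIV PIN length/type enforcement (added illustration, not OpenSC code).
 * Assumption: FIPS 201 / SP 800-73 rules, 6..8 ASCII digits, 0xFF-padded to 8 bytes. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PIV_PIN_MIN_LEN 6
#define PIV_PIN_MAX_LEN 8
#define PIV_PIN_PAD     0xFF

/* Return 0 if the PIN is acceptable, -1 if it is too short, too long or
 * contains anything other than ASCII digits. */
int piv_check_pin(const unsigned char *pin, size_t pin_len)
{
    size_t i;
    if (pin == NULL || pin_len < PIV_PIN_MIN_LEN || pin_len > PIV_PIN_MAX_LEN)
        return -1;
    for (i = 0; i < pin_len; i++)
        if (pin[i] < '0' || pin[i] > '9')
            return -1;
    return 0;
}

/* Build the 8-byte VERIFY data field: the PIN digits followed by 0xFF
 * padding. Returns 0 on success, -1 if the PIN was rejected (out untouched). */
int piv_pad_pin(const unsigned char *pin, size_t pin_len,
                unsigned char out[PIV_PIN_MAX_LEN])
{
    if (piv_check_pin(pin, pin_len) != 0)
        return -1;
    memset(out, PIV_PIN_PAD, PIV_PIN_MAX_LEN);
    memcpy(out, pin, pin_len);
    return 0;
}

int main(void)
{
    /* Constructed sample PINs: only the first and fourth should pass. */
    const char *samples[] = { "123456", "1234", "12345a", "12345678", "123456789" };
    unsigned char buf[PIV_PIN_MAX_LEN];
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = piv_pad_pin((const unsigned char *)samples[i], strlen(samples[i]), buf);
        printf("%-10s -> %s\n", samples[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```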