PKCS#11 token label for PIV


PKCS#11 token label for PIV

Jakub Jelen
Hello,
during our testing we noticed that PIV token labels are used in OpenSC
as a simple driver identification (PIV_II) [1]. The Coolkey module
supporting PIV cards used this field to copy the cardholder name (if
available), and from there GDM was using this name in various places,
such as the greeting after login [2] or identifying a unique card (very
non-ideal).

I would not consider this a bug in OpenSC, but more like potential
room for improvement in OpenSC. I am posting here on the ML to get some
ideas on whether it is a feature that would be interesting for you or whether it would
be considered a change of behavior and API (PKCS#11 URI), before I
put together a PR implementing this change.

The idea why this label should be more card-specific is from the PKCS#11
specification:

 > application-defined label, assigned during token initialization. Must
be padded with the blank character (‘ ‘). Should not be null-terminated.

This does not say anything about the content, but the cardholder name in the PIV
case sounds a little bit more useful than just the string PIV_II.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1449740
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1462000

Thank you for comments and regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: PKCS#11 token label for PIV

Douglas E Engert


On 6/16/2017 7:48 AM, Jakub Jelen wrote:
> Hello,
> during our testing we noticed that PIV token labels are used in OpenSC as a simple driver identification (PIV_II) [1]. The Coolkey module supporting PIV cards used this field to copy the cardholder name
> (if available), and from there GDM was using this name in various places, such as the greeting after login [2] or identifying a unique card (very non-ideal).

The question is: Does anyone use the token label in a P11 URI?
I Bcc'ed one person who may be doing that.

The pkcs15-piv.c sets the sc_pkcs15_auth_info label to "PIV Card Holder pin" or "Global PIN" depending on the Discovery Object flags.
Then p15card->tokeninfo->label = "PIV_II";
framework-pkcs15.c then does:
snprintf(label, sizeof(label), "%.*s (%s)", (int) sizeof auth->label, auth->label, p15card->tokeninfo->label);

So the C_GetTokenInfo has one of these:
token label        : PIV Card Holder pin (PIV_II)
token label        : Global PIN (PIV_II)

I suppose the CN from the AUTH certificate could replace the p15card->tokeninfo->label. But there would only be 10 characters left.
The "PIV Card Holder pin" or "Global PIN" could be shorter too.

The setting of the p15card->tokeninfo->label could be replaced around lines 768-769, before the comment "* get keyUsage if present save in ckis[i]",
and this was the AUTH cert and the CN could be found.

>
> I would not consider this a bug in OpenSC, but more like potential room for improvement in OpenSC. I am posting here on the ML to get some ideas on whether it is a feature that would be interesting for you or
> whether it would be considered a change of behavior and API (PKCS#11 URI), before I put together a PR implementing this change.
>
> The idea why this label should be more card-specific is from the PKCS#11 specification:
>
>  > application-defined label, assigned during token initialization. Must be padded with the blank character (‘ ‘). Should not be null-terminated.
>
> This does not say anything about the content, but the cardholder name in the PIV case sounds a little bit more useful than just the string PIV_II.
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1449740
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1462000
>
> Thank you for comments and regards,

--

  Douglas E. Engert  <[hidden email]>

