From: Douglas E E. <dee...@gm...> - 2016-12-29 16:32:33
This is a follow-on question to the one raised in https://github.com/OpenSC/OpenSC/pull/926, as the MyEID and PIV compatibility are not related to the PR.

If I read your command correctly:

    00 DA 01 50 14 80 11 1F FF 4B 01 43 04 00 00 00 00 00 00 00 00 00 00 00 00 90 00

    0x14 bytes
    80 is flag
    11 1F FF is ACL?
    4B 01 is PIV auth key FID
    43 04 is PIV auth cert FID
    No other keys or certs are mapped.
    90 00 is status bytes

The OpenSC PIV card driver is based on NIST 800-73-3, which defines more objects than 4 keys and 4 certs on the card. It only uses the APDU commands defined in NIST 800-73-3. There is no requirement that a PIV card support any other commands.

Having experience with other PIV-want-to-be cards such as the NEO, being PIV compliant is not an easy task. (As the primary OpenSC PIV developer, I had to add code to card-piv.c and pkcs15-piv.c to handle NEO issues.)

Can you or will your documentation answer these questions:

All versions of 800-73 define the CHUID object. Do you? Windows requires a CHUID (or used to require it). OpenSC uses the FASCN or GUID from the CHUID to derive a card serial number, as NIST 800-73 does not define or require a serial number. (For both Windows and OpenSC the CHUID does not need to be signed.) How would one write a CHUID and how is it mapped? Without a CHUID OpenSC uses 00000000, making using multiple cards on the same machine a problem.

What version of NIST 800-73 is the card code based on? NIST 800-73-3 introduced the History object and retired keys and certs. Do you support these? How would these be mapped?

800-73 requires the Signature key to be "PIN Always" and the card enforces it. Does your card enforce it? (This is equivalent to PKCS#15 user_consent or PKCS#11 CKA_ALWAYS_AUTHENTICATE.) 800-73 also says the Card Management key does not require the PIN. I only see one ACL in your command; how do you handle this?

When in PIV mode, what is the ATR? Most approved PIV cards put the AID in the historical bytes, making it easy to identify. Is there any other way to determine this is a MyEID running in PIV mode? The OpenSC card-piv.c does a SELECT of the PIV AID and then tries to determine if this is a true PIV or a PIV-want-to-be card that needs special handling. Look at card-piv.c line 202: /* card_issues - bugs in PIV implementations requires special handling */ and the code starting at line 3006, or grep card_issues card-piv.c for other issues I have seen with PIV compatibility.

Any way to get one of these cards for testing?

-- 
Douglas E. Engert <DEE...@gm...>
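The following is an added example and not code from the OpenSC project or from the message above. It decodes the PUT DATA APDU quoted in the mail into CLA/INS/P1P2/Lc/data/SW and applies the field reading the author gives (flag, ACL, auth key FID, auth cert FID); the MyEID field layout is taken from that reading and is an assumption, not a documented format. It then parses a constructed PIV CHUID as a simple BER-TLV and shows how a serial could be taken from its FASC-N (tag 0x30) or GUID (tag 0x34), falling back to all zeros when no CHUID is present, as the message says OpenSC does. The serial derivation is an illustration of that description, not OpenSC's actual algorithm, and `build_chuid` produces sample data, not a real card's object.

```python
"""Added example, not code from the OpenSC project or from the message above.

(1) decode the PUT DATA APDU quoted in the mail and apply the author's field
    reading (assumed MyEID layout: flag, 3-byte ACL, key FID, cert FID);
(2) parse a constructed CHUID as BER-TLV and derive an illustrative serial
    from FASC-N or GUID, with the all-zeros fallback the mail describes."""

# APDU bytes quoted in the message (5-byte header, 0x14 data bytes, SW 90 00).
APDU_HEX = ("00 DA 01 50 14 80 11 1F FF 4B 01 43 04 "
            "00 00 00 00 00 00 00 00 00 00 00 00 90 00")


def decode_put_data(hex_str):
    """Split a short-APDU PUT DATA command (with trailing SW) into fields."""
    raw = bytes.fromhex(hex_str)
    if len(raw) < 5:
        raise ValueError("APDU shorter than a 5-byte header")
    cla, ins, p1, p2, lc = raw[:5]
    data = raw[5:5 + lc]
    if len(data) != lc:
        raise ValueError("Lc (%d) does not match data length (%d)" % (lc, len(data)))
    sw = raw[5 + lc:]
    return {
        "cla": cla, "ins": ins, "p1p2": (p1 << 8) | p2, "lc": lc,
        "data": data, "sw": sw.hex().upper(),
    }


def interpret_myeid_mapping(data):
    """Apply the field reading given in the message (an assumption about the
    MyEID layout): flag, 3-byte ACL, auth key FID, auth cert FID, rest unused."""
    if len(data) < 8:
        raise ValueError("data too short for flag/ACL/key FID/cert FID")
    return {
        "flag": data[0],
        "acl": data[1:4].hex().upper(),
        "auth_key_fid": data[4:6].hex().upper(),
        "auth_cert_fid": data[6:8].hex().upper(),
        "unused": data[8:],
    }


def parse_tlv(buf):
    """Minimal BER-TLV parser: single-byte tags, lengths in short or 0x81/0x82 form."""
    out, i = [], 0
    while i < len(buf):
        tag = buf[i]
        i += 1
        length = buf[i]
        i += 1
        if length == 0x81:
            length, i = buf[i], i + 1
        elif length == 0x82:
            length, i = (buf[i] << 8) | buf[i + 1], i + 2
        elif length > 0x80:
            raise ValueError("unsupported length form")
        out.append((tag, buf[i:i + length]))
        i += length
    return out


def build_chuid(fascn=None, guid=None):
    """Construct a CHUID-shaped TLV value (sample data, not a real card's object)."""
    body = b""
    if fascn is not None:
        body += bytes([0x30, len(fascn)]) + fascn   # FASC-N
    if guid is not None:
        body += bytes([0x34, len(guid)]) + guid     # GUID
    body += bytes([0x35, 8]) + b"20301231"          # expiration date, YYYYMMDD
    body += bytes([0x3E, 0])                        # issuer signature, left empty
    body += bytes([0xFE, 0])                        # error detection code, empty
    return body


def derive_serial(chuid_bytes):
    """Illustrative serial: FASC-N if present, else GUID, else '00000000'."""
    if not chuid_bytes:
        return "00000000"
    fields = dict(parse_tlv(chuid_bytes))
    for tag in (0x30, 0x34):
        if fields.get(tag):
            return fields[tag].hex().upper()
    return "00000000"


if __name__ == "__main__":
    apdu = decode_put_data(APDU_HEX)
    print("INS=%02X P1P2=%04X Lc=%d SW=%s"
          % (apdu["ins"], apdu["p1p2"], apdu["lc"], apdu["sw"]))
    print(interpret_myeid_mapping(apdu["data"]))
    guid = bytes(range(16))                         # constructed sample GUID
    print("serial with CHUID:   ", derive_serial(build_chuid(guid=guid)))
    print("serial without CHUID:", derive_serial(b""))
```

Running it prints the decoded header (INS DA, P1P2 0150, Lc 20, SW 9000), the mapped FIDs 4B01 and 4304, a serial taken from the sample GUID, and the all-zeros serial for a missing CHUID, which is the situation that makes several cards on one machine indistinguishable.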