From: Jakub J. <jj...@re...> - 2017-06-16 12:48:54
Hello,

during our testing we noticed that PIV token labels are used in OpenSC as a simple driver identification (PIV_II) [1]. The Coolkey module supporting PIV cards used this field to copy the cardholder name (if available), and from there GDM was using this name in various places, such as greeting after login [2] or identifying a unique card (very non-ideal).

I would not consider this a bug in OpenSC, but more like a potential room for improvement in OpenSC. I am posting here on the ML to get some ideas on whether it is a feature that would be interesting for you or whether it would be considered a change of behavior and API (PKCS#11 URI), before I put together a PR implementing this change.

The idea why this label should be more card-specific is from the PKCS#11 specification:

> application-defined label, assigned during token initialization. Must be padded with the blank character (‘ ‘). Should not be null-terminated.

This does not say anything about the content, but the cardholder name in the PIV case sounds a little bit more useful than just a string PIV_II.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1449740
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1462000

Thank you for comments and regards,

--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
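The label format quoted in the message above, as an added example that is not part of the original e-mail and is not OpenSC code: it fills a blank-padded, non-NUL-terminated label from a cardholder name without cutting a UTF-8 character in half, and reads it back the way a consumer such as a greeter would. The function names and the `fallback` parameter are hypothetical; the 32-byte size is that of the `label` field of `CK_TOKEN_INFO` in PKCS#11.

```c
#include <stddef.h>
#include <string.h>

#define TOKEN_LABEL_LEN 32  /* size of CK_TOKEN_INFO.label in PKCS#11 */

/* Hypothetical helper (not an OpenSC function): copy a UTF-8 cardholder
 * name into a fixed-size token label, blank-padded, not NUL-terminated.
 * Uses `fallback` (e.g. "PIV_II") when no name is available.
 * Returns the number of bytes copied before padding. */
size_t label_from_name(unsigned char label[TOKEN_LABEL_LEN],
                       const char *name, const char *fallback)
{
    const char *src = (name && *name) ? name : fallback;
    size_t n = src ? strlen(src) : 0;

    if (n > TOKEN_LABEL_LEN) {
        n = TOKEN_LABEL_LEN;
        /* Do not split a multi-byte UTF-8 sequence: back up while the
         * first dropped byte is a continuation byte (10xxxxxx). */
        while (n > 0 && ((unsigned char)src[n] & 0xC0) == 0x80)
            n--;
    }
    memset(label, ' ', TOKEN_LABEL_LEN);
    if (n > 0)
        memcpy(label, src, n);
    return n;
}

/* Reverse direction: strip the blank padding and produce a C string.
 * `out` must hold at least TOKEN_LABEL_LEN + 1 bytes, because the
 * label itself carries no terminator. Returns the string length. */
size_t label_to_string(const unsigned char label[TOKEN_LABEL_LEN], char *out)
{
    size_t n = TOKEN_LABEL_LEN;

    while (n > 0 && label[n - 1] == ' ')
        n--;
    memcpy(out, label, n);
    out[n] = '\0';
    return n;
}
```

Because the name is truncated to the field size and is not unique to a card, a label built this way is suitable for display only, not for telling two cards apart.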