From: Douglas E E. <dee...@gm...> - 2017-06-16 19:28:53
On 6/16/2017 7:48 AM, Jakub Jelen wrote:
> Hello,
> during our testing we noticed that PIV token labels are in OpenSC used as a simple driver identification (PIV_II) [1]. The Coolkey module supporting PIV cards used this field to copy the cardholder name
> (if available) and from there GDM was using this name in various places, such as the greeting after login [2] or identifying a unique card (very non-ideal).

The question is: Does anyone use the token label in a P11 URI? I Bcc'ed one person who may be doing that.

The pkcs15-piv.c sets the sc_pkcs15_auth_info label to "PIV Card Holder pin" or "Global PIN" depending on the Discovery Object flags.

Then p15card->tokeninfo->label = "PIV_II";

framework-pkcs15.c then does:

    snprintf(label, sizeof(label), "%.*s (%s)", (int) sizeof auth->label, auth->label, p15card->tokeninfo->label);

So the C_GetTokenInfo has one of these:

    token label : PIV Card Holder pin (PIV_II)
    token label : Global PIN (PIV_II)

I suppose the CN from the AUTH certificate could replace the p15card->tokeninfo->label. But there would only be 10 characters left. The "PIV Card Holder pin" or "Global PIN" could be shorter too.

The setting of the p15card->tokeninfo->label could be replaced around lines 768,769 before the comment "* get keyUsage if present save in ckis[i]", if this was the AUTH cert and the CN could be found.

> I would not consider this a bug in OpenSC, but more like potential room for improvement in OpenSC. I am posting here on the ML to get some ideas on whether it is a feature that would be interesting for you or
> if it would be considered a change of behavior and API (PKCS#11 URI), before I put together a PR implementing this change.
>
> The idea why this label should be more card-specific is from the PKCS#11 specification:
>
> > application-defined label, assigned during token initialization. Must be padded with the blank character (' '). Should not be null-terminated.
>
> This does not say anything about the content, but the cardholder name in the PIV case sounds a little bit more useful than just the string PIV_II.
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1449740
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1462000
>
> Thank you for comments and regards,

-- 
Douglas E. Engert <DEE...@gm...>
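An added example (not OpenSC's code) that mirrors the snprintf() composition quoted in the mail and then packs the result into the 32-byte, blank-padded, non-NUL-terminated CK_TOKEN_INFO.label field the PKCS#11 spec describes; it shows why only 10 characters remain for a CN behind "PIV Card Holder pin" and how a longer cardholder name gets silently cut. Function names and the sample cardholder name are made up.

```c
#include <stdio.h>
#include <string.h>

#define CK_LABEL_LEN 32   /* size of CK_TOKEN_INFO.label in PKCS#11 */

/* Build "<auth_label> (<token_label>)" into buf, NUL-terminated, the way
 * framework-pkcs15.c's snprintf() in the mail does. Returns the full
 * untruncated length like snprintf(), so a caller can detect truncation. */
size_t compose_label(char *buf, size_t bufsize,
                     const char *auth_label, const char *token_label)
{
    int n = snprintf(buf, bufsize, "%s (%s)", auth_label, token_label);
    return n < 0 ? 0 : (size_t)n;
}

/* Pack a C string into a PKCS#11 label field: copy at most 32 bytes and
 * pad the rest with ' '. No NUL terminator is written, per the spec.
 * Returns 1 if the source did not fit and was cut. */
int pack_pkcs11_label(unsigned char out[CK_LABEL_LEN], const char *src)
{
    size_t len = strlen(src);
    int truncated = len > CK_LABEL_LEN;
    memset(out, ' ', CK_LABEL_LEN);
    memcpy(out, src, truncated ? CK_LABEL_LEN : len);
    return truncated;
}

/* Characters of the 32-byte field left for a cardholder CN once the
 * auth label and the " (" ... ")" decoration are accounted for. */
int room_for_cn(const char *auth_label)
{
    int used = (int)strlen(auth_label) + 3;
    return used >= CK_LABEL_LEN ? 0 : CK_LABEL_LEN - used;
}

int main(void)
{
    char label[64];
    unsigned char field[CK_LABEL_LEN];

    compose_label(label, sizeof label, "PIV Card Holder pin", "PIV_II");
    printf("[%s] room left for a CN: %d\n", label,
           room_for_cn("PIV Card Holder pin"));

    /* constructed cardholder name: too long for the remaining 10 bytes */
    compose_label(label, sizeof label, "PIV Card Holder pin", "Jane Q. Exampleholder");
    printf("[%s] truncated when packed: %d\n", label,
           pack_pkcs11_label(field, label));
    return 0;
}
```

Two different cardholders whose names share the same first characters would produce identical 32-byte labels after packing, which is why a label is a poor unique identifier for a card.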