From: Jakub J. <jj...@re...> - 2017-08-18 12:58:46
On Fri, 2017-06-16 at 14:28 -0500, Douglas E Engert wrote:
>
> On 6/16/2017 7:48 AM, Jakub Jelen wrote:
> > Hello,
> > during our testing we noticed that PIV token labels are in OpenSC
> > used as a simple driver identification (PIV_II) [1]. Coolkey module
> > supporting PIV cards used this field to copy the cardholder name
> > (if available) and from there GDM was using this name on various
> > places, such as greeting after login [2] or identifying a unique
> > card (very non-ideal).
> > The question is: Does anyone use the token label in a P11 URI?
> I Bcc'ed one person who may be doing that.
>
> The pkcs15-piv.c sets the sc_pkcs15_auth_info label to "PIV Card
> Holder pin" or "Global PIN" depending on the Discovery Object flags.
> Then p15card->tokeninfo->label = "PIV_II";
> framework-pkcs15.c then does:
> snprintf(label, sizeof(label), "%.*s (%s)", (int) sizeof auth->label,
> auth->label, p15card->tokeninfo->label);
>
> So the C_GetTokenInfo has one of these:
> token label : PIV Card Holder pin (PIV_II)
> token label : Global PIN (PIV_II)
>
> I suppose the CN from the AUTH certificate could replace the
> p15card->tokeninfo->label. But there would only be 10 characters left.
> The "PIV Card Holder pin" or "Global PIN" could be shorter too.
>
> The setting of the p15card->tokeninfo->label could be
> replaced around line 768,769 before the comment :"* get keyUsage if
> present save in ckis[i]"
> and this was the AUTH cert and the CN could be found.

Thank you for the pointers and comments. I just filed a PR on Github [1]
with this feature (sorry it took so long, but other things piled up).
The PR should say everything. This is more like another heads up for
the ones who might be using these labels and who expect some
significance from them.

[1] https://github.com/OpenSC/OpenSC/pull/1133

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
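The following is an added worked example, not code from the thread, from the PR, or from OpenSC. It reproduces the arithmetic behind Douglas's "only 10 characters left": the PKCS#11 CK_TOKEN_INFO.label field is a fixed 32-byte, space-padded, non-NUL-terminated buffer, so a label composed as "<auth label> (<second>)" leaves 32 minus the auth label length minus 3 bytes for the second component. The example composes such a label, truncates the second component so it always fits, pads the result the way Cryptoki expects, and trims it back to the string form a PKCS#11 URI "token=" attribute is matched against. The function names (room_for_second, build_token_label, label_to_string, label_matches) and the sample CN "Jakub Jelen" are assumptions constructed for this illustration; they do not correspond to OpenSC's actual implementation.

```c
#include <stdio.h>
#include <string.h>

/* PKCS#11 CK_TOKEN_INFO.label is a fixed 32-byte field, padded with
 * spaces and not NUL terminated (Cryptoki specification). */
#define P11_TOKEN_LABEL_LEN 32

/* Bytes left for the second component of "<auth> (<second>)" once the
 * auth label, " (" and ")" are counted.  Never negative. */
int room_for_second(const char *auth_label)
{
    int used = (int)strlen(auth_label) + 3;
    int left = P11_TOKEN_LABEL_LEN - used;
    return left < 0 ? 0 : left;
}

/* Compose "<auth> (<second>)" like the snprintf quoted in the thread,
 * but truncate <second> so the result fits in 32 bytes, then space-pad
 * it into out[].  Returns how many bytes of <second> were dropped, or
 * -1 if even "<auth> ()" does not fit. (Hypothetical helper, not OpenSC's.) */
int build_token_label(const char *auth_label, const char *second,
                      unsigned char out[P11_TOKEN_LABEL_LEN])
{
    char tmp[P11_TOKEN_LABEL_LEN + 1];
    int room = room_for_second(auth_label);
    int sec_len = (int)strlen(second);
    int keep = sec_len < room ? sec_len : room;
    int n;

    if ((int)strlen(auth_label) + 3 > P11_TOKEN_LABEL_LEN)
        return -1;

    n = snprintf(tmp, sizeof tmp, "%s (%.*s)", auth_label, keep, second);
    if (n < 0 || n > P11_TOKEN_LABEL_LEN)
        return -1;              /* defensive; cannot happen after the check above */

    memset(out, ' ', P11_TOKEN_LABEL_LEN);
    memcpy(out, tmp, (size_t)n);
    return sec_len - keep;
}

/* Copy a space-padded 32-byte label into a NUL-terminated string with the
 * trailing padding removed, the form a PKCS#11 URI "token=" attribute
 * (RFC 7512) is compared against. */
void label_to_string(const unsigned char in[P11_TOKEN_LABEL_LEN],
                     char out[P11_TOKEN_LABEL_LEN + 1])
{
    int len = P11_TOKEN_LABEL_LEN;
    while (len > 0 && in[len - 1] == ' ')
        len--;
    memcpy(out, in, (size_t)len);
    out[len] = '\0';
}

/* Build a label and compare its trimmed form with an expected string.
 * Returns 1 on match, 0 on mismatch or if the label cannot be built. */
int label_matches(const char *auth_label, const char *second,
                  const char *expected)
{
    unsigned char raw[P11_TOKEN_LABEL_LEN];
    char str[P11_TOKEN_LABEL_LEN + 1];

    if (build_token_label(auth_label, second, raw) < 0)
        return 0;
    label_to_string(raw, str);
    return strcmp(str, expected) == 0;
}

int main(void)
{
    /* The two auth labels from the thread and a constructed sample CN. */
    const char *auth[] = { "PIV Card Holder pin", "Global PIN" };
    const char *cn = "Jakub Jelen";      /* constructed, 11 bytes */
    unsigned char raw[P11_TOKEN_LABEL_LEN];
    char str[P11_TOKEN_LABEL_LEN + 1];
    size_t i;

    for (i = 0; i < sizeof auth / sizeof auth[0]; i++) {
        int dropped = build_token_label(auth[i], cn, raw);
        label_to_string(raw, str);
        printf("%-20s room=%2d dropped=%d label=\"%s\"\n",
               auth[i], room_for_second(auth[i]), dropped, str);
    }
    return 0;
}
```

With "PIV Card Holder pin" the 11-byte sample CN loses its last byte ("Jakub Jele"), while "Global PIN" leaves 19 bytes and keeps it whole, which is the reason shortening the PIN label matters if a cardholder name is to go where "PIV_II" is today. Anything that matches on the trimmed label (a PKCS#11 URI "token=" value, or a GDM-style lookup of a unique card) sees the truncated form, so two holders whose names share a 10-byte prefix would collide.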