Use cardholder name in the PIN prompt (PIV)

[Jakuje]

The current PIN prompt for PIV cards is not very informative. It says either of the following:

token label        : PIV Card Holder pin (PIV_II)
token label        : Global PIN (PIV_II)

It answers the simple question if the user should use Global or Application PIN, but it does not say what card is that. Based on the report in RH bugzilla [1] and further discussion on mailing list [2] I decided to make two changes, hopefully to better:

• Use shorter name for the PIV Card Holder pin, such as App PIN to make some space for the actual cardholder name (I was considering Application PIN, but it would not fit most of the names next to that). The name is abbreviation from PIV Card Application PIN referenced in the NIST documentation [3]
• Replace the PIV_II string with the cardholder name (it is usually not important for users to hear that it is PIV card), if there is CN in the first (assuming AUTH) certificate read from the card.

The current prompt for the NIST test cards look like this:

token label        : App PIN (Test Cardholder X)
token label        : Global PIN (Test Cardholder VII)

This is also simple way for the end-application to fast recognize that the same/different card was inserted (as used in GNOME).

The code is mostly copied from CAC driver, which already does the same.

Yubikey PIV applets work the same way and report what is written in the certificate. In my case, I have some bar certificate:

token label        : App PIN (bar)

Suggestions for better naming or other improvements are welcomed.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1449740
[2] https://sourceforge.net/p/opensc/mailman/message/35898117/
[3] http:https://csrc.nist.gov/groups/SNS/piv/documents/test-piv-card-data-specifications.pdf

Checklist

• Tested with the following card: PIV-II card (NIST test cards, Yubikey NEO)
  • tested PKCS#11
  • tested Windows Minidriver
  • tested macOS Tokend

[mouse07410]

Frankly, I don't see much benefit in shortening the prompt. And "App" is far more confusing/ambiguous than "PIV Card Holder". The only reason to do that would be to match what NIST is doing.

In any case, the word "pin" should be all capital ("PIN").

[frankmorgner]

I'm not familiar with the PIV's terms, but App is ambiguous indeed.

[Jakuje]

This part of prompt is shortened to fit the cardholder name into it. It is passed through the Label of the CK_TOKEN_INFO structure, which is limited to 32 characters.
http:https://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cs01/pkcs11-curr-v2.40-cs01.html

[mouse07410]

And I'm certainly eager to see a14e5b7 reviewed and merged. Users would appreciate it.

[dengert]

I have some concerns:

• PIV CN names tend to be long. Based on the DOE issued certificates I used to work with the CN was "Firstname Lastname (Affiliate)" The lab was considered a DOE contractor, so (Affiliate) was added.
  With the few DOD certs I have seen, they used "lastname.Fristname.inital.nnnnnnnnnn.
  framework-pkcs11.c then only takes 32 bytes.
  strcpy_bp(slot->token_info.label, label, 32);

• The token_info.label may be used in a URI (p11-kit?) or script so some existing scripts may fail.

• The "App PIN " could be could be NULL, as most cards (only have) and users (only know) one PIN for the card and the Discovery object defines how to present it to the card.

So if these are not a concern to you, the code looks good.

[Jakuje]

@dengert thank you for comments.

• Yes, I know that the names can be long. From 32 chars we have already 13 gone for Global PIN so we are left with ~19. There should most of (at least) first names fit to give some idea whose card is that.

• The usage in PKCS11 URI was my initial concern and it was why I posted the mail in the mailing list two months ago. So far I didn't get any answer on that so I progressed here. If it is going to change, it should change for better and just once. I would like to avoid some more changes in future so I would not hurry with merging this yet.

• Using NULL instead of "App PIN" is actually a clever idea, since the General PIN should not be too commonly used. If this will be considered as a good idea by others too, I will try that.

[Jakuje]

On the second look, setting "App PIN" to NULL, would cause the "PKCS#15 layer" would see unnamed PIN, which does not look like an improvement.

The other solution to avoid ambiguity, would be to name the PIN just "PIN" (see the first modified commit). Possibly, we can also drop this "PIN" from token label, if it is the only thing in there, because it does not bring any useful information, that could be used by the user authenticating to this token.

Edit: The current labels look like this for Application PIN:

./src/tools/pkcs11-tool -L --module `pwd`/src/pkcs11/.libs/opensc-pkcs11.so
[..]
  token label        : Test Cardholder X

and for Global PIN

  token label        : Global PIN (Test Cardholder VII)