-
Notifications
You must be signed in to change notification settings - Fork 711
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use cardholder name in the PIN prompt (PIV) #1133
Conversation
src/libopensc/pkcs15-piv.c
Outdated
@@ -359,7 +359,7 @@ static int sc_pkcs15emu_piv_init(sc_pkcs15_card_t *p15card) | |||
}; | |||
|
|||
static const pindata pins[] = { | |||
{ "01", "PIV Card Holder pin", "", 0x80, | |||
{ "01", "App PIN", "", 0x80, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Frankly, I don't see much benefit in shortening the prompt. And "App" is far more confusing/ambiguous than "PIV Card Holder". The only reason to do that would be to match what NIST is doing.
In any case, the word "pin" should be all capital ("PIN").
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not familiar with the PIV's terms, but App is ambiguous indeed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This part of prompt is shortened to fit the cardholder name into it. It is passed through the Label of the CK_TOKEN_INFO
structure, which is limited to 32 characters.
http:https://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cs01/pkcs11-curr-v2.40-cs01.html
And I'm certainly eager to see a14e5b7 reviewed and merged. Users would appreciate it. |
I have some concerns:
So if these are not a concern to you, the code looks good. |
@dengert thank you for comments.
|
a14e5b7
to
1f14f49
Compare
On the second look, setting "App PIN" to The other solution to avoid ambiguity, would be to name the PIN just "PIN" (see the first modified commit). Possibly, we can also drop this "PIN" from token label, if it is the only thing in there, because it does not bring any useful information, that could be used by the user authenticating to this token. Edit: The current labels look like this for Application PIN:
and for Global PIN
|
1f14f49
to
78c2b7b
Compare
The current PIN prompt for PIV cards is not very informative. It says either of the following:
It answers the simple question if the user should use Global or Application PIN, but it does not say what card is that. Based on the report in RH bugzilla [1] and further discussion on mailing list [2] I decided to make two changes, hopefully to better:
PIV Card Holder pin
, such asApp PIN
to make some space for the actual cardholder name (I was consideringApplication PIN
, but it would not fit most of the names next to that). The name is abbreviation fromPIV Card Application PIN
referenced in the NIST documentation [3]PIV_II
string with the cardholder name (it is usually not important for users to hear that it is PIV card), if there is CN in the first (assuming AUTH) certificate read from the card.The current prompt for the NIST test cards look like this:
This is also simple way for the end-application to fast recognize that the same/different card was inserted (as used in GNOME).
The code is mostly copied from CAC driver, which already does the same.
Yubikey PIV applets work the same way and report what is written in the certificate. In my case, I have some
bar
certificate:Suggestions for better naming or other improvements are welcomed.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1449740
[2] https://sourceforge.net/p/opensc/mailman/message/35898117/
[3] http:https://csrc.nist.gov/groups/SNS/piv/documents/test-piv-card-data-specifications.pdf
Checklist