SmartCard PIV

[SmartCard PIV]
:AllowAnyNewKeyId=0
:CertificateIsPrivate=0
:CompressCertificate=1
CheckFIPS=1
:KeepCardNumber=0
RequireDigits=0
:ShowObjects=0
:UpdateByUser=0
UpdateCardHolderGUID=1
UseCardNumber=0

AllowAnyNewKeyId

When generating a key, it is possible to specify a key ID, that is, one byte such as 9A, 9C, etc. It is also possible to specify an empty key ID, that is, zero bytes. If the parameter is set to 1 (active), every key ID that is not exactly one byte is treated as empty, and the first available key ID is used.

[SmartCard PIV]
AllowAnyNewKeyId=0

Values

0: Inactive
1: Active

CertificateIsPrivate

CertificateIsPrivate tells whether the certificates are read-protected by the user PIN. The default is 0 (not protected), which allows the certificates to be read when investigating the smart card.

[SmartCard PIV]
CertificateIsPrivate=0

Values

0: Not protected
1: Protected

Example 1. Set the behavior for specific card models by ATR/TokenName.
[SmartCard PIV]
CertificateIsPrivate=1,3B8880017661756C746974325C;0,*

CompressCertificate

The CompressCertificate parameter tells whether a certificate is encoded with compression when it is written. Reading a certificate always handles both compressed and uncompressed encodings. The parameter can be set per ATR/Token.

[SmartCard PIV]
CompressCertificate=1,<ATR>;0,*

Values

0: Uncompressed only.
1: Compress.

Disable CompressCertificate for compatibility with the Yubico minidriver.
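The value,ATR;value,* syntax used by CertificateIsPrivate (Example 1) and CompressCertificate can be resolved against a card's ATR as shown below. This is an added example, not Net iD code; it assumes entries are evaluated left to right, that an ATR entry must match exactly, and that `*` matches any card.

```python
"""Resolve a per-card [SmartCard PIV] setting written as value,ATR;value,* pairs.
Added example, not Net iD code; the ATR below is the one from the page's Example 1."""
from typing import List, Optional, Tuple

# Constructed sample settings in the page's syntax.
CERT_PRIVATE = "1,3B8880017661756C746974325C;0,*"
COMPRESS_CERT = "1,<ATR>;0,*"  # placeholder ATR exactly as the page shows it


def parse_setting(raw: str) -> List[Tuple[int, str]]:
    """Split 'value,pattern;value,pattern' into ordered (value, pattern) pairs.
    A bare value with no pattern (e.g. 'CompressCertificate=1') is treated as '*'."""
    entries = []
    for part in raw.split(";"):
        part = part.strip()
        if not part:
            continue
        value, _, pattern = part.partition(",")
        entries.append((int(value.strip(), 0), (pattern.strip() or "*").upper()))
    return entries


def resolve(raw: str, atr_hex: str) -> Optional[int]:
    """Return the value that applies to a card with the given ATR.
    Assumption: entries are tried left to right; the first exact ATR match wins and
    '*' matches any card. Returns None when nothing matches and no '*' entry exists."""
    atr = atr_hex.replace(" ", "").upper()
    for value, pattern in parse_setting(raw):
        if pattern == "*" or pattern == atr:
            return value
    return None


def has_no_catch_all(raw: str) -> bool:
    """True when the setting lists specific ATRs but no '*' fallback, so the value
    for cards not listed is not configured by this setting at all."""
    return all(pattern != "*" for _, pattern in parse_setting(raw))
```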

CheckFIPS

Check whether a YubiKey is a FIPS 140-2 device or not, and write the result to the trace.

[SmartCard PIV]
CheckFIPS=0

Values

0: No FIPS check is done. This is the default value.
1: Do a FIPS check.
3: Do a FIPS check and update the model to YubiKey FIPS.

KeepCardNumber

The card number can be stored in the PIV profile. Net iD Client can generate a new random token number at C_InitToken when initializing a token, but it can also keep the current number. Activate the KeepCardNumber parameter to keep the old number.

[SmartCard PIV]
KeepCardNumber=0

Values

0: Generate a new number.
1: Keep the current number.

ShowObjects

A number of PIV data objects can be shown as PKCS#11 data objects. To avoid reading unnecessary objects, only those configured are read. This value is a bitmask of the objects that may be read.

BITMASK;NAME;OID
0x0000000001;Card Capability Container;2.16.840.1.101.3.7.2.219.0
0x0000000002;Card Holder Unique Identifier;2.16.840.1.101.3.7.2.48.0
0x0000000004;X.509 Certificate for PIV Authentication;2.16.840.1.101.3.7.2.1.1
0x0000000008;Cardholder Fingerprints;2.16.840.1.101.3.7.2.96.16
0x0000000010;Security Object;2.16.840.1.101.3.7.2.144.0
0x0000000020;Cardholder Facial Image;2.16.840.1.101.3.7.2.96.48
0x0000000040;Printed Information;2.16.840.1.101.3.7.2.48.1
0x0000000080;X.509 Certificate for Digital Signature;2.16.840.1.101.3.7.2.1.0
0x0000000100;X.509 Certificate for Key Management;2.16.840.1.101.3.7.2.1.2
0x0000000200;X.509 Certificate for Card Authentication;2.16.840.1.101.3.7.2.5.0
0x0000000400;Discovery Object;2.16.840.1.101.3.7.2.96.80
0x0000000800;Key History Object;2.16.840.1.101.3.7.2.96.96
0x0000001000;Retired X.509 Certificate for Key Management 1;2.16.840.1.101.3.7.2.16.1
0x0000002000;Retired X.509 Certificate for Key Management 2;2.16.840.1.101.3.7.2.16.2
0x0000004000;Retired X.509 Certificate for Key Management 3;2.16.840.1.101.3.7.2.16.3
0x0000008000;Retired X.509 Certificate for Key Management 4;2.16.840.1.101.3.7.2.16.4
0x0000010000;Retired X.509 Certificate for Key Management 5;2.16.840.1.101.3.7.2.16.5
0x0000020000;Retired X.509 Certificate for Key Management 6;2.16.840.1.101.3.7.2.16.6
0x0000040000;Retired X.509 Certificate for Key Management 7;2.16.840.1.101.3.7.2.16.7
0x0000080000;Retired X.509 Certificate for Key Management 8;2.16.840.1.101.3.7.2.16.8
0x0000100000;Retired X.509 Certificate for Key Management 9;2.16.840.1.101.3.7.2.16.9
0x0000200000;Retired X.509 Certificate for Key Management 10;2.16.840.1.101.3.7.2.16.10
0x0000400000;Retired X.509 Certificate for Key Management 11;2.16.840.1.101.3.7.2.16.11
0x0000800000;Retired X.509 Certificate for Key Management 12;2.16.840.1.101.3.7.2.16.12
0x0001000000;Retired X.509 Certificate for Key Management 13;2.16.840.1.101.3.7.2.16.13
0x0002000000;Retired X.509 Certificate for Key Management 14;2.16.840.1.101.3.7.2.16.14
0x0004000000;Retired X.509 Certificate for Key Management 15;2.16.840.1.101.3.7.2.16.15
0x0008000000;Retired X.509 Certificate for Key Management 16;2.16.840.1.101.3.7.2.16.16
0x0010000000;Retired X.509 Certificate for Key Management 17;2.16.840.1.101.3.7.2.16.17
0x0020000000;Retired X.509 Certificate for Key Management 18;2.16.840.1.101.3.7.2.16.18
0x0040000000;Retired X.509 Certificate for Key Management 19;2.16.840.1.101.3.7.2.16.19
0x0080000000;Retired X.509 Certificate for Key Management 20;2.16.840.1.101.3.7.2.16.20
0x0100000000;Cardholder Iris Images;2.16.840.1.101.3.7.2.16.21
Example 2. Default value and bitmask explained
[SmartCard PIV]
ShowObjects=0x0000000797

The bitmask value 0x0000000797 corresponds to:
0x0000000001;Card Capability Container;2.16.840.1.101.3.7.2.219.0
0x0000000002;Card Holder Unique Identifier;2.16.840.1.101.3.7.2.48.0
0x0000000004;X.509 Certificate for PIV Authentication;2.16.840.1.101.3.7.2.1.1
0x0000000010;Security Object;2.16.840.1.101.3.7.2.144.0
0x0000000080;X.509 Certificate for Digital Signature;2.16.840.1.101.3.7.2.1.0
0x0000000100;X.509 Certificate for Key Management;2.16.840.1.101.3.7.2.1.2
0x0000000200;X.509 Certificate for Card Authentication;2.16.840.1.101.3.7.2.5.0
0x0000000400;Discovery Object;2.16.840.1.101.3.7.2.96.80
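Decoding a ShowObjects value into the objects it enables, and building one from a list of object names, as an added example (not Net iD code). The table is rebuilt from the BITMASK;NAME;OID list above; the Retired Key Management rows follow the regular pattern of bit 11+n and OID 2.16.840.1.101.3.7.2.16.n.

```python
"""Decode and build the [SmartCard PIV] ShowObjects bitmask. Added example, not Net iD
code; the object table is rebuilt from the page's BITMASK;NAME;OID list."""
from typing import Dict, Iterable, List, Tuple


def piv_object_table() -> Dict[int, Tuple[str, str]]:
    """Bit value -> (object name, OID). Bits 0..11 are the fixed objects, bits 12..31 the
    twenty Retired Key Management certificates (OID ...2.16.n), bit 32 Iris Images."""
    fixed = [
        ("Card Capability Container", "2.16.840.1.101.3.7.2.219.0"),
        ("Card Holder Unique Identifier", "2.16.840.1.101.3.7.2.48.0"),
        ("X.509 Certificate for PIV Authentication", "2.16.840.1.101.3.7.2.1.1"),
        ("Cardholder Fingerprints", "2.16.840.1.101.3.7.2.96.16"),
        ("Security Object", "2.16.840.1.101.3.7.2.144.0"),
        ("Cardholder Facial Image", "2.16.840.1.101.3.7.2.96.48"),
        ("Printed Information", "2.16.840.1.101.3.7.2.48.1"),
        ("X.509 Certificate for Digital Signature", "2.16.840.1.101.3.7.2.1.0"),
        ("X.509 Certificate for Key Management", "2.16.840.1.101.3.7.2.1.2"),
        ("X.509 Certificate for Card Authentication", "2.16.840.1.101.3.7.2.5.0"),
        ("Discovery Object", "2.16.840.1.101.3.7.2.96.80"),
        ("Key History Object", "2.16.840.1.101.3.7.2.96.96"),
    ]
    table = {1 << i: entry for i, entry in enumerate(fixed)}
    for n in range(1, 21):
        table[1 << (11 + n)] = (f"Retired X.509 Certificate for Key Management {n}",
                                f"2.16.840.1.101.3.7.2.16.{n}")
    table[1 << 32] = ("Cardholder Iris Images", "2.16.840.1.101.3.7.2.16.21")
    return table


def decode_show_objects(value: str) -> List[str]:
    """Names of the objects a ShowObjects value such as '0x0000000797' will read.
    Bits that match no PIV object raise, which catches a mistyped mask."""
    mask = int(value, 0)
    table = piv_object_table()
    unknown = mask & ~sum(table)
    if unknown:
        raise ValueError(f"ShowObjects has bits with no PIV object: {unknown:#x}")
    return [table[bit][0] for bit in sorted(table) if mask & bit]


def encode_show_objects(names: Iterable[str]) -> str:
    """Inverse: the 10-digit hex mask for a set of object names, e.g. to build a value
    that reads only the objects a deployment actually needs."""
    by_name = {name: bit for bit, (name, _) in piv_object_table().items()}
    mask = 0
    for name in names:
        mask |= by_name[name]
    return f"0x{mask:010x}"
```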

RequireDigits

The PIV specification requires that the PIN contain only digits, but some PIV implementations allow non-digits. The RequireDigits parameter can disable the requirement and allow all characters.

[SmartCard PIV]
RequireDigits=0

UpdateByUser

The PIV specification states that all updates of a PIV token require the administrator (CKU_SO), using the AdminKey. Some PIV implementations, however, allow the User PIN for updates.

[SmartCard PIV]
UpdateByUser=0

Values

The default value depends on the token. Crescendo Key updates with the User PIN; all other PIV tokens use the AdminKey.

0: AdminKey update
1: PIN update

UpdateCardHolderGUID

If a CHUID exists on the PIV token, the UpdateCardHolderGUID parameter updates it with a new random value whenever the token changes. This keeps caches compatible with other minidrivers.

[SmartCard PIV]
UpdateCardHolderGUID=1

Values

0: Inactive
1: Active, update CHUID

UseCardNumber

The PIV specification defines a GUID as the token identifier, but some tokens also have a shorter, more user-friendly number. This parameter tells whether to use the shorter token number.

[SmartCard PIV]
UseCardNumber=1

Values

The default value depends on the token. Tokens whose implementation supports the shorter number will use it; all others use the GUID. The normal GUID is also used when no shorter number can be read.

0: GUID
1: Shorter number