A newer version of this documentation is available.

Match

The variables are used in several places, but those variables may also be used for matching. For example, an action should be performed when a specific smart card is inserted.

Variables

The matching is generic. You can match any variable as long as you have something to match with. All matching conditions are named, so the only limitation is that maximum 999 matching conditions are allowed.

Example 1. Common matching conditions

The example below shows the most common matching conditions. The character = is used for equal condition, and you may use the string and or or to create complex matching conditions with other named conditions.

[Match]
01={Pointsharp} {subject:2.5.4.10}=Pointsharp*
02={HoneyR} {subject:2.5.4.3}=Honey R*
03={CTO} {Pointsharp} or {HoneyR}
04={Skatteverket} {subject:2.5.4.10}=Skatteverket*
05={GoodGuys} {Pointsharp} or {Skatteverket}
06={Expire} {expire:days}<30
07={NonRep} {keyusage}&0x40
08={Not-NonRep} {keyusage}!&0x40

The order is important when using matching with other named conditions. When used, it must already be defined.

Example 2. This example does NOT work.

[Match]
01={Pointsharp} {subject:2.5.4.10}=Pointsharp*
02={CTO} {Pointsharp} or {HoneyR} (1)
03={HoneyR} {subject:2.5.4.3}=Honey R*

1	{HoneyR} is not defined yet.

Matching operators

=: EQUAL
!=: NOT EQUAL
>: GREATER THAN
<: SMALLER THAN
&: BITMASK AND
!&: NOT BITMASK AND

Examples

Example 3. URL-encode the matching string.

Since there are several characters that are used for matching, it is also possible to URL-encode the matching string:

01={HoneyR} {subject:2.5.4.42}=Honey%2C Johan%2C Urban

Example 4. Use variables on both sides.

The matching may include variables on both sides:

01={RootCA} {subject}={issuer}

Example 5. Using wildcard.

As seen above, * is used as a wild card for any string. The wild card can be specified both at the start and end.

01={HoneyR} {subject:2.5.4.3}=Honey Ryder
01={HoneyR} {subject:2.5.4.3}=*Honey R*
01={HoneyR} {subject:2.5.4.3}=*Ryder

Example 6. Use ! to set arguments as non-match.

When matching is used as an argument, it is also possible to add ! to a named matching condition to set it as a non-match:

[Match]
01={TokenPresent} {token-present}=yes

[Dialog Image]
01=logo_missing.png -match !{TokenPresent}
02=logo_present.ico -match {TokenPresent}

Tokens

Some special matching is used for tokens in the configuration using the variable AllowToken:

#define MODE_ALLOW_SMART_CARD       0x01
#define MODE_ALLOW_VSC              0x02
#define MODE_ALLOW_LOAD_CSP         0x04
#define MODE_ALLOW_LOAD_TPM         0x08
#define MODE_ALLOW_ALL_TOKEN        0xFF

[CredentialProvider]
AllowToken=0xFF
[CSP]
AllowToken=0xFF
[KSP]
AllowToken=0xFF
[MiniDriver]
AllowToken=0x01

The AllowToken parameter can also be used during installation to limit the registration of smart cards, bit 8—31. The same list of smart cards as License, but translated to a bitmask starting from bit 8, since first byte is already used:

#define CARD_SETEC_SETCOS     0    (0x000001??)
#define CARD_FINEID           1    (0x000002??)
#define CARD_SIEMENS_CARDOS   2    (0x000004??)
#define CARD_GEMPLUS          3    (0x000008??)
#define CARD_DOTNET           4    (0x000010??)
#define CARD_IASECC           5    (0x000020??)
#define CARD_PIV              6    (0x000040??)
#define CARD_YUBIKEY          7    (0x000080??)
#define CARD_BUYPASS          8    (0x000100??)
#define CARD_SND              9    (0x000200??)
#define CARD_MYEID            10   (0x000400??)
#define CARD_ESTEID           11   (0x000800??)
#define CARD_ACTIVID          12   (0x001000??)
#define CARD_JCOP             13   (0x002000??)
#define CARD_FEITIAN          14   (0x004000??)
#define CARD_CRESCENDO        15   (0x008000??)
#define CARD_IDENTIV          16   (0x010000??)

Example 7. To only allow smart cards with YubiKey and Feitian models:

[MiniDriver]
AllowToken=0x00408001