[SmartCard]
AtrAllow=
AtrDeny=
AutoUpdateKeyId=1
BlockRawAlgorithm=0
CalculateUsedTime=0
CheckExpire=60
CommandChaining=0
CreateUpdateCounter=1
DefaultProfile=
DiskCache=0
IgnoreEFDIR=0
KeySizeECC=
KeySizeRSA=
LabelFromEDIR=0
LoginTimeout=0
MaxProfiles=3
MayCreateWithSecondaryPIN=
NoWriteMapping=
ObjectSortMode=2
PinExpire=0
PinMaxLen=
PinMinLen=
PinType=
ProfileOrder=
TemporaryModel=
TemporaryValidity=30
UseChallengeResponse=
UseInternalUpdate=1
UseLastUpdate=1
ValidateUpdateCounter=0
Net iD Client tries to use all smart cards with known ATRs (answer to reset). But there are situations when other clients should handle specific smart cards, so you can add a whitelist or blacklist of supported ATRs.
[SmartCard]
AtrAllow=
AtrDeny=3BD996FF8131FE454352455343454E444FFF;3BD996FF8131FE454352455343454E444FFE
The AutoUpdateKeyId parameter updates all connected objects when CKA_ID is updated for an object. CKA_ID is used to connect a private key, public key, and certificate. When this parameter is activated, an update of a private key also updates the public key and certificate.
Net iD Client uses any algorithm supported by the smart card. Some smart cards can be configured with or without support for the raw RSA algorithm while looking identical to the client, so they will sometimes support raw RSA and sometimes not. Reporting raw RSA support when it is not actually available can cause applications to fail when using the smart card. This parameter disables raw RSA support even when the smart card implementation supports it.
Note: This setting has no effect on smart cards without raw RSA support.
The CalculateUsedTime parameter adds an internal counter that tracks execution time and records it in the trace file.
Command chaining is a method of sending data to the smart card that exceeds 256 bytes. Normally this is handled by the smart card implementation, so never change this value.
The update counter is needed to track updates of objects or the PIN on the smart card. Some smart cards have a built-in update counter, and others allow the creation of a custom data object that stores this information. This parameter controls that creation, which only happens if the parameter is enabled.
The smart card cache stores all public data from the smart card to avoid reading the same data many times since the reading can be slow. The cache uses the cache service if it is available. It can also store the data on disk to keep the data even if the computer is rebooted.
Default profile is used when it is not possible to identify the smart card profile. It is used to investigate the smart card but should never be used for production environments.
Acceptable values are:
The minimum and maximum sizes of RSA are specified in the smart card implementation. But it is possible to change those values for some smart cards. The upper WORD contains the minimum size, and the lower WORD contains the maximum size.
The minimum and maximum sizes of ECC are specified in the smart card implementation. But it is possible to change those values for some smart cards. The upper WORD contains the minimum size, and the lower WORD contains the maximum size.
LoginTimeout specifies the number of seconds the login procedure can be inactive. The counter resets when the PIN is used.
Resets the counter:
Login (when already logged in)
Key usage (sign/verify/encrypt/decrypt/etc.)
Card update (create/delete/etc.)
Does not reset the counter:
Search for object
Login status check
#define PIN1 0x01
#define PIN2 0x02
#define PIN3 0x04

[SmartCard]
LoginTimeout=<seconds>,<pin-bit-mask>
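An added example (not Net iD Client code) that encodes and decodes the packed KeySizeRSA/KeySizeECC value (minimum in the upper WORD, maximum in the lower) and the LoginTimeout value with its PIN bit mask, as described above. The INI fragment is constructed for the example, and treating a LoginTimeout without a mask as applying to all three PINs is an assumption.

```python
import configparser

PIN1, PIN2, PIN3 = 0x01, 0x02, 0x04              # bit-mask values from the page
PIN_NAMES = {PIN1: "PIN1", PIN2: "PIN2", PIN3: "PIN3"}
ALL_PINS = PIN1 | PIN2 | PIN3


def encode_key_size(min_bits: int, max_bits: int) -> int:
    """Pack a key-size range into one value: minimum in the upper WORD, maximum in the lower."""
    if not 0 < min_bits <= max_bits <= 0xFFFF:
        raise ValueError("need 0 < min <= max <= 65535")
    return (min_bits << 16) | max_bits


def decode_key_size(value: int) -> tuple[int, int]:
    """Unpack a KeySizeRSA/KeySizeECC value into (min_bits, max_bits), rejecting min > max."""
    min_bits, max_bits = (value >> 16) & 0xFFFF, value & 0xFFFF
    if min_bits > max_bits:
        raise ValueError(f"upper WORD {min_bits} exceeds lower WORD {max_bits}")
    return min_bits, max_bits


def decode_login_timeout(value: str) -> tuple[int, list[str]]:
    """Parse '<seconds>,<pin-bit-mask>'. Assumption: no mask means all three PINs."""
    seconds, _, mask = value.partition(",")
    mask_bits = int(mask, 0) if mask else ALL_PINS    # int(..., 0) accepts 0x03 or 3
    if mask_bits & ~ALL_PINS:
        raise ValueError(f"unknown PIN bits in mask {mask_bits:#x}")
    return int(seconds), [name for bit, name in PIN_NAMES.items() if mask_bits & bit]


# Constructed [SmartCard] fragment: RSA 2048-4096 bits, 300 s timeout for PIN1 and PIN2.
SAMPLE_INI = """\
[SmartCard]
KeySizeRSA=134221824
LoginTimeout=300,0x03
"""


def decode_section(ini_text: str = SAMPLE_INI) -> dict:
    """Read the fragment and return the decoded values."""
    parser = configparser.ConfigParser()
    parser.optionxform = str                          # keep the keys' case
    parser.read_string(ini_text)
    section = parser["SmartCard"]
    return {"KeySizeRSA": decode_key_size(int(section["KeySizeRSA"])),
            "LoginTimeout": decode_login_timeout(section["LoginTimeout"])}


if __name__ == "__main__":
    print(decode_section())   # {'KeySizeRSA': (2048, 4096), 'LoginTimeout': (300, ['PIN1', 'PIN2'])}
```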
The MaxProfiles parameter tells the maximum number of smart card profiles. Usually, only one profile is required, but some smart cards contain many profiles.
Most smart cards create objects using the primary PIN, even for secondary PIN objects. But some require the secondary PIN when creating secondary PIN objects.
Multi-PIN tokens usually update the tokens using PIN1, even for objects connected to PIN2. The NoWriteMapping parameter contains a semicolon-separated list of smart card profiles that require PIN2 for the update of objects connected to PIN2.
For AdmUtil, only the PIN1 dialog is shown when NoWriteMapping is not specified or does not include the profile name.
For AdmUtil, both the PIN1 and PIN2 dialog are shown when NoWriteMapping has a specified value.
[SmartCard]
NoWriteMapping=PKCS#15;IDPrime SIS
Certificates are sorted based on certificate issuing date.
The complete representation of date and time of day is given by
Sorting can be based on date, date and time of day, or no sorting.
#define SORT_MODE_NONE 0
#define SORT_MODE_DAY 1
#define SORT_MODE_SECOND 2

[SmartCard]
ObjectSortMode=2
The PinExpire parameter tells the number of days until a PIN change is required. Smart cards that support update counter with timestamps for PIN change can also include an automatic PIN expire functionality. This means that the end-user is forced to change the PIN at regular intervals.
Note: For smart cards with no support for PinExpire, that is, no possibility to write a timestamp, PinExpire is always set to 0.
The number of days until PIN must be changed.
Card model for which the time rule is valid. Optional argument.
PIN policy should be stored in the smart card profile. But the configuration can add more requirements. The PinMaxLen parameter tells the maximum number of characters in the PIN.
PIN policy should be stored in the smart card profile. But the configuration can add more requirements. The PinMinLen parameter tells the minimum number of characters in the PIN.
PIN policy should be stored in the smart card profile. But the configuration can add more requirements. The PinType parameter tells that a specific PIN policy is necessary.
// Password type:
// 0 -> all chars (case sensitive)
// 1 -> all chars (case insensitive)
// 2 -> all chars (max 2 in row or normal/keyboard sequence)
// 3 -> all chars (max 2 in row or normal sequence)
// 4 -> all chars (max 2 in row)
// 5 -> only digits
//
// Normal sequence:
// a-z, z-a, 0-9, 9-0
// Keyboard sequence:
// qwertyuiop, poiuytrewq
// asdfghjkl, lkjhgfdsa,
// zxcvbnm, mnbvcxz,
// qaz, zaq, wsx, xsw, ...

[SmartCard]
PinType=5
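An added example (not Net iD Client code) of a PIN policy check modelled on the PinType values above, with PinMinLen/PinMaxLen as the length limits. It assumes that a violation means three or more consecutive characters (the page says "max 2 in row") and uses only the keyboard sequences the page lists; its "..." is not expanded.

```python
import string

ALPHA, DIGITS = string.ascii_lowercase, string.digits
NORMAL_SEQUENCES = (ALPHA, ALPHA[::-1], DIGITS, DIGITS[::-1])      # a-z, z-a, 0-9, 9-0
KEYBOARD_SEQUENCES = ("qwertyuiop", "poiuytrewq", "asdfghjkl", "lkjhgfdsa",
                      "zxcvbnm", "mnbvcxz", "qaz", "zaq", "wsx", "xsw")   # as listed on the page
RUN = 3   # assumption: "max 2 in row" means a third consecutive character is a violation


def _in_sequence(pin: str, sequences) -> bool:
    """True if any RUN consecutive characters of the PIN form part of a listed sequence."""
    low = pin.lower()
    return any(low[i:i + RUN] in seq
               for i in range(len(low) - RUN + 1) for seq in sequences)


def _repeated(pin: str) -> bool:
    """True if the same character occurs RUN times in a row."""
    return any(len(set(pin[i:i + RUN])) == 1 for i in range(len(pin) - RUN + 1))


def check_pin(pin: str, pin_type: int, min_len: int = 4, max_len: int = 16) -> list[str]:
    """Return the policy violations for a PIN under PinType/PinMinLen/PinMaxLen
    (empty list means accepted). Types 0 and 1 only differ in how the PIN is
    compared (case sensitive or not), so they get the length check only."""
    problems = []
    if not min_len <= len(pin) <= max_len:
        problems.append(f"length {len(pin)} outside {min_len}-{max_len}")
    if pin_type == 5 and not pin.isdigit():
        problems.append("PinType 5 allows digits only")
    if pin_type in (2, 3, 4) and _repeated(pin):
        problems.append("more than 2 identical characters in a row")
    if pin_type in (2, 3) and _in_sequence(pin, NORMAL_SEQUENCES):
        problems.append("normal sequence (a-z, z-a, 0-9, 9-0)")
    if pin_type == 2 and _in_sequence(pin, KEYBOARD_SEQUENCES):
        problems.append("keyboard sequence")
    return problems


if __name__ == "__main__":
    for candidate, pin_type in (("123456", 5), ("111234", 4), ("abc987", 3), ("qazXY7", 2)):
        print(candidate, pin_type, check_pin(candidate, pin_type) or "accepted")
```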
There is some special handling for temporary smart cards. The TemporaryModel parameter contains a list of semicolon-separated models that are considered to be temporary.
There is some special handling for temporary smart cards. The TemporaryValidity parameter tells the validity period for models that are considered to be temporary.
Challenge-response to unlock a PIN is supported on some smart cards. The UseChallengeResponse parameter tells which smart card models can use challenge-response. Some smart cards use challenge-response for PIN1 and PUK for PIN2, so it is possible to specify different values for each PIN.
[SmartCard]
UseChallengeResponse=<timeout pin1>[:<size pin1>] <timeout pin2>[:<size pin2>] <timeout pin3>[:<size pin3>],<ATR-model>
For all IDPrime MD cards, you must examine the trace. If only PUK or SO-KEY is given as the unlock type, it is handled automatically.
PIN1 and PIN2 are handled automatically. PIN3 requires configuration settings because PUK is the default usage.
[00003676:00005196] 11.03.05.118 ProfilePrimeMD - Credential PIN1 available (size 6-16, unlock SO-KEY) (1)
[00003676:00005196] 11.03.05.118 ProfilePrimeMD - Credential PIN2 available (size 6-16, unlock PUK) (1)
[00003676:00005196] 11.03.05.118 ProfilePrimeMD - Credential PIN3 available (size 6-16, unlock PUK/SO-KEY) (2)
(1) PIN1 and PIN2 are handled automatically because only SO-KEY or PUK is given as unlock type.
(2) PIN3 requires configuration settings because PUK is the default usage.
These are the settings for the smart card IDPrime MD 830B where PIN2 uses PUK, but PIN1 and PIN3 use challenge-response.
[SmartCard]
UseChallengeResponse=180 0 180,IDPrime MD 830B
Note: You do not need to specify the size since it is always 8 bytes.
Note: The example configuration above is not necessary, since the settings it specifies are set automatically by Net iD Client.
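An added example (not Net iD Client code) that reads the IDPrime MD trace lines above to find which PINs need explicit settings, and parses a UseChallengeResponse value against them. The trace sample is copied from the page with the callout markers dropped; treating a timeout of 0 as "keeps PUK, no challenge-response" and a missing size as 8 bytes follows the example above and is an assumption beyond it.

```python
import re

# Trace lines copied from the page (callout markers dropped): one IDPrime MD credential per line.
TRACE = """\
[00003676:00005196] 11.03.05.118 ProfilePrimeMD - Credential PIN1 available (size 6-16, unlock SO-KEY)
[00003676:00005196] 11.03.05.118 ProfilePrimeMD - Credential PIN2 available (size 6-16, unlock PUK)
[00003676:00005196] 11.03.05.118 ProfilePrimeMD - Credential PIN3 available (size 6-16, unlock PUK/SO-KEY)
"""
CREDENTIAL_RE = re.compile(r"Credential (PIN\d) available \(size (\d+)-(\d+), unlock ([A-Z/-]+)\)")
DEFAULT_SIZE = 8   # bytes; the page states the size is always 8 for these cards


def pins_needing_config(trace: str = TRACE) -> dict[str, str]:
    """Map PIN -> unlock types for credentials listing more than one unlock method
    (e.g. PUK/SO-KEY); a lone PUK or SO-KEY is handled automatically per the page."""
    return {m.group(1): m.group(4)
            for m in CREDENTIAL_RE.finditer(trace) if "/" in m.group(4)}


def parse_challenge_response(value: str) -> tuple[dict[str, tuple[int, int]], str]:
    """Parse '<t1>[:<s1>] <t2>[:<s2>] <t3>[:<s3>],<ATR-model>' into
    ({'PIN1': (timeout, size), ...}, model). Following the page's example,
    a timeout of 0 means that PIN keeps PUK instead of challenge-response."""
    fields, _, model = value.partition(",")
    parts = fields.split()
    if len(parts) != 3 or not model.strip():
        raise ValueError("expected three PIN fields followed by ',<ATR-model>'")
    pins = {}
    for index, part in enumerate(parts, start=1):
        timeout, _, size = part.partition(":")
        pins[f"PIN{index}"] = (int(timeout), int(size) if size else DEFAULT_SIZE)
    return pins, model.strip()


def unconfigured_pins(value: str, trace: str = TRACE) -> list[str]:
    """PINs the trace shows need explicit settings but whose configured timeout is 0."""
    pins, _ = parse_challenge_response(value)
    return [pin for pin in pins_needing_config(trace) if pins.get(pin, (0, 0))[0] == 0]


if __name__ == "__main__":
    print(pins_needing_config())                              # {'PIN3': 'PUK/SO-KEY'}
    print(unconfigured_pins("180 0 180,IDPrime MD 830B"))     # []
    print(unconfigured_pins("180 0 0,IDPrime MD 830B"))       # ['PIN3']
```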
Some smart cards have an update counter but may not store a timestamp. Some of those smart cards allow the creation of a data object, which makes it possible to create an internal update counter that can use a timestamp. This timestamp then enables the PIN expire functionality.
Some smart cards have a reference to the last update counter but do not make this counter updateable, so it must be disabled.