TokenTPM

[TokenTPM]
CheckExpire=60
Events=4
LoadFromPCSC=1
:LoginTimeout=0
:ModeReadOnly=0
:ModeRegisterCertificate=0
NameAllow=
NameDeny=Microsoft Virtual Smart Card*;Windows Hello*;Intercede Virtual Reader*
PinExpire=0
PinMaxLen=32
PinMinLen=2
:PinPolicy=
:PinType=0
:RememberFailedAttempt=1
SingleSignOn=1
UseChallengeResponse=180

CheckExpire

CheckExpire checks the validity period of the certificate. When the remaining validity time is less than or equal to the configured value, CheckExpire returns the remaining time in seconds. If the remaining time is greater than the configured value, it returns -1.

[TokenTPM]
CheckExpire=<time>

Values

time

The time in days.

Events

The Events parameter tells when to validate the soft token for updates. The value is a bitmask, so validation can be enabled at several points at once.

#define VALIDATE_TOKEN_OFF           0
#define VALIDATE_TOKEN_EVENT         1
#define VALIDATE_TOKEN_LIST_SLOT     2
#define VALIDATE_TOKEN_DETECT_RUN    4

[TokenTPM]
Events=4

LoadFromPCSC

The default behavior is to load the TPM modules via PC/SC. The alternative is to specify explicitly the names of the modules to load.

[TokenTPM]
LoadFromPCSC=1

LoginTimeout

LoginTimeout specifies the number of seconds the login procedure can be inactive. The counter resets when the PIN is used.

Resets the counter:

  • Login

  • Login (when already logged in)

  • Key usage (sign/verify/encrypt/decrypt/etc.)

  • Card update (create/delete/etc.)

Does not reset the counter:

  • Search for object

  • Reading object

  • Login status check

#define PIN1 0x01
#define PIN2 0x02
#define PIN3 0x04

[TokenTPM]
LoginTimeout=<seconds>,<pin-bit-mask>

Values

seconds

Number of seconds that the PIN is valid.

pin-bit-mask

Specifies for which PINs the LoginTimeout is used. If no value is given, all PINs use the LoginTimeout value.

ModeReadOnly

There are situations when Net iD Client should load the TPM modules but not allow any update, such as changing the PIN.

[TokenTPM]
ModeReadOnly=0

ModeRegisterCertificate

Certificates from the TPM modules are most likely already registered by Windows through Microsoft certificate propagation. This parameter enables or disables certificate registration.

[TokenTPM]
ModeRegisterCertificate=0

NameAllow, NameDeny

The NameAllow and NameDeny parameters act as an allow list and a deny list of the TPM module names that should be handled. Multiple names are separated by semicolons, as in the example below.

[TokenTPM]
NameAllow=
NameDeny=Microsoft Virtual Smart Card*;Windows Hello*;Intercede Virtual Reader*

PinExpire

Soft tokens always keep a time stamp of the last PIN change, so automatic PIN expiration can also be enabled. This means that the end user is forced to change the PIN at regular intervals. The PinExpire parameter gives the number of days until a change is required.

[TokenTPM]
PinExpire=90

PinMaxLen

The PIN policy should be stored in the smart card profile, but the configuration can add further requirements. The PinMaxLen parameter gives the maximum number of characters in the PIN.

[TokenTPM]
PinMaxLen=6

PinMinLen

The PIN policy should be stored in the smart card profile, but the configuration can add further requirements. The PinMinLen parameter gives the minimum number of characters in the PIN.

[TokenTPM]
PinMinLen=6

PinPolicy

PinPolicy specifies the default PIN policy to use when creating a new TPM token. Normally, PinPolicy is specified during creation.

PinType

The PIN policy should be stored in the smart card profile, but the configuration can add further requirements. The PinType parameter requires a specific PIN policy.

// Password type:
// 0 -> all chars (case sensitive)
// 1 -> all chars (case insensitive)
// 2 -> all chars (max 2 in row or normal/keyboard sequence)
// 3 -> all chars (max 2 in row or normal sequence)
// 4 -> all chars (max 2 in row)
// 5 -> only digits
//
// Normal sequence:
// a-z, z-a, 0-9, 9-0
// Keyboard sequence:
// qwertyuiop, poiuytrewq
// asdfghjkl, lkjhgfdsa,
// zxcvbnm, mnbvcxz,
// qaz, zaq, wsx, xsw, ...

[TokenTPM]
PinType=5
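The following is an added example, not Net iD Client code, showing how the PinType values 0-5 above can be enforced together with PinMinLen and PinMaxLen. It assumes that "max 2 in row" and the normal/keyboard sequence rules are judged on windows of three characters, and that the keyboard columns (qaz, wsx, ...) are read from the three QWERTY rows listed above; both are assumptions, not documented behavior.

```python
import string

# Keyboard rows from the PinType comment above; columns (qaz, wsx, edc, ...)
# are derived from them top-to-bottom (assumption).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
KEYBOARD_COLS = tuple("".join(col) for col in zip(*KEYBOARD_ROWS))
# "Normal sequence": a-z / z-a and 0-9 / 9-0 (reverse is handled by the checker).
NORMAL_SEQ = (string.ascii_lowercase, string.digits)
WINDOW = 3  # assumption: three characters make a run or a sequence


def _has_sequence(pin: str, sequences) -> bool:
    """True if any WINDOW-long chunk of pin, forward or reversed, lies inside a known sequence."""
    low = pin.lower()
    for i in range(len(low) - WINDOW + 1):
        chunk = low[i:i + WINDOW]
        if any(chunk in seq or chunk[::-1] in seq for seq in sequences):
            return True
    return False


def _has_repeat(pin: str) -> bool:
    """True if the same character occurs WINDOW times in a row (violates "max 2 in row")."""
    return any(len(set(pin[i:i + WINDOW])) == 1 for i in range(len(pin) - WINDOW + 1))


def check_pin(pin: str, pin_type: int, min_len: int = 2, max_len: int = 32):
    """Return None if pin satisfies PinType/PinMinLen/PinMaxLen, else a short reason.

    Defaults are the PinMinLen=2 / PinMaxLen=32 values from the summary block.
    """
    if pin_type not in (0, 1, 2, 3, 4, 5):
        return "unknown-type"
    if not min_len <= len(pin) <= max_len:
        return "length"
    if pin_type == 5:                      # only digits
        return None if pin.isdigit() else "digits-only"
    if pin_type in (2, 3, 4) and _has_repeat(pin):
        return "repeat"
    if pin_type in (2, 3) and _has_sequence(pin, NORMAL_SEQ):
        return "normal-sequence"
    if pin_type == 2 and _has_sequence(pin, KEYBOARD_ROWS + KEYBOARD_COLS):
        return "keyboard-sequence"
    return None                            # types 0 and 1 accept all characters


def normalize_pin(pin: str, pin_type: int) -> str:
    """PinType 1 compares PINs case-insensitively; type 0 keeps case (assumed lowercasing)."""
    return pin.lower() if pin_type == 1 else pin
```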

RememberFailedAttempt

A calling application can send the PIN using CryptSetProvParam. Normally each attempt results in a call to the smart card. This parameter can be used to avoid locking the PIN: the last failed attempt with a specific PIN value and container is remembered, and a repeated call with the same values returns failure without an attempt against the smart card.

[TokenTPM]
RememberFailedAttempt=1

Values

0

off

1

on

SingleSignOn

Single sign-on can be available even for soft tokens. The SingleSignOn parameter tells if single sign-on is available or not.

[TokenTPM]
SingleSignOn=1

UseChallengeResponse

The UseChallengeResponse parameter enables challenge-response unlock for TPM tokens.

Values

timeout

Timeout in seconds.

size

The size is always 8 bytes.

[TokenTPM]
UseChallengeResponse=<timeout>[:<size>]