SmartCard PIV
[SmartCard PIV]
:AllowAnyNewKeyId=0
CheckFIPS=1
:KeepCardNumber=0
RequireDigits=0
:ShowObjects=0
:UpdateByUser=0
UseCardLabel=0
UseCardNumber=0
AllowAnyNewKeyId
When generating a key, it is possible to specify key ID, that is, 1 byte with 9A, 9C, etc. It is also possible to specify an empty key ID, that is, 0 byte. If the parameter is set to 1, active, all non-one-byte key IDs will be classified as empty. That is, the first possible will be used.
[SmartCard PIV]
AllowAnyNewKeyId=0
KeepCardNumber
The card number can be stored in the PIV profile.
Net iD Client can generate a new random token number at C_InitToken
when initializing a token.
But it can also keep the current number.
Activate the KeepCardNumber parameter to keep the old number.
[SmartCard PIV]
KeepCardNumber=0
ShowObjects
There are a number of PIV data objects that can be shown as PKCS#11 data objects. We try to avoid reading unnecessary objects, so only those configured are read. This value contains a bitmask for the objects that can be read.
BITMASK;NAME;OID
0x0000000001;Card Capability Container;2.16.840.1.101.3.7.2.219.0
0x0000000002;Card Holder Unique Identifier;2.16.840.1.101.3.7.2.48.0
0x0000000004;X.509 Certificate for PIV Authentication;2.16.840.1.101.3.7.2.1.1
0x0000000008;Cardholder Fingerprints;2.16.840.1.101.3.7.2.96.16
0x0000000010;Security Object;2.16.840.1.101.3.7.2.144.0
0x0000000020;Cardholder Facial Image;2.16.840.1.101.3.7.2.96.48
0x0000000040;Printed Information;2.16.840.1.101.3.7.2.48.1
0x0000000080;X.509 Certificate for Digital Signature;2.16.840.1.101.3.7.2.1.0
0x0000000100;X.509 Certificate for Key Management;2.16.840.1.101.3.7.2.1.2
0x0000000200;X.509 Certificate for Card Authentication;2.16.840.1.101.3.7.2.5.0
0x0000000400;Discovery Object;2.16.840.1.101.3.7.2.96.80
0x0000000800;Key History Object;2.16.840.1.101.3.7.2.96.96
0x0000001000;Retired X.509 Certificate for Key Management 1;2.16.840.1.101.3.7.2.16.1
0x0000002000;Retired X.509 Certificate for Key Management 2;2.16.840.1.101.3.7.2.16.2
0x0000004000;Retired X.509 Certificate for Key Management 3;2.16.840.1.101.3.7.2.16.3
0x0000008000;Retired X.509 Certificate for Key Management 4;2.16.840.1.101.3.7.2.16.4
0x0000010000;Retired X.509 Certificate for Key Management 5;2.16.840.1.101.3.7.2.16.5
0x0000020000;Retired X.509 Certificate for Key Management 6;2.16.840.1.101.3.7.2.16.6
0x0000040000;Retired X.509 Certificate for Key Management 7;2.16.840.1.101.3.7.2.16.7
0x0000080000;Retired X.509 Certificate for Key Management 8;2.16.840.1.101.3.7.2.16.8
0x0000100000;Retired X.509 Certificate for Key Management 9;2.16.840.1.101.3.7.2.16.9
0x0000200000;Retired X.509 Certificate for Key Management 10;2.16.840.1.101.3.7.2.16.10
0x0000400000;Retired X.509 Certificate for Key Management 11;2.16.840.1.101.3.7.2.16.11
0x0000800000;Retired X.509 Certificate for Key Management 12;2.16.840.1.101.3.7.2.16.12
0x0001000000;Retired X.509 Certificate for Key Management 13;2.16.840.1.101.3.7.2.16.13
0x0002000000;Retired X.509 Certificate for Key Management 14;2.16.840.1.101.3.7.2.16.14
0x0004000000;Retired X.509 Certificate for Key Management 15;2.16.840.1.101.3.7.2.16.15
0x0008000000;Retired X.509 Certificate for Key Management 16;2.16.840.1.101.3.7.2.16.16
0x0010000000;Retired X.509 Certificate for Key Management 17;2.16.840.1.101.3.7.2.16.17
0x0020000000;Retired X.509 Certificate for Key Management 18;2.16.840.1.101.3.7.2.16.18
0x0040000000;Retired X.509 Certificate for Key Management 19;2.16.840.1.101.3.7.2.16.19
0x0080000000;Retired X.509 Certificate for Key Management 20;2.16.840.1.101.3.7.2.16.20
0x0100000000;Cardholder Iris Images;2.16.840.1.101.3.7.2.16.21
[SmartCard PIV]
ShowObjects=0x0000000797 (1)
1 | The bitmask value 0x0000000797 corresponds to: 0x0000000001;Card Capability Container;2.16.840.1.101.3.7.2.219.0 0x0000000002;Card Holder Unique Identifier;2.16.840.1.101.3.7.2.48.0 0x0000000004;X.509 Certificate for PIV Authentication;2.16.840.1.101.3.7.2.1.1 0x0000000010;Security Object;;2.16.840.1.101.3.7.2.144.0 0x0000000080;X.509 Certificate for Digital Signature;2.16.840.1.101.3.7.2.1.0 0x0000000100;X.509 Certificate for Key Management;2.16.840.1.101.3.7.2.1.2 0x0000000200;X.509 Certificate for Card Authentication;2.16.840.1.101.3.7.2.5.0 0x0000000400;Discovery Object;2.16.840.1.101.3.7.2.96.80 |
RequireDigits
The PIV specification requires that the PIN only contains digits, but there are PIV implementations that allow non-digits. The RequireDigits parameter can disable the requirement and allow all characters.
[SmartCard PIV]
RequireDigits=0
UpdateByUser
The PIV specification specifies that all updates of PIV token require administrator (CKU_SO), using AdminKey. But some PIV implementations allow User PIN for updates.
[SmartCard PIV]
UpdateByUser=0