arekinath / PivApplet

PIV applet for JavaCard 2.2.2 and 3.0.4+ with full ECDSA/ECDH support

Global PIN #70

Closed Muzosh closed 1 year ago

Muzosh commented 1 year ago

Hello @arekinath, does the current version of PivApplet support the "Global PIN" as mentioned several times in SP 800-73-4? If not, how could it be implemented? By making the OwnerPIN object extend the Shareable interface?

I saw @dengert talk about the GlobalPlatform PIN in another issue. Is there any documentation for this? I wasn't able to find anything.

Thanks, Petr.

Muzosh commented 1 year ago

Maybe @martinpaljak might know something about sharing PIN between multiple applets loaded onto JavaCard?

dengert commented 1 year ago

See https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf, Part 1, "3.3.2 Discovery Object":

Tag 0x5F2F encodes the PIN Usage Policy in two bytes:

    First byte:  Bit 7 is set to 1 to indicate that the mandatory PIV Card Application PIN
                 satisfies the PIV Access Control Rules (ACRs) for command execution and
                 data object access.

                 Bit 6 indicates whether the optional Global PIN satisfies the PIV ACRs for
                 command execution and PIV data object access.
    ...
    The second byte of the PIN Usage Policy encodes the cardholder's PIN preference for
    PIV Cards with both the PIV Card Application PIN and the Global PIN enabled:

    Second byte: 0x10 indicates that the PIV Card Application PIN is the primary PIN used
                 to satisfy the PIV ACRs for command execution and object access.

                 0x20 indicates that the Global PIN is the primary PIN used to satisfy the
                 PIV ACRs for command execution and object access.

    Note: If Bit 6 of the first byte of the PIN Usage Policy is set to zero, then the second byte
    is RFU and shall be set to 0x00.

The discovery object is optional. When the discovery object is written, the bits need to match what the card and PIV applet can do.

One could still see if either are supported, using something like OpenSC's `piv-tool -s "00 20 00 XX 08 31 32 33 34 35 36 FF FF"`, where the PIN is 123456 and XX is 80 for the local PIN or 00 for the Global PIN. (An invalid PIN counts against the retry counter. Use with caution.)

See NIST.SP.800-73-4 "Part 2" "3.2.1 VERIFY Card Command" and "3.2.1.1 PIV Card Application PIN and Global PIN"
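Added example, not code from PivApplet, OpenSC or the commenters above: a small Python script that decodes the PIN Usage Policy (tag 0x5F2F) out of a PIV Discovery Object per SP 800-73-4 Part 1 3.3.2, picks the PIN reference (P2 = 0x80 for the PIV Card Application PIN, 0x00 for the Global PIN) that the policy allows, builds the VERIFY APDU in the same 0xFF-padded form as the `piv-tool -s` command above, and decodes the VERIFY status word so the remaining-retries count (SW 63 CX) is visible before anyone burns a retry. The two discovery objects at the bottom are constructed for the example, not read from a card; the PIV AID is the standard one from SP 800-73-4.

```python
# Added example (not PivApplet or OpenSC code): PIN Usage Policy decoding and
# VERIFY APDU construction per SP 800-73-4 Part 1 3.3.2 and Part 2 3.2.1.
# Nothing here talks to a card; the discovery objects below are constructed.
from typing import Dict, Optional, Tuple

P2_APPLICATION_PIN = 0x80  # PIV Card Application ("local") PIN
P2_GLOBAL_PIN = 0x00       # Global PIN


def parse_tlv(data: bytes) -> Dict[int, bytes]:
    """Flat BER-TLV parse: 1- or 2-byte tags, short lengths plus 0x81/0x82 forms."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:            # two-byte tag, e.g. 0x5F2F
            tag = (tag << 8) | data[i]
            i += 1
        length = data[i]
        i += 1
        if length == 0x81:
            length = data[i]
            i += 1
        elif length == 0x82:
            length = (data[i] << 8) | data[i + 1]
            i += 2
        elif length >= 0x80:
            raise ValueError("unsupported BER length form")
        out[tag] = data[i:i + length]
        i += length
    return out


def parse_pin_usage_policy(policy: bytes) -> dict:
    """Decode the two PIN Usage Policy bytes.

    The spec numbers bits 8..1 (bit 8 = 0x80), so bit 7 = 0x40 and bit 6 = 0x20.
    """
    if len(policy) != 2:
        raise ValueError("PIN Usage Policy must be exactly two bytes")
    first, second = policy
    app_pin = bool(first & 0x40)      # bit 7: PIV Card Application PIN satisfies ACRs
    global_pin = bool(first & 0x20)   # bit 6: Global PIN satisfies ACRs
    if not global_pin:
        if second != 0x00:            # second byte is RFU when bit 6 is zero
            raise ValueError("second byte must be 0x00 when the Global PIN is not enabled")
        primary = "application" if app_pin else None
    elif second == 0x10:
        primary = "application"
    elif second == 0x20:
        primary = "global"
    else:
        raise ValueError(f"unknown PIN preference byte 0x{second:02X}")
    return {"application_pin": app_pin, "global_pin": global_pin, "primary": primary}


def pin_usage_policy_from_discovery(discovery: bytes) -> dict:
    """Discovery object is 7E { 4F <AID> , 5F2F <policy> }."""
    inner = parse_tlv(parse_tlv(discovery)[0x7E])
    return parse_pin_usage_policy(inner[0x5F2F])


def choose_p2(policy: dict, prefer: Optional[str] = None) -> int:
    """Use the requested PIN if the policy allows it, otherwise the card's primary PIN."""
    want = prefer or policy["primary"]
    if want == "application" and policy["application_pin"]:
        return P2_APPLICATION_PIN
    if want == "global" and policy["global_pin"]:
        return P2_GLOBAL_PIN
    raise ValueError(f"{want} PIN does not satisfy this card's PIN Usage Policy")


def build_verify_apdu(pin: str, p2: int) -> bytes:
    """VERIFY (CLA 00 INS 20 P1 00 P2 80|00 Lc 08) with the PIN padded to 8 bytes with 0xFF."""
    if not (6 <= len(pin) <= 8) or not pin.isdigit():
        raise ValueError("PIV PIN must be 6 to 8 ASCII digits")
    if p2 not in (P2_APPLICATION_PIN, P2_GLOBAL_PIN):
        raise ValueError("P2 must be 0x80 (application PIN) or 0x00 (Global PIN)")
    data = pin.encode("ascii").ljust(8, b"\xff")
    return bytes([0x00, 0x20, 0x00, p2, len(data)]) + data


def parse_verify_sw(sw: bytes) -> Tuple[bool, Optional[int]]:
    """(verified, retries_left): 90 00 = ok, 63 CX = X tries left, 69 83 = blocked."""
    sw1, sw2 = sw
    if (sw1, sw2) == (0x90, 0x00):
        return True, None
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:
        return False, sw2 & 0x0F
    if (sw1, sw2) == (0x69, 0x83):
        return False, 0
    raise ValueError(f"unexpected status word {sw1:02X}{sw2:02X}")


# Constructed discovery objects (not read from a real card).
PIV_AID = bytes.fromhex("A000000308000010000100")
_HEAD = bytes([0x7E, 0x12, 0x4F, 0x0B]) + PIV_AID
DISCOVERY_APP_ONLY = _HEAD + bytes([0x5F, 0x2F, 0x02, 0x40, 0x00])            # app PIN only
DISCOVERY_BOTH_GLOBAL_PRIMARY = _HEAD + bytes([0x5F, 0x2F, 0x02, 0x60, 0x20])  # both, Global primary

if __name__ == "__main__":
    for name, obj in (("app-only", DISCOVERY_APP_ONLY), ("both/global-primary", DISCOVERY_BOTH_GLOBAL_PRIMARY)):
        pol = pin_usage_policy_from_discovery(obj)
        print(name, pol, build_verify_apdu("123456", choose_p2(pol)).hex())
```

Send the VERIFY with an empty data field first (P2 set, no Lc) if you only want the retry counter; the status-word decoder above is the part that makes the "use with caution" warning actionable, since a 63 C1 reply means the next wrong guess blocks the PIN.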

Muzosh commented 1 year ago

I was hoping to get some information outside of the official PIV standard documents. I know PIV talks about the Global PIN, but the implementation must be device-specific, right?

If so, does GlobalPlatform offer some solution for PIV-enabled JavaCards (like this PivApplet), and is there any documentation for that?

dengert commented 1 year ago

> If so, does GlobalPlatform offer some solution for PIV-enabled JavaCards (like this PivApplet), and is there any documentation for that?

Sorry I can not help much. OpenSC, PIV, Shibboleth, AD and Kerberos are my strong points.

Google for: Globalplatform "global pin" or java smartcards

martinpaljak commented 1 year ago

What exactly is the question and how can I help? Is the idea to use the GP Global PIN? Or to create something for multiple applets? What are the other applets in this case?

Muzosh commented 1 year ago

Sorry, this issue is no longer relevant. I was looking for "CVM" and found it.