Doug Engert

Results 581 comments of Doug Engert

You can submit a PR if you think this is important.

@mtrojnar any comments on this?

Please see https://github.com/OpenSC/OpenSC/pull/3203
Newer cards that may be marked as FIPS work with EC but not RSA.

Could this have anything to do with libp11 [Use of OS locking disabled in 0.4.14](https://github.com/OpenSC/libp11/issues/602) fixed in https://github.com/OpenSC/libp11/pull/603 ?

Looks like it should work. Here are some things to look at:
- You may need to update `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Calais\SmartCards` and install OpenSC 32 bit.
- Check `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\PIV Device ATR Cache`...

Not sure what "modified PivApplet to use P_DEFAULT (0), which is P_ONCE" does. This Windows policy for ECC keys for login may be the problem: https://learn.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings#allow-ecc-certificates-to-be-used-for-logon-and-authentication Also says: "This policy setting...

As you already know, the OpenSC PIV for minidriver is not installed by default. This was because Microsoft provides a way to use PIV cards. Have you tried letting Microsoft...

@ckahlo can you try setting these in the `opensc.conf` for the system. The location in registry at `HKEY_LOCAL_MACHINE\SOFTWARE\OpenSC Project\OpenSC` And get a debug log with log level at least set...

Windows appears to have a different way to handle the "PIN Always"/"OCC Always" type of key, by using `PIN_CACHE_POLICY_TYPE` `PinCacheAlwaysPrompt` and/or the minidriver.c has a `MD_ROLE_USER_SIGN`, which need to be...

> So similarly, you would need such special treatment when checking whether the applet is selected in piv_card_reader_lock_obtained(). In general, the PIV driver may need to be reviewed to avoid...