Doug Engert

Results 472 comments of Doug Engert

By default key `9E` should not require a PIN. You said you have a "patched/pkcs11-tool". What is the patch?

The info.flags are for the token. The PIV specs (sp800-74-4 Part1 Table 3) also say the `9A` and `9E` and their certificates "X.509 Certificate for PIV Authentication" and "X.509 Certificate...

Try this patch that needs a lot of testing. [proposed-fix-1769.diff.txt](https://github.com/OpenSC/OpenSC/files/3527419/proposed-fix-1769.diff.txt) You can use it as a starting point and submit a PR if you want. It moves the test for...

It should work the same. By default the PIV and Yubico `9E` key does not require a login. If the Yubico cannot tell you what is the policy then...

The patch is working for the default pin policies. (See exception below) The Revised PIN policies will not work unless Yubico documents how to test for policy of a key...

New version of the patch: [fix-1747.diff-v2.diff.txt](https://github.com/OpenSC/OpenSC/files/3531147/fix-1747.diff-v2.diff.txt) Unmodified `pkcs11-tool.c` would have done a login first so session was `CKS_RW_USER_FUNCTIONS` then `find_object` would see all the keys and select the key with...

PKCS#11 imposes some other restrictions. You must first call `C_OpenSession`, which gets a `CKS_RW_PUBLIC_SESSION` session. At this point you can call `C_FindObjects*` to search for objects not protected by a...

If you think there is a simple command to find the private key without first doing a C_Login, show how to defer the login in `pkcs11-tool.c`. I don't think it...

In a separate e-mail to Yubico 8/22/2019 I asked: "As an OpenSC developer I am trying to address: "YubiKey PIN policy is not supported #1769" https://github.com/OpenSC/OpenSC/issues/1769 The OpenSC PIV driver...

Just to clarify the situation, Yubico has implemented their own PIN policy extensions to the NIST PIV standards, but provide no way to actually test use them except a trial...