Doug Engert

You are welcome to submit a PR, if you think that address all the concerns above, about violating the NIST standards.

One thing you can try to see what happens: piv-tool -s"00:f7:00:9A:00" Then repeat using for 9B, 9C, 9D, 9E, 80, 81 for all the keys. I do not have a...

Looks like for DES or AES (and may be others) you may need to add CKA_VALUE_LEN to the template. http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/pkcs11-curr-v2.40.html 2.8.4 AES-ECB "For unwrapping, the mechanism decrypts the wrapped key,...

There may be some issues. These may have resulted from what does a card can do with an unwrapped key. Does it return the results or does it unwrap the...

In response to: https://github.com/OpenSC/OpenSC/issues/1796#issuecomment-534169750 "With the current design of unwrap, each card is supposed to do some arbitrary on-card-storage or nothing." That is true for the card driver layer, but...

I meant memory in middleware. The card only supports RSA RAW (CKM_RSA_X_509), ECDSA and ECDH. So all RSA operations to card send k bytes to the card and receive k...

Not all cards should be used in some senerios. In your TV example, the cable/pay-per-view/content-owner is interested in not exposing the AES key to the consumer. They control your TV...

Something like that is OK for now. The CKF_HW needs to be implemented.

"Is this a design feature - in that when you create a private token public key OpenSC overides this and makes them a public token object?" This may not be...

> I'm setting Le to a length less than the object length. The current OpenSC PIV driver does this intentionally. It will do GET_DATA for 8 bytes, then determine the...