
A separate signature slot containing a signature certificate, protected by an additional PIN, is an additional security measure, typically used for Qualified Electronic Signatures (QES). Currently, Identity Manager supports the signature slot for the following middleware:

  • Gemalto (since PRIME 3.12)
  • Personal (since Identity Manager 22.10.2)
  • Idopte (since Identity Manager 23.04.4)

In this article you can find general information regarding the signature slot. For use cases for a specific middleware, follow the links above.

Prerequisites

A token that supports the signature slot. For details, see the section referring to the signature slot in the middleware pages linked above.

Use cases

Write to the signature slot

To explicitly select the signature slot as the target for your application, use the Location keyword in the respective Application_* section. Location supports only one value: Signature. Any other value points to the default slot, as does omitting the Location keyword altogether. The value can either be hard-coded in the encoding description (e.g. Location=#Signature) or it can reference a field (for example, Location=LOCATION_FIELD).

In the following example, one certificate is written to the default slot (authenticated by PIN), one to the signature slot (authenticated by SignPIN), and the third certificate's location is determined at runtime by the field LOCATION_FIELD.

Explicitly selecting slots
[Fields]
PIN=
SIGN_PIN=
LOCATION_FIELD=

[Description]
PKCS11Library=yourMiddleware.dll
ApplicationList=ABC
# Default slot credentials
PIN=PIN
# Signature slot credentials
SignPIN=SIGN_PIN

[Application_A]
# Write a certificate to the default slot
KeySize=2048
CertTempl=myAuthCertTemplate

[Application_B]
# Write a certificate to the signature slot (the only supported value is Signature)
KeySize=2048
CertTempl=myAuthCertTemplate
Location=#Signature

[Application_C]
# Determine the slot to write a certificate to using process variables
KeySize=2048
CertTempl=mySigCertTemplate
Location=LOCATION_FIELD

Change signature slot credentials

The PINs for the signature slot can be changed similarly to the standard P11 PIN/PUK handling, but with different keywords:

Standard P11 PIN/PUK keyword    Signature PIN/PUK keyword
PIN                             SignPIN
PUK                             SignPUK
InitialPUK                      InitialSignPUK
Pin_Validation                  SignPin_Validation

Examples

Example: Change signature PUK and signature PIN using field values
[Fields]
OLD_SIGN_PUK=
NEW_SIGN_PUK=
NEW_SIGN_PIN=
[Description]
PKCS11Library=yourMiddleware.dll
SetPin=true
InitialSignPUK=OLD_SIGN_PUK
SignPUK=NEW_SIGN_PUK
SignPIN=NEW_SIGN_PIN

Example: Change signature PIN by entering old and new values. The PIN must be at least 4 digits long.
[Description]
PKCS11Library=yourMiddleware.dll
SetPin=true
SignPIN=!FROM_USER_DIALOG_3_FIELD
SignPin_Validation=reg_exp([0-9]{4,})
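As an added illustration of the Location rule and the SignPin_Validation keyword described above, the following Python (example code, not Identity Manager's own implementation) resolves the target slot and the credential keyword for each application in ApplicationList and applies the validation regular expression to a candidate signature PIN. It assumes the encoding description is INI-compatible and that a dict of runtime field values stands in for the [Fields] section.

```python
import configparser
import re

# Constructed sample encoding description, following the page's format.
SAMPLE = """
[Description]
ApplicationList=ABC
PIN=PIN
SignPIN=SIGN_PIN
SignPin_Validation=reg_exp([0-9]{4,})
[Application_A]
CertTempl=myAuthCertTemplate
[Application_B]
CertTempl=mySigCertTemplate
Location=#Signature
[Application_C]
CertTempl=mySigCertTemplate
Location=LOCATION_FIELD
"""

def load_description(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep keyword case so PIN and SignPIN stay distinct
    cp.read_string(text)
    return cp

def resolve_slot(location, runtime_fields):
    """Only the value 'Signature' selects the signature slot; any other value or
    no Location keyword means the default slot. '#' marks a hard-coded value."""
    if location is None:
        return "default"
    value = location[1:] if location.startswith("#") else runtime_fields.get(location, "")
    return "signature" if value == "Signature" else "default"

def plan_applications(cp, runtime_fields):
    """Per application: (name, slot, credential keyword, resolved credential value)."""
    plan = []
    for app in cp["Description"]["ApplicationList"]:
        slot = resolve_slot(cp[f"Application_{app}"].get("Location"), runtime_fields)
        keyword = "SignPIN" if slot == "signature" else "PIN"  # which PIN authenticates
        plan.append((app, slot, keyword, runtime_fields.get(cp["Description"][keyword], "")))
    return plan

def sign_pin_is_valid(cp, pin):
    # Apply SignPin_Validation=reg_exp(...) as a full match; no rule means no restriction.
    match = re.fullmatch(r"reg_exp\((.*)\)", cp["Description"].get("SignPin_Validation", ""))
    return True if match is None else re.fullmatch(match.group(1), pin) is not None
```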