OpenFIPS201 is intended to be highly flexible to support a variety of usage scenarios whilst being capable of fully complying with the PIV card application standard.

To support this:

It has a dynamic file system, which can describe any number of data objects, including access permissions
It has a dynamic key store, which permits any combination of keys and mechanisms (algorithms), with flexible access permissions, key roles and attributes.
The applet has a number of configuration parameters which drive behaviour of the applet. These can be dynamically configured during issuance, post-issuance or even left untouched to make use of NIST-compliant default values.
All of the above can be managed securely using a GlobalPlatform Secure Channel either locally or over a network.

3 Personalisation Steps

Apply any Configuration changes required (this should be done first as it may effect subsequent steps)
Define which Data Objects and Keys are required on the card.
Populate data objects using standard PIV interoperable commands.
Generate or Inject Key values using either standard PIV interoperable commands or the Secure Messaging interface.

4 Configuration

OpenFIPS201 configuration parameters can be applied at any time during the card life-cycle, so long as it is done under a GlobalPlatform Secure Channel or using Delegated Administrative Commands.

...

Element

Description

Id

TYPE: OCTET STRING (1 to 3 bytes for data objects, 1 byte for keys)

The unique identifier for this object on the card.

Info
OpenFIPS201 only makes use of the least-significant byte for identification storage. This may change in the future but for now this means the identifiers `112233h` and `333333h` would be treated as duplicates. It is strongly recommended to still pre-perso with full 3-byte PIV identifiers to future-proof your personalisation scripts.

Mode Contact

Type: Enumeration

Provides access control restrictions and permissions for this object when connecting over the Contact interface.

Info
See `Enumeration - Access Mode` below for details on populating this value.

Mode Contactless

Type: Enumeration

Provides access control restrictions and permissions for this object when connecting over the Contactless interface.

Info
See `Enumeration - Access Mode` below for details on populating this value.

Info
If the `Options.ignoreContactlessAcl` parameter is set to True, this value is not used in assessing permissions.

Admin Key

Type: OCTET STRING (1 byte) OPTIONAL

Specifies which symmetric key can be used for managing this object using the PUT DATA or GENERATE ASSYMETRIC KEYPAIR command.

This is useful where a particular implementation wishes to define specific Data or Key objects that are managed by a third party, where it is desirable to compartmentalise access to only those objects.

Info
This field is optional and if it is not specified, the default administrative key `9B` is used. For systems that only want to administrate using Secure Channel, simply setting this value to a non-existent key id, or not initialising the 9B key will be sufficient to disable this capability.

Key Mechanism

Type: Enumeration

Describes which cryptographic primitive (mechanism) will be associated with this key.

Info
See Enumeration - Key Mechanism below for details on populating this value.

Key Role

Type: Enumeration

Specifies what role(s) this key may perform for GENERAL AUTHENTICATE commands.

Info
See Enumeration - Key Role below for details on populating this value.

Key Attribute

Type: Enumeration

Specifies what special attributes / options are flagged against this key.

Info
See Enumeration - Key Attribute below for details on populating this value.

5.1.1 Enumeration - Access Mode

Info
This enumeration is a `Bit Field`, however for legacy reasons it was encoded as an OCTET STRING

Element

Description

Never

The object may not be read or used under any circumstances.

Info
This is a special value that cannot be combined with any other value.

The object may be accessed only after PIN authentication.

Pin Always

The object may be accessed only IMMEDIATELY after PIN authentication in the current session.

Info
It is acceptable to also set the `Pin` flag in addition to this, but not necessary as `Pin Always` will take precedence.

Occ

The object may be accessed only after a successful Biometric On-Card-Comparison in the current session.

User Admin

The object may be managed after the access conditions have been successfully met.

Info
This has the effect or permitting the PUT DATA and GENERATE ASSYMMETRIC KEYPAIR commands for these values. It does not permit extended administration commands such as `PUT DATA ADMIN` and `CHANGE REFERENCE DATA ADMIN`, which require a GlobalPlatform Secure Channel.

Always

The object may be read or used without any authentication.

Info
This is a special value that cannot be combined with any other value.

NoteWhen reading this field, take care to evaluate for Always and Never special values first, as the Always value sets all lower 7 bits, which can look like other options are set

Element

Description

Id

TYPE: OCTET STRING (1 to 3 bytes for data objects, 1 byte for keys)

The unique identifier for this object on the card.

Info
OpenFIPS201 only makes use of the least-significant byte for identification storage. This may change in the future but for now this means the identifiers `112233h` and `333333h` would be treated as duplicates. It is strongly recommended to still pre-perso with full 3-byte PIV identifiers to future-proof your personalisation scripts.

Mode Contact

Type: Enumeration

Provides access control restrictions and permissions for this object when connecting over the Contact interface.

Info
See `Enumeration - Access Mode` below for details on populating this value.

Mode Contactless

Type: Enumeration

Provides access control restrictions and permissions for this object when connecting over the Contactless interface.

Info
See `Enumeration - Access Mode` below for details on populating this value.

Info
If the `Options.ignoreContactlessAcl` parameter is set to True, this value is not used in assessing permissions.

Admin Key

Type: OCTET STRING (1 byte) OPTIONAL

Specifies which symmetric key can be used for managing this object using the PUT DATA or GENERATE ASSYMETRIC KEYPAIR command.

This is useful where a particular implementation wishes to define specific Data or Key objects that are managed by a third party, where it is desirable to compartmentalise access to only those objects.

Info
This field is optional and if it is not specified, the default administrative key `9B` is used. For systems that only want to administrate using Secure Channel, simply setting this value to a non-existent key id, or not initialising the 9B key will be sufficient to disable this capability.

5.1.1 Enumeration - Access Mode

Info
This enumeration is a `Bit Field`, however for legacy reasons it was encoded as an OCTET STRING

Element

Description

Never

The object may not be read or used under any circumstances.

Info
This is a special value that cannot be combined with any other value.

The object may be accessed only after PIN authentication.

Pin Always

The object may be accessed only IMMEDIATELY after PIN authentication in the current session.

Info
It is acceptable to also set the `Pin` flag in addition to this, but not necessary as `Pin Always` will take precedence.

Occ

The object may be accessed only after a successful Biometric On-Card Comparison in the current session.

User Admin

The object may be managed after the access conditions have been successfully met.

Info
This has the effect or permitting the PUT DATA and GENERATE ASSYMMETRIC KEYPAIR commands for these values. It does not permit extended administration commands such as `PUT DATA ADMIN` and `CHANGE REFERENCE DATA ADMIN`, which require a GlobalPlatform Secure Channel.

Always

The object may be read or used without any authentication.

Info
This is a special value that cannot be combined with any other value.

Note
When reading this field, take care to evaluate for `Always` and `Never` special values first, as the `Always` value sets all lower 7 bits, which can look like other options are set.

Key Object Parameters

Element

Description

Key Mechanism

Type: Enumeration

Describes which cryptographic primitive (mechanism) will be associated with this key.

Info
See Enumeration - Key Mechanism below for details on populating this value.

Key Role

Type: Enumeration

Specifies what role(s) this key may perform for GENERAL AUTHENTICATE commands.

Info
See Enumeration - Key Role below for details on populating this value.

Key Attribute

Type: Enumeration

Specifies what special attributes / options are flagged against this key.

Info
See Enumeration - Key Attribute below for details on populating this value.

5.1.2 Enumeration - Key Mechanism

...

Versions Compared

Old Version 16

New Version 17

Key

3 Personalisation Steps

4 Configuration

5.1.1 Enumeration - Access Mode

5.1.1 Enumeration - Access Mode

Key Object Parameters

5.1.2 Enumeration - Key Mechanism

Page Comparison

Versions Compared

Old Version 16

New Version 17

Key

3 Personalisation Steps

4 Configuration

5.1.1 Enumeration - Access Mode

5.1.1 Enumeration - Access Mode

Key Object Parameters

5.1.2 Enumeration - Key Mechanism