Releases: GSA/gsa-icam-card-builder
Added two test cards with ICI values of 8 and 9
This is to test whether validation systems and PACS use the high-order bit of the ICI. The cards are valid ICAM PIV test cards using NIST test OIDs. The photo on 46_Golden_FIPS_201-2_PIV_ICI_8 is null as an additional test condition.
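As an added illustration (not code from the gsa-icam-card-builder project), the sketch below shows why ICI values 8 and 9 are the ones that exercise the high-order bit: in the FASC-N's 5-bit BCD encoding they are the only decimal digits with the fourth data bit set. The field values are constructed, the LRC character is omitted, and read_ici_3bit is a hypothetical faulty reader used only to show what a validation system that ignores that bit would report.

```python
# Added example: FASC-N characters are 4 BCD bits sent least-significant bit
# first, then one odd-parity bit. All field values below are constructed.
SS, FS, ES = "11010", "10110", "11111"  # start sentinel, field separator, end sentinel
ICI_INDEX = 20  # zero-based character position of the ICI within the FASC-N

def enc_digit(d):
    """Encode one decimal digit as 4 LSB-first data bits plus an odd-parity bit."""
    bits = [(d >> i) & 1 for i in range(4)]
    return "".join(map(str, bits)) + str((sum(bits) + 1) % 2)

def dec_digit(ch):
    """Decode one 5-bit character, rejecting bad parity and non-decimal values."""
    bits = [int(b) for b in ch]
    if len(bits) != 5 or sum(bits) % 2 != 1:
        raise ValueError("length or parity error in " + ch)
    value = sum(b << i for i, b in enumerate(bits[:4]))
    if value > 9:
        raise ValueError("not a decimal digit: " + ch)
    return value

def build_fascn(agency, system, credential, cs, ici, pi, oc, oi, poa):
    """Assemble the 39 characters that precede the LRC as a bit string."""
    def field(s):
        return "".join(enc_digit(int(c)) for c in s)
    return (SS + field(agency) + FS + field(system) + FS + field(credential) + FS
            + field(cs) + FS + field(ici) + FS + field(pi) + field(oc)
            + field(oi) + field(poa) + ES)

def read_ici(bitstring):
    """Correct reader: uses all four data bits of the ICI character."""
    return dec_digit(bitstring[ICI_INDEX * 5:(ICI_INDEX + 1) * 5])

def read_ici_3bit(bitstring):
    """Hypothetical faulty reader that drops the high-order data bit."""
    return read_ici(bitstring) & 0b0111

def collisions():
    """Return {true ICI: value the faulty reader reports} for every mismatch."""
    out = {}
    for ici in range(10):
        fascn = build_fascn("1234", "5678", "000123", "1", str(ici),
                            "1234567890", "1", "4321", "1")
        if read_ici_3bit(fascn) != read_ici(fascn):
            out[ici] = read_ici_3bit(fascn)
    return out

if __name__ == "__main__":
    print(collisions())
```

Only the two new ICI values are misread, and each collides with a different credential issue (0 or 1) of the same card number, which is the condition these test cards let a validation system or PACS be checked against.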
Corrected IDEMIA applet version
The tlvparsing/usr/local/bin/idemia_atrs.pl script was updated to report the correct applet description. GUI updated to show release. Added O/S utility.
Single Button for PIV and Global PIN Retries
Refactored retry counter checks into a single button that retrieves the retry counters for both the PIV and Global PINs.
Added Card Utilities Tab
The "Card Encoder" tab name has been changed to "Card Utilities." The Card Utilities tab provides a quicker way to determine the number of retries without decrementing either retry counter.
Updated Golden PIV, PIV-I Auth Certs with UPN
There have been multiple requests for UPNs in the PIV Auth certs for LACS logon in addition to PACS. The PIV Auth or Auth certs on the following cards have been updated:
- Card 39 - [email protected]
- Card 46 - [email protected]
- Card 54 - [email protected]
Added Cards 57-59, updated Card 48
Card 57's CHUID signature cert is revoked. Basic SP 800-116 rule. Card 58's Card Authentication Certificate is revoked. Another Basic SP 800-116 rule. Card 59 contains a valid Card 51 data set so that Card 51 time of access can be tested.
Reverted Separate CRL for Response Signer Certs
For some systems, the response signing certificates were not available if the CRL was not available. Since the response signing certs were in the same CRL as the EE certs, Windows doesn't bother to look at the CRL DP in the response signing certs, which clearly pointed to the separate CRL. Since most of the validation systems are Windows-based, we decided to return the serial numbers of the two revoked response signing certs to the signing CA's main CRL.
Populated Empty .p7c Files
For whatever reason, these files had been empty. Populated them in an effort to reduce some of the stagnation that has strange side effects on Windows platforms.
Corrected Path 32 (Invalid SKID)
This path was actually correct, so it needed to be broken by creating a SKID that is not the SHA-1 hash of its public key. The database files needed to be rebuilt, with an empty CRL specially created for the Gen3 issuer.
Rebuilt CA Database, Cleaned up Responder Installer
Rebuilt CA databases to double-check that the right certs, CRLs, and database files are getting propagated during responder database updates. Cleaned up the responder installer so that it doesn't mangle /etc/hosts files.