Description
These certs may be on the card, or they may be at a URL. Regardless of where they are found, the private keys for the certs are on the card. The requirement is a key challenge for each type of certificate/key escrow scheme defined. So, while this is an extension of Issue #58, this bug specifically addresses the object acquisition and private/public key matching components of any retired key management certificates found on the card.
If the certificate exists, perform a key challenge/response with the appropriate key.
Each retired key management certificate (1-20) has a separate key identifier. Our APDUConstants class needs to be updated to include a map of certificate object names and key identifiers. By doing so, and modifying PKIX.11 to take the key identifier as a parameter, this issue can be addressed.
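
A sketch of the approach described in this issue, added here as an example and not taken from the project's code: a map from each retired key management certificate container to its key identifier, and a key challenge that takes the key identifier from that map. Class, interface and method names are hypothetical; the tag and key reference ranges follow SP 800-73-4; the card is simulated with software RSA keys, and RSA key management keys are assumed.

```java
import java.security.*;
import java.util.*;
import javax.crypto.Cipher;

// Added illustration: all class, interface and method names here are hypothetical.
public class RetiredKeyChallenge {
    // SP 800-73-4 numbering: retired key management certificate n (1-20) is stored under
    // BER-TLV tag 5FC10D + (n-1) and its private key is key reference 0x82 + (n-1).
    static Map<Integer, Integer> tagToKeyRef() {
        Map<Integer, Integer> m = new LinkedHashMap<>();
        for (int n = 1; n <= 20; n++) m.put(0x5FC10D + n - 1, 0x82 + n - 1);
        return m;
    }

    // Stand-in for the card: performs the private-key operation for one key reference.
    interface Card { byte[] decrypt(int keyRef, byte[] ct) throws GeneralSecurityException; }

    // Encrypt a fresh nonce to the certificate's public key and ask the card to decrypt it
    // with the key reference mapped to that container; a match shows the pair corresponds.
    static boolean keyMatches(Card card, int containerTag, PublicKey certKey)
            throws GeneralSecurityException {
        Integer keyRef = tagToKeyRef().get(containerTag);
        if (keyRef == null) throw new IllegalArgumentException("not a retired KM container");
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        c.init(Cipher.ENCRYPT_MODE, certKey);
        byte[] ct = c.doFinal(nonce);
        try {
            return MessageDigest.isEqual(nonce, card.decrypt(keyRef, ct));
        } catch (GeneralSecurityException e) {
            return false; // wrong private key: the padding check fails on decryption
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed test keys: software RSA pairs standing in for key references 0x82, 0x83.
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        Map<Integer, KeyPair> slots = new HashMap<>();
        slots.put(0x82, g.generateKeyPair());
        slots.put(0x83, g.generateKeyPair());
        Card card = (ref, ct) -> {
            Cipher d = Cipher.getInstance("RSA/ECB/PKCS1Padding");
            d.init(Cipher.DECRYPT_MODE, slots.get(ref).getPrivate());
            return d.doFinal(ct);
        };
        System.out.println(keyMatches(card, 0x5FC10D, slots.get(0x82).getPublic())); // matching pair
        System.out.println(keyMatches(card, 0x5FC10E, slots.get(0x82).getPublic())); // mismatched pair
    }
}
```

Against a real card, the `Card` implementation would issue the private-key operation to the card for the given key reference instead of using software keys.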