From 124d6e3a407415c051d862771ab813a73ec8a498 Mon Sep 17 00:00:00 2001
From: Kalev Lember
Date: Mon, 13 Feb 2012 14:34:31 +0200
Subject: [PATCH] esteid: Do not set CKA_ALWAYS_AUTHENTICATE for the "Allkirjastamine" key CKA_ALWAYS_AUTHENTICATE implies CKU_CONTEXT_SPECIFIC login, but all this key really should need is a C_Login with CKU_USER. The historical reason for having CKA_ALWAYS_AUTHENTICATE set was to keep Firefox/NSS from using that particular key for SSL connections. However, starting with Firefox 8, NSS ignores Non Repudiation certificates for SSL and that makes the CKA_ALWAYS_AUTHENTICATE workaround unnecessary. Now that Firefox is fixed, drop the workaround in OpenSC so that applications that follow the pkcs11 spec wouldn't have to login twice to access the key.
---
 src/libopensc/pkcs15-esteid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libopensc/pkcs15-esteid.c b/src/libopensc/pkcs15-esteid.c
index 3f3249b7..d9999ba6 100644
--- a/src/libopensc/pkcs15-esteid.c
+++ b/src/libopensc/pkcs15-esteid.c
@@ -244,7 +244,7 @@ sc_pkcs15emu_esteid_init (sc_pkcs15_card_t * p15card)
 strlcpy(prkey_obj.label, prkey_name[i], sizeof(prkey_obj.label));
 prkey_obj.auth_id.len = 1;
 prkey_obj.auth_id.value[0] = prkey_pin[i];
- prkey_obj.user_consent = (i == 1) ? 1 : 0;
+ prkey_obj.user_consent = 0;
 prkey_obj.flags = SC_PKCS15_CO_FLAG_PRIVATE;
 r = sc_pkcs15emu_add_rsa_prkey(p15card, &prkey_obj, &prkey_info);
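Review bot: The new `prkey_obj.user_consent = 0;` line carries no comment, so the reason the signature key (the `i == 1` case on the removed line) stops requesting per-operation consent is recorded only in the commit message; a comment such as `/* no user_consent on the signature key: NSS skips Non Repudiation certs for SSL since Firefox 8, so a CKU_USER login is enough */` would keep it with the code. With the flag cleared, this key is presumably no longer advertised as CKA_ALWAYS_AUTHENTICATE, so whether each signature still needs a fresh PIN entry depends on the card and on any PIN caching in the middleware, neither of which is visible in this hunk. It is worth confirming that a cached PIN cannot be re-presented for the non-repudiation key without the user being prompted, since that key backs signatures the user is expected to approve one by one. The body of sc_pkcs15emu_esteid_init and the loop over `i` begin and end outside the hunk.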