Context Specific Login Using Pin Pad Reader Fix
sc_pkcs15_verify_pin says:

/* if pin cache is disabled, we can get here with no PIN data.
 * in this case, to avoid error or unnecessary pin prompting on pinpad,
 * check if the PIN has been already verified and the access condition
 * is still open on card.
 */

It then calls sc_pkcs15_get_pin_info.

A context specific login is used in PKCS#11 to force the user to enter the PIN again and a verify command to be sent to the card. (Actually it could be a different value for the PIN depending on the card.)

sc_pkcs15_get_pin_info will then call the card driver, but does not say why it is testing the login status. sc_pkcs15_get_pin_info may return SC_PIN_STATE_LOGGED_IN=1 and sc_pkcs15_verify_pin will then skip sending the actual verify command to the card via _sc_pkcs15_verify_pin.

To avoid this, sc_pkcs15_get_pin_info will set data.pin_type = pin_info->auth_method; In the case of a context specific login, this is SC_AC_CONTEXT_SPECIFIC and the card driver can take action and can return SC_PIN_STATE_LOGGED_IN=0 so the verify will be done.

The PIV driver card-piv.c does this. Other drivers could do something similar.

Date: Mon May 21 20:40:00 2018 -0500

On branch History-fixes
Changes to be committed:
modified: card-piv.c
modified: pkcs15-pin.c
parent 08ec4b85e1
commit 91812cf40f
@ -3452,6 +3452,16 @@ piv_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, int *tries_left)
|
|||
data->pin1.tries_left = priv->tries_left;
|
||||
if (tries_left)
|
||||
*tries_left = priv->tries_left;
|
||||
|
||||
/*
|
||||
* If called to check on the login state for a context specific login
|
||||
* return not logged in. Needed because of logic in e6f7373ef066
|
||||
*/
|
||||
if (data->pin_type == SC_AC_CONTEXT_SPECIFIC) {
|
||||
data->pin1.logged_in = 0;
|
||||
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
|
||||
}
|
||||
|
||||
if (priv->logged_in == SC_PIN_STATE_LOGGED_IN) {
|
||||
/* Avoid status requests when the user is logged in to handle NIST
|
||||
* 800-73-4 Part 2:
|
||||
|
|
|
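Review bot: the comment above the new `if (data->pin_type == SC_AC_CONTEXT_SPECIFIC)` branch in piv_pin_cmd explains itself only by the hash e6f7373ef066, so a reader has to look that commit up to learn why the driver reports "not logged in". Consider stating the reason in the comment itself, namely that sc_pkcs15_verify_pin skips the verify command when the login state comes back as logged in, and that a context specific login must always reach the card. Two further things to confirm: the branch tests only `data->pin_type`, so it relies on surrounding code (not visible in this hunk) to restrict it to SC_PIN_CMD_GET_INFO, as the comment's "if called to check on the login state" implies; and it returns before any status request, so `data->pin1.tries_left` and `*tries_left` carry the cached `priv->tries_left` value set just above, not a value refreshed from the card.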
@ -700,7 +700,7 @@ int sc_pkcs15_get_pin_info(struct sc_pkcs15_card *p15card,
|
|||
/* Try to update PIN info from card */
|
||||
memset(&data, 0, sizeof(data));
|
||||
data.cmd = SC_PIN_CMD_GET_INFO;
|
||||
data.pin_type = SC_AC_CHV;
|
||||
data.pin_type = pin_info->auth_method;
|
||||
data.pin_reference = pin_info->attrs.pin.reference;
|
||||
|
||||
r = sc_pin_cmd(card, &data, NULL);
|
||||
|
|
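Review bot: replacing `data.pin_type = SC_AC_CHV;` with `data.pin_type = pin_info->auth_method;` in sc_pkcs15_get_pin_info changes what every card driver receives on SC_PIN_CMD_GET_INFO, not only card-piv.c. A driver whose pin_cmd handler compares `data->pin_type` against SC_AC_CHV will now see whatever auth_method the PKCS#15 object carries, and may reject or mishandle the status query. Either audit the other drivers' GET_INFO paths as part of this change, or narrow it so that only SC_AC_CONTEXT_SPECIFIC is forwarded and all other cases keep SC_AC_CHV. A one-line comment at the assignment saying that the auth method is passed through so drivers can force a verify for context specific logins would also help, since the existing "Try to update PIN info from card" comment does not explain it.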