Context Specific Login Using Pin Pad Reader Fix

sc_pkcs15_verify_pin says:

/* if pin cache is disabled, we can get here with no PIN data.
 * in this case, to avoid error or unnecessary pin prompting on pinpad,
 * check if the PIN has been already verified and the access condition
 * is still open on card.
 */

It then calls sc_pkcs15_get_pin_info.

A context specific login is used in PKCS#11 to force the user
to enter the PIN again and a verify command to be sent to the card.
(Actually it could be a different value for the PIN depending on the card.)
sc_pkcs15_get_pin_info will then call the card driver, but does not
say why it is testing the login status. sc_pkcs15_get_pin_info may return
SC_PIN_STATE_LOGGED_IN=1 and sc_pkcs15_verify_pin will then skip sending
the actual verify command to the card via _sc_pkcs15_verify_pin.

To avoid this, sc_pkcs15_get_pin_info will set data.pin_type = pin_info->auth_method;
In the case of a context specific login, this is SC_AC_CONTEXT_SPECIFIC
and the card driver can take action and can return SC_PIN_STATE_LOGGED_IN=0
so the verify will be done.

The PIV driver card-piv.c does this. Other drivers could do something similar.

 Date:      Mon May 21 20:40:00 2018 -0500

 On branch History-fixes
 Changes to be committed:
	modified:   card-piv.c
	modified:   pkcs15-pin.c
Doug Engert 2018-04-18 21:04:00 -05:00 committed by Frank Morgner
parent 08ec4b85e1
commit 91812cf40f
2 changed files with 11 additions and 1 deletions


@ -3452,6 +3452,16 @@ piv_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, int *tries_left)
data->pin1.tries_left = priv->tries_left;
if (tries_left)
*tries_left = priv->tries_left;
/*
* If called to check on the login state for a context specific login
* return not logged in. Needed because of logic in e6f7373ef066
*/
if (data->pin_type == SC_AC_CONTEXT_SPECIFIC) {
data->pin1.logged_in = 0;
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
}
if (priv->logged_in == SC_PIN_STATE_LOGGED_IN) {
/* Avoid status requests when the user is logged in to handle NIST
* 800-73-4 Part 2:
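Review bot: the new `if (data->pin_type == SC_AC_CONTEXT_SPECIFIC)` block sets `data->pin1.logged_in = 0` as a bare literal, while the very next test compares against SC_PIN_STATE_LOGGED_IN; use the matching named state constant (SC_PIN_STATE_LOGGED_OUT) so the two lines read as the same state machine. The comment also identifies the triggering logic only by the abbreviated hash e6f7373ef066; naming sc_pkcs15_verify_pin, which the commit message says is the caller that skips the verify, would keep the comment useful without a repository lookup. The visible condition tests only pin_type, so please confirm the enclosing branch is already limited to the status query the comment describes ("called to check on the login state"); if it is not, this early return with SC_SUCCESS would also be reached for other commands.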


@ -700,7 +700,7 @@ int sc_pkcs15_get_pin_info(struct sc_pkcs15_card *p15card,
/* Try to update PIN info from card */
memset(&data, 0, sizeof(data));
data.cmd = SC_PIN_CMD_GET_INFO;
data.pin_type = SC_AC_CHV;
data.pin_type = pin_info->auth_method;
data.pin_reference = pin_info->attrs.pin.reference;
r = sc_pin_cmd(card, &data, NULL);
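Review bot: the changed `data.pin_type` assignment has no comment explaining why the fixed SC_AC_CHV was dropped, and it now passes whatever `pin_info->auth_method` holds to every card driver reached through `sc_pin_cmd`, not only to card-piv.c. A one-line comment stating that the auth method is forwarded so a driver can report "not logged in" for SC_AC_CONTEXT_SPECIFIC would document the contract. It is also worth checking drivers whose SC_PIN_CMD_GET_INFO handling compares pin_type against SC_AC_CHV, since they will now see other values for PIN objects with a different auth method.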