From 91812cf40f12028bb366c77def22e13f5814eafa Mon Sep 17 00:00:00 2001
From: Doug Engert
Date: Wed, 18 Apr 2018 21:04:00 -0500
Subject: [PATCH] Context Specific Login Using Pin Pad Reader Fix

sc_pkcs15_verify_pin says:

/* if pin cache is disabled, we can get here with no PIN data.
 * in this case, to avoid error or unnecessary pin prompting on pinpad,
 * check if the PIN has been already verified and the access condition
 * is still open on card. */

It then calls sc_pkcs15_get_pin_info.

A context specific login is used in PKCS#11 to force the user to enter
the PIN again and a verify command to be sent to the card. (Actually it
could be a different value for the PIN depending on the card.)

sc_pkcs15_get_pin_info will then call the card driver, but does not say
why it is testing the login status. sc_pkcs15_get_pin_info may return
SC_PIN_STATE_LOGGED_IN=1 and sc_pkcs15_verify_pin will then skip sending
the actual verify command to the card via _sc_pkcs15_verify_pin.

To avoid this, sc_pkcs15_get_pin_info will set
data.pin_type = pin_info->auth_method;

In the case of a context specific login, this is SC_AC_CONTEXT_SPECIFIC
and the card driver can take action and can return
SC_PIN_STATE_LOGGED_IN=0 so the verify will be done.

The PIV driver card-piv.c does this. Other drivers could do something
similar.

Date: Mon May 21 20:40:00 2018 -0500

On branch History-fixes
Changes to be committed:
	modified:   card-piv.c
	modified:   pkcs15-pin.c
---
 src/libopensc/card-piv.c   | 10 ++++++++++
 src/libopensc/pkcs15-pin.c |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/libopensc/card-piv.c b/src/libopensc/card-piv.c
index 01bc7939..722315bf 100644
--- a/src/libopensc/card-piv.c
+++ b/src/libopensc/card-piv.c
@@ -3452,6 +3452,16 @@ piv_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, int *tries_left) data->pin1.tries_left = priv->tries_left; if (tries_left) *tries_left = priv->tries_left; + + /* + * If called to check on the login state for a context specific login + * return not logged in. Needed because of logic in e6f7373ef066 + */ + if (data->pin_type == SC_AC_CONTEXT_SPECIFIC) { + data->pin1.logged_in = 0; + LOG_FUNC_RETURN(card->ctx, SC_SUCCESS); + } + if (priv->logged_in == SC_PIN_STATE_LOGGED_IN) { /* Avoid status requests when the user is logged in to handle NIST * 800-73-4 Part 2: diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c index 4e807be9..ab94e74f 100644 --- a/src/libopensc/pkcs15-pin.c +++ b/src/libopensc/pkcs15-pin.c @@ -700,7 +700,7 @@ int sc_pkcs15_get_pin_info(struct sc_pkcs15_card *p15card, /* Try to update PIN info from card */ memset(&data, 0, sizeof(data)); data.cmd = SC_PIN_CMD_GET_INFO; - data.pin_type = SC_AC_CHV; + data.pin_type = pin_info->auth_method; data.pin_reference = pin_info->attrs.pin.reference; r = sc_pin_cmd(card, &data, NULL);
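Review bot: in the card-piv.c hunk, the new early return in piv_pin_cmd keys only on `data->pin_type == SC_AC_CONTEXT_SPECIFIC`, and the visible context does not show that this sits inside the SC_PIN_CMD_GET_INFO branch, so please either confirm that or add `data->cmd == SC_PIN_CMD_GET_INFO` to the condition, otherwise a context-specific VERIFY could be answered with SC_SUCCESS and `logged_in = 0` without ever reaching the card. In the same block, the comment should state the reason in words (GET_INFO reporting "logged in" makes sc_pkcs15_verify_pin skip the real VERIFY, per the commit message) instead of only citing e6f7373ef066, and the literal `0` in `data->pin1.logged_in = 0;` would read better as the named logged-out state constant that pairs with `SC_PIN_STATE_LOGGED_IN` used in the comparison just below, if the state enum defines one.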
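Review bot: in the pkcs15-pin.c hunk, switching `data.pin_type = SC_AC_CHV;` to `data.pin_type = pin_info->auth_method;` in sc_pkcs15_get_pin_info changes the GET_INFO request for every PIN object, not just context-specific ones, so any card driver whose pin_cmd handler expects SC_AC_CHV for GET_INFO may now reject or mishandle the call; either audit the drivers for that or pass through only SC_AC_CONTEXT_SPECIFIC and keep SC_AC_CHV for all other auth methods. The commit message itself says only card-piv.c acts on the new value, which means on other drivers a context-specific login can still be reported as logged in and the VERIFY skipped; that remaining gap belongs in the commit message, or better, in a generic check in sc_pkcs15_verify_pin that never trusts a cached login state for SC_AC_CONTEXT_SPECIFIC.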