Context Specific Login Using Pin Pad Reader Fix
sc_pkcs15_verify_pin says: /* if pin cache is disabled, we can get here with no PIN data. * in this case, to avoid error or unnecessary pin prompting on pinpad, * check if the PIN has been already verified and the access condition * is still open on card. */ It then calls sc_pkcs15_get_pin_info. A context specific login is used in PKCS#11 to force the user to enter the PIN again and a verify command to be sent to the card. (Actually it could be a different value for the PIN depending on the card.) sc_pkcs15_get_pin_info will then call the card driver, but does not say why it is testing the login status. sc_pkcs15_get_pin_info may return SC_PIN_STATE_LOGGED_IN=1 and sc_pkcs15_verify_pin will then skip sending the actual verify command to the card via _sc_pkcs15_verify_pin. To avoid this, sc_pkcs15_get_pin_info will set data.pin_type = pin_info->auth_method; In the case of a context specific login, this is SC_AC_CONTEXT_SPECIFIC and the card driver can take action and can return SC_PIN_STATE_LOGGED_IN=0 so the verify will be done. The PIV driver card-piv.c does this. Other drivers could do something similar. Date: Mon May 21 20:40:00 2018 -0500 On branch History-fixes Changes to be committed: modified: card-piv.c modified: pkcs15-pin.c
parent
08ec4b85e1
commit
91812cf40f
|
@ -3452,6 +3452,16 @@ piv_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, int *tries_left)
|
||||||
data->pin1.tries_left = priv->tries_left;
|
data->pin1.tries_left = priv->tries_left;
|
||||||
if (tries_left)
|
if (tries_left)
|
||||||
*tries_left = priv->tries_left;
|
*tries_left = priv->tries_left;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If called to check on the login state for a context specific login
|
||||||
|
* return not logged in. Needed because of logic in e6f7373ef066
|
||||||
|
*/
|
||||||
|
if (data->pin_type == SC_AC_CONTEXT_SPECIFIC) {
|
||||||
|
data->pin1.logged_in = 0;
|
||||||
|
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
|
||||||
|
}
|
||||||
|
|
||||||
if (priv->logged_in == SC_PIN_STATE_LOGGED_IN) {
|
if (priv->logged_in == SC_PIN_STATE_LOGGED_IN) {
|
||||||
/* Avoid status requests when the user is logged in to handle NIST
|
/* Avoid status requests when the user is logged in to handle NIST
|
||||||
* 800-73-4 Part 2:
|
* 800-73-4 Part 2:
|
||||||
|
|
|
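Review bot: The added early return in piv_pin_cmd writes a bare `0` to `data->pin1.logged_in`, while the context line directly below compares against the named constant `SC_PIN_STATE_LOGGED_IN`; `data->pin1.logged_in = SC_PIN_STATE_LOGGED_OUT;` would match that and make the intent explicit. The comment justifies the branch only by pointing at commit e6f7373ef066, so a later reader cannot tell that this branch is what stops the PKCS#15 layer from skipping re-authentication; it should state the invariant itself, for example `/* A context specific login must always lead to a fresh VERIFY, so never report a cached logged-in state for it. */`. The hunk does not show whether this code is reached only for `SC_PIN_CMD_GET_INFO`; if other commands can get here, the condition should also test `data->cmd`. piv_pin_cmd starts and ends outside the hunk.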
@ -700,7 +700,7 @@ int sc_pkcs15_get_pin_info(struct sc_pkcs15_card *p15card,
|
||||||
/* Try to update PIN info from card */
|
/* Try to update PIN info from card */
|
||||||
memset(&data, 0, sizeof(data));
|
memset(&data, 0, sizeof(data));
|
||||||
data.cmd = SC_PIN_CMD_GET_INFO;
|
data.cmd = SC_PIN_CMD_GET_INFO;
|
||||||
data.pin_type = SC_AC_CHV;
|
data.pin_type = pin_info->auth_method;
|
||||||
data.pin_reference = pin_info->attrs.pin.reference;
|
data.pin_reference = pin_info->attrs.pin.reference;
|
||||||
|
|
||||||
r = sc_pin_cmd(card, &data, NULL);
|
r = sc_pin_cmd(card, &data, NULL);
|
||||||
|
|
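Review bot: Passing `pin_info->auth_method` instead of `SC_AC_CHV` makes forced re-verification depend on each card driver recognising `SC_AC_CONTEXT_SPECIFIC` in its GET_INFO handling. A driver that ignores `pin_type` can still report logged-in, and according to the commit description sc_pkcs15_verify_pin then skips the VERIFY command. Only the PIV driver is updated here, so a driver-independent guard in sc_pkcs15_verify_pin (not shown on this page) that never takes the status short-cut for a context specific login would close the gap for all cards. At minimum the changed line deserves a comment such as `/* pass the real auth method so a driver can refuse to report a cached login for SC_AC_CONTEXT_SPECIFIC */`. Drivers that previously accepted only `SC_AC_CHV` for this command may now return an error, so the handling of `r` after `sc_pin_cmd`, which lies outside the hunk, should be checked for that case.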