Add pin_cache_ignore_user_consent parameter to opensc.conf

When OpenSC is used with a card that enforces user_consent
and the calling PKCS#11 application does not understand how
to handle the CKA_ALWAYS_AUTHENTICATE, signature operations
will fail.

OpenSC will not cache a PIN that protects a user_consent
object as one would expect.

This mods allows PINs to be cached even if protecting a
user_consent object by adding
 pin_cache_ignore_user_consent = true;
option in opensc.conf.

Thunderbird is the prime example of this situation.
Mozilla has accepted mods (357025 and 613507) to support
CKA_ALWAYS_AUTHENTICATE that will appear in NSS-3.14 but
this may be some time before this version is in vendor
distribution.

etc/opensc.conf.in

@@ -437,6 +437,11 @@ app default {
 		# Default: 10
 		# pin_cache_counter = 3;
 		#
+		# Older PKCS#11 applications not supporting CKA_ALWAYS_AUTHENTICATE
+		# may need to set this to get signatures to work with some cards.
+		# Default: false
+		# pin_cache_ignore_user_consent = true;
+		#
 		# Enable pkcs15 emulation.
 		# Default: yes
 		# enable_pkcs15_emulation = no;

src/libopensc/pkcs15-pin.c

@@ -609,10 +609,12 @@ void sc_pkcs15_pincache_add(struct sc_pkcs15_card *p15card, struct sc_pkcs15_obj
 
 		if (sc_pkcs15_compare_id(&obj->auth_id, &auth_info->auth_id)) {
 			/* Caching is refused, if the protected object requires user consent */
+		    if (!p15card->opts.pin_cache_ignore_user_consent) {
 			if (obj->user_consent > 0) {
 				sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "caching refused (user consent)");
 				return;
 			}
+		    }
 		}
 
 		obj = obj->next;
@@ -640,8 +642,11 @@ int sc_pkcs15_pincache_revalidate(struct sc_pkcs15_card *p15card, const sc_pkcs1
 	if (!p15card->opts.use_pin_cache)
 		return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;
 
-	if (obj->user_consent)
+/*  Apps that do not support CK_ALWAYS_AUTHENTICATE may need pin_cache_ignore_user_consent = 1 */
+	if (!p15card->opts.pin_cache_ignore_user_consent) {
+	    if (obj->user_consent)
 		return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;
+	}
 
 	if (p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD)
 		return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;

src/libopensc/pkcs15.c

@@ -1141,6 +1141,7 @@ int sc_pkcs15_bind(sc_card_t *card, struct sc_aid *aid, struct sc_pkcs15_card **
 	p15card->opts.use_file_cache = 0;
 	p15card->opts.use_pin_cache = 1;
 	p15card->opts.pin_cache_counter = 10;
+	p15card->opts.pin_cache_ignore_user_consent = 0;
 
 	conf_block = sc_get_conf_block(ctx, "framework", "pkcs15", 1);
 
@@ -1148,9 +1149,10 @@ int sc_pkcs15_bind(sc_card_t *card, struct sc_aid *aid, struct sc_pkcs15_card **
 		p15card->opts.use_file_cache = scconf_get_bool(conf_block, "use_file_caching", p15card->opts.use_file_cache);
 		p15card->opts.use_pin_cache = scconf_get_bool(conf_block, "use_pin_caching", p15card->opts.use_pin_cache);
 		p15card->opts.pin_cache_counter = scconf_get_int(conf_block, "pin_cache_counter", p15card->opts.pin_cache_counter);
+		p15card->opts.pin_cache_ignore_user_consent =  scconf_get_bool(conf_block, "pin_cache_ignore_user_consent", p15card->opts.pin_cache_ignore_user_consent);
 	}
-	sc_log(ctx, "PKCS#15 options: use_file_cache=%d use_pin_cache=%d pin_cache_counter=%d",
-	         p15card->opts.use_file_cache, p15card->opts.use_pin_cache, p15card->opts.pin_cache_counter);
+	sc_log(ctx, "PKCS#15 options: use_file_cache=%d use_pin_cache=%d pin_cache_counter=%d pin_cache_ignore_user_consent=%d",
+	         p15card->opts.use_file_cache, p15card->opts.use_pin_cache, p15card->opts.pin_cache_counter, p15card->opts.pin_cache_ignore_user_consent);
 
 	r = sc_lock(card);
 	if (r) {

src/libopensc/pkcs15.h

@@ -599,6 +599,7 @@ typedef struct sc_pkcs15_card {
 		int use_file_cache;
 		int use_pin_cache;
 		int pin_cache_counter;
+		int pin_cache_ignore_user_consent;
 	} opts;