diff --git a/etc/opensc.conf.in b/etc/opensc.conf.in
index 8dec93bf..89c632d2 100644
--- a/etc/opensc.conf.in
+++ b/etc/opensc.conf.in
@@ -437,6 +437,11 @@ app default {
 # Default: 10
 # pin_cache_counter = 3;
 #
+ # Older PKCS#11 applications not supporting CKA_ALWAYS_AUTHENTICATE
+ # may need to set this to get signatures to work with some cards.
+ # Default: false
+ # pin_cache_ignore_user_consent = true;
+ #
 # Enable pkcs15 emulation.
 # Default: yes
 # enable_pkcs15_emulation = no;
diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c
index c863f5d2..6604c325 100644
--- a/src/libopensc/pkcs15-pin.c
+++ b/src/libopensc/pkcs15-pin.c
@@ -609,10 +609,12 @@ void sc_pkcs15_pincache_add(struct sc_pkcs15_card *p15card, struct sc_pkcs15_obj
 if (sc_pkcs15_compare_id(&obj->auth_id, &auth_info->auth_id)) {
 /* Caching is refused, if the protected object requires user consent */
+ if (!p15card->opts.pin_cache_ignore_user_consent) {
 if (obj->user_consent > 0) {
 sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "caching refused (user consent)");
 return;
 }
+ }
 }
 obj = obj->next;
@@ -640,8 +642,11 @@ int sc_pkcs15_pincache_revalidate(struct sc_pkcs15_card *p15card, const sc_pkcs1
 if (!p15card->opts.use_pin_cache)
 return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;
- if (obj->user_consent)
+/* Apps that do not support CK_ALWAYS_AUTHENTICATE may need pin_cache_ignore_user_consent = 1 */
+ if (!p15card->opts.pin_cache_ignore_user_consent) {
+ if (obj->user_consent)
 return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;
+ }
 if (p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD)
 return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;
diff --git a/src/libopensc/pkcs15.c b/src/libopensc/pkcs15.c
index 83b2dd38..b6d5b4a9 100644
--- a/src/libopensc/pkcs15.c
+++ b/src/libopensc/pkcs15.c
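Review bot: The new comment block says when someone might want pin_cache_ignore_user_consent but not what it gives up: once set, the PIN is cached for keys whose PKCS#15 entry asks for consent on every use, so later operations on those keys can presumably proceed from the cache without the user re-entering the PIN. A reader of the sample config should see that trade-off next to the knob, not only in the source. I would add one line before the "Default:" line, `# Note: this caches the PIN for keys marked as requiring user consent on every use, so enable it only when the application cannot prompt per operation.`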
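Review bot: With the override set, the added wrapper `if` makes the refusal fall through silently: the `sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "caching refused (user consent)")` line was the only trace that a consent-protected object reached the cache, and it is now skipped exactly when the weaker behaviour is in effect. I would keep the decision auditable with an `else if (obj->user_consent > 0) sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "user consent ignored (pin_cache_ignore_user_consent)");` after the wrapper's closing brace. The wrapper is also not re-indented around the inner `if`, which hides the new nesting; the sc_pkcs15_pincache_revalidate hunk below has the same shape, and both could be a single condition such as `if (obj->user_consent > 0 && !p15card->opts.pin_cache_ignore_user_consent) {`. sc_pkcs15_pincache_add begins before this hunk and continues past it.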
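Review bot: The added comment names `CK_ALWAYS_AUTHENTICATE`, while the opensc.conf.in text in this same commit and the PKCS#11 attribute itself are `CKA_ALWAYS_AUTHENTICATE`, so a search for the attribute will miss this site. I would write `/* Apps that do not support CKA_ALWAYS_AUTHENTICATE may need pin_cache_ignore_user_consent = 1 */` and indent it with the `if` it describes instead of placing it at column 0. The body of sc_pkcs15_pincache_revalidate starts and ends outside the hunk.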
@@ -1141,6 +1141,7 @@ int sc_pkcs15_bind(sc_card_t *card, struct sc_aid *aid, struct sc_pkcs15_card **
 p15card->opts.use_file_cache = 0;
 p15card->opts.use_pin_cache = 1;
 p15card->opts.pin_cache_counter = 10;
+ p15card->opts.pin_cache_ignore_user_consent = 0;
 conf_block = sc_get_conf_block(ctx, "framework", "pkcs15", 1);
@@ -1148,9 +1149,10 @@ int sc_pkcs15_bind(sc_card_t *card, struct sc_aid *aid, struct sc_pkcs15_card **
 p15card->opts.use_file_cache = scconf_get_bool(conf_block, "use_file_caching", p15card->opts.use_file_cache);
 p15card->opts.use_pin_cache = scconf_get_bool(conf_block, "use_pin_caching", p15card->opts.use_pin_cache);
 p15card->opts.pin_cache_counter = scconf_get_int(conf_block, "pin_cache_counter", p15card->opts.pin_cache_counter);
+ p15card->opts.pin_cache_ignore_user_consent = scconf_get_bool(conf_block, "pin_cache_ignore_user_consent", p15card->opts.pin_cache_ignore_user_consent);
 }
- sc_log(ctx, "PKCS#15 options: use_file_cache=%d use_pin_cache=%d pin_cache_counter=%d",
- p15card->opts.use_file_cache, p15card->opts.use_pin_cache, p15card->opts.pin_cache_counter);
+ sc_log(ctx, "PKCS#15 options: use_file_cache=%d use_pin_cache=%d pin_cache_counter=%d pin_cache_ignore_user_consent=%d",
+ p15card->opts.use_file_cache, p15card->opts.use_pin_cache, p15card->opts.pin_cache_counter, p15card->opts.pin_cache_ignore_user_consent);
 r = sc_lock(card);
 if (r) {
diff --git a/src/libopensc/pkcs15.h b/src/libopensc/pkcs15.h
index f92dce67..28522c85 100644
--- a/src/libopensc/pkcs15.h
+++ b/src/libopensc/pkcs15.h
@@ -599,6 +599,7 @@ typedef struct sc_pkcs15_card {
 int use_file_cache;
 int use_pin_cache;
 int pin_cache_counter;
+ int pin_cache_ignore_user_consent;
 } opts;
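Review bot: The new option only appears as one more `%d` in the routine options summary, so a deployment that has switched off the per-operation consent check looks the same as a default one unless someone reads that whole line. Because a non-zero value overrides a requirement carried by the card's own PKCS#15 data rather than a local preference, I would make it stand on its own after the summary: `if (p15card->opts.pin_cache_ignore_user_consent) sc_log(ctx, "pin_cache_ignore_user_consent is set: cached PINs will be used for objects that require user consent");`. Whether sc_log here is routinely captured in production is something I cannot tell from the hunk; if it is not, a higher-severity call would be the better fit. sc_pkcs15_bind starts and ends outside this hunk.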