Add pin_cache_ignore_user_consent parameter to opensc.conf
When OpenSC is used with a card that enforces user_consent and the calling PKCS#11 application does not understand how to handle CKA_ALWAYS_AUTHENTICATE, signature operations will fail. OpenSC will not cache a PIN that protects a user_consent object, as one would expect. This modification allows PINs to be cached even if they protect a user_consent object, by adding the pin_cache_ignore_user_consent = true; option in opensc.conf. Thunderbird is the prime example of this situation. Mozilla has accepted mods (357025 and 613507) to support CKA_ALWAYS_AUTHENTICATE that will appear in NSS-3.14, but it may be some time before this version is in vendor distributions.
This commit is contained in:
parent
4e44cabcf0
commit
a3b516a1e1
@ -437,6 +437,11 @@ app default {
|
||||
# Default: 10
|
||||
# pin_cache_counter = 3;
|
||||
#
|
||||
# Older PKCS#11 applications not supporting CKA_ALWAYS_AUTHENTICATE
|
||||
# may need to set this to get signatures to work with some cards.
|
||||
# Default: false
|
||||
# pin_cache_ignore_user_consent = true;
|
||||
#
|
||||
# Enable pkcs15 emulation.
|
||||
# Default: yes
|
||||
# enable_pkcs15_emulation = no;
|
||||
|
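Review bot: The new opensc.conf comment says which applications might need the option but not what it gives up: with it set, a PIN that protects a user_consent object is cached and later accepted by sc_pkcs15_pincache_revalidate, so the per-operation PIN entry those objects are meant to require no longer happens for a cached PIN. Suggest adding, above the `# Default: false` line, `# With this set, PINs protecting user_consent objects are cached too, so` / `# those objects no longer get a fresh PIN entry for every operation.`.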
@ -609,11 +609,13 @@ void sc_pkcs15_pincache_add(struct sc_pkcs15_card *p15card, struct sc_pkcs15_obj
|
||||
|
||||
if (sc_pkcs15_compare_id(&obj->auth_id, &auth_info->auth_id)) {
|
||||
/* Caching is refused, if the protected object requires user consent */
|
||||
if (!p15card->opts.pin_cache_ignore_user_consent) {
|
||||
if (obj->user_consent > 0) {
|
||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "caching refused (user consent)");
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
obj = obj->next;
|
||||
}
|
||||
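Review bot: When pin_cache_ignore_user_consent is set, the new outer guard skips the refusal silently, so a PIN protecting a user_consent object is cached with no log line at the point where the protection is bypassed; the only trace is the option dump at bind time. I would test user_consent first and log both outcomes, so a debug log shows each time the override takes effect; the same silent skip is in sc_pkcs15_pincache_revalidate in the next hunk. The two checks also differ in form (`obj->user_consent > 0` here, bare `obj->user_consent` there); pick one. sc_pkcs15_pincache_add starts and ends outside the hunk.
```c
	if (sc_pkcs15_compare_id(&obj->auth_id, &auth_info->auth_id)) {
		/* Caching is refused if the protected object requires user consent,
		 * unless the configuration opted out via pin_cache_ignore_user_consent */
		if (obj->user_consent > 0) {
			if (!p15card->opts.pin_cache_ignore_user_consent) {
				sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "caching refused (user consent)");
				return;
			}
			sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "caching PIN despite user consent (pin_cache_ignore_user_consent set)");
		}
	}
	/* … unchanged: advance to obj->next … */
```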
@ -640,8 +642,11 @@ int sc_pkcs15_pincache_revalidate(struct sc_pkcs15_card *p15card, const sc_pkcs1
|
||||
if (!p15card->opts.use_pin_cache)
|
||||
return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;
|
||||
|
||||
/* Apps that do not support CK_ALWAYS_AUTHENTICATE may need pin_cache_ignore_user_consent = 1 */
|
||||
if (!p15card->opts.pin_cache_ignore_user_consent) {
|
||||
if (obj->user_consent)
|
||||
return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;
|
||||
}
|
||||
|
||||
if (p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD)
|
||||
return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;
|
||||
|
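Review bot: The comment above the new check names the attribute `CK_ALWAYS_AUTHENTICATE` and shows the option as `= 1`, whereas the commit message and the opensc.conf example use `CKA_ALWAYS_AUTHENTICATE`, and the option is read with `scconf_get_bool` and documented as `= true`. Suggest `/* Apps that do not support CKA_ALWAYS_AUTHENTICATE may need pin_cache_ignore_user_consent = true */`. The test `if (obj->user_consent)` also differs from the `obj->user_consent > 0` form used in sc_pkcs15_pincache_add; the two should match. sc_pkcs15_pincache_revalidate starts and ends outside the hunk.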
@ -1141,6 +1141,7 @@ int sc_pkcs15_bind(sc_card_t *card, struct sc_aid *aid, struct sc_pkcs15_card **
|
||||
p15card->opts.use_file_cache = 0;
|
||||
p15card->opts.use_pin_cache = 1;
|
||||
p15card->opts.pin_cache_counter = 10;
|
||||
p15card->opts.pin_cache_ignore_user_consent = 0;
|
||||
|
||||
conf_block = sc_get_conf_block(ctx, "framework", "pkcs15", 1);
|
||||
|
||||
@ -1148,9 +1149,10 @@ int sc_pkcs15_bind(sc_card_t *card, struct sc_aid *aid, struct sc_pkcs15_card **
|
||||
p15card->opts.use_file_cache = scconf_get_bool(conf_block, "use_file_caching", p15card->opts.use_file_cache);
|
||||
p15card->opts.use_pin_cache = scconf_get_bool(conf_block, "use_pin_caching", p15card->opts.use_pin_cache);
|
||||
p15card->opts.pin_cache_counter = scconf_get_int(conf_block, "pin_cache_counter", p15card->opts.pin_cache_counter);
|
||||
p15card->opts.pin_cache_ignore_user_consent = scconf_get_bool(conf_block, "pin_cache_ignore_user_consent", p15card->opts.pin_cache_ignore_user_consent);
|
||||
}
|
||||
sc_log(ctx, "PKCS#15 options: use_file_cache=%d use_pin_cache=%d pin_cache_counter=%d",
|
||||
p15card->opts.use_file_cache, p15card->opts.use_pin_cache, p15card->opts.pin_cache_counter);
|
||||
sc_log(ctx, "PKCS#15 options: use_file_cache=%d use_pin_cache=%d pin_cache_counter=%d pin_cache_ignore_user_consent=%d",
|
||||
p15card->opts.use_file_cache, p15card->opts.use_pin_cache, p15card->opts.pin_cache_counter, p15card->opts.pin_cache_ignore_user_consent);
|
||||
|
||||
r = sc_lock(card);
|
||||
if (r) {
|
||||
|
@ -599,6 +599,7 @@ typedef struct sc_pkcs15_card {
|
||||
int use_file_cache;
|
||||
int use_pin_cache;
|
||||
int pin_cache_counter;
|
||||
int pin_cache_ignore_user_consent;
|
||||
} opts;
|
||||
|
||||
|
||||
|