For CardOS 4.3B and 4.4, the Verify Retry Counter Package

can be loaded at ADMINISTRATION life cycle phase to change
the behavior of the VERIFY command in regard to return codes.
When that package is loaded, the PIN can be created with this
"verifyRC" flag in cardos.profile if the return code must be 
ISO7816-4 compliant (63Cx with x being the value of the remaining 
retry counter when required verification has failed).



git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5558 c6295689-39f2-0310-b995-f0e70906c6a9

src/libopensc/pkcs15.h

@@ -62,6 +62,7 @@ typedef struct sc_pkcs15_id sc_pkcs15_id_t;
 #define SC_PKCS15_PIN_FLAG_INTEGRITY_PROTECTED		0x0200
 #define SC_PKCS15_PIN_FLAG_CONFIDENTIALITY_PROTECTED	0x0400
 #define SC_PKCS15_PIN_FLAG_EXCHANGE_REF_DATA		0x0800
+#define SC_PKCS15_PIN_FLAG_VERIFY_RC_COUNTER		0x1000
 
 #define SC_PKCS15_PIN_TYPE_BCD				0
 #define SC_PKCS15_PIN_TYPE_ASCII_NUMERIC		1

src/pkcs15init/cardos.profile

@@ -24,6 +24,17 @@ PIN user-puk {
     attempts	= 10;
 }
 
+# For CardOS 4.3B and 4.4, the Verify Retry Counter Package 
+# can be loaded at ADMINISTRATION life cycle phase to change
+# the behavior of the VERIFY command in regard to return codes.
+# When that package is loaded, the PIN can be created with this
+# "verifyRC" flag if the return code must be ISO7816-4 compliant
+# (63Cx with x being the value of the remaining retry counter
+# when required verification has failed).
+#PIN user-pin {
+#    flags	= verifyRC;
+#}
+
 # Additional filesystem info.
 # This is added to the file system info specified in the
 # main profile.

src/pkcs15init/pkcs15-cardos.c

@@ -409,6 +409,7 @@ cardos_store_pin(sc_profile_t *profile, sc_card_t *card,
 		const u8 *pin, size_t pin_len)
 {
 	struct sc_cardctl_cardos_obj_info args;
+	struct sc_pkcs15_auth_info profile_auth;
 	unsigned char	buffer[256];
 	unsigned char	pinpadded[256];
 	struct tlv	tlv;
@@ -445,6 +446,11 @@ cardos_store_pin(sc_profile_t *profile, sc_card_t *card,
 	/* parameters */
 	tlv_next(&tlv, 0x85);
 	tlv_add(&tlv, 0x02);		/* options byte */
+	sc_profile_get_pin_info(profile, SC_PKCS15INIT_USER_PIN, &profile_auth);
+	if (profile_auth.attrs.pin.flags & SC_PKCS15_PIN_FLAG_VERIFY_RC_COUNTER)	{
+		/* Use 9 byte OCI parameters to be able to set VerifyRC bit */
+		tlv_add(&tlv, 0x04);		/* options_2 byte with Bit n°2 set to return CurrentErrorCounter */
+		}
 	tlv_add(&tlv, attempts & 0xf);	/* flags byte */
 	tlv_add(&tlv, CARDOS_ALGO_PIN);	/* algorithm = pin-test */
 	tlv_add(&tlv, attempts & 0xf);	/* errcount = attempts */

src/pkcs15init/profile.c

@@ -191,6 +191,7 @@ static struct map		pinFlagNames[] = {
 	{ "integrity-protected",	SC_PKCS15_PIN_FLAG_INTEGRITY_PROTECTED		},
 	{ "confidentiality-protected",	SC_PKCS15_PIN_FLAG_CONFIDENTIALITY_PROTECTED	},
 	{ "exchangeRefData",		SC_PKCS15_PIN_FLAG_EXCHANGE_REF_DATA		},
+	{ "verifyRC",			SC_PKCS15_PIN_FLAG_VERIFY_RC_COUNTER		},
 	{ NULL, 0 }
 };
 static struct map		idStyleNames[] = {