sc-hsm: Bind PIN object to applet aid to ensure SELECT before PIN verification

src/libopensc/card-sc-hsm.c

@@ -85,10 +85,6 @@ static int sc_hsm_select_file(sc_card_t *card,
 	sc_file_t *file = NULL;
 
 	if (file_out == NULL) {				// Versions before 0.16 of the SmartCard-HSM do not support P2='0C'
-		if (!in_path->len && in_path->aid.len) {
-			sc_log(card->ctx, "Preventing reselection of applet which would clear the security state");
-			return SC_SUCCESS;
-		}
 		rv = sc_hsm_select_file(card, in_path, &file);
 		if (file != NULL) {
 			sc_file_free(file);

src/libopensc/pkcs15-sc-hsm.c

@@ -866,9 +866,10 @@ static int sc_pkcs15emu_sc_hsm_init (sc_pkcs15_card_t * p15card)
 
 	pin_info.auth_id.len = 1;
 	pin_info.auth_id.value[0] = 1;
+	pin_info.path.aid = sc_hsm_aid;
 	pin_info.auth_type = SC_PKCS15_PIN_AUTH_TYPE_PIN;
 	pin_info.attrs.pin.reference = 0x81;
-	pin_info.attrs.pin.flags = SC_PKCS15_PIN_FLAG_LOCAL|SC_PKCS15_PIN_FLAG_INITIALIZED|SC_PKCS15_PIN_FLAG_UNBLOCK_DISABLED|SC_PKCS15_PIN_FLAG_EXCHANGE_REF_DATA;
+	pin_info.attrs.pin.flags = SC_PKCS15_PIN_FLAG_LOCAL|SC_PKCS15_PIN_FLAG_INITIALIZED|SC_PKCS15_PIN_FLAG_EXCHANGE_REF_DATA;
 	pin_info.attrs.pin.type = SC_PKCS15_PIN_TYPE_ASCII_NUMERIC;
 	pin_info.attrs.pin.min_length = 6;
 	pin_info.attrs.pin.stored_length = 0;
@@ -890,16 +891,17 @@ static int sc_pkcs15emu_sc_hsm_init (sc_pkcs15_card_t * p15card)
 
 	pin_info.auth_id.len = 1;
 	pin_info.auth_id.value[0] = 2;
+	pin_info.path.aid = sc_hsm_aid;
 	pin_info.auth_type = SC_PKCS15_PIN_AUTH_TYPE_PIN;
 	pin_info.attrs.pin.reference = 0x88;
-	pin_info.attrs.pin.flags = SC_PKCS15_PIN_FLAG_LOCAL|SC_PKCS15_PIN_FLAG_CHANGE_DISABLED|SC_PKCS15_PIN_FLAG_INITIALIZED|SC_PKCS15_PIN_FLAG_UNBLOCK_DISABLED|SC_PKCS15_PIN_FLAG_SO_PIN;
+	pin_info.attrs.pin.flags = SC_PKCS15_PIN_FLAG_LOCAL|SC_PKCS15_PIN_FLAG_INITIALIZED|SC_PKCS15_PIN_FLAG_UNBLOCK_DISABLED|SC_PKCS15_PIN_FLAG_SO_PIN;
 	pin_info.attrs.pin.type = SC_PKCS15_PIN_TYPE_BCD;
 	pin_info.attrs.pin.min_length = 16;
 	pin_info.attrs.pin.stored_length = 0;
 	pin_info.attrs.pin.max_length = 16;
 	pin_info.attrs.pin.pad_char = '\0';
-	pin_info.tries_left = 3;
-	pin_info.max_tries = 3;
+	pin_info.tries_left = 15;
+	pin_info.max_tries = 15;
 
 	strlcpy(pin_obj.label, "SOPIN", sizeof(pin_obj.label));
 	pin_obj.flags = SC_PKCS15_CO_FLAG_PRIVATE;

src/pkcs15init/sc-hsm.profile

@@ -5,65 +5,16 @@ cardinfo {
     label               = "SmartCard-HSM";
     manufacturer        = "CardContact";
 
-    max-pin-length      = 16;
+    max-pin-length      = 15;
     min-pin-length      = 6;
     pin-encoding        = ascii-numeric;
 }
 
-# Default settings.
-# This option block will always be processed.
-option default {
-	macros {
-		protected	= *=$SOPIN, READ=NONE;
-		unprotected	= *=NONE;
-		so-pin-flags	= local, initialized, soPin;
-		so-min-pin-length = 8;
-		so-pin-attempts	= 3;
-		so-auth-id	= 3;
-		odf-size	= 256;
-		aodf-size	= 256;
-		cdf-size	= 512;
-		prkdf-size	= 256;
-		pukdf-size	= 256;
-		dodf-size	= 256;
-	}
-}
-
 filesystem {
-	DF MF {
-		path	= 3F00;
+	# Here comes the application DF
+	DF PKCS15-AppDF {
 		type	= DF;
-
-		# This is the DIR file
-		EF DIR {
-			type	= EF;
-			file-id	= 2F00;
-			acl		= *=NONE;
-		}
-
-		# Here comes the application DF
-		DF PKCS15-AppDF {
-			type	= DF;
-			exclusive-aid = E8:2B:06:01:04:01:81:C3:1F:02:01;
-			acl		= *=NONE;
-
-			EF PKCS15-TokenInfo {
-				ACL		= $unprotected;
-			}
-
-			EF PKCS15-PrKDF {
-				size		= $prkdf-size;
-				acl		= $protected;
-			}
-
-			EF PKCS15-PuKDF {
-				size		= $pukdf-size;
-				acl		= $protected;
-			}
-
-			EF PKCS15-CDF {
-				acl		= $unprotected;
-			}
-		}
+		exclusive-aid = E8:2B:06:01:04:01:81:C3:1F:02:01;
+		acl		= *=NONE;
 	}
 }