From f252277fab64a50214779dc8f3dbaeb7481e1bf5 Mon Sep 17 00:00:00 2001 From: Frank Morgner Date: Wed, 16 Sep 2015 07:16:21 +0200 Subject: [PATCH] Add configuration for sloppy PKCS#11 initialization --- etc/opensc.conf.in | 17 ++++++++++++++++- etc/opensc.conf.win.in | 30 ++++++++++++++++++++++++++++++ src/pkcs11/misc.c | 2 ++ src/pkcs11/pkcs11-global.c | 7 ++++++- src/pkcs11/sc-pkcs11.h | 1 + 5 files changed, 55 insertions(+), 2 deletions(-) diff --git a/etc/opensc.conf.in b/etc/opensc.conf.in index a270308d..531a82c1 100644 --- a/etc/opensc.conf.in +++ b/etc/opensc.conf.in @@ -334,9 +334,12 @@ app default { #path to ans name of external SM module #module_name = @DEFAULT_SM_MODULE@; #module_path = @libdir@; + # directory with external SM module + # Default: defined by windows register + # module_path = ""; # specific data to tune the module initialization - #module_data = "Here can be your SM module init data"; + # module_data = "Here can be your SM module init data"; # SM mode: # 'transmit' -- in this mode the procedure to securize an APDU is called by the OpenSC general @@ -568,6 +571,18 @@ app opensc-pkcs11 { # Default: false # lock_login = true; + # With this setting disabled, the OpenSC PKCS#11 module will initialize + # the slots available when the application calls `C_GetSlotList`. With + # this setting enabled, the slots will also get initialized when + # C_GetSlotInfo is called. + # + # This setting is a workaround for Java which does not call + # `C_GetSlotList` when configured with a static `slot` instead of + # `slotListIndex`. + # + # Default: true + # init_sloppy = false; + # User PIN unblock style # none: PIN unblock is not possible with PKCS#11 API; # set_pin_in_unlogged_session: C_SetPIN() in unlogged session: diff --git a/etc/opensc.conf.win.in b/etc/opensc.conf.win.in index b1efb221..cd320a0e 100644 --- a/etc/opensc.conf.win.in +++ b/etc/opensc.conf.win.in 
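Review bot: The added `# module_path = "";` entry duplicates the `#module_path = @libdir@;` example two lines above it in the same `app default` secure-messaging block, and its explanation "Default: defined by windows register" does not apply to this non-Windows template (and misspells "registry"). Either drop the three new lines or fold them into the existing example, e.g. `# directory with the external SM module (default: @libdir@; on Windows the default comes from the registry)` placed above `#module_path = @libdir@;`. Keeping a single description of module_path here also avoids this template and opensc.conf.win.in drifting apart, since the Windows template's module_path example is not touched by this patch.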
@@ -305,6 +305,14 @@ app default { # name = "Morpho YpsID S3 IAS/ECC"; # # secure_messaging = local_morpho_YpsID_S3; #} + #card_atr 3B:DF:96:00:80:31:FE:45:00:31:B8:64:04:1F:EC:C1:73:94:01:80:82:90:00:EC { + # type = 25005; + # driver = "iasecc"; + # name = "Morpho MI IAS/ECC v1.0.1"; + # md_read_only = false; + # md_supports_X509_enrollment = true; + # secure_messaging = local_morpho_mi; + #} card_atr 3B:DF:18:FF:81:91:FE:1F:C3:00:31:B8:64:0C:01:EC:C1:73:94:01:80:82:90:00:B3 { type = 25004; driver = "iasecc"; @@ -559,6 +567,18 @@ app opensc-pkcs11 { # Default: false # lock_login = true; + # With this setting disabled, the OpenSC PKCS#11 module will initialize + # the slots available when the application calls `C_GetSlotList`. With + # this setting enabled, the slots will also get initialized when + # C_GetSlotInfo is called. + # + # This setting is a workaround for Java which does not call + # `C_GetSlotList` when configured with a static `slot` instead of + # `slotListIndex`. + # + # Default: true + # init_sloppy = false; + # User PIN unblock style # none: PIN unblock is not possible with PKCS#11 API; # set_pin_in_unlogged_session: C_SetPIN() in unlogged session: @@ -618,6 +638,16 @@ app opensc-pkcs11 { # create_slots_for_pins = "user,sign"; # create_slots_for_pins = application; # create_slots_for_pins = "application,sign"; + # + # For the module to simulate the opensc-onepin module behavior the following option + # must be set: + # create_slots_for_pins = "user" + } +} + +app onepin-opensc-pkcs11 { + pkcs11 { + slots_per_card = 1; } } diff --git a/src/pkcs11/misc.c b/src/pkcs11/misc.c index a2422db4..2ade4f5d 100644 --- a/src/pkcs11/misc.c +++ b/src/pkcs11/misc.c @@ -324,6 +324,7 @@ void load_pkcs11_parameters(struct sc_pkcs11_config *conf, sc_context_t * ctx) } conf->hide_empty_tokens = 1; conf->lock_login = 0; + conf->init_sloppy = 1; conf->pin_unblock_style = SC_PKCS11_PIN_UNBLOCK_NOT_ALLOWED; conf->create_puk_slot = 0; conf->zero_ckaid_for_ca_certs = 0; 
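Review bot: The commented-out Morpho MI IAS/ECC `card_atr` entry is unrelated to the sloppy-initialization change named in the subject and would be easier to review and to revert as its own commit. It also points at `secure_messaging = local_morpho_mi;`, and no `local_morpho_mi` block is added by this patch; if that block does not already exist in opensc.conf.win.in, anyone who uncomments the entry gets a dangling reference. A one-line hint next to it, e.g. `# requires a matching local_morpho_mi secure_messaging block`, would make the example safe to enable.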
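Review bot: The new `app onepin-opensc-pkcs11` block sets only `slots_per_card = 1;`, while the comment added a few lines above states that simulating the onepin module requires `create_slots_for_pins = "user"`, so the block as written does not do what the comment tells the reader it does; add `create_slots_for_pins = "user";` next to `slots_per_card = 1;` or reword the comment. The example line itself also drops the trailing semicolon that every sibling example carries (`# create_slots_for_pins = "user,sign";`), so it should read `# create_slots_for_pins = "user";`. The block is added only to the Windows template in this patch; unless opensc.conf.in already has an equivalent section, the two templates now differ in which applications get a configuration.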
@@ -339,6 +340,7 @@ void load_pkcs11_parameters(struct sc_pkcs11_config *conf, sc_context_t * ctx) conf->slots_per_card = scconf_get_int(conf_block, "slots_per_card", conf->slots_per_card); conf->hide_empty_tokens = scconf_get_bool(conf_block, "hide_empty_tokens", conf->hide_empty_tokens); conf->lock_login = scconf_get_bool(conf_block, "lock_login", conf->lock_login); + conf->init_sloppy = scconf_get_bool(conf_block, "init_sloppy", conf->init_sloppy); unblock_style = (char *)scconf_get_str(conf_block, "user_pin_unblock_style", NULL); if (unblock_style && !strcmp(unblock_style, "set_pin_in_unlogged_session")) diff --git a/src/pkcs11/pkcs11-global.c b/src/pkcs11/pkcs11-global.c index 8c7959b1..275a5bc8 100644 --- a/src/pkcs11/pkcs11-global.c +++ b/src/pkcs11/pkcs11-global.c @@ -473,6 +473,7 @@ static sc_timestamp_t get_current_time(void) CK_RV C_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { struct sc_pkcs11_slot *slot; + unsigned int uninit_slotcount; sc_timestamp_t now; CK_RV rv; @@ -485,7 +486,11 @@ CK_RV C_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) sc_log(context, "C_GetSlotInfo(0x%lx)", slotID); - if (1 <= list_size(&virtual_slots)) { + if (sc_pkcs11_conf.plug_and_play) + uninit_slotcount = 1; + else + uninit_slotcount = 0; + if (sc_pkcs11_conf.init_sloppy && uninit_slotcount <= list_size(&virtual_slots)) { /* Most likely virtual_slots only contains the hotplug slot and has not * been initialized because the caller has *not* called C_GetSlotList * before C_GetSlotInfo, as required by PKCS#11. Initialize diff --git a/src/pkcs11/sc-pkcs11.h b/src/pkcs11/sc-pkcs11.h index b89185ce..22e08235 100644 --- a/src/pkcs11/sc-pkcs11.h +++ b/src/pkcs11/sc-pkcs11.h @@ -78,6 +78,7 @@ struct sc_pkcs11_config { unsigned int slots_per_card; unsigned char hide_empty_tokens; unsigned char lock_login; + unsigned char init_sloppy; unsigned int pin_unblock_style; unsigned int create_puk_slot; unsigned int zero_ckaid_for_ca_certs;
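Review bot: The new condition `uninit_slotcount <= list_size(&virtual_slots)` does not test the situation the comment below it describes (virtual_slots holding only the hotplug placeholder): it is true for any non-empty list, and when plug_and_play is off uninit_slotcount is 0, so `0 <= list size` always holds and the test degenerates to `sc_pkcs11_conf.init_sloppy` alone, meaning every C_GetSlotInfo call takes the initialization branch even after a conforming caller has already run C_GetSlotList. The previous `1 <= list_size(...)` had the same direction, so the inversion may predate this commit, but since the line is being rewritten it is the moment to fix it: `if (sc_pkcs11_conf.init_sloppy && list_size(&virtual_slots) <= uninit_slotcount) {`. The branch body and the rest of C_GetSlotInfo lie outside the hunk, so whether repeating that initialization on every call is merely wasteful or can also disturb slots an application is already using cannot be confirmed from here. The four-line if/else that computes uninit_slotcount would also read better as `uninit_slotcount = sc_pkcs11_conf.plug_and_play ? 1 : 0;`.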